panix hijack press

William Allen Simpson wsimpson at
Thu Jan 20 18:02:16 UTC 2005

Apparently, some folks just don't get it....

Richard Parker wrote:

>...  However, all domain holders
>can directly monitor the status of their domain using the .com registry's
>whois server - including whether or not their domain has a status of
>registrar-lock.  They do not have to rely on their registrar to tell them if
>their domain is locked or not.

Now let's get this straight.  You think that ISPs in general need to
assign staff to monitor the lock status of the hundreds or thousands
of registered domains of our subscribers.

Or that the subscribers, who typically aren't even on the whois
contacts list, should be monitoring the lock status, which they
probably don't know (nor care) exists?

What are you smoking?

The whole locking mechanism was a poor design from the beginning.

It's opt-out.  And we all are so fond of opt-out schemes, eh?

>I don't think registrar-lock is a red-herring.  In the wake of the
>hijack holders of domain names are naturally going to want to know what they
>can do to prevent something similar happening to them.  The ability to
>request registrar-lock is one of the few defenses domain holders have.

Huh?  What you are saying is maybe isn't "at fault" because
they had requested (or expected) registrar-lock, but they are "at fault"
because their registrar didn't properly lock it?  Or "at fault" because
they didn't monitor the lock?

Stop blaming the victim!

The registrar-lock isn't a defense for the domain holder.  Not one iota. 
It was designed as a defense for the registrar.

And the registrar in this case is a victim as much as the domain holder.

Stop blaming the victim!

>I haven't seen anyone on NANOG claim that Panix is not a victim.  Clearly a
>serious error occurred in the process Melbourne IT uses to authenticate
>transfers.  However, your analogies seem unnecessarily inflammatory.

Sometimes folks such as yourself need to be educated in clear, unambiguous
terms that relate to life.  And yet the lesson still hasn't taken hold:

>Another analogy might be to describe Panix as a bank.

An analogy that is pretty far off, since the "bank" in this case would
be the REGISTRAR, not Panix.

And the registrar in this case is a victim as much as the domain holder.

Stop blaming the victim!

A personal responder wrote:

>On Wed, Jan 19, 2005 at 09:35:21PM -0500, William Allen Simpson wrote:
>>(6) Stop blaming the victim!
>Well, in this case, it appears that the victim is saying that it had
>taken precautions... and I concur with whomever it was who said that if
>the lock date on all their other domains is post-incident, that's
>pretty strong circumstantial evidence that they hadn't requested a lock
>(which is what we *mean* when we say "customer locked that domain", so
>kindly leggo that red herring).

You concur, without checking, and have no idea "whomever it was" that
speculated, nor how many domains are administered by panix or dotster?

You mean the REGISTRAR didn't lock the domain.

But the registrar in this case is a victim as much as the domain holder.

Stop blaming the victim!

>So all we're *really* annoyed about here is that Bruce stepped up to
>the plate, but Alexis (*reportedly*) won't.  IMHO.

Huh?  I've seen no such reports.  On what do you base your speculation?

The only report that I've seen clearly says (Thu, 20 Jan 2005 16:56:41
+1100 quoting Sat, 8 Jan 2005 20:40:34 -0500):

  (1) you have obtained the requisite authorization from the domain 
  name registrant listed in the database of the Current Registrar, 

NO.  Obviously not.

  and (2) you have retained a copy of reliable evidence of the 

NO.  Nothing described here.

Indeed, as for Mel-IT stepping up to the plate, we've seen only 
contrary evidence here.  

Sure Bruce seems to be a nice guy.  So what?  His staff wasn't
responding to phone calls.  His boss wasn't responding, either.
His lawyer was actively hostile.

Looks to me like Alexis is the one that got screwed.  Certainly spent a
lot of time at the plate, many many hours!

So, let's go back to basics:

 - If you leave your house unlocked, the thief still goes to jail.

 - If you leave your car unlocked and the engine running, the thief
still goes to jail.

 - If your bank leaves its doors unlocked and the safe open and all
the employees go to lunch, the thief still goes to jail.

Stop blaming the victim!

William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
