Enough. (was Re: panix hijack press)

Steve Gibbard scg at gibbard.org
Thu Jan 20 19:24:40 UTC 2005


Ok.  I think at this point we all know there are problems with the domain
transfer process.  I suspect we can further agree that, as with many
serious problems, there were probably multiple contributing factors here.

I'd like to suggest that getting into a public screaming match or trying
to establish fault probably won't do anything useful, or at the very least
would be more productive if done in a court rather than on the NANOG list.

What might be more useful would be for those of you with a lot of time to
spend on this issue to come up with proposals for fixing or better
documenting the system, so that it will be more obvious how to avoid
problems like this in the future.

-Steve

On Thu, 20 Jan 2005, William Allen Simpson wrote:

>
> Apparently, some folks just don't get it....
>
>
> Richard Parker wrote:
>
> >...  However, all domain holders
> >can directly monitor the status of their domain using the .com registry's
> >whois server - including whether or not their domain has a status of
> >registrar-lock.  They do not have to rely on their registrar to tell them if
> >their domain is locked or not.
> >
> >
> >
> Now let's get this straight.  You think that ISPs in general need to
> assign staff to monitor the lock status of the hundreds or thousands
> of registered domains of our subscribers.
>
> Or that the subscribers, who typically aren't even on the whois
> contacts list, should be monitoring the lock status, of which they
> probably don't know (nor care) exists?
>
> What are you smoking?
>
> The whole locking mechanism was a poor design from the beginning.
>
> It's opt-out.  And we all are so fond of opt-out schemes, eh?
>
> >I don't think registrar-lock is a red-herring.  In the wake of the panix.com
> >hijack holders of domain names are naturally going to want to know what they
> >can do to prevent something similar happening to them.  The ability to
> >request registrar-lock is one of the few defenses domain holders have.
> >
>
> Huh?  What you are saying is maybe panix.com isn't "at fault" because
> they had requested (or expected) registrar-lock, but they are "at fault"
> because their registrar didn't properly lock it?  Or "at fault" because
> they didn't monitor the lock?
>
> Stop blaming the victim!
>
> The registrar-lock isn't a defense for the domain holder.  Not one iota.
> It was designed as a defense for the registrar.
>
> And the registrar in this case is a victim as much as the domain holder.
>
> Stop blaming the victim!
>
> >I haven't seen anyone on NANOG claim that Panix is not a victim.  Clearly a
> >serious error occurred in the process Melbourne IT uses to authenticate
> >transfers.  However, your analogies seem unnecessarily inflammatory.
> >
> >
> >
> Sometimes folks such as yourself need to be educated in clear, unambiguous
> terms that relate to life.  And yet the lesson still hasn't taken hold:
>
>
> >Another analogy might be to describe Panix as a bank.
> >
> >
> An analogy that is pretty far off, since the "bank" in this case would
> be the REGISTRAR, not Panix.
>
> And the registrar in this case is a victim as much as the domain holder.
>
> Stop blaming the victim!
>
>
> A personal responder wrote:
>
> >On Wed, Jan 19, 2005 at 09:35:21PM -0500, William Allen Simpson wrote:
> >
> >
> >>(6) Stop blaming the victim!
> >>
> >>
> >Well, in this case, it appears that the victim is saying that it had
> >taken precautions... and I concur with whomever it was who said that if
> >the lock date on all their other domains is post-incident, that's
> >pretty strong circumstantial evidence that they hadn't requested a lock
> >(which is what we *mean* when we say "customer locked that domain", so
> >kindly leggo that red herring).
> >
> >
> >
> You concur, without checking, and have no idea "whomever it was" that
> speculated, nor how many domains are administered by panix or dotster?
>
> You mean the REGISTRAR didn't lock the domain.
>
> But the registrar in this case is a victim as much as the domain holder.
>
> Stop blaming the victim!
>
> >So all we're *really* annoyed about here is that Bruce stepped up to
> >the plate, but Alexis (*reportedly*) won't.  IMHO.
> >
> >
> >
> Huh?  I've seen no such reports.  On what do you base your speculation?
>
> The only report that I've seen clearly says (Thu, 20 Jan 2005 16:56:41
> +1100 quoting Sat, 8 Jan 2005 20:40:34 -0500):
>
>   (1) you have obtained the requisite authorization from the domain
>   name registrant listed in the database of the Current Registrar,
>
> NO.  Obviously not.
>
>   and (2) you have retained a copy of reliable evidence of the
>   authorization.
>
> NO.  Nothing described here.
>
> Indeed, as for Mel-IT stepping up to the plate, we've seen only
> contrary evidence here.
>
> Sure Bruce seems to be a nice guy.  So what?  His staff wasn't
> responding to phone calls.  His boss wasn't responding, either.
> His lawyer was actively hostile.
>
>
> Looks to me like Alexis is the one that got screwed.  Certainly spent a
> lot of time at the plate, many many hours!
>
> So, let's go back to basics:
>
>  - If you leave your house unlocked, the thief still goes to jail.
>
>  - If you leave your car unlocked and the engine running, the thief
> still goes to jail.
>
>  - If your bank leaves its doors unlocked and the safe open and all
> the employees go to lunch, the thief still goes to jail.
>
> Stop blaming the victim!
>
> --
> William Allen Simpson
>     Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
>


