North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: panix hijack press

  • From: Richard Parker
  • Date: Thu Jan 20 02:00:36 2005

on 1/19/05 9:14 PM, William Allen Simpson at wsimpson@greendragon.com wrote:

> However, that still looks to me like "Users can only ask that domains
> be locked."  Unless you are claiming that users can send the lock
> request directly to the registry, and monitor its status.

William, as a registrar operator I am certain that Mark Jeftovic knows more
about this subject than I do, but I do not believe that there is any
generally recognized mechanism for an individual domain holder to directly
request that the .com registry lock his domain.  However, all domain holders
can directly monitor the status of their domain using the .com registry's
whois server - including whether or not their domain has a status of
registrar-lock.  They do not have to rely on their registrar to tell them if
their domain is locked or not.

> I repeat, the domain locking red-herring has absolutely nothing to do
> with this domain hijacking.

I don't think registrar-lock is a red-herring.  In the wake of the panix.com
hijack holders of domain names are naturally going to want to know what they
can do to prevent something similar happening to them.  The ability to
request registrar-lock is one the few defenses domain holders have.  If the
panix.com domain had indeed been in registar-lock at the time the transfer
took place then domain holders would have had every right to be concerned
that their own locked domains could fall victim to a similar hijack.  The
fact that panix.com was not in registar-lock at the time of the hijack
provides a little comfort to those worried about a hijack of their own
domains.

> Gosh officer, if she'd only had a big padlock on her purse, I wouldn't
> have stolen it.
> 
> Gosh judge, if she'd only worn running shoes instead of those sexy high
> heels, I couldn't catch and rape her; the shoes made me do it.
> 
> Stop blaming the victim!

I haven't seen anyone on NANOG claim that Panix is not a victim.  Clearly a
serious error occurred in the process Melbourne IT uses to authenticate
transfers.  However, your analogies seem unnecessarily inflammatory.

Another analogy might be to describe Panix as a bank.  If a bank's vault is
robbed the bank is certainly the victim of a crime.  If my valuables are
secured in a similar bank across town, I might be concerned that the robbers
will hit my bank next and steal my valuables, particularly if my bank used
the same style of vault.  Once learning that the first bank hadn't installed
a door on their vault might be somewhat comforting if I check my own bank
and see that it has a secure vault door.  However, a customer of the first
bank might well be upset at the loss of his valuables if he discovered that
his bank's vault did not have a door - and it would not be surprising if he
was not entirely satisfied if the bank responded by saying "we asked our
vault vendor to install a door."

-Richard