Association of Trustworthy Roots?

While the Association of Trustworthy ISPs idea has some merit, we've
not been too successful in self-organizing lately. ISP/C?

At the moment, I'm concerned whether we have trustworthy TLD operators.

It's been about 24 hours, it is well-known that the domain has been
hijacked, we've heard directly from the domain owner and operator,
but the TLD servers are still pointing to the hijacker.

wsimpson@greendragon.com (William Allen Simpson) wrote:

> While the Association of Trustworthy ISPs idea has some merit, we've
> not been too successful in self-organizing lately. ISP/C?

I thought we already had built such a thing, currently covered by ICANN.
But well...life changes everything, and for some (or many) of us, this
association doesn't seem so trustworthy anymore. Maybe it would be better
to improve trustworthiness of the existing authorities. I believe there
is still much room for participation, not to mention political issues
you simply cannot counter on a technical level.

> At the moment, I'm concerned whether we have trustworthy TLD operators.

One can never know what's going on behind the scenes. Maybe Verysign
is on the issue, maybe not. I believe, there are at least three VS
people on this list who could address this. I don't know whether they
are allowed to.

> It's been about 24 hours, it is well-known that the domain has been
> hijacked, we've heard directly from the domain owner and operator,
> but the TLD servers are still pointing to the hijacker.

By chance - how is the press coverage of this incident? Has anybody
read anything in the (online) papers? Unfortunately I haven't been
able to follow the newsboards intensely this week-end, but Germany
seems very quiet about this.

Yours,
  Elmar.

Nothing in the offline papers, but panix.com does appear once in print as the email home of business journalist and Newsweek "Wall Street" editor Allan Sloan, whose unflattering article about Cheney-Halliburton-asbestos appeared in the Washington Post on January 11.

The article is here:

http://www.washingtonpost.com/wp-dyn/articles/A64535-2005Jan10.html

TV

slashdot has mentioned it, with lots of quotes from the NANOG list:

http://it.slashdot.org/it/05/01/16/0027213.shtml?tid=95&tid=172&tid=17

Nothing like staying on the subject.... That's why I started a new
thread. Let's keep this separate, please.

James Edwards wrote:

> While the Association of Trustworthy ISPs idea has some merit, we've
> not been too successful in self-organizing lately. ISP/C?

> I thought we already had built such a thing, currently covered by ICANN.

let's think outside the box.

there's no reason that nanog (or anyone willing to run
a mailing list) couldn't create an ad hoc
decentralized Trustworthy ISP/Root service. heck,
such a thing may even encourage more active
participation in nanog. having a shared group
identity where the rubber meets the road is very
powerful. it's the underlying motivator behind the
nanog, xBSD, GPL, torrent, tor, (pick your non-
hierarchical community driven project), etc. clans.

there's also no reason that this has to replace ICANN.
and it would likely have the exact result on existing
entities that you mention below - improved
trustworthiness.

peace

See http://www.public-root.com for an alternative to the ICANN monopoly.
Those folks are very concerned with security.

i sent in a hastily worded summary with some quotes from the list to
theregister.com/co.uk. ime, a lot of print media use them to source stories.
with any luck, we'll see it up there tomorrow.

-p

> See http://www.public-root.com for an alternative to the ICANN monopoly.
> Those folks are very concerned with security.

these folks don't seem very decentralized. do you
know if they have a public mailing list? there
doesn't seem to be much information on the website.

(this is kinda old since it seems the problem is being reversed, but...)

It's possible that the process which exists today to move and un-move
domains from registrar to registrar is in fact working. It's also possible
that changing that process based on 'size of the abused' is not looked
upon kindly by:
1) operators
2) icann
3) the world at large

I'm not sure what's happening with Melbourne IT (is anyone aside from Mr
Rosen and MIT?) I'm also not sure what's going on with Verisign, though I
assume Mr. Rosen and MIT do... If the proper process was started then
things look good, though unfortunately it may take some time to resolve
the problem. That process/procedure is in place for a good reason,
circumventing it will lead to problems in the long run. Do you circumvent
for MS, for AOL, for ATT? At what point do you draw the line? My home
business of pot painting?

A process that is equally applied across the board serves all folks
better. Fixing the current process to have faster, more complete reaction
times would certainly seem in order (and I'd expect Mr Rosen and several
others here to have something to say about that at the next ICANN
meeting?).

As to the perceived lack of progress by a Registrar, it does seem strange
that ICANN/Verisign/Core (I'm not sure which of the three really) don't
have some sort of 24/7 management, monitoring and operations
requirements built into registrar contracts. Perhaps they do and this will
be some leverage to revoke that contract?

-Chris

Once upon a time, Christopher L. Morrow <christopher.morrow@mci.com> said:

> That process/procedure is in place for a good reason,
> circumventing it will lead to problems in the long run. Do you circumvent
> for MS, for AOL, for ATT? At what point do you draw the line? My home
> business of pot painting?

If the proper procedure was circumvented in the first place (which
appears to be the case with panix.com), then it should be circumvented
to repair the damage as fast as possible.

They don't have a mailing list that is public yet. Might
be a good suggestion.

That's the asymmetric problem with identity theft. Companies seem to
make it easier to steal the identity (24x7 transfers with 10 minute zone
file updates) than to correct the theft (only open Monday-Friday, find the
right department, fill out multiple forms, wait 2 weeks, etc).

I agree rules and processes are important. Instead of calling it
circumvention, I would call it a robust exception handling process. Both
the initial process of protecting your identity, as well as the exception
handling process in the event it is compromised, should be available for
both my home domain as well as well-known companies like MS, AOL and
AT&T. It should be as hard to steal my domain as it is to steal AOL.COM.

Unfortunately, there is very little I can do to prevent a
Registry/Registrar from giving my identity away without my
permission.

Sean,

> That's the asymmetric problem with identity theft. Companies seem to
> make it easier to steal the identity (24x7 transfers with 10 minute zone
> file updates) than to correct the theft (only open Monday-Friday, find the
> right department, fill out multiple forms, wait 2 weeks, etc).

That just makes it hard to do business period, you need to make it
harder for a user to verify who they are. Such as a secret password
and a faxed in authorization form or choose your level of security.

> I agree rules and processes are important. Instead of calling it
> circumvention, I would call it a robust exception handling process. Both
> the initial process of protecting your identity, as well as the exception
> handling process in the event it is compromised, should be available for
> both my home domain as well as well-known companies like MS, AOL and
> AT&T. It should be as hard to steal my domain as it is to steal AOL.COM.

Yes, it should be equally as hard to steal your domain as it would be
to steal AOL, MS, AT&T, MCI or any of the larger "world-wide traffic
holders"

> Unfortunately, there is very little I can do to prevent a
> Registry/Registrar from giving my identity away without my
> permission.

There's a lot you can do, you can always complain. More complaints to
your registrar about security end up with a lot more results. So try
that out.

If it can be proven to have been circumvented, sure. I don't think anything
beyond conjecture about that has been said 'publicly' yet, has it?

So, more folks need to make the right noise at ICANN meetings about this
policy.

Christopher L. Morrow wrote:

> > If the proper procedure was circumvented in the first place (which
> > appears to be the case with panix.com), then it should be circumvented
> > to repair the damage as fast as possible.
>
> If it can be proven to have been circumvented, sure. I don't think anything
> beyond conjecture about that has been said 'publicly' yet, has it?

Why yes, you must have missed the messages. The domain owner and ISP
and registrar all clearly stated that they had received no notification,
and had not approved the transfer. Notification and approval are
required by the process. Therefore, it was proven to be circumvented. QED.

Now, as to the actual mechanism of circumvention, that has not yet been
revealed here. All we know is that a registry *supervisor* stopped the
workers from finishing their investigation.

Clearly, this .com registry operator is not trustworthy.

The longest piece:
<http://www.theage.com.au/news/Breaking/New-York-ISPs-domain-hijacked/2005/01/17/1105810810053.html>

Also:
http://news.zdnet.com/2100-9588_22-5538227.html

-Hank

Please distinguish (as I'm sure you are, but the subject line and, it seems
some replying aren't) between Root Servers on the one hand, and TLD
operators and the policy controlling them on the other.

You may or may not think Verisign as registry is blameless / disreputable
and to blame for this incident.

You may or may not think the gaining/losing registrars are blameless /
disreputable for this incident.

You may or may not think that ICANN gTLD policy is blameless / disreputable
for this incident.

What it has nothing to do with, however, is *root* policy (as in how the
root servers are operated and what goes in them) - it's gTLD policy. There
are plenty of things in the root other than gTLDs, and even policy
variation for gTLDs. Arguing for alternative roots is a recipe for chaos and
less protection for existing registrants. Arguing for policy changes (or
even operator changes) within the TLD you find fault with is fair game.

To illustrate the point, .uk has (a) direct contracts between registry and
registrant (even when registered through a registrar), and (b)
registrar<->registrar moves done by push (either by the losing registrar or
failing that by the registrant) rather than by pull. I make no claim it is
perfect, and am not even here going to argue it's superior. I will,
however, argue that the failure modes are substantially different. Do not
attempt to apply the same medicine to diverse illnesses!

(more details at
  http://www.nominet.org.uk
for those interested)

Alex

Whee, AlterNIC take 7!

In any case, these are *root* (".") servers, not gTLD (i.e., "com.")
servers; they defer to ICANN for those. This wouldn't help one bit.