panix.com hijacked (VeriSign refuses to help)

Alexis Rosen tried to send this to NANOG earlier this evening but it
looks like it never made it. Apologies if it's a duplicate; we're
both reduced to reading the list via the web interface since the
legitimate addresses for panix.com have now timed out of most folks'
nameservers and been replaced with the hijacker's records.

Note that we contacted VeriSign both directly and through intermediaries
well known to their ops staff, in both cases explaining that we suspect
a security compromise (technical or human) of the registration systems
either at MelbourneIT or at VeriSign itself (we have reasons to suspect
this that I won't go into here right now). We noted that after calling
every publicly available number for MelbourneIT and leaving polite
messages, the only response we received was a rather rude brush-off from
MelbourneIT's corporate counsel, who was evidently directed to call us
by their CEO.

We are also told that law enforcement separately contacted VeriSign on
our behalf, to no avail.

Below please find VeriSign's response to our plea for help. We're rather
at a loss as to what to do now; MelbourneIT clearly are beyond reach,
VeriSign won't help, and Dotster just claim they still own the domain and
that as far as they can tell nothing's wrong. Panix may not survive this
if the formal complaint and appeal procedure are the only way forward.
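A defender-side check that would have flagged the situation described above within one polling interval, added here as an example and not part of the original thread: it parses a dig-style answer snapshot for the domain and compares the NS set and apex A records against a recorded baseline. The baseline nameserver names and netblock are constructed placeholders (the thread does not give Panix's real records); only 142.46.200.72 comes from the thread.

```python
import ipaddress

# Baseline for a domain you operate: the NS set you registered and the
# netblocks its hosts normally resolve into. Constructed placeholders,
# not Panix's real records.
BASELINE = {
    "ns": {"ns1.legit-dns.example.", "ns2.legit-dns.example."},
    "netblocks": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed snapshot in `dig +noall +answer` format, showing what a
# resolver hands back once the hijacker's delegation has replaced the
# real one. 142.46.200.72 is the address the thread reports for panix.com.
SNAPSHOT = """\
panix.com.\t3600\tIN\tNS\tns1.hijacker-dns.example.
panix.com.\t3600\tIN\tNS\tns2.hijacker-dns.example.
panix.com.\t300\tIN\tA\t142.46.200.72
"""


def parse_answer(text):
    """Group dig-style answer lines by record type (NS, A, ...)."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank or malformed lines
        records.setdefault(parts[3], set()).add(parts[4].lower())
    return records


def check_domain(records, baseline=BASELINE):
    """Return findings that suggest an unauthorized delegation change."""
    findings = []
    ns = records.get("NS", set())
    if ns != {n.lower() for n in baseline["ns"]}:
        findings.append("NS set changed: %s" % sorted(ns))
    for ip in sorted(records.get("A", set())):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in baseline["netblocks"]):
            findings.append("apex A record %s outside expected netblocks" % ip)
    return findings


if __name__ == "__main__":
    for finding in check_domain(parse_answer(SNAPSHOT)):
        print("ALERT:", finding)
```

Run it from cron against a fresh `dig +noall +answer NS/A` of your own domain; an empty result means the delegation still matches what you registered.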

--- snip ---

how about trying to get in touch with the folks hosting the dns (on the off
chance that they are honest and willing to help) and asking them to put up
the correct panix.com zone?

-p

The purported current admin contact appears to be a couple in Las Vegas
who are probably the victims of a joe job. A little searching will
reveal that people by that name really *do* live at the address given,
and that one of the phone numbers given is a slightly obfuscated form
of a Las Vegas number that either now or in the recent past belonged to
one of them.

Suffice to say it doesn't seem to be possible to get them to change the
DNS.

Chasing down the records for the tech contact, and the allocated party
for the IP addresses now returned for various panix.com hosts (e.g.
142.46.200.72 for panix.com itself), and doing a little gumshoe work,
seems to show that they're all in some way associated with a UK holding
company that, when contacted by phone, claims no knowledge of today's
mishap involving Panix.com. It's possible that this set of entities was
chosen specifically *because* its convoluted ownership structure would
make getting it to let go of a domain it may or may not know it now is
the tech contact for as difficult as possible.

Beyond the above, it's basically a matter for law enforcement. Who is
really behind the malfeasance here is not clear, but what is clear
enough to me at this point is that there is, in fact, some deliberate
wrongdoing going on. Whether the point is just to harm Panix or
to actually somehow profit by it I don't know, but I do note that
an earlier message in this thread pointed out a very similar earlier
incident involving MelbourneIT as the registrar, the same bogus new
domain contacts, and another hapless U.S. corporate victim.

I don't know if these are merely isolated attempts at harassment and
mischief or the precursors to a more widespread attack. What I do know
is that I'm very concerned, Panix is quite literally fighting for its
life, everyone we've shown details of the problem to is concerned --
including CERT, AUSCERT, and knowledgeable law enforcement personnel --
with the notable exception of MelbourneIT, whose sole corporate response
has been one of decided unconcern, and VeriSign, who seem entirely
determined to pass the buck instead of investigating, fixing, or helping.

And so it goes.

Thor

--- snip ---

i know people from verisign (used to?) read nanog-l. perhaps some sort of a
deus ex machina intervention may be forthcoming? one can hope.

-p

Since folks have been working on this for hours, and according to
posts on NANOG, both MelbourneIT and Verisign refuse to do anything
for days or weeks, would it be a good time to take drastic action?

Think of what we'd do about a larger ISP, or the Well, or really any
serious financial target.

Think of the damage from harvesting logins and mail passwords of
panix users.

In addition, there is a good rule for such situations:
- first, return everything to the _previous_ state;
- having it fixed in the previous state, allow time for lawyers, disputes and so
on to resolve the problem.

It makes VeriSign's position very strange (of course, it is the dumb, clueless
behemoth it has always been) - instead of saying _OK, let's roll back the
last transactions and then you can object to this change_, they just step out.
The problem is much more serious than just one stolen domain - it shows 100%
that VeriSign is not able to manage the domain system properly.

What happens if someone steals the 'aol.com' domain tomorrow? Or 'microsoft.com'?
How much damage will be done until these sleeping behemoths wake up, set up a
meeting (on Tuesday I believe - because Monday is a holiday), make a
decision, open a ticket, pass thru change control and restore the domain? 5
days?

> In addition, there is a good rule for such situations:
> - first, return everything to the _previous_ state;
> - having it fixed in the previous state, allow time for lawyers, disputes and so
> on to resolve the problem.

agreed. but then proverbially, "common sense isn't".

> What happens if someone steals the 'aol.com' domain tomorrow? Or 'microsoft.com'?
> How much damage will be done until these sleeping behemoths wake up, set up a
> meeting (on Tuesday I believe - because Monday is a holiday), make a
> decision, open a ticket, pass thru change control and restore the domain? 5
> days?

with due respect to panix (i knew of panix before i ever knew of aol, even
living in europe), i imagine another bigger 'behemoth', as you so deftly put
it, has a better way of liaising with verisign than you, me or panix.

-p

As a sort of aside, the other phone numbers referenced there are Nampa, ID wireless cells... AT&T wireless I believe. A quick check on nanpa.com agrees with that.

It's possible those numbers might be far more interesting since they stand out. *shrugs*

Hi,

Thus wrote Alexei Roudnev (alex@relcom.net):

> What happens if someone steals the 'aol.com' domain tomorrow? Or 'microsoft.com'?
> How much damage will be done until these sleeping behemoths wake up, set up a
> meeting (on Tuesday I believe - because Monday is a holiday), make a
> decision, open a ticket, pass thru change control and restore the domain? 5
> days?

I remember that in a similar case in .de several larger ISPs put the
previous ('correct') zone on their resolvers. Would
a) people here feel that is an appropriate measure for this case
b) do it on their resolvers
c) the panix.com people want that to happen in the first place?

regards,
  Petra Zeidler

As much as it pains me to say, I'm sure there is a little difference when it
comes to some of the big domains.

1. It doesn't take any rocket scientist to sit back and say "Ummmm... I
really don't think this is a legit move" without a lot of thinking!

2. If a lawyer for AOL or MS or some really big company sent a letter
saying something about if you don't change this back in the next 30 seconds
or we will destroy your company, it would be more believable!

Unfortunately, size does matter. :-)

Scott

> > In addition, there is a good rule for such situations:
> > - first, return everything to the _previous_ state;
> > - having it fixed in the previous state, allow time for lawyers, disputes and so
> > on to resolve the problem.
>
> agreed. but then proverbially, "common sense isn't".
>
> > What happens if someone steals the 'aol.com' domain tomorrow? Or 'microsoft.com'?
> > How much damage will be done until these sleeping behemoths wake up, set up a
> > meeting (on Tuesday I believe - because Monday is a holiday), make a
> > decision, open a ticket, pass thru change control and restore the domain? 5
> > days?
>
> with due respect to panix (i knew of panix before i ever knew of aol, even
> living in europe), i imagine another bigger 'behemoth', as you so deftly put
> it, has a better way of liaising with verisign than you, me or panix.

There is a _rollback to the first state in case of any conflict_ common-sense
rule, precisely so that no liaising is needed.
If you purchased a domain or transferred it, and I suspended the change for a week,
it would never do you much harm.

AOL has gamed the system in the past to take over domain names they wanted
which were inconveniently registered by someone else by sending in an e-mail
to transfer the name to AOL. Despite NSI's assurances, the domain was
changed to AOL in spite of the original registrant's objection. NSI
said there was nothing they could do.

http://www.internetnews.com/bus-news/article.php/3_143441

On the other hand, when someone made an unauthorized change to AOL's
domain information, NSI reversed the change in a few hours.

http://news.com.com/2100-1023-216813.html?tag=bplst

Other than Panix having a constituency, unauthorized domain changes are an
old problem the registrar/registry haven't been able to solve in a decade.