Re: [ga] More Stolen Domains -- not FUD

[Jeff Williams <jwkckid1@xxxxxxxxxxxxx>]

George and all former DNSO GA members or other interested
stakeholders/users,

  From my reading ONLY at this time, I think your listed suggestions
are very good ones.  I will  be sending them along to our members
for their review promptly.  I believe 3, 4, and 5 were made some time
ago and were very much in line with our suggestions some time ago
to ICANN.

  So a partial, WELL DONE is in order for  you here George!  >:)

George Kirikos wrote:

> Hello,
>
> There were MORE stolen domains than just panix.com. On an adult
> webmaster forum (I won't link there, as this is a family-list,
> presumably), someone revealed his Easy-Dater.com domain was hijacked
> this weekend from Dotster, going to DirectI.com. After some further
> research, I found that AEM.com and F3.com were likely stolen by the
> same person (i.e. have the same ns1/2.xybererotica.com nameservers, and
> repointed to the same IP). If someone can grep the zonefiles for all
> other *.xybererotica.com nameserver domain names, that would likely
> reveal a list of other stolen domains.
>
> Even though the new WHOIS was fake, Bhavin of DirectI wasn't really
> helpful. The nameservers of Easy-Dater.com have been put into a
> "suspended" state, instead of pointing back to the prior nameservers.
> We're talking about enormous lost traffic, too (an Alexa top 2000
> site). The thief left his counter public and not password protected
> (disovered browsing through a text browser -- don't use IE or FireFox,
> or you fax popup hell visiting the hijacked domains), and you can view
> the stats (browser safe) at:
>
> http://extremetracking.com/open;unique?login=xyber123
> http://extremetracking.com/open;unique?login=xyber000
>
> Almost 500,000 unique visitors diverted yesterday. Going through the
> referrer logs can help discover some stolen domains, but basically
> DirectI and others need to be more forthcoming with the list of names
> that went to them. They are not proactive, they are reactive.
>
> I have to disagree strongly with Ross regarding the state of the
> transfer system. The old system was premised on the idea that there
> were  rogue registrars gaming the system, to block transfers. The new
> system DID NOT ELIMINATE ROGUE REGISTRARS (or Registrars with inept
> systems that hackers can abuse)! I hate to say "I told you so", but the
> new system's weakness is that it ASSUMES the gaining registrar has
> proper authentication of the transfer. What are the penalties for
> registrars that don't properly do it? A Canadian registrant is supposed
> to "trust" a registrar equally to do authentication, even if they've
> never done business with it before, and are in India, Korea, etc??
>
> Steps that should be taken:
>
> 1) I think Tucows (and other security conscious registrars) should
> immediately LOCK all their customer domain names, just like NSI did, as
> a measure to make it harder for the current wave of thefts to continue.
> A lot of high profile domains are unlocked right now, and ripe to be
> stolen by rogue registrars or individuals. I am willing to bet that at
> least some of the folks rushing to get accredited are doing so in order
> to be able to steal domains that have bad contact info (a lot of
> domains were stolen because the owners are entirely unreachable, and
> thus hard to make a claim against the thief without reaching the prior
> owner). Those names should rightfully have been deleted, going into the
> drop cycle after expiry, but are systematically being stolen prior to
> expiry.
>
> 2) I think security conscious registrars should implement "soft and
> sticky unlocks", as I suggested to ICANN and others already.  What
> would happen is that when a domain name is unlocked, the registrant
> would be able to specify a specific registrar that they would permit
> transfers to. A transfer request from any other registrar would be
> auto-rejected (either by the existing registrar, or the registry,
> depending on how it is implemented), and if a transfer wasn't initiated
> within a given time window (e.g. a day or two) from the permitted
> gaining registrar, the domain would automatically go back to a normal
> locked (that's the "sticky" part).
>
> This would prevent the problem that some are having, where high-value
> domain names are being monitored continuously for changes in their lock
> status -- once they are unlocked, a wave of fraudulent transfer
> requests arrive from some of the minor registrars (e.g. ones in China
> or Korea), trying to steal the domain.
>
> It might be difficult to implement the above at a Registry level, but
> it shouldn't be hard for a registrar to do it. While not a "Consensus
> Policy" suggestion, perhaps it can be a part of a separate "Best
> Practices" document that security-conscious registrars can implement?
> Such "Best Practices" would help prevent undermining and balkanization
> of the system, as folks interpret the new transfer policy different
> (e.g. some registrars, eg. Moniker, will auto-NAK transfers unless a
> second confirmation is received, which I think should be allowed, IF
> and ONLY IF it's something the registrant opted-in to -- registrants of
> very valuable domains should be able to opt-in to higher security).
>
> 3) Double-confirmation (i.e. confirmation of a tranfer by the
> registrant via a mechanism of the losing registrar) should be permitted
> on an opt-in basis explicitly in the Transfer Policy.
>
> 4) "NameServer Sticky Unlock" that only permits changes in the
> nameservers, but autorejects transfers, and returns to regular lock
> status after a fixed period (e.g. 1 day) can be implemented by
> registrars too.
>
> 5) There needs to be a public audit trail over how domain name
> transfers took place (so that we don't need to rely on
> begging/subpoenaing registrars to provide the info to us). Then, buyers
> can have confidence that the valuable domains that they are purchasing
> have good provenance, and registrants are better able to show (without
> the huge expense of lawyers) that the names were hijacked (e.g. via
> fraudulent faxes, etc. -- one would think NSI would have learned given
> what happened with Sex.com, but they have not). We're talking about
> very high profile names too (e.g. yy.com, IRAQ.com, Wifi.com,
> secretary.com, and many others -- not all have been recovered, as
> sometimes it's hard to find the original
> registrants, in order to trace the chain of ownership -- e.g. the
> registrant dies, and then the name is stolen, before it can be properly
> deleted and made open to a fresh owner).
>
> Sincerely,
>
> George Kirikos
> http://www.kirikos.com/

Regards,

--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Be precise in the use of words and expect precision from others" -
    Pierre Abelard

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
E-Mail jwkckid1@xxxxxxxxxxxxx
 Registered Email addr with the USPS
Contact Number: 214-244-4827