[Paleopsych] NYT: (Panix.com) Purloined Domain Name Is an Unsolved Mystery

[Premise Checker]

Purloined Domain Name Is an Unsolved Mystery
NYT January 18, 2005
By TOM ZELLER Jr.

[I can't say my understanding is very great, but I was down for somewhat 
less than two days. Nice to learn that it has six thousand customers, 
including me.]

It was yet another reminder of how vulnerable a company's
brand name can be in the world of electronic commerce.

In the space of about 48 hours over the weekend, Panix.com,
New York City's oldest commercial Internet service
provider, saw its name slip out of its control and become
the center of an international cyberhunt to get it back.
Whether maliciously or inadvertently, the company's main
domain name - panix.com - had somehow been transferred to a
company in Australia.

Mail to users with a panix.com address was suddenly being
sent to a server computer in Canada that had no relation to
the company. And in Vancouver, Wash., Panix's registrar -
the broker responsible for securing rights to the domain
name and administering its use - was completely unaware
that the name had been pinched.

By yesterday evening, things were mostly back to normal at
Panix. But finger-pointing continued, and the incident
served as a reminder that, for all of the safeguards in
place to protect one of the more valuable assets in online
commerce - a company's domain name - those business
addresses remain vulnerable to theft.

The panix.com incident follows other cases of Internet
names being hijacked, including the temporary commandeering
last fall of the domain name for eBay Germany (ebay.de), by
a 19-year-old German man who said he had done it "just for
fun."

Alexis Rosen, president of Public Access Networks, which
owns Panix, said, "The system is broken. And it's incumbent
on the registries and registrars to fix it."

Mr. Rosen was lamenting the byzantine system for
distributing and maintaining domain names. The rules have
been established by and are overseen by the closest thing
the global Internet has to a governing body: the Internet
Corporation for Assigned Names and Numbers, or Icann, a
nonprofit international collective.

According to Icann's rules, Mr. Rosen or at least Panix.com
should have received a notice that someone, somewhere - it
is still unclear - had submitted a request to transfer the
domain name. That would have set in motion a process that
would have made the transfer happen automatically, unless
Panix took steps to block it.

Mr. Rosen argued that a notice should also have been
provided by the registrar through which he originally
received the panix.com domain, a company called Dotster.
But Dotster says it was simply following Icann's rules.

Whatever the sequence, over the weekend an Australian
Internet company, MelbourneIT, found itself the new owner
of the panix.com domain. MelbourneIT executives said they
knew nothing about it until receiving calls from Panix.com
representatives. The two sides determined that the transfer
had been initiated via an MelbourneIT affiliate in Britain,
but that no one had yet figured out who actually submitted
the request.

Another layer of notification, Mr. Rosen said, should have
come from VeriSign, a company in Mountain View, Calif.,
that maintains the Internet's master registry of all
dot-com addresses. But Mr. Rosen said that VeriSign had
provided no such notification and had not been helpful at
first when he alerted it to his problem over the weekend.

He received an e-mail message from a VeriSign customer
service representative. "Unfortunately there is little that
VeriSign Inc. can do to rectify this situation," the
message read in part.

VeriSign did not return phone calls yesterday seeking
comment.

Meanwhile, Mr. Rosen's 6,000 customers, many of them local
businesses and community groups in the New York tri-state
area, were slowly losing their e-mail and Web sites.
Eventually, Panix's status as one of the region's original
Internet service providers prompted longtime Internet users
to pressure the various parties to do something. Mr. Rosen
said VeriSign eventually contacted MelbourneIT and nudged
it to return the domain name to Panix's control.

Some placed the blame on new domain transfer rules that
Icann established in November, which were designed to make
it easier to transfer domain names from one registrar to
another. The rule changes were made in response to
widespread complaints from domain owners that their
registrars were making it too hard for them to sever ties
and take their business elsewhere. Under the new rules,
domain transfer requests are automatically approved after
five days unless the owner of the domain takes action to
stop the move.

One angry Panix customer, Kenny Greenberg, posted a message
on the Icann Web site saying that "there is obviously a
huge flaw with the existing transfer policy."

But Tim Cole, the chief registrar liaison for Icann, said
such criticism was premature. "For one thing, some research
has to be done into what the hijacking consisted of," Mr.
Cole said. "How did it take place? It could be a
disgruntled former employee of Panix, for instance, or
someone who simply hacked into a computer to determine the
right administrative contact names. And no amount of policy
could prevent that."

Other Internet specialists seemed to agree. They said the
only protective measure - itself not foolproof - would be
for domain owners to insist that registrars put a "lock" on
domain names, which requires an extra layer of verification
before a name can be transferred. (Dotster said yesterday
it would automatically begin locking its customers' domain
names.)

"Somebody simply spoofed the contact info for this domain,"
said Susan Crawford, a professor of Internet law at the
Benjamin N. Cardozo School of Law in New York. "It has
always been an easy thing to do, which is why all
registrants should have a lock put on the name. Nothing can
be made perfectly secure, and as far as I can tell, neither
the registrar nor the registry acted improperly."

Mr. Rosen said the inability to assign blame was indicative
of the current system's problems. "It happened to us not
because of any error on our part," he said. "If it can be
done to us it can be done to anybody."

http://www.nytimes.com/2005/01/18/technology/18domain.html