ICANN responds

By Larry Seltzer  |  Posted 2005-04-04

ICANN did talk to me, saying the investigation is ongoing, although one wonders how much more information can be obtained with the passage of time. Tim Cole, ICANN's chief registrar liaison, said in the correspondence that "there is no indication that recent changes to the Transfer Policy had any bearing on this incident (the same abuse could have occurred under either the old or new policy)."

I have to disagree. Correspondence from Dotster demonstrates that it relied on the new transfer policy in its decision not to take any action in response to the notification. But if not for this inaction, predicated on the new policy, the transfer would not have proceeded.

Like I said before, lots of people look bad here, and Dotster is among them. It had the option, under the new policy, of letting the transfer proceed, but it also had the option of confirming it with Panix.com, the party with whom it had a relationship. Domain customers everywhere should take this into account when shopping for a registrar; Dotster won't stick up for you when the slammers come. Like I said, it didn't respond to my inquiries.

In fact, I have to scratch my head over Panix.com's behavior too. According to a whois search on Sunday the domain is still registered with Dotster, although now at least it has REGISTRAR-LOCK set. If I were Panix, after service like that, I would take the first train out of Dotstertown, but perhaps Panix is so cheap it wants to use up the rest of the $6.95 it spent for the domain this year. The fact that the domain wasn't locked until after Dotster got it back speaks badly of both Dotster and Panix. Panix customers should take note. Panix also didn't return my e-mails.

Ironically, the most negligent party of all, the reseller who initiated the illicit transfer, is the only one who gets away with a relatively unscathed reputation, because nobody will identify it. The role of resellers is another interesting issue here. In ICANN's letter to Melbourne IT it said:
    "We are also very concerned by Melbourne IT's explanation that the incident happened because Melbourne IT had purportedly delegated to a reseller the critical responsibility for obtaining the consent of the registrant prior to submitting a transfer request to the registry."
But this expression of surprise rings hollow, since the practice of using resellers for this purpose was discussed while the new transfer policy was being formed and their banishment from this role was considered and rejected. The word "solely" was removed from "The Gaining Registrar is solely responsible for validating Registrant requests to transfer domain names between Registrars." Obviously the point was to allow other parties to be responsible for validation.

I asked ICANN about this in light of recent events, and it said it's the registrar's responsibility to see that the owner confirmation is obtained and that all these rules are under consideration. That doesn't sound like what was said in the letter, but I guess we'll see how it plays out.

I also thought it was interesting that the reversal of the improper transfer happened so quickly. The ICANN transfer policy includes a provision for an "undo" procedure involving software written specifically for the purpose. I don't have access to the software, but according to a GoDaddy representative, the actual undo software is lousy:
    "The new registry tool to reverse a transfer does not seem to be an efficient mechanism in many cases. It can take several days to complete although both registrars have agreed to it. We have also had instances where canceling a first-level dispute, after coming to agreement with the other registrar, can take several days."
And, in fact, it turns out that the undo procedure was not used in the case of Panix.com. ICANN says that it was not necessary in this case, so both registrars just reversed the transfer without using the formal undo. What, I asked, is the point of undo, if registrars can just avoid it when they think it's proper to do so? ICANN said that using it is an option they have.

By the way, since Yahoo is a Melbourne IT reseller I specifically asked it if it was the reseller at issue. It denied that it was, and it also told me that it has 24/7 access to Melbourne IT support people in case something like a domain theft occurs. I do know that you can get to Yahoo's support people at all hours because I called them this past Saturday night to report that they were hosting a Paypal phishing attack, the domain for which had also been registered through Yahoo Domains. The site was down by Sunday morning, but since the domain was "paypal-cgi.us" you have to think that Yahoo and Melbourne IT don't scrutinize names for trademark violations very carefully.

Finally, I'm curious about damages in this case. Perhaps Panix.com would rather put it all behind it, but it suffered damages and I wouldn't blame Panix for trying to recover. But from whom? From Melbourne IT? From Dotster? From ICANN? How about Vanessa Miranda? And in what court? All I know now is that there is no ICANN process under which Panix can seek damages, and since this is an international affair and it's silly to expect slamming victims to seek redress in foreign courts, that too represents a failure of ICANN.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
