Tracking the Phantom Registrar Debate
Here's to the power of the press, the blog, the Web and intelligent debate.
Not to pat ourselves on the shoulder too heartily, but I'm always enthused when a post on this blog moves someone to comment and share their own ideas on security.
When the blog itself can become a place where parties involved in a philosophical debate come to trade opinions and ideas, some that may even effect a change that improves security, well, that just makes me feel warm all over and special indeed.
All kidding aside ...
You may have seen the post that I filed on Tuesday about the latest report out of Boston-based anti-spam project KnujOn, which detailed how little background validation ICANN appeared to be performing to make sure that its certified registrars were following the rules and doing their best to keep nefarious sites from getting online.
In this case, KnujOn called out India-based Directi specifically for allowing its subsidiaries and affiliates to support illegal online pharmacy sites via the use of "phantom registrars" that the researchers said don't even exist.
In addition to using shady business practices to distance itself directly from the named activities, Directi was accused by KnujOn of trying to misrepresent some of its own business-related details in the past, such as its location in India, versus its formerly registered locale in Oregon.
Well, Directi didn't think much of the report, or my decision to blog about it--called it all totally inaccurate, in fact--and the folks over there began posting replies on the bottom of the initial blog refuting the research.
KnujOn fired back, and now we've got a fantastic give-and-take going on between the two outfits via the blog comments, one that hopefully sheds light on the gray areas that exist in the world of registrars, ICANN certification and other related matters, namely phantom registrars and Directi's involvement, or lack of involvement, with such entities.
To summarize briefly, Directi claims that KnujOn's report is baseless and that it has never knowingly bent the rules or obfuscated its business model to allow for illegal pharmacies.
KnujOn claims that Directi is simply trying to intimidate it out of publishing valid research that lifts the covers off the larger problem of how well ICANN is succeeding in making sure that registrars stick to the straight and narrow.
Perhaps the most salient point of the debate relates to ICANN's practices themselves.
"I think the next angle must include ICANN's convoluted rules and lack of accountability," Garth Bruen, who runs KnujOn, wrote in an e-mail.
And as he pointed out, to further illustrate the point:
- Stacy Burnette, director of contractual compliance at ICANN, recently admitted: "ICANN doesn't require registrars to publicly disclose their place of incorporation."
- "Telephone numbers in the contact information need not correspond to the location of incorporation."
Well, that's troublesome! It would seem logical to keep this information as accurate as possible, wouldn't it?
And Bhavin Turakhia, CEO of Directi, is on the record with:
- "The [ICANN Registrar Accreditation Agreement] has no obligation that requires a Registrar to suspend domain names or police the Internet or respond to abuse complaints."
Hmm ... now if that's true, it's REALLY worrisome. Because who the hell else can get them offline if the registrar won't?
Keep an eye on the blog comments there and here as hopefully the debate remains ongoing.
And would anyone else like to help us get to the bottom of the issues that drive these problems? Maybe someone from ICANN itself?
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.