From: fw at deneb.enyo.de (Florian Weimer)
Subject: Teen hacker controls ebay

* Karsten W. Rohrbach:

> Florian Weimer(fw@...eb.enyo.de)@2004.09.10 03:14:10 +0000:
>> * Rainer Duffner:
>> 
>> >> Personally, I can't comprehend how the default for something like that
>> >> would be "Yes", 
>> >
>> > Because, if the ISP is bankrupt, the "YES" will never come.
>> 
>> And that's a problem because of ...?
>
> Operations. Some of us call it daily business.

But only if your business is selling domains.

>> DENIC (the registry) claims to have a direct contractual relationship
>> with all domain holders (not "owners", registering a domain doesn't
>> grant you ownership, at least most of the time).
>
> Which means what, if you chose a "cheap domain" wholesale provider who
> "accidentally" sets himself as admin-c?

I'm not familiar with DENIC's position in detail.  There are some cases
in which DENIC considered the WHOIS registration information the only
authoritative data.  If the ebay.de case had been treated along the
same lines, ebay.de would have been forced to recover the domain in a
trademark suit because the new owner would have been the one that is
recognized by DENIC.

Of course, this is the way to opt out of self-regulation. 8->

> Which means what, if you happen to _move_ a domain from one provider to
> another, implying consent between the two ISPs involved?

Apparently, you can switch to DENICdirect without consent from any
DENIC member.  There's even a form for it.

>> In theory, you would resolve such a problem with DENIC.  In practice,
>> DENIC doesn't have the infrastructure to deal with bankruptcy even of
>> a small DENIC member/registrar.
>
> DENIC could not care less, if your current ISP's gone bankrupt or what
> not. It is not their business.

According to them, it is.  Your domain is automatically transferred to
DENICdirect if the member fails to pay DENIC for the domain.

> You mail in a KK (request for "connectivity coordination") and they
> process it. Finito. If your ISP does not answer the request, the KK
> will be ACKed, which is a good thing.

How many DENIC members run an auto-NAK bot?

> Also, provider "lock-in" is not possible this way. No provider can block
> your domain for transfer without a "NACK", which would have dire
> consequences when it hits the courts.

Really?  There are very strong arguments for auto-NAKs, and some of
them should stand up in court.

>> > IMHO (and several others more involved in the domain-trading biz)
>> 
>> The problem is that domains are used for more things than just for
>> domain trading.  The current focus on easy domain transfers might have
>> made sense a few years ago, but now there are some major stakeholders
>> which will simply put DENIC out of the loop if the DENIC processes
>> can't guarantee stable delegations, for whatever reason.
>
> DENIC is probably just the messenger in this game. Don't shoot'em.

DENIC is the sum of its members.  The members form its policies.

(The DENIC staff is an entirely different matter, of course.)

