Agree. Let's add this to our DNS abuse discussions Jonathan Zuck Executive Director Innovators Network Foundation www.Innovatorsnetwork.org<http://www.Innovatorsnetwork.org> ________________________________ From: At-Large <at-large-bounces@atlarge-lists.icann.org> on behalf of Evan Leibovitch <evan@telly.org> Sent: Friday, August 23, 2019 11:08:47 AM To: Olivier MJ Crépin-Leblond <ocl@gih.com> Cc: ICANN At-Large list <at-large@atlarge-lists.icann.org> Subject: Re: [At-Large] Sonoma Valley Hospital loses 3-letter domain name to hijackers On Fri, 23 Aug 2019 at 10:59, Olivier MJ Crépin-Leblond <ocl@gih.com<mailto:ocl@gih.com>> wrote: With all the safeguards in use, that's really surprising. Surprising? I would say scandalous. And it's an abuse vector that ought to concern At-Large far more than gTLD allocation. Why doesn't ICANN have an appeals mechanism that allows maliciously redirected gTLDs to be returned to their original owner if malice can be demonstrated? Since we now now that "all the safeguards in use" can still be circumvented, why isn't there an after-the-fact remedy? Yes, it could be messy. But certainly you must all realize that if this goes unchecked it only opens the door to a new form of ransomware along side "we've encrypted your site". - Evan Best, Olivier On 23/08/2019 16:46, Dev Anand Teelucksingh wrote: https://www.sonomanews.com/home/a1/9924307-181/hospital-website-hijacked-by-... Sonoma Valley Hospital’s website was hacked earlier this month, forcing the change of its URL and email addresses, hospital officials announced last week. On Tuesday, Aug. 6, at 6:30 p.m., the hospital’s domain svh.com<http://svh.com> was “maliciously acquired,” said Celia Kruse de la Rosa, the hospital’s communications director. Hospital CEO Kelly Mather added: “The hijacking of our domain name was surprising and we are finding out, not unusual for highly valuable three letter domain names such as ‘svh.com.’” When it became apparent that the hospital would not get the domain name returned, they “began migrating all internet connectivity to the new and current domain: sonomavalleyhospital.org<http://sonomavalleyhospital.org> (web) and @sonomavalleyhospital.org<http://sonomavalleyhospital.org> (email),” de la Rosa said. _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org<mailto:At-Large@atlarge-lists.icann.org> https://atlarge-lists.icann.org/mailman/listinfo/at-large At-Large Official Site: http://atlarge.icann.org _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. -- Olivier MJ Crépin-Leblond, PhD http://www.gih.com/ocl.html _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org<mailto:At-Large@atlarge-lists.icann.org> https://atlarge-lists.icann.org/mailman/listinfo/at-large At-Large Official Site: http://atlarge.icann.org _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. -- Evan Leibovitch, Toronto Canada @evanleibovitch or @el56

+1 John More

On Aug 23, 2019, at 11:08 AM, Evan Leibovitch <evan@telly.org> wrote:

On Fri, 23 Aug 2019 at 10:59, Olivier MJ Crépin-Leblond <ocl@gih.com <mailto:ocl@gih.com>> wrote: With all the safeguards in use, that's really surprising.

Surprising? I would say scandalous. And it's an abuse vector that ought to concern At-Large far more than gTLD allocation.

Why doesn't ICANN have an appeals mechanism that allows maliciously redirected gTLDs to be returned to their original owner if malice can be demonstrated? Since we now now that "all the safeguards in use" can still be circumvented, why isn't there an after-the-fact remedy?

Yes, it could be messy. But certainly you must all realize that if this goes unchecked it only opens the door to a new form of ransomware along side "we've encrypted your site".

- Evan

Best,

Olivier

On 23/08/2019 16:46, Dev Anand Teelucksingh wrote:

...

https://www.sonomanews.com/home/a1/9924307-181/hospital-website-hijacked-by-... <https://www.sonomanews.com/home/a1/9924307-181/hospital-website-hijacked-by-...>

Sonoma Valley Hospital’s website was hacked earlier this month, forcing the change of its URL and email addresses, hospital officials announced last week.

On Tuesday, Aug. 6, at 6:30 p.m., the hospital’s domain svh.com <http://svh.com/> was “maliciously acquired,” said Celia Kruse de la Rosa, the hospital’s communications director.

Hospital CEO Kelly Mather added: “The hijacking of our domain name was surprising and we are finding out, not unusual for highly valuable three letter domain names such as ‘svh.com.’”

When it became apparent that the hospital would not get the domain name returned, they “began migrating all internet connectivity to the new and current domain: sonomavalleyhospital.org <http://sonomavalleyhospital.org/> (web) and @sonomavalleyhospital.org <http://sonomavalleyhospital.org/> (email),” de la Rosa said.

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org <mailto:At-Large@atlarge-lists.icann.org> https://atlarge-lists.icann.org/mailman/listinfo/at-large <https://atlarge-lists.icann.org/mailman/listinfo/at-large>

At-Large Official Site: http://atlarge.icann.org <http://atlarge.icann.org/> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy <https://www.icann.org/privacy/policy>) and the website Terms of Service (https://www.icann.org/privacy/tos <https://www.icann.org/privacy/tos>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

-- Olivier MJ Crépin-Leblond, PhD http://www.gih.com/ocl.html <http://www.gih.com/ocl.html> _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org <mailto:At-Large@atlarge-lists.icann.org> https://atlarge-lists.icann.org/mailman/listinfo/at-large <https://atlarge-lists.icann.org/mailman/listinfo/at-large>

At-Large Official Site: http://atlarge.icann.org <http://atlarge.icann.org/> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy <https://www.icann.org/privacy/policy>) and the website Terms of Service (https://www.icann.org/privacy/tos <https://www.icann.org/privacy/tos>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

-- Evan Leibovitch, Toronto Canada @evanleibovitch or @el56 _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org <mailto:At-Large@atlarge-lists.icann.org> https://atlarge-lists.icann.org/mailman/listinfo/at-large <https://atlarge-lists.icann.org/mailman/listinfo/at-large>

At-Large Official Site: http://atlarge.icann.org <http://atlarge.icann.org/> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy <https://www.icann.org/privacy/policy>) and the website Terms of Service (https://www.icann.org/privacy/tos <https://www.icann.org/privacy/tos>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

One has to wonder - why is it still ICANN policy to limit domain name contract terms to a maximum of ten years?         --karl-- On 8/23/19 7:58 AM, Olivier MJ Crépin-Leblond wrote:

With all the safeguards in use, that's really surprising. Best,

Olivier

On 23/08/2019 16:46, Dev Anand Teelucksingh wrote:

...

https://www.sonomanews.com/home/a1/9924307-181/hospital-website-hijacked-by-...

Sonoma Valley Hospital’s website was hacked earlier this month, forcing the change of its URL and email addresses, hospital officials announced last week.

On Tuesday, Aug. 6, at 6:30 p.m., the hospital’s domain svh.com <http://svh.com> was “maliciously acquired,” said Celia Kruse de la Rosa, the hospital’s communications director.

Hospital CEO Kelly Mather added: “The hijacking of our domain name was surprising and we are finding out, not unusual for highly valuable three letter domain names such as ‘svh.com.’”

When it became apparent that the hospital would not get the domain name returned, they “began migrating all internet connectivity to the new and current domain: sonomavalleyhospital.org <http://sonomavalleyhospital.org> (web) and @sonomavalleyhospital.org <http://sonomavalleyhospital.org> (email),” de la Rosa said.

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site:http://atlarge.icann.org _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

-- Olivier MJ Crépin-Leblond, PhD http://www.gih.com/ocl.html

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

On 8/23/19 10:22 AM, Bill Silverstein wrote:

How would that have changed things? This is not where the registration expired, but it is where someone fell for the providing credentials to the account or Network Solutions, again, fell for a scam.

My observation about the arbitrary and capricious ICANN policy of a ten year maximum is independent of this particular event. It has been my sense that a larger portion of deceptive transfers occur at renewal dates - often by people simply not noticing and names lapsing.  This is particularly a problem in ccTLDs where there may not be any usable grace policies. (It does not help that the renewal notice system is polluted because there are some abusive folks out there who send panic-creating mails, emails, and texts to registrants in order to induce them to jump to a new, and much higher priced, registrar.) You ask "what if the owner dies"?   To which I would extend and clarify that not all domain owners are biological, many are corporate, such as the Sonoma Valley Hospital that is the subject of this thread.  I know from my own operations of various business entities that domain renewals are a constant and annoying - and error prone - drizzle. The churn of forced renewals profits no one except, perhaps registrars and registries (especially in ICANN's new era of no-reason-needed registry price increases, even for legacy TLDs.) Oh yes, there is another group that profits - companies that offer domain name "portfolio management" services, usually for a hefty price. Moreover, in this era of life on the net a domain name may be an important part of a decedent's estate. And, in addition, the notion of lapse by death may, in fact, end up destroying digital legacies by making them inaccessible. Last time I calculated, there are more possible domain names than there are electrons in the universe.  There's no particular need to hurry the reclamation of names.  (Especially, as I have commented elsewhere, domain names are slowly fading from user view: https://www.cavebear.com/cavebear-blog/fading-domain-names/ ) I am often amused that people claim that domain names are "dead'.  What is "alive"?  A paid registration?  A viable NS record?  Some RR's served up by those NS listed servers?  A server at some address listed by an A or AAAA or CNAME?  etc. etc. One of the hallmarks of the concept of ownership is the power to say "no".  Anyone who has ever marketed a product and had to deal with search engine companies knows that once one uses a domain name for a web site that it is dangerous to ever relinquish that domain name because competitors will instantly jump onto it.  My own companies have large numbers of old domain names that we hold, but for which there are no web servers, simply because those names have built up "link juice" that would benefit our competitors were we to relinquish those names.  We are willing to pay $ for a few years to hold those names and let users (and web crawlers) get 404 errors rather than have a competitor grab searches for our products. As for whois "accuracy" - over the last 25 years I have not yet heard any cogent, much less persuasive, reason why private information should be made public 24x7x365 on the basis of mere curiosity without the need for the querier to state his/her own contact information, state a reason for access (and supporting proof).  I believe I can speak for many domain name holders that our telephones and emails are filled with junk derived from whois, even whois entries that vanished years ago. If you think someone is committing an abuse, then it should be easy to create a body of evidence to support that belief.  And when you dig into that whois database you ought to be able to state, into a permanent record, who you are and why you believe you are justified.  (And I'd go further that you should pay some $$ in order to create friction against abusive inquiries.)         --karl--

Let's not let the word "property" or "ownership" color this discussion - those words tend to drag-in a lot of preconceived notions. In law (at least in the US) there really is no such thing as "ownership".  Rather various people (and governments, and other legally recognized entities such as corporations) may have various (and often overlapping) kinds of rights and duties with respect to a thing.  We generally accord the word "owner" to whoever/whatever has the biggest collection of those rights/duties. Your concept of ICANN "owning" all domain names is interesting, however, because there can be multiple domain name systems, that would require a context such as "all domain names registered under such-and-such root zone file".   Moreover, usually such a vast grant of ownership tends to require a governmental level of delegation - the days of Conquistadors planting flags are largely in our past.  ;-) Given ICANN's history of kow-towing to certain industrial/governmental interests would we really want to accord this additional level of authority? Moving on... I find it better to consider the rights/duties surrounding domain names as contractual rights/duties.  That tends to remove any lingering preconceptions that come from words like "property". ICANN as it is presently established does operate on the basis of contract rights and duties.  (What is typically missing in the world of ICANN is the concept of "third party beneficiary" rights, which is the legal notion that a person - an intended or explicity beneficiary of the contract - but who is outside the contractual relationship may have the power to enforce terms of that contract.) Getting back to whois... I would assert that the data mining of whois has been a source of abuse of domain name registrants to at least the same degree, and perhaps a greater degree, than any asserted abuse by spammers. Virtually every person I know who has domain names has become the subject of a the hurricane of scam phone calls and emails originating from whois mined contact information.  And that hurricane does not stop - I'm still getting stuff that is based on whois information that became obsolete 30+ years ago.  A large number of people have turned off their telephones - a fact that recognizes that ill-minded people are modern day Vandals who are undermining our modern culture as much as the elder Vandals undermined Classical Rome. You raise the scenario of a person having to pay money to report a crime.  It is true that there is no $$ fee for that, but there are laws that make false reports a crime - make a false report and you could end up in jail yourself. There is no friction, no penalty, no nothing against anonymously perusing whois and redistributing that information.  There are sometimes some notices of dubious legal applicability and enforceability.  But when was the last time you read about a whois data miner going to jail or suffering a penalty? There's a balance to be made here.  However the status quo is anything but a balance.  The access to whois is free and easy, without penalty, cost, or friction; it can be made anonymously on a whim or mere curiosity - or as part of a mechanized data scraping operation.  On the other side there is a violation of privacy, without prior-notice that the privacy will be violated, note of who violated that privacy, or what accusation, if any, is being made to justify that intrusion. Is if no wonder that registry privacy services are so popular?         --karl--

Hi, I think Karl has made a good suggestion as to where the discussion should begin, and whois information is being covered already with the GDPR discussion. We can focus on the number of years before renewal. 100 years as suggested might be too long, but I also think it should be more than 10 years, maybe 20 years. Thanks Abdulkarim On Sat, Aug 24, 2019 at 5:05 AM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:

Of course thus is all different under gdpr so hardly worth the discussion

Jonathan Zuck Executive Director Innovators Network Foundation www.Innovatorsnetwork.org

------------------------------ *From:* At-Large <at-large-bounces@atlarge-lists.icann.org> on behalf of Karl Auerbach <karl@cavebear.com> *Sent:* Friday, August 23, 2019 6:15:50 PM *To:* Evan Leibovitch <evan@telly.org> *Cc:* ICANN At-Large list <at-large@atlarge-lists.icann.org> *Subject:* Re: [At-Large] Sonoma Valley Hospital loses 3-letter domain name to hijackers

Let's not let the word "property" or "ownership" color this discussion - those words tend to drag-in a lot of preconceived notions.

In law (at least in the US) there really is no such thing as "ownership". Rather various people (and governments, and other legally recognized entities such as corporations) may have various (and often overlapping) kinds of rights and duties with respect to a thing. We generally accord the word "owner" to whoever/whatever has the biggest collection of those rights/duties.

Your concept of ICANN "owning" all domain names is interesting, however, because there can be multiple domain name systems, that would require a context such as "all domain names registered under such-and-such root zone file". Moreover, usually such a vast grant of ownership tends to require a governmental level of delegation - the days of Conquistadors planting flags are largely in our past. ;-)

Given ICANN's history of kow-towing to certain industrial/governmental interests would we really want to accord this additional level of authority?

Moving on...

I find it better to consider the rights/duties surrounding domain names as contractual rights/duties. That tends to remove any lingering preconceptions that come from words like "property".

ICANN as it is presently established does operate on the basis of contract rights and duties. (What is typically missing in the world of ICANN is the concept of "third party beneficiary" rights, which is the legal notion that a person - an intended or explicity beneficiary of the contract - but who is outside the contractual relationship may have the power to enforce terms of that contract.)

Getting back to whois...

I would assert that the data mining of whois has been a source of abuse of domain name registrants to at least the same degree, and perhaps a greater degree, than any asserted abuse by spammers. Virtually every person I know who has domain names has become the subject of a the hurricane of scam phone calls and emails originating from whois mined contact information. And that hurricane does not stop - I'm still getting stuff that is based on whois information that became obsolete 30+ years ago. A large number of people have turned off their telephones - a fact that recognizes that ill-minded people are modern day Vandals who are undermining our modern culture as much as the elder Vandals undermined Classical Rome.

You raise the scenario of a person having to pay money to report a crime. It is true that there is no $$ fee for that, but there are laws that make false reports a crime - make a false report and you could end up in jail yourself.

There is no friction, no penalty, no nothing against anonymously perusing whois and redistributing that information. There are sometimes some notices of dubious legal applicability and enforceability. But when was the last time you read about a whois data miner going to jail or suffering a penalty?

There's a balance to be made here. However the status quo is anything but a balance. The access to whois is free and easy, without penalty, cost, or friction; it can be made anonymously on a whim or mere curiosity - or as part of a mechanized data scraping operation. On the other side there is a violation of privacy, without prior-notice that the privacy will be violated, note of who violated that privacy, or what accusation, if any, is being made to justify that intrusion.

Is if no wonder that registry privacy services are so popular?

--karl--

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

-- Website <http://www.unilorin.edu.ng>, Weekly Bulletin <http://www.unilorin.edu.ng/index.php/bulletin> UGPortal <http://uilugportal.unilorin.edu.ng/> PGPortal <https://uilpgportal.unilorin.edu.ng/>

On August 23, 2019 at 11:04 karl@cavebear.com (Karl Auerbach) wrote:

As for whois "accuracy" - over the last 25 years I have not yet heard any cogent, much less persuasive, reason why private information should be made public 24x7x365 on the basis of mere curiosity without the need for the querier to state his/her own contact information, state a reason for access (and supporting proof).  I believe I can speak for many domain name holders that our telephones and emails are filled with junk derived from whois, even whois entries that vanished years ago.

Many jurisdictions, and not just the US, require that if you are doing business with the public (which includes charities etc) that you must provide useful contact information. One can provide that on their web site but not all business of this nature is conducted via a web site, it might be an email offer etc. And whois was a convenient way for at least the honest to provide that contact information. Which brings us to the deeper nature of domain names. Are they all to be presumed to be an attempt to transact with the public? If not then why have one? One can come up with various reasons from the mundane (you registered your personal name) to the sublime (you thought it might be worth a million dollars one day.) But it's not always about the mental processes of the owner. A domain owner has willingly entered into a public sphere, by definition. I don't much accept the hobbyist or faddish nature of many domain ownerships as a driving force. Registries and registrars of course love that aspect as it means sales but it's the tail wagging the dog. That said I've long advocated that the publicly visible WHOIS information should be moved to a DNS record completely under the owners' control and separate from the business sales record a registrar keeps. But the same reasoning applies if not moreso since in that case an owner would have to make an effort to deceive and would lose the excuse of the potentially conflicting motivations of providing registration purchase data to a registrar vs providing general contact information for the public. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*

On 8/23/19 11:25 AM, bzs@theworld.com wrote:

On August 23, 2019 at 08:32 karl@cavebear.com (Karl Auerbach) wrote:

...

One has to wonder - why is it still ICANN policy to limit domain name contract terms to a maximum of ten years?

It doesn't sound like the problem was an expired domain name but reading the articles details are sketchy.

Multi-year fees can get a little tricky in terms of accounting and liability.

I agree, the case that started this thread may not have anything to do with registration periods.  But that doesn't mean that ICANN's ten year maximum term is arbitrary and capricious.  I was around when it happened and it was quit literally pulled out of thin air with no discussion, no rationale, no nothing - the best word is "fiat".  So why not revisit that decision? Sure, yearly billing can be a nuisance at both ends.  But as they say in housing: Why rent when you can own?   ;-) Why not pay up for the full term at the start?  Wanna buy 100 year registration, then pay the 100 year fee? And I would mention that the service that one gets for that registration fee is what?  The *non* deletion of a record (amounting to an almost negligible amount of storage) and the operation of some highly amortized servers (and an almost negligible amount of bandwidth for any given name.)  That aggregates to at most a few cents per name per year - for which registries are getting a fiat ICANN permitted monopoly registry fee amount that gives rise to profits-over-costs on the order of 10,000%.  In other words, a 100 year registration ought to have an up front-cost that is not much different than a ten year registration. It is fully possible to register domain names on the basis of service costs, rental for a period of years.  For instance in my hypothetical .ewe registry names are sold for a small fee - and represented by a digital certificate, a kind of bearer instrument (and thus no Whois) and no expiration - and revenue is obtained via services for things like updating name server records - https://cavebear.com/eweregistry/ (By-the-way, there is, or was, a blockchain based "namecoin" that uses the blockchain notion of "exactly one instance" to create a token that represents control of a domain name.  The name coin is used as proof of control over that name, not as a form of money.)         --karl--