I had a very hard time reading this article. It's filled with so many platitudes and truisms ("And, it always helps to have friends and good relationships with the people who are able to help.") and yet it doesn't really explain what happened. For all I know they might have forgotten to pay for the invoice.
Wow, I haven't heard the name Tom Christiansen in years. I remember when he used to comment on Slashdot. This inspired me to find my Slashdot login and dig up some of his old posts. I just discovered his amazing eulogy for Gary Gygax [0]. I never knew that Tom used to work at TSR (of D&D fame) before becoming a programmer.

[0] https://slashdot.org/comments.pl?sid=475216&cid=22665150
A lot of domain name management runs on the honour system. Here are two relevant stories regarding this:

- The Duct Tape Holding the Internet Together: https://medium.com/thisiscala/the-duct-tape-holding-the-internet-together-12118be60ff1

- Sinkholed: https://susam.in/blog/sinkholed/

Disclosure: I am the author of the second story.
If you own a high-value domain, you should consider asking your registrar/registry to turn on a registry lock [1], which protects you from compromises or social engineering at your domain registrar. It's a little more expensive and can slow down NS delegation updates, but otherwise you run the risk of what happened here to perl.com, which can be extremely disruptive even if your attackers don't try and resell the domain.

You can check the status of a domain by looking for "Status: server{Delete,Transfer,Update}Prohibited" in the whois response for that domain [2].

[1] https://krebsonsecurity.com/2020/01/does-your-domain-have-a-registry-lock/

[2] https://www.verisign.com/en_US/channel-resources/domain-registry-products/registry-lock/index.xhtml
We nearly had something like this happen to Fastmail many years ago:

https://fastmail.blog/2014/04/10/when-two-factor-authentication-is-not-enough/

Scary stuff. Basically we had 24 hours to dispute via email when a fax was sent to our registrar with a faked-up Australian company registration and a fake passport asking to remove 2FA and change the owner email to an address @qq.com.

At the same time, our hostmaster email address had been signed up to hundreds of non-double-opt-in mailing lists, so that there was lots of noise for this email to be lost in.

We had to fight very hard to be allowed to see the fax that was allegedly from us, so that we could see what they had done.
Aside from the primary content regarding the hijacking at the registrar, I really enjoyed reading about the methodological approach they adopted for tracking information and contacts during the crisis.

But to the primary content: I've been surprised at just how ad hoc much of the internet backbone infrastructure is as I've learned more about it. The same could be said about the payments processing industry! Beneath all the complexity and sleekness underlying the tools we use every day seems to eventually lie a system of IOUs, with an honor-based resolution mechanism between sufficiently trustworthy entities.
> John Berryhill provided some forensic work in Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed.

Isn't this preventable with "clientTransferProhibited" [1]?

> This status indicates that it is not possible to transfer the domain name registration, which will help prevent unauthorized transfers resulting from hijacking and/or fraud. If you do want to transfer your domain, you must first contact your registrar and request that they remove this status code.

If nothing else, you'd think that some simple monitoring would be warranted if you own an important domain, like checking the exit code of:

# whois -h whois.verisign-grs.com google.com | grep "Registrar: MarkMonitor, Inc."

[1]: https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en#clientTransferProhibited
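The two checks suggested in this thread (the registry-lock status codes from the earlier comment, and the registrar-name grep above) can be folded into one monitoring script that also watches the name servers, since the comment above notes the registrar changed months before the NS records did. This is an added example, not code from the Perl NOC post or from any commenter. It parses the key/value layout of a Verisign thin whois reply; the two whois responses embedded below are constructed samples for a hypothetical example.com with a made-up registrar, not real registry data, and `fetch_whois` is a small wrapper around the system `whois` binary that the offline samples do not exercise.

```python
import subprocess

# Constructed sample replies in the layout Verisign's whois uses for .com/.net.
# The domain, registrar and name servers here are invented for illustration.
SAMPLE_LOCKED = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, LLC
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

# Same domain after a hypothetical transfer: new registrar, no locks, NS unchanged.
SAMPLE_MOVED = """\
   Domain Name: EXAMPLE.COM
   Registrar: Some Other Registrar
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
   Domain Status: ok https://icann.org/epp#ok
"""

# server* codes are set by the registry (the "registry lock" from the Krebs
# and Verisign links); clientTransferProhibited is set by the registrar.
REGISTRY_LOCK_CODES = {"serverDeleteProhibited", "serverTransferProhibited",
                       "serverUpdateProhibited"}
REGISTRAR_LOCK_CODES = {"clientTransferProhibited"}


def parse_whois(text):
    """Pull registrar, EPP status codes and name servers out of a whois reply."""
    fields = {"registrar": None, "statuses": set(), "nameservers": set()}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "registrar":
            fields["registrar"] = value
        elif key == "domain status":
            # "clientTransferProhibited https://icann.org/epp#..." -> keep the code
            fields["statuses"].add(value.split()[0])
        elif key == "name server":
            fields["nameservers"].add(value.lower())
    return fields


def audit_domain(text, expected_registrar, expected_nameservers,
                 require_registry_lock=True):
    """Return a list of findings; an empty list means nothing has drifted."""
    w = parse_whois(text)
    findings = []
    if w["registrar"] != expected_registrar:
        findings.append(f"registrar changed: expected {expected_registrar!r}, "
                        f"got {w['registrar']!r}")
    expected_ns = {n.lower() for n in expected_nameservers}
    if w["nameservers"] != expected_ns:
        findings.append(f"nameservers changed: missing {sorted(expected_ns - w['nameservers'])}, "
                        f"unexpected {sorted(w['nameservers'] - expected_ns)}")
    missing_client = REGISTRAR_LOCK_CODES - w["statuses"]
    if missing_client:
        findings.append(f"registrar lock missing: {sorted(missing_client)}")
    if require_registry_lock:
        missing_server = REGISTRY_LOCK_CODES - w["statuses"]
        if missing_server:
            findings.append(f"registry lock missing: {sorted(missing_server)}")
    return findings


def fetch_whois(domain, server="whois.verisign-grs.com"):
    """Live lookup via the system whois client (network; not used by the samples)."""
    return subprocess.run(["whois", "-h", server, domain],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    expected_ns = ["ns1.example.com", "ns2.example.com"]
    for label, sample in (("locked", SAMPLE_LOCKED), ("moved", SAMPLE_MOVED)):
        result = audit_domain(sample, "Example Registrar, LLC", expected_ns)
        print(label, "OK" if not result else result)
```

Run from cron, a non-empty findings list is the alert; the registry-lock check is opt-out because not every registry offers the server* codes, and a domain that legitimately lacks them should not page you every hour.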
> We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There’s no reason for Network Solutions to reveal anything to me (again, I’m not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported.

Look, if your domain is with Network Solutions, and you missed the other wake-up call [1] to get off of them, let this be the wake-up call.

Network Solutions was the right (only) choice for domains in the 90s, but it hasn't been the right choice for domains in probably two decades.

[1] https://www.theguardian.com/technology/2013/oct/08/whatsapp-avg-avira-anonymous-hacked-palestine
Key-Systems GmbH seems like a legitimate business to me (judging by their website and company register data); it seems they acquired the domain from the Chinese registrar to resell it. Still, it seems hard to believe that you wouldn't become suspicious when a Chinese company offers you a very popular domain name that seems to be in active use for sale.

That said, I've seen registrars make some glaring mistakes in the past, and many still rely on faxed documents to authorize domain transfers, so it's not a surprise that stuff like this happens. Often, all it takes is finding out who the registrar is (easy), obtaining a blank transfer authorization form from that registrar (easy again), obtaining the personal or company data of the domain owner (a bit more difficult but still doable), filling out the form and faxing it in. Some providers won't even bother to send you a notification when transferring the domain, so, like here, the legitimate owner won't notice it's gone before it's way too late.
This highlights a usefulness of not choosing the largest and/or cheapest domain name registrar. I work at a small registrar, and we know all our customers and communicate with them directly. Social engineering attacks get harder in such an environment.
So what actually happened? Neither OP nor the linked press articles seem to really explain it.

(There's a joke somewhere in here about how readable Perl is.)
> And, it always helps to have friends and good relationships with the people who are able to help.

It would be nice if, you know, people just did their jobs impartially regardless of whether they know or like you. But the reality is that not knowing the "right people" does indeed make things much harder, as we hear often here on HN from small businesses trying to deal with the tech giants.
I had this same thing happen at my company. GoDaddy somehow allowed someone to disable dual auth through social engineering and reset our password through a compromised email. They proceeded to initiate a domain transfer. Not sure how GoDaddy would allow disabling dual auth over the phone.
I literally shuddered when I read "Perl NOC". It was like the ghost of a neckbearded BOFH breathed down my neck... On a serious note, I absolutely adore the simplicity of their blog (https://log.perl.org/)
A bit off topic, but I like the usage of "social engineering attack" instead of "anything to do with the word computers/cyber/hacking", because it places the onus on the correct parties and the correct systems that failed.
A slow heist by Chinese spammer/scammers to use a popular domain name. This is clever and in direct contrast to the usual gobbling up of domains for spam/scam purposes as soon as they expire at the peril of a forgetful owner.
I did not read this, but a mate I used to work with was getting harassed by debt collectors. He looked up the DNS records, and the domain registrant email was set to another domain, admin@suchandsuch.com. Well, it turns out suchandsuch.com had expired.

He bought the domain, set up the email admin@suchandsuch.com and reset the debt collectors' main domain by requesting a transfer to another domain provider; it then sent an email to the domain record holder and he took over their domain.

Never use the same domain or another domain for registrant emails, and buy privacy. Use a Gmail or your ISP-provided email.
That is an incredibly long-winded way of saying very little.

Which is ironic, as that is literally the opposite of the Perl programming language itself.
Took me a while to figure out what this “Perl” was, so if you’re like me, I’m gonna save you some time: “Perl” seems to be the old name of the popular Raku language.
What would solve the constant fear of losing important domains is making domains NFTs on the Ethereum blockchain.

This would make the situation better in two ways:

1: A normal domain move can only happen when the domain owner signs the transaction. If the domain owner claims to have lost their key, this would raise a red flag and result in an in-depth analysis which the domain owner has to pay for.

2: The movement of the domain would be announced on the blockchain. So in case the in-depth analysis has been tricked by an attacker, the rightful owner would be alarmed immediately. For this they would use some service that monitors the blockchain for them. They could then reverse the transaction with their key.