After 9/11, a clever MIT undergrad grabbed some form of alqaeda.net. Any email sent to the address went to the corresponding @mit.edu email address. You could email professor_alice@alqaeda.net, and it'd arrive at professor_alice@mit.edu.<p>Undergrads sent emails like that for the lols. Recipients got freaked out they'd end up on some government watch list.
This is true of crypto wallets and NFTs as well. More than one project has attempted to send NFTs or assets to high profile wallets (ex: trillions of dog-coins sent to Vitalik's wallet that he ultimately donated to get rid of but not before drawing the intended media attention[1]) and the whole concept of airdrops is based around the idea of permissionless receiving.<p>Unfortunately, re: swatting via a non-tech-savvy LEA and domain registrars: you could likely just update the contact details on a domain you own to the intended target and that'd probably be enough.<p>[1] <a href="https://www.coindesk.com/markets/2021/10/20/vitalik-buterin-sent-away-trillions-of-unwanted-dog-coins-but-more-keep-rolling-in/" rel="nofollow">https://www.coindesk.com/markets/2021/10/20/vitalik-buterin-...</a>
<a href="https://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html" rel="nofollow">https://www.schneier.com/blog/archives/2008/03/the_security_...</a><p>'Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.<p>I replied: “What’s really interesting is that these people will send a tube of live ants to anyone you tell them to.”'
This feels plausible but if someone wanted to SWAT someone ... there's probably other / likely easier ways to do it.<p>Having to register a domain, come up with some content, or just point the domain at some content ... then transfer it ... and then make a big deal out of it (getting attention is hard) and hoping nobody notices the easy to prove explanation that "someone transferred this to me" ... and avoiding getting caught seems like a big ordeal.<p>The story here is "hey random guy also hosts horrible stuff at his domain that he registered in his own name ... well he did". Maybe some folks run with that, but I'm not so sure.<p>The mechanism here seems "easy" on the surface, but actually rather complicated, and odds of success seem low.
Tangentially related, but we stepped on a rake by forwarding spam and malware emails to abuse@outlook.com.<p>These morons got our poor mail server blacklisted in some super-exotic way that required several days of escalations to sort out. Moreover, they did it more than once, several months apart, each time causing a week of non-deliverability problems, and it took us a damn long while to add 1 and 1 to see why it was happening. Stopped reporting the abuse to them after that and all is good now.
II.A.1.2:<p>> 1.2 "Designated Agent" means an individual or entity that the Prior Registrant or New Registrant explicitly authorizes to approve a Change of Registrant on its behalf.<p>Unless there is some other mechanism for preventing the Registrar from also being Designated Agent, it might be that R has terms in its EULA where registrants agree that R is also Designated Agent.
Unless things have changed, this isn't an issue with any particular registrar, you can put anyone's contact info in for the WHOIS information. In fact, just not having your name in the WHOIS won't help with the SWAT problem. Someone could just as easily create any website and just say they are you. I haven't talked to a SWAT team member in quite a while, but I still doubt they're very adept at looking up WHOIS information. I think it'd suffice to say that if anyone creates a website that says "I am ..., this is my plan to commit some serious crime", you're probably getting a visit, rather than an assumption that it's a spoof just because the WHOIS info doesn't match.
Being able to send people things without their approval is a problem on all sorts of things across the internet.<p>Spam email is the most common, but the same problem exists for people sharing things in Google Drive.<p>I had a password manager application that allowed you to share password entries to anyone else who has an account with that password manager company. The app/site actually did require you to approve the incoming entries, but didn't let you know what was in them, how many there were, etc.
Was this a "privacy protected domain"?<p>Because if you look at GoDaddy (probably R) domains that are "privacy protected" you see the registrant is <i>actually</i> "Domains By Proxy, LLC" and switching <i>that</i> domain to another GoDaddy account would be <i>invisible</i> on the whois system.
It stinks that we can't trust people.<p>What's more frustrating is when software designers / product managers / business-ey people forget that "we can't trust people."
> You could instead just tell R, but I can’t really imagine a scenario where even a great tech support person would both understand the problem and be able to get it to the right people on their legal team in a reliable fashion.”<p>That depends…. with the right R I could see it. The tech person I interact with (rarely) at nearlyfreespeech.net deeply gets it — tech, business, legal. I doubt he’s a lawyer of course, but expect he knows when to get them involved. Probably the owner of the whole operation, if I had to guess.<p>And yes I realize they are probably just front ending for the real registrar, but to me they are effectively the registrar; not here to argue about that.
This is true of real estate titles in many jurisdictions, too. You can quit claim a property to anyone without their consent, and then from that point on they are on the hook for property taxes, compliance with title covenants, etc.
I've been calling this kind of thing a "reputation attack". They come in all sorts of shapes.<p>Here's a common one: a platform allows you to create teams and invite other users to be members of those teams. The teams that a user is a member of are shown on their profile.<p>Someone could create a team called "Paid up members of the Nazi party" and add people as members!<p>That's why it's crucial to have an "accept invitation" step if you build anything like this.<p>Getting a lot of press these days is the similar thing where you can transfer an NFT to someone's wallet without their permission.
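The "accept invitation" step from the comment above, combined with the earlier point about approval prompts that hide what is being shared, sketched as an added example (not from any commenter or platform; the class, method, user and team names are hypothetical). An invite creates only a pending record, the invitee can see what is offered and by whom, and the public profile lists accepted memberships only.

```python
from dataclasses import dataclass, field

@dataclass
class Invitation:
    team: str
    inviter: str
    invitee: str
    state: str = "pending"   # pending -> accepted | declined

@dataclass
class TeamDirectory:
    invitations: list = field(default_factory=list)

    def invite(self, inviter, invitee, team):
        # Inviting creates only a pending record; nothing public changes.
        inv = Invitation(team, inviter, invitee)
        self.invitations.append(inv)
        return inv

    def pending_for(self, user):
        # The invitee sees exactly what is offered, and by whom, before deciding.
        return [(i.team, i.inviter) for i in self.invitations
                if i.invitee == user and i.state == "pending"]

    def respond(self, actor, inv, accept):
        # Only the invitee may resolve an invitation, and only once.
        if actor != inv.invitee:
            raise PermissionError("only the invitee can respond")
        if inv.state != "pending":
            raise ValueError("invitation already resolved")
        inv.state = "accepted" if accept else "declined"

    def public_profile(self, user):
        # The public view lists accepted memberships only.
        return sorted(i.team for i in self.invitations
                      if i.invitee == user and i.state == "accepted")

def demo():
    # Constructed scenario: one unwanted invite, one legitimate invite.
    d = TeamDirectory()
    bad = d.invite("mallory", "alice", "Embarrassing Team")
    good = d.invite("bob", "alice", "Release Engineering")
    before = d.public_profile("alice")    # still empty: invites are not memberships
    seen = d.pending_for("alice")         # alice can inspect both offers
    d.respond("alice", good, accept=True)
    d.respond("alice", bad, accept=False)
    return before, seen, d.public_profile("alice"), d.pending_for("alice")
```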
Just did this at another well known registrar, two clicks and my friend transferred 8 domains to me without much in the way of checks. Crazy to think of but here we are.
This feels a lot like complaining anyone can send you mail. I can send anyone anything provided I know their name and address. Even illicit materials. Or illegal materials. I don't even have to provide my real name. Or address. I can make it look like anyone is a criminal. Muahahahaha.<p>Did they reset the DNS information? Because that's all that's really needed to prevent the sort of weird malicious behavior he's describing.
Tangentially related, now that SWAT'ing is a known problem, is it possible to contact local law enforcement and forewarn them "Hey, I think I'm at high risk of being SWATed" such that if they receive a call they do some extra diligence to verify? (Like, for example, call you before dispatching.)
I mean, this is why we have due process and a trial, right? At which you can present evidence that you didn't purchase the domain. Probably it wouldn't even get that far.
No reason to worry. After this page topped HN all the SWAT teams will be overwhelmed and when they get to your house in 10 years you probably will already have moved.
> These days, one would hope LEA officers would at least look at who owns the domain name, but you just said that the registrar transferred it to you and changed the WHOIS data to use your full name and address.<p>I started to write a comment about how horribly optimistic this is but then I thought about it some more.<p>If it is indeed "Local" police you are probably screwed. They have zero understanding of the internet/tech and even people in positions with titles like "Cyber security" at your local station are probably just cops that got promoted into that role and have very little to zero understanding. Every interaction with my local cops w.r.t. technology has been painful and fruitless.<p>Of course this assumes they would follow up on it in the first place. My LEA outright refused to lift a finger with a harassment case even when provided step by step instructions (and we knew who was behind it) on how to request information from the company the harasser was using (throwaway phone numbers). That said, maybe an instance like the author describes would get them off their butts.<p>If it goes up to a federal level then maybe they would understand the nuance of domain transfers but not before kicking in your door.
1. Did the DNS information transfer, or did it get reverted? In other words, could the domain still be pointing at the nefarious server?<p>2. Do law enforcement, as standard practice, have access to the history of domain ownership? Would they see that it was recently transferred, or not?
If you want to get ICANN to fix this vulnerability, you could fix it:<p>A. The Proper Way: Find the right person at ICANN, send letters, follow-up, and hope they understand and prioritize the issue so it's addressed in some number of years.<p>or<p>B. The Fast Way: Register a funny yet embarrassing domain name, transfer it to a senior ICANN official, tweet to some journalists idle speculation wondering why this person has such a domain name. The vulnerability will be addressed ASAP. :-)
This reminds me of how Apple (and likely Google at some point) scans all your photos for "illegal content" and how the defaults are set up:<p>* WhatsApp will accept incoming messages from accounts not in your contacts<p>* WhatsApp will save all incoming photos to your library<p>* iCloud will upload all photos in your library to the cloud<p>Scary stuff.
You don't get SWATed for owning a child porn domain. SWAT teams only break down your door if you might have a weapon and be violent with it. If the police just think you're involved in a crime, they have to get a warrant for your arrest and then knock on your door and wait "a reasonable amount of time". They're also less trigger happy if they don't suspect you of having a weapon.