Domain seized

boker
Looks like one of my domains was used in some kind of cyber attacks or something like that. The domain oreux in king, was a hand reg from a year ago and I wanted to transfer it to another registrar. The transfer failed because the domain was locked. I've double-checked with my registrar, and everything showed fine in the control panel, domain unlocked and the nameservers were ns1.undeveloped.com, but when I did a whois check, the domain was transfer prohibited and the nameservers were something like:
SC-C.SINKHOLE.SHADOWSERVER.ORG
Looks like the domain was used in some kind of cyber attack and they have seized around 800,000 domains. Nobody has told me anything about it and I still have access to everything in the control panel; the only issue is that the control panel doesn't have control over everything. A couple of months ago everything was fine, so it looks like they have changed the nameservers in the last months. So be aware, you could own some of the 800,000 domains seized. I have found a link here about it: https://www.europol.europa.eu/newsr...k-dismantled-in-international-cyber-operation
I will wait and see if I can do something about this transfer to epik.
 
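The symptom in the first post (registrar panel says unlocked and delegated to ns1.undeveloped.com, registry WHOIS says serverTransferProhibited and Shadowserver sinkhole nameservers) is something a domain owner can check by script rather than by eye. The following is an added example, not code from anyone in this thread, from the registrar, or from Shadowserver. The WHOIS text is constructed to resemble a Verisign-style registry record for an example domain; the registrar name, the dates and the list of sinkhole nameserver patterns are assumptions for illustration.

```python
"""Detect a registry-level sinkhole on a .com domain.

Added example (not from the thread).  Compares the EPP status codes and
nameservers in the registry WHOIS record with the nameservers the registrar's
control panel reports.  The WHOIS text below is constructed, not a real record.
"""

import re

# EPP status codes that only the registry (Verisign for .com) can set.
# A registrar can only set the matching "client*" codes, so a "server*" code the
# registrar did not ask for means the change happened above the registrar.
SERVER_LOCKS = {
    "serverTransferProhibited",
    "serverUpdateProhibited",
    "serverDeleteProhibited",
    "serverHold",
}

# Nameserver patterns treated as sinkholes.  shadowserver.org is the operator
# named in the thread; the generic "sinkhole" label match is an assumption,
# not an authoritative list of sinkhole operators.
SINKHOLE_NS_PATTERNS = (
    re.compile(r"\.shadowserver\.org$", re.I),
    re.compile(r"sinkhole", re.I),
)

# Constructed registry WHOIS output in Verisign's "Key: value" layout.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registry Domain ID: 1234567890_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.example-registrar.test
   Updated Date: 2018-10-02T11:20:00Z
   Creation Date: 2018-01-15T09:00:00Z
   Registry Expiry Date: 2019-01-15T09:00:00Z
   Registrar: Example Registrar Ltd
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: SC-C.SINKHOLE.SHADOWSERVER.ORG
   Name Server: SC-D.SINKHOLE.SHADOWSERVER.ORG
   DNSSEC: unsigned
>>> Last update of whois database: 2018-12-27T08:00:00Z <<<
"""

# What the registrar's control panel showed for the same domain (from the
# first post: unlocked, delegated to the marketplace's nameservers).
PANEL_NAMESERVERS = ["ns1.undeveloped.com", "ns2.undeveloped.com"]


def parse_whois(text):
    """Return {field: [values, ...]} for 'Key: value' lines, keys lower-cased."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]+?):\s*(.*?)\s*$", line)
        if not m:
            continue  # banners, '>>>' trailer lines, blank lines
        key, value = m.group(1).lower(), m.group(2)
        fields.setdefault(key, []).append(value)
    return fields


def epp_statuses(fields):
    """EPP status codes with the trailing icann.org URL stripped."""
    return [v.split()[0] for v in fields.get("domain status", []) if v]


def nameservers(fields):
    return sorted(v.lower().rstrip(".") for v in fields.get("name server", []) if v)


def assess(whois_text, panel_nameservers):
    """Compare registry data with the registrar panel and return the findings."""
    fields = parse_whois(whois_text)
    statuses = epp_statuses(fields)
    registry_ns = nameservers(fields)
    panel_ns = sorted(ns.lower().rstrip(".") for ns in panel_nameservers)

    server_locks = sorted(s for s in statuses if s in SERVER_LOCKS)
    sinkhole_ns = [ns for ns in registry_ns
                   if any(p.search(ns) for p in SINKHOLE_NS_PATTERNS)]

    return {
        "server_locks": server_locks,
        "sinkhole_nameservers": sinkhole_ns,
        "registry_nameservers": registry_ns,
        "ns_mismatch": registry_ns != panel_ns,
        # Registry-set lock + sinkhole delegation + nameservers the registrar
        # never configured: the registry-level change the thread describes.
        "likely_registry_sinkhole": (bool(server_locks) and bool(sinkhole_ns)
                                     and registry_ns != panel_ns),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_WHOIS, PANEL_NAMESERVERS).items():
        print(f"{key}: {value}")
```

To use it on a live domain, feed it the registry's own WHOIS output (for .com, `whois -h whois.verisign-grs.com <domain>`) rather than the registrar's, because the registrar's copy is exactly what the control panel already shows. The decisive signal is the `server*` prefix on a status code: a `clientTransferProhibited` is a lock the registrar set and can clear, while `serverTransferProhibited` or `serverHold` can only be changed at the registry, which is why the panel in the first post looked clean while the transfer still failed.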
Update here. Talked to Western District Court Clerk. They could not clarify the appeal process but said to contact the responsible attorneys. I went online and used the PACER database to find the case.

Here are the responsible attorneys:

[attached image: upload_2018-12-28_8-8-47.png]

This is a US Federal District court.

As Pittsburgh is clearly driving this operation, I reached out to Colin Callahan via voicemail and email with cc to the registrant. We'll see how they reply on clarifying the criteria used and the appeal process for removal from this list without onerous or tedious legal action.
 
Was this more likely to happen this way because it's a European registrar, or would things still happen if, say, it was on GoDaddy, Epik, etc.?
 
> Was this more likely to happen this way because it's a European registrar, or would things still happen if, say, it was on GoDaddy, Epik, etc.?

Interpol is in the mix here so I doubt it mattered -- the registries are global and the "judicial" (and extrajudicial) machinery are similarly global.

The lead attorney on this case is Jesuit-trained Colin Callahan from Georgetown Law. Georgetown is also where ShadowServer was founded. Those with eyes to see can connect the dots.
 
1. MalwareTech creates lists of the domains under the disguise of ShadowServer.
2. ShadowServer sells the list to ISPs.
3. ISPs inform law enforcement.
4. From here it gets cloudy.
 
> 1. MalwareTech creates lists of the domains under the disguise of ShadowServer.
> 2. ShadowServer sells the list to ISPs.
> 3. ISPs inform law enforcement.
> 4. From here it gets cloudy.

Do you have incontrovertible proof of this allegation?
 
> Do you have incontrovertible proof of this allegation?
All of this was found using social media, news interviews, cybersecurity blogs and their own websites, etc.

Is it proof, or enough proof? I would let the lawyers argue that, but it definitely appears to be enough for further investigation.
 
> All of this was found using social media, news interviews, cybersecurity blogs and their own websites, etc.
>
> Is it proof, or enough proof? I would let the lawyers argue that, but it definitely appears to be enough for further investigation.

Right, I believe it. If you have a reasonably authoritative source, I think it would be useful to understand. The folks at RoLR and ShadowServer are very quiet. See on Twitter:

https://twitter.com/Shadowserver

I believe that your conclusion is plausible but a more evidenced summary would be helpful if you can produce one soon.
 
So for us beginners (and I am a beginner despite all the stars next to my name, as I took a sabbatical from domaining soon after taking up the undertaking (perhaps the wrong choice of words) and just returned three months ago), is there any way to protect our domains from such blatant skullduggery?

Thanking any responders in advance....

Lew Riley
 
> So for us beginners (and I am a beginner despite all the stars next to my name, as I took a sabbatical from domaining soon after taking up the undertaking (perhaps the wrong choice of words) and just returned three months ago), is there any way to protect our domains from such blatant skullduggery?
>
> Thanking any responders in advance....
>
> Lew Riley

Yes, there is.

First and foremost it is through the existing governance frameworks and through exposing acts of malfeasance and non-due-process as they occur. I am doing that, as are others. There is no joy in it since you make enemies that are not averse to dirty tricks like this one:

https://www.huffingtonpost.com/entr...9e4b05d7e5d846f72?ncid=tweetlnkushpmg00000067

The other thing that the industry can do is design counter-measures that render domains useful independent of ICANN. You could call it seceding from the union but really only as a matter of last resort. I describe it here:

https://gab.com/epik/posts/44196461

My hope is that cooler heads prevail and that industry stakeholders show backbone to protect sovereignty of intellectual property. In particular, Verisign and Godaddy need to show backbone, but otherwise it will come down to the small fry.
 
Hello NPs,
IMO the main feasibility of the above-mentioned processing is fully argued and documented proceedings from all those regulators. For example, a database of logs of any illegal activity on domain(s) owned by private registrars, which are by the way obligated under Registry Terms to abide by legal and fair usage practice and avoid any misuse, especially in terms of malicious IT involvement. Furthermore, there are very different development directions in that regard; for example, some advantageous registries are introducing an add-on service such as a Domain Lock service, while on the other side, in the area of some ccTLD registrars, aside from globally integrated planning, there are periodic occurrences of major hacks at top NIC registry table infrastructure affecting many, but specifically major international companies on their locally developed domains/web services. So, to repeat, domainers have a legal responsibility (Terms of Registration) for keeping their registered intellectual property in good standing (as with much property in realty), particularly from malware broadly affecting the internet space system and third parties' property as well.
Regards
 
> Hello NPs,
> IMO the main feasibility of the above-mentioned processing is fully argued and documented proceedings from all those regulators. For example, a database of logs of any illegal activity on domain(s) owned by private registrars, which are by the way obligated under Registry Terms to abide by legal and fair usage practice and avoid any misuse, especially in terms of malicious IT involvement. Furthermore, there are very different development directions in that regard; for example, some advantageous registries are introducing an add-on service such as a Domain Lock service, while on the other side, in the area of some ccTLD registrars, aside from globally integrated planning, there are periodic occurrences of major hacks at top NIC registry table infrastructure affecting many, but specifically major international companies on their locally developed domains/web services. So, to repeat, domainers have a legal responsibility (Terms of Registration) for keeping their registered intellectual property in good standing (as with much property in realty), particularly from malware broadly affecting the internet space system and third parties' property as well.
> Regards

There is no possible way domain owners can currently protect their domain from malware, especially WannaCry, under the current system (that may change). If you feel it is the domain owner's legal responsibility, please contribute what could be done by the domain owner.
 
Hi, well, I'm not much versed in registry systems networking, but as announced for last year's infections, the spread through networks was switched off by registration of the domain name used for sending endless request intrusions. So, for records already present in the registry that should not be a problem; rather, the problems are bad practices of non-resolving domains left at registrar companies' default servers that later got changed or so, making a significant number of domain names globally non-functioning and thus a hazard for other server abuses and spreading malware in ways other than the specific one mentioned above. So the best precaution is to set up any page rather than leaving the domain unconfigured after registration or transfer, and to ensure host directory permission protections, to repeat, even for a blank web site / default domain landing page. Regards
 
> Hello NPs,
> IMO the main feasibility of the above-mentioned processing is fully argued and documented proceedings from all those regulators. For example, a database of logs of any illegal activity on domain(s) owned by private registrars, which are by the way obligated under Registry Terms to abide by legal and fair usage practice and avoid any misuse, especially in terms of malicious IT involvement. Furthermore, there are very different development directions in that regard; for example, some advantageous registries are introducing an add-on service such as a Domain Lock service, while on the other side, in the area of some ccTLD registrars, aside from globally integrated planning, there are periodic occurrences of major hacks at top NIC registry table infrastructure affecting many, but specifically major international companies on their locally developed domains/web services. So, to repeat, domainers have a legal responsibility (Terms of Registration) for keeping their registered intellectual property in good standing (as with much property in realty), particularly from malware broadly affecting the internet space system and third parties' property as well.
> Regards

So, according to you it's: let's put the blame on the owner of the stolen car for the bank robbery?
 
Well, I didn't intend to play with you here as a smart a#@.. Still, you probably know what is worthwhile about regulations, where all parties obey rules. So in this practical example it should be both the registrant's and the host's/registrar's responsibility to isolate access to domain configuration, but as with most web companies, they direct advanced services to full-service customers such as VPS hosters etc. So basic domain accounts without hosting/content are on their own (settings panel) without services known as DDoS mitigation, IP filtering etc. At the end, to add info on a couple of new trends such as Domain Lock (a speciality of DirectNic), PremiumDNS (NameCheap, ClouDNS), and CloudFlare, which in cases of a malicious traffic influx would protect domains alone to some degree without the before-mentioned website firewall protection mods, and prevent blacklisting at net security agencies.
 
> So, according to you it's: let's put the blame on the owner of the stolen car for the bank robbery?

To my knowledge, you are certainly obligated to report a stolen car, as with rules for car registration, insurance etc., which could with today's techniques resolve other collateral risks.
 
Admittedly this is a complex issue, and one about which we don't know everything. For the domain name that started this discussion the only use in years seems (from my examination of the Wayback Machine) to have been when it was listed on Undeveloped (and many years previous on a parking site). It seems to me highly problematic that it can be seized without notice or justification.

In their own words, the (apparently just a couple of individuals) who operate the sinkhole operation say "we have been registering previously and future malicious domain names and pointing those records to our sinkhole servers". If they indeed were registering available domains and pointing them wherever they want, I have no real problems. But here it seemed they took control without notice or justification or compensation to owner or registrar (well, to the registrar eventually, 7+ months later).

To do this along with saying that they take domains that might be "future malicious domain names" (their words) seems a huge overstep. What is a possible future malicious domain name? Surely that is any domain name? With a few keystrokes malware code can readily be switched from interacting with one domain name to another.

I was for a walk this morning. Cars drove by me - I wondered, surely its possible that car could be used in the future as a getaway vehicle. I hope my local police seize it from the owner. Went by a costume store - could be a disguise in robbery - sure hope they seize everything in the store in advance just to be sure. Then was in kitchen store - it had knives everywhere. Better seize them all in advance, just in case to prevent future misuse!

I know I am being silly but to have about 1 out of every 400 domain names registered seized (800,000) without compensation, notice or justification to owners seems to be ridiculously over stepping authority.

In my mind this is rather different from the FBI seizure of about 800 websites earlier this year. There, there was at least criminally alleged use and prosecution underway on specific offences (mainly counterfeit goods, illegal sales of prescription drugs, and possible prostitution/trafficking), so public justification was needed and could be cross-examined. It was the website, not the domain name per se, that was taken over to prevent ongoing allegedly criminal activity.

To me this case is very different. Here it appears that a few individuals (one of whom is currently charged with malware development himself) recommended the seizure of a huge number of domain names.

I can't believe that this thread is not totally dominating NPs. As the OP said, it is not the reg fee in this case that is the issue, but if a fear gets out there that you could buy a domain name for 5 figures, use it entirely properly, but one day it is seized without justification or even notice, that will be a chill on the whole domain aftermarket like we have never seen before.

Bob
 
> To me this case is very different. Here it appears that a few individuals (one of whom is currently charged with malware development himself) recommended the seizure of a huge number of domain names.

Actually, it turns out that an initially independent IT technician later became an accredited authority after finding the causes of a notorious hi-tech malware spread over millions of government computers worldwide. Still not sure and convinced about the full extent of the phenomenon, but these days botnet systems are powerful in wrongdoing (as opposed to regulated business web engines) and a possible instrument of much wider public concerns than domain registrars, such as hybrid data manipulation, meddling with representatives and other civil society threats. So I guess when such tunneling gets established on a domain (through NS or website file injection/corruption) and malware starts to spread, the web sites usually get suspended by hosts (etc.), and in the other case, when traffic disruption arises through name servers, the domain has to be isolated (pointed onto intermediary servers, by directive/warrant of the mentioned agency), temporarily or so. Still, more transparent proceedings would be widely beneficial.
 
> Looks like one of my domains was used in some kind of cyber attacks or something like that. The domain oreux in king, was a hand reg from a year ago and I wanted to transfer it to another registrar. The transfer failed because the domain was locked. I've double-checked with my registrar, and everything showed fine in the control panel, domain unlocked and the nameservers were ns1.undeveloped.com, but when I did a whois check, the domain was transfer prohibited and the nameservers were something like:
> SC-C.SINKHOLE.SHADOWSERVER.ORG
> Looks like the domain was used in some kind of cyber attack and they have seized around 800,000 domains. Nobody has told me anything about it and I still have access to everything in the control panel; the only issue is that the control panel doesn't have control over everything. A couple of months ago everything was fine, so it looks like they have changed the nameservers in the last months. So be aware, you could own some of the 800,000 domains seized. I have found a link here about it: https://www.europol.europa.eu/newsroom/news/‘avalanche’-network-dismantled-in-international-cyber-operation
> I will wait and see if I can do something about this transfer to epik.

My server was hacked a few months back and hundreds of thousands of emails were sent out. The only thing I knew to do was redirect the domains, and then I reinstalled cPanel. I haven't noticed any of the domains being locked to strange name servers, but I set Google Alerts for the domain names that I know were used in the hack. Thanks for the info.
 
Hi, you could ask your host for mod_secure/ip_tables, a PHP environment module that handles various types of hacking distribution; still, many hosts do not have it by default, so it has to be set up as an add-on to the hosting configuration.
 
So was this sinkholing related to the one that is described in the document at the following link? If so, it does seem that a fair amount of oversight was employed. However, the dates don't correspond. This was years ago, so how is it possible to hand register a domain 11 months ago that they then decided to sinkhole, is the key question.

https://www.europol.europa.eu/newsr...k-dismantled-in-international-cyber-operation

The document has the countries who were involved, but I could not find statistics on the domain extensions involved. Does anyone know for example what fraction of the 800,000 were .com?
 
> So was this sinkholing related to the one that is described in the document at the following link? If so, it does seem that a fair amount of oversight was employed. However, the dates don't correspond. This was years ago, so how is it possible to hand register a domain 11 months ago that they then decided to sinkhole, is the key question.
>
> https://www.europol.europa.eu/newsroom/news/‘avalanche’-network-dismantled-in-international-cyber-operation
>
> The document has the countries who were involved, but I could not find statistics on the domain extensions involved. Does anyone know for example what fraction of the 800,000 were .com?

That is the issue. They reheated the old docket with a fresh domain list and took out some innocent domains in the process. So far nobody at ShadowServer is providing any clarity around who cross-references the takedown list against the old docket. And nobody at DOJ is returning phone calls or emails for the registrant whose domain was wrongfully taken down. The single domain is not a tragedy. The tragedy is that it appears that any .COM can now be taken down without even telling the registrar. And if that is the case, we have a problem.
 
> The tragedy is that it appears that any .COM can now be taken down without even telling the registrar. And if that is the case, we have a problem.

Indeed! A huge problem. Even if it only rarely happens, if the possibility is there, it will scare some from investing in valuable assets.
 
> Indeed! A huge problem. Even if it only rarely happens, if the possibility is there, it will scare some from investing in valuable assets.

I would love to know the details of what Verisign gave up in return for their 7% per annum price increase. I am not sure we'll like the answer but better to know than to find out the hard way. Trusted Notifier was part of that deal and my concern is that we might have seen it used in this specific case with ShadowServer as the executing party. Verisign should comment asap.
 
> So was this sinkholing related to the one that is described in the document at the following link? If so, it does seem that a fair amount of oversight was employed. However, the dates don't correspond. This was years ago, so how is it possible to hand register a domain 11 months ago that they then decided to sinkhole, is the key question.
>
> https://www.europol.europa.eu/newsroom/news/‘avalanche’-network-dismantled-in-international-cyber-operation
>
> The document has the countries who were involved, but I could not find statistics on the domain extensions involved. Does anyone know for example what fraction of the 800,000 were .com?

Yes, it appears the (800,000) domains were part of the 'Avalanche Network of Malware' which is a big issue due to many variations. A large concern is that another attack is imminent, according to some hacker forums. That would explain why the dates are not corresponding.

There may be a lot of secrecy here as the U.S. Homeland Security Dept. is involved with investigating and containing this malware network.

ICANN had information about this malware network, but it has since been removed:

https://ccnso.icann.org/en/meetings/copenhagen58/presentation-fbi-operation-avalanche-13mar17-en.pdf

This has the potential to be a disaster for domain owners if scenarios are not mitigated prior to a large attack.

Thank you @Rob Monster for leading this issue!
 
> So was this sinkholing related to the one that is described in the document at the following link? If so, it does seem that a fair amount of oversight was employed. However, the dates don't correspond. This was years ago, so how is it possible to hand register a domain 11 months ago that they then decided to sinkhole, is the key question.
>
> https://www.europol.europa.eu/newsroom/news/‘avalanche’-network-dismantled-in-international-cyber-operation
>
> The document has the countries who were involved, but I could not find statistics on the domain extensions involved. Does anyone know for example what fraction of the 800,000 were .com?

Will take a look at the transfers later this morning, Bob.
It won't be precise but it should be enough to give an idea.

Regards...jmcc
 