- Impact
- 0
My apologies for what has become a tediously long post--but I wanted to wrap this up...
Hello again,
Just wanted to thank everyone who contributed constructively to the original VY.COM thread. The domain transfer back to NSI was finally completed today (while the original domain transfer from NSI to DirectNIC completed in 48 hrs, the transfer back took the full 7 days, hrm). I believe this forum was very instrumental in the fact that we did get the domain back, and therefore definitely wanted to express my appreciation.
I’m still very concerned about a few things: the future security of VY.COM, uncovering the thief who originally broke into my Account Manager account, and the fact that (as touched upon on another thread here just recently) an ACK that goes unanswered for 5 days automatically defaults and the transfer goes through.
When I first registered VY.COM, it was held by Internic and there were rather a lot of manual processes involved that were, I think, not so prone to fraud. If I lost access to my email account on record, I had to fax Internic with my photo ID and speak to a real live person to get it back. And I guess the ‘net just wasn’t so full of malicious idiots back then as well. Great wakeup call this has been in that respect.
I’m still concerned that even with Domain Protect and Private Registration on, anyone can still exploit the challenge question on my Account Manager account at NSI and promptly turn off Domain Protect, change the contact of record, and if that happens to be during a 5 days holiday from email, I’ll be none the wiser. NSI finally confirmed that their challenge question database is, in fact, clear text—this means that anyone with access to the servers can plainly read the responses and exploit this TREMENDOUS security hole.
I’m fairly convinced at this point that NSI have someone on the inside, or an ex-employee, who are making a killing off of valuable privately held domain names. I believe the figure I heard was 14,000 lost domains at NSI alone and I’m sure a majority of those were held by private individuals who lacked the resources, knowledge, or tenacity to fight it and simply gave up—something I’m sure the perpetrators count on when selecting domains to steal.
VY.COM was clearly hijacked by someone with experience, someone who’s done this on a number of previous occasions. I believe VY.COM was selected specifically because there is a market for two-letter domain names and therefore had immediate sale value, and because it was held by a private individual who most likely would not be in a position to pursue recovery actions very far.
Domain theft is clearly not sufficiently addressed by our criminal justice system, and it’s a tricky issue. After filing a couple of invalid WHOIS reports, the record for VY.COM was finally updated by someone claiming to reside in Monaco (that his originating IP in emails never supported this fact is another issue altogether). This poses tremendous obstacles in terms of jurisdiction. Even after retaining an attorney to pursue recovery of the domain, and even after preparing our declaratory relief claims, we were still faced with having to track down Mr Vincent Young Fond through his payment records to DirecNIC, and then prepare for the chance that he might claim that the California courts hold no personal jurisdiction over him because he resides elsewhere. Fortunately, it seems that Mr V Y Fond was sufficiently disturbed by the mere thought of litigation (and perhaps the extent of publicity this domain was receiving) to agree to return the domain voluntarily.
And then there’s NSI’s lack of culpability:
“1. Security. Network Solutions does not guarantee the
security of your domain name registration records, and you assume all
risks that the password and/or passphrase you select may be compromised
as a result of fraudulent, unauthorized or illegal activity.”
which strikes me as patently absurd and irresponsible. ‘Nuff said, really.
So very much of this situation remains a mystery, from people who contacted us at private email addresses immediately after we reported the domain stolen, to Mr V Y Fond’s claims that he bought the domain from someone claiming to be Shannon Madison (unnecessary, as the contact of record at the time of the alleged sale had already been changed to someone else), to his insistence that he corresponded with the email address on record ([email protected], which was a closed account at an ISP run by a friend of mine, who checked and confirmed that the account had neither been reopened nor used), the fact that Mr V Y Fond used proxy relays to hide his true location (if he was the innocent victim he claimed to be, why hide?), to the fact that he emailed Giles at his very private work email address the same day we started making noise about the theft…none of it adds up.
I’m just glad we got the domain back.
I’m currently pursuing this with my California State Assembly Member, Sally Lieberman, my Congressional representative, Anna Eschoo, and have contacted the offices of Barbara Boxer (who always seems up for a good fight) to see if we can put some better legislation around domain name ownership. I’m also still quite interested in discovering who is stealing domains from NSI (particularly VY.COM) and seeing to it that this person is discovered and prosecuted.
Thanks again for all of your help. January really is the worst month of the year, eh?
(http://news.bbc.co.uk/2/hi/uk_news/4187183.stm)
Cheers,
Shannon Madison
Hello again,
Just wanted to thank everyone who contributed constructively to the original VY.COM thread. The domain transfer back to NSI was finally completed today (while the original domain transfer from NSI to DirectNIC completed in 48 hrs, the transfer back took the full 7 days, hrm). I believe this forum was very instrumental in the fact that we did get the domain back, and therefore definitely wanted to express my appreciation.
I’m still very concerned about a few things: the future security of VY.COM, uncovering the thief who originally broke into my Account Manager account, and the fact that (as touched upon on another thread here just recently) an ACK that goes unanswered for 5 days automatically defaults and the transfer goes through.
When I first registered VY.COM, it was held by Internic and there were rather a lot of manual processes involved that were, I think, not so prone to fraud. If I lost access to my email account on record, I had to fax Internic with my photo ID and speak to a real live person to get it back. And I guess the ‘net just wasn’t so full of malicious idiots back then as well. Great wakeup call this has been in that respect.
I’m still concerned that even with Domain Protect and Private Registration on, anyone can still exploit the challenge question on my Account Manager account at NSI and promptly turn off Domain Protect, change the contact of record, and if that happens to be during a 5 days holiday from email, I’ll be none the wiser. NSI finally confirmed that their challenge question database is, in fact, clear text—this means that anyone with access to the servers can plainly read the responses and exploit this TREMENDOUS security hole.
I’m fairly convinced at this point that NSI have someone on the inside, or an ex-employee, who are making a killing off of valuable privately held domain names. I believe the figure I heard was 14,000 lost domains at NSI alone and I’m sure a majority of those were held by private individuals who lacked the resources, knowledge, or tenacity to fight it and simply gave up—something I’m sure the perpetrators count on when selecting domains to steal.
VY.COM was clearly hijacked by someone with experience, someone who’s done this on a number of previous occasions. I believe VY.COM was selected specifically because there is a market for two-letter domain names and therefore had immediate sale value, and because it was held by a private individual who most likely would not be in a position to pursue recovery actions very far.
Domain theft is clearly not sufficiently addressed by our criminal justice system, and it’s a tricky issue. After filing a couple of invalid WHOIS reports, the record for VY.COM was finally updated by someone claiming to reside in Monaco (that his originating IP in emails never supported this fact is another issue altogether). This poses tremendous obstacles in terms of jurisdiction. Even after retaining an attorney to pursue recovery of the domain, and even after preparing our declaratory relief claims, we were still faced with having to track down Mr Vincent Young Fond through his payment records to DirecNIC, and then prepare for the chance that he might claim that the California courts hold no personal jurisdiction over him because he resides elsewhere. Fortunately, it seems that Mr V Y Fond was sufficiently disturbed by the mere thought of litigation (and perhaps the extent of publicity this domain was receiving) to agree to return the domain voluntarily.
And then there’s NSI’s lack of culpability:
“1. Security. Network Solutions does not guarantee the
security of your domain name registration records, and you assume all
risks that the password and/or passphrase you select may be compromised
as a result of fraudulent, unauthorized or illegal activity.”
which strikes me as patently absurd and irresponsible. ‘Nuff said, really.
So very much of this situation remains a mystery, from people who contacted us at private email addresses immediately after we reported the domain stolen, to Mr V Y Fond’s claims that he bought the domain from someone claiming to be Shannon Madison (unnecessary, as the contact of record at the time of the alleged sale had already been changed to someone else), to his insistence that he corresponded with the email address on record ([email protected], which was a closed account at an ISP run by a friend of mine, who checked and confirmed that the account had neither been reopened nor used), the fact that Mr V Y Fond used proxy relays to hide his true location (if he was the innocent victim he claimed to be, why hide?), to the fact that he emailed Giles at his very private work email address the same day we started making noise about the theft…none of it adds up.
I’m just glad we got the domain back.
I’m currently pursuing this with my California State Assembly Member, Sally Lieberman, my Congressional representative, Anna Eschoo, and have contacted the offices of Barbara Boxer (who always seems up for a good fight) to see if we can put some better legislation around domain name ownership. I’m also still quite interested in discovering who is stealing domains from NSI (particularly VY.COM) and seeing to it that this person is discovered and prosecuted.
Thanks again for all of your help. January really is the worst month of the year, eh?
(http://news.bbc.co.uk/2/hi/uk_news/4187183.stm)
Cheers,
Shannon Madison
