Recent Posts
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
- ICANN threatens to regulate your speech [RANT]
- Life insurance company kills dot-brand
- ICANN finds new home for Lebanon’s TLD after founder’s death
- ICANN begs people to use its new Whois service
- Shiba Inu outs itself as crypto new gTLD applicant
- Over 50,000 .ai domains sold in three months
- Amazon planning new push into registrar market?
- Registries and registrars vote ‘Yes’ to new DNS abuse rules
- ICANN predicts flattish 2025 for domain industry
- Fast-growing Gname buys another 150 registrars
- GoDaddy service to let you block domains in over 650 TLDs
- Did I find a murder weapon in a zone file?
- ICANN drops the “man” from Ombudsman
- Have your say on police domain takedown powers
- Most registrars are shunning ICANN’s new Whois system
- Nominet to take over .gov.uk
- ICANN picks Istanbul for 2024 meeting
- ICANN’s private Whois data request service goes live
- .au regs slide on 2LD anniversary
- ICANN accused of power grab over $271 million auction fund
- A registrar is getting blamed for an Israeli war propaganda site
- Two more dot-brands bite the dust
- Google sells five-figure AI domain and six-figure .ing hack
- .blackfriday is still a bit rubbish
- Internet Naming Co acquires five more gTLDs
Are ISOC’s claims about .org’s history bogus?
The Internet Society has started to fight back against those trying to put a stop to its $1.13 billion sale of Public Interest Registry to Ethos Capital.
Among the tactics being deployed appears to be an attempt to play down the notion that .org has always been considered as a home for non-profits run by a non-profit.
Apparently, it’s perfectly fine for .org to transition back into commercial hands, because not-for-profit ISOC was never intended as its forever home and the TLD was never intended for non-profits anyway.
Is that bullshit?
Yes and no. Mostly yes. It turns out you get a different answer depending on when you look in .org’s storied history.
ISOC, it seems, is starting in 1994, in an internet standard written by Jon Postel (who was ICANN before there was an ICANN).
A statement published by ISOC last week tries to characterize .org as a home for the “miscellaneous”, quoting from RFC 1591
I also want to address some other misconceptions about .ORG. Although .ORG has often been thought of as a “home of non-profits”, the domain was not actually defined that way. In 1994, RFC 1591 described it this way: “ORG – This domain is intended as the miscellaneous TLD for organizations that didn’t fit anywhere else. Some non-government organizations may fit here.”
It’s an accurate quote.
.org is described in other RFCs in a similar way. The earliest reference is 1984’s RFC 920 which says .org means “Organization, any other domains meeting the second level requirements.”
RFC 1032 says:
“ORG” exists as a parent to subdomains that do not clearly fall within the other top-level domains. This may include technical-support groups, professional societies, or similar organizations.
I can’t find any mention of non-profits in any of the relevant DNS RFCs.
ISOC goes on to note that .org was managed by a for-profit entity — Network Solutions, then Verisign — from 1993 until PIR took over in 2003.
Again, that’s true, but while it might have been managed by a commercial entity, NetSol was pretty clear about who .org was for.
When it went public in 1997, the company told would-be investors in its S-1 registration statement:
The most common TLDs include .com, used primarily by commercial entities, .org for nonprofit organizations, .net for network service providers, .edu for universities and .gov for United States governmental entities
That’s pretty unambiguous: the .org registry in 1997 said that .org was for non-profits.
In 2001, when ICANN inked a deal with Verisign to spin off .org into a new registry, there was no ambiguity whatsoever.
In announcing the deal, ICANN said that it would “return the .org registry to its original purpose” and .org would return to “to its originally intended function as a registry operated by and for non-profit organizations” (my emphasis).
The price ICANN paid for extracting .org from Verisign’s clutches was the very first “presumptive renewal” clause being inserted into the .com contract, which has seen Verisign reap billions with no risk of ever losing its golden goose.
The prize was so potentially lucrative that Verisign even agreed to give a $5 million endowment — no questions asked — to the successor registry, for use relaunching or promoting .org.
The only catch was that the new registry had to be a non-profit. Commercial registries — Verisign competitors such as Neustar — wouldn’t get the money.
ICANN and its community spent the remainder of 2001 and most of 2002 devising an RFP, accepting proposals from 11 would-be .org registries, and picking a winner.
The multistakeholder Domain Names Supporting Organization — roughly equivalent to today’s GNSO — was tasked with coming up with a set of principles governing who should get to run .org and how.
It came up with a report in January 2002 that stated, as its first bullet point:
The initial delegation of the .org TLD should be to a non-profit organization that is noncommercial in orientation and the initial board of which includes substantial representation of noncommercial .org registrants.
It went on to say that applicants “should be recognized non-profit entities” and to suggest a few measures to attract such entities to the bidding process.
These recommendations, which secured consensus support of the DNSO’s diverse stakeholders and a unanimous vote of the Names Council (the 2002 equivalent of the GNSO Council), nevertheless never made it into ICANN’s final RFP.
At some point during this process, ICANN decided that it would be unfair to exclude for-profit bidders, so there was no non-profit requirement in the final RFP.
As far as I can tell from the public record and my increasingly unreliable memory, it was Vint Cerf — father of the internet, creator of ISOC, then-chair of ICANN, and one of the few people currently cool with PIR being sold into commercial hands — that opened it up to for-profit bidders.
The decision was made at ICANN’s board meeting in Accra, Ghana, at ICANN 12. Back then, the board did its thinking aloud, in front of an audience, so we have a transcript.
The transcript shows that Cerf recommended that ICANN remain neutral on whether the successor registry was non-profit or for-profit. He put forward the idea that a commercial registry could quite easily create a non-profit entity in order to bid anyway, so it would be a kinda pointless restriction. The board agreed.
So in 2002, 11 entities, some of them commercial, submitted proposals to take over .org.
In ISOC’s bid, it stated that it would use the $5 million Verisign endowment “primarily to expanding outreach to non-commercial organizations on behalf of .ORG”.
ISOC/PIR took Verisign’s millions, as a non-profit, in order to pitch .org at other non-profits, in other words.
The evaluation process to pick Verisign’s successor was conducted by consultancy Gartner, a team of “academic CIOs” and ICANN’s Noncommercial Domain Name Holders’ Constituency (roughly equivalent to today’s Non-Commercial Stakeholders Group).
The NCDNHC was under strict instructions from ICANN management to not give consideration to whether the applicants were commercial or non-commercial, but its report (pdf) did “take notice of longstanding relationships between the bidders (whether for-profit or non-profit) and the noncommercial community available in the public record”.
It ranked the PIR bid as third of the 11 applicants, on the basis that .org money would go to support ISOC and the IETF, which NCDNHC considered “good works”.
ICANN’s preliminary and final evaluation reports were both opened for public comment, and comment from the applicants themselves, and on both occasions ISOC sought to play up its not-for-profit status. In August 2002, it said:
Overall, we believe ISOC’s experience as a not-for-profit, Internet-focused organization, combined with Afilias’ expertise as a stable and proven back end provider, enables us to fully meet all the criteria set forth by the ICANN Board.
In October 2002, it said:
We believe strongly that the voice of the non-commercial community is critical to the long-term success of .ORG. ISOC’s global membership and heritage and PIR’s non-profit status will ensure the registry remains sensitive to non-commercial concerns. Should the ICANN Board select ISOC’s proposal, PIR will execute extensive plans to ensure that this voice is heard.
ISOC’s application was of course ultimately determined to be the best of the bunch, and in October 2002 ICANN decided to award it the contract.
Then there was the small matter of the IANA redelegation. IANA is the arm of ICANN that deals with changes to the root zone. Whenever a TLD changes hands, IANA issues a report explaining how the redelegation came about.
In the case of .org, IANA echoed the previous feelings about .org’s “intended” purpose, stating:
the Internet Society is a long-established organization that is particularly knowledgeable about the needs of the organizations for which the .org top-level domain was intended. By establishing PIR as a subsidiary to serve as the successor operator of .org, the Internet Society has created a structure that can operate the .org TLD in a manner that will be sensitive to the needs of its intended users
So, does history tell us that .org is meant to be a TLD by and for non-profits?
Mostly, yes, I think it does.
Xbox security chief gets domain hijacked
The head of Xbox Live policy and enforcement at Microsoft has had his domain name compromised by a disgruntled gamer using a social engineering attack on Network Solutions
Stephen Toulouse, who goes by the screen name “Stepto” and has the domain stepto.com, seems to have also lost his email, hosting and, as a result, his Xbox Live account.
He tweeted earlier today: “Sigh. please be warned. Network solutions has apparently transferred control of Stepto.com to an attacker and will not let me recover it.”
Somebody claiming to be the attacker has uploaded a video to YouTube showing him clicking around Toulouse’s Xbox account, whilst breathlessly describing how he “socialed his hosting company”.
It’s a bit embarrassing for Toulouse. He was head of communications for Microsoft Security Response Center for many years, handling comms during worm outbreaks such as Blaster and Slammer.
Now at Xbox Live, he is, as the attacker put it, “the guy who’s supposed to be keeping us safe”.
But it’s probably going to be much more embarrassing for Network Solutions. When the tech press gets on the story tomorrow, difficult questions about NSI’s security procedures will no doubt be asked.
Toulouse has already made a few pointed remarks about the company on his Twitter feed today.
Social engineering attacks against domain name registrars exploit human, rather than technological, vulnerabilities, involving calling up tech support and trying to convince them you are your victim.
In this case, hijacking the domain seems to have been a means to control Toulouse’s email account, enabling the attacker to reset his Xbox Live password and take over his “gamer tag”.
The same technique was used to compromise the Chinese portal Baidu.com, that time via Register.com, in late 2009. That resulted in a lawsuit, now settled.
The attacker, calling himself Predator, was apparently annoyed that Toulouse had “console banned” him 35 times, whatever that means.
He seems to have left a fair bit of evidence in his wake, and he appears to be North American, so I expect he’ll be quite easy to track down.
Predator’s video, which shows the immediate aftermath of the attack, is embedded below. It may not be entirely safe for work, due to some casually racist language.
UPDATE (April 5): The video has been removed due to a “violation of YouTube’s policy on depiction of harmful activities”. I snagged a copy before it went, so if anybody is desperate to see it, let me know.
Network Solutions under attack again
Network Solutions’ hosting operation is under attack for the second time in a week, and this time it’s definitely not a WordPress problem.
The company has acknowledged that it has “received reports that Network Solutions customers are seeing malicious code added to their websites”, but has not yet released further details.
Sucuri.net, which was intimately involved in the news of the hack against NSI’s WordPress installations last week, blogged that this time the attacks appear to have compromised not only WordPress, but also Joomla-based and plain HTML sites.
Last week’s attacks were eventually blamed on insecure file permissions, which enabled shared-server hosting customers to look at each other’s WordPress database passwords.
But today NSI, one of the top-five domain name registrars, said: “It may not be accurate to categorize this as a single issue such as ‘file permissions’.”
Sucuri said that malicious JavaScript is being injected into the sites, creating an IFrame that sends visitors to drive-by download sites.
It’s a developing story, and not all the facts are out yet.
But it’s clear that NSI has a public relations problem on its hands. Some customers are already using Twitter to declare that they will switch hosts as a result.
And if it’s true, as Sucuri reports, that Google is already blocking some of the affected sites, who can blame them?
WordPress founder criticizes NSI’s security
WordPress founder Matt Mullenweg had a few harsh words for top-five domain registrar Network Solutions today, after a whole bunch of NSI-hosted blogs were hacked over the weekend.
It appears that NSI’s web hosting operation, which includes a one-click WordPress installation service, was failing to adequately secure database passwords on shared servers.
Or, as Mullenweg blogged: “A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files.”
WordPress, by necessity, stores its database passwords as plaintext in a script called wp-config.php, which is supposed to be readable only by the web server.
If the contents of that file are viewable by others, a malicious user could inject whatever content they like into the database – anything from correcting a typo in a blog post to deleting the entire site.
That appears to be what happened here: for some reason, the config files of WordPress blogs hosted at NSI gave read permissions to unauthorized people.
The cracker(s) who noticed this vulnerability chose to inject an HTML IFrame into the URL field of the WordPress database. This meant visitors to affected blogs were bounced to a malware site.
Mullenweg is evidently pissed that some news reports characterized the incident as a WordPress vulnerability, rather than an NSI vulnerability.
NSI appears to have corrected the problem, resetting its users’ database passwords as a precaution. Anybody making database calls in custom PHP, outside of the wp-config.php file, is going to have to go into their code to update their passwords manually.
Recent Comments