Latest news of the domain name industry

Recent Posts

Are ISOC’s claims about .org’s history bogus?

Kevin Murphy, December 2, 2019, Domain Registries

The Internet Society has started to fight back against those trying to put a stop to its $1.13 billion sale of Public Interest Registry to Ethos Capital.

Among the tactics being deployed appears to be an attempt to play down the notion that .org has always been considered as a home for non-profits run by a non-profit.

Apparently, it’s perfectly fine for .org to transition back into commercial hands, because not-for-profit ISOC was never intended as its forever home and the TLD was never intended for non-profits anyway.

Is that bullshit?

Yes and no. Mostly yes. It turns out you get a different answer depending on when you look in .org’s storied history.

ISOC, it seems, is starting in 1994, in an internet standard written by Jon Postel (who was ICANN before there was an ICANN).

A statement published by ISOC last week tries to characterize .org as a home for the “miscellaneous”, quoting from RFC 1591

I also want to address some other misconceptions about .ORG. Although .ORG has often been thought of as a “home of non-profits”, the domain was not actually defined that way. In 1994, RFC 1591 described it this way: “ORG – This domain is intended as the miscellaneous TLD for organizations that didn’t fit anywhere else. Some non-government organizations may fit here.”

It’s an accurate quote.

.org is described in other RFCs in a similar way. The earliest reference is 1984’s RFC 920 which says .org means “Organization, any other domains meeting the second level requirements.”

RFC 1032 says:

“ORG” exists as a parent to subdomains that do not clearly fall within the other top-level domains. This may include technical-support groups, professional societies, or similar organizations.

I can’t find any mention of non-profits in any of the relevant DNS RFCs.

ISOC goes on to note that .org was managed by a for-profit entity — Network Solutions, then Verisign — from 1993 until PIR took over in 2003.

Again, that’s true, but while it might have been managed by a commercial entity, NetSol was pretty clear about who .org was for.

When it went public in 1997, the company told would-be investors in its S-1 registration statement:

The most common TLDs include .com, used primarily by commercial entities, .org for nonprofit organizations, .net for network service providers, .edu for universities and .gov for United States governmental entities

That’s pretty unambiguous: the .org registry in 1997 said that .org was for non-profits.

In 2001, when ICANN inked a deal with Verisign to spin off .org into a new registry, there was no ambiguity whatsoever.

In announcing the deal, ICANN said that it would “return the .org registry to its original purpose” and .org would return to “to its originally intended function as a registry operated by and for non-profit organizations” (my emphasis).

The price ICANN paid for extracting .org from Verisign’s clutches was the very first “presumptive renewal” clause being inserted into the .com contract, which has seen Verisign reap billions with no risk of ever losing its golden goose.

The prize was so potentially lucrative that Verisign even agreed to give a $5 million endowment — no questions asked — to the successor registry, for use relaunching or promoting .org.

The only catch was that the new registry had to be a non-profit. Commercial registries — Verisign competitors such as Neustar — wouldn’t get the money.

ICANN and its community spent the remainder of 2001 and most of 2002 devising an RFP, accepting proposals from 11 would-be .org registries, and picking a winner.

The multistakeholder Domain Names Supporting Organization — roughly equivalent to today’s GNSO — was tasked with coming up with a set of principles governing who should get to run .org and how.

It came up with a report in January 2002 that stated, as its first bullet point:

The initial delegation of the .org TLD should be to a non-profit organization that is noncommercial in orientation and the initial board of which includes substantial representation of noncommercial .org registrants.

It went on to say that applicants “should be recognized non-profit entities” and to suggest a few measures to attract such entities to the bidding process.

These recommendations, which secured consensus support of the DNSO’s diverse stakeholders and a unanimous vote of the Names Council (the 2002 equivalent of the GNSO Council), nevertheless never made it into ICANN’s final RFP.

At some point during this process, ICANN decided that it would be unfair to exclude for-profit bidders, so there was no non-profit requirement in the final RFP.

As far as I can tell from the public record and my increasingly unreliable memory, it was Vint Cerf — father of the internet, creator of ISOC, then-chair of ICANN, and one of the few people currently cool with PIR being sold into commercial hands — that opened it up to for-profit bidders.

The decision was made at ICANN’s board meeting in Accra, Ghana, at ICANN 12. Back then, the board did its thinking aloud, in front of an audience, so we have a transcript.

The transcript shows that Cerf recommended that ICANN remain neutral on whether the successor registry was non-profit or for-profit. He put forward the idea that a commercial registry could quite easily create a non-profit entity in order to bid anyway, so it would be a kinda pointless restriction. The board agreed.

So in 2002, 11 entities, some of them commercial, submitted proposals to take over .org.

In ISOC’s bid, it stated that it would use the $5 million Verisign endowment “primarily to expanding outreach to non-commercial organizations on behalf of .ORG”.

ISOC/PIR took Verisign’s millions, as a non-profit, in order to pitch .org at other non-profits, in other words.

The evaluation process to pick Verisign’s successor was conducted by consultancy Gartner, a team of “academic CIOs” and ICANN’s Noncommercial Domain Name Holders’ Constituency (roughly equivalent to today’s Non-Commercial Stakeholders Group).

The NCDNHC was under strict instructions from ICANN management to not give consideration to whether the applicants were commercial or non-commercial, but its report (pdf) did “take notice of longstanding relationships between the bidders (whether for-profit or non-profit) and the noncommercial community available in the public record”.

It ranked the PIR bid as third of the 11 applicants, on the basis that .org money would go to support ISOC and the IETF, which NCDNHC considered “good works”.

ICANN’s preliminary and final evaluation reports were both opened for public comment, and comment from the applicants themselves, and on both occasions ISOC sought to play up its not-for-profit status. In August 2002, it said:

Overall, we believe ISOC’s experience as a not-for-profit, Internet-focused organization, combined with Afilias’ expertise as a stable and proven back end provider, enables us to fully meet all the criteria set forth by the ICANN Board.

In October 2002, it said:

We believe strongly that the voice of the non-commercial community is critical to the long-term success of .ORG. ISOC’s global membership and heritage and PIR’s non-profit status will ensure the registry remains sensitive to non-commercial concerns. Should the ICANN Board select ISOC’s proposal, PIR will execute extensive plans to ensure that this voice is heard.

ISOC’s application was of course ultimately determined to be the best of the bunch, and in October 2002 ICANN decided to award it the contract.

Then there was the small matter of the IANA redelegation. IANA is the arm of ICANN that deals with changes to the root zone. Whenever a TLD changes hands, IANA issues a report explaining how the redelegation came about.

In the case of .org, IANA echoed the previous feelings about .org’s “intended” purpose, stating:

the Internet Society is a long-established organization that is particularly knowledgeable about the needs of the organizations for which the .org top-level domain was intended. By establishing PIR as a subsidiary to serve as the successor operator of .org, the Internet Society has created a structure that can operate the .org TLD in a manner that will be sensitive to the needs of its intended users

So, does history tell us that .org is meant to be a TLD by and for non-profits?

Mostly, yes, I think it does.

Xbox security chief gets domain hijacked

The head of Xbox Live policy and enforcement at Microsoft has had his domain name compromised by a disgruntled gamer using a social engineering attack on Network Solutions

Stephen Toulouse, who goes by the screen name “Stepto” and has the domain stepto.com, seems to have also lost his email, hosting and, as a result, his Xbox Live account.

He tweeted earlier today: “Sigh. please be warned. Network solutions has apparently transferred control of Stepto.com to an attacker and will not let me recover it.”

Somebody claiming to be the attacker has uploaded a video to YouTube showing him clicking around Toulouse’s Xbox account, whilst breathlessly describing how he “socialed his hosting company”.

It’s a bit embarrassing for Toulouse. He was head of communications for Microsoft Security Response Center for many years, handling comms during worm outbreaks such as Blaster and Slammer.

Now at Xbox Live, he is, as the attacker put it, “the guy who’s supposed to be keeping us safe”.

But it’s probably going to be much more embarrassing for Network Solutions. When the tech press gets on the story tomorrow, difficult questions about NSI’s security procedures will no doubt be asked.

Toulouse has already made a few pointed remarks about the company on his Twitter feed today.

Social engineering attacks against domain name registrars exploit human, rather than technological, vulnerabilities, involving calling up tech support and trying to convince them you are your victim.

In this case, hijacking the domain seems to have been a means to control Toulouse’s email account, enabling the attacker to reset his Xbox Live password and take over his “gamer tag”.

The same technique was used to compromise the Chinese portal Baidu.com, that time via Register.com, in late 2009. That resulted in a lawsuit, now settled.

The attacker, calling himself Predator, was apparently annoyed that Toulouse had “console banned” him 35 times, whatever that means.

He seems to have left a fair bit of evidence in his wake, and he appears to be North American, so I expect he’ll be quite easy to track down.

Predator’s video, which shows the immediate aftermath of the attack, is embedded below. It may not be entirely safe for work, due to some casually racist language.

UPDATE (April 5): The video has been removed due to a “violation of YouTube’s policy on depiction of harmful activities”. I snagged a copy before it went, so if anybody is desperate to see it, let me know.

Network Solutions under attack again

Kevin Murphy, April 18, 2010, Domain Registrars

Network Solutions’ hosting operation is under attack for the second time in a week, and this time it’s definitely not a WordPress problem.

The company has acknowledged that it has “received reports that Network Solutions customers are seeing malicious code added to their websites”, but has not yet released further details.

Sucuri.net, which was intimately involved in the news of the hack against NSI’s WordPress installations last week, blogged that this time the attacks appear to have compromised not only WordPress, but also Joomla-based and plain HTML sites.

Last week’s attacks were eventually blamed on insecure file permissions, which enabled shared-server hosting customers to look at each other’s WordPress database passwords.

But today NSI, one of the top-five domain name registrars, said: “It may not be accurate to categorize this as a single issue such as ‘file permissions’.”

Sucuri said that malicious JavaScript is being injected into the sites, creating an IFrame that sends visitors to drive-by download sites.

It’s a developing story, and not all the facts are out yet.

But it’s clear that NSI has a public relations problem on its hands. Some customers are already using Twitter to declare that they will switch hosts as a result.

And if it’s true, as Sucuri reports, that Google is already blocking some of the affected sites, who can blame them?

WordPress founder criticizes NSI’s security

Kevin Murphy, April 13, 2010, Domain Registrars

WordPress founder Matt Mullenweg had a few harsh words for top-five domain registrar Network Solutions today, after a whole bunch of NSI-hosted blogs were hacked over the weekend.

It appears that NSI’s web hosting operation, which includes a one-click WordPress installation service, was failing to adequately secure database passwords on shared servers.

Or, as Mullenweg blogged: “A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files.”

WordPress, by necessity, stores its database passwords as plaintext in a script called wp-config.php, which is supposed to be readable only by the web server.

If the contents of that file are viewable by others, a malicious user could inject whatever content they like into the database – anything from correcting a typo in a blog post to deleting the entire site.

That appears to be what happened here: for some reason, the config files of WordPress blogs hosted at NSI gave read permissions to unauthorized people.

The cracker(s) who noticed this vulnerability chose to inject an HTML IFrame into the URL field of the WordPress database. This meant visitors to affected blogs were bounced to a malware site.

Mullenweg is evidently pissed that some news reports characterized the incident as a WordPress vulnerability, rather than an NSI vulnerability.

NSI appears to have corrected the problem, resetting its users’ database passwords as a precaution. Anybody making database calls in custom PHP, outside of the wp-config.php file, is going to have to go into their code to update their passwords manually.