Latest news of the domain name industry


NetSol to alert cops over domain hijacking

Network Solutions intends to “notify the proper authorities” after a high-profile customer had his account hijacked over the weekend.
Stephen Toulouse, head of policy and enforcement for Microsoft’s Xbox LIVE, lost access to stepto.com, including his web site and email, for several hours yesterday, after a disgruntled teenaged gamer persuaded a member of NetSol’s support staff to hand over the account.
In a statement published on its blog, the domain name registrar said it was an “isolated incident directed at a specific customer account”, adding:

We maintain well-developed processes to ensure that Social Engineering attempts or any identified security concerns are immediately alerted to a Supervisor, who will expedite the investigation, usually with the help of the Network Solutions Security team. In this case, the procedure was not followed, and we apologize for any trouble caused to our customer.
Our Security team continues to investigate this matter. Additionally, because we take this matter very seriously, we intend to notify the proper authorities with the evidence that we have gathered, so that they may investigate the person(s) responsible for the fraud.

According to a new YouTube video released by the person claiming responsibility for the attack, “Predator”, he’s 15. He blamed Toulouse for his frequent Xbox LIVE bannings.
While he said he perpetrated the attack to highlight insecurities in Xbox LIVE, he also offered to hijack other gamers’ accounts for up to $250.
Comments posted in response to his first post-attack video claim to reveal his true identity, but of course comments on YouTube are not what you’d call reliable evidence.
The video itself does reveal a fair bit of information, however, so I can’t imagine tracking him down will be too difficult, especially if Microsoft has his parents’ credit card number on file.
His YouTube channel also has videos of him operating a botnet. That’s a whole lot more serious.


Xbox security chief gets domain hijacked

The head of Xbox Live policy and enforcement at Microsoft has had his domain name compromised by a disgruntled gamer using a social engineering attack on Network Solutions.
Stephen Toulouse, who goes by the screen name “Stepto” and has the domain stepto.com, seems to have also lost his email, hosting and, as a result, his Xbox Live account.
He tweeted earlier today: “Sigh. please be warned. Network solutions has apparently transferred control of Stepto.com to an attacker and will not let me recover it.”
Somebody claiming to be the attacker has uploaded a video to YouTube showing him clicking around Toulouse’s Xbox account, whilst breathlessly describing how he “socialed his hosting company”.
It’s a bit embarrassing for Toulouse. He was head of communications for Microsoft Security Response Center for many years, handling comms during worm outbreaks such as Blaster and Slammer.
Now at Xbox Live, he is, as the attacker put it, “the guy who’s supposed to be keeping us safe”.
But it’s probably going to be much more embarrassing for Network Solutions. When the tech press gets on the story tomorrow, difficult questions about NSI’s security procedures will no doubt be asked.
Toulouse has already made a few pointed remarks about the company on his Twitter feed today.
Social engineering attacks against domain name registrars exploit human, rather than technological, vulnerabilities: the attacker calls up tech support and tries to convince the agent that they are the legitimate account holder.
In this case, hijacking the domain seems to have been a means to control Toulouse’s email account, enabling the attacker to reset his Xbox Live password and take over his “gamer tag”. Whoever controls a domain’s DNS decides where its mail is delivered, so every account whose password resets go to an address at that domain falls along with it.
The same technique was used to compromise the Chinese portal Baidu.com, that time via Register.com, in late 2009. That resulted in a lawsuit, now settled.
The attacker, calling himself Predator, was apparently annoyed that Toulouse had “console banned” him 35 times, whatever that means.
He seems to have left a fair bit of evidence in his wake, and he appears to be North American, so I expect he’ll be quite easy to track down.
Predator’s video, which shows the immediate aftermath of the attack, is embedded below. It may not be entirely safe for work, due to some casually racist language.
UPDATE (April 5): The video has been removed due to a “violation of YouTube’s policy on depiction of harmful activities”. I snagged a copy before it went, so if anybody is desperate to see it, let me know.


ICANN doubles .xxx fees

ICANN has doubled the amount it will charge ICM Registry to register .xxx domain names, adding potentially hundreds of thousands of dollars to its top line.
The two parties yesterday signed a registry agreement (pdf), but it has been revised in quite significant ways since the last published version.
In short: ICANN has substantially increased its revenue whilst substantially reducing its risk.
Notably, ICANN will now charge the registry $2 per .xxx domain per year, compared to the $1 anticipated by the version of the contract published in August 2010 (pdf).
With ICM hoping for 300,000 to 500,000 registrations in its first year, that’s a nice chunk of change. Porn domains could be a $1 million business for ICANN quite soon.
For comparison, successful applicants under the new generic top-level domains program will only have to pay $0.25 per domain per year, and that fee only kicks in after 50,000 domains.
If there’s a .sex or a .porn, they’ll pay an ICANN fee an eighth of ICM’s.
Text from the new gTLD Applicant Guidebook that allows ICANN to raise fees in line with US inflation has also been added to ICM’s contract.
ICANN said in a blog post that the increases “account for anticipated risks and compliance activities”. It appears to be expecting trouble.
A number of other changes address the legal risks and compliance problems ICANN seems to be anticipating.
The contract now allows ICANN to more easily impose monetary fines on ICM for non-compliance, for example.
A new mediation procedure has been added to resolve disputes, to come between face-to-face talks and formal arbitration.
The contract would also oblige ICM to pay ICANN’s legal costs in the event of a third-party dispute, such as an Independent Review Panel hearing, being filed.
While the original contract required ICM to indemnify ICANN against third-party lawsuits, the revised version also includes a broad waiver (pdf) “to resolve all outstanding dispute/possible litigation matters” between ICM and ICANN.
I am not a lawyer, but it appears that ICM has signed away a fairly comprehensive chunk of its rights, and has agreed to shoulder most of the risk, in order to get its hands on the potentially lucrative deal.


Domain security arrives in .com

Kevin Murphy, April 1, 2011, Domain Tech

VeriSign announced late yesterday that it has fully implemented DNSSEC in .com, meaning pretty much anyone with a .com domain name can now implement it too.
DNSSEC adds cryptographic signatures to DNS data, so that a validating resolver can trust that when a web surfer asks for wellsfargo.com, the answer it receives is the one the bank’s zone actually published. Note that it authenticates the DNS answer, not the web site itself; that remains the job of TLS.
The signatures are checked along a chain of trust that runs from the signed root down through each TLD to the domain, which is why .com being signed matters. A forged answer carries no valid signature, which defeats cache poisoning attacks such as the Kaminsky Bug, the potential internet-killer that caused panic briefly back in 2008.
With .com now supporting the technology, DNSSEC is available to over half of the world’s domains, due to the size of the .com zone. But a signed TLD only makes it possible: each registrant still has to sign their own zone and publish a DS record for it in .com, and each resolver has to validate.
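The link between a signed .com and a signed registrant zone is the DS record: a hash of the registrant’s key-signing key (KSK) that the parent publishes, and that a validating resolver checks before trusting the child’s DNSKEY. The following is an added example, not VeriSign’s or any registrar’s tooling, showing how a DS record is derived from a DNSKEY in zone-file form (RFC 4034 key tag and DS layout, RFC 4509 SHA-256 digest type 2) and how to verify that the DS a parent holds actually matches the key the child serves. The owner name example.com. and the four-byte “public key” are constructed toy values, not a real key.

```python
import base64
import hashlib

# Added example, not VeriSign's or the registrars' code. The DNSKEY used in
# the usage at the bottom is a constructed toy (4 bytes of "public key"); the
# arithmetic follows RFC 4034 (key tag, DS RDATA) and RFC 4509 (digest type 2).


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the zero-length root label."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def is_ksk(flags: int) -> bool:
    """Bit 15 (the SEP bit, flags value 257) marks the key meant to be pointed
    at by the parent's DS; DS records are normally generated only for these."""
    return bool(flags & 1)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA.
    It is not cryptographic; resolvers use it to pick the right key quickly."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, dnskey_text: str) -> dict:
    """Build the DS record for a DNSKEY given in presentation form
    ("flags protocol algorithm base64key"), using SHA-256 (digest type 2).
    The digest covers the owner name in wire form followed by the RDATA."""
    flags, protocol, algorithm, b64 = dnskey_text.split(maxsplit=3)
    pubkey = base64.b64decode("".join(b64.split()))  # tolerate wrapped base64
    rdata = dnskey_rdata(int(flags), int(protocol), int(algorithm), pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {
        "owner": owner,
        "key_tag": key_tag(rdata),
        "algorithm": int(algorithm),
        "digest_type": 2,
        "digest": digest,
        "is_ksk": is_ksk(int(flags)),
    }


def ds_text(ds: dict) -> str:
    """Zone-file form of the DS, i.e. what you hand to the registrar for .com."""
    return f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches(parent_ds_text: str, child_owner: str, child_dnskey_text: str) -> bool:
    """Check that the DS published in the parent matches the child's KSK.
    A mismatch here (e.g. after a key rollover) makes every validating
    resolver treat the child zone as bogus, which is worse than unsigned."""
    want = ds_from_dnskey(child_owner, child_dnskey_text)
    fields = parent_ds_text.split()  # owner IN DS tag alg dtype digest
    got = (int(fields[3]), int(fields[4]), int(fields[5]), fields[6].upper())
    return got == (want["key_tag"], want["algorithm"], want["digest_type"], want["digest"])


if __name__ == "__main__":
    # Constructed toy KSK: flags 257, protocol 3, RSA/SHA-256 (8), key bytes 01 02 03 04.
    toy_key = "257 3 8 AQIDBA=="
    ds = ds_from_dnskey("example.com.", toy_key)
    print(ds_text(ds))
    print("parent DS matches child KSK:", ds_matches(ds_text(ds), "example.com.", toy_key))
```

In practice the DNSKEY text comes from `dig example.com. DNSKEY +multi` against the authoritative server and the parent DS from `dig example.com. DS` against .com; the check above is what a registrant should run after any KSK rollover, before the old key is withdrawn.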
I chatted to Matt Larson, VeriSign’s VP of DNS research, and Sean Leach, VP of technology, this afternoon, and they said that .com’s signing could be the tipping point for adoption.
“I feel based on talking to people that everybody has been waiting for .com,” Larson said. “It could open the floodgates.”
What we’re looking at now is a period of gradual adoption. I expect a handful of major companies will announce they’ve signed their .coms, probably in the second half of the year.
Just like a TLD launch, DNSSEC will probably need a few anchor tenants to raise the profile of the technology. Paypal, for example, said it plans to use the technology at an ICANN workshop in San Francisco last month, but that it will take about six months to test.
“Most people have their most valuable domains in the .com space,” said Leach. “We need some of the big guys to be first movers.”
There’s also the issue of ISPs. Not many run validating resolvers today, and a signature that nobody checks protects nobody. The industry has been talking up Comcast’s aggressive deployment vision for over a year now, but few others have announced plans.
And of course application developer support is needed. Judging from comments made by Mozilla representatives in San Francisco, browser makers, for example, are not exactly champing at the bit to natively support the technology.
You can, however, currently download plugins for Firefox that validate DNSSEC claims, such as this one.
According to Leach, many enterprises are currently demanding DNSSEC support when they buy new technology products. This could light a fire under reluctant developers.
But DNSSEC deployment will still be slow going, so registries are doing what they can to make it less of a cost/hassle for users.
Accredited registrars can currently use VeriSign’s cloud-based signing service for free on a trial basis, for example. The service is designed to remove the complexity of managing keys from the equation.
I’m told “several” registrars have signed up, but the only one I’m currently aware of is Go Daddy.
VeriSign and other registries are also offering managed DNSSEC as part of their managed DNS resolution enterprise offerings.
Neither of the VeriSign VPs was prepared to speculate about how many .com domains will be signed a year from now.
I have the option to turn on DNSSEC as part of a Go Daddy hosting package. I probably will, but only in the interests of research. As a domain consumer, I have to say the benefits haven’t really been sold to me yet.


Greek IDN blocked due to non-existent domain

Greece’s request for .ελ, a version of .gr in its local script, was rejected by ICANN because it looked too much like .EA, a non-existent top-level domain, it has emerged.
Regular readers will be familiar with the story of how Bulgaria’s request for .бг was rejected due to its similarity to Brazil’s .br, but to my knowledge the Greeks had not revealed their story until this week.
In a letter to the US government, George Papapavlou, a member of ICANN’s Governmental Advisory Committee, called the process of applying for an IDN ccTLD “long and traumatic”.
He said that Greece had to jump through “completely unnecessary” hoops to prove its chosen string was representative of the nation and supported by its internet community, before its application was finally rejected because it was “confusingly similar” to a Latin string.
“IANA has no right to question languages or local Internet community support. Governments are in the position of expressing their national Internet communities,” Papapavlou wrote.

The capital letters version of .ελ (ΕΛ) was considered to be confusingly similar to the Latin alphabet letters EA. The possibility of such confusion for a Greek language speaker, who uses exclusively Greek alphabet to type the whole domain name or address, to then switch into capital letters and type EA in Latin alphabet is close to zero. After all, there is currently no .ea or .EA ccTLD.

That’s true. There is no .ea. But that’s not to say one will not be created in future: ccTLD strings are derived from the ISO 3166-1 alpha-2 list, so if the ISO maintenance agency ever assigned EA to a territory, ICANN would not be able to block the corresponding ccTLD on stability grounds.
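The ruling turns on cross-script visual similarity: the Greek capitals Ε (U+0395) and Λ (U+039B) are distinct code points from Latin E and A but render almost identically, which is the same property that IDN homograph attacks exploit. The following is an added example, not ICANN’s or IANA’s string-similarity procedure, showing how such a check can be done: it derives a character’s script from its Unicode name, maps non-Latin characters to Latin lookalikes from a small constructed table (a subset of the Unicode confusables data, not the full list), checks the label both as written and in upper case, and compares the result against a constructed list of existing TLDs. The .бг entries in the table are an assumption modelling the ruling reported above, not a statement about how ICANN reached it.

```python
import unicodedata

# Added example, not ICANN's or IANA's similarity review. LATIN_LOOKALIKES is a
# small constructed subset of Unicode's confusables (UTS #39); a real check
# would load the full confusables.txt.
LATIN_LOOKALIKES = {
    "\u0395": "E",  # GREEK CAPITAL LETTER EPSILON
    "\u039b": "A",  # GREEK CAPITAL LETTER LAMDA
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    # Assumption: models the .бг-vs-.br ruling mentioned above.
    "\u0431": "b",  # CYRILLIC SMALL LETTER BE
    "\u0433": "r",  # CYRILLIC SMALL LETTER GHE
}


def script_of(ch: str) -> str:
    """Rough script detection from the character's Unicode name
    ('GREEK CAPITAL LETTER EPSILON' -> 'GREEK'); good enough for letters."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scripts(label: str) -> set:
    """Set of scripts present in a label; more than one is a mixed-script label."""
    return {script_of(ch) for ch in label}


def latin_lookalike(label: str):
    """Return the all-Latin string `label` could be mistaken for, or None if
    the label is already ASCII (nothing to confuse) or some character has no
    Latin lookalike in the table."""
    out, mixed = [], False
    for ch in label:
        if ch.isascii():
            out.append(ch)
        elif ch in LATIN_LOOKALIKES:
            out.append(LATIN_LOOKALIKES[ch])
            mixed = True
        else:
            return None
    return "".join(out) if mixed else None


def confusable_forms(label: str) -> set:
    """Check the label as written and in upper case (the form in which
    .ελ was judged against EA); return every Latin string it resembles."""
    forms = set()
    for variant in (label, label.upper()):
        hit = latin_lookalike(variant)
        if hit is not None:
            forms.add(hit)
    return forms


def colliding_tlds(label: str, existing_tlds) -> list:
    """Existing TLDs (compared case-insensitively) that `label` could be
    mistaken for. An empty list means only a future TLD could collide."""
    existing = {t.lower() for t in existing_tlds}
    return sorted({f.lower() for f in confusable_forms(label) if f.lower() in existing})


if __name__ == "__main__":
    # Constructed list of existing ccTLDs for the demonstration.
    known = ["br", "gr", "de", "uk"]
    for label in ("\u03b5\u03bb", "\u0431\u0433", "p\u0430ypal"):
        print(label, scripts(label), confusable_forms(label), colliding_tlds(label, known))
```

For .ελ the check reports the resemblance to EA but no collision with a current TLD, which is exactly the situation the Greek letter describes; for .бг it reports a collision with .br. The third label shows the same machinery catching a mixed-script Latin/Cyrillic homograph of a brand name.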
Papapavlou called for “common sense” to be the guiding principle when deciding whether to approve an IDN ccTLD or not.
That is of course only one side of the story. Currently, ICANN/IANA does not comment on the details of ccTLD delegations, so it’s the only side we’re likely to see in the near future.


‘Hostel’ director slams Go Daddy CEO

Kevin Murphy, March 31, 2011, Domain Services

Okay, this is getting weird.
Eli Roth, director of Hostel – one of the sickest horror films of recent years – has criticized Go Daddy CEO Bob Parsons for his controversial elephant-hunting video.
In a series of Twitter posts last night, Roth condemned Parsons for his video, saying, among other things: “It’s sick fucks like you that make me think Hostel could really happen.”
If you haven’t seen Hostel, it’s basically about an Eastern European gang that lets wealthy Americans torture and murder kidnapped backpackers in exchange for a hefty fee.
It’s just about as grim a movie as you could imagine.
Here’s a screenshot of some of Roth’s tweets.
[Screenshot: Eli Roth tweets]
Compounding the weirdness, Roth was later retweeted by Russell Crowe.


Porn affiliate network to shun .xxx

Kevin Murphy, March 31, 2011, Domain Registries

The Free Speech Coalition has announced support for its .xxx boycott from what looks to be a significant player in the porn affiliate network market.
Gamma Entertainment, which runs programs such as LiveBucks.com, said it plans to defensively register some of its brands in .xxx.
But for every dollar the company spends with ICM Registry, it also plans to make a matching donation to the top-level domain’s opponents, such as the FSC.
Xbiz quotes Gamma president Karl Bernard: “Gamma is committed to using our resources to lead by example – by pledging our support in the efforts to combat ICM’s .xxx.”
The company will continue to focus development on its .com web sites, according to the article.
The FSC announced its boycott earlier this week, to signal its objection to ICANN’s approval of the TLD.


Short .tel domains coming June 1

Kevin Murphy, March 31, 2011, Domain Registries

Telnic, the .tel registry, is to start selling short and numeric .tel domain names from June 1.
The company announced today that two-character and numeric-only .tel domains will first be subject to a premium-price landrush, followed by general availability from June 14.
It’s the first time you’ll be able to register .tel domains containing only numerals, but you won’t be able to register anything longer than seven characters, hyphens included.
This would presumably rule out phone numbers including area codes in most if not all places.
All two-letter strings that correspond to existing country-code top-level domains are also reserved, as are all one-letter strings, whether they be numeric or alphabetic.
The release follows Telnic’s moderately controversial request to ICANN to liberalize its registration policies, which I previously covered here and here.


New UDRP guidelines reflect unpredictability

Kevin Murphy, March 31, 2011, Domain Policy

Cybersquatting cases filed under the Uniform Dispute Resolution Policy have become less predictable, judging from complex new guidelines for adjudication panels.
The World Intellectual Property Organization has just published WIPO Overview 2.0, which sets out over 10 years of UDRP precedent for panelists to consider when deciding future cases.
The document is a must-read for domain investors and trademark holders.
Updated for the first time since 2005, it contains new sections covering developments such as registrar parking, automatically generated advertising and proxy/privacy services.
The Overview has quadrupled in length, from 5,000 to 20,000 words. With that has come increased complexity. WIPO notes:

While predictability remains a key element of dispute resolution systems, neither this WIPO Overview nor prior panel decisions are binding on panelists, who will make their judgments in the particular circumstances of each individual proceeding.

The document reflects decisions already made, rather than creating new law, but as such it also reflects the tilting balance of the UDRP in favor of complainants.
For example, while the 2005 guidelines presented majority and minority views on whether [trademark]sucks.com domains meet the “confusing similarity” criterion, Overview 2.0 presents only a “consensus view” that they do, suggesting that it is now settled law.
On whether parking a domain with PPC ads meets the “legitimate interests” criterion, the guidelines refer to precedent saying that the ads must not capitalize on a trademark:

As an example of such permissible use, where domain names consisting of dictionary or common words or phrases support posted PPC links genuinely related to the generic meaning of the domain name at issue, this may be permissible and indeed consistent with recognized sources of rights or legitimate interests under the UDRP, provided there is no capitalization on trademark value

Supporting this view, the Overview states that “bad faith” can be shown even if the domain owner does not control the content of their parked pages and makes no money from the ads:

Panels have found that a domain name registrant will normally be deemed responsible for content appearing on a website at its domain name, even if such registrant may not be exercising direct control over such content – for example, in the case of advertising links appearing on an “automatically” generated basis… It may not be necessary for the registrant itself to have profited directly under such arrangement

There is a defense to this, if the respondent can show they had no knowledge of the complainant’s trademark and made no effort to control or profit from the ads.
Because the UDRP calls for “registration and use in bad faith”, the guidelines also ask: “Can bad faith be found if the disputed domain name was registered before the trademark was registered or before unregistered trademark rights were acquired?”
The original guidelines said no, with a carve-out for cases where the squatter anticipated, for example, a future corporate merger (microsoftgoogle.com) or product release (ipad4.com).
The new guidelines are a lot less clear, calling it a “developing area of UDRP jurisprudence”. The document lists several cases where panelists have chosen to essentially set aside the registration date and concentrate instead just on bad faith usage.
The question of whether a renewed domain counts as a new registration is also addressed, and that section too carries a couple of exceptions that give panelists more flexibility in their decisions.
The Overview covers a lot of ground – 46 bullet points compared to 26 in the first version – and will no doubt prove invaluable reading for people filing or fighting UDRP cases.
The guidelines are not of course set in stone. The 2005 version read:

The UDRP does not operate on a strict doctrine of precedent. However, panels consider it desirable that their decisions are consistent with prior panel decisions dealing with similar fact situations. This ensures that the UDRP system operates in a fair, effective and predictable manner for all parties

But the new version adds a caveat to the end of the sentence: “while responding to the continuing evolution of the domain name system.”
