The most ethical move would have been to write to people listed at https://www.iana.org/domains/root/db/cd.html and put IANA in copy (likely ROOT-MGMT@IANA.ORG as listed in the public document: 24x7 Emergency Process Step-by-Step Description).
I feel it's problematic that whenever someone writes about an ethically tricky security vulnerability disclosure someone will come up with some variant of "but doing it a bit differently would've been more ethical".
The reason I think this is problematic is that there are already more than enough people in the security community who will either say "fuck it, I'm not gonna bother with that" or "let's sell it to the highest bidder".
We should appreciate more when people are trying to do the right thing and worry more about the people doing clearly the wrong thing and less about whether the people doing overall the right thing did it perfectly.
I think this situation is like knowing a car crash is about to happen and then still waiting for it to happen though. Why not email someone to pay their bill?
It's worse than that. It's knowing a car crash will happen, waiting until it does, and then writing a self promotional article about how awesome you are at predicting car crashes in an attempt to sell your car crash prediction services.
I assume you mean that he should have done that when he noticed the domain was pending renewal? (edited to "renewal", not deletion)
He definitely acted decently overall (and did reach out to the people you mention afterwards). But I can empathize with the author for simply thinking "pending renewal? alright whatever" and later on "pending DELETE? shit I should make sure they're OK!".
I guess there's always what's best in hindsight and what's actually done.
A week after he registered the domain name. That's not the same thing as "before," which I believe the top comment in this thread was implying about what he should have done instead of what he did do.
And if he wasn't going to contact anyone, watching for the domain name to drop, and manually registering it at that point, is a recipe for disaster. It may not have been feasible for him to set up an automatic registration script (although I see he was using Route 53, so maybe it would have been?), but being first in line to drop-catch a domain name is the exact purpose of services such as SnapNames. Took a terrible and unnecessary risk on top of not doing the "most ethical" thing.
> Although one of the contacts replied and delegated to their colleague, as of this writing, I haven’t received any follow-up confirmation that they fixed the issue.
Wonder if that means they're investigating a "legal response" to his report?
I had a gut feeling it would be '.cd' before clicking on the article and I was right. Dealing with the state entity (SCPT) that manages this TLD is quite a pain. It's so painful that I've given up managing all the .cd domains I used to own.
.cd domains are also some of the most expensive to get. Hopefully the new government will take this seriously.
There were some discussions here recently about this, and from memory the answer was nothing, except reputation. They're free to do whatever they please with it, though jacking the price suddenly might not be great business long term.
But you do need to have a registered business in Thailand with the exact name as the domain name to register the domain. That's a fact for co.th, I'm not sure about .th though, but I would assume it to be true.
The new crop of TLDs are really cheap. I bought a .download for like $2 a year or something. Not all are that cheap (I bought it as a throwaway for a project that relied on my having DNS control) but there are literally hundreds of them that are.
Only issue is I don't think there's anything preventing the price going sky-high in coming years, for most of these TLDs. For a throwaway it doesn't matter, but could really hurt if you start relying on one.
Interesting read and also the reaction from authorities in DRC is interesting - they changed the records with IANA. Probably good course of action because OP could hold them hostage and they shouldn't risk relying on his written confirmation in such an important matter.
Good decision making on the DRC in the end. Well Done.
Once it's in the redemption grace period the domain is already on the way to deletion. That's not part of the normal domain lifecycle; that's part of the deletion lifecycle.
You clearly have never ever worked in domain renewals before. Many people only renew once dns stops resolving. I've seen govt agencies use this as their reminder to renew.
And yes, many scammers out there send postcards to businesses offering to assist for $1,000 on the renewals - and many people pay. So people do send out "alerts" the way you ask - most commonly exploitive and at least I give the advice to ignore ALL such renewal alerts. If you are telling people to respond to those you are sending people down scam alley.
> Many people only renew once dns stops resolving.
DNS stops resolving because the domain is pending deletion. At that point it's not a renewal, it's a restore (which costs a lot more money). Refer to the brown "Domain no longer in zone" section of ICANN's lifecycle chart: http://archive.icann.org/en/registrars/gtld-lifecycle.jpg If people are actually regularly using restores instead of renews then they're unnecessarily throwing away lots of money.
> I've seen govt agencies use this as their reminder to renew.
What TLDs were these government agencies using? gTLDs have uniform policies but ccTLDs and special purpose TLDs like .gov do not (and you cannot generalize your experience there to gTLDs). But the expired nameserver domain registration under discussion in this article is a .com, which is a gTLD, so it goes through the standard lifecycle of 30 day redemption grace period + 5 day pending delete period, and during these its DNS is yanked.
Source: I've been in the domains industry for 7 years and run 44 TLDs.
Then you should absolutely know that pending deletion is not a black swan event. Can you talk to someone with some data in this space? You will find pending deletion -> restore is a surprisingly common pattern.
As to govt agencies - sure, many use .org and .com domains routinely. These do not get special treatment - and I do generalize my experience from .com and .org to these govt run websites without hesitation.
Despite ideas - just because a public agency is using these domains does not make them magic.
I'm going to stop here. Despite your claims that folks don't go into pending deletion - they do. I am responding to top comment - people fail to renew their domains on time routinely. I've seen it happen with some surprise in govt agencies (i.e., someone in a dept spins up a website, and renews when someone complains it's not working and they get permission to spend the money to renew - which is not instantaneous even for small purchases) as well.
All my points stand and I remain unconvinced by your claims that these govt agency websites can't expire (they do routinely), that pending deletion is a black swan event (it is not) or that folks don't fail to renew on a timely basis (they do frequently).
Exactly what I thought. It would have been more ethical to write to them the day BEFORE the expiration (and still buy the domain if they didn't act fast enough).
> If I had operated with malicious intent, I could have also [...]
Wouldn't most of these be mitigated if that ccTLD used DNSSEC (according to dnsviz, it currently doesn't)? The hijacked DNS servers wouldn't be able to provide correctly-signed DNS records, so the fake answers would be rejected by all validating resolvers.
Maybe you could find a cluster of TLDs delegating to each other in a loop. Combined with huge TTLs you might be able to bootstrap a full takeover of a subset of all DNS?
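The risk the thread is circling (a TLD whose nameservers sit under a domain in another TLD that can lapse) and the delegation loop raised in the comment above can both be checked from a zone's own NS data before anything expires. The following is an added example, not code from the article or from anyone in this thread: the delegation data, hostnames and expiry dates are constructed, and the "last two labels" rule for the registrable domain is a simplifying assumption (real code should consult the Public Suffix List, since e.g. co.th is a suffix).

```python
"""Nameserver dependency check from a zone's NS records (added example).

For a zone, list the registrable domains its nameservers live under, flag the
ones whose registration lapses soon, and detect zones whose nameservers depend
on each other in a loop.
"""
from datetime import date, timedelta

# Constructed sample delegation data, NOT real records: zone -> NS hostnames.
DELEGATIONS = {
    "cd": ["ns-cd.example-dns-host.com", "ns1.scpt.example-agency.cd"],
    "example-dns-host.com": ["a.gtld-servers.example.net"],
    # Constructed loop: two zones whose only nameservers live under each other.
    "loop-a.example": ["ns.loop-b.example"],
    "loop-b.example": ["ns.loop-a.example"],
}

# Constructed registration expiry dates, as one would obtain from RDAP/WHOIS.
EXPIRY = {
    "example-dns-host.com": date(2030, 3, 15),
    "example-agency.cd": date(2031, 1, 1),
}


def registrable_domain(hostname):
    """Assumption for this example: the registrable domain is the last two
    labels. Production code must use the Public Suffix List instead."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def nameserver_domains(zone, delegations=DELEGATIONS):
    """Map each registrable domain the zone's nameservers fall under to whether
    it is inside the zone's own namespace ('in-bailiwick') or 'external'.
    An external domain is a registration the zone operator does not control."""
    result = {}
    for ns in delegations.get(zone, []):
        dom = registrable_domain(ns)
        inside = dom == zone or dom.endswith("." + zone)
        result[dom] = "in-bailiwick" if inside else "external"
    return result


def expiring_dependencies(zone, today, within_days=30,
                          delegations=DELEGATIONS, expiry=EXPIRY):
    """Return {domain: reason} for nameserver domains that expire within
    `within_days` of `today` or whose expiry is unknown (also worth a look)."""
    cutoff = today + timedelta(days=within_days)
    alerts = {}
    for dom in nameserver_domains(zone, delegations):
        exp = expiry.get(dom)
        if exp is None:
            alerts[dom] = "unknown expiry"
        elif exp <= cutoff:
            alerts[dom] = "expires " + exp.isoformat()
    return alerts


def delegation_cycles(delegations=DELEGATIONS):
    """Find groups of zones whose nameserver domains depend on each other in a
    loop. A loop only breaks resolution when no nameserver outside the loop
    exists, so every reported loop should be reviewed by hand."""
    graph = {z: {registrable_domain(ns) for ns in nss} - {z}
             for z, nss in delegations.items()}
    cycles = []

    def visit(node, path):
        for nxt in graph.get(node, ()):
            if nxt in path:
                cycle = path[path.index(nxt):]
                if sorted(cycle) not in [sorted(c) for c in cycles]:
                    cycles.append(cycle)
            elif nxt in graph:
                visit(nxt, path + [nxt])

    for z in graph:
        visit(z, [z])
    return cycles


if __name__ == "__main__":
    print("nameserver domains of cd:", nameserver_domains("cd"))
    print("expiring soon:", expiring_dependencies("cd", date(2030, 3, 1)))
    print("delegation loops:", delegation_cycles())
```

Run against real data, the delegation map would come from the zone's NS RRsets and the expiry dates from RDAP lookups on each external domain; the point of the `external` label is that those are the registrations a zone operator must watch (or renew themselves), because nothing inside their own zone can protect them if the outside registration drops.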
It pisses me off that for something of this magnitude this guy will probably only be paid no more than a couple thousand dollars, if at all. He still has no response.
Understandable stance, but the damage he was capable of causing was probably millions of dollars worth. So yeah, a few thousand bucks as a thank you is reasonable.
The DRC has a lot of problems (to say the least) at the moment and has had for a while and this is pretty low priority in their scheme of things. Countries with weird residual TLDs for non-sovereign territory (e.g. .as or .ac) surely pay more attention to these trivial domains than anyone in the DRC can.
Which is all to say the amount of effort expended on any task, or the amount of knowledge brought to bear on a task, is only sometimes correlated with its value. Ever worked hard on a company that failed?
I felt I needed to put the first line in because my comment on your question could have been misinterpreted as criticism of the hacker.
I work for a few cities in Europe, and happen to know one of the cities had a site with an SQL injection issue. An external person found and let the city know but didn't want to reveal the specifics before getting money. The city has no bounty program and for some people in the City it came across as if the guy was extorting them. The guy probably felt like he didn't get money for his work. Probably both have a point. In the end it got resolved.
If he was smart, then he said nothing that sounds like blackmail. But you could say, for example, that I have to settle the expense of reproducing it and writing it down properly or something similar.
It depends on the country, but in France for instance, there is a maximum sentence of one year in prison and a 15000€ fine just for "fraudulently accessing a data processing system", or trying to do so even if you don't succeed.
It may not directly pay but his reputation as Security Expert is enhanced.
I don't know if "Big Internet" (ICANN, IANA, IETF, RIRs) does not have its own security group like the Commercial companies do (Project Zero, various EH companies). RFC3013???
We have to depend on people who can take time to look for exploits in exchange for reputation.
It seems more likely that the OP even lost money buying a useless domain name that no one will pay for.
Most probably not even a "Thank You" they will give.