[DNS] Bottle breaches policy

[DNS] Bottle breaches policy

From: Anand Kumria <wildfire§progsoc.uts.edu.au>
Date: Wed, 30 Sep 2009 01:24:04 +0100
auDA managed to convince someone:
 - there was an "incident" in 2007 which warranted be told b auDA
 - that, even though, all registered domains were being monitored
 - that, even though, all passwords would be reset
 - that the registrar need to specifically include the text "*and your
credit card transactions"* in their notice to their various customers
 - that, despite auDA receiving amended text (not contested in the summary),
and despite the registrar indicating that they had made an 'cut an paste
error'; the amended text (which does not include the italisced portion
above) was sent
 - that prompted auDA to send an email to registrants so that they had
"advices as to steps that needed to be taken to reduce any risks" and "in
order to protect the integrity of the .au system"
- apparently even auDA considered it unnessary to inform registrants that
they should monitor their credit card (but then they reconsidered, no
information as to why)
- some "terms and conditions" were agreed in respect of Australian Style
security systems; oddly auDA indicate that those terms and conditions did
not prevent them doing any further actions [1]
 - auDA, despite considering a vulnerability a breach, pursued the registrar
about the "2007 incident" and sent a letter. "Australian Style gave the
undertakings, warranties and acknowledgments sought, and provided a response
to auDA?s request for information as contained in the 19 February letter.
auDA did not consider this was a substantial response"
 - auDA does not consider a registrar acquienscing to its demands to be "a
substantial response"
 - neither auDA nor the registrar has useful expert witness able to explain
to a court the material difference between a "security breach" and a
"security vulnerabilty"; so the court made up its own mind what those words
 - unfortunately the court concluded that, despite the fact that a table
structure was already known the the organisation who discovered the security
vulnerability; the fact that they could access it in another manner
constituted a security breach (and thus meant that the 2007 incident was a
breach auDA could act on)
 - the registrar believed it prudent to change their own system passwords
but not theirs customers when the 2007 incident was discovered
 - auDA terminated their registrant agreement on the basis of two things (1.
not sending the right email { with the missing words noted above }, 2. the
behaviour of the registrar in not disclosing the 2007 incident )
 - apparently, it is beholden to registrars to notify auDA about amended
email text that they have been emailed (SS 145)
 - oddly auDA considered that although another registrar (austdomain) had
used the same software as Australian Style ("An unexploited security
vulnerability is not, in Mr Disspain?s view, a security breach.") (SS 176).

Whilst I have mainly noted auDAs failings in my summary; I can not say that
Australian Style comes out very well. The fact that they took advantage of a
court-ordered injunction to transfer domains to a related company speaks

Certainly if I was a registrar, I would be disinclined to be easily
accessible to auDA -- nothing in the registrar agreement requires it; and it
would have meant that things might have been done with more thought for
people at the receiving end (i.e. actual registrants).

As it is auDA actions actually *undermined* the security and confidence of
registrants of the .au domain system.

Why do I say that:
 - as a registrant you first see the domain being transferred away
 - then you see it being transferred back
 - then you see it being transferred somewhere else
 - then you see you not being able to do anything about the domain
 - then it gets transferred away (again)
 - then you have to do something or other to do something with the domain

Why bother when a gTLD offers none of these problems.


[1]: Lessons for resellers so far:
 - auDA is unlikely to be usefully able to read and respond to email (from
the court provided timeline)
 - auDA is unlikely to ever waive their specific rights, unless you
highlight to them that they are waiving their rights
 - auDA believe that a security vulnerability and a security breach are one
and same (your front door being unlocked in a vulnerability, someone going
through your front door is a security breach)

On Tue, Sep 29, 2009 at 11:29 PM, Kim Davies <kim&#167;cynosure.com.au> wrote:

> Quoting Larry Bloch on Tuesday May 12, 2009:
> |
> | I'm on Bottle's side on this because it is bullying tactics, its
> arbitrary,
> | and it could be any one of us next. I'm not standing up for the rights of
> | downtrodden registrars, I'm standing for the right of my business to not
> be
> | threatened by de-accreditation (and ensuing oblivion) over a matter that
> | doesn't warrant it. I'm pretty bemused as to why I'm the only one. Surely
> | you don't want a regulator that destroys businesses and employment with
> | little notice for questionable reasons just because it can.
> Apparently the Victorian Supreme Court thinks it was warranted.
> "[Bottle] demonstrated an extraordinary indifference to the effect of
> credit card fraud upon its victims." I am no lawyer but that sounds like
> pretty strong language.
> http://www.austlii.edu.au/au/cases/vic/VSC/2009/422.html
> kim
> ---------------------------------------------------------------------------
> List policy, unsubscribing and archives => http://dotau.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cynosure.com.au/mailman/private/dns/attachments/20090930/e219040f/attachment.htm>
Received on Tue Sep 29 2009 - 17:24:04 UTC

This archive was generated by hypermail 2.3.0 : Sat Sep 09 2017 - 22:00:10 UTC