Shrug. auDA managed to convince someone:

- there was an "incident" in 2007 which warranted being told to auDA
- that, even though, all registered domains were being monitored
- that, even though, all passwords would be reset
- that the registrar needed to specifically include the text "*and your credit card transactions*" in their notice to their various customers
- that, despite auDA receiving amended text (not contested in the summary), and despite the registrar indicating that they had made a 'cut and paste error', the amended text (which does not include the italicised portion above) was sent
- that this prompted auDA to send an email to registrants so that they had "advices as to steps that needed to be taken to reduce any risks" and "in order to protect the integrity of the .au system"
- apparently even auDA considered it unnecessary to inform registrants that they should monitor their credit card (but then they reconsidered; no information as to why)
- some "terms and conditions" were agreed in respect of Australian Style's security systems; oddly, auDA indicate that those terms and conditions did not prevent them taking any further actions [1]
- auDA, despite considering a vulnerability a breach, pursued the registrar about the "2007 incident" and sent a letter. "Australian Style gave the undertakings, warranties and acknowledgments sought, and provided a response to auDA's request for information as contained in the 19 February letter. auDA did not consider this was a substantial response"
- auDA does not consider a registrar acquiescing to its demands to be "a substantial response"
- neither auDA nor the registrar had a useful expert witness able to explain to a court the material difference between a "security breach" and a "security vulnerability"; so the court made up its own mind what those words meant.
- unfortunately the court concluded that, despite the fact that a table structure was already known to the organisation who discovered the security vulnerability, the fact that they could access it in another manner constituted a security breach (and thus meant that the 2007 incident was a breach auDA could act on)
- the registrar believed it prudent to change their own system passwords, but not their customers', when the 2007 incident was discovered
- auDA terminated their registrant agreement on the basis of two things (1. not sending the right email {with the missing words noted above}; 2. the behaviour of the registrar in not disclosing the 2007 incident)
- apparently, it is beholden to registrars to notify auDA about amended email text that they have been emailed (SS 145)
- oddly auDA considered that although another registrar (austdomain) had used the same software as Australian Style ("An unexploited security vulnerability is not, in Mr Disspain's view, a security breach.") (SS 176).

Whilst I have mainly noted auDA's failings in my summary, I cannot say that Australian Style comes out very well. The fact that they took advantage of a court-ordered injunction to transfer domains to a related company speaks volumes. Certainly, if I were a registrar, I would be disinclined to be easily accessible to auDA -- nothing in the registrar agreement requires it; and it would have meant that things might have been done with more thought for people at the receiving end (i.e. actual registrants). As it is, auDA's actions actually *undermined* the security and confidence of registrants of the .au domain system.

Why do I say that:

- as a registrant you first see the domain being transferred away
- then you see it being transferred back
- then you see it being transferred somewhere else
- then you see you are not able to do anything about the domain
- then it gets transferred away (again)
- then you have to do something or other to do something with the domain

Why bother when a gTLD offers none of these problems.

Anand

[1]: Lessons for resellers so far:

- auDA is unlikely to be usefully able to read and respond to email (from the court-provided timeline)
- auDA is unlikely to ever waive their specific rights, unless you highlight to them that they are waiving their rights
- auDA believe that a security vulnerability and a security breach are one and the same (your front door being unlocked is a vulnerability; someone going through your front door is a security breach)

On Tue, Sep 29, 2009 at 11:29 PM, Kim Davies <kim§cynosure.com.au> wrote:
> Quoting Larry Bloch on Tuesday May 12, 2009:
> |
> | I'm on Bottle's side on this because it is bullying tactics, it's arbitrary,
> | and it could be any one of us next. I'm not standing up for the rights of
> | downtrodden registrars, I'm standing for the right of my business to not be
> | threatened by de-accreditation (and ensuing oblivion) over a matter that
> | doesn't warrant it. I'm pretty bemused as to why I'm the only one. Surely
> | you don't want a regulator that destroys businesses and employment with
> | little notice for questionable reasons just because it can.
>
> Apparently the Victorian Supreme Court thinks it was warranted.
> "[Bottle] demonstrated an extraordinary indifference to the effect of
> credit card fraud upon its victims." I am no lawyer but that sounds like
> pretty strong language.
>
> http://www.austlii.edu.au/au/cases/vic/VSC/2009/422.html
>
> kim
> ---------------------------------------------------------------------------
> List policy, unsubscribing and archives => http://dotau.org/

Received on Tue Sep 29 2009 - 17:24:04 UTC
This archive was generated by hypermail 2.3.0 : Sat Sep 09 2017 - 22:00:10 UTC