Let’s call it what it is. It’s not a domain taken over by squatters. The domain was stolen.
I’ve seen other domains get stolen recently, it seems to be about the same time.
Patterns dot com
Piracy dot com
Perl dot com
All stolen at around the same time.
With patterns, the thief hacked the Network Solutions account, put the domain under privacy, transferred it to a Chinese registrar, and then put the old whois data back. They then tried to sell it on Sedo and Afternic for 10 percent of what it’s worth.
I have been able to get Sedo and Afternic to remove the listings. But patterns has not been returned to its owner after about two months. Still working with the owner and registrars on that.
My advice is to lock down your domains, register them for at least 5 years, and if there are changes deal with them quickly. Once a domain is transferred it’s much harder to get back. It can be done, but it’s a lot of work to unravel it all.
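As an added example (not code from anyone in this thread), here is the kind of check the "lock down your domains" advice above amounts to in practice: parse a whois record and flag the signals the patterns/perl.com cases showed, a registrar that is not the one you expect, missing client-side EPP locks, a record modified in the last few days, and an expiry close enough that someone could argue you let the name lapse. The whois text, the dates and the `EXAMPLE.COM` name are constructed for the example.

```python
"""Audit whois output for the signals that matter after a registrar-side hijack.
Added example; the whois text below is constructed, not real registry output."""
from datetime import datetime, timedelta, timezone
import re

# Client-side EPP locks a registrant can set; their absence is the first thing to look at.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}


def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines; repeated keys (Domain Status) become lists."""
    rec: dict = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z /]+?):\s*(.+?)\s*$", line)
        if m:
            rec.setdefault(m.group(1).strip(), []).append(m.group(2))
    return rec


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(text: str, expected_registrar: str, now: datetime, min_years_left: int = 1) -> list:
    """Return a list of findings; an empty list means the record looks as expected."""
    rec = parse_whois(text)
    findings = []
    statuses = {v.split()[0] for v in rec.get("Domain Status", [])}
    missing = REQUIRED_LOCKS - statuses
    if missing:
        findings.append("missing locks: " + ", ".join(sorted(missing)))
    if "pendingTransfer" in statuses:
        findings.append("transfer in progress")
    registrar = rec.get("Registrar", ["(none)"])[0]
    if expected_registrar.lower() not in registrar.lower():
        findings.append("registrar changed: " + registrar)
    if "Updated Date" in rec:
        age = now - _ts(rec["Updated Date"][0])
        if age < timedelta(days=30):
            findings.append(f"record modified {age.days} days ago")
    if "Registry Expiry Date" in rec:
        left = _ts(rec["Registry Expiry Date"][0]) - now
        if left < timedelta(days=365 * min_years_left):
            findings.append(f"expires in {left.days} days")
    return findings


# Constructed sample records: one as the owner left it, one after a transfer-out.
LOCKED = """\
Domain Name: EXAMPLE.COM
Registry Expiry Date: 2029-05-23T04:00:00Z
Updated Date: 2019-05-01T12:00:00Z
Registrar: Network Solutions, LLC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""

HIJACKED = """\
Domain Name: EXAMPLE.COM
Registry Expiry Date: 2029-05-23T04:00:00Z
Updated Date: 2021-01-23T00:00:00Z
Registrar: Key-Systems GmbH
Domain Status: ok https://icann.org/epp#ok
"""

NOW = datetime(2021, 1, 28, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("locked:  ", audit(LOCKED, "Network Solutions", NOW))
    print("hijacked:", audit(HIJACKED, "Network Solutions", NOW))
```

Run it against real `whois` output with your own registrar name and today's date; the point is to run it on a schedule, because the thread's own lesson is that the window in which a transfer is easy to reverse is short.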
Correct. Use a registrar with 2FA using authenticator or hardware key. No SMS 2FA. Rolling 5 year renewals will work for not letting the domain expire, but not for this scenario.
Agreed, definitely use 2FA if it’s offered. What many people don’t realize is that there are a lot of registrars still using less secure platforms. So moving to a more secure registrar can help as well.
I mention registering for 5 years in the future because if something like this happens, there will be no question as to whether or not you lost the domain because it expired.
I'm actually not sure for this type of attack how much I'd value OTP authenticators over SMS. They are both vulnerable to phishing in the same way.
What I'd like to see a lot more of is WebAuthn specifically, rather than "hardware keys" generally. It's frustrating to me that the outfits I deal with only have OTP and not WebAuthn.
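The distinction drawn above (an OTP code relays through a phishing page, a WebAuthn assertion does not) is easy to show with a small simulation. This is an added example, not code from anyone in the thread. It uses only the standard library; the authenticator's ECDSA signature is replaced by an HMAC over the same signing input with a per-credential secret the relying party also holds (an assumption made for brevity), and `registrar.example` / `registrar-login.example` are hypothetical origins. What carries the argument is that the signature covers `clientDataJSON`, which the browser fills with the origin the page was actually loaded from.

```python
"""Relayed OTP vs origin-bound WebAuthn assertion. Added example, stdlib only.
The HMAC 'signature' stands in for the authenticator's ECDSA signature (assumption)."""
import hashlib
import hmac
import json
import struct

RP_ID = "registrar.example"                        # hypothetical relying party
RP_ORIGIN = "https://registrar.example"            # the real login page
PHISH_ORIGIN = "https://registrar-login.example"   # attacker's look-alike page


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, i.e. an ordinary authenticator-app code."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def rp_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    return hmac.compare_digest(code, totp(secret, unix_time))


def relay_attack_otp(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the phishing page; attacker submits it seconds later."""
    typed = totp(secret, unix_time)
    return rp_verify_totp(secret, typed, unix_time + 5)   # still inside the 30 s window


def authenticator_sign(cred_secret: bytes, client_data: bytes) -> bytes:
    """Sign rpIdHash || SHA-256(clientDataJSON), the shape of the WebAuthn signing input."""
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    msg = rp_id_hash + hashlib.sha256(client_data).digest()
    return hmac.new(cred_secret, msg, hashlib.sha256).digest()


def browser_get_assertion(cred_secret: bytes, challenge: str, page_origin: str):
    """The browser, not the page's script, writes 'origin' from where the script runs."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    return client_data, authenticator_sign(cred_secret, client_data)


def rp_verify_assertion(cred_secret: bytes, challenge: str, client_data: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data)
    if cd.get("origin") != RP_ORIGIN or cd.get("challenge") != challenge:
        return False                                   # wrong site, or replayed challenge
    return hmac.compare_digest(sig, authenticator_sign(cred_secret, client_data))


def legitimate_login(cred_secret: bytes, challenge: str) -> bool:
    cd, sig = browser_get_assertion(cred_secret, challenge, RP_ORIGIN)
    return rp_verify_assertion(cred_secret, challenge, cd, sig)


def relay_attack_webauthn(cred_secret: bytes, challenge: str) -> bool:
    """Attacker proxies the RP's real challenge to the victim, who is on the phishing origin."""
    cd, sig = browser_get_assertion(cred_secret, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(cred_secret, challenge, cd, sig)


def relay_attack_webauthn_tampered(cred_secret: bytes, challenge: str) -> bool:
    """Attacker rewrites 'origin' before forwarding; the signature no longer matches."""
    cd, sig = browser_get_assertion(cred_secret, challenge, PHISH_ORIGIN)
    forged = cd.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    return rp_verify_assertion(cred_secret, challenge, forged, sig)


if __name__ == "__main__":
    seed, cred = b"totp-seed (constructed)", b"credential-secret (constructed)"
    print("OTP relayed through phishing page accepted:", relay_attack_otp(seed, 1_000_000))
    print("WebAuthn legitimate login accepted:        ", legitimate_login(cred, "chal-1"))
    print("WebAuthn assertion relayed from phish:     ", relay_attack_webauthn(cred, "chal-1"))
    print("WebAuthn assertion with origin rewritten:  ", relay_attack_webauthn_tampered(cred, "chal-1"))
```

The same reasoning applies to SMS codes, which is why the comment above treats OTP apps and SMS as equivalent against this attack: nothing in a six-digit code binds it to the site it was typed into.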
This actually rules out a substantive number of registrars. I have a statement from an account manager at our wholesale supplier arguing that the requirement to know both the email address and password is considered "two factor" in the industry.
I don't see why offering MFA hasn't been made a requirement in order to be an accredited domain registrar.
Yes. At the time, and with the information available, it looked like an isolated incident. It now appears that this affects several, dozens maybe, or potentially many more domains after what appears to be a social engineering attack at a registrar. Check your domains!
Looking at whois history sites, it looks like the domain was owned by Tom Christiansen aka tchrist, who wrote Programming Perl, Learning Perl and the Perl Cookbook.
The record wasn't supposed to expire until 2029, so not sure how the squatters got this domain.
There's always the chance someone social-engineered their way past the registrar's access control, or that they got some kind of access to the registrar's systems. Or the domain owner simply didn't read an email properly and clicked the wrong link.
There's too little information to draw conclusions at this point.
Thanks to everyone who has given advice and helped us develop a timeline of the incident. I'm not part of the network and asset management: I'm a mere editor of the website.
The current registrar has contacted me. They've locked the domain and we need to submit some paperwork. It shouldn't be that big of a deal even though it's annoying. All of this was handled quickly (12 hours) because of the attention to the internet in general.
That's great news, Brian. The key here is that it was handled quickly. The longer it goes on unnoticed, the more difficult it becomes to unravel, as a domain gets transferred from registrar to registrar and from owner to owner.
I can confirm that Neurologist dot com and Chip dot com were also stolen at the same time. There may be others.
Checking whois for each of those domains, my first thought is I sure hope Key-Systems didn't get owned :|
EDIT: On a side note: if this [1] is true, it looks like the attacker may have compromised another registrar that perl.com used (Network Solutions) and moved the domain to another registrar, then KS. Still a big concern though.
Floodgap was part of this. I just talked to a very helpful person in NetSol's security department and she looked through the ticket. It was initiated by a web chat, and they produced official looking but completely fraudulent documents (photo ID, utility bill, business license, etc.) to prove identity, so this was socially engineered and apparently for multiple domains. They're supposed to contact me tomorrow for more on the post mortem.
If documentation is key, then perhaps have a service that will take your documentation, hash it, and then you can store the hash on your domain root (much like Google Analytics).
Then if you lose the domain, you have wayback machine style proof that the domain originally had these docs associated with it.
(I can see some downsides to this but what do people think?)
> We're still trying to unravel this and I can't get into details. However, it looks like there was an account hack. I don't know how long that would take to rewind. We're looking for people who have actual experience dealing with that situation so we can dispute the transfer. If you've actually gone through that process, please get in touch.
> The perl.org and perl.com domains are unrelated and have different rightful registrants, so this doesn't affect perl.org.
I was wondering why none of the links were working. I was trying to read on the beginnings of Perl6 (now Raku) design (such as in https://www.perl.com/pub/2000/11/perl6rfc.html/) and also check some States of the Onion. At least everything is currently accessible either through the Wayback Machine or here: https://perldotcom.perl.org/
What is the full story behind this? How did it happen? Was it a domain hijack? Did someone forget to pay the bill? Do I need to worry about this for my domains?
From what I can see Perl the programming language has its home at perl.org, which is running fine. The .com does not show up prominently when googling for perl. Based on Google's cache it seems it was some kind of programming-related news page. Was it relevant/popular in the Perl community?
Historically, it was the Perl web site for a long time. It was registered by Tom Christiansen in 1994 and soon afterwards, he let O'Reilly run it - and they used it to post useful Perl news and articles for a long time.
But O'Reilly's interest in Perl waned and it sat, moribund, for several years (which probably explains its lack of Googlejuice).
A few years ago, the Perl community approached Tom and he let them take over running it. The team behind the PerlTricks web site ported over all the old articles and had been posting new ones. It had become a pretty useful resource again.
So, yes, it would be a shame to lose it. But from what brian has posted elsewhere on this thread, that seems unlikely to happen.
It hosted cperl and rperl, which are important. Perl 5, as you might not know, is not developed anymore, it's only maintained into oblivion, getting worse and worse over time. 20 years no new features, only design mistakes over mistakes piling up. perl11 provided the continuation of Perl development, but the maintainers in their tunnel vision do not agree (yet). Almost everything they did in the last 6 years came from cperl, but it's still only 10%.
Now it's on perl11.github.io
When the squatters give up, fine, but GitHub served us well over the years. Better than everyone else, esp. Google.
Uh Perl 5 is in ACTIVE development and has gotten new features. Everything you said about Perl 5 is wrong. Perl 7 (skipping Perl 6 obviously) is on the table and being talked about and Perl 5.34.0 is going to be released in a couple months setting the stage for Perl 7.
reini has a ... unique ... perspective on perl development, which is probably related to how he got banned from the p5p mailing list for repeatedly calling people incompetent without giving actual technical reasons against the patches.
cperl is an interesting fork with a lot of good ideas, but his tendency to submit patches to core modules to work around cperl bugs without full explanation and then yell at the people asking for justification and actual tests for those changes meant that such patches don't tend to actually end up applied.
Given reini is undeniably brilliant when at his best, I consider this deeply unfortunate, but I've tried to explain the concept of "even if you're sure you're right, you need to actually convince people of that" multiple times both online and in person and apparently not got through, so at this point I can only suggest that people who're interested in his brilliance follow their code for themselves and submit the interesting stuff as patches.
Speculation: they’re selling on Afternic, which sounds more like a legitimate forgetting to renew and someone bought it during the grace period rather than a hack.
Central authority is a poor substitute for social consensus.
If you look at a case like this, there is absolutely no question or ambiguity "which perl.com domain people really want." This issue only exists because of an artificial monopoly and an application of capitalism to an allocation problem that doesn't exist.
Domain names should be a thin wrapper around private/public keypairs. Domain keys should be pinned per application or per first use OS-wide, with configuration tools to unpin and update the mapping. Any critical access, such as update servers, should always use the full key anyways. There is no reason in principle that there shouldn't be multiple name-key assignments for perl.com, except inasmuch as it would make webdevs' and OS developers' jobs slightly harder. Hell, ping both and see which one matches the pinned https key for perl.com, and this problem would already have been solved! This whole monopoly is caused by a bad band-aid technical solution for a social problem that we can and should find a better solution for.
I'm not saying "boycott DNS." I'm saying "the fact that everyone is fine with the current state of affairs is an embarrassment."
I want an OS built from the core up around a web of trust model. I want my browser to ask my (manually introduced) peers "which of those versions of perl.com do you think is the one I want." I want a computer with no hardcoded central server queries at all. (And while we're at it, I want it connected to the internet via mesh links.) But I'll never get that, because it'll always be easier to just hardcode some central authority and go home.
How would you prevent a group from trolling or performing a hostile takeover of a small domain? How would someone acquire a domain? How do you determine consensus?
In this case, as someone who doesn't follow Perl, how would I make an informed decision on which perl.com domain I really want?
> How would you prevent a group from trolling or performing a hostile takeover of a small domain?
Several ways.
If you are accessing the domain locally, you'd normally be looking for entries that match the private key you have stored. So if you ever went to that domain, you'll get the same remote again.
If this is your first time accessing the domain, you'd ask your peers what version of the domain they have stored. Those aren't randomly assigned, but people you know IRL, similar to Freenet. You could do some degree of onion routing if you care about keeping sites you go to private from your friends. And again, you'd only do it the first time. And this is hard to attack because you can't make a person have friends in the WOT graph.
When you are following a link, the person placing the link could always just attach the full private key to the link tag.
If you are copying a URL from your browser bar, the browser could attach a random set of index-value pairs of the private key. This would be very hard to spoof, but not increase the size of the URL by much. That would cover you for posting links in forums and chat rooms.
Of course if you were searching for the domain, your first hit would almost certainly have the correct key.
Only if you are told the URL through an out-of-band source, and almost nobody you know (transitively) has gone to that domain, you are in the situation of having to figure out which key is the true key. In that case, you could fall back to certificate checks. Note that certificates as a market are a lot more competitive than the domain name market.
So there's no one-size-fits-all solution, but just like right now, most of the time you wouldn't have to think about it. And unlike right now, if it goes wrong you get a nice error instead of silently the wrong domain.
I just thought of a way to improve the privacy of the DNS lookup. Instead of asking for the domain name, ask for a prefix of the hash of the domain name chosen so you get maybe 20 domains back.
The point is - I got all of the above by thinking about the problem for maybe ten minutes. This is far from unsolvable. We as a community are just terminally lazy.
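The design sketched in the two comments above (names as a thin wrapper around keys, pinning on first use, peers voting when nothing is pinned, a link carrying a sample of the key, and a hash-prefix lookup so the directory sees a bucket rather than the name) is concrete enough to put into working code. This is an added example, not code from any participant. The key "fingerprints" are SHA-256 of constructed labels standing in for real public keys, the endpoints are documentation addresses, and the resolver, directory and peer classes are all assumptions of the example, not any existing system.

```python
"""Name resolution over pinned keys with peer votes and hash-prefix lookup.
Added example; keys, names, endpoints and the whole registry are constructed."""
import hashlib
from collections import Counter


def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()


class Directory:
    """The shared registry: name -> [(fingerprint, endpoint)]. Several entries per name may coexist."""

    def __init__(self, entries: dict):
        self.entries = entries

    def bucket(self, prefix: str) -> dict:
        """Every name whose SHA-256 starts with prefix; the client filters locally, so the
        directory learns only the bucket, not which name was wanted."""
        return {n: c for n, c in self.entries.items()
                if hashlib.sha256(n.encode()).hexdigest().startswith(prefix)}


class KeyMismatch(Exception):
    """A key is pinned or carried in the link, but no entry for the name matches it."""


class NeedsOutOfBand(Exception):
    """Nothing pinned and no peer has an opinion: fall back to a certificate check or a human."""


def link_hint(fp: str, positions: list) -> dict:
    """A few (index, hex digit) samples of the fingerprint, small enough to ride in a URL."""
    return {i: fp[i] for i in positions}


def matches_hint(fp: str, hint: dict) -> bool:
    return all(fp[i] == ch for i, ch in hint.items())


class Resolver:
    def __init__(self, directory: Directory, pins: dict = None, peers: list = None):
        self.directory = directory
        self.pins = dict(pins or {})      # name -> fingerprint, trust on first use
        self.peers = list(peers or [])    # other Resolvers we know in real life

    def pinned(self, name: str):
        return self.pins.get(name)

    def _peer_vote(self, name: str):
        votes = Counter(fp for p in self.peers if (fp := p.pinned(name)))
        return votes.most_common(1)[0][0] if votes else None

    def resolve(self, name: str, hint: dict = None, prefix_len: int = 2) -> str:
        digest = hashlib.sha256(name.encode()).hexdigest()
        candidates = self.directory.bucket(digest[:prefix_len]).get(name, [])
        wanted = self.pinned(name)
        if wanted is not None:                      # we have been here before
            accept = lambda fp: fp == wanted
        elif hint:                                  # the link told us which key
            accept = lambda fp: matches_hint(fp, hint)
        else:                                       # first visit: ask people we know
            wanted = self._peer_vote(name)
            if wanted is None:
                raise NeedsOutOfBand(name)
            accept = lambda fp: fp == wanted
        for fp, endpoint in candidates:
            if accept(fp):
                self.pins.setdefault(name, fp)      # pin whatever we accepted this first time
                return endpoint
        raise KeyMismatch(name)                     # an error, not silently the wrong site


# Constructed registry: two parties both claim perl.com, with different keys.
OWNER = fingerprint(b"owner-pubkey (constructed)")
SQUATTER = fingerprint(b"squatter-pubkey (constructed)")
REGISTRY = Directory({"perl.com": [(OWNER, "203.0.113.10"), (SQUATTER, "198.51.100.7")],
                      "example.org": [(fingerprint(b"other-pubkey (constructed)"), "203.0.113.11")]})


def first_visit_with_peers():
    alice = Resolver(REGISTRY, pins={"perl.com": OWNER})
    bob = Resolver(REGISTRY, pins={"perl.com": OWNER})
    mallory = Resolver(REGISTRY, pins={"perl.com": SQUATTER})
    carol = Resolver(REGISTRY, peers=[alice, bob, mallory])
    return carol.resolve("perl.com"), carol.pins["perl.com"]   # majority wins, then pinned


def pinned_user_after_takeover() -> str:
    """The registry now lists only the squatter; a client that pinned the owner gets an error."""
    taken = Directory({"perl.com": [(SQUATTER, "198.51.100.7")]})
    try:
        Resolver(taken, pins={"perl.com": OWNER}).resolve("perl.com")
    except KeyMismatch:
        return "error"
    return "silently wrong"


def follow_link() -> str:
    """A link embedding eight sampled digits of the owner's key selects the owner's entry."""
    return Resolver(REGISTRY).resolve("perl.com", hint=link_hint(OWNER, [0, 5, 11, 17, 23, 31, 47, 59]))


def cold_start() -> str:
    try:
        Resolver(REGISTRY).resolve("perl.com")
    except NeedsOutOfBand:
        return "fall back to certificate check"
    return "resolved"


if __name__ == "__main__":
    print(first_visit_with_peers(), pinned_user_after_takeover(), follow_link(), cold_start())
```

The two objections raised further down in the thread show up directly in this code: the key is the whole identity, so whoever holds it (or copies it) is the owner with no registrar to appeal to, and `NeedsOutOfBand` is exactly the case where a web of trust has nothing to say and something like a certificate authority has to fill in.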
It's not an obvious problem to solve, but nobody would invest much in performing a hostile takeover of a small domain.
In the case of Perl.com it looks like a hostile takeover, of a popular domain, and it didn't cost them much to take it over I guess.
Here [0] is an example of someone putting inordinate amount of effort to take down a tiny mastodon instance. If it would have been possible to take over a domain in a similar manner - it would have happened too.
> Domain names should be a thin wrapper around private/public keypairs.
This way anyone who gets access to the keys, even temporarily, gets to take over the whole domain. No chance to resolve the issue with a registrar who can manually review the case and revert changes. This would include anyone working on that level of infra in your company and anyone who hacks them.
I'm not sure what you would compare the https cert to without a central authority in that case.
We tried the web of trust with PGP and it turns out key management is really hard and apart from a few geeks nobody's that interested.
The certificate market is a lot better than the domain market, because it's not a monopoly. I think it makes sense to have a trusted-signature system as a backfill and bootstrap for your web of trust.
Agree that nobody cares about this though. I'm certainly not surprised that we settle for easy mediocrity.