Well kind of as last night I had successfully been able to add following domains to my PKNIC (Pee-Kay NIC) domain panel.
Disclaimer: This was not a “hack attack”. This was a very spontaneous act carried in good faith after seeing the authorization code bug on their site. I have not done any harm to any of the sites above. I just wanted to record this bug and brought this up all in public for the greater interest of whole Internet community of Pakistan to help make PKNIC improve their domain registration system and quality of service. |
I could have changed anything from registrar/billing/technical information to DNS entries.
Should I have just changed their DNS to point them all to my site?
Well, even a small change in the DNS could have rendered any top Pakistani site, out of sight (and out of business) for at least 72 hours (due to double propagation delay involved) and sure, it could have become a real nightmare for PKNIC but I think I am a nice guy to deal with (Please pay me thanks by may be having my full size picture (with a caption of “ba’a-baa’ay Internet Pakistan :D) on the first page of your site for at least a few days or I wont mind an exclusive interview for your site as well.)
A few more screen shots of zong.com.pk site edit page and google.com.pk whois results. (Telenor and Zong should have given me life time of free air time. heheh)
These screen shots itself speak volumes about the responsibility PKNIC assumes in handling this domain business. Looked like, some nice coder out there at PKNIC had been messing with the live site and had the debug code (may be) on. So when I hit the submit button to get my new authorization code I was surprised to see it on the very top of the site. I immidiately checked my email and there was it. The same code. With fingers crossed I tried to import my domain name and yep. It was imported. I tried to generate a new code and I was given the information that it has already been imported and you should contact the person who has imported it. Imagine if you have to contact Mr. X or PKNIC to get your domain back?!?
They have now taken care of the bug by removing the SQL “SET” query display which contained the authorization code when you tried to generate a new one. They also have moved back all the domains to their previous owners/agents so I don’t see none of these domains anymore in my account.
You can imagine the possibilities (or may not like to imagine them at all) of your domain control being transfered to some crack head to play some domain peek-a-boo with your visitors. But the point is should we let them easily get away with this nonsense? When, if we all try, this event can really become an eye opener for them (Pee-Kay-NIC) and we may very well start seeing some professionalism from our “beloved” Pee-Kay-NIC.
Please feel free to leave some comments on how can we use these evidences for better domain registration/maintenance services in Pakistan.
Update: PKNIC said it was a “minor” bug.
Well, this is the excerpt taken from Telecom Grid where PKNIC has replied to Mr. shehzad Atif.
“The problem reported is completely exaggerated and misreported. There was NEVER any change of domain ownership or capability of any domain DNS modification for the few reported domains. The minor problem of sandbox test code leftover resulted in the display of some domains with outside user names (and billing contacts) attached for a few hours. We will send you the complete statement about this, and how safe PKNIC domain ownership and DNS records are. Even a genuine user or the domain owner himself can not change the domain ownership record without written authorization, let alone a fake user that is only there for the display sandbox for a few hours.” |
As usual they are trying to get away by saying that it was a “minor bug” and I had not have the access to modify anything.Well, I guess, I owe a reply to this answer to let you guys know what exactly has happened that night in a bit more detail.The first time I checked the edit registrar details for jang.com.pk, I could go into the next page where you modify the details and change the email address along with all other info. For a few minutes, I did think of changing the email address just to prove that I could do this change but I realized that it may not be appropriate to do so I passed on this.
Then I went to the DNS area, and I had the access to assign new DNS to these domains.
Then I had to attend the great “Wapda Show” for full one hour. When that ended, I checked again, I still had all those domains in my panel but the bug was fixed by then. I noticed another change in the “edit” link to change registrar info that an AJAX powered pop-up now appears and ask for a written authorization to change these details. Till that time, I still could change the DNS settings. I was very confused on what to do now and then gathered some courage and made up my mind to make it public. I made the screen shots, wrote the last blog post, sent it to a few friends and went to sleep as it was late at night. On morning, when I woke up, all of the domains were moved back to their last state.
I seriously wish, I could have video taped all these acts.
A few questions to PKNIC are,
– What if those domains were not belonged to some giant companies, would they have taken the same speedy action they took in this case?
– YOU are PKNIC, come on! a lot of people in Pakistan has put their future in your hands. They have invested huge sums in a domain name managed by you. Even if that was a “minor” bug to you, why, WHY it did happen in the first place? If you can slip this one away, it is quite possible that we may see even worst leakage in future as long as you are not taking full responsibility of this business.
I would really like to help make the system as secure as possible and would be delighted to have your comments/replies over here so we may sort things out for the greater interest of domain owners and Internet users of Pakistan.
You should bring this up on forums like telecom-grid-pakistan on google groups and the telecompk.net blog. I remember an online discussion about the role of PKNIC on telecom-grid pretty recently.
Congratulation you are elected for http://www.ethicalgurus.com award 😀 and you award is “ba’a-baa’ay Internet Pakistan :D”
PKNIC and other companies must Say at least a Thank you for helping them to get more secure.
Your wish “ba’a-baa’ay Internet Pakistan”… hehehe… Come one!!!! Mr. Ashar Nisar is the most valuable asset and expert IT guru in pakistan who can write compilers and developed first virus in Pkaistan along with his team memebrs like Mr. Imran Anwar, the ba’a-baa’ay Email in Pakistan… you are just a kid in front of them and are trying to make Pakistan look bad… ha! Keep in mind saying anything about Mr. Ashar Nisar or pknic is like saying against Pakistan….
It is sad and shame on .pk hi-jackers…
We will never develope!!!!!
@ ReallyVirtual : Yes, I would try to bring this up on Telecom Grid, Tee emm, and all other famous blogs. On top of that I was thinking to approach some media personalities who work in top news papers and channels. I would really love any help in this regard.
@ Abdul Qudoos : LOL1 I am not a guru at all. In fact I was just there at the right time. The bug was so obvious that even a 12 years old kid could do what I have done. And yes, they should thank me of not changing anything to their site as if there were someone else in my place, things could have been worst.
@ PKNIC: I was expecting something like this from you guys. Instead of accepting your mistake and having a public apology and promise to deliver better in the future you are not assuming any responsibility of the very business you do. I am not concerned How big of an IT guru Ashar is, but one thing is sure, he must be hell of a Politician as they are the only species found in Pakistan who makes loads of money and easily gets away from not doing something they are being elected for. I like the fact that he originated email service back then and no, writing compilers or creating viruses has nothing to do with running a domain business. (Why dont you guys get it? it’s real life business and it does require some managerial abilities.) If Ashar sahab are so competent and is such a committed Pakistani then why he does not take care of the very root of Internet of Pakistan. You could not even get the mere sarcasm in my words and saying it that it was a hijack attempt. (At least you have admitted your software bug this way). And I am not saying anything against Ashar, I am saying things against the way you manage Pee-Key NIC. No offence, but it really sounds like some one managing it after doing some “Pee Key” Stuff. How else you could leave the Authorization code on the live site for every one else to see?
On the other side, you should also be thankful to me for not creating any other problem by changing DNS of any of these sites. Imagine, Jang group asking you how their site got turned off for more than 3 days?
yes man you are right but you did well. if you want me to change this topic title then i have no problem as Disclaimer: We Are Just Providing Plate Form. All Shared Content is Sole Property of There Writer n Owners. if you found any article missing with reference please post in its comments with reference link.
@Abdul Qudoos : Please do that as it just looks bad and creates a feel that as if some one had done this on purpose where as it was really a software bug. So please change your post title to something which is more “bug oriented” than “hack attempt”. Thanks!
Title is replaced with new title which is “Registrar PKNIC Bug” i hope its fine now.:)
Admin’s Edit: Why did you remove the comments and the reference to this site when you are pasting my whole article on your site as it is? Atleast have some decency. Some people never miss a chance to earn some quick bucks.
Well for one – I would pat Touseef on the back for restraining he had the power but even then he restrained from going through with the damage, at times like these its easy to get carried away but if that had been the case then it would have been a crime. The question is where does one draw the line or better yet where does FIA / cyber crime law draw the line – since if we were to look at the lapsed cyber crime law, this ethical hack is a punishable crime.
For me its without doubt that we need conscious ethical hackers to keep us on our toes, and we must not condemn these people – as they are good for the industry, they help us expose the loop holes in an attempt to prevent a raging lunatic trample over uncle PKNIC who has the registry on Cruise Control.
It is also along the same lines that Really Virtual [Shoaib Athar] cracked the LESCO database, was able to read and expose the loop hole but did not modify anything – do we condemn these people, or do we applaud their restraint and harness their ingenuity to poke and probe other more sensitive issues.
In all honesty PKNIC needed yet another kick in the shins to wake up. But I have one question – is this hack during the same time PKNIC went through a front page upgrade, could have the crack been limited within the upgrade alone? I ask this out of curiosity, that possibly the old system was being upgraded to the PKNIC online account system which may have been exposed, as mind you the affected domains were on the old registry DOT com DOT pk.
Out of curiosity – I would love to know if Google rep in Pakistan Badar receive the same Authorization codes or did he get new changed one
@ Teeth Maestro: Thanks man for the kind words. I would however like to clear a little bit.
– I am a no hacker or don’t have any such experience. And this was not a hack attack as for that you do it on purpose. But it was quite spontaneous attempt after seeing the SQL query at the top of the site. Even a minor with some domain knowledge could easily do that, what I have done. The point is, on such a level where PKNIC stands at the moment, do you think a mistake like this is acceptable?
And yes, it must have been that time frame which lasted for around 5-6 hours. And Badar should have received that email last night. Badar, can you please confirm?
A very brave and simply put, ethical thing to do.
Well, this may seem far fetched, but it is the attitude like yours that is the one thing that is missing. With power, people lose all their ‘ambitions’ of fixing the society and fighting the system. Your reasons for coming out clean with this can be anything, from getting famous to simply pointing flaws, or both, but as long as it is not using power (or access) to gain even more power, I must say, a job well done.
Our politicians should take heed from you and start putting their money where their mouth is. Comes crunch time, everyone runs for the bushes, the NROs and the impeachments.
All in all, this little act may not be as ‘big a deal’ as I think I am making it, but it actually is; keep keeping up! God bless & regards,
*sorry if I have come off as too emotionally imbalanced khekhekhe *
keep an eye on the president’s and other government sites as well, will ya….
@ Momekh: Thank you very much for your encouraging post. It surely did boost my moral.
@ Atif Abdul-Rahman: What are you trying to say here? Please explain!
I should really say “THANKS” to you for making this public and not doing anything “wrong” even if you could.
May be (and I am really wishing that) this time, PKNIC will open their eyes and actually try to improve the system.
And I agree with your “Pee Kay” remarks. Most of the time, i also get similar feelings. 😉
@ SMS Admin: Thanks man for the kind words. Let’s hope that PKNIC will learn their lesson now.
its really bad thing. Noboday can do good for Pakistan. Please save the Pakistan first and then yours self.
AoA, advice from a cold-hearted friend to a hot-headed one:
You can never beat the system! not like that anyway. If you found that security loophole then I reckon you should have taken this matter to the head of whatever the concerned authority is and asked them to hire you as an independent consultant. Or even go to the military or a media group or whoever agrees to back you up on that and stand by you.
By law you were in a place where you should not have been, imagine a man barges into your house who wants to prove a point that you forgot to lock the window. Next time you do this kind of stuff consider the political/law and order situation in Pakistan and the implications that it might have for you.
Wassalam
@ usman: yes we should think of Pakistan first and that is exactly what I have done.
@ Abdullah: yaar, I would not let anyone come into my house to prove that it is not secure but let me put it in a different way. What if that is not a house but a club where you are a stake holder. What would you do if you see a security loop hole in the very thing you have put your stakes in. Would you rush to the person at top to tell him to clean the mess or record it all and inform all the stake holders so they may come up with a better solution so this can be fixed for once and for all. This is what I have done, get it?
and btw, thanks for your comment. 🙂
Dear Touseef,
I am very much surprised the way, you tried to handle things. If you had discovered some kind of loop hole in the system, it was not only your religious duty but also a moral duty to intimate Pknic authorities before registering or posting it on your blog. You should reconsider your action and appologise from the authority. Altough, I admit that pknic has got the substandard staff with substandard security system and they need to improve alot but I don’t agree the way you have taken.
A well wisher.
@ Ethical Dilema: if I could have told them about it, do you think they would have allowed me to bring this up here in public?
I agree that I should have contacted them about this bug but given my prior customer support experience with them I had fear that they will fix the bug without taking any strong measure to make sure that it will not happen again. A mistake like this is just not acceptable from a company like “them” and as I said earlier we are all stakeholders and we should be aware of any such problem if ever arise to make things better.
@ Touseef: My friend, which book says that to teach a lesson to a person or lets say an entity, you have to harm them or in your case, you have to threat them. I acknowledge that they don’t give good support and your way might be the best way to teach them a lesson but is it a MORAL way? Is it the RIGHT way? I don’t think so…. And that what wrong with us as the nation. The government and institutions don’t perfrom as they should be and we think that the best way to teach them a lesson is to harm them or show them their weaknesses. That’s wrong because if everyone start doing the things like you are doing, we will be in an anarchical situation.
You just try to guess who am i? and i will give you a way out….
@ Ethical Dilema: Well, I guess you are the same domain dispute lawyer I spoke with on telephone after this incident? am I right? Also I agree that I could have used some other way but everything was being done very spontaneously. Had it been a planed hack attack, things would have been different.
PS: Please let me know what do you suggest?
Awesome find bro. I must say that the points you’ve raised are eye-opening. If they (PKNIC) didn’t took this matter seriously than I’m afraid one day many people will loose their hard earned cash just because our great PKNIC wasn’t able to create a database that was hack-proof.
I am a simple and common customer of PKNIC
and my all sites and sites of my customer which are more then 100 are not secure, any guy with some technical knowledge can find loopholes in their site and even can get the rights to change anything he wants. Thanks to mr. tauseef that he haven’t done any harm to any site although he was in a position to do so. But i think we all should persue pknic to make a bugless system and provide the support as other TLD’s companies are providing. Dear PKNIC staff plz hum sab per rehum karay aur apnay system ko kuch behtar banay.
Hi,
I think this too should come under some regulatory policy. They should be fined for not keeping a secure system. I think you should wrote a letter to PTA (I believe IT come under their jurisdiction) and bring it. Also inform the media…
Finally Job well done. People like you would make them think that they should be serious about their security. If it was someone else he would have done a lot worse to them.
Regards,
Ahmad
@ Fahad_ultrasonik: Exactly my thoughts and my purpose to bring this all to public.
@ Pee kay Nic’s Customer: Thanks for the acknowledgment. Thats all we need to have PKNIC take the domain system security seriously.
@ Ahmad Zafar: Well, Ahmad, thanks for the TIP. I will see who the concerned authorities are and will send an email to all of them.
We should thank Mr. Touseef for bringing such an important issue and discussing it openely for the sake of secure IT business in Pakistan. we are way behind the developed countries in accepting that E-Commerece is and will be the future way of doing business, and companies like PKNIC which are not taking their jobs seriously are making things even worse. Once Again thanks touseef. May Allah keep you safe
Mr. Touseef you have done a great Photoshop work. We have an openning of web designer with Photoshop skills.
@ Sajjad Ashraf: Thanks Sajjad, we should work together to have a secure IT infrastructure inplaced here in Pakistan.
@ High Lander: Please see the facts before you speak. PKNIC has already confirmed this leakage in their system. And no, I don’t need any job.
Guys, for your info, such an incident is considered as crime in developed countries. Today we are living in eWorld and access to web sites or their down time can cause serious threats to businesses. It is very very serious matter and we all should agree and share the info with the authorities so that PKNIC signs up SLA with the community as millions of web sites are being handled by them. I will now think many times before going for a .pk domain with them, at least. Let’s agree and form a consencus. Touseef, we need to handle this with patience, pride and dignity and above all in good spirit. Collect all digital proofs and let me know when it is done.
AA All,
I am really very surprised with the response of so called Internet Community Experts on someone’s childish statement that he has actually hacked the PKNIC website and then suddenly WAPDA went off and when his WAPDA came back, all was reverted back to normal.:-) 🙂 (what a magic). If it would have such easy to hack PKNIC then Mr. Ashar would not be the person who is running it from last 17 years. I feel sorry about ourselves (PAKISTANI) when we see someone doing good job, instead of appericiating him we start spiting on him. I consider Mr. Touseef’s statement only a garage boy’s dream story and nothing else.
Did you know, High Lander, that PKNIC once let you fill a out form on the web site to create a .com.pk/.org.pk/etc domain? You could do that instead of downloading the text file, filling it out, and emailing it to their staff address. This was several years ago, in the early 2000s.
Know why that useful feature went away? PKNIC was hacked.
This isn’t the first time they’ve had trouble of this kind. Perhaps you’re unaware of their past issues, but people who’ve used it for several years aren’t. Yes, the people behind it should be praised for what they did (and continue to do) — but they shouldn’t be forgiven for what they do wrong, just because we share the same passport.
@ Pride Pakistan: Yes, I totally agree that some service level agreement (SLA) must be signed somewhere so one could actually claim damages in any such unfortunate incident. Another thing I must point out is the need of a road-map by PKNIC of how they will gear them up to the standards of all the other registries operating in other countries.
@ High Lander: Did you read my disclaimer? Did anywhere I mention that I actually “hacked” their system? Did you actually read PKNIC reply about the sandbox bug in their system? I am surprised why you keep on insisting as if this actually did not happen. Are you the “coder” working on the PKNIC site at that time by any chance?
@ Faried Nawaz: Yes, if I remember correctly, that hack being done in Aug 2002. But, this time it was not a hack attack. It was just the carelessness of PKNIC that they were testing at the live site and did not bother to check if the new authorization code query is being visible on the site which contained the new code in it. Any 10 year old with some domain knowledge could also have done anything to their system. And that is the kind of attitude which shows how irresponsible they are in taking care of this registry business.
To clarify, by “trouble” I meant “[near-fatal] bugs in their code.”
@chodhry: I also agree with that some service level agreement (SLA) should be signed but this is not the way to impose your opinion on someone. (By the way it has now become part of our culter). Any way I am not a “coder” but a simple user of PKNIC. I do not beleive on this story because there is no change in respective domains lookup pages as claimed by Mr. Touseef. Second as we all know that even you are owner of the domain, to change domain owner information you need a written athorization letter to make changes. It is really surprising for me that if somebody post any modified snapshots, should we start babbling about it without knowing the actual facts.
@ High Lander: Please read my post again. I was there on every domain listed above on whois as agent for that domain for good 4-5 hours. and the ajax pop-up which comes up when you click on the edit link besides the registrar info was not there at that time. They have reverted back all the domains to their last state when probably they came to know about the bug and agent level changes on the above domain. And if you use PKNIC, you must be aware of that we can change the DNS anytime once we are logged-in to the system. So the minimum damage could have been to change it and make the site point to somewhere else for at least 72 hours. Are you saying that I should have changed the dns of these sites or change the ownership info to prove my point here?
And well, I am in no way imposing the opinion but expressing my frustration about their system. If some one could have changed the DNS of my live site, do you think PKNIC would have given me damages of lost traffic of my site? I just want to make sure that they should start taking care of the registry as a business and not as a pet project so things like this would not happen in future.
I hope you have got my point.
@chodhry: Now you come to the point that by becoming ones technical contact, you may able to change dns for few hour but you do not become the owner or cannot change the owner information of the domain. So how could you say yourself the ex-owner of the sites? I think such postings are also a swear crime. Second if you somehow were able become technical contact (which I still do not beleive) and you were kind enough that you did not change the dns of the sites, I think, instead of making the photoshoots and wasting time in posting blog, you should contact the PKNIC staff and let them know about this issue. But you did not do it because …. 😉
@ High Lander: For your kind information no change of DNS can be done for only a “few” hours. A single propagation delay (if you know what it is?) can last anywhere from 24-72 hours. And if there is a change twice like changing the DNS from ABC to XYZ and then back from XYZ to ABC there will be double propagation delay involved so they could have been disappeared to some for even more than 144 hours. Looks like you do not know what you are talking about.
And Where I said only technical contact? Do you think they have separate panel for registrar/technical/billing contacts? When you log-in using the authorization code, you actually can edit all the settings there just like you can do in managing “.pk” domains. To become the owner, all you actually have to do is to change the email address and that’s it. If the domains listed were of any common person like may be “you” instead of these big names, there is bound to have a bigger mess created for you. And who told you that I did not contact them? I am in contact with their Lawyer Zahid Jamil from Jamil & Jamil Associates a.k.a. DNDRC fame.
Did you get it now? Next time you pass a comment, please make sure you know what you are talking about. And becoming the owner or not, is not the thing to be discussed, for a person like you isn’t that enough that PKNIC already have confirmed a “minor” (to them) sandbox bug in their system . Do you think that even a minor bug is acceptable from a company like them? only, unless you are one of them.
Guys,
PKNIC is a business. @chodhry and many others of us are/have been their customers. I, for example, have had to visit their office in Lahore and wait for an hour before being told that “Sahab will not be coming today”. I’ve also had to wait for one more hour later on, in their Firdos Market office in Lahore, after filling up a form to change my DNS entries, so that a not-so-literate sounding guy DICTATE a letter to his (female) secretary could finish his letter before catering to me, the only customer in their office.
So, my friend, PKNIC is a business run by (mostly) incompetent fools, just like PTCL. Just because it has PK/Pakistan in its name does not mean you have to immediately put on your patriotic hat and start bashing anyone who goes against the sacred P (though I don’t blame you, I know we just had our “independence” anniversary).
So, somehow, PKNIC ended up in the hands of Mr. Ashar etc., the same team that used to charge thousands of rupees per month for a single email account (most of us were in schools at that time). Mr. Ashar may have made a virus, and is definitely a top-notch techie, but that does not automatically make him a good businessman.
As discussed on telecom-grid-pakistan @ googlegroups recently, the revenues that PKNIC earns amount in millions of rupees per month. They are charging 2000 Rs. per annum for a domain IIRC, whereas a .com costs about 500Rs. Ideally, they should be able to afford atleast a decent development team. Someone from PKNIC (probably Mr. Ashar) mentioned on the google group that the code/database affected was a sandbox that would not have affected the actual records as “even a legal owner can not get his records changed online this way”. So it seems that PKNIC prides itself on its archaic (and hence ‘secure’) paper based mechanism – for their domain hosting business – in the 21st century. How funny is that?
When a CUSTOMER finds a security flaw in the systems of a business that he spends actual money on, he has every right to be frustrated. He is not getting paid to discover such flaws, it is the job of the business, and not of the client to secure their client’s data and investment. The customer may decide to tell the business ‘you have a serious problem in your system, you idiot!’ which would result in the business silently fixing THAT PARTICULAR problem and sweeping it under the rug, and the rest of the customers would not know anything about it.
Or, he can PUBLISH his findings online and let the business AND the rest of their clientèle know about it. If enough momentum is achieved, this SHOULD force the business to be a bit more cautious in the future (but in our country, it has no effect). Either way, exposing the nature of a vulnerability without divulging in the details is nothing to be ashamed of.
@Touseef…. No my friend you are wrong…. I am an IT ethicist and my name is Aleem Ahmed :D… cheers…
@chodhry: I haven’t seen any disclaimer note on PKNIC website you are talking about. And now my advise is you should first think about what you are going to say….(ex-owner,threatening,blackmailing, blah blah). In your last comment (“you are one of them”), nice try to twist the situtation but you cannot hide your real greed. For your kind information I am the user of PKNIC since more than 4 years, haven’t got any problem yet and I beleive there are thousands other like me. Yes we all are PAKISTANI and with them who are really work for PAKISTAN.
very old type of injection but they use email with auth code to change DNS. It very old bug anyhow u have tried well to get some fame .. jump into big things kid.. May be u should check out Cache poisioning exp. available today.. Scrippty…
Oh man, another aeroplane (@ReallyVirtual) has landed. Oh bhai meray, the domain fee you have mentioned is for two years and not for one year. Now it is confirmed that this is fake blog based on total lies and nothing else.
No wonder, soon we all will see Mr. Touseef as ex-chairman PCB, or ex-president of Pakistan or ….
after all everything is possible in fools Paradise.
@ ReallyVirtual: Shoaib, the problem you have mentioned is being faced by almost every domainer in Pakistan. I even have some photographs when I went to their office for 2 consecutive days in office timings and all I saw were that security guard chacha and poetry books all over the place. And this recent issue can actually help us if it gets some momentum that we may have a SLA signed by PKNIC if not get the price lowered own to some decent level.
@ Ethical Dilema: Oh, my Dear doctor Sahib, nice to see ya posting on my blog. you still have not mentioned any way out yet?
@ Some1: It was nothing like injection or anything. They just had some part of code left while upgrading which actually were displaying a query string at top of page for every new request of Authorization code. And you could actually log-in to the control panel using that code along with the domain name this code is generated for. You could also add that legacy domain to your existing .pk account which you use to manage name.pk domains.
@ High Lander: Please leave us alone in the fool’s paradise and you may continue living happily ever after in your own “judicious” hell.
I really surprised to see this,i also see some bugs on PKNIC system. i think PKNIC system is not good, they should improve this
The folks at PKNIC are losers. They haven’t done anything to improve the site and the whole system for years (Yea I see a new design with links pointing to nowhere http://www.pknic.net.pk/# and http://www.pknic.net.pk/#)
I think you have done a great job to let them know where they stand right now.
Thumbs Up!
@ Rashid Ahmed: What kind of bugs did you get and when? Would you please care to enlighten us about them? Thanks!
@ Hasan: Thanks for the appreciation. And they had this partial face lift after almost a decade. Sometimes I wonder who are the coders working on their site? Does Asher can not afford a decent coder to create a better looking site and run the site bug free. But then again, PKNIC does not have any customer support either. They are running the company as if they are running a lazy Govt. department.
It doesn’t cost too much to hire a good designer/programmer and especially for a company that has a PK in it’s NIC.
I have a few .pk domains with PKNIC and it is a real pain to make any changes, register new names or even make payment. They definitely want a revamp.
@ Hasan: yes this is the point. Can’t Ashar afford to have a dedicated webmaster for his site? Is not that generating enough money on monthly basis to support a decent level of coder? Does any one have some stats of how many domain sales they are doing each month/year?
“Does any one have some stats of how many domain sales they are doing each month/year?”
See the figures here: http://pakng.wordpress.com/2007/08/08/pknic-stats/
The number of domains for Jan 2008 is in the comments.
@Faried Nawaz: hmmm, does that count includes the domains registered in previous years due to 2 year restriction or this is a count of the 2000Rs./domain transactions? I mean how can you convert these numbers into Rs? and btw, thanks for sharing. Really helpful thoughts. I wish Tariq Sahib (Tee Eem) takes notice of this recent bug as well.
Yes that was happend 35-40 days ago. Some emails i also received but i was amazed that i
never registered such type of domains by pknic. but i got email with authorization code.
even there is none of my email was in to,cc,bcc…but it is fact i got lots of authorization
codes.
hmmm, pretty strange, Did you check if you were able to login using those Authorization codes? May be if you were it would be really nice to see some screen shots of a few domains in your panel. Thanks for bringing this up as well though I did never receive such an email.
The figures are of actual registered domains in late-January of each of those years. It’s possible to break the numbers down into current/old registrations and new registrations; I didn’t need that information, so I haven’t tried to calculate that.
you SHOULD hav changed the whois and dns information….pknic would hav been responsible for it…
btw if u did, most of the internet users in karachi could hav not accessed internet, bcz they use connect.net.pk
even me 😀
its is alll fake he took the screen shoot and edit that image and he is now showing this to us. Lolzzzzzzzzzzzzzzz he just wants to put up touseef.com hahahahah
http;//www.picly.com
@ Faried Nawaz: Thanks Farid, I will check if I could come up with some revenue stats.
@ campolar: Well in that case it could have been a serious crime so I did not do any harm to any site.
@ Fawad: Please read the update. PKNIC has already conformed this bug in their software. Please read completely before you make any more comment.
This is bullshit. This is bullshit. This is bullshit.
If you don’t trust me, you’re wrong. But I have found this entire post to be bullshit. Why in the first place, did you change the Agent Organization and not the dns (which could have taken 24 hours to propagate around the world) when you could?
I mean if you could do that, you would have become more famous. If you were not wanting to be famous, what else could force you to write such a long post that you have made here in your blog?
Screen shots, of course, don’t prove anything. http://www.swiftshare.net/clearshot.png
I don’t doubt the talent of Pakistani’s and specially Pakistani programmers, but a real programmer “NEVER” trust me, NEVER has enough time to run his/her own website. Let alone spending time on ‘hacking’ and writing long posts. This is what actually made me feel doubtful about this post. Then again, the tone in which you have written your post too seems very ‘common’ and very ‘unprofessional’ like how a programmer or a system engineer would sound.
You wrote: “I could have changed anything from registrar/billing/technical information to DNS entries.”
You stated the above line for 1 reason: That we encourage your expertise. Remember, I do not intend to say ‘encourage the crime’ — encouraging someone’s knowledge is good. However, you could have done that by doing so, by doing what you wrote. You could have changed their DNS or anything else? And well:
WHY IN THE WORLD WOULD SOMEONE NOT WANT TO DRIVE GOOGLE’S TRAFFIC TO THEIR WEBSITE WHEN THEY HAVE THE CAPABILITY? EVEN IF FOR A MOMENT?
This is something that I find very confusing and unbelievable. I don’t want to say that you’re a lire, but I do find the above post to be untrue.
I loved reading your blog though. MashaAllah its really interesting. Keep up the good work.
Well, there is an information security event being organized by NR3C [ http://www.nr3c.gov.pk] being held in Islamabad on 27th August, 2008.
Since its an established nationwide event, distinguished Pakistani & international speakers will participate along with Zahid Jamil of DNDRC.
I would try to attend it but not sure as I will have to travel all the way from Lahore from my very busy schedule. But I really wish some one bringing this issue up for the sake of all Pakistani internet users if I could not attend it.
If you are interested in attending, please reach out to following person:
KHAWAJA Mohammad Ali, CISA
Regional Coordinator
National Response Centre for Cyber Crimes (NR3C)
Federal Investigation Agency (FIA)
Government of Pakistan
Karachi Regional Office
Direct: +92.21. 9266 007
PBX: +92.21. 926 NR3C
Fax: +92.21. 9266 733
Emai: [email protected]
@ Muhammad bin Yusrat: The screen shot you posted is obviously taken after they have cleaned their mess and reverted back the domains to their previous state. I already have mentioned it in my first post.
Well, The reason I did not change the DNS that it would have been a serious crime. I am not here to “prove” my “expertise”, I “already” have stated that “I am a no hacker in any way” but the bug was so obvious that anyone who has some PKNIC domain management experience could login the control panel of any legacy domains. I already have been warned by PKNIC lawyer and they already have confirmed the “bug” as a “minor bug” so I don’t know what makes you believe that it could be fake. If I were such an expert faker I would have given many screen shots of almost every page to make it more “believe-able”.
But that was not my intent and it was not some thing planned. I only had a few good hours to decide and go about it and I did what I felt like the best approach in the given circumstances without being involved in any serious crime.
The thing which bothers me most is why everyone is picking up on me and can not understand the point being said that a company like PKNIC should not have even a minor bug exposed in their domain system which could generate a lot of problems. When they already have confirmed that there was a bug, then why in the world you start saying that these screen shots are fake or I am telling a lie. I have my life and my family. In fact I have an interview on a famous TV channel already lined up for another project I have been working on from quite some time. And when I am already on my road to fame and riches I do not need any deviations like this which has killed so many hours of my precious time already.
I think, this debate is useless. We had a chance to get the PKNIC sign a SLA and make their service better but I guess, we are so much used to their pathetic old system that we do not want to get a change any more. I am extremely disappointed.
All “HAIL” to great “PKNIC” – I bow!
First of all, I want to say this website is funny http://nr3c.gov.pk – This goes to show the standards we have.
I totally agree with chodhry on every single point that he has mentioned. PEE KAY NIC should IMPROVE and come to LIFE. They should thank him and rather reward him for notifying them otherwise I am sure they wouldn’t have done anything for years to come unless after USA would invade Pakistan in the near future 😉
Interesting article. Domain system should be 110% safe… 😮
@ Hasan: it is not funny, it is rather pathetic, but this is Pakistan. anything is possible and imaginable in the Govt. Setup. And Yaar I sincerely pray that USA could never ever invade Pakistan. And please check my post regarding this Information Security event, NR3C website and few Information security awareness Posters, screensavers and projecter animation I did for Gitex Duabi for a big Saudi Giant Al Faisaliah Group.
@ DPF Admin: Yes. they should be fool proof and managed by competent managers.
In case someone is still following this thread, I just received an email from PKNIC servers saying:
“You, or someone on your behalf, has requested to send your authorization code to the domain owner email address we have in our record. This information is given below:”
The domain in question expired 6-7 years ago, so I hope we will soon be able to witness what happens when malicious intent meets weak security.
@shoaib, I think no one was concerned enough. I wish I could have changed the DNS regardless of the consequences and I am sure there must have been lot more reaction to this PKNIC blunder. Looks like it is a dead topic now.
BTW, there is a change in PKNIC recently. You are no longer be able to view the expiry of a domain name in a who-is search. I think this can only create more domain disputes in the future. Something is just not right down there.
Nice work ! PKNIC should really improve themselves and make there system better and up to international standards, but you should have played with at least one of them i would love to have seen google.com.pk to go to a Pakistan Zindabad site 🙂 hehehe
you should better contact this person:
KHAWAJA Mohammad Ali, CISA
Regional Coordinator
National Response Centre for Cyber Crimes (NR3C)
Federal Investigation Agency (FIA)
Government of Pakistan
Karachi Regional Office
Direct: +92.21. 9266 007
PBX: +92.21. 926 NR3C
Fax: +92.21. 9266 733
Emai: [email protected]
@ Ehsan: well, I am sure if I had played with any one of these things would have been a lot different for everyone invloved, me, the site being played and PKNIC. but anyways, I now could only hope that they have learned their lesson.
@ Hassan Ahmad: Well, I actually do not know of my position legally. Don’t know if they will ask PKNIC or come after me to have “hacked” PKNIC.
btw to old thing ! like this have been done with FAST nu site last year ! duh.
what went wrong with the FAST site? did they have an unauthorized DNS change?
You have done good work, show them their mistakes…
I am with you…Keep it up!!
Really unprofessionals behind pknic….
thanks Ahmad for the comments. they are aware of the issue.
I like dis!!!!!
I could not believe the reply from the official representative. This is not the first time a #fail is done publicly. Pakistan need more to work on its communications department. Which will hopefully bring some mark to their profiles.
If all comments are taken right by their representaive than big kudos to them specially “fake user that is only there for the display sandbox for a few hours”
Fun !