Domain: dotcomnow.com
Stories and comments across the archive that link to dotcomnow.com.
Comments · 15
-
Re:How serious is this?
I have over 21oo addresses from Dotcomexpress.com
Mymailbag.com
Nsimail.com(the best by far),
and Good old Dotcomnow.com that are now cashed, i.e. Browser temp folder to simple cut and paste from notepad and I'm in. Some of these people, judging from subject lines, have used these accounts to register domain names. If you fill out and e-mail network solutions with say, Domain Registration Template from the admin or tech contact account what do you think might happen? Nah! No biG dEaL ;) -
Re:Mainstream media & Trust
Special Note: The NSI dotcomnow.com e-mail system vulnerability was discovered with a PalmIII PDA via a CDPD Novatel Plus Wireless modem connection to the internet using the Proxiweb browser..
Reply to Buddy on 01:17 PM September 20th, 1999 EDT
Well, you haven't seen it in the media because they are ignoring it. I've been paying way too much attention to this topic and I haven't heard a peep except what the hacker community already knows. This is not because I didn't try..Read On..
I messaged all the news media starting late Thursday night, Sept 16, 1999 and then into Friday. Tips@wired.com was the first place to be e-mailed: no response. Then I mailed local news and got the same. CNN, ABC, CBS, MSNBC, Microsoft (for the H of it), and NSI to name a few, were all mailed: again no response. Slashdot was also messaged sometime on Saturday, but there were 100+ submission pending, so I understand. http://slashdot.org/faq.shtml#Q42
The following message was sent:
You may already know this. I know at least one other person has figured it out.
The new Network Solutions E-mail systems are wide open. There are two ways to break in.
The first is to know the name of someone with an account with NSI, type
User: name
Pass: namensi
The second is this...
Here is the entry to the support account.
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
Replace the word support with any valid account and bang, you're in.The only response I received was sometime on Monday from http://netsecurity.about.com but well after it became public knowledge.
.As an ethical person, I wanted to give NSI fair warning. They were officially notified on Saturday, September 18, 1999. Since they were changing their production billing system on Saturday I figured that someone would react by verifying the hole and then taking down the system. This did not happen. I also tried calling. Don't try calling them; it's waste of time. 48 hours after notifying NSI, I released the information to various and nefarious sources detailing a 6-step process for guaranteed access. www.2600.com responded within minutes. In fact, they were so fast that they edited and posted the info about 5 minutes after it was sent. Now that's action.
Here's a copy of the original instructions:
Here is how to do it..
Instructions:
1. Click on Access Free Web Mail from Http://www.networksolutions.com
2. Click on one of the e-mail address near the bottom of the screen.
3. Click Click Here
4. Enter first and last name
5. Create a valid e-mail account
6. Wait until the screen says "Your Mailbox has been Created".
From here you can change the account name in this line
http://mail.dotcomnow.com/signup/poll/nametochange >?dlang=defaut
http://mail.dotcomnow.com/signup/poll/support?dlan g=default Actual Support AccountHere's a copy of the original mail I sent to my friends at 12:52 AM Sep. 18, 1999
Get this!
I just created an account on the Network Solutions new e-mail server and guess what...
I discovered a back door! NO SH***ING.....
Someone didn't do a good programming job here at all.
Simply type any name where you see the word "support"..
The link here will take you to their support e-mail
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
If the account exists you will get in
http://mail.dotcomnow.com/signup/poll/oracle?dlang =default
http://mail.dotcomnow.com/signup/poll/microsoft?dl ang=default
http://mail.dotcomnow.com/signup/poll/whitehouse?d lang=defaultNeedless to say, We had a lot of fun collecting accounts over the weekend. Slightly on the dark side of ethical? Maybe, but isn't it more unethical to offer a service that you know is flawed and yet do nothing to fix it. More importantly, we collected these accounts to demonstrate that Hole #2 is still open. Yet, where is the news coverage, where is the outrage, and where does NSI get off ignoring this personal privacy breach. If you want to try out Hole #2 for yourself, you can e-mail me for a small list of inconsequential accounts. Hey M$, This method is also being used on Hotmail.
Message to the people who use Network Solutions freemail:
You should be scared. I'm nice and I'm trying to save you. I won't do anything, but I will make this information available to anyone (members of congress, the media, NSI, your neighbors) via request.
What does this mean?
IT MEANS WE CAN STILL READ YOUR E-MAIL
Solution: Forward and then delete all of your mail. Don't have any passwords mailed to the account. Don't register any Domain Names using the account. Stop using the NSI mail system until it's really fixed.Message to NSI:
Shut down the server, fix the problem, and be nice. What you are doing is just wrong, very wrong. Get your third-party e-mail vendor to shape up. Or is that third-party thing just your way of shifting the blame? Tell us, who is this vendor and why do they suck so badly?Message to the Mainstream News Media (
/. Excluded)
You Suck! Maybe NSI has some commercial hold on you or maybe you're just stupid. Why so much coverage on the Hotmail gaffs? NSI provided the world with a code free hack; a front door into their system. This was an idiot door far worse (my opinion) than the Hotmail blunder(s). I stumbled upon it with no thinking required. Is this not news? I guess that a mail system that is used by mostly "nerds" (taken from someone's previous post) isn't worth the attention. I understand that an earthquake in Taiwan, Raisa Gorbachev dying, and of course, Hurricane Floyd, are all big issues, but why so little comment in the tech and headline news media. Personally, I wanted to hear Sarah Baskin report it to the world. Oh well, poor me. Maybe some reporter will summarize what I've said here and get the word out that FREE MAIL IS NOT SAFE. Let me say it again...FREE MAIL IS NOT SAFE. I'm just a regular guy, I'm no "hacker". Look how easy it was to open up their system. This should be a wakeup call.Well I have to go now. Unlike the folks at NSI, I need to stop playing around and get some real work done.
-
Re:Mainstream media & Trust
Special Note: The NSI dotcomnow.com e-mail system vulnerability was discovered with a PalmIII PDA via a CDPD Novatel Plus Wireless modem connection to the internet using the Proxiweb browser..
Reply to Buddy on 01:17 PM September 20th, 1999 EDT
Well, you haven't seen it in the media because they are ignoring it. I've been paying way too much attention to this topic and I haven't heard a peep except what the hacker community already knows. This is not because I didn't try..Read On..
I messaged all the news media starting late Thursday night, Sept 16, 1999 and then into Friday. Tips@wired.com was the first place to be e-mailed: no response. Then I mailed local news and got the same. CNN, ABC, CBS, MSNBC, Microsoft (for the H of it), and NSI to name a few, were all mailed: again no response. Slashdot was also messaged sometime on Saturday, but there were 100+ submission pending, so I understand. http://slashdot.org/faq.shtml#Q42
The following message was sent:
You may already know this. I know at least one other person has figured it out.
The new Network Solutions E-mail systems are wide open. There are two ways to break in.
The first is to know the name of someone with an account with NSI, type
User: name
Pass: namensi
The second is this...
Here is the entry to the support account.
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
Replace the word support with any valid account and bang, you're in.The only response I received was sometime on Monday from http://netsecurity.about.com but well after it became public knowledge.
.As an ethical person, I wanted to give NSI fair warning. They were officially notified on Saturday, September 18, 1999. Since they were changing their production billing system on Saturday I figured that someone would react by verifying the hole and then taking down the system. This did not happen. I also tried calling. Don't try calling them; it's waste of time. 48 hours after notifying NSI, I released the information to various and nefarious sources detailing a 6-step process for guaranteed access. www.2600.com responded within minutes. In fact, they were so fast that they edited and posted the info about 5 minutes after it was sent. Now that's action.
Here's a copy of the original instructions:
Here is how to do it..
Instructions:
1. Click on Access Free Web Mail from Http://www.networksolutions.com
2. Click on one of the e-mail address near the bottom of the screen.
3. Click Click Here
4. Enter first and last name
5. Create a valid e-mail account
6. Wait until the screen says "Your Mailbox has been Created".
From here you can change the account name in this line
http://mail.dotcomnow.com/signup/poll/nametochange >?dlang=defaut
http://mail.dotcomnow.com/signup/poll/support?dlan g=default Actual Support AccountHere's a copy of the original mail I sent to my friends at 12:52 AM Sep. 18, 1999
Get this!
I just created an account on the Network Solutions new e-mail server and guess what...
I discovered a back door! NO SH***ING.....
Someone didn't do a good programming job here at all.
Simply type any name where you see the word "support"..
The link here will take you to their support e-mail
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
If the account exists you will get in
http://mail.dotcomnow.com/signup/poll/oracle?dlang =default
http://mail.dotcomnow.com/signup/poll/microsoft?dl ang=default
http://mail.dotcomnow.com/signup/poll/whitehouse?d lang=defaultNeedless to say, We had a lot of fun collecting accounts over the weekend. Slightly on the dark side of ethical? Maybe, but isn't it more unethical to offer a service that you know is flawed and yet do nothing to fix it. More importantly, we collected these accounts to demonstrate that Hole #2 is still open. Yet, where is the news coverage, where is the outrage, and where does NSI get off ignoring this personal privacy breach. If you want to try out Hole #2 for yourself, you can e-mail me for a small list of inconsequential accounts. Hey M$, This method is also being used on Hotmail.
Message to the people who use Network Solutions freemail:
You should be scared. I'm nice and I'm trying to save you. I won't do anything, but I will make this information available to anyone (members of congress, the media, NSI, your neighbors) via request.
What does this mean?
IT MEANS WE CAN STILL READ YOUR E-MAIL
Solution: Forward and then delete all of your mail. Don't have any passwords mailed to the account. Don't register any Domain Names using the account. Stop using the NSI mail system until it's really fixed.Message to NSI:
Shut down the server, fix the problem, and be nice. What you are doing is just wrong, very wrong. Get your third-party e-mail vendor to shape up. Or is that third-party thing just your way of shifting the blame? Tell us, who is this vendor and why do they suck so badly?Message to the Mainstream News Media (
/. Excluded)
You Suck! Maybe NSI has some commercial hold on you or maybe you're just stupid. Why so much coverage on the Hotmail gaffs? NSI provided the world with a code free hack; a front door into their system. This was an idiot door far worse (my opinion) than the Hotmail blunder(s). I stumbled upon it with no thinking required. Is this not news? I guess that a mail system that is used by mostly "nerds" (taken from someone's previous post) isn't worth the attention. I understand that an earthquake in Taiwan, Raisa Gorbachev dying, and of course, Hurricane Floyd, are all big issues, but why so little comment in the tech and headline news media. Personally, I wanted to hear Sarah Baskin report it to the world. Oh well, poor me. Maybe some reporter will summarize what I've said here and get the word out that FREE MAIL IS NOT SAFE. Let me say it again...FREE MAIL IS NOT SAFE. I'm just a regular guy, I'm no "hacker". Look how easy it was to open up their system. This should be a wakeup call.Well I have to go now. Unlike the folks at NSI, I need to stop playing around and get some real work done.
-
Re:Mainstream media & Trust
Special Note: The NSI dotcomnow.com e-mail system vulnerability was discovered with a PalmIII PDA via a CDPD Novatel Plus Wireless modem connection to the internet using the Proxiweb browser..
Reply to Buddy on 01:17 PM September 20th, 1999 EDT
Well, you haven't seen it in the media because they are ignoring it. I've been paying way too much attention to this topic and I haven't heard a peep except what the hacker community already knows. This is not because I didn't try..Read On..
I messaged all the news media starting late Thursday night, Sept 16, 1999 and then into Friday. Tips@wired.com was the first place to be e-mailed: no response. Then I mailed local news and got the same. CNN, ABC, CBS, MSNBC, Microsoft (for the H of it), and NSI to name a few, were all mailed: again no response. Slashdot was also messaged sometime on Saturday, but there were 100+ submission pending, so I understand. http://slashdot.org/faq.shtml#Q42
The following message was sent:
You may already know this. I know at least one other person has figured it out.
The new Network Solutions E-mail systems are wide open. There are two ways to break in.
The first is to know the name of someone with an account with NSI, type
User: name
Pass: namensi
The second is this...
Here is the entry to the support account.
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
Replace the word support with any valid account and bang, you're in.The only response I received was sometime on Monday from http://netsecurity.about.com but well after it became public knowledge.
.As an ethical person, I wanted to give NSI fair warning. They were officially notified on Saturday, September 18, 1999. Since they were changing their production billing system on Saturday I figured that someone would react by verifying the hole and then taking down the system. This did not happen. I also tried calling. Don't try calling them; it's waste of time. 48 hours after notifying NSI, I released the information to various and nefarious sources detailing a 6-step process for guaranteed access. www.2600.com responded within minutes. In fact, they were so fast that they edited and posted the info about 5 minutes after it was sent. Now that's action.
Here's a copy of the original instructions:
Here is how to do it..
Instructions:
1. Click on Access Free Web Mail from Http://www.networksolutions.com
2. Click on one of the e-mail address near the bottom of the screen.
3. Click Click Here
4. Enter first and last name
5. Create a valid e-mail account
6. Wait until the screen says "Your Mailbox has been Created".
From here you can change the account name in this line
http://mail.dotcomnow.com/signup/poll/nametochange >?dlang=defaut
http://mail.dotcomnow.com/signup/poll/support?dlan g=default Actual Support AccountHere's a copy of the original mail I sent to my friends at 12:52 AM Sep. 18, 1999
Get this!
I just created an account on the Network Solutions new e-mail server and guess what...
I discovered a back door! NO SH***ING.....
Someone didn't do a good programming job here at all.
Simply type any name where you see the word "support"..
The link here will take you to their support e-mail
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
If the account exists you will get in
http://mail.dotcomnow.com/signup/poll/oracle?dlang =default
http://mail.dotcomnow.com/signup/poll/microsoft?dl ang=default
http://mail.dotcomnow.com/signup/poll/whitehouse?d lang=defaultNeedless to say, We had a lot of fun collecting accounts over the weekend. Slightly on the dark side of ethical? Maybe, but isn't it more unethical to offer a service that you know is flawed and yet do nothing to fix it. More importantly, we collected these accounts to demonstrate that Hole #2 is still open. Yet, where is the news coverage, where is the outrage, and where does NSI get off ignoring this personal privacy breach. If you want to try out Hole #2 for yourself, you can e-mail me for a small list of inconsequential accounts. Hey M$, This method is also being used on Hotmail.
Message to the people who use Network Solutions freemail:
You should be scared. I'm nice and I'm trying to save you. I won't do anything, but I will make this information available to anyone (members of congress, the media, NSI, your neighbors) via request.
What does this mean?
IT MEANS WE CAN STILL READ YOUR E-MAIL
Solution: Forward and then delete all of your mail. Don't have any passwords mailed to the account. Don't register any Domain Names using the account. Stop using the NSI mail system until it's really fixed.Message to NSI:
Shut down the server, fix the problem, and be nice. What you are doing is just wrong, very wrong. Get your third-party e-mail vendor to shape up. Or is that third-party thing just your way of shifting the blame? Tell us, who is this vendor and why do they suck so badly?Message to the Mainstream News Media (
/. Excluded)
You Suck! Maybe NSI has some commercial hold on you or maybe you're just stupid. Why so much coverage on the Hotmail gaffs? NSI provided the world with a code free hack; a front door into their system. This was an idiot door far worse (my opinion) than the Hotmail blunder(s). I stumbled upon it with no thinking required. Is this not news? I guess that a mail system that is used by mostly "nerds" (taken from someone's previous post) isn't worth the attention. I understand that an earthquake in Taiwan, Raisa Gorbachev dying, and of course, Hurricane Floyd, are all big issues, but why so little comment in the tech and headline news media. Personally, I wanted to hear Sarah Baskin report it to the world. Oh well, poor me. Maybe some reporter will summarize what I've said here and get the word out that FREE MAIL IS NOT SAFE. Let me say it again...FREE MAIL IS NOT SAFE. I'm just a regular guy, I'm no "hacker". Look how easy it was to open up their system. This should be a wakeup call.Well I have to go now. Unlike the folks at NSI, I need to stop playing around and get some real work done.
-
Re:Mainstream media & Trust
Special Note: The NSI dotcomnow.com e-mail system vulnerability was discovered with a PalmIII PDA via a CDPD Novatel Plus Wireless modem connection to the internet using the Proxiweb browser..
Reply to Buddy on 01:17 PM September 20th, 1999 EDT
Well, you haven't seen it in the media because they are ignoring it. I've been paying way too much attention to this topic and I haven't heard a peep except what the hacker community already knows. This is not because I didn't try..Read On..
I messaged all the news media starting late Thursday night, Sept 16, 1999 and then into Friday. Tips@wired.com was the first place to be e-mailed: no response. Then I mailed local news and got the same. CNN, ABC, CBS, MSNBC, Microsoft (for the H of it), and NSI to name a few, were all mailed: again no response. Slashdot was also messaged sometime on Saturday, but there were 100+ submission pending, so I understand. http://slashdot.org/faq.shtml#Q42
The following message was sent:
You may already know this. I know at least one other person has figured it out.
The new Network Solutions E-mail systems are wide open. There are two ways to break in.
The first is to know the name of someone with an account with NSI, type
User: name
Pass: namensi
The second is this...
Here is the entry to the support account.
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
Replace the word support with any valid account and bang, you're in.The only response I received was sometime on Monday from http://netsecurity.about.com but well after it became public knowledge.
.As an ethical person, I wanted to give NSI fair warning. They were officially notified on Saturday, September 18, 1999. Since they were changing their production billing system on Saturday I figured that someone would react by verifying the hole and then taking down the system. This did not happen. I also tried calling. Don't try calling them; it's waste of time. 48 hours after notifying NSI, I released the information to various and nefarious sources detailing a 6-step process for guaranteed access. www.2600.com responded within minutes. In fact, they were so fast that they edited and posted the info about 5 minutes after it was sent. Now that's action.
Here's a copy of the original instructions:
Here is how to do it..
Instructions:
1. Click on Access Free Web Mail from Http://www.networksolutions.com
2. Click on one of the e-mail address near the bottom of the screen.
3. Click Click Here
4. Enter first and last name
5. Create a valid e-mail account
6. Wait until the screen says "Your Mailbox has been Created".
From here you can change the account name in this line
http://mail.dotcomnow.com/signup/poll/nametochange >?dlang=defaut
http://mail.dotcomnow.com/signup/poll/support?dlan g=default Actual Support AccountHere's a copy of the original mail I sent to my friends at 12:52 AM Sep. 18, 1999
Get this!
I just created an account on the Network Solutions new e-mail server and guess what...
I discovered a back door! NO SH***ING.....
Someone didn't do a good programming job here at all.
Simply type any name where you see the word "support"..
The link here will take you to their support e-mail
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
If the account exists you will get in
http://mail.dotcomnow.com/signup/poll/oracle?dlang =default
http://mail.dotcomnow.com/signup/poll/microsoft?dl ang=default
http://mail.dotcomnow.com/signup/poll/whitehouse?d lang=defaultNeedless to say, We had a lot of fun collecting accounts over the weekend. Slightly on the dark side of ethical? Maybe, but isn't it more unethical to offer a service that you know is flawed and yet do nothing to fix it. More importantly, we collected these accounts to demonstrate that Hole #2 is still open. Yet, where is the news coverage, where is the outrage, and where does NSI get off ignoring this personal privacy breach. If you want to try out Hole #2 for yourself, you can e-mail me for a small list of inconsequential accounts. Hey M$, This method is also being used on Hotmail.
Message to the people who use Network Solutions freemail:
You should be scared. I'm nice and I'm trying to save you. I won't do anything, but I will make this information available to anyone (members of congress, the media, NSI, your neighbors) via request.
What does this mean?
IT MEANS WE CAN STILL READ YOUR E-MAIL
Solution: Forward and then delete all of your mail. Don't have any passwords mailed to the account. Don't register any Domain Names using the account. Stop using the NSI mail system until it's really fixed.Message to NSI:
Shut down the server, fix the problem, and be nice. What you are doing is just wrong, very wrong. Get your third-party e-mail vendor to shape up. Or is that third-party thing just your way of shifting the blame? Tell us, who is this vendor and why do they suck so badly?Message to the Mainstream News Media (
/. Excluded)
You Suck! Maybe NSI has some commercial hold on you or maybe you're just stupid. Why so much coverage on the Hotmail gaffs? NSI provided the world with a code free hack; a front door into their system. This was an idiot door far worse (my opinion) than the Hotmail blunder(s). I stumbled upon it with no thinking required. Is this not news? I guess that a mail system that is used by mostly "nerds" (taken from someone's previous post) isn't worth the attention. I understand that an earthquake in Taiwan, Raisa Gorbachev dying, and of course, Hurricane Floyd, are all big issues, but why so little comment in the tech and headline news media. Personally, I wanted to hear Sarah Baskin report it to the world. Oh well, poor me. Maybe some reporter will summarize what I've said here and get the word out that FREE MAIL IS NOT SAFE. Let me say it again...FREE MAIL IS NOT SAFE. I'm just a regular guy, I'm no "hacker". Look how easy it was to open up their system. This should be a wakeup call.Well I have to go now. Unlike the folks at NSI, I need to stop playing around and get some real work done.
-
Re:Mainstream media & Trust
Special Note: The NSI dotcomnow.com e-mail system vulnerability was discovered with a PalmIII PDA via a CDPD Novatel Plus Wireless modem connection to the internet using the Proxiweb browser..
Reply to Buddy on 01:17 PM September 20th, 1999 EDT
Well, you haven't seen it in the media because they are ignoring it. I've been paying way too much attention to this topic and I haven't heard a peep except what the hacker community already knows. This is not because I didn't try..Read On..
I messaged all the news media starting late Thursday night, Sept 16, 1999 and then into Friday. Tips@wired.com was the first place to be e-mailed: no response. Then I mailed local news and got the same. CNN, ABC, CBS, MSNBC, Microsoft (for the H of it), and NSI to name a few, were all mailed: again no response. Slashdot was also messaged sometime on Saturday, but there were 100+ submission pending, so I understand. http://slashdot.org/faq.shtml#Q42
The following message was sent:
You may already know this. I know at least one other person has figured it out.
The new Network Solutions E-mail systems are wide open. There are two ways to break in.
The first is to know the name of someone with an account with NSI, type
User: name
Pass: namensi
The second is this...
Here is the entry to the support account.
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
Replace the word support with any valid account and bang, you're in.The only response I received was sometime on Monday from http://netsecurity.about.com but well after it became public knowledge.
.As an ethical person, I wanted to give NSI fair warning. They were officially notified on Saturday, September 18, 1999. Since they were changing their production billing system on Saturday I figured that someone would react by verifying the hole and then taking down the system. This did not happen. I also tried calling. Don't try calling them; it's waste of time. 48 hours after notifying NSI, I released the information to various and nefarious sources detailing a 6-step process for guaranteed access. www.2600.com responded within minutes. In fact, they were so fast that they edited and posted the info about 5 minutes after it was sent. Now that's action.
Here's a copy of the original instructions:
Here is how to do it..
Instructions:
1. Click on Access Free Web Mail from Http://www.networksolutions.com
2. Click on one of the e-mail address near the bottom of the screen.
3. Click Click Here
4. Enter first and last name
5. Create a valid e-mail account
6. Wait until the screen says "Your Mailbox has been Created".
From here you can change the account name in this line
http://mail.dotcomnow.com/signup/poll/nametochange >?dlang=defaut
http://mail.dotcomnow.com/signup/poll/support?dlan g=default Actual Support AccountHere's a copy of the original mail I sent to my friends at 12:52 AM Sep. 18, 1999
Get this!
I just created an account on the Network Solutions new e-mail server and guess what...
I discovered a back door! NO SH***ING.....
Someone didn't do a good programming job here at all.
Simply type any name where you see the word "support"..
The link here will take you to their support e-mail
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
If the account exists you will get in
http://mail.dotcomnow.com/signup/poll/oracle?dlang =default
http://mail.dotcomnow.com/signup/poll/microsoft?dl ang=default
http://mail.dotcomnow.com/signup/poll/whitehouse?d lang=defaultNeedless to say, We had a lot of fun collecting accounts over the weekend. Slightly on the dark side of ethical? Maybe, but isn't it more unethical to offer a service that you know is flawed and yet do nothing to fix it. More importantly, we collected these accounts to demonstrate that Hole #2 is still open. Yet, where is the news coverage, where is the outrage, and where does NSI get off ignoring this personal privacy breach. If you want to try out Hole #2 for yourself, you can e-mail me for a small list of inconsequential accounts. Hey M$, This method is also being used on Hotmail.
Message to the people who use Network Solutions freemail:
You should be scared. I'm nice and I'm trying to save you. I won't do anything, but I will make this information available to anyone (members of congress, the media, NSI, your neighbors) via request.
What does this mean?
IT MEANS WE CAN STILL READ YOUR E-MAIL
Solution: Forward and then delete all of your mail. Don't have any passwords mailed to the account. Don't register any Domain Names using the account. Stop using the NSI mail system until it's really fixed.Message to NSI:
Shut down the server, fix the problem, and be nice. What you are doing is just wrong, very wrong. Get your third-party e-mail vendor to shape up. Or is that third-party thing just your way of shifting the blame? Tell us, who is this vendor and why do they suck so badly?Message to the Mainstream News Media (
/. Excluded)
You Suck! Maybe NSI has some commercial hold on you or maybe you're just stupid. Why so much coverage on the Hotmail gaffs? NSI provided the world with a code free hack; a front door into their system. This was an idiot door far worse (my opinion) than the Hotmail blunder(s). I stumbled upon it with no thinking required. Is this not news? I guess that a mail system that is used by mostly "nerds" (taken from someone's previous post) isn't worth the attention. I understand that an earthquake in Taiwan, Raisa Gorbachev dying, and of course, Hurricane Floyd, are all big issues, but why so little comment in the tech and headline news media. Personally, I wanted to hear Sarah Baskin report it to the world. Oh well, poor me. Maybe some reporter will summarize what I've said here and get the word out that FREE MAIL IS NOT SAFE. Let me say it again...FREE MAIL IS NOT SAFE. I'm just a regular guy, I'm no "hacker". Look how easy it was to open up their system. This should be a wakeup call.Well I have to go now. Unlike the folks at NSI, I need to stop playing around and get some real work done.
-
Re:Mainstream media & Trust
Special Note: The NSI dotcomnow.com e-mail system vulnerability was discovered with a PalmIII PDA via a CDPD Novatel Plus Wireless modem connection to the internet using the Proxiweb browser..
Reply to Buddy on 01:17 PM September 20th, 1999 EDT
Well, you haven't seen it in the media because they are ignoring it. I've been paying way too much attention to this topic and I haven't heard a peep except what the hacker community already knows. This is not because I didn't try..Read On..
I messaged all the news media starting late Thursday night, Sept 16, 1999 and then into Friday. Tips@wired.com was the first place to be e-mailed: no response. Then I mailed local news and got the same. CNN, ABC, CBS, MSNBC, Microsoft (for the H of it), and NSI to name a few, were all mailed: again no response. Slashdot was also messaged sometime on Saturday, but there were 100+ submission pending, so I understand. http://slashdot.org/faq.shtml#Q42
The following message was sent:
You may already know this. I know at least one other person has figured it out.
The new Network Solutions E-mail systems are wide open. There are two ways to break in.
The first is to know the name of someone with an account with NSI, type
User: name
Pass: namensi
The second is this...
Here is the entry to the support account.
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
Replace the word support with any valid account and bang, you're in.The only response I received was sometime on Monday from http://netsecurity.about.com but well after it became public knowledge.
.As an ethical person, I wanted to give NSI fair warning. They were officially notified on Saturday, September 18, 1999. Since they were changing their production billing system on Saturday I figured that someone would react by verifying the hole and then taking down the system. This did not happen. I also tried calling. Don't try calling them; it's waste of time. 48 hours after notifying NSI, I released the information to various and nefarious sources detailing a 6-step process for guaranteed access. www.2600.com responded within minutes. In fact, they were so fast that they edited and posted the info about 5 minutes after it was sent. Now that's action.
Here's a copy of the original instructions:
Here is how to do it..
Instructions:
1. Click on Access Free Web Mail from Http://www.networksolutions.com
2. Click on one of the e-mail address near the bottom of the screen.
3. Click Click Here
4. Enter first and last name
5. Create a valid e-mail account
6. Wait until the screen says "Your Mailbox has been Created".
From here you can change the account name in this line
http://mail.dotcomnow.com/signup/poll/nametochange >?dlang=defaut
http://mail.dotcomnow.com/signup/poll/support?dlan g=default Actual Support AccountHere's a copy of the original mail I sent to my friends at 12:52 AM Sep. 18, 1999
Get this!
I just created an account on the Network Solutions new e-mail server and guess what...
I discovered a back door! NO SH***ING.....
Someone didn't do a good programming job here at all.
Simply type any name where you see the word "support"..
The link here will take you to their support e-mail
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
If the account exists you will get in
http://mail.dotcomnow.com/signup/poll/oracle?dlang =default
http://mail.dotcomnow.com/signup/poll/microsoft?dl ang=default
http://mail.dotcomnow.com/signup/poll/whitehouse?d lang=defaultNeedless to say, We had a lot of fun collecting accounts over the weekend. Slightly on the dark side of ethical? Maybe, but isn't it more unethical to offer a service that you know is flawed and yet do nothing to fix it. More importantly, we collected these accounts to demonstrate that Hole #2 is still open. Yet, where is the news coverage, where is the outrage, and where does NSI get off ignoring this personal privacy breach. If you want to try out Hole #2 for yourself, you can e-mail me for a small list of inconsequential accounts. Hey M$, This method is also being used on Hotmail.
Message to the people who use Network Solutions freemail:
You should be scared. I'm nice and I'm trying to save you. I won't do anything, but I will make this information available to anyone (members of congress, the media, NSI, your neighbors) via request.
What does this mean?
IT MEANS WE CAN STILL READ YOUR E-MAIL
Solution: Forward and then delete all of your mail. Don't have any passwords mailed to the account. Don't register any Domain Names using the account. Stop using the NSI mail system until it's really fixed.Message to NSI:
Shut down the server, fix the problem, and be nice. What you are doing is just wrong, very wrong. Get your third-party e-mail vendor to shape up. Or is that third-party thing just your way of shifting the blame? Tell us, who is this vendor and why do they suck so badly?Message to the Mainstream News Media (
/. Excluded)
You Suck! Maybe NSI has some commercial hold on you or maybe you're just stupid. Why so much coverage on the Hotmail gaffs? NSI provided the world with a code free hack; a front door into their system. This was an idiot door far worse (my opinion) than the Hotmail blunder(s). I stumbled upon it with no thinking required. Is this not news? I guess that a mail system that is used by mostly "nerds" (taken from someone's previous post) isn't worth the attention. I understand that an earthquake in Taiwan, Raisa Gorbachev dying, and of course, Hurricane Floyd, are all big issues, but why so little comment in the tech and headline news media. Personally, I wanted to hear Sarah Baskin report it to the world. Oh well, poor me. Maybe some reporter will summarize what I've said here and get the word out that FREE MAIL IS NOT SAFE. Let me say it again...FREE MAIL IS NOT SAFE. I'm just a regular guy, I'm no "hacker". Look how easy it was to open up their system. This should be a wakeup call.Well I have to go now. Unlike the folks at NSI, I need to stop playing around and get some real work done.
-
Re:Mainstream media & Trust
Special Note: The NSI dotcomnow.com e-mail system vulnerability was discovered with a PalmIII PDA via a CDPD Novatel Plus Wireless modem connection to the internet using the Proxiweb browser..
Reply to Buddy on 01:17 PM September 20th, 1999 EDT
Well, you haven't seen it in the media because they are ignoring it. I've been paying way too much attention to this topic and I haven't heard a peep except what the hacker community already knows. This is not because I didn't try..Read On..
I messaged all the news media starting late Thursday night, Sept 16, 1999 and then into Friday. Tips@wired.com was the first place to be e-mailed: no response. Then I mailed local news and got the same. CNN, ABC, CBS, MSNBC, Microsoft (for the H of it), and NSI to name a few, were all mailed: again no response. Slashdot was also messaged sometime on Saturday, but there were 100+ submission pending, so I understand. http://slashdot.org/faq.shtml#Q42
The following message was sent:
You may already know this. I know at least one other person has figured it out.
The new Network Solutions E-mail systems are wide open. There are two ways to break in.
The first is to know the name of someone with an account with NSI, type
User: name
Pass: namensi
The second is this...
Here is the entry to the support account.
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
Replace the word support with any valid account and bang, you're in.The only response I received was sometime on Monday from http://netsecurity.about.com but well after it became public knowledge.
.As an ethical person, I wanted to give NSI fair warning. They were officially notified on Saturday, September 18, 1999. Since they were changing their production billing system on Saturday I figured that someone would react by verifying the hole and then taking down the system. This did not happen. I also tried calling. Don't try calling them; it's waste of time. 48 hours after notifying NSI, I released the information to various and nefarious sources detailing a 6-step process for guaranteed access. www.2600.com responded within minutes. In fact, they were so fast that they edited and posted the info about 5 minutes after it was sent. Now that's action.
Here's a copy of the original instructions:
Here is how to do it..
Instructions:
1. Click on Access Free Web Mail from Http://www.networksolutions.com
2. Click on one of the e-mail address near the bottom of the screen.
3. Click Click Here
4. Enter first and last name
5. Create a valid e-mail account
6. Wait until the screen says "Your Mailbox has been Created".
From here you can change the account name in this line
http://mail.dotcomnow.com/signup/poll/nametochange >?dlang=defaut
http://mail.dotcomnow.com/signup/poll/support?dlan g=default Actual Support AccountHere's a copy of the original mail I sent to my friends at 12:52 AM Sep. 18, 1999
Get this!
I just created an account on the Network Solutions new e-mail server and guess what...
I discovered a back door! NO SH***ING.....
Someone didn't do a good programming job here at all.
Simply type any name where you see the word "support"..
The link here will take you to their support e-mail
http://mail.dotcomnow.com/signup/poll/support?dlan g=default
If the account exists you will get in
http://mail.dotcomnow.com/signup/poll/oracle?dlang =default
http://mail.dotcomnow.com/signup/poll/microsoft?dl ang=default
http://mail.dotcomnow.com/signup/poll/whitehouse?d lang=defaultNeedless to say, We had a lot of fun collecting accounts over the weekend. Slightly on the dark side of ethical? Maybe, but isn't it more unethical to offer a service that you know is flawed and yet do nothing to fix it. More importantly, we collected these accounts to demonstrate that Hole #2 is still open. Yet, where is the news coverage, where is the outrage, and where does NSI get off ignoring this personal privacy breach. If you want to try out Hole #2 for yourself, you can e-mail me for a small list of inconsequential accounts. Hey M$, This method is also being used on Hotmail.
Message to the people who use Network Solutions freemail:
You should be scared. I'm nice and I'm trying to save you. I won't do anything, but I will make this information available to anyone (members of congress, the media, NSI, your neighbors) via request.
What does this mean?
IT MEANS WE CAN STILL READ YOUR E-MAIL
Solution: Forward and then delete all of your mail. Don't have any passwords mailed to the account. Don't register any Domain Names using the account. Stop using the NSI mail system until it's really fixed.Message to NSI:
Shut down the server, fix the problem, and be nice. What you are doing is just wrong, very wrong. Get your third-party e-mail vendor to shape up. Or is that third-party thing just your way of shifting the blame? Tell us, who is this vendor and why do they suck so badly?Message to the Mainstream News Media (
/. Excluded)
You Suck! Maybe NSI has some commercial hold on you or maybe you're just stupid. Why so much coverage on the Hotmail gaffs? NSI provided the world with a code free hack; a front door into their system. This was an idiot door far worse (my opinion) than the Hotmail blunder(s). I stumbled upon it with no thinking required. Is this not news? I guess that a mail system that is used by mostly "nerds" (taken from someone's previous post) isn't worth the attention. I understand that an earthquake in Taiwan, Raisa Gorbachev dying, and of course, Hurricane Floyd, are all big issues, but why so little comment in the tech and headline news media. Personally, I wanted to hear Sarah Baskin report it to the world. Oh well, poor me. Maybe some reporter will summarize what I've said here and get the word out that FREE MAIL IS NOT SAFE. Let me say it again...FREE MAIL IS NOT SAFE. I'm just a regular guy, I'm no "hacker". Look how easy it was to open up their system. This should be a wakeup call.Well I have to go now. Unlike the folks at NSI, I need to stop playing around and get some real work done.
-
Very Nice AutorespondTwo things:
(1) Go read the webmaster's mail: http://mail.dotcomnow
.com/signup/poll/webmaster?dlang=default then choose "click here".(2) Funny AD I saw during #1: http://imageserv1.imgis. com/images/Ad94426St1Sz1Sq3Id3.gif to wit, "mail.com...Free Secure, and Private"
-
Contractual Obligation infoit's worth checking terms of service before setting up an account with dotcomnow.com, or getting in a panic about the possibility of somebody hijacking 'your' account.
G. MODIFICATIONS TO AGREEMENT. [...] You may terminate this Agreement at any time by providing us with notice by e-mail addressed to support@nsimail.com or by United States mail addressed to Free Web Mail Comments, 505 Huntmar Park Drive, Herndon, VA 20170-5139.
Also in the contract are various clauses such as J. ANNOUNCEMENTS which outlines your obligation to receive email from NSI, D. PRIVACY POLICY which states that your privacy is respected unless, in good faith, they decide to violate it, G. MODIFICATIONS TO AGREEMENT which describes how NSI may change the terms of the contract without explicit notification, and various others (E., I., and K, for example) which describe how few responsibilities they have towards you and what obligations you have toward them.dotcomnow.com accounts have been set up without their owners' prior knowledge or permission. Is an involuntary contract valid? At least they provide an out.
rT
-
17:00 EDT status and workaroundAs of 17:00 EDT 16 Sep 1999 it looks like Network Solutions is redirecting requests to http://mail.dotcomnow.com/ and http://mail.dotcomnow.com/login/ to their generic "Free Web Mail" page at http://www.networksolutions.com/freewe bmail/ instead. However, you can still login directly using a bit of HTML:
mail.dotcomnow.com login User ID: Password:
As others have stated, I too could easily login using various surnames with and without digits using the same text with "nsi" appended as the password. However I have not been able to login using a domain ID of any sort. If I use example.com would the domain ID be "example"? And are multiple domains handled by adding digits like surnames are? Someone mentioned on the inet-access list that passwords are truncated at 8 characters so you only need to bother with the first 8. I haven't verified it yet myself. So a login of "harrison" would have a password of "harrison" since the "nsi" characters would be truncated. Just lovely. -
17:00 EDT status and workaroundAs of 17:00 EDT 16 Sep 1999 it looks like Network Solutions is redirecting requests to http://mail.dotcomnow.com/ and http://mail.dotcomnow.com/login/ to their generic "Free Web Mail" page at http://www.networksolutions.com/freewe bmail/ instead. However, you can still login directly using a bit of HTML:
mail.dotcomnow.com login User ID: Password:
As others have stated, I too could easily login using various surnames with and without digits using the same text with "nsi" appended as the password. However I have not been able to login using a domain ID of any sort. If I use example.com would the domain ID be "example"? And are multiple domains handled by adding digits like surnames are? Someone mentioned on the inet-access list that passwords are truncated at 8 characters so you only need to bother with the first 8. I haven't verified it yet myself. So a login of "harrison" would have a password of "harrison" since the "nsi" characters would be truncated. Just lovely. -
Put your dotcomnow mail account to good use! :)
Okay,
The link in the email is either /.'ed, they took it down, or it's another example of NSI icompetency. ( I suspect a combo of the first and last. :P )
My username/password was not related to any of my NIC handles in any way. The password was the combo of 'username+nsi' which is truly awful as already noted here.
You can go to http://mail.dotcomnow.com to access your account, so they definitely *haven't* taken the site down.
I logged in, changed my password, set up the vacation message, and sent mail to NSI expressing my displeasure at this rather silly attempt to gain yet more business from me ( it ain't gonna happen. )
So now, when they reply to my emails, they'll get my autoreply vacation message.
Hrm... wonder if there are any autoresponders at NSI that I could mail from my wonderful new account... ( heh ) -
Imagine what that poor webmaster thought...
I can just see that moron sitting in his office now.
"Hey, look! My new e-mail service is getting tons of hits! Wow, it's only been available for a few hours, and everyone is logging in with their new accounts! Unbelievable! I'm going to be a huge success! I'll be on the cover of Fortune. Hotmail, move over, baby." (sound of smacking lips)
So let's all contribute to his trumped-up feeling of greatness. I'm logging in with every name I can find (someone else's, of course) and sending congratulatory e-mails to webmaster@dotcomnow.com about what a wonderful service this is, blah blah blah.
FYI, http://mail.dotcomnow.com still works, even though the original URL sent out in the e-mail is /.ed.
And before you try it, I've already snatched clinton, lewinsky, and elvis. Heh heh heh.... -
You can change your password
Go to http://mail.dotcomnow.com and click on preferences. You can change your password from there.