How Secure is Your Domain Registration?
Matthew Enger writes "An article on dnspolicy.net has underlined some important concerns with domain registrations through Network Solutions. It discusses concerns with the standard security method used (MAIL-FROM) as well as how easy it is for people to hijack your domain."
It's 11 o'clock - do you know where your domain name is?
just tell me the email addr you used to register it, gimme a few hours, and bam no domain for you to worry about =)
There is even a 1997 bugtraq message I found on it here. It goes into quite a bit of detail on hijacking names, but is probably outdated by now.
AC and proud of it!
Here in the UK the concept of dust and gravel applies to any amount of the stuff.
There is no plural for dust or gravel.
The same applies to the word "grit", a quantity of gritty dirt.
So can somebody PLEASE explain your usage of "grits" and specifically why they
would be applied around the genitals? Hot?!
If there is a USA meaning to the word PLEASE put me out my ignorance misery.
And please stop using "boxen" for boxes - it's horrible!
Network Solutions just poured a bowl of hot grits down my pants! Thank you.
grits (noun plural but singular or plural in construction)
[perhaps partly from grit [1], partly from dialect grit coarse meal, from Old English grytt; akin to Old English greot]
First appeared 1579
: coarsely ground hulled grain; especially : ground hominy with the germ removed
........ hope that helps =)
[ You know, what I can't understand is why the parent post appears as a post on bugtraq, almost verbatim. But I'm not sure if that fact is really relevant. ]
yeah, obviously he wants to know what Americans mean by grits. It's a simple enough question.
Americans, missing the point of a simple request? Never!
:)
I hate Network Solutions. I accidentally misspelled the name I wanted to use as my company name on the registration, and they won't change it without me seeing a notary public (lawyer?) and getting a certified signature. Of course that costs money...
All I want to do is correct a misspelling of the company name, and they won't do it! However, I WAS able to transfer the domain to different contacts without any verification whatsoever (I used a different email account on a different provider)! Why is it so easy to change the person who "owns" the domain name, but not the company name? Shouldn't this be consistent? Shouldn't it be the other way around, maybe?
-"What's a troll?"
-"A scary monster that lives in the ground and comes out after dark."
Neal Stephenson, The Diamond Age
Recently I had a domain hijacked. The domain had been protected with NSI's Guardian even. One day, I get an email that asks to approve changing ALL of the contacts and the name servers. With Guardian this should not have even gone this far! I of course said NO. I then called NSI not once, but twice to tell them to refuse the changes just for good measure. I then get a message from NSI stating that the requested changes would be cancelled. The very next day, I no longer had the domain. It took the hijacker 2 days to take the domain, but then NSI gives me the shaft and makes me fight for a full week to get MY domain back!
yes this off topic
the attacks on those web sites are affecting
the stock market
what a wonderful time to be alive!
investors may begin to understand what is going on
some think online trading sites are next!
hey hemos post a story about this so we can discuss and be on topic
NOW!
I received notice that "my" domains have been paid for in full till 2002. Uhh I didn't ORDER any new domains...some guy in Bangalore, India is going to be pissed. I'm somehow Admin, Tech, Billing and Zone contact on these new domains. Hmmm better sell them on Ebay while I have the chance.
grits.net
grits.org
grits.edu
grits.mil.
grits.aq
pour.a.bowl.of.grits.down.your.pant.*
thank you.
I highly recommend that everyone goes to this page and download the stuff that's on it. Yesterday I posted this link to Slashdot and the web page activity went WAY up. It'll be interesting to see how much Slashdot can boost activity today if this is posted early.
:-)
Is that supposed to be *your* song?
Let's try to Slashdot this site!
The slashdot effect isn't that major. If you have a homepage that is linked to your name when you post you get the same effect. Essentially when I tried it I got about oh maybe 50 hits in a week or so. Quite interesting. But nothing to bog down a server with.
Screw this boring domain shit, go check out the hot mammas at http://www.pond.com/~erik/hgundam/!
Tyler,
I thought you were GREAT in Armageddon! I especially like the part when that guy put cookies on you. Yum! Don't worry about Deep Impact being called better by all the critics - what do they know? Hang in there, honey!
C'mere, you. Gimmie a peck on the cheek, you dumb turd you!
JOKER told ME to take my business elsewhere.
READ on.
I think Joker.com is a one man operation.
this stefan guy is the same as info@joker.com guy.
----------------------------
Hello,
we are not able to charge your cc-card, so we have canceled your
request. please take your business elsewhere.
JOKER-TEAM
On 4 Feb 00, at 11:38, rainkid wrote:
> I faxed my transfer_template and a copy of my driver's license ID 2 weeks
> ago. My registrar had not been changed yet to CORE.
>
> My emails are ignored.
>
> If you are unable to complete this registrar transfer to CORE, inform me so
> I can take my business elsewhere.
>
>
>
> >>>
> Hello,
>
> append a copy of your driver-licence or similar to the fax.
>
> Stefan
>
>
>
>
Jeremy,
You were GREAT in Die Hard III! The best villain out of any of the Die Hard films! Don't listen to anyone that says the first one was the best - they don't know any better! Keep it going, yo!
C'mere, you, and give me a smooch! Ya dumb turd, you.
kwsNI.
I thought that was the African American Holiday around Christmas time? Oh well. Well, then, Happy kwsNI!
Kinda sucks having two holidays so close to each other, what with Troll Day being yesterday and all.
aw, no hard feelings. C'mere, you, and give me a handshake. Ya dumb piece of turd, you.
Sure any script kiddie can fake mail from me to NSI, but how's he going to get the acknowledgement with the magic number, to send back to NSI?
Unless we're talking about promiscuous packet sniffing of plaintext email, I fail to understand why MAIL-FROM is insecure. And a h4x0r who is in a position to freely sniff packets between you and your ISP is a greater menace in other areas.
Couldn't NSI be sued for negligence, or for product-tying (domain names are only $35/y, but if you want to keep them, we'll charge you another $119)?
That should at least get them to wake up and fix the problem.
-jesser (IANAL, btw)
Hi,
Any good experiences with other registrar (register.com, dotster.com...)?
The problem with Network Solutions is that they apparently have too many customers... I can't get any REAL invoice (not just plain emails with not even the amount of the transaction!) for my accounting department and it's very difficult to manage +30 domains; I can't find any easy way to do modifications on all of them in one single pass...
Nick.
I'd be surprised if the humans have to do anything more than click "OK" to accept the domain.. even that is stretching it since the computer probably validates all the information for the domain, checks to see if it exists, and processes it automatically unless it raises some kind of flag. I'm fairly certain the IRS works in the same way.. your tax form is scanned into a computer automatically and processed. If it can't be read for some reason or if there is something that brings up a flag, only then is it actually LOOKED at by a human. You'd need millions of people to process all the IRS forms by hand!
and they released an article about it several months ago.
I process the form using my email address, it sends me the form to mail back. If I then mail it from YOUR email address then it should go through. We will see. I just attempted to hijack my own domain via telnet rs.internic.net 25. I was just thinking, it's nice having your own domain and machines on the internet, you can crack them and not feel bad about it :)
Microsoft keeps sending MSN disks addressed to me at a post office box which I've never used for anything other than my domain registrations. =)
Wow 3000 hits a day I bet you think that you're so special. that is probably twice your national population? everyone in your country visits that site twice a day because they are tired of fucking goats.
It usually takes only a few minutes for me to get registration confirmations back. However, I've had some that NEVER went thru, even after several MONTHS. Just goes to show you, make sure to follow through on your domain purchases!
Since I doubt that NSI has the ability or legal power to actually check a drivers license with some remote state's DMV (NSI is in VA), I could easily scan my own DL, change the name, address, and a few numbers, print it and fax it (which results in such poor image quality as to make spotting forged DLs impossible) and hijack domains this way, bypassing mail-from, crypt-pw, pgp, and their latest pay-auth scheme too?
Why try to h4x0r them when a horrible grade photocopy of a DL will get anything you want done to your domain?
I just hope the other registrars have better methods and they figure out a painless way to transfer management of existing domains from one registrar to another. A method for the latter has not yet been universally agreed upon.
I decided to send an email to Network Solutions to get a written response. The answer I received brushed off the issue and handled it as a technical matter. I replied to this on 1/28/2000 and asked for a clear legal statement from the CEO or legal department of Network Solutions.
I have not heard a word yet. Maybe now?
The other problem I have with this article is the claim that use of SSL web updates implies better "security." Going back to dnspolicy.net as an example, their choice of registrar is dotster.com (this shouldn't be a surprise since it ended up the first alternative listed in the article). Does dotster.com allow dnspolicy to directly do a security audit of dotster.com? Will dotster.com sign-off on allowing dnspolicy to have a third party of dnspolicy's choosing do a security audit of dotster.com? Will dotster even sign-off on doing a port scan of their machines? It seems to me if you haven't been able to do a security audit in search of methods that the machine accomplishing SSL decryption doesn't provide for a known method of compromised access then how can anyone really claim that the offering of SSL decryption really provides better security? There is no claim on Dotster's website that security is a primary concern. The website provides no list of third-parties that have been able to audit Dotster's services for buffer overflows or other forms of exploits. This article just seems more interested in pushing the myth that as more Internet services make use of SSL that the ability to compromise and alter data will become impossible. SSL is only designed to be a "secure" **transport**, just like an armored car. A complete evaluation of security should include looking at the bank vault. The goods don't remain secure if the armored truck dumps them into a bank vault of swiss cheese.
If you don't want to deal with Network Solutions, check out DomainMonger.com. $17 for a domain, and administration is all web-based. (Just make sure you keep your login and password secure).
This guy is almost certainly a day trader planting ideas. What a wretch.
I know this isn't the "right" way to go about it, but it is easy to fake the system out. Just fill out the form and save it. Then use Sendmail to send it out with a "From:" address of whoever is the listed technical contact and a reply-to: of a working mail address. As long as it appears to have come "From:" the tech. contact they won't question it. I'm not sure on the legality of this but so long as you are still the Billing contact I don't see a problem :-)
How embarrassing for MCI. It must have really hurt their pride.
I've had really good luck with Dotster. They email you an invoice immediately, and it contains everything you need to know. I've emailed them several times and have always gotten a response back within a couple of hours. Sometimes within minutes. I'm completely happy with their service and I don't think I'll switch. The problem I've had with the outfits using open srs is that they seem to be small time players trying to make a quick buck, and their service isn't up to par with some of the accredited registrars. I'd have to rate dotster number one and register.com a close second.
No soup for you!
Also, if you're going to steal the /. trollmastah account, at least try to post something of relevance and not a quick copy/paste of a bugtraq posting. True it was a troll in essence, but please get your own account.
The real,
Trollmastah Without the period at the end of the name.
If you use a 3rd party provider, can't someone still send an email to NS and hijack your domain?
PGP gets updated occasionally, so if you're on one version then NSI goes to another version you are out of luck, often it's the other way around, you upgrade and they don't. Crypt PW or mail from is the way to go. Crypt works very consistently, and regardless of what people say, mail-from is very secure. It is hard to mock an email address, unless you have admin access to that particular server with the SOA records.
I've been using PGP authentication for all of the domains I am the technical contact for.
One day I sent in a request which I forgot to sign (I mailed the plaintext, rather than the signed copy).
The changes went through anyway.
I was tasked with setting up a simple Linux web/mail/etc server for a local store. They were moving from one ISP who was hosting their web page to another where they wanted to host it with their new DSL. Simple enough. I send the required emails to NSI to move their name servers to the new DSL ISP.
Then, the DSL ISP decides they'll take their own sweet time updating their name servers with my client's domains. After like a week they start getting pissy with me, so I take things into my own hands. I set up Bind on the DSL box, and register whatever.com as a name server at NSI. Send in another form to change the primary name server for whatever.com to whatever.com. And it all worked. The only catch was that if the line goes down, things would revert to the secondary name server with the DSL ISP and fail because they are lazy asses.
Eventually that ISP got on the ball and made the additions to their name servers. By this time they did a whois check and found their DSL IP address as the primary name server. They called and got pissy with me, saying it couldn't be done. They say only "true" name servers can register with NSI as a name server. Not wanting to get them yanked from the ISP, I switched it back to the ISP's name server and all is good now.
So, you domain experts out there, tell me this. Why was this guy assuming only "true" name servers could register as a name server at NSI? Is NSI supposed to have some other authentication for adding a new name server? Just simply filling out the form to register a new one was all it took for me.
Plus I was thinking, if I and a friend set up a name server, couldn't we each be one of the name servers for each other's domains? (This DSL ISP uses static IP addresses.) Assuming it can be pulled off without the ISP noticing, we would have our own domains and not be subjected to the ISP's ridiculous business fees, web page hosting fees, etc. Mind you I'm not wanting to have a bandwidth hog like another Slashdot or anything big, but a simple personal web page but mostly my own vanity email@myname.com (or something).
CowboyNeal confirmed this last night. While NSI gets its shit together, Hypermart has been gracious enough to host slashdot's DNS.
This uses M$ Outlook Express (since Eudora won't let me do it however, I assume pine/elm/whatever would if it allows header edits).
Domain to hack: fredsbank.com
Go to NSI and fill out the form (if you're incapable of doing it the old way (by hand)) and have it emailed to "hax0r@whatever.dom".
Then in OE, set the "from" address to whatever the admin/tech contact "mail from" address is.
This is the hack, set the reply to address as "hax0r@whatever.dom".
Now send this baby off. Granted, the contact that you didn't use will be notified however, the changes will go through.
Now you've just hijacked fredsbank.com. Simple.
rodent...
rodent...
Tactical nuclear weapons are a viable alternative!
on purpose, because it is really a pain in the ass to change an entry. It takes days until a mail is processed, only to see that the request could not be processed for some reason. In order to actually change something, a month can easily pass - if you cannot plan a server migration a long time in advance, you are in real trouble.
This sluggish service also prevents people from switching - so there is maybe some wacky business strategy behind that (which only worked in the first place due to the monopoly they had for years; I would never register a new domain there now).
Forget about MAIL-FROM. I have a letter with confirmation from Netsol, that has another letter, from another person (with CRYPT-PW scheme), chained to my letter by Netsol. They just sent me a confirmation "this is the letter you've sent us" and got another person's letter in along with mine. With password, name, ID, everything. If I wanted, I just could go and take over this innocent person's handle and wreak havoc. I wonder how many letters of others *my* information got chained to...
And you have nothing to do - Netsol still controls the process, and the cost of moving is too high. And nobody there seems to care.
-- Si hoc legere scis nimium eruditionis habes.
A little over a year ago somebody did try and hijack a domain for a game I help code. Fortunately we caught it before it was hijacked but if email hadn't happened to be checked at the appropriate time we would've lost it. We're not absolutely sure who did it but the evidence did narrow the suspects down. Unfortunately there was little that could actually be done over it.
As a side note Network Solutions should automatically flag rather radical requests. In this case every field other than the billing field was changed.
A week after I registered "magincia.org" for an Ultima Online guild page, MCI called me asking if Mr. Xiaofei (my character name) was interested in their business solutions.
"Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao
This is a typical example of slashdot being months behind the rest of the informed internet... it's gotten to the point where slashdot would only be providing me useful information if i took a time machine a few months into the future and read today's news.
Blah. I'm sure this will get moderated down, but seriously slashdot people... try to stay somewhat recent. Month old bugtraq discussions != good current news.
~spot
"and no, im not the spot working for Transmeta, although i wish i was..." -- ~spot "i'm the epitome of public enemy..."
For those of you who might be interested.
There has been a discussion about this issue on Bugtraq in January 2000. Read it from www2.merton.ox.ac.uk/~security/bugtraq-200001/0148.html
Anyone take a look at the slashdot.org whois lately? Sure looks hijacked to me...
Registrant:
Andover.net (SLASHDOT5-DOM)
50 Nagog Park
Acton, MA 01720
Domain Name: SLASHDOT.ORG
Administrative Contact:
Malda, Rob (RM7054) slashdot121@HOTMAIL.COM
616-994-0441
Technical Contact, Zone Contact:
DNS Administrator - HyperMart (DA3706-ORG) dns-admin@HYPERMART.NET
206.447.1595
Fax- - 206.447.1625
Billing Contact:
Malda, Rob (RM7054) slashdot121@HOTMAIL.COM
616-994-0441
Record last updated on 07-Feb-2000.
Record created on 01-Feb-2000.
Database last updated on 8-Feb-2000 14:38:52 EST.
Domain servers in listed order:
NS1.HYPERMART.NET 206.253.222.65
NS2.HYPERMART.NET 206.253.222.66
in a quasi-digital-everything-online-and-automated world, it's freaking ANNOYING to have to go thru the painful process of doing ANYTHING with Network Solutions.. is it too hard for them to make things a little bit more intuitive and easier for everyone???
So anyway, I bought a couple of domains thru Register.com, and I have to say that I'm extremely impressed with their service.. and unlike Netsol, everything (dns, user info, blah blah this and that) is done without sending emails all over the place.
my only quirk is that they make transferring registrars a lengthy, somewhat legal and troublesome process.. but that will probably change..
~mc
what the hell is it with ISP's not answering e-mail anyway?!?!? i have that very same problem with my ISP. isn't that the BUSINESS they are in? cripes.
-
--bc
-----------------------------------------
the amazing bc
latin/funk flugelhorn & trumpet
webnaut, music junkie, sysadmin from hell
the amazing bc
just another guy doing IT
webnaut, music junkie, holes-in-head
At this point I have registered two domains through NSI/internic and two domains through register.com. It is the difference between night and day.
Now that the Internic database has been opened up (by federal order) I have transferred one domain's registrar from NSI to register.com, which took some hoop-jumping but it was worth it. (I believe the hoops were mandated by the NSI in their agreement with the feds to open up the registry process). I had to sign some papers in front of a notary at my credit union, which took ~10 minutes of my time. A week later, the domain is AWAY from NSI's sticky fingers.
Actually, register.com made a mistake, and typed in my credit card number incorrectly. When I called their 800 number, I spoke to a human in three minutes, she apologized for their error, and fixed it in another three minutes.
I will be changing the one remaining domain to register.com shortly.
The funniest thing is I've been getting ads from NSI for discounted registration. Ha. They want me to register for ten years. Ha ha.
--
HOWTO get better dates on slashdot
hm... There's always nsi--sucks.com or nsibites.com or I-hate-nsi.com.
--
HOWTO get better dates on slashdot
NSI/internic's stock is through the roof- $258 per share and the company is worth nearly 9 billion dollars.
This is going to change eventually when investors realize any company with a brain is transferring their domains away from Internic. Want to assist in this process?
A proposal:
register NSIsucks.com; write HOWTO instructions for switching to any of the other registrars; put up a signup page for people who have transferred their domains; put up a press area for when the business press comes to visit.
Publicize nsisucks.com in tech and ISP media (letters to the editor, press releases). When we get enough buzz there (because they already know the truth about NSI) notify the business press that we have 100,000 former NSI customers who have switched to other registrars.
Watch NSI's stock tank.
--
HOWTO get better dates on slashdot
When you fill out the web forms and choose CRYPTO-PW it will encrypt your password using crypt() with your password as the salt!!! ARRGGH
For those not in the know, the salt is the first two chars of the encrypted password. So, the first two chars of your encrypted password are actually the first two chars of your unencrypted password.
What morons.
"Now, I hope and pray that I will, but, today I am still just a bill"
Now I hope and pray that I will But today I am still, just a bill
ok, someone hijack my domain (semisphere.org)
:)
I won't be angry - as long as you give it back
If anyone wants to steal my domain.... FOR THE LOVE OF GOD, PLEASE TAKE IT! I NEED SLEEP! I NEED TO DO HOMEWORK! COLLEGE SUCKS!
PLEASE, RELIEVE ME FROM MY DUTIES AND STEAL MY DOMAIN!
Domain registration should not take 14 days, it should take about 14 minutes at most....
When I buy Domains, they appear in the Corenic Whois database within minutes (3-5 at most). Remember, Corenic is who calls the game these days.
Of course the nameservers only get restarted once a day, but as soon as the Domain is in the Corenic DB, you ought to be safe.
At any rate, only third world country registries take 14 days... or more.
I am still waiting for my .mg domain name. ;) :-(
I have been TOTALLY satisfied with joker.com as well. I can make all changes to any domain I have registered with them online via SSL. Is it so hard for NSI to use SSL? They even have a really intense ownership change method in place. I just met with one of my business partners last night to sign a form that had to be snailmailed to them to change ownership of one of my domains. They also charge a 26 dollar processing fee to do so. So even if someone somehow got my password for my joker.com forms, they couldn't change ownership fully. I really like these guys and I've already registered 6 domains with them.
;> )
YATFASC (Yet another testimony from a satisfied customer)
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
One of my old domains had old contact info for me, old address, old e-mail address at an ISP I no longer had an account at.. yet I was able to change my info with no verification whatsoever. While it was nice to be able to do so, it was also seriously disturbing that no sort of check was in place. :\
BilldaCat
This problem has been discussed a fair bit in bugtraq. The consensus was that DNS wasn't really secure using the crypt and signed message may help to prevent this but in general were not that great since netsol sometimes ignores crypt-pw and their pgp signed mail thing is often broken. Essentially if someone can forge their header so that it looks like it's coming from the technical contact, it will probably go through.
"When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
I'm sorry in advance if you're the guy who posted this to bugtraq. But the exact same message appeared with the domain names changed about 3 weeks ago in bugtraq. Next time be a little more creative.
"When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
To make a change as the registrant, you'll need to fax them a letter on company letterhead, signed by someone with authority for the company (e.g. "President"). If the registrant name is the domain name itself, make up a letterhead on your word processor for it and sign yourself with the title "Owner." If the domain is registered to your personal name, you need to fax them your driver's license along with the letter as proof of your ID and signature (make an enlarged photocopy)
Two very important points:
- First phone NSI and have the customer service (?) rep tell you exactly what the letter needs to contain and follow this to a T.
- On that same phone call, you need to insist that this is an emergency until the rep gives you a fax number that you can use to send it personally to that rep.
Using NSI's regular fax number will take up to a week for work to be started. By faxing it to the rep's attention, it should be done on the next business day. BUT when I had to do this, I set my fax to retry indefinitely and it took five hours to get through to this fax number. You should also allow an hour or two for the phone call to NSI.
<sig>Guvf vf abg n frperg zrffntr
I recently had my domain yanked due to
the old server he was on the hacker
was able to fake a registration request
and I didn't catch it until after the
weekend..
So I call up NSI (after hunting down their
phone number which they absolutely HATE
to give you) and explained the situation.
After sitting on hold long enough to save up
enough money to put the children I don't even
have yet through college, they answer with
their "1st Level" support which is no support
what-so-ever. They can't make changes, they
can't look up half the info you need, it's
sad.. So I got transferred to their "2nd Level"
support where they said that I would have to
send on company letterhead (like that
couldn't be forged easily enough) stating the
change was wrong. They didn't mention that I
should tell them what it should be changed TO
I put that in the letter just to make sure,
but of course I didn't stick the name servers
in, so that didn't get changed until day 4 of
this nonsense.. (Yah, 4 days to fix this)
After that monday, I waited until the 5pm
update, where it of course... Didn't go through.
I called the next day and asked why
they of course couldn't tell me, but I
figured it out on my own.
It seems that all the
second level support can do is put in
a request for a change, just like you the
domain owner... However the hackers over the
past few days changed the request to different
nameservers every night.. The second level
support put in the request first, then the
hackers did.. And the hacker request overwrote
the original request. I had to explain this
to NSI about 3 times before they understood
the concept, and said they would put through
the request shortly before 5 to try and beat
the hackers to the punch.
So the change goes through however,
because I didn't stick our nameservers through
on the company letterhead, they simply changed
the NIC handles. So the domain was once again
owned by us, however, the nameservice was still
wrong. This is day three now.
I call them up and scream, and they say we should
just put through another request.
Which I did, which of course didn't take place
until that evening, giving a number of caching
nameserver the time to take the new domain
info with the wrong nameservers.. Thus
losing our domain on their nameservers
completely..
My quick guide to dealing with NSI:
1- Don't.. Find the alternative registrars..
For example, OPENSRS through Tucows is an
excellent service, however a wee-bit new.. But
just find one of their domain resellers,
you can get domains for $10 a year.
2- Accountability - GET NAMES.. The more names
you have after dealing with them, the more
people you can point out as being retards to the
management, however, seeing as this is a
company wide problem that doesn't do much good,
head to step 1 to fix it.
3 - Use Encryption on your domains. Either with
the encrypt password on your contact
info (which is retroactive through all other
domains you control with that NIC then)
or the PGP method. Crypt password beats the
MAIL-FROM which is just pathetic hands down.
4 - Don't bother with anything other than 2nd
level help
2ND LEVEL HELP AT NSI: 1-703-925-6950 (Notice
the awesome NON-use of an 800 number)
I hope this helps ease the plight of NSI victims.
If there is a higher power they will be
forced out of the market by the other registrars.
What is sad is that it is people with that mentality who are the most likely to get victimized. Just like several large ISPs did over the holidays.
Yes, I am starting a domain registration service. However it is NOT online now, and it will be at least 60 days until it is. However, I have been involved in Domain-policy forums for over 4 years now, and indeed founded an organization for domain name holders, and am in the process of starting a second organization that will raise defense funds to help domain name holders defend their rights.
So I suggest you yourself look at the facts before you start criticizing people without the facts. Your own message shows you did not take the time to even READ the substance of the article. If you would like an email address for someone at NSI who works with the guardian system to verify that my description of the process is accurate, feel free to email me.
William X. Walsh
DNSPolicy.net
- Mail your request to NSI.
- NSI responds back with a random cookie number
- You respond to that mail, and NSI checks if the cookie is the same as they mailed out.
Don't ask me why they aren't using it...Just like the title says...
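The three-step cookie exchange described above, set beside a MAIL-FROM style check, as an added example that is not part of the original comment and not NSI's actual system. The class and function names, the contact address, the sample message and the one-hour expiry are assumptions.

```python
import hmac
import secrets
import time
from email import message_from_string
from email.utils import parseaddr

CONTACT = "admin@example.org"  # constructed contact address on file
COOKIE_TTL = 3600              # assumed validity window, in seconds

# Constructed message: its From: header merely claims the contact's address.
UNVERIFIED = """From: admin@example.org
To: hostmaster@registrar.example
Subject: MODIFY DOMAIN example.org

(constructed change template)
"""


def mail_from_ok(raw_message, contact=CONTACT):
    """MAIL-FROM style check: trusts whatever the From: header claims."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower() == contact.lower()


class CookieConfirmer:
    """Registrar side of the cookie exchange (hypothetical class)."""

    def __init__(self, ttl=COOKIE_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.pending = {}  # request_id -> (cookie, contact, expires_at)

    def open_request(self, request_id, contact):
        """Step 2: make a random cookie to mail to the contact on file."""
        cookie = secrets.token_urlsafe(16)
        self.pending[request_id] = (cookie, contact, self.clock() + self.ttl)
        return cookie  # sent only to `contact`, never back to the requester

    def confirm(self, request_id, returned_cookie):
        """Step 3: accept once, only if the cookie matches and is fresh."""
        # pop() makes the cookie single use; a wrong guess also cancels the
        # request, so the cookie cannot be brute-forced by repeated replies.
        entry = self.pending.pop(request_id, None)
        if entry is None:
            return False
        cookie, _contact, expires_at = entry
        if self.clock() > expires_at:
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(cookie.encode(), returned_cookie.encode())


def demo():
    """Run both checks over the constructed inputs and return the outcomes."""
    results = {"mail_from_accepts_unverified": mail_from_ok(UNVERIFIED)}
    reg = CookieConfirmer()
    reg.open_request("req-1", CONTACT)
    # A sender who never saw the contact's mailbox can only guess the cookie.
    results["cookie_accepts_guess"] = reg.confirm("req-1", "guess")
    cookie = reg.open_request("req-2", CONTACT)
    results["cookie_accepts_owner"] = reg.confirm("req-2", cookie)
    results["cookie_accepts_replay"] = reg.confirm("req-2", cookie)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cookie only proves that the sender can read the contact's mailbox, so it does not help once that mailbox itself has changed hands.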
/. about this. But apparently, news like this needs to be posted on another site before /. will carry it. Lame.
I received email from NS saying they were processing my changes. I scratched my head and said "what changes?". One minute later, they sent me email saying my changes had been confirmed.
The guy who stole my domain was trying to get money from me in exchange for control of the domain.
I sent an article into
I have discovered a truly remarkable proof which this margin is too small to contain.
Ever consider that (last I checked, which was a while ago), that since they get paid for domains, they create them very quickly. Since altering the record is a 'freebie', it costs them money to change it. Thus, they lose money from every record change, and what better way to save money than not doing it?
You describe something that's called "A stupid trol1mastah".
It can actually be done much simpler.
Create a phony "contact form"
telnet rs.internic.net 25
HELO something
MAIL FROM: trollmastah@trollmastah.com (the contacts emailaddress)
RCPT TO: hostmaster@internic.net
DATA
Copy-paste the phony contact form (or pipe or something)
.
QUIT
You now have mailed the phony contact form, from the right email.
No need to wait for hotmail account expiration. One advantage in using your method is that the real owner of the domain never sees an ack of the contact form change.
Sendy
-- You probably find my HTML-formatting and language usage ridiculous.
GNU guru and mainframe hacker
Comment removed based on user account deletion
I've been on both sides of the fence in this issue: I've had domain names stolen out from under (yes, we switched to CRYPT-PW right quick) us using a fake email address.
... NONE of the email addresses are valid, and forging them hasn't worked yet either.
I also am having trouble with a client's domain that is registered to a provider that no longer exists
Just like most things, it works wrong when life's good, and works even worse when life's bad.
I registered my domain with TotalNIC and it was fast and easy, $35. Of course, I haven't had to change any info with them yet.
Unfortunately, since my DSL provider charges $30 extra for hosting the name, I'm going to have to take the route followed by an earlier poster and figure out my own DNS. Fortunately, I have an old IIci I can use as a firewall/DNS box while the SE/30 serves the site. (Yes, I am insane.)
I use Macs for work, Linux for education, and Windows for cardplaying.
Good article. What worries me is this. The article recommends transferring your registration to some other registrar, but isn't that error prone as well? Didn't I read recently about someone losing a domain in a botched attempt to transfer it? Is there no safe harbor?
I have had to "hijack" Domains before because of my customers and their lack of internet prowess. Usually, what happens is that they canceled their old ISP account, where their Internic handle pointed, without updating their handle. I usually end up doing the same when editing their handle to reflect the correct information. So, I suppose, the real question is: How do we secure your domain name, but still allow for the stupidity of your average domain holder?
Ooops... But then, I did post that in the morning..
;-) I also forgot the part about feeding the servers crack, and testing if (1 == 0) { work_properly(one_nano_second); }
There's no satire-code lint checkbox on Slashdot, oh well
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
They're, well, interesting. We talked about the INS being pathetic, but these people take the cake. If they replaced the INS, you can be sure you'd get a "confirmation of request to enter the country and become a citizen" mail 4 weeks after you received your green card and moved to California.
/dev/dsp);
---
NSI domain management pseudo code:
if(new_email)
{
grab(new_email);
grab(mail_from_queue[random()]);
send(letter(confirmation));
if(email_changing_options)
{
send(letter(confirmation));
if(mail_security)
{
if(crypt)
crypt(password, password);
else if(mail_from)
for(i = 0; i < (255 * random()); i++)
send(letter(confirmation));
else if(pgp)
{
send(pgp_pubkey(random_recipients));
send(pgp_privkey(random_recipients));
}
}
}
if(cranky_servers)
{
transfer_domain(randomly);
send(letter(info_about_transfer));
}
play("/usr/share/sounds/maniacal_laughter.wav",
---
NSI -- the dot incompetent people.
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
A while back, an idiot sent in a few hundred fraudulent requests to transfer big-name domains to my ownership. None succeeded, except two: angelfire.com and excite.com. NSI fixed it instantly -- I never showed up as owner of excite.com publicly (although I did for angelfire). The shame is they REFUSED to do that for a friend of mine who had his domain stolen in the same manner... I guess they only help the multi-million dollar companies out. Not only that, after they fixed angelfire.com, the changes switched back a few times over the next few weeks (causing downtime at Angelfire, and also people pissed at spammers to call ME and bitch). Now I was extremely nice about everything -- I didn't want to profit or gain off of this, that wouldn't be right... but imagine if I did? There was a Wired news article about it, you can check it out here.
I would be interested to hear how many others had this experience. I registered two domains through Network Solutions. It clearly states all over their site and in the whois information that the information provided by me is not to be used by anyone for commercial purposes.
Wellll, I soon started receiving computer equipment catalogs addressed to "Jishywa Technologies Inc." which is the fake (hehe) company name I gave with my address for the registration. That form is the only place I ever put that name, so somebody is breaking the rules here...
Josh
NSI has been on a downward spiral since they got so huge. Sometimes they'll be really quick and sometimes they'll act like they never got your request.
I think that eventually NSI will phase out to 4-5 major different domain registrators.
lol, put a bit too much crack in your cereal this morning?
The bugtraq list talked about this about a month back. the original comment is here and most of the discussion on it is here
BofA just bought loans.com for $3,000,000. Wouldn't it suck if that got stolen :)
:)
Maybe I don't see something here but if the actual registration is held at Network Solutions then all that would have to be done is to have the owner contact the company and have it returned. Just hope they kept the receipt.
Slashdot social engineering at its finest
how secure is the slashdot domain name. If it isn't, I'd do something. There are a lot of trolls and worse things out there.
I think that it's fine. You see even if someone tried to steal it it would be found out quickly and all you would have to do is just call them up and say:
Hello this is Rob Malda from that little ol' slashdot.org site I would really appreciate it if you would fix the problem with our domain name. Seems like a group of Lebanese terrorists have taken it and are using it for their new web site.
Slashdot social engineering at its finest
Domain registration should not take 14 days, it should take about 14 minutes at most....
I thought that for domain registration under the typical regime of the NSI that it took 24-48 hours to process your request. Yeah sure possibly if you streamline the process and have more people doing it it would take 14 minutes. However, you have to consider that usually there is a line to get domains registered and that probably a human is entering in each and every one.
Take your income taxes as an example. In the US you have a tax form that could be processed by a machine in less than 10 minutes however because of the fact that a great many other people have taxes as well you have to wait and end up waiting for a long time.
Slashdot social engineering at its finest
A request-for-proposal I noticed on eLance.com is indicative of the unsavory taste I get in my mouth whenever discussing domain registrations.
I'm not sure whether there's sufficient information on WHOIS to perform this task meaningfully. This requestor may be making a new service to "remind" people that their domain is up for renewal, perhaps to offer a lower price on the renewal than their last registrar, but I have a feeling it's more to find names to scalp.
(Opportunistic domain thieves =anagram> and this viperous competition =anagram> a victim proposition, enthused.)
It's 11 o'clock - do you know where your domain name is?
Right now it's over in Washington on a VAX......ooops!... now it's in Texas on a UUNet server...uh oh, someone just tried to ping it, it's over at UC Berkeley now. Damn, it's all over the place. =)
Pablo Nevares, "the freshmaker".
What about the CRYPT-PW and PGP options? Are these no longer being used?
You bet I know where my domain is -- it's registered with Joker.com instead of that shady NSI outfit. $36 for two years and the knowledge that when I want changes made they actually get made in a reasonable time frame (*gasp*).
I know this sounds like spam, but people need to stop bitching about NSI and start taking their business elsewhere (now that we finally have alternatives).
it looks like it's fixed now, but yesterday the whois record showed slashdot's dns servers as 'ns1.hypermart.net' and 'ns2.hypermart.net' and the contact email was in hotmail.com. i guess that's why they decided to post this story, eh?
I know a lot of people who have had the same thing happen to them. It has happened to me. I don't know if it's just a coincidence or not but it makes you wonder.
how secure is the slashdot domain name. If it isn't, I'd do something. There are a lot of trolls and worse things out there.
treefrog.
Aye. Same here. Any chance you're using Telocity?
Now, if someone has a domain name they purchased and registered and a "hijacker" comes along and changes the registration info and DNS, that is a pain. But, when the original owner proves who they are, the new registration information points to the problem. Or, the new information is not functional and the domain was childishly vandalized. Either way, I don't see how you could truly take someone's domain.
Network Solutions (or for that matter, any registrar) should demand PGP/GPG signed emails before they do anything.
Is your internet identity subject to theft by malicious individuals at Network Solutions? Your domain could be taken away from you, without any warning, hijacked. This could be because your competitor, a derogatory site with atrocious content, wants to try and make people believe you are affiliated with...anything they choose. How badly can one malicious company hurt you through one simple act?
The answer would be eToys requesting Network Solutions to take etoy.com away. Network Solutions then claims they had a court order to do so, despite the fact that both etoy AND etoys claim otherwise and no such court order has been shown. The lawsuit is dropped by eToys, and Network Solutions still refuses to return the domain name. ICANN refuses to look into the matter, and a group of artists are still denied their site.
It doesn't take hackers to destroy your site where Network Solutions is involved. They'll do it themselves, just to make their larger clients happy.
This is agent JohnnyAngel at Toywar reminding you that you can no longer buy a vowel.
-----
No Zen is good zen
I didn't get one of my domains hijacked, but Network Solutions did something that would qualify as a security breach (using MAIL-FROM). When I got my DSL line, I had asked the provider to get my domain name transferred to their DNS servers. Four weeks after my DSL was installed, I called them about getting all of my domains transferred. They happened to mention that they had no record of the first one (The stupid DSL provider is another story....) They told me that they wouldn't accept several of my domain names into their DNS servers (I have a couple of domain names that end in the .cc and .cx TLD's) because they weren't registered through Network Solutions (their EXACT quote...) Anyway, I said 'Screw Them' and bought a couple of great DNS Books (DNS and Bind, & DNS on NT both from O'Reilly publishers...) and set up my own DNS servers. I'm now happily serving my own DNS. But now, my DSL provider apparently finds the original request for my .com domain because I get a form asking if I want to accept or deny the transfer. I didn't answer it, but I called the person listed as the technical contact on my domain. I told him that if he got the form to deny it. He did (he even CC'd me a copy of the form with a big old NO at the top). Guess what... Network Solutions transferred the technical contact to my DSL provider anyways...and screwed up my (and my wife's) e-mail in a serious way. The worst part of the whole damn thing is that my DSL provider has ignored all of the e-mails I've sent them and Network Solutions keeps sending me a message that says I need to send them a Domain Change form... I have e-mailed Network Solutions about 6 times now complaining about this, and they keep telling me that I need to submit a form, in spite of the fact that I keep telling them that I can not submit a form because the e-mail account for admin and billing are both screwed up BECAUSE of this stupid problem and that my DSL provider is ignoring me.
I think I'm going to get my best 'I'm PISSED' voice ready and actually call Network Solutions today, and I am DEFINITELY calling my DSL provider since they don't seem to answer e-mails... Codo
Thank you /. and dnspolicy.net for getting me off of my lazy butt. I crafted this letter and sent it to as many registrars as are listed at InterNIC. Here are the results, as they happen
I have never been too impressed with the way Network Solutions does their business, it's sloppy and "expensive".
Currently, we buy our domain names wholesale through Tucows/OpenSRS and then retail them to customers for $45 for two years. The nice thing is that all modifications and renewals are handled via a web interface instead of email templates and Mail-From authentication. Of course if someone found out your password and username I guess they could wreak havoc with your domain name, but even then, we control our clients' access so we could easily delete their ability to access and then create a new access account with a new username and password. It's all very nice, and trouble free. I'm very impressed so far with Tucows/OpenSRS's service and their setup.
I simply say, why pay Network Solutions for your domain registrations when they can be bought much less expensively somewhere else and the security is better.
Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com
Nathaniel P. Wilkerson
www.haidacarver.com
The public whois database is updated approximately once a day so it may have just been earlier in the day. Under the new distributed registrar system the registry has the real-time availability of any domain, not the whois. This is accessed via most registrars' web registration section. This sometimes goes down and makes it appear as if it is available. When this happened NSI would show a domain available, show it taken, and then show it available again.
I tried registering a Domain through my future Web Hosting company and received an email stating that they submitted the request. Two weeks came and went and then the holiday (Christmas and New Years) week. I tried to reach them during break (yeah right). When I went back to work the first Monday in January, the domain was pointing to someone else! So I called my hosting provider and they said they couldn't provide me any proof that they submitted my request. I checked whois and it somehow had merged my request with another request made by someone else two weeks after me. They were listed as registrar, but I was listed as admin and tech contact! WEIRD. The next day, the Domain started to resolve to my address, but Network (lack of) solutions wouldn't correct the information. However they said they wouldn't change my info to theirs either. I got two emails asking if I agree to change the info to the other company's info, and both times I said no. A week later it was all in their name however. I just want to yell that Network Solutions can lick the shovel that I hope some opensource upstart will use to bury their BS system.
e x p e c t d e l a y . c o m
We actually just lost a domain name... and for no apparent reason (in other words, we are still trying to figure out why)... We ordered our company name... 14 days later we discover that someone else has registered it in the mean time... :(
BofA just bought loans.com for $3,000,000. Wouldn't it suck if that got stolen :)
kwsNI
Either Network Solutions got even or my work is being pissy. Can someone send me a copy of this article??
An article at COTSE News points to the proof of Saturday night's RSA Security hack. While the hacker made it look like everyone should distrust RSA Security, the reality is that everyone should distrust NSI. Is all of NSI sleeping in a cave? This information has been out in the media for some time now, and still people are able to exploit them. Something needs to be done...and NOW.
Here's a more interesting question, bear with me a bit on this one. Who is this WilliamX guy anyway? His name certainly doesn't ring a bell like certain other 'net figures. Didn't your mammies teach you not to believe everything you read?
An individual, with a handle of WilliamX posted the article we are discussing in this thread on dnspolicy.net, attempting to discredit NSI. Run a whois on dnspolicy.net...Pay close attention to the registrant. Also, if you look carefully at his handle on the dnspolicy.net posting, his email is @wxsoft.com. Let me see...What business do you think wxsoft.com is in? Well, one of their services is domain registration. No hidden agenda there, well, not once you look a half inch below the surface.
cat
This actually happened to a company that I used to work for (a huge financial services institution.) One of the employee-related internet sites we had set up somehow got directed to a large pornographic site chock full of links to other pornographic sites. Needless to say this did not sit well with the conservative bankers, and to compound matters it took days to get the problem resolved. On the plus side, though, it was the one and only opportunity we as employees ever had to surf the net for porn without fear of repercussions ("hey, I was just checking out the new company site, was all....")
Been there. Believe me, it's extremely irritating, especially since when they fix it you still have to wait a while before all the nameservers have gotten the corrected version.
WHUTS W1TH THU NAMEZ?!?! USE THU K-K00L NUMBURS!!! KAN 1 GET 1T BY THU NUMBURS?!??
N0 1 TAKEZ THU K-K00L 255 0NEZ. I WANT B1FFD00D!1!
I WANT 177.255.208.13!
I LEFT MY CELL FONE IN PRISON! KAN U HELP???
Hi,
here in Lithuania (eastern Europe) we had a case of a stolen domain a few days ago (last Thursday).
I mean Vladas Palubinskas created the site Lithuania on Line five years ago; it was a very valuable resource on Lithuania and Lithuanian sites and it had as much as 3000 hits a day lately...
Lithuanian company Skaitmenines Komunikacijos offered to buy the domain name online.lt for him and pay for it as well (as they saw this as a valuable advertisement).
Vladas Palubinskas agreed. He worked on the site Lithuania on Line, updated it on a daily basis for five years...
A month ago Skaitmenines Komunikacijos was acquired by Microlink... and Microlink offered some money for the domain name online.lt to Palubinskas, but he rejected the offer, and then Microlink just redirected online.lt to delfi.lt (their own portal...)
Though everything is legal (Skaitmenines Komunikacijos has bought and paid taxes for the domain name) it was a very unethical move on the part of Microlink, and most Lithuanians consider this as stealing...
Links:
New Lithuania on Line domain
Old Lithuania on line domain (currently redirected to delfi.lt)
Delfi portal (by Microlink)
There is a reason why you don't want to use a hotmail account as your primary email address for a domain. Not that hotmail can be hacked, but for the sheer fact that it is very easy to take a domain this way. Here's what happened to me. I will leave my domain out of this, in its place I will use trollmastah.com (mine) and trol1mastah.com (theirs).
Basically.. the owner of trol1mastah.com used hotmail as their primary email contact with this domain. Well a visitor of my site, who dislikes www.trol1mastah.com, decided to keep track of the hotmail account of the owner of trol1mastah.com. Well Microsoft has a 60 day (I believe) non-usage expire date on all hotmail accounts.. so when the expiration date happens, the account is deleted. Well this person tried to register the same email address every day for (as I found out) almost a year until the same email address came free. Then they just signed up for the same exact email address.
It worked. And then all this person did was change the contact information to myself, and then *POOF* I owned both www.trollmastah.com and www.trol1mastah.com .. and of course I set up DNS to point to my page ... and well, the rest is a part of media history forever.
This is why SECURITY (and a brain) is needed when registering domains, so that something (as stupid) like this can't happen.
.
Trollmastah
Take all good things in moderation, including moderation.
A few months ago, I looked up a domain name on NSI's whois site one night and it was available. The next day, I asked my ISP to buy it. A reply came back a day or two later that it had been taken by someone else, through another registrar, between the time we looked it up and the time we applied. Coincidence? Or was someone snooping? Not sure. But the next time I needed a domain name, I looked it up during the day and bought it immediately.