Slashdot Mirror

← Back to Stories (view on slashdot.org)

UPDATED: OpenSSH Domain Name Controversy

Posted by ryuzaki0 on from the domain-squatting dept.

Bowie J. Poag was one of the folks who wrote to us about the domain name controversy regarding OpenSSH. (I've included the full letter below). They're in the interesting situation of /having/ to be a .com, because a squatter has taken the openssh.org domain name. Read the letter below - it's a stickier situation than the other squatting issues we've talked about. Update: 03/07 04:58 by E : Alex de Joode has written his own response here. I hope this can be resolved amicably.

Please be advised that OpenSSH.ORG is NOT the official domain name for OpenSSH development. The name was taken by a someone not affiliated with the OpenSSH development team when news of OpenSSH was first leaked to the community. The correct Web and e-mail address for the OpenSSH development effort is OpenSSH.COM instead of .ORG.

The OpenSSH developers wanted to register under the .ORG top level domain, traditionally meant for non-profit organisations such as OpenSSH, but the name had already been taken. They settled for the .COM in the interim.

The .ORG name is currently held by Mr. Alex de Joode <adejoode@zedz.net>, a proponent of open source cryptography who runs his own free crypto portal hosted by xs4all.nl, a well-known and respected Dutch ISP. Mr. de Joode has repeatedly refused requests to sell or turn the .ORG name over to the OpenSSH developers. This leaves us no choice but to issue this advisory.

The OpenSSH.ORG Web site currently is a blank page with a link to the official site. Please do not visit the .ORG site, nor send e-mail to anybody at the .ORG address. This is more than just a request to boycott: there could be privacy issues, possibly data mining or building a mailing list of security conscious users. We simply don't know Mr. de Joode's motives, and we recommend caution.

Any help or suggestions in breaking the deadlock are appreciated.

Regards

For the OpenSSH developers, Louis Bertrand <louis@openbsd.org>

14 of 364 comments (clear)

  1. openssh.org owned by replay/zedz.net by bbk · · Score: 4

    The guy who registered openssh.org runs the zedz.net site, which hosts the replay redhat crypto archives (good place to get .rpms of security software). They used to be at replay.com before replaytv bought the domain from them.

    The Zedz guys seem to be pretty good people as far as free software goes. Makes you wonder what they plan to do with the domain, and why they set it up as a forwarder to openssh.com

    This reminds me of the whole LinuxHQ/Kernelnotes.org fiasco...

  2. You mixed up your dates.. by Inoshiro · · Score: 4


    $ whois openssh.com@whois.corenic.net
    Record created: 1999-10-25 08:44:41 MET by CORE-80

    $ whois openssh.net@whois.networksolutions.com
    Record created on 16-Nov-1999.

    $ whois openssh.org@whois.networksolutions.com
    Record created on 04-Nov-1999.

    So it was
    1) OpenSSH.ORG by our friend in Europe (04-11-1999)
    2) OpenSSH.NET 12 days later by the OpenBSD people (16-11-19996)
    3) OpenSSH.COM a further 9 days later (25-11-1999)

    I don't understand why they don't just use .net. They (OpenSSH project) did register it before the one in the COM TLD. Sigh.
    ---

    --
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  3. Is it *really* that important? by smoondog · · Score: 4

    Ok, so some jerk has taken a name that really shouldn't be his. This would be a non-problem if nobody cared. I'm just not sure that being a *.com, *.org or a *.net really means much anymore. /. is under a publicly traded company (andover.net), is that necessarily the right place for a *.org? (see nobody really cares...) I think Openssh is just fine as a .com and I don't think it to be a big deal. Why not be openssh.net? That seems appropriate, too. If you are really doing great stuff for a .org domain name, people will know, whether or not it is a .org or a .com


    -- Moondog

  4. Jesus, Now slashdot is attacking their own! by cruise · · Score: 4

    Well this sure tops the cake. Now Slashdot is bullying OpenSource ADVOCATES!

    Domain Names are first come first serve. I hardly see how an OpenSource advocate who registers a domain name in the org top level to be a squatter when he is using it for related purposes (or any purposes.. he paid for it, he was there first, He took the initative that the SSH group did not.) Big deal! They were caught sleeping.. they loose.

    Like it or not (I don't much like it anymore) Slashdot has some power over this OpenSource comunity and this is a clear abuse of that power. The poor guy's web page is being flooded, his email box is being flooded with lamer flames and Slashdot is directly responsible by posting this story.

    You've twisted the SSH announcemnt to incite anger among your members, You're using your members as a tool for your own personal attack on a person who was well within their rights to register a domain he felt he could use for his benefit.

    Some animals are more equal than others?

    PIGS

    Today will be the last day I participate in this madness which is called Slashdot. Today is also the day that I buy that Dell computer instead of a VA Linux system.


    They are a threat to free speech and must be silenced! - Andrea Chen

    --


    Fish! LipHo
  5. a slight bit of interest by karmatrip · · Score: 4

    strange. look what whois turned up:

    Registrant:
    Open SSH Project (OPENSSH2-DOM)
    Zaanstraat 250
    AMSTERDAM, NL-1013 RZ
    NL

    Domain Name: OPENSSH.ORG

    Odd.and the page is simply a link. Looks like this guy registered the domain name for the project. We need some more information on what this guy is doing before an honest opinion could be made.

    --
    ---- Sig? What sig? Who needs one, anyway?
  6. A Proper Analysis of OpenSSH's proposed boycott by whoop · · Score: 5

    Well, this is a refreshing way to look at the Free Software community. Get that knee-jerk reaction we are so known for, and put it to your use. Now, I'd like to look at Mr. Bertrand's letter.

    The name was taken by a someone not affiliated with the OpenSSH development team when news of OpenSSH was first leaked to the community.

    Hmm, "when news of OpenSSH was first leaked." Let's look at those seven words, shall we? When was this news leaked?

    Performing a search on this here web site (Slashdot for those not in the know) for "openssh" yieds two results. This very article, and one from November 18, 1999, entitled, "OpenSSH Project Now at openssh.com."

    Next I moved to LinuxTod ay.com. They have articles for everything under the sun. Their first article mentioning OpenSSH is one at Security Portal dated October 27, 1999.

    I search Google (both plain Google and the Linux subsearch), and they have never heard of openssh.

    Finally, I visted the very site for this project, openssh.com. Looking for an "about this project" sort of link, I clicked on the Project Goals link right up at the top of the left column of links. What's that it says at the very bottom? "OpenBSD: goals.html,v 1.4 1999/11/17 14:14:15 provos Exp $" That looks much like a cvs (or related) entry. That date is November 11, 1999. I also visited the link to the devel mail list archives, and the earliest date there is November 16, 1999.

    Looking at all these, I'd guess their formal announcement was around November 17. But the "leak" award goes to Security Portal on October 27, 1999. I'm sure they got their information from somewhere else, but I'm tired of searching. :) Back on track, when did openssh.org register it's domain? Whois gives me the date of November 4, 1999. I count eight days from that "leak." That's not an extremely brief time, but it is before their formal announcement.

    Back to the letter, Mr. Bertrand says, "The OpenSSH developers wanted to register under the .ORG top level domain,[...] but the name had already been taken. They settled for the .COM in the interim."

    Ok. Well that sure sounds unfortunate. Let's take a look at when they registered openssh.com, shall we? Returning to my favorite domain searching services, whois, it yields October 25, 1999, as the date the record was created. What's this, I see? That looks a lot like a date before the openssh.org was registered. It's even two days before the slight mention by Security Portal. So, they "settled" on the COM top level domain ten days before the ORG one was "taken by a someone not affiliated with the OpenSSH development team." Uh huh, sure thing buddy.

    Next Mr. Burtrand discusses the owner of openssh.org, "Mr. de Joode has repeatedly refused requests to sell or turn the .ORG name over to the OpenSSH developers.

    Since when must anyone turn over a domain to anyone who asks for it? In my book, domain names are a first-come, first-served service. The OpenSSH group had plenty of time to register any domains they wanted. What if the real SSH group wants the openssh.com domain? Would you, Mr. Bertrand, be so giving and just surrender it?

    Now comes the discussion of openssh.org's web site, "The OpenSSH.ORG web site currently is a blank page with a link to the official site."

    Ok, this is somewhat true. Going to openssh.org, you are presented with a link to www.openssh.org. But Mr. Bertrand, did you really stop reading there and not see a few blank lines below (9 lines if you telnetted to port 80)? From openssh.org's page I quote, "For information about OpenBSD' OpenSSH implementation please goto..." and they link to the OpenSSH group's web site, openssh.com. This ommission is purely ridiculous, Mr. Bertrand.

    Finally, Mr. Bertrand pushes one of the hottest buttons in the community, privacy. "This is more than just a request to boycott: there could be privacy issues, possibly data mining or building a mailing list of security conscious users. We simply don't know Mr. de Joode's motives, and we recommend caution." Hmm, a very strong accusation. None of us like being spammed, tracked where we go, etc. So, I asked myself, "What data mining is openssh.org doing?"

    Let's take a gander at the HTML source code. This site is afterally a mere two pages. There could be some JavaScript performing some hidden actions users won't see when just using Netscape (or other JavaScript enabled browsers). And there it is, plain HTML. What?! No fancy, shmancy Netscape Composer, FrontPage or other editor META tags? No META tags at all to con search engines to pointing to them instead of openssh.com. I find it refreshing that someone else codes HTML in plain, simple HTML. But I see nothing hidden here.

    Ok, but I have my Netscape set to just accept all cookies. I could have been slipped one of those and now they have access to my whole hard drive, right (I'm kidding, of course)? Let's give the Netscape cookies file a good grepping, shall we?

    316-1 Mon/11:55pm ~> grep -i ssh .netscape/cookies
    317-1 Mon/11:56pm ~>

    Hmm, exactly zero references to anything SSH related. I still haven't found any maliciousness. What about the "building a mailing list" bit? I've seen many sites with "Click here to receive our free newsletter" sort of links. No doubt many of them then give out your email address to every spammer in the universe. Is there any similar line in these web pages? Not that I can see, the bottom of the second page does contain a simple "For more information about freessh.org, please contact:" mailto link. I haven't sent an email to that address yet, so I can't say if it's a secret email net. But since I'm sending this analysis to Mr. Bertrand, I'll send one to that address as well with a brand new email address. If I get spammed there, I'll know who's to blame. If openssh.org really is using this link to catch people for a spam list, I must sahe's doing a poor job of it. At least claim you can get free porn if you send an email. ;)

    In closing, as Mr. Bertrand says "Any help or suggestions in breaking the deadlock are appreciated.", so I say, Mr. Bertrand, I sincerely hope you recosider your position, because well, it has no leg to stand on. A) You registered the .COM ten days prior to Mr. de Joode registered the .ORG one. That is a right-out lie, never a good thing to have right out the starting gate. I will ask, how do you base your allegation of data mining and mail list gathering? If it is also a lie, that's doubly bad. B) Openssh.org is not using the domain for squatting (there isn't a "Pay $10,000US if you want this domain" message like we've all seen so many times). It is about free SSH programs, perfectly reasonable and on target. C) Mr. de Joode provides links on both of it's web pages to openssh.com. Any users looking for it will easily see that and go to the appropriate web site.

    If a reasonable agreement between these two parties is made, that's great, but to seek out the outrage of the free software communities by deceiving them like this is not the way to go about it. I sincerely hope you reconsider your position Mr. Bertrand.

    Thank you.
    John Corey

    Copies sent to both Mr. Bertrand and Mr. de Joode.

  7. Whois the two. by whoop · · Score: 5

    Has anyone besides me done a whois on the two domains? There was one bit in there that confuses me.

    openssh.com: "Record created: 1999-10-25 08:44:41 MET by CORE-80"
    openssh.org: "Record created on 04-Nov-1999."

    So, I'm no domain expert, only have one myself. But I think, correct me if I'm wrong, that the OpenSSH group registered the .com a good 10 days before this fellow registered the same .org. Was this a clerical error? Did some secretary fall on the job and not register both? Were walnuts involved in this incident?

    This does sound like whining, and though it's nice to see a project like this hq'ed here in the Peoria, IL area, I will have to give my vote to the .org in this matter. They are giving links to free ssh products, even if it is a simple site with no graphics/javascript/bannerads/porn/buy-this-domain -for-$10,000US ad. Domains are a game of first come, first served. They had a ten day lead and fell asleep. That isn't reason enough to come whining to this fine community.

  8. You have to wonder by N8F8 · · Score: 5

    In this case at least, some of the blame lies with the OpenSSH project noy claiming the domain before announcing their project. I mean really, what does it cost? A whopping $15/yr to register?

    Whats even worse is that this story posted on Slashdot could be interpreted as a veiled threat. Not cool. I'm all for OpenSource but this subtle bullying is BS in my book.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
  9. Yawn by Shoeboy · · Score: 5

    Situation: Some guy has registered openssh.org and is pointing to the groups real site. He won't sell or give it away and he doesn't appear to be using it.

    Conclusion: WE MUST BOYCOTT!!! He might be doing something awful!!!

    Am I the only one who doesn't understand this response? I think the motives of OpenSSH.com in posting this warning are every bit as strange and unfathomable as Mr. de Joode's in grabbing the site.
    (Sorry for injecting a touch of sanity into a /. discussion, I won't ever do it again.)
    --Shoeboy

  10. Looks like de Joode's trying to make a point. by Shoeboy · · Score: 5

    Check out the site. Looks like Mr. de Joode just wants to make sure that freessh.org and other free (beer) ssh projects are easy to find as well. Maybe a bit unfair to be claim jumping the domain, but it's hardly evil. Odd how the warning never mentioned that he was advertising competing projects. I guess the openssh guys wanted to hide that fact. (Which is probably why they say "Don't visit, he's tracking you!")
    --Shoeboy

  11. They already have openssh.net by shon · · Score: 5
    Take a look at the whois records:

    $ whois openssh.com@whois.corenic.net
    Registrant Todd T. Fries (template COCO-21730)
    OpenBSD, the REAL open group
    Record created: 1999-10-25 08:44:41 MET by CORE-80

    $ whois openssh.net@whois.networksolutions.com
    Registrant Todd T. Fries (template COCO-21730)
    OpenBSD, the REAL open group
    Record created on 16-Nov-1999.

    $ whois openssh.org@whois.networksolutions.com
    Registrant:
    Open SSH Project (OPENSSH2-DOM)
    Zaanstraat 250
    AMSTERDAM, NL-1013 RZ
    NL
    Record created on 04-Nov-1999.

    Looks to me like the "real" OpenSSH Project registered the dot com first, this other guy grabs dot org, then they got dot net. So why did they grab dot com first? Looks like they screwed themselves.

    Anyway, what's the big deal? Even Network Solution suggests that you get all three dot com, dot net and dot org to "protect" your company. Only dodgy purists still stick to the old conventions.

    Why even publicize this at all? All the documentation and downloads will use whatever the official openssh URL is anyway. The web already has a way of routing around misinformation.

    Also, do open source project automatically have a right to the dot org? I think this is presumptuous. What makes any project "the official" openssh project other than when it becomes the de facto standard? Maybe this guy has a right to create another open source or proprietary "openssh" package.

  12. Is this reallly squatting? by p0six · · Score: 5

    Most people on the thread so far has been very much on the side of the OpenSSH. However, I don't think that what this other guy is doing is wrong in the very least. He is not trying to make a profit. He is not trying to blackmail or exhort anything from the OpenSSH group. He was there first, and if he wants to keep the name, the more power to him. He doesn't necessarily have to do anything with it. I mean, if he wanted to, he could just put up a html document saying "This is my page."

    Just because the OpenSSH group happens to have want the name does not mean that they have a right to that name. I think that it is in very poor taste to boycott the OpenSSH.org. It seems almost arrogant in fact, to presume that just because Mr. Alex de Joode does not wish to deal with them with regards to the domain name, that he has ulterior motives. A simple message warning people that OpenSSH.org is not affilated with the OpenSSH group would have surely sufficed.

    1. Re:Is this reallly squatting? by RovingSlug · · Score: 5

      I agree 100%.

      The post by the OpenSSH developers strongly implies they think they are solely entitled to OpenSSH.org. Wrong. Are we so quick to forget eToys.com versus etoy.com? Were no lessons learned?

      It is unethical for a group to bully others just to acquire an asset. Mr. Alex de Joode has done nothing wrong except to own something the OpenSSH developers want. The OpenSSH developers should be reprimanded for believing they have some right to demand that Mr. Alex de Joode "sell or turn the .ORG name over to the OpenSSH developers." Shame on them.

  13. Hold Your Opinions by Bob+Uhl · · Score: 5
    Let's not jump to conclusions here. This sounds suspiciously like one of those personality conflicts which are all too common nowadays. It could be that either or both players are acting in ill will, or it could eb that each thinks ill of the otehr but neither is bad from our perspective.

    For that matter, if Mr. de Joot has simply not replied to any emails, it may be that he has passed away (don't laugh; it happened to Duane Blehme, a Macintosh shareware programmer years back).

    It would seem to me that the wise things to do is to wait and hear from both sides. Remember the Uruguayan Linux fiasco awhile back? We don't really want a repeat of that hysteria, do we?