Slashdot Mirror
Web-Based Office Suite Zoho Taken Offline By Registrar After Alleged Phishing Complaints (techcrunch.com)
New submitter atxlakeshore writes: On Monday, ICANN-approved domain registrar Tierra.net turned off access to all Zoho domains, affecting 40 million customers worldwide. Zoho, a web-based office suite company, which provides customer relationship and invoicing services to small businesses, tweeted that the site was 'blocked' earlier in the day by Tierra.Net, which administers its domain name.
Zoho customers affected by the disruption reached out to the registrar's support chat and email. Tierra.net then discussed Zoho's account details with these third parties, claiming that phishing attempts were originating from Zoho's webmail service, and these attempts necessitated blocking the company's domains. Zoho is a privately held India-based competitor to Google's G Suite platform, and maintains US offices in Austin, Texas. The dispute has resulted in calls for censure from ICANN. In a series of tweets, Zoho CEO Sridhar Vembu said TierraNet blocked the domain without "ever notifying us of any issue." He also expressed frustrations at not being able to easily reach out to TierraNet executives.
Zoho customers affected by the disruption reached out to the registrar's support chat and email. Tierra.net then discussed Zoho's account details with these third parties, claiming that phishing attempts were originating from Zoho's webmail service, and these attempts necessitated blocking the company's domains. Zoho is a privately held India-based competitor to Google's G Suite platform, and maintains US offices in Austin, Texas. The dispute has resulted in calls for censure from ICANN. In a series of tweets, Zoho CEO Sridhar Vembu said TierraNet blocked the domain without "ever notifying us of any issue." He also expressed frustrations at not being able to easily reach out to TierraNet executives.
It seems the rule of law is breaking down and the presumption of innocence is no longer required and instant guilt is all that's required.
Since when do registrars get involved in policing the internet to protect us from "phishing attempts"?
Here's something else ICANN will happily do: You know those emails that come once a year asking you to verify your domain registrant contacts? If you fail to click and verify your address (no matter if it hasn't changed in 20 years) ICANN will also suspend your domain. Though the suspension is miraculously immediate, it takes 6-8 hours to be reinstated.
In a series of tweets, Zoho CEO Sridhar Vembu said TierraNet blocked the domain without "ever notifying us of any issue." He also expressed frustrations at not being able to easily reach out to TierraNet executives.
He got so used to scamming the plebeians that he can't understand why the other noble class won't give him his noble privilege.
Millions of business are losing revenue and data because of this. It is ridiculous that a registrar would take such an arbitrary action knowing full well the impact it would have.
Keep DNS and Registrar separate!!!
Also, keep hosting separate.
That "do everything" checkbox is a trap.
I had a client using Zoho Apps for a major portion of their infrastructure. It was terrible, with frequent outages, and tech support completely unable to help with anything. It was actually worse than not helping - they would pretend to help, and then burn three weeks of calendar time saying that they could perform a restoration, when they couldn't.
We migrated them off of Zoho, and are grateful to have done so. I wish we would have gotten away from Zoho sooner. They are absolutely terrible, and I feel genuinely sorry for anyone using any portion of their infrastructure.
Why is a domain registrar the anti-spam police now? How does suspending all of their domains without notifying them help anybody? I use Zoho and really like their suite of low cost services including Zoho Mail which I like a lot better than G Suite.
You won the lottery.... found a bad domain registrar.
Now I suggest reaching out to CloudFlare or CSC for help transfer your corporate registrar services to; even if it costs $50K a year --- it's better than registering your domain on some fly by night operation ICANN should've discredited for thinking they're the internet police and shutting down domains based on bogus "phishing site" or other charges which have nothing to do with the DNS system.
Sorry, but this seems like affirmative action on America's behalf. Not notified of any issues? Tierra.net executives don't even want to answer?
With 40 million customers, they have a very big slice of this market. Starting to take a too big cut out of Google's and other American businesses money? When the money starts moving its way to other places than America, the intelligence services will just serve up a few court- and gag-orders to "fix" things.
It's another good reason why you should not rely on American businesses and companies for your services. They should've gone with a different registrar.
I rip Tierra.netâ(TM)s head off and shit down their neck!
It's always been used for phishing. Why come it hasn't been taken?
I guess a Mercedes GLS is a competitor to a Radio Flyer... Zoho is WAY more than G Suite...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Oh, please ... this even about going up against the big players.
As someone who has had contact with Indian offshoring, I am forced to conclude that the quality of this stuff is probably garbage, and would not be surprised at all if the company itself was running scams. And this includes having worked with IBM's India people as well as 'development' shops.
The ones I've encountered start off reasonably good .. for a few weeks. Then you get the real fucking idiots who don't know anything about what you are allegedly paying them for.
We became quite certain that every account we interacted with had 10-20 people behind it, all being too incompetent to be allowed to live, let alone touch technology -- we know this, because the same email address once sent us a half a dozen completely contradictory emails within about 30 seconds in response to a question.
We once submitted a ticket to have the same software installed on 4 machines, including what version we required (it was their job to do this) ... we got 32-bit on one, 64-bit on another (despite making it explicit we could not use that), and for the other two they mailed us their internal script for their morons to follow to install and told to install it ourselves. Sorry, but what the fuck are we paying you for if you aren't capable of doing it? They frequently ignored our change windows and powered prod severs off in the middle of the work day.
They throw a lot of bodies at a problem, but since none of them are qualified for anything more complex than a simple task requiring a script, they prove to be a complete fucking waste of resources.
Sorry, but given how we hear the same call centers are simultaneously being used to serve off-shored clients and run scams ... I don't need to know anything other than it's software out of India to completely believe the company was sending phishing as well.
My experience across 3 different companies and across about 6 different projects is that companies who think they're saving money by hiring a flock of drooling idiots in India really haven't got the faintest clue about what they're really getting ... and then the fucking tools who "saved the company money" walk off with their bonuses and leave the company with utter shit support.
Either Zoho was incompetent and got hacked, or they were complicit ... in neither case will my opinion of tech people in India ever be changed for the better. If I was at another place that started talking about doing it, I'd quit there and then.
After all the Gmail to Zoho mail converts, it would be funny for Zoho to move domain registration to Google Domains. They seem to have nice features.
"In a series of tweets, Zoho CEO Sridhar Vembu said TierraNet blocked the domain without 'ever notifying us of any issue.' He also expressed frustrations at not being able to easily reach out to TierraNet executives."
Coincidentally, Microsoft and Google announced that carefully-selected business executives have been offered the opportunity to attend multi-week, all-expense-paid team-building retreats at luxury resorts in Thailand and the Bahamas.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
The higher the reliance on a centralized cloud, the more "eggs in the same basket" which break on a whim of some paper pusher in a company you don't control, caused by their incompetence, by their own beliefs or by some viral social outrage. Then of course there is "if we loose your data all you get is your monthly subscription cost back for this month", or "sorry, we're not going to fight a government request for your data", "we're shutting down the service, all the content you purchased and/or created is now gone". The industry keep cycling between centralized and decentralized computing. I wonder when the cloud based services are going to go the way of a mainframe.
The problem here isn't the registrar.
They would not have taken a major paying customer offline without reason.
The problem here is that people were relying on the Indian developers to be competent enough to prevent phishing, and innocent enough not to have uploaded it themselves.
In practice people will still flock to "cloud" but will stick to the big names, not the small ones. Because the big ones are their own registrar, and they pay ICANN't enough to not kick them off without notice.
The take-away ought to still be that you need your mission critical stuff on your own infrastructure, preferrably in a box right next to where you need it (ie office productivity "app"s right there in the office, thanks), but that's not gonna happen. Reasons why on a postcard, etc.
This is totally wrong!
Unless, you know, Zoho was promoting a political opinion I didn't like, or something. In that case de-platforming is totally cool.
No. It highlights the danger of not vetting vendors. There's nothing here cloud specific. A shitty vendor had a poor step with a crappy 3rd party that had the ability (and exercised it) to bring them down.
I mean shit I had this same example on a welding job recently. Company we engaged didn't have the necessary quality control to vet their sub contractors and ensure that they wouldn't suddenly leave them high and dry during a critical day. Fortunately we identified this months ago and had a plan b ready.
There's no inherent problem with outsourcing to cloud providers, you just have to know how to vet the cloud providers.
No, this is a slam against cloud stuff like Zoho. You don't know when someone will turn off your cloud provider's power because the guy who mows their lawn angered the wrong power company lineman. Or DNS, or government, etc. If your software is in house, you will have access to it during minor external hiccups. If *you* have the lineman issue, or a government raid, then you have bigger things to worry about than software availability. If you lose your external DNS, your software still exists in house though!
Show me one cloud vendor who will pay for actual losses cause by their outages (rather than maybe refund this months fee), or one that will not provide government with data they request or simply provide a back-door. It's nice how many providers claim 99.999% availability but are unable to offer insurance against it assuming those odds (for example break even insurance would be I pay $1 per day, and for outage I get paid $100,000 per day, or $69.4 per minute, if they paid $50/minute of outage and charged $1 per day for this insurance, they'd be making money, unless of course 99.999% outage is a fake number).
Show me one cloud vendor who will pay for actual losses cause by their outages
Amazon, Microsoft, Google to name a few. Just because you're using a shitty little free service doesn't mean that enterprise contracts don't have very long and strict performance metrics with legal teams on both ends.
or one that will not provide government with data they request or simply provide a back-door.
Rather than asking to prove a negative, you can start by displaying the positive.
It's nice how many providers claim 99.999% availability but are unable to offer insurance against it assuming those odds
And yet that insurance is precisely what is in enterprise contracts.
But ultimately your complaints are completely off point. Before you start incorrectly criticizing the reliability and insurance of cloud based vendors you should first ask yourself: Can I do better? *You* may be able to. The hordes of small business owners on the other hand whose backup strategy involves coping files from one folder to another on the same disk i.e. the types of people who use Zoho in the first place aren't able to.
But then everyone likes to think they are better or top shit until they actually come across a problem of their own. Mersk didn't use a cloud vendor when they managed to globally take down their entire very well funded IT infrastructure including geographically disperse and redundant AD controllers. Maybe they should have.