Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web-Based Office Suite Zoho Taken Offline By Registrar After Alleged Phishing Complaints (techcrunch.com)

Posted by msmash on from the outage-reports dept.

New submitter atxlakeshore writes: On Monday, ICANN-approved domain registrar Tierra.net turned off access to all Zoho domains, affecting 40 million customers worldwide. Zoho, a web-based office suite company, which provides customer relationship and invoicing services to small businesses, tweeted that the site was 'blocked' earlier in the day by Tierra.Net, which administers its domain name.

Zoho customers affected by the disruption reached out to the registrar's support chat and email. Tierra.net then discussed Zoho's account details with these third parties, claiming that phishing attempts were originating from Zoho's webmail service, and these attempts necessitated blocking the company's domains. Zoho is a privately held India-based competitor to Google's G Suite platform, and maintains US offices in Austin, Texas. The dispute has resulted in calls for censure from ICANN. In a series of tweets, Zoho CEO Sridhar Vembu said TierraNet blocked the domain without "ever notifying us of any issue." He also expressed frustrations at not being able to easily reach out to TierraNet executives.

35 of 66 comments (clear)

  1. rule of law breaking down. by Anonymous Coward · · Score: 2, Insightful

    It seems the rule of law is breaking down and the presumption of innocence is no longer required and instant guilt is all that's required.

    1. Re:rule of law breaking down. by alvinrod · · Score: 2

      I don't think that's true at all. If you look back in history, mob justice was rife and there were people who were outright killed (often in unpleasant ways) over false presumption of guilt. If you're instaed referring to the court of public opinion, that's always existed and if it seems worse now, it's only because social media and global news put every bit of it at your fingertips. Twitter and Facebook are just water coolers for the entire world to share.

      I wouldn't be surprised if Tierra.net knows they screwed up and are trying to take care of this internally so as not to open themselves up to any kind of legal action. Once a proper scapegoat has been found and some poor bastard is made to lean on their sword everything will be cleared up.

    2. Re:rule of law breaking down. by dnaumov · · Score: 1

      What's hysterical is people out there in the world working under the assumption presumption of innocence actually exists in places outside the courtroom.

    3. Re:rule of law breaking down. by omnichad · · Score: 1

      If you're bringing Kavanaugh into this unrelated topic, know this. Neither he nor the accuser are in a court case, which defines who is the defendant. So let's just say both are presumed innocent - meaning that the accuser is also innocent of it being a false accusation / slander until proven guilty.

    4. Re:rule of law breaking down. by Darinbob · · Score: 1

      How does rule of law apply here, there were no legal or law enforcement groups involved?

    5. Re:rule of law breaking down. by I'm+just+joshin · · Score: 1

      Speaking of hysterical...look at the protestors.

    6. Re:rule of law breaking down. by easyTree · · Score: 2

      Once a proper scapegoat has been found and some poor bastard is made to lean on their sword everything will be cleared up.

      What's taking so long? This aspect of business is ripe for disruption. Think getscapegoat.com - simply let it deep-search through your business data then only seconds after all data has been gathered, by the magic of artificial intelligence, the most plausible scapegoat is found.

      CTA: Insulate yourself from consequences, getscapegoat.com now!

      --
      Requiem for the American Dream
    7. Re: rule of law breaking down. by astrofurter · · Score: 1

      "the assumption presumption of innocence actually exists in places outside the courtroom"

      Yeah - we KNOW it doesn't exist inside the courtroom.

    8. Re:rule of law breaking down. by OolimPhon · · Score: 1

      Hmmm. Not going there - it contains the word "goat".

  2. Someone needs to whip ICANN's ass by Anonymous Coward · · Score: 1

    Here's something else ICANN will happily do: You know those emails that come once a year asking you to verify your domain registrant contacts? If you fail to click and verify your address (no matter if it hasn't changed in 20 years) ICANN will also suspend your domain. Though the suspension is miraculously immediate, it takes 6-8 hours to be reinstated.

    1. Re:Someone needs to whip ICANN's ass by Anonymous Coward · · Score: 1

      This is incorrect. First of all it is an ICANN thing for the last 5 years and is baked into the 2013 RAA. You may be using a registrar which hasn't had to renew its accreditation during this time but as soon as they have to re-accredit all of your domains will be subject to this bullshit. People who give answers like you really piss me off because you are smart and ought to know better yet you jump on here and defend this regulatory horseshit because you just want to tell someone else they are wrong. Fuck you.

    2. Re:Someone needs to whip ICANN's ass by MrL0G1C · · Score: 1

      That is the moral of the story here, after reading this article I can't imagine anyone here thinking Tierra.net is a good registrar to use. AKA dumb as fuck.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  3. This isn't funny by Anonymous Coward · · Score: 1

    Millions of business are losing revenue and data because of this. It is ridiculous that a registrar would take such an arbitrary action knowing full well the impact it would have.

    1. Re:This isn't funny by Alain+Williams · · Score: 1

      This is exactly why I will not use a cloud service for something vital like this. Yes: it might be cheaper, more convenient, need less administration, ... but if it suddenly goes away and you cannot access your documents -- how much of a business do you have left ? Most of the large vendors seem to be pushing cloud solutions ... I fear a meltdown sometime, not all of it, but enough to badly damage some companies.

      So: run your own core IT servers, do your own backups, etc. Be safe.

    2. Re:This isn't funny by bobcat7677 · · Score: 1

      On one hand, Tierra.Net is a small company in decline. They have a 1.5 star rating on WHTOP and have lost over 1/3 of their customer base in the past 5 years. On the other hand you have Zoho, who is a large company with a 1.5 star rating on trustpilot. What happens when two 1.5 rated companies work together? Well, this.

  4. Migrated Off Zoho by brian.stinar · · Score: 5, Informative

    I had a client using Zoho Apps for a major portion of their infrastructure. It was terrible, with frequent outages, and tech support completely unable to help with anything. It was actually worse than not helping - they would pretend to help, and then burn three weeks of calendar time saying that they could perform a restoration, when they couldn't.

    We migrated them off of Zoho, and are grateful to have done so. I wish we would have gotten away from Zoho sooner. They are absolutely terrible, and I feel genuinely sorry for anyone using any portion of their infrastructure.

    1. Re:Migrated Off Zoho by Jetstream · · Score: 1

      Who did you migrate to, hopefully someone more reliable?

    2. Re: Migrated Off Zoho by DimasAhmadEkaPutra · · Score: 1

      3 months using o365. It's great!

    3. Re: Migrated Off Zoho by brian.stinar · · Score: 1

      It was an app in Zoho Apps, and I migrated that app's functionality into their existing CakePHP application. It was basically a survey building tool for medical surveys, so we had to keep track of questions, responses, order between questions/sections, and the like. Pretty much basic CRUD was all Zoho handled for the survey building. The responses were handled by the custom application.

      A company called iNetU that has been acquired like three times + name changes hosts their virtual server, and the company I own performed the rewrite.

    4. Re:Migrated Off Zoho by umghhh · · Score: 1

      o365 is already best ever but combined with browser and sharepoint it exceeds all expectations. Really happy that they made it for us to enjoy. I think so fast and so few hangings editors and excel sheets I had last time in 1993??? Well done.

  5. Congrats, Zoho by mysidia · · Score: 2

    You won the lottery.... found a bad domain registrar.

    Now I suggest reaching out to CloudFlare or CSC for help transfer your corporate registrar services to; even if it costs $50K a year --- it's better than registering your domain on some fly by night operation ICANN should've discredited for thinking they're the internet police and shutting down domains based on bogus "phishing site" or other charges which have nothing to do with the DNS system.

    1. Re:Congrats, Zoho by houstonbofh · · Score: 1

      They could go with SafeNames. Rock solid and all for the price of a couple of beers a year per domain name.

  6. Re:Keep DNS and Registrar separate by darkain · · Score: 4, Informative

    How would this help in the given situation? ANYONE can technically setup a DNS server for ANY domain name. It is the registrar which lists either the GLUE record or authoritative DNS servers to use. The registrar can simply offline the record entirely, preventing anyone from even knowing which DNS servers to contact for the needed records.

  7. Zoho a competitor G Suite? by LynnwoodRooster · · Score: 1

    I guess a Mercedes GLS is a competitor to a Radio Flyer... Zoho is WAY more than G Suite...

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  8. Re:Tierra.net is Bullshit by Darinbob · · Score: 1

    Anti-phishing, not the same thing. The article gives only one side of the issue, nothing from TieraNet.

    I don't know how Zoho is or what they do, but if phishing emails are originating from their domain then they should be responsible for it and they can't blame it on their customers.

  9. Re:Google Docs anyone? by Darinbob · · Score: 2

    How do you use Google docs for phishing? Do they allow any customer to send phishing email originating from that domain?
    (I never use online apps, so I don't know what these services do or allow)

  10. Re:Google Docs anyone? by Jetstream · · Score: 1

    I'm kind of curious about this too. I'm sure that pretty much every email service out there has been used by unscrupulous users to send out spam, phishing emails, etc. Why single out one service that's probably not even one of the biggest?

  11. Coincidentally... by hyades1 · · Score: 1

    "In a series of tweets, Zoho CEO Sridhar Vembu said TierraNet blocked the domain without 'ever notifying us of any issue.' He also expressed frustrations at not being able to easily reach out to TierraNet executives."

    Coincidentally, Microsoft and Google announced that carefully-selected business executives have been offered the opportunity to attend multi-week, all-expense-paid team-building retreats at luxury resorts in Thailand and the Bahamas.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  12. Highlights a real danger of using cloud services by misnohmer · · Score: 2

    The higher the reliance on a centralized cloud, the more "eggs in the same basket" which break on a whim of some paper pusher in a company you don't control, caused by their incompetence, by their own beliefs or by some viral social outrage. Then of course there is "if we loose your data all you get is your monthly subscription cost back for this month", or "sorry, we're not going to fight a government request for your data", "we're shutting down the service, all the content you purchased and/or created is now gone". The industry keep cycling between centralized and decentralized computing. I wonder when the cloud based services are going to go the way of a mainframe.

  13. Re:Tierra.net is Bullshit by sg_oneill · · Score: 2

    Zoho are a major cloud provider for office stuff including email.

    Sure there might be some people using it for phishing, but I'd wager they are using gmail, yahoo mail, microsoft 365 mail etc etc.

    Should they ALSO be taken offline everytime someone abuses the service? We're talking potentially billions of people constantly (Possibly hundreds of times a day) losing access.

    I mean how much guilt by association are we talking here?

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  14. Re:Google Docs anyone? by sg_oneill · · Score: 1

    No, but this is refering to cloud email services. So the better question is "How would you use gmail for phishing". The answer to which is "very easily".

    Because thats what we are talking about here. People abusing zohos email service, and then millions of people getting punished for it.

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  15. This is totally wrong! by cascadingstylesheet · · Score: 1

    This is totally wrong!

    Unless, you know, Zoho was promoting a political opinion I didn't like, or something. In that case de-platforming is totally cool.

  16. Re:Highlights a real danger of using cloud service by thegarbz · · Score: 1

    No. It highlights the danger of not vetting vendors. There's nothing here cloud specific. A shitty vendor had a poor step with a crappy 3rd party that had the ability (and exercised it) to bring them down.

    I mean shit I had this same example on a welding job recently. Company we engaged didn't have the necessary quality control to vet their sub contractors and ensure that they wouldn't suddenly leave them high and dry during a critical day. Fortunately we identified this months ago and had a plan b ready.

    There's no inherent problem with outsourcing to cloud providers, you just have to know how to vet the cloud providers.

  17. Re:Highlights a real danger of using cloud service by misnohmer · · Score: 1

    Show me one cloud vendor who will pay for actual losses cause by their outages (rather than maybe refund this months fee), or one that will not provide government with data they request or simply provide a back-door. It's nice how many providers claim 99.999% availability but are unable to offer insurance against it assuming those odds (for example break even insurance would be I pay $1 per day, and for outage I get paid $100,000 per day, or $69.4 per minute, if they paid $50/minute of outage and charged $1 per day for this insurance, they'd be making money, unless of course 99.999% outage is a fake number).

  18. Re:Highlights a real danger of using cloud service by thegarbz · · Score: 1

    Show me one cloud vendor who will pay for actual losses cause by their outages

    Amazon, Microsoft, Google to name a few. Just because you're using a shitty little free service doesn't mean that enterprise contracts don't have very long and strict performance metrics with legal teams on both ends.

    or one that will not provide government with data they request or simply provide a back-door.

    Rather than asking to prove a negative, you can start by displaying the positive.

    It's nice how many providers claim 99.999% availability but are unable to offer insurance against it assuming those odds

    And yet that insurance is precisely what is in enterprise contracts.

    But ultimately your complaints are completely off point. Before you start incorrectly criticizing the reliability and insurance of cloud based vendors you should first ask yourself: Can I do better? *You* may be able to. The hordes of small business owners on the other hand whose backup strategy involves coping files from one folder to another on the same disk i.e. the types of people who use Zoho in the first place aren't able to.

    But then everyone likes to think they are better or top shit until they actually come across a problem of their own. Mersk didn't use a cloud vendor when they managed to globally take down their entire very well funded IT infrastructure including geographically disperse and redundant AD controllers. Maybe they should have.