Slashdot Mirror


Network Solutions E-Mail Security Alert

The following story is somewhat alarming. You must read it if you own a domain name. It is not a hoax; I tested the security hole on a domain name I own. It worked. A large number of readers have written us about it. The Network Solutions site was already overloaded and responding slowly in the wee hours and is probably going to be hit hard all day. They have made a monumental mistake here. Click below to read Slashdot reader Ralph Brandi's excellent description of what's going on. Update posted 2:10 p.m. EDT - see bottom of the story (below).

Ralph writes: Network Solutions has started spamming some of its customers with notices that include, among other things, the news that they've set up a free e-mail account for you, without bothering to ask first, at their new dot com now mail Hotmail clone. They've even taken the liberty of assigning you a password:

3. Lastly, we are pleased to offer you a FREE e-mail account using our new dot com now mail service. Because it's Web-based, you can use it in the office, at home or on the road. You'll need the following information to set up your account:

 >>>>>>>>>>>>Login name:  domainid
 >>>>>>>>>>>>Password:    domainidnsi

Note that nifty password? It's the same pattern for every domain they've registered an e-mail address for.

Big security [bleep]up. If someone beats you to your account and "guesses" your password, now they can masquerade as you, and if they change the password, you can't even get into the account.

I've already gone into my "accounts", verified that they exist, and changed the passwords. I know that they exist because when I entered other domain IDs I control that I wasn't spammed at, I was returned to the login screen rather than being brought to a presumably newly-created mail page.

I called Network Solutions tech support to demand that they remove the accounts, but the moron on the line didn't understand that they were doing something incredibly boneheaded and wouldn't listen to my explanation. The person on the line insisted that they wouldn't create an account without me signing up for it, but I didn't have to sign up; it was already in place.

The mail I received started out "As a customer of Network Solutions or one of our Premier Program members", so I'm not sure if they're doing this for everyone or just for people who bought their domains through some of the big providers like Pair who are part of the "Premier Program". If you get the e-mail from them, I suggest logging on immediately and changing your password, whether you wanted the account or not. Maybe with a little prodding, Network Solutions will realize they screwed up and delete the accounts and change their procedure.

Update posted 2:10 p.m. EDT by RM - doulos writes "If you're tired of getting a busy signal at the 703-... phone number, I found that they have a nice staff of people waiting to answer your questions and complaints at the following TOLL FREE phone number: 1-888-642-9675

They did refer me to the toll-line, but I (politely) insisted that because this was a matter of security that they had initiated, that I should be able to at least speak with a supervisor. The nice person on the phone _politely_ complied, and I was able to put in my request to have those e-mail accounts removed with my appropriate domains.

I just thought I would submit this as an article update because I felt maybe if the phone # was posted as an update it might help alleviate some of the offense of having to call, by at least removing the toll from being on your nickel..."
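
The flaw described in the story, seen from the provisioning side, as an added example that is not part of the original story or any Network Solutions code: a pre-send check that refuses initial passwords built from the login name (the `domainid` / `domainidnsi` pattern) or shared between accounts, and a generator that issues an unpredictable one instead. The function names, thresholds and the sample batch are assumptions made for illustration.

```python
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits
MIN_LOGIN_LEN = 3   # assumption: shorter logins would match random strings by chance
MIN_PW_LEN = 12     # assumption: floor for a machine-generated initial password


def is_derived_from_login(login: str, password: str) -> bool:
    """True if the password is built from the login, e.g. login + fixed suffix."""
    login_l, pw_l = login.lower(), password.lower()
    if not login_l:
        return False
    if len(login_l) < MIN_LOGIN_LEN:
        # Too short for a meaningful substring test; only flag an exact match.
        return pw_l == login_l
    # Catch login anywhere in the password, forwards or reversed.
    return login_l in pw_l or login_l[::-1] in pw_l


def new_initial_password(login: str, length: int = 16) -> str:
    """Generate an unpredictable initial password with the OS CSPRNG."""
    if length < MIN_PW_LEN:
        raise ValueError("initial password too short")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # A random string can contain a short login by chance; retry if so.
        if not is_derived_from_login(login, candidate):
            return candidate


def audit_batch(batch):
    """Check a provisioning batch of (login, initial_password) pairs before
    any notice is sent. Returns {login: [reasons]} for accounts to regenerate."""
    counts = Counter(pw for _, pw in batch)
    findings = {}
    for login, pw in batch:
        reasons = []
        if is_derived_from_login(login, pw):
            reasons.append("derived-from-login")
        if counts[pw] > 1:
            reasons.append("shared-password")
        if reasons:
            findings[login] = reasons
    return findings


def sample_batch():
    """Constructed sample data, not real accounts."""
    return [
        ("smith", "smithnsi"),        # login + fixed suffix
        ("smith1", "smith1nsi"),      # same template, numbered login
        ("jones", "changeme1"),       # one password issued to several accounts
        ("brown", "changeme1"),
        ("garcia", new_initial_password("garcia")),
    ]


if __name__ == "__main__":
    for login, reasons in audit_batch(sample_batch()).items():
        print(f"{login}: regenerate ({', '.join(reasons)})")
```
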

245 comments

  1. However much you may hate XXXX corp. by anthonyclark · · Score: 3

    OK,

    However much you may hate XXXX corp DO NOT try and masquerade as them!

    It's not big, clever or AFAIK legal.

    What may seem as a good idea right now may land you/us/everyone in the world in a whole heap of trouble.

    --
    ----- Documentation is worth it just to be able to answer all your mail with 'RTFM' - Alan Cox.
    1. Re:However much you may hate XXXX corp. by DAVEO · · Score: 0
      lol, daveo was about to try MICROSOFT-DOMnsi, but realized it would not be smart ;0) better would it be to throw pies than to risk being sued!

      but how would nsi make such a mistake, it is bad, even for them.

      --
      -DAVEO
    2. Re:However much you may hate XXXX corp. by Navarre · · Score: 1

      So, if NSI is so freakin' useless, and I hear a lot of people say that they are, then why do they hold a monopoly on dealing out domain names?

      They ignore their own spamming and nearly get blacklisted.

      They make a security blunder a 10-year-old with a couple of computer classes in school wouldn't make.

      Why can't I go somewhere else for my service? This might be a naive question, but somebody humour me and explain this, please.

      Mike

    3. Re:However much you may hate XXXX corp. by .pentai. · · Score: 1

      They don't hold a monopoly.

      There are other places with which to get domainnames...the place I work at is soon going to become a registrar (hopefully).

    4. Re:However much you may hate XXXX corp. by Ticker · · Score: 1
      > better would it be to throw pies than to risk being sued!

      How come you talk like yoda?

    5. Re:However much you may hate XXXX corp. by fwr · · Score: 2

      It's my understanding that they do hold a monopoly. When the "new" companies are able to register new domain names, they pass the information to Network Solutions who will still be in "control" of the root name servers and maintaining them, right? I personally believe that this qualifies as a monopoly.

      Why doesn't our (USA) government take the monopoly away and assign it to another company? Can't be all that hard to transfer control of a bunch of root domain servers over to another company, can it?

    6. Re:However much you may hate XXXX corp. by Anonymous Coward · · Score: 0

      No, this is flamebait. I don't think I've ever experienced such dumb moderation in my life. You must sniff solvents or something. Did I say "hey, you're such an idiot, you talk like yoda!"? No.. I asked why. I never implied there's anything wrong with talking like Yoda. I happen to think he's cute.

      Anyways, this is an obvious flame towards the moderator, so feel free to moderate this down.

      Perhaps my post was off-topic, but flamebait it wasn't.

  2. Kinda makes you wonder... by LordChaos · · Score: 4

    What kind of programmer can create an entire web based email system, write the code, and bring the whole system to working order, and then ignore one of the basic principles of password choice that has been a major no-no in the un*x (and other) operating system for decades.
    Mind you I guess it's not surprising when we consider the other screw ups we've seen lately - even in other web based email systems like the recent hotmail scare.
    All we can do is hope that they will be a learning experience for us all, and that screw ups in the "early" days of the internet for the masses will prevent (or at least lessen the effect of) major security holes in future systems..

  3. Holy shit by flamingdog · · Score: 0

    me being the non-believer I am, I just tried it out, and I just about wet myself from the domain I used as a test...
    Let me just say that it works.
    Some people ought to consider security every now and again....

    ---------------------------
    "I'm not gonna say anything inspirational, I'm just gonna fucking swear a lot"

    --

    ---------------------------
    1. Re:Holy shit by Anonymous Coward · · Score: 0

      Yikes ... I tried it on a domain we host and yup ... it STILL works. Sheesh!

  4. Oh dear by Palin+Majere · · Score: 4

    First they produce copyright restrictions in whois queries that people cannot opt out of. Then they fight tooth and nail with government regulators over divvying up their monopoly. Now this?

    What's next, my bank creating an email account for me and assigning it the password 123456, like everyone else's?

    Just imagine the possibilities of such a monumental foul-up:

    -) Email Masquerading:
    "Hi InterNic Tech Support, this is so-and-so, I'd like my contact information changed to... No, I'm really so-and-so. You can tell because I'm emailing you from so-and-so's account..."

    -) Spam, Spam, Spam, Spamitty-Spam:
    "You've got mail! Oh joy, so-and-so@internic is spamming me. Lets get them blacklisted and ban their server."

    -) Misrepresentation via Email:
    With this, and some of the information available from a standard whois query, you can easily order products and have them shipped to someone COD. And of course, it's authentic because it was shipped from your internic account....

    Someone stop the madness before it continues to spread!

    1. Re:Oh dear by Black+Parrot · · Score: 1

      > Spam, Spam, Spam, Spamitty-Spam:

      Just use the account to spam Network Solutions, and maybe they'll revoke your account!

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Oh dear by Anonymous Coward · · Score: 1

      A bank in Norway actually did the equivalent of this, the only difference was that it was worse. It decided to change all pin codes for all its customers to its netbank system. That by itself is bad. But it got worse. They made the new pin code directly from the customer's date of birth (not social security code, just the birthday). Then they sent (snail) mails to all its customers, informing them about how nice the bank has been to them. Result: Anybody who received a mail like that instantly knew the pin code to any other customer for which the birthdate was known or could be made known. Not particularly hard, that. And of course any customer not at home at the moment (say, on a four week vacation for example) would come home and find that the netbank account had been open for the world the last weeks.

  5. Could not get in by lee · · Score: 1

    Either my company's email boxes have not been created, do not use the stupid password, or someone has logged in and changed them.

    --
    --- If you don't want to know the answer, don't ask the question.
    1. Re:Could not get in by DAVEO · · Score: 0

      daveo checked his email, but did not get this ad, and could not log in for dot-com mail

      --
      -DAVEO
  6. Will this piss off enough people to get NSI sued? by Myself · · Score: 1

    Okay this has way too much potential. How long is it going to take them to clean up the aftermath? I see another mess of legal battles over this one, and maybe because it's so prominent, we might see some penalties for boneheaded admins like this one. (Oh please, oh please, oh please? We need a legal precedent that makes "blatant neglect" a crime.. heh)

  7. Re:Wowee by infinitas · · Score: 0

    Surprised?
    I'm not... (I don't have a domain name yet either)

  8. Can you say ... by Ummon · · Score: 1

    ... class-action lawsuit?

    Who wants to keep track of how much time is lost due to this?

    Anyone know how I can figure out what other accounts I might have?

  9. ...also username=last_name, pw=last_name+nsi... by Anonymous Coward · · Score: 0

    Example:

    username: smith
    password: smithnsi

    I am so #$%@ pissed! Who do we complain to???

    1. Re:...also username=last_name, pw=last_name+nsi... by Anonymous Coward · · Score: 0

      Yeah, I managed to log in using my last name as well and changed the password. I clicked on profiles (or whatever it's called, I forgot already) and found out that it wasn't me, but someone else with the same last name. So I changed it back, no use changing someone else's password. I was sort of surprised since I've got a pretty uncommon last name (no I'm not going to tell you what it is).

    2. Re:...also username=last_name, pw=last_name+nsi... by bmetzler · · Score: 3
      > Yeah, I managed to log in using my last name as well and changed the password. I clicked on profiles (or whatever it's called, I forgot already) and found out that it wasn't me, but someone else with the same last name.

      Note, for last names they are consecutively numbering them. So the first accounts are set up like this:

      user: smith
      pass: smithnsi
      user: smith1
      pass: smith1nsi
      user: smith2
      pass: smith2nsi
      user: smith3
      pass: smith3nsi
      user: smith4
      pass: smith4nsi

      Needless to say I don't consider that a good security measure either. And no, I'm not telling you what mine is numbered...


      --
    3. Re:...also username=last_name, pw=last_name+nsi... by Anonymous Coward · · Score: 0

      I already beat you to smith99.

    4. Re:...also username=last_name, pw=last_name+nsi... by Jonavin · · Score: 1

      Holy ithoughtyouwerealltrolling.com!!

      I tried my domain name but it didn't work. Then I tried my surname after reading your post and now... well, now I'm paranoid.

      Does that mean somebody has already beaten me to my domain logons, or are these mailboxes 'random'.

      complain! complain!

  10. How about by cg · · Score: 0

    ...suenetsolnow

  11. Bah! by ninjaz · · Score: 1

    Just when you thought you'd seen it all, NSI sinks to a new low! I just noticed a name I control affected, too. It appears that they may still be in the process of rolling this out, as the oldest domain got this account, but the others haven't (yet, at least).

    Also, I think it's disturbing that something as important as control of your domain name is left wide open by only offering cleartext passwords. i.e., even if you *do* log in and change your password, it can be seen in transit and your name can still get hijacked.

    I think this is a demonstration of NSI's utter incompetence/unwillingness to take due diligence and that their contract should be terminated.

    1. Re:Bah! by ninjaz · · Score: 1
      Lest I become a source of misinformation, I'm correcting myself now:

      As far as I can tell, this doesn't directly compromise control of the domain name, just the cheesy webmail account. Of course, as others have stated, that may be an effective tool to help with social engineering..

      Anyway, I prefer to roll my own webmail service using Imp along with mod_ssl which doesn't require sending cleartext passwords over the net.

  12. Site appears to be down by Paul+Johnson · · Score: 0
    --
    You are lost in a twisty maze of little standards, all different.
    1. Re:Site appears to be down by DAVEO · · Score: 0

      no, daveo tried it with random common last names, and it does work still.

      --
      -DAVEO
    2. Re:Site appears to be down by DAVEO · · Score: 0

      daveo gave it about 2 minutes to load, maybe more, maybe it has been /.ed?

      --
      -DAVEO
    3. Re:Site appears to be down by shri · · Score: 1

      It's /.ed. Very ironic if you ask me. I managed to get through after about 15 reloads.

    4. Re:Site appears to be down by sorphin · · Score: 1

      it's moments like this that i decided to drop NSI and register my current domain with one of the other registrars.. i.e. register.com and the like.. they at least appear to have more than a clue than NSI does, unfortunately, people still use 'whois' to look up a domain, and since that only looks at NSI by default, well, makes life harder... but i'm not surprised that NSI would do something this dumb... i tried 6 times to get them just to change my CONTACT INFO, and oops.. sorry, we lost your pgp key, (and since i can't mail from the email in my contact info anymore.. too bad), thank god i don't hold any domains with them now..

  13. Site appears to be down by Paul+Johnson · · Score: 1
    Sorry, I meant to say... I just followed the link given in the article, and I just get an instant blank page. It looks like Network Solutions have just pulled the service until they get it sorted.

    Paul.

    --
    You are lost in a twisty maze of little standards, all different.
  14. Anyone figured out how to remove the account??? by Anonymous Coward · · Score: 0

    Changed the password already, but I want them to know I'm not interested in more ways than one.

    This is the last time I want to deal with them. I will be using one of the other services next year when my registration expires.

    Hell, I might even switch to another domain name registry just out of spite before then, but I doubt that would do any good; they'd still claim me as a customer & I'd get no prorated refund. Hmmmm....

  15. Hmmm... by Khan · · Score: 1

    Looks like it's either /.ed or their servers are offline while they fix this little "problem". .....Heh, I just made myself laugh pretty hard writing that last comment ;) This is truly unreal.

    --

    "Klaatu, verada, necktie!" -Ash

    1. Re:Hmmm... by Kintanon · · Score: 1

      > Looks like it's either /.ed or their servers are offline while they fix this little "problem". .....Heh, I just made myself laugh pretty hard writing that last comment ;) This is truly unreal.

      Remember, this is NOT a 'problem'! This is the convenient 'Easy Password Recall' memory assistance system whereby you are no longer required to remember some obscure string of letters and numbers but can rely on a password so obvious that even if you forget it you can guess it in only a few tries! For more of our convenient new services contact us at NSI@FUBAR.NET!

      Kintanon

      --
      Check out JoshJitsu.info for Brazilian Ji
    2. Re:Hmmm... by 47Ronin · · Score: 1

      Easy Password Recall? That concept should never have been thought up by these type of companies.. that's why most real computers ship with some sort of highlight-your-newly-created-password and "copy/paste" type of function. Get into your account with the freaky tongue-twister password then change it later to whatever you want.

      -----
      Linux user: if (nt == unstable) { switchTo.linux() }

      --
      Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
  16. Personally.. by Kitsune+Sushi · · Score: 1

    If we can expect quality service like this because of it, I'm all for monopolies over services, products, whatever you got! Tell Uncle Sam to stick it.. Let those businesses continue to deliver the good stuff until it hurts!

    Warning: The views expressed in this message are not necessarily shared by the poster, Slashdot, or the free-thinking populace at large.

    --

    ~ Kish

    1. Re:Personally.. by Buttercup · · Score: 1

      Eh... perhaps you hadn't noticed, but Uncle Sam created NSI's monopoly in the first place. That's the way it usually happens.

      MJP

      --
      Don't try that "protecting the children" shit you people use to keep the tits and bad words off my TV. --Seanbaby
  17. Update by sgs · · Score: 4

    I just got the spam from NS, and it was a bit different than described. The account name was the administrator's last name with a random number added; not the domain name as described. The password was as described; the account name with "nsi" added to the end.

    A bit better; anyone trying to screw up somebody's account would have to know how to use WHOIS and guess a short number.

    Clueless. Utterly clueless. And these are the guys who claim to be running the Net??

    My password is now a random string that I've already forgotten. Why would I need another e-mail account anyway? Don't you have to have an e-mail address (contact point) to set up a domain name?

    1. Re:Update by KFury · · Score: 4
      > A bit better; anyone trying to screw up somebody's account would have to know how to use WHOIS and guess a short number.


      The number appended to the admins last name isn't random. If you do a whois lookup on yourself or your domain, you'll find this is actually your ns 'handle.' The number NS has appended to your last name (usually the entire last name, plus the uid), and is just as easy to obtain as any other piece of info you've registered.

    2. Re:Update by peter+hoffman · · Score: 1

      If this is true, then they have me confused with someone else because that number is not part of my handle!

      Just to make certain they hadn't assigned two handles to me, I did do a whois on the number I received and it returned information about someone else.

    3. Re:Update by drewbie · · Score: 1

      Well, I haven't even gotten the spam yet and the d**n account has been created for me! I logged in with the username "lastnamehandle" & password as described above and there was the mail interface! So go check and immediately change the password. And then never, ever go back again.

      Looks like I'll be checking out those alternative registrars quickly.

    4. Re:Update by fdicostanzo · · Score: 1

      no good- i got spam'd and i DID use an alternate registry. i don't think this would affect my domain however....

      --
      Synergies are basically awesome, and they're even better when you leverage them. -PA
    5. Re:Update by Carl+Nasal · · Score: 1

      The userid isn't random. AFAIK, it is the user's last name and a number (which is just an incremented number based on the number of the same last names).

      For example, mine is "nasal1". (I don't know of *any* of people with a last name of "Nasal", so that's why there is a 1 after it. For common names like "Jones", someone may get "jones50".)

      --
      ZZWeb.net Web Hosting - http://www.zzweb.net
      ZZWeb.com Internet Consulting - http://www.zzweb.com
    6. Re:Update by Anonymous Coward · · Score: 0

      I was able to get into the account for my domain administrator using his last name for a username and his last name + 'nsi' as a password.

    7. Re:Update by Emil+Brink · · Score: 1

      Your last name is Nasal? Wow! I don't mean any offense here, but you could probably make the folks over in comp.lang.c (Deja link) laugh themselves silly pretty easily. Just write a program doing something unspecified (letting main() return void is a classic), and see what happens. Oh, the joy of stupid word plays.

      --
      main(O){10<putchar(4^--O?77-(15&5128 >>4*O):10)&&main(2+O);}
    8. Re:Update by agshekeloh · · Score: 1

      A further update (someone might have posted this below my threshold; apologies if so)

      I received another NSI spam at 10:30 AM EDT, and it was also a bit different than described above.

      Specifically, it doesn't include the free email account.

      It does state that blackhelicopters.org has received a free listing in the new dotcom directory. I wonder what services we're supposed to sell? Perhaps people would pay to be able to launch Black Helicopters(tm, pat. pend.) on people of their choice? Sorry, off-topic.

      It also describes various domain registration bonus plans, and the "read our spam or else" threat.

      No password is included in the mail.

    9. Re:Update by vkire · · Score: 1
      > The number appended to the admins last name isn't random. If you do a whois lookup on yourself or your domain, you'll find this is actually your ns 'handle.' The number NS has appended to your last name (usually the entire last name, plus the uid), and is just as easy to obtain as any other piece of info you've registered.

      This is clearly not true. I got the mail and it didn't have any numbers appended. My assumption is that they append numbers if they have more than one person with the same last name. Since my last name is pretty unique (only 5 families in the entire world, AFAIK, and I am the only one that owns a domain), I didn't get a number assigned.

      KV

    10. Re:Update by ct · · Score: 1

      Hate to burst your bubble, but there must be at least 1 other 'Nasal' before you - one without the digit after his ID (at least there is as of 20:03 MST)

    11. Re:Update by FModnar · · Score: 1

      Yep...there must be at least one other "nasal"

      My last name was just the last name....no numbers after it at all.

    12. Re:Update by Anonymous Coward · · Score: 0

      > Clueless. Utterly clueless. And these are the guys who claim to be running the Net??

      No, Al Gore is running the Net. :)

    13. Re:Update by Anonymous Coward · · Score: 0
      My account name was also the administrator's last name. Upon receiving the spam mail last night, I went and changed the password. I thought it was all pretty strange when I saw it.

      I expect Rod Serling to step out and tell me I'm in the Twilight Zone or something.

      While you could say that NSI and I have a business relationship, spam by any other name still tastes awful (no offense to the fine canned meat by product). Calling this a security hole doesn't do it justice -- it's more like the Grand Canyon!

  18. Try: http://mail.dotcomnow.com by Anonymous Coward · · Score: 0

    ...it seems to work for me.

    1. Re:Try: http://mail.dotcomnow.com by JeremyH · · Score: 1

      Damn I just tried that. It does work.

      And I never even got the email from nsi.

      If it wasn't for /. I never would have heard about this. WTF?????

      --
      -JeremyH
  19. Same story here by kechnng · · Score: 1

    Yep, same story - blank page. Either NSI have really taken it down or it's suffered the slashdot effect(tm) ;-)

  20. Try: http://mail.dotcomnow.com by Anonymous Coward · · Score: 0

    That address worked a moment ago...

  21. Weird... by Anonymous Coward · · Score: 0

    I haven't heard anything from Network Solutions. Yet. We own multiple domains ourselves and host a lot more for our clients, but I haven't seen anything.

    Tried to login, but couldn't. What is the 'domainid' anyway? Something like 'MICROSOFT-DOM' or the contact ID - something like 'MN5-ORG'? Tried lastname as well, didn't work either.

    So it's either a big misunderstanding, or NSI fixed it really fast...

    1. Re:Weird... by Anonymous Coward · · Score: 0

      Correction; it doesn't work with my last name. But when I picked some random last name it did work.
      Scary... I think I'll try all our clients and change their passwords for them before someone else does...

      *shiver*

    2. Re:Weird... by Anonymous Coward · · Score: 0

      Nope, it's just the domain name (middle part of Web address). For example, if the website is at www.etrade.com, the domainid is just etrade, not etrade-dom. The password would be etradensi (or cypherpunks, if somebody was faster than you ;) ) N.B. Apparently they didn't do every domain yet.

    3. Re:Weird... by barbaBob · · Score: 1

      If it works like that; what's the domain id for 'etrade.net' or 'etrade.org'?

      More likely is indeed the last name of the administrative contact. I've already found several that work that way :(

      Good luck...

      barbaBob

      --

      --
      *sig*

    4. Re:Weird... by mke2fs · · Score: 1

      It works like this :

      * Domain1 could be domain.com
      * Domain2 could be domain.net

      And so on...

      This may not be it, but I used domain3 as my username... and got in.

      When you do a whois you'll see what to use.
      Regards,
      Stig

  22. Mailing out passwords by Tet · · Score: 3

    Am I the only one that thinks emailing out unsolicited passwords in plain text is a bad idea in the first place? Unencrypted email's not exactly the most secure way of transferring information. There may be times when I *request* a password via email, but I do so knowing and accepting the risks, and I wouldn't do it with something I couldn't afford to be compromised. Of course, the choice of password was dumb beyond belief as well, but that's a separate issue...

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
    1. Re:Mailing out passwords by GC · · Score: 1

      When I set up users to access our ftp server, the procedure is usually as follows:

      1. I get a verbal request from operations
      2. I tell operations to put it in writing
      3. The request comes in writing
      4. I generate a user ID & password generated by my random password generator
      5. The user id & password goes out to the user by tracked mail. (Snail Mail)

    2. Re:Mailing out passwords by deusx · · Score: 1

      > Am I the only one that thinks emailing out unsolicited passwords in plain text is a bad idea in the first place?

      Man! Is this one of my biggest pet peeves! I can kinda understand it for a service that generates a password for me-- I need to log in real quick and change it. It's basically a one time password.

      But when I sign up, and PROVIDE a password, and STILL the service sends me an insecure e-mail with the password I JUST PICKED, it really pisses me off!

      Even worse, there was a site (I forget which one now) that I hadn't visited in awhile. So, I get spam from them saying, "Hi we haven't seen you around in awhile, in case you forgot, here's your username and password!"

      AAAAUUUGGGHHH!!

  23. New Advertising slogan? by Jonny+Royale · · Score: 4

    Network Solutions...we're the "duh" in dot com!

    1. Re:New Advertising slogan? by Anonymous Coward · · Score: 0

      How about the doh! in .dom. [I can see it now: some NSI Marketdroid coming up with "We're the dough in .dom" not realizing how it really sounds. ;) ]

    2. Re:New Advertising slogan? by adric · · Score: 1
      > Network Solutions...we're the "duh" in dot com!
      Nah. More like we're the "duh" in stupenduhs (and yes, I know it's not really spelled that way :-)
      ---
      --
      not plane, nor bird, nor even frog...
    3. Re:New Advertising slogan? by pod · · Score: 1

      uhm, stupendous maybe?

      --
      "Hot lesbian witches! It's fucking genius!"
    4. Re:New Advertising slogan? by Anonymous Coward · · Score: 0

      Or even... network solutions - we're "the complete goddamn morons" in "the complete goddamn morons who now control dom. registration" yeah, i'm venting, but i think its a pretty justified vent...

  24. what am I missing? by eff · · Score: 5

    > If someone beats you to your account and "guesses" your password, now they can masquerade as you, and if they change the password, you can't even get into the account

    I'm probably just extremely dense, but isn't dotcommail just yet another free mail service?

    do you really think people are stupid enough to think that a mail from 'slashdot@dotcomnow.com' (or 'slashdot@hotmail.com' which I just grabbed) must necessarily come from someone working for slashdot?

    if that's the case, we're in deep trouble. there are hundreds of free mail services out there...

    1. Re:what am I missing? by akey · · Score: 2

      > do you really think people are stupid enough to think that a mail from 'slashdot@dotcomnow.com' (or 'slashdot@hotmail.com' which I just grabbed) must necessarily come from someone working for slashdot?

      You're most likely correct that most people will not believe that mail coming from slashdot@hotmail.com is from the /. staff, but if even 1% of people believe it, it can mean trouble. What if you had a large commercial domain, and someone hijacked your "free" email account, and sent out a few hundred thousand pieces of insulting, obscene, misleading (or worse) e-mail. You'll spend a large amount of time and money trying to repair the damage. Sure, only a few hundred people truly believed it, but you've got to send emails to all of them, post an apology to your web site, etc.

      For a competitor, this could be a real easy way to generate bad publicity...

      --

      ---
      "Go Metallica. Die RIAA." -- Linus Torvalds
    2. Re:what am I missing? by Anonymous Coward · · Score: 0

      the same is true of hotmail or any other free email service, though. i can easily find a free email server on which i can register anydomainname@freeemailserver.com and send out a bunch of spam. why is nsi any different? how many people send out spams from microsoft@excitemail.com or something like that every day? it's not the least bit worse sending from microsoft@dotcomnow.com. no one who doesn't own a domain name is even going to know that there is any affiliation between dotcomnow.com and nsi.

    3. Re:what am I missing? by drix · · Score: 2

      I can send mail to people that's obscene, insulting, misleading - whatever - under the name 'slashdot@hotmail.com' right now and I always will be able to. Sendmail has no authentication to determine if the from address you're telling it is really who you are (duh). Instead of slashdot@hotmail.com, I could send two million e-mails marked "From: clinton@whitehouse.gov". And guess what? Those same one percent who you mentioned will be the people who actually believe it.

      Bottom line, the ability to receive mail under a domain, in all but a few exceptions, is not the be-all end-all of security breaches. The only people who would be fooled by this aren't going to take the time to reply back; they're going to take it at face value.

      Hotmail was a security breach. This is stupidity, but on a far more minute level.

      --

      I think there is a world market for maybe five personal web logs.
    4. Re:what am I missing? by Anonymous Coward · · Score: 2

      I think the big danger is that 2 weeks from now a few thousand people who don't read Slashdot and who never think about password security will be out there using their spiffy new mail account that NSI was nice enough to sign them up for, and they won't change the password. Someone will notice their address in a newsgroup, on a mailing list or web page, and say "hey I'd like to read all their mail, and they have that handy dotcommail address so I know their password!". So yeah, I think the article stated the real danger wrong, stealing a brand new account isn't so hot, but stealing one in a few weeks when mail is coming in, that's a real problem.

    5. Re:what am I missing? by Reject · · Score: 1

      The problem (as far as I can tell) is that since NSI were "nice" enough to setup the account for you, and set up the password, they'll assume that it's you coming from that account. Because of that, and the fact that it's so easy for someone to steal the account, someone can just steal your free email account, then pose as you in an email to NSI and have whatever they want done to your domain. That makes it incredibly easy to steal a domain in my eye.

      Then, maybe I'm totally wrong. I might not be giving them enough credit. I'm also not a security expert, so there may be some other totally different problem(s). This is just what's wrong as I can see it.

      --
      Reject

      --

      --
      Reject
      reject@metaphorcity dot com
  25. Is USA.Net effected by this? by mhaertel · · Score: 0

    I have 2 accounts at usa.net, and I get a bad password error on both of my accounts, they were working about 8 hours ago. Anybody else experience this?

    1. Re:Is USA.Net effected by this? by Anonymous Coward · · Score: 0

      The problem described shouldn't affect usa.net BUT I'm having the same problem as you. I suspect free e-mail servers are going down in sympathy with the recent Hotmail security breach.

    2. Re:Is USA.Net effected by this? by blue · · Score: 1

      No. NetAddress has nothing to do with Network Solutions, and that fiasco is something else in itself. Mine works.

    3. Re:Is USA.Net effected by this? by Zedzded · · Score: 1

      I had the problem, now it is fixed. It's some other glitch, apparently. Zed

  26. Use a public Internet Terminal... by Anonymous Coward · · Score: 0

    ... they're there for a reason.

  27. Wait a second... are we reacting too hastily? by shri · · Score: 5

    I took a look at this story and hurried over to the NSI website and the account I use to register some domains to check this out. Nothing.

    I am glad there was nothing, no dotcomnow account that I can think of and no email with my nice little present from Netsol. If there was, I guess I might have joined in the frenzy here.

    This got me thinking about what the "security hole" is.

    a) That account cannot be used to change my domain parameters, since it does not match the e-mail address I registered from.
    b) Anyone can really set up an account on one of thousands of webmail providers and pretend to be me. Heck, this has happened to me before on some discussion groups, and there is simply nothing I can do to prevent someone from misrepresenting me to lusers. People who know me know where my e-mail comes from, and know I use digital signatures.
    c) How is this different from your friendly bank sending you a credit card without your approval? In fact that is something which I consider more dangerous than this act of stupidity by Netsol.

    Having said this, I seriously think we're overreacting.

    Shri -- returning to the scheduled Typhoon York.

    1. Re:Wait a second... are we reacting too hastily? by EJB · · Score: 1

      Well because it is NSI's e-mail service and the account is your nic-handle, it looks more official than just another e-mail service.

      And second, (I don't know how it is in the states these days) but a bank sending unwanted credit cards causes quite an outrage here in the Netherlands.

      A big organization tried this with its members, trying to force the terms of the credit card company (with regards to abuse, etc.) on their members, and because of the outrage they had to change it such that those terms would only go into effect after the first authorized use of the credit card.

      So yes, I agree with your c), it's just as bad as sending an unwanted credit card, and I think that's pretty bad.

      EjB

    2. Re:Wait a second... are we reacting too hastily? by Anonymous Coward · · Score: 0

      Good post Shri, In amongst this herd of lemmings, over reacting to anything NSI does there rises your island of calm and sanity. For everyone else, Jesus, don't you whiners have anything better to do?

  28. You can change your password by MikeA · · Score: 1

    Go to http://mail.dotcomnow.com and click on preferences. You can change your password from there.

  29. NSI/Slashdot Conspiracy Theory by kaiti · · Score: 1

    Hrm, has the thought occurred to anyone that by alarming all of us slashdotters to this not-so-important security hole that the hype and alarm of this story rushes each and every one of us to _GIVE NSI A PASSWORD_. Most folks don't believe in smart passwords. Most folks use the same password everywhere.

    You may have just given NSI more power than they deserve.

    Wouldn't you just love to be a corrupted employee working for dot com mail?

    Just think... if you were, you'd have passwords to hundreds of thousands of root accounts, etc.

    God, what the hell were you guys thinking doing this. Big whoop. Spank NSI.

    But realize that this is a double edged sword.

    -krs

    --
    :: :: krs. ::
    1. Re:NSI/Slashdot Conspiracy Theory by ptomblin · · Score: 2

      Since I don't *want* another damn free email account, but I don't want anybody else to have it either, I intend to change the password to some random string of characters and then promptly forget it.

      --
      The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
    2. Re:NSI/Slashdot Conspiracy Theory by kaiti · · Score: 1

      Yes, but in my opinion, the hype caused by the "security threat" announcement psychologically will trigger people to want to "claim ownership" of those domains. Think about it.

      -krs

      --
      :: :: krs. ::
    3. Re:NSI/Slashdot Conspiracy Theory by Psiren · · Score: 1

      Anyone using a root password on the web is a moron in the first place. Not likely to happen is it.

    4. Re:NSI/Slashdot Conspiracy Theory by hucke · · Score: 1
      Most folks use the same password everywhere. Just think... if you were, you'd have passwords to hundreds of thousands of root accounts, etc.

      I would hope no slashdotters would be foolish enough to do that.

      I've changed the password for "my" account and for those of the Fortune 100 company I work for to such things as "idiots.nsi", "nsi-criminals", etc.

      (I also got into "amazon", "bn", and "msn", but don't want to be seen as trying to "take" those accounts... they're available right now if anyone wants them!)

    5. Re:NSI/Slashdot Conspiracy Theory by Greg+W. · · Score: 1

      Anyone using a root password on the web is a moron in the first place. Not likely to happen is it.

      Oh, no. Of course not. There are no morons on the web. No, everyone using the web is a long-time Unix hacker, with a background in practical security administration and cryptology. So this won't cause any problems at all.

      </sarcasm>

    6. Re:NSI/Slashdot Conspiracy Theory by Amphigory · · Score: 1

      Yeap... fsckyounsi is my password :)

      --
      -- Slashdot sucks.
    7. Re:NSI/Slashdot Conspiracy Theory by Amphigory · · Score: 1

      Yeap... fsckyounsi is my password :) Of course I'll now have to change it again

      --
      -- Slashdot sucks.
    8. Re:NSI/Slashdot Conspiracy Theory by thekla · · Score: 1
      Are you suggesting there are people who'd use their root passwd for a free web-based mail service login? They ought to be found and shot if they exist.


      Nick Moraitakis

      --
      -- say with me: i'm a monkey child
    9. Re:NSI/Slashdot Conspiracy Theory by thekla · · Score: 1
      I would hope no slashdotters would be foolish enough to do that.

      I've changed the password for "my" account and for those of the Fortune 100 company I work for to such things as "idiots.nsi", "nsi-criminals", etc.

      You spent the time to change the passwords and now you tell everybody in /. some general directions (illustrated with examples) on how to guess the new ones? Cool!

      Nick Moraitakis

      --
      -- say with me: i'm a monkey child
  30. BTW: it's not for everyone by cjsteele · · Score: 2

    I tried this particular little 'trick' with a random domain, and there was no 'account'. SO, they must be being selective ass holes. -C

    --
    "This above all, to thine own self be true" :x!
    1. Re:BTW: it's not for everyone by Christopher+Cashell · · Score: 1

      I'd have to guess they just hadn't gotten to the one that you checked.

      I happen to be a certifiable 'nobody' and I got this e-mail too. However, as yet, I've been unable to get to Network Solution's site, the connection is timing out.

      Looks like they're prolly getting nailed with a less than pleasant response. Well deserved, however. When I signed up for a domain name, I *never* opted in to receive any spam, advertisements, or security hole ridden web based e-mail crap.

      I used to like InterNIC and Network Solutions, of course, that was a few years ago now. Back before they were losing their monopoly and acting like spoiled children about it.

      What a shame.

      --
      Topher
  31. We probably are, but... by barbaBob · · Score: 3

    We probably are reacting a bit over the top, but the scary part is that at least three of the 'lastname' and 'lastnamensi' get me into someone else's e-mail account.

    You're right about there not being a real security at the moment. Only people who used their Dot Com Mail address as their contact's e-mail address will be at risk of losing control of their domain, since most of them use 'MAIL-FROM' as their authentication method for authorizing changes to their domain registration.

    It does make me think about advertising ourselves as a 'Network Solutions Partner' though. But then again, I doubt that you'd be really better off with any of the other TLD registrars.

    Cya
    barbaBob

    --

    --
    *sig*

    1. Re:We probably are, but... by shri · · Score: 1

      I agree. The least they could have done would have been to add some sort of verified activation.

      Go to this URL and activate your account. On activation the password would be sent to the e-mail in your contact info.

      BAD security. But not a major concern for now. Unless they have updated your NSI contact info to your new e-mail addr ;-)

  32. Password mailing. by malkavian · · Score: 1

    Wow...
    I'm impressed... It's been a while since I saw a monumental cockup like that (well, since the hotmail affair anyway).
    I'm sure that a couple of minutes adding a check with cracklib wouldn't have gone amiss, or just adding in a random password generator..
    I wonder.. Do these people have a QC department, to make sure that the code they release is robust?
    Or is a building of PHBs with a lone coder stuck in a cabinet somewhere and let out to be fed and watered every now and then..
    For a large company with huge resources at their disposal, there's no excuse for not checking their functionality a hundred times before release... Especially as this is supposed to be their core business!!!
    I'd love to see their PR dept. right now.. :)
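Added example (not part of the thread, and not Network Solutions' code): the two suggestions made in the comments above, a random initial password with a cracklib-style check against login-derived passwords (comment 32) and activation verified through the contact e-mail already on record (comment 31.1), sketched in Python. The function names, the in-memory account store, the token lifetime and the minimum length are assumptions made for illustration; the derived-password check is a simplified stand-in, not cracklib itself.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
TOKEN_TTL = 48 * 3600   # assumed policy: activation link valid for 48 hours
MIN_LENGTH = 12         # assumed policy


def derived_password(login):
    """The pattern quoted in the story: login name plus a fixed suffix."""
    return login + "nsi"


def is_derived_from_login(login, password):
    """Simplified stand-in for a cracklib-style check: reject a password that
    contains the login name (or its reverse) or is contained in it."""
    name, pw = login.lower(), password.lower()
    return name in pw or pw in name or name[::-1] in pw


def random_password(login, length=16):
    """Random password from the OS CSPRNG, regenerated if it happens to
    trip the derived-password check."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_derived_from_login(login, candidate):
            return candidate


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Provisioner:
    """An account has no password and cannot be logged into until the holder
    of the contact address on record presents a one-time token."""

    def __init__(self):
        self.accounts = {}

    def invite(self, login, contact_email, now):
        token = secrets.token_urlsafe(32)
        self.accounts[login] = {
            "contact": contact_email,
            # only a hash of the token is stored server-side
            "token_hash": hashlib.sha256(token.encode()).digest(),
            "expires": now + TOKEN_TTL,
            "active": False,
            "salt": None,
            "pw_hash": None,
        }
        return token  # mailed to contact_email only, one token per account

    def activate(self, login, token, new_password, now):
        acct = self.accounts.get(login)
        if acct is None or acct["active"]:
            return "bad-token"
        if now > acct["expires"]:
            return "expired"
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, acct["token_hash"]):
            return "bad-token"
        if len(new_password) < MIN_LENGTH or is_derived_from_login(login, new_password):
            return "weak-password"
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _hash_password(new_password, acct["salt"])
        acct["active"] = True
        acct["token_hash"] = None  # token is single-use
        return "ok"

    def login(self, login, password):
        acct = self.accounts.get(login)
        if acct is None or not acct["active"]:
            return False
        attempt = _hash_password(password, acct["salt"])
        return hmac.compare_digest(attempt, acct["pw_hash"])


if __name__ == "__main__":
    # Constructed sample handle and address, for demonstration only.
    p = Provisioner()
    tok = p.invite("example1", "owner@example.com", now=0)
    print(p.login("example1", derived_password("example1")))          # False
    print(p.activate("example1", tok, random_password("example1"), now=60))
```
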

  33. be persistent by Anonymous Coward · · Score: 0

    The site is /.ed. Just persist and you'll get in. I'm not so sure this is such a big potential security breach, but it is annoying.

  34. Even more annoying to me was... by scenic · · Score: 1
    this little gem at the bottom:

    If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line. PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.

    So basically, if I don't want stupid emails like this, I have to give up "real-time" communication from NSI about my account? That sounds kind of stupid, don't you think?

    Sujal

    --

    politics, food, music, life: FatMixx

    1. Re:Even more annoying to me was... by earlytime · · Score: 1

      this is exactly why I registered my domain with register.com, NSI is a fscking horrible company. I never get mail from register.com, nevermind spam. Also, I've found that register.com's web interface to domain administration is *far* better than the e-mail crap that NSI has set up for their domain admin process. Not to say that register.com is perfect, I've had my problems, but NSI is orders of magnitude worse.
      -earl

      --

  35. PARC Lemmings at Network Solutions by Effugas · · Score: 5

    OK, gotta get the music to that strangely addictive game out of my head now.

    Check out this piece of wholesome goodness, delivered in the same message as my (cleartext) domain hijacking password:

    If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line.
    PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.


    The mind boggles. One of the primary aspects of the net's formative power is its ability to quickly report the consensus of a company's customer base. Emails such as the one recently sent to all domain owners--containing both an unprecedented security breach and a jaw-dropping amount of arrogance (read our spam or we lose your bill)--only serve to increase internal communication within NSI's customer base, and to erode and eliminate the trust that the company has built up over the years.

    I am positive there are a lot of others out there like myself who hold a great deal of technical respect for their extremely high-uptime management of the closest thing we have to a single point of failure. They've done much right, and honestly, they've scaled better than one might have expected considering their ever increasing workload and the sheer number of years they've been doing their job.

    I almost see a parallel to Microsoft here. People complain that the Windows 9x kernel is buggy, but considering that it runs everything from ancient DOS games to 32 bit applications, it's a miracle it runs at all. There's some truly respectable hackery involved in that! However, nobody, not even Microsoft's staunchest allies will say that their businesspeople are the most ethical in the industry, and most of the industry will claim that the Microsoft businessdroids have even less faith in their coders than the Linux bigots.

    Why else fudge the numbers and force the shipments? Nobody's going to run Internet Explorer unless they're forced to...so lets force 'em. That seems to be the mindset.

    Similarly, the Network Solutions folks have pulled off some significant technical miracles, but their business side is obsessed with the concept that nobody cares about anything technical. Since nobody would use NSI if they had an alternative registrar, the quality and quantity of alternatives must be fought tooth and nail. Since NSI is nothing but its collection of names and addresses retrieved under contract from the federal government, they'll claim de facto ownership of the WHOIS database until the Commerce Department's gun is pointed at their head with the hammer cocked.

    Nobody cares about name resolution, you see. The real fad is WEB BASED EMAIL; create accounts for people without even following basic security procedures!

    Nobody would actually want any of the services offered by NSI through email, so issue a vague threat to cut off all email--even that which is critical to the operation of one's domain--unless the domain owner agrees to sift through the latest thing being hawked by NSI.

    The more NSI does in this style, the more they disenchant, disenfranchise, and disconnect themselves from their customer base.

    There's no logical reason for this to occur.

    I call all of this the PARC Lemming Syndrome. Every hi-tech businessperson secretly (or not-so-secretly) laments that he or she wasn't there at Xerox PARC to bring all of those amazingly profitable inventions to market. The agony of imagining so many lost dollars causes them to try to milk whatever or wherever they're at without due concern for what this will actually do to the business's Core Competency.

    To the businessperson...maybe he's breaking loose, pulling ahead of the pack, about to lift off, ascend to new heights...or maybe she's in the middle of a herd, trailblazing, secure in the knowledge that together new possibilities are being forged.

    To the customers, and the rest of us...just looks like a bunch of lemmings racing headlong towards a cliff.

    I implore you, Network Solutions. Buy a clue. Get a twelve pack if needed. Your customers trust you because your uptime is unbeatable, your security is generally reasonably tight, and because you've been doing it right longer than anyone else in the business. I'm one of your customers. Before you tell me anything, offer me anything, or do anything, think of why I do business with you, and about what could make me stop.

    Don't be a lemming!

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com


    Once you pull the pin, Mr. Grenade is no longer your friend.

  36. Incredible. Even for NSI. by Bob+Ince · · Score: 2

    This is frankly amazing. Not only that such a large, allegedly net-savvy company could make an elementary security blunder(*), but that they even thought to was a viable business plan.

    After all, all existing domain holders already have valid contact addresses(**) and don't need another poxy webmail account. They're also likely to be the kind of net users who'd not use webmail for importantish stuff. Maybe they just wanted to be able to claim X current users to advertisers, whilst not telling them none of them actually use the service.

    Just glad they don't seem to have included any domains I'm involved in...

    (*) Hey! Has anyone tried to get root at NSI using the password 'nsinsi' or something?

    (**) Except for the spammers, obv. Maybe NSI were aiming the service at spammers. That would certainly fit their modus operandi.


    --
    1. Re:Incredible. Even for NSI. by Blrfl · · Score: 1

      Where ever did you get the silly idea that NSI was a large company?

  37. Still works.. by seeken · · Score: 1

    So I went and changed the PW for the doms I manage- and I made a mistake... I got the email, it said xxxxx4 for user, and I just type xxxxx, so I accidentally changed the wrong password! D'oh!

    friggan turds.



    Surfing the net and other cliches...

    --

    Surfing the net and other cliches...
    (Who Meta-Meta-Moderates the Meta-Moderators?)
  38. works by Overkill · · Score: 1

    Bahahahaha
    I just successfully picked 3 random names
    and added nsi to the end for the password and it actually let me log in=P

    The stupidity of some people...

    1. Re:works by Zedzded · · Score: 1

      Still works, I picked random 3 bigbig websites, haven't changed a thing though, it's too easy. Zed

  39. Re:Will this piss off enough people to get NSI sue by Anonymous Coward · · Score: 0

    suing anyone for anything sucks. the US is not the world. i want my freedom!!

  40. Imagine what that poor webmaster thought... by Brento · · Score: 2

    I can just see that moron sitting in his office now.

    "Hey, look! My new e-mail service is getting tons of hits! Wow, it's only been available for a few hours, and everyone is logging in with their new accounts! Unbelievable! I'm going to be a huge success! I'll be on the cover of Fortune. Hotmail, move over, baby." (sound of smacking lips)

    So let's all contribute to his trumped-up feeling of greatness. I'm logging in with every name I can find (someone else's, of course) and sending congratulatory e-mails to webmaster@dotcomnow.com about what a wonderful service this is, blah blah blah.

    FYI, http://mail.dotcomnow.com still works, even though the original URL sent out in the e-mail is /.ed.

    And before you try it, I've already snatched clinton, lewinsky, and elvis. Heh heh heh....

    --
    What's your damage, Heather?
    1. Re:Imagine what that poor webmaster thought... by mwalker · · Score: 1

      Woop! I just got "slashdot@nsimail.com"!
      Also, hats off to whoever got "root@nsimail.com",
      you beat me to it.

      I must be the "damn" in dot com.

      Whoever got root@nsimail could have some real fun...

      to: webmaster@www.microsoft.com
      from: root@nsimail.com
      Subject: Domain termination
      -------
      Your domain name, registered with us on August 15,
      1985, "microsoft.com", is being terminated
      immediately by NSI. Please call our technical
      support line with any questions you may have.

      -Bob Johnson, NSI tech support.

      -----
      seriously, don't do anything like this.
      at least, unless you're sure no one can trace you.
      (;

  41. No SSL either by Anonymous Coward · · Score: 1

    Also, the login screen is completely insecure! No SSL or anything. At least hotmail passwords don't go over the net as plaintext!

  42. Only customers inside the US of A? by barbaBob · · Score: 1

    Can't make it work with contacts outside the US of A. All the last names that work are from people that live inside the US. Guess I am lucky after all ;)

    barbaBob

    --

    --
    *sig*

    1. Re:Only customers inside the US of A? by Paul+Johnson · · Score: 1
      My UK-based employer has now grabbed its free mailbox, so non USAians had better look out too.

      Thanks, Slashdot. This has given me the chance to look good in front of some pretty senior people here.

      Paul.

      --
      You are lost in a twisty maze of little standards, all different.
  43. Not at all surprised.... by yorkie · · Score: 5

    What has happened to the IT industry? Quite simply too many clueless people are being employed, usually hired by equally if not more clueless management.

    I've seen networks brought to their knees entirely due to management making decisions on the network topology. I have seen distributed networks fail due to a management decision to consolidate all logins to one single server! (Doh!) I have spent hours trying to bring dead systems back to life because no one bothered to maintain or monitor the system for 7 years, hoping the system would look after itself, and once I got it working the machine suffered a catastrophic hardware failure, and no more spares were available world wide. And it goes on...

    The most ironic thing is that earlier this year I spent 4 months out of work. For every single interview, the decision rested on someone with no technical experience. I've found a position now, but it is 200 miles from home, and half the team I have to work with don't deserve their position.

    There are too many fools in this industry making decisions. No wonder NT is so bloody popular.

    The moron who thought of this, and the bozo who hired him should never be allowed to touch a keyboard again.

    1. Re:Not at all surprised.... by Anonymous Coward · · Score: 0

      What has happened to the IT industry? Quite simply too many clueless people are being employed, usually hired by equally if not more clueless management.

      Curious where they're coming from? I'm not. At my last job I raised concerns with security issues about software that was released shortly before I left. (Specifically, said software stored ISP passwords on the users' system in mindlessly trivial "encryption" -- essentially rot13. They "couldn't fix it" because the portion of the software in question was licensed from another company and we didn't have the code. Open source would have solved that, but that's another matter :-) ) I was told the following, although not in as many words:

      1. Keep it quiet. Some employees (the non-techies) don't understand that it's not really a big deal and we don't want them to blab and jeopardize acceptance of the product before it leaves the door.
      2. It's not really a big deal. The target audience is home users and most don't have that worry. (Never mind that it was also targeted at business users, most of whom had unsecured machines to begin with; you can just imagine what would happen if a disgruntled but knowledgeable employee was around after hours with all those machines to check out.)
      3. You don't seem to want to see this software to get off the ground. (It also included Microsoft software that tended to destroy existing Windows installations; I railed against that too.)

      Now to the point -- there was no way I was obtaining any promotions in that company. I had gone against the grain -- raised security concerns that "most of our users won't care about". Other less skilled people with fewer insights into the way it all worked were promoted long before I was.

      So now you know the reason why today's crop of IT people is clueless about security. They aren't hired by people who understand the details; rather, they're hired by those who only understand profit and will settle for "it works for most people".

      P.S. sorry about the AC, but I have others who agreed with me that still work at that company who I don't care to involve in yet another imbroglio. I hear they've got enough troubles on their hands dealing with the aforementioned software as it is.

    2. Re:Not at all surprised.... by Anonymous Coward · · Score: 0

      Well, tis I, the Bastard Skinflint Boss From Hell, again. The issues you discussed for us can be boiled down into the following:

      MIS is not seen as important enough to business to be accorded the same cautious independence that accounting is allowed.

      Let me explain. When I started in EDP (Electronic Data Processing), I was placed in charge of about 30 young ladies, just out of high school, who wanted a job at a stable oil company in downtown Houston. They were paid very little, and they were normally kept under close supervision because their job was critical and they were assumed to be less than skilled. I got them a 30% raise by getting rid of eight managers (for the 30 girls) and telling them that they were personally responsible. Mistakes dropped, they got faster. The reason why I wound up explaining myself to a senior VP when word of what I had done moved up the corporate spinal column a bit over the next two months was that EDP was seen as way too critical to screw with. I spoke to the VP, we had a drink, he allowed that I might be right (I suggested that making the girls cry was not helpful for keeping them in the right frame of mind to do complicated work like sorting, and at least one of the managers would make one of the women cry almost every day by shouting at them). I invited him down (he came once and was apparently quite impressed that one of the ladies nearly took his hand off at the wrist for touching her cards), and kept an eye on things. What they were doing was keeping the books, really. That was it. If we didn't, we couldn't pay people, including other companies and the IRS. If we did not do what we did (well, what I watched and they did), the company would shut down in a few weeks.

      Later (much) we got a faster mainframe, then a second, then two more, better tapes, better tape drives (the self-loading ones that would suck the tape along the track), smaller DASD, and so on. We fully staffed three shifts, the pay increased some, and more men started coming in. Still, every time there was a major problem, I would be talking to multiple VPs because the mainframes were critical to the continuation of our company as a going concern and we were ever-aware of that. This was about the time we started to get Selectric IIs, because they were also seen as a sufficiently big improvement that they were worth the large amount of money we spent on them. Still, what we did ran the company, and we were able to supply a lot more of what is now called "business intelligence" to the stats guys and later to management.

      About the time that my son was starting high school, we got three 3090s, went to square tapes, and started to do a whole lot more work with databases. Still, we had to really keep an eye on things as what we did still ran the company. If the 3090s went down, we were screwed. That was why we staffed three shifts. About this time, we started to get PCs in the offices in large numbers, all still from IBM. These were not mission critical and were seen as replacements for the Selectrics, as they usually had dot matrix printers attached to them. We ignored them (the furry little critters) because we had real work to do and they couldn't possibly hurt us. I am sure you can imagine where this went.

      Today, about 35% of our huge budget is dedicated to things that we consider "mission critical," namely the new G5s, the big RS6000s, and the odd things (VAXen, OpenVMS Alphas, some NT sadly, Sun boxes, some HP boxes, a few SGIs) that have built up. The single largest line item is telephone software support for Windows users. The next largest item is hardware support for PCs for those same users. Third is support for all of the printers that we have all over. And sadly, as the key things have moved away from stable platforms onto poorly written distributed systems, I can no longer say that all of the stuff that costs us huge amounts of money is not mission critical. Even more sadly, we, the experts, have a lot less say than prudence would suggest in selecting the PCs. So, we have to deal with an environment that we cannot, for the most part, control. And so we have come to this place where MIS is not seen as too critical to mess with in a cavalier fashion.

      I think that a lot of this is that system time is too cheap to meter, as it were. If a resource is scarce, people will use it efficiently. That was true with the mainframes. Sadly, as everyone has gotten a PC, the perceived need to husband your time and resources to make full use of the system has essentially vanished, with the training need being largely dropped. We train a lot, but we have to pull people in. The fact that Windows changes so much so often doesn't help much at all. They are faster, but the company has come to see the incredible time sink of Windows as being the way you do business (one of the reasons we are pushing Linux and X terms). Because they are seen as less important, an expert is seen as unneeded (again, Microsoft, which has been telling everyone for years that this stuff just isn't that hard). So they leave us out of the loop (until a year ago, actually) and we get to deal with the consequences.

      So, when something goes very wrong (because everyone buys a PC Jr., for instance) because said experts weren't consulted, it is not seen as a logical flow from one bad decision to another, because computers are no longer considered worthy of hard thinking. In my experience, there are a lot of good people out there -- you just have to pay. We pay, we are never short good people. And we are never down. But I think that we will need a major corporate failure to really illustrate this issue, as a few people have pointed out.

  44. NSI - Best security of all by MobyDisk · · Score: 3

    NSI has subscribed to the best possible security flaw of all - The Slashdot effect. Now that they are hosed, no one can get to their accounts! (At least I cannot seem to get in - timeouts on the site galore)

  45. Prepay for a domain name??? by whirlycott · · Score: 1

    Well, in all the fuss, did anybody miss the part in the famed NetSol email saying that as of Sept. 18th, we have to start paying for domain names in full at the time of registration??? How much does that suck?

    1. Re:Prepay for a domain name??? by MR_URC · · Score: 2

      But it is completely understandable, since they can't seem to get around to mailing their bills. I asked to be billed by mail and had to pay on the website the day before the bill was due. I never got a bill by mail. I got a receipt for my payment within a week, though. With 30 days to get a bill to me, you think someone might have actually sent a bill before the due date. Several domains that were registered with my last place of employment were cancelled due to lack of payment. The bills were never received.

      Forcing online billing is their way of saying that they can't do their own accounting.

  46. Another Potential problem with security.... by Lantheaume · · Score: 1

    So, I checked out the dotcom directory and it looks like you can change anyone's information. If you go to "Update Your Listing" search for a domain. They give you all the fields to update and say that they will call you to verify. BUT then they give you a box to enter in alternate contact information.

    My guess is all you would have to do is change things, put in a fake name, verify it when they call you and you're all set.

    Okay, so it's not critical information. But some people might be depending on this engine to find information about companies. Network Solutions is supposed to be a reputable company.

    I'm still waiting for my phone call to see what they use to verify I have permission to change a company's information.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~

    --
    How many surrealists does it take to screw in a lightbulb?
    Fish.
  47. heads up by jsm2 · · Score: 2

    very good post, and people should read the essay linked to. Just one point to save you some trouble later:

    The phrase "Core Competency" is a [tm] trademark of Gary Hamel, a management science professor at the London Business School. He's a cool enough guy (I know him), and doesn't usually get heavy over the fact. But he makes his living out of going round talking to companies as "the Core Competency[tm] guy". So he's a bit touchy if anyone else tries to pass themselves off. And sometimes he feels obliged to defend his trademark in order to stop it passing into the public domain ("use it or lose it")

    I'm not sure what your firm DoxPara Research does, but if you're planning on using the phrase "Core Competency" in a consulting context, you might want to send ghamelATlbsDOTacDOTuk a message, just to keep everything above board.

    Me, I'd say screw it, trademark law's a crock and the thing's probably gone public domain anyway by now. But the information can't make you poorer.

    this free business advice brought to you by

    jsm

    1. Re:heads up by sphealey · · Score: 1

      "The phrase "Core Competency" is a [tm] trademark of Gary Hamel, a management science professor at the London Business School. He's a cool enough guy (I know him), and doesn't usually get heavy over the fact"

      Good luck. I have seen that phrase used at least 10,000 times over the last six years [yes, I was on the dark side in an MBA program], in widely distributed business journals and mass market publications, without attribution or a trademark reference. IANAL, but I think he would have a hard time bringing a case against anyone based on the widespread public use of the phrase.

      sPh

    2. Re:heads up by Effugas · · Score: 2

      The phrase "Core Competency" is a [tm] trademark of Gary Hamel, a management science professor at the London Business School.

      Did he come up with the concept that I named my paper after? Hurm, after I clean it up a bit(some significant alterations are in order after that rather interesting session I had at LWCE), I may toss the paper over to him for evaluation.

      The term is reasonably public domain(hell, I've heard of it), but if he's the inventor of the field of thinking, it would behoove me to understand a bit more of what his theories are.

      (For those who are wondering WTF all this is about--Core Competencies is an essay regarding the economics of Open Source. I brought it up when discussing the diseconomic meanderings of everybody's favorite registrar.)

      Yours Truly,

      Dan Kaminsky
      DoxPara Research
      http://www.doxpara.com


      Once you pull the pin, Mr. Grenade is no longer your friend.

    3. Re:heads up by jsm2 · · Score: 1

      yup, he did. The ref is

      Prahalad, C.K.; and Hamel, Gary. "The Core Competence of the Corporation." Harvard Business Review, May-June 1990, pp. 79-91. He's got a book out with a similar title (in an airport bookshop near you), but I doubt it adds much to the article.

      I agree that the [tm] is probably fscked through common usage, although I'll mention that an MBA-dude would have been more likely to hear it without the [tm], as he has given blanket license for its use in academic contexts.

      But he's a good guy, and I bet he'd be very receptive to your paper (particularly if the Open Source/Core Competency nexus might add new fields to his consulting empire).

      Have fun.

      jsm

      (good old google shows I'm not just making this up)

    4. Re:heads up by Effugas · · Score: 2

      (Sorry all for the public post. I don't have JSM2's private email.)

      I attempted to email Gary, but the message was returned. Could you verify his address and contact me? I'd like to contact him, per your suggestion.

      I checked google--yeah, this guy very likely would be interested in the software impacts of much of his economic theories. Particularly with the business model evolution I need to work on involving the future of software development--his input would definitely be appreciated.

      Thanks!

      Yours Truly,

      Dan Kaminsky
      DoxPara Research
      http://www.doxpara.com



      Once you pull the pin, Mr. Grenade is no longer your friend.

  48. Now I'm really scared... by Cort_Tompkins · · Score: 1

    I just changed the password for my own personal domain, but that got me thinking and I tried to guess the login/password for the domains of my customers.

    Nearly every single one of them has ended in the digits 57. Within a few minutes of picking common names and numbers around 57, I was able to log in to dozens of accounts. It was hard to resist the temptation to commandeer account gates57 =)

    1. Re:Now I'm really scared... by Anonymous Coward · · Score: 0

      The temptation was too much for me...

      contact me at gates69@dotcomnow.com :)

  49. hardly a security problem by Anonymous Coward · · Score: 0

    Would you trust @hotmail.com?
    I don't think so.
    This is not any kind of a security problem, just an example of a little stupidity.

    1. Re:hardly a security problem by Anonymous Coward · · Score: 0

      That should say:
      your_company_name@hotmail.com

  50. No, this reflects on NSI's security as a (w)hole by Brento · · Score: 2

    I don't think we're overreacting. I think it's disturbing when someone so big does something so stupid. Think about how much we rely on this company for our day-to-day services, and how tough their security should be. They should have extremely stringent standards.

    Someone assigned every single account the same password, in essence. This violates so many common sense rules that it's amazing: easy-to-guess user names, standard passwords, passwords sent out in regular e-mail, no authentication process, yadda yadda yadda. I mean, I just logged on and snagged three major commercial sites, just to see if I could do it. I'm batting .666 so far.

    If I did something that stupid and assigned all my local office users with easy-to-guess passwords, it would be no big deal, because I'm small potatoes. But when a giant like NSI does it, it's insulting to all of us. None of us would make that mistake, and it's fair to say that most of us probably aren't getting paid whatever the NSI schmuck was.

    --
    What's your damage, Heather?
  51. Looks like they haven't done it for my domain yet by Anonymous Coward · · Score: 0

    So I hastily created the relevant accounts. Hopefully that will break whatever script is trawling through the whois database and creating accounts, or at least stop me getting a dumb password. :)

  52. This is 'webmaster@dotcomnow.com' talking! by barbaBob · · Score: 2

    Can't believe this. 'webmaster' is wide open as well. There's e-mail from 'clinton', 'elvis' and a few others.

    I changed the password. I'll mail it to postmaster@netsol.com later on. Jeez....

    --

    --
    *sig*

  53. Accept our SPAM or else! by quonsar · · Score: 1
    I also received the spam this morning, and the part that really hacked me off (I was unaware until now of the security implication of the email account) is the end of it:

    If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line. PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.

    So by opting out of their spam, you are opting out of ANY communication from them at all regarding your domain(s).

    To paraphrase The Who, "Who the fuck are they????????"

    Bite My Ziff, Davis!

    ======
    "Cyberspace scared me so bad I downloaded in my pants." --- Buddy Jellison

  54. Alternative registrars -- who are they? by Zigg · · Score: 4

    This is absolutely crazy, and I want it to be the last straw. I have been screwed over by NSI both personally and professionally now:

    1. I wanted to change the registrant name on zigg.com, which I registered years ago with a short-lived business of mine, to my own personal name, so I could dissolve the business. However, despite the fact that I sent them proof from the county that the business and myself were identical legal entities, they insisted that the change was a "domain transfer" and I'd have to reregister.
    2. For two weeks now I have spoken and e-mailed at least ten different people on another issue. I recently came in to work at a startup ISP. The domains were registered through their "Registration Plus" or "WorldNIC" or whatever the hell they wanted to call it -- and the host record handles have periods in them! None of the NSI forms will accept these bogus host handles, and nobody who I can get access to -- not even after the front-line drones got so confused by what I was patiently trying to explain to them that they gave me the supposed "priority" e-mail address (priority@networksolutions.com, for those who are interested; but it still takes days to answer) -- understands the problem. I think I'm going to have to settle for registering the hosts under new IPs.

    All in all, NSI has screwed me over again and again, and their callous disregard for professionals that need to get their jobs done by not even allowing me access to engineers (after repeated requests) to repair the aforementioned host handle problem is a load of bullshit.

    Now, to the thrust of this posting -- where can I find these so-called alternative registrars? Are they yet capable of freeing me from the shackles of NSI -- to the point of never having to email anyone at networksolutions.com again -- and still keep my .com, .org, and .net's?

    I sincerely hope that if they are not here now, that they arrive very soon. I have a lot of new business for them.

    1. Re:Alternative registrars -- who are they? by joost · · Score: 2

      where can I find these so-called alternative registrars?


      http://www.joker.com/
      (not a joke)

    2. Re:Alternative registrars -- who are they? by jamiemccarthy · · Score: 3
      The official list is at http://www.icann.org/registrars/accredited-list.html.

      Register.com was the first. Joker.com is currently the cheapest (it's based in Germany but its English webpages are passable).

      Jamie McCarthy

      --

      Jamie McCarthy
      jamie.mccarthy.vg

    3. Re:Alternative registrars -- who are they? by Anonymous Coward · · Score: 1

      I have had excellent luck with register.com for two of my domain names. When my NSI domain name comes up for renewal I'll be moving it over to register.com. Not only is it easier to deal with register.com, but they offer free DNS and domain aliasing (unlike NSI). The only downside (if you can call it that) is that my domains do not show up in the Internic whois database.

    4. Re:Alternative registrars -- who are they? by Anonymous Coward · · Score: 0

      Yeah, but then if you use register.com you must realize you are giving money to a company with good tech people, but run by marketing/management people more ignorant than @ internic.. Their chief technology officer, rob gardos, has the intelligence of a reporter covering the oj case, but he's supposed to be the cto of a major internet player? I don't think so. their ignorance should be boycotted!

  55. Way to deal with this... by sterno · · Score: 1
    By accident I have managed to find a way to prevent this webmail problem. If you set up your DNS so that you have a server named like mail.domainname.tld the webmail thing does not work.

    When I tried to access my dot.com webmail (what a dorky name), I was told to go to mail.domainname.tld, which redirected me to my mailserver since I already register that machine name in my DNS settings.

    ---

    --
    This sig has been temporarily disconnected or is no longer in service
  56. Re:Update - Various ways by Anonymous Coward · · Score: 1

    So far, I've only been able to get into 2 domains using the admin's last name and admin's last name & nsi. I haven't found any domains or any of my domains where I could use admin last name & handle number.

  57. OH, and it gets worse... by irrelevant · · Score: 1

    Passwords are extremely guessable as they are limited in length as well with extra characters being ignored.

  58. Idiots by eyeball · · Score: 1

    This reminds me of when the New York-based phone company Nynex (now Bell Atlantic) sent out a mass mailing to /all/ their subscribers containing a phone card and the matching pin #. Needless to say, many cards fell into the wrong hands, and all hell broke loose...

    And people worry about electronic privacy. They should be more worried about gross ineptitude.

    --

    _______
    2B1ASK1
  59. Put your dotcomnow mail account to good use! :) by CoreDump · · Score: 1

    Okay,

    The link in the email is either /.'ed, they took it down, or it's another example of NSI incompetency. ( I suspect a combo of the first and last. :P )

    My username/password was not related to any of my NIC handles in any way. The password was the combo of 'username+nsi' which is truly awful as already noted here.

    You can go to http://mail.dotcomnow.com to access your account, so they definitely *haven't* taken the site down.

    I logged in, changed my password, set up the vacation message, and sent mail to NSI expressing my displeasure at this rather silly attempt to gain yet more business from me ( it ain't gonna happen. )

    So now, when they reply to my emails, they'll get my autoreply vacation message.

    Hrm... wonder if there are any autoresponders at NSI that I could mail from my wonderful new account... ( heh )

    --

    ---
    Segmentation Fault ( core dumped )

  60. The *really* nice feature with this is... by Anonymous Coward · · Score: 0

    THERE'S NO FRIGGIN' WAY TO CANCEL THE ACCOUNT ON-LINE! So they've set up an account I did not want or ask for, gave it an easily guessed password (why not make it simpler to guess by just using 'password'?!?) so you have to log in and change it, and now I have to call them to cancel the account?!?!? Can you say morons?

  61. Huh? (was Re:Way to deal with this...) by Zigg · · Score: 1

    Okay, I'm confused. I wasn't offered a new webmail address in my own domain. I was offered some idiotic "whatever@dotcomnow.com" address.

    If they had tried to pull something on redirecting mail on my domain at all, you can bet I would be down to Herndon (they are in Herndon, aren't they?) as fast as I could with an aluminum bat demanding to see the person who made that decision.

  62. You know what makes me MAD? by Amphigory · · Score: 1
    Take a look at this little tidbit at the bottom of their email:

    If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line.
    PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.


    As I read this, it means that if I choose not to get their spam, then they will not email me anything at all! Like "Your domain is being shut down". Now maybe that isn't really what they mean -- but if not they are deliberately making it sound like that's what they mean.

    I really, really, really resent this. Guys -- it is clear that Network Solutions and the domain name system in general is completely, totally out of control. I have been waiting 5 years for some reasonable new TLD's. Waiting, with no luck. All because of network solutions. I want these jerks out of business, and I think I know how.

    I think it's time to start our own DNS, a la alternic. If we could get participation from slashdot participants, we would probably cover 50% of the net. If we really aggressively pushed it, we could probably get 90% coverage.

    *sigh* It would probably never work, but internic makes me mad.



    --
    -- Slashdot sucks.
    1. Re:You know what makes me MAD? by Zigg · · Score: 1

      You've got my vote and support -- I'll be your first customer, or employee if you need me. (-:

    2. Re:You know what makes me MAD? by .@. · · Score: 5
      I have been waiting 5 years for some reasonable new TLD's. Waiting, with no luck. All because of network solutions.

      Err...not true. The main reason no new gTLDs have been rolled out is that the Intellectual Property (IP) and Trademark (TM) interests are scared of cybersquatting, and refuse to pay what it would cost to police these new gTLDs for possible infringement. This is troublesome, because IP and TM law require the famous mark holder to bear the cost of protecting their marks. They want to shift that cost to the registry and/or registrar, who will of course pass it on to the domain name owner.

      They keep asking for things like unilateral, full, standardized, searchable access to all registrant data, enforced verifiable contact info, heavily restrictive and punitive Dispute Resolution Policies, etc.

      NetSol may suck, but in this instance, it's not NetSol that's creating the vacuum. It's the people who own famous names and marks, who keep pushing for more than anyone is willing to give. Net result: No new gTLDs.

      If you're concerned, stop whining and get involved. The ICANN Domain Name Service Organization is acting on these very issues right now.

      The Individual Domain Name Owners' Association is fighting to ensure things like equity in dispute resolution and protection of your personal information are present in the future worldwide DNS system.

      --
      .@.
  63. Server offline? by jps3 · · Score: 1

    Re: the NSI web-base email password fiasco

    Now, I can't even get online! The server must be down or just bogged by people trying to break in to the server. What a load of crud...

  64. Take a look at the headers, folks. by tracey · · Score: 1

    I just noticed that the email I got came from netsol1@INTEGRAM.ORG, which whois's to:

    INTEGRAM (INTEGRAM4-DOM)
    2730 Prosperity Ave.
    FAIRFAX, VA 22031
    US

    They don't seem to have much in common with NSI. Their web address seems to be an empty directory (has the apache feel to it though).

    So, what gives with this?

    1. Re:Take a look at the headers, folks. by Ranger+Bob · · Score: 1

      Yep. You're right. Of course, this is a prime example of potential Internet-based masquerading...

      One more thing: didn't anybody consider that it's just as easy to go to any free-mail site and create a bogus account for masq-ing as anyone (or any organization???)

      --
      "Widget choice makes me horny." -
    2. Re:Take a look at the headers, folks. by Wholeflaffer · · Score: 1

      Yeah, I looked them up, too. Interesting thing is the e-mail address listed for the main contact:
      [snip]
      Domain Name: INTEGRAM.ORG

      Administrative Contact:
      INTEGRAM (IN601-ORG) no.valid.email@WORLDNIC.NET
      703 849 1700
      Technical Contact, Zone Contact:
      Markle, Chad (CM3763) cmarkle@INTEGRAM1.COM
      703-849-1700 (FAX) 703-849-0056
      Billing Contact:
      INTEGRAM (IN601-ORG) no.valid.email@WORLDNIC.NET
      703 849 1700

      Record last updated on 03-Sep-99.
      Record created on 29-Mar-99.
      Database last updated on 15-Sep-99 05:06:04 EDT.
      [snip]
      (FYI - WorldNIC = Network Solutions)
      I wonder if I can get a "no.valid.email@" address on my registration?

      --
      Certified Microsoft Notworking Specialist
    3. Re:Take a look at the headers, folks. by Anonymous Coward · · Score: 0

      The company that I work for has contracted with Integram in the past (helping to set up their mail system, actually). They are legitimate, and are handling this bulk mailing for NSI. If I'm not mistaken, they are mailing out to the domains in alphabetical order. I don't know why NSI had to contract the job out. You would think they would have the in-house resources for this sort of thing...

  65. reminds me of that 70's SNL skit... by Croaker · · Score: 1

    ...with Lily Tomlin as a spokeswoman for the phone company:

    "We'll sell your personal information if we feel like it. We'll privatize public information. We'll set up an e-mail account for you, without even asking, and make the password obvious. If you complain, we won't care. We don't have to. We're NSI."

    Scary thing is, back then it was comedy. Now, it's the truth.

    1. Re:reminds me of that 70's SNL skit... by poink · · Score: 1

      "Whoops, we just lost Peoria!"

  66. They seem to have shut it off now by Get+Behind+the+Mule · · Score: 1

    I just got the mail from NSI. There is no mention of a free Email account, and in fact there is no section 3.

  67. dumb and dumber by Anonymous Coward · · Score: 0

    Every email service I ever signed up for including a hotmail account, netscape mail, and yahoo, did not assign me a password. Thanks to this article any one who has an account with these people can basically get f***** real hard. This is an example of clueless management. Obviously whoever thought of this idea was not aware of security issues at all. This is either a clueless techie with a hairbrain idea, or a management type that does not listen. This is clearly an example of a good idea gone bad and technology in the wrong hands.

  68. SIGH by Bud^- · · Score: 1

    Man, that would really suck for the person that admins > 100 domains, oh wait that is me ... sigh.

    Oh well, it's not like I have nothing to do anyways, I'm glad internic created me this account, it is a true service on their part.

    Now I can access my email from home, work and on the road ... oh wait I already do that via telnet->elm.

    What ever happened to the key concept in CS 101?
    KISS - Keep It Simple Stupid.

  69. These morons are in cahoots with MS by Oscarfish · · Score: 1
    Perhaps NSI and MS are working together on this one, and the "dot com mail" or whatever the hell it's called is based on the (cough) ultra-secure Hotmail code.

    This really sucks and I'm not renewing my domains with NSI ever again - when they expire I'll register with someone else and I'll lobby to have them put on the MAPS RBL if they spam me again.

    These f*ckers have screwed up before but this really takes the cake. I swear to God they've got to be working with MS on this!

    --

    --------

    Oscarfish.com: tropical fish with attitude. Way t

  70. Mail IDs are not by Handle... by Neurowiz · · Score: 1

    The Mail IDs are built via how many of last names there are, and then incrementing a number like so: If there were 3 Maldas, then there are 3 accounts:
    malda@...
    malda1@...
    malda2@...

    The password is that MailID & nsi.


    --

    --
    Neurowiz
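An added example, not part of any comment in this thread: a provisioning audit for the two weaknesses described in comments 57 and 70 (an initial password that is the mail ID plus "nsi", and a verifier that ignores characters past a length limit), with a random initial credential as the replacement. All function and class names, the sample records and the 8-character limit are constructed assumptions; only the "nsi" suffix comes from the thread.

```python
import hmac
import secrets

# Fixed strings a provisioning script may append or prepend ("nsi" is from the thread).
ORG_TOKENS = ("nsi",)

# Constructed sample provisioning records: (mail ID, initial password). Not real accounts.
SAMPLE = [
    ("example", "examplensi"),       # mail ID + fixed suffix
    ("example1", "example1"),        # password equals mail ID
    ("example2", "2elpmaxe"),        # mail ID reversed
    ("example3", "q7VrT2xLm9pZ4a"),  # unrelated to the mail ID
]


def derivation(login, password):
    """Return how the password follows from the login, or None if it does not."""
    l, p = login.lower(), password.lower()
    if p == l:
        return "password equals login"
    if p == l[::-1]:
        return "password is reversed login"
    for tok in ORG_TOKENS:
        if p in (l + tok, tok + l):
            return "login plus fixed token %r" % tok
    if l in p and len(p) - len(l) <= 3:
        return "login with short affix"
    return None


def audit(records):
    """Return {login: reason} for every record whose password is derivable."""
    findings = {}
    for login, password in records:
        reason = derivation(login, password)
        if reason:
            findings[login] = reason
    return findings


class TruncatingVerifier:
    """Constructed model of a check that keeps only the first `limit` characters."""

    def __init__(self, password, limit=8):  # limit=8 is an assumed value
        self.limit = limit
        self.stored = password[:limit]

    def verify(self, attempt):
        return hmac.compare_digest(attempt[:self.limit].encode(),
                                   self.stored.encode())


class FullVerifier:
    """Constructed model of a check that compares the whole string."""

    def __init__(self, password):
        self.stored = password

    def verify(self, attempt):
        return hmac.compare_digest(attempt.encode(), self.stored.encode())


def compared_length(verify, known_password):
    """Number of leading characters the verifier really compares.

    Meant for a test account whose password you set yourself. Returns None
    when every character matters and trailing extras are rejected.
    """
    for n in range(1, len(known_password) + 1):
        nxt = known_password[n:n + 1]
        filler = "#" if nxt != "#" else "~"  # guaranteed to differ from the next char
        if verify(known_password[:n] + filler * 4):
            return n
    return None


def new_initial_password(login, nbytes=16):
    """Random initial credential, redrawn if it happens to be derivable."""
    while True:
        candidate = secrets.token_urlsafe(nbytes)
        if derivation(login, candidate) is None:
            return candidate


if __name__ == "__main__":
    for login, reason in audit(SAMPLE).items():
        print(login, "->", reason)
    test_pw = "examplensi-longer-test"
    print("truncating:", compared_length(TruncatingVerifier(test_pw).verify, test_pw))
    print("full:", compared_length(FullVerifier(test_pw).verify, test_pw))
    print("replacement:", new_initial_password("example"))
```
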
  71. Another Jim Rutt $#^%#^ up by ConceptJunkie · · Score: 1

    You know I worked for a company (TEIR) that Jim Rutt pounded into the ground by hiring incompetent managers, making incredibly stupid business decisions and thinking the only thing a programmer or engineer wants to be happy is free beer.

    Three years ago TEIR developed a Client/Server architecture that required 5 _megabytes_ of DLL's to run on a client machine. This took a year and a half and about 80 people to develop.

    After being given tens of millions of dollars and running the company into the toilet, it's amusing to see he was given another company that continually does incredibly stupid things. I wish I was an executive because there is obviously no accountability.

    The worst about this thing was that as soon as I saw the e-mail, I immediately wondered how many people would try to abuse this blatant security hole. It's obvious no one with two neurons to rub together was involved in this promotion at any level.

    I can't wait until I can change to another company for my domain registration.

    Rick



    --
    You are in a maze of twisty little passages, all alike.
  72. Anyone managed... by bertboerland · · Score: 1

    ... to get into the networksolutions.com account ;o)

    --
    -- for undocumented cisco commands, take a peek @ dotu
  73. It's bullshit like this why I'm glad all my domains are Christmas Island. Not only do I get better and cheaper service than NSI domain holders, but they have very strict privacy policies, you can even opt out of being visible in the whois database, and in the case of trademark contention they'll only act based on a court order, end of story. And they're hosted by a British company, too, so I don't think even an American court order would suffice - it'd have to be tried in the British courts. Maybe that's not as good a thing though. :)

    .cx domains rule. They're relatively uncommon and not even close to saturated, you get an insanely long "free" period to play with a domain (and technically it'd be possible to never have to pay for a domain, though that's quite dishonest), and if you want uniqueness, no better way than that. "Dot cx? That's weird man... must be some cool thing!"

    Oh, and they only have authenticated web-based access for modification. I don't think they use https, though, but then again, email-based NSI updates aren't exactly secure either.

    This just settles it for me. I'm never going to trust NSI with any domainnames.
    ---
    "'Is not a quine' is not a quine" is a quine.

    --
    "'Is not a quine' is not a quine" is a quine.
    Quine "quine?
  74. Need directions to change to alternate registrar by Hollins · · Score: 2

    Could someone post directions on how to change to a different name registrar for the domains I am already using? I know how to register new domains with the alternatives, but I want to switch my accounts over.

    Thanks.

  75. nsi.com networksolutions.com by JeremyH · · Score: 1

    Am I missing something here?

    www.nsi.com/dotcomnowmail turns up a 404 for me. Same with www.networksolutions.com/dotcomnowmail. (nsi.com is just a redirector to networksolutions.com) I also looked at networksolutions.com and I can't see anything on there about this program.

    I have a domain registered with nsi (I registered when they were still at internic.net) and I have not received any spam from them about free web mail.

    What's the deal? Or did they fix this thing already?

    --
    -JeremyH
  76. The risks of email spoofing by remande · · Score: 2
    On the one hand, anybody with a domain can set up bogus email accounts: "microsoft@foo.com", "bill_clinton@foo.com". If we worry about people using our personal and organizational names for email addresses, we have a lot to worry about. Too much, in fact.

    OTOH, this is a problem because "dotcomnow" is NSI, and NSI has a reputation for trust. Thus, there's a world of difference between "microsoft@foo.com" and "microsoft@dotcomnow.com".

    Just some thoughts for figuring out how nasty this security breach is.

    --

    --The basis of all love is respect

  77. Forward all NSI SPAM to the MAPS RBL. by strredwolf · · Score: 3

    NSI is screwed up big time with this deal, and the Internet community, especially those who deal with net-abuse of this type and magnitude, does not like such a bad neighbor. Forward with full headers and appropriate password removed to MAPS RBL (http://www.mail-abuse.org) and post it to news:news.admin.net-abuse.email with the subject of NSI SPAM. Also document every phone call you've made to remove the free e-mail account and pass that along too. It's time we nip NSI in the bud about this.

    ---
    Spammed? Click here for free slack on how to fight it!

    --

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
  78. It's worse (better?) than you think.... by imac.usr · · Score: 1
    Nobody else seems to have brought this up: once you've logged in as someone else, you can set up the service to allow you to send messages using a different address (to "create the appearance of sending mail from your other accounts" - taken directly from their Preferences page). So, apparently all you have to do is add the address listed as the contact address in the WHOIS table, make it the default, and bingo! You've just become that person. You're not user@dotcommail.com, you're user@microsoft.com or user@yahoo.com or user@earthlink.net or user@whitehouse.gov or whatever. If you somehow got ahold of that person's POP settings, you can even have their mail forwarded to the dotcommail account.

    Wheee! I haven't been this tempted to screw my former employer since I heard about the NT/IIS4.0 bug!

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
  79. Will this affect WHOIS? by Jonny+Royale · · Score: 1
    I hate to ask this but...

    Since Network Solutions is handing these out based on registrars and domains, and they run the whois database, can/will they modify the whois database? Can someone with an account check this? (I don't have one, or its foo-bar).

    I don't think they're allowed to, but it's their playground, so you never know.

  80. will spam bring dotcomnow.com to its knees? by klund · · Score: 1

    I just guessed two usernames and passwords, (sorry, Mr. Smith numbers 83 and 84, whoever you are), put them both on vacation mode, and sent a message from one to the other. No loop.

    But, I already received some spam at both accounts. Some spammer has already written a script to generate lastname### address and flood their server. I hate spam, but this is kind of funny.

    I wonder how much disk space they have?

    --
    My word processor was written by Stanford Professor Donald Knuth. Who wrote yours?
  81. "THE DOT COM PEOPLE." by $nyper · · Score: 1

    I thought they were supposed to be "THE DOT COM PEOPLE." I mean my God I have just tested this and let me just say that this has to be one of the most stupid policy based security screw-ups I have ever seen.

    MORONIC!!!! My 2 year old cousin has a better understanding of security concepts than these people.

    Someone definitely needs a good ass chewing after implementing a policy like this one. If I were to ever write such an idiotic policy like this I would blame it on Old-timers syndrome and retire from the world of Network Security. Damn... I don't know whether to cry or laugh about this incident.

    $nyper

    --
    "Help me Obi-/.-Kenobi,your my only hope!" -$
  82. Another interesting tidbit from the spam... by doce · · Score: 1

    I received the email as well. At the bottom, they were nice *cough* enough to allow you to remove yourself from their spam list, as such:

    If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line.
    PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.


    but of course, by doing so, you also lose the ability to correspond with NSI altogether. Complete BS, in my opinion.

    --
    woof!
  83. Amazing it runs at all? Try OS/2! by LordNimon · · Score: 0
    People complain that the Windows 9x kernel is buggy, but considering that it runs everything from ancient DOS games to 32 bit applications, it's a miracle it runs at all.

    I hate to break this to you, but OS/2 Warp also runs everything from ancient DOS apps to 32-bit applications. But, it runs DOS apps and Windows 3.1 apps much better than Windows (any version) does, and it runs 32-bit OS/2 apps as well as some 32-bit Windows apps. It can run multiple DOS and Windows apps simultaneously without the performance impact you experience with Windows - I can format a floppy under DOS, compile with a DOS compiler, print from a DOS app, and download a file, all at the same time. It also runs XFree86 and has several Unix apps ported to it.

    All this, and it's a hundred times more stable than Windows. In other words, you should not be surprised that Windows runs at all. Every OS/2 user knows that it's possible for an operating system to do all that Windows does (and more) and still be stable.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
    1. Re:Amazing it runs at all? Try OS/2! by Kintanon · · Score: 1

      All this, and it's a hundred times more stable than Windows. In other words, you should not be surprised that Windows runs at all. Every OS/2 user knows that it's possible for an operating system to do all that Windows does (and more) and still be stable

      I knew I should've stuck with OS/2 Warp back in '94.... What kind of support does IBM offer for OS/2 nowadays? Or has someone else taken over the OS? Be nice to know there is another alternative to Windows out there.

      Kintanon

      --
      Check out JoshJitsu.info for Brazilian Ji
    2. Re:Amazing it runs at all? Try OS/2! by LordNimon · · Score: 1
      I know this is off-topic, but to answer the question, IBM doesn't exactly provide stellar support for home users. You're much better off relying on the support of fellow OS/2 users. IBM does still provide updates and bug fixes for OS/2 for free, though, but they tend to be geared towards the needs of their big corporate clients. For instance, USB keyboard support is way more important than USB scanner support, so OS/2 has the former but not the latter.

      However, that won't stop hundreds of us from attending Warpstock '99 next month, right after the Atlanta Linux Showcase.

      There are rumors of Stardock taking over a small-user version of the OS/2 client. We'll know for sure this weekend. You can keep track of the OS/2 world by visiting WarpCast

      --
      And the men who hold high places must be the ones who start
      To mold a new reality... closer to the heart
  84. netsol.com down? by saturated · · Score: 1


    Does anyone know if they took it down, or if it was /.'d?

    --
    ' god damn this is one wacky game show ' ~ jay in mallrats
  85. Try this by tweek · · Score: 1

    I got in via the alternate address and changed my settings. I would suggest doing this. Turn on vacation reply and then use this as the message.


    I do not accept mail here. This account was setup
    without my permission by NSI. If you need to email me
    with important information please email me at the email
    address listed via whois.

    --
    "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
  86. It gets even better! 8 char password significance by Anonymous Coward · · Score: 0

    Even though the password field shows as 25 characters and allows you to enter more, it is only significant to 8 characters! That's right, if your assigned username is 8 characters long or more just enter the username as the password.
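The truncation described in the comment above means a login-derived default leaves few or no secret characters among those actually compared. The following pre-issuance check is an added example, not code from the thread or from Network Solutions; the 8-character limit and the "nsi" suffix are taken from the posts, while the function names and sample accounts are constructed for illustration.

```python
"""Pre-issuance check for initial passwords on a backend that truncates."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

SIGNIFICANT_CHARS = 8         # assumption from the comment: only 8 characters count
TEMPLATE_SUFFIXES = ("nsi",)  # fixed suffix shown in the quoted notice


@dataclass(frozen=True)
class Report:
    template: bool           # password is exactly login + a fixed suffix
    residual: Optional[int]  # compared chars NOT copied from the login; None if unrelated
    ignored: int             # trailing chars the backend never compares

    @property
    def reject(self) -> bool:
        # Anything built on the login is known to whoever knows the login.
        return self.template or self.residual is not None


def effective(password: str, significant: int = SIGNIFICANT_CHARS) -> str:
    """The part of the password a truncating backend actually compares."""
    return password[:significant]


def same_after_truncation(a: str, b: str,
                          significant: int = SIGNIFICANT_CHARS) -> bool:
    """True when two different strings are the same password to the backend."""
    return effective(a, significant) == effective(b, significant)


def check_initial_password(login: str, password: str,
                           significant: int = SIGNIFICANT_CHARS,
                           suffixes: Tuple[str, ...] = TEMPLATE_SUFFIXES) -> Report:
    """Measure how much of the compared password is merely the login."""
    lo_login, lo_pw = login.lower(), password.lower()
    template = any(lo_pw == lo_login + s for s in suffixes)
    eff = effective(lo_pw, significant)
    prefix = lo_login[:significant]
    if prefix and eff.startswith(prefix):
        residual = len(eff) - len(prefix)   # 0 means login alone is the password
    else:
        residual = None
    ignored = max(0, len(password) - significant)
    return Report(template, residual, ignored)


def audit(accounts: Iterable[Tuple[str, str]]) -> Dict[str, Report]:
    """Return only the accounts whose initial password must not be issued."""
    reports = {login: check_initial_password(login, pw) for login, pw in accounts}
    return {login: r for login, r in reports.items() if r.reject}


# Constructed sample data (not real accounts).
SAMPLE_ACCOUNTS = [
    ("harrison", "harrisonnsi"),      # template; suffix falls entirely past char 8
    ("smith83", "smith83nsi"),        # template; one suffix char survives truncation
    ("webadmin", "webadmin-T7!xq2"),  # random-looking tail is never compared
    ("example1", "k3Vq9fTz"),         # unrelated to login, fits in 8 chars
]

if __name__ == "__main__":
    for login, report in audit(SAMPLE_ACCOUNTS).items():
        print(f"{login}: residual={report.residual} ignored={report.ignored} "
              f"template={report.template}")
```

The `webadmin` case shows why the fix has to include the comparison length: appending randomness to a login-based password does nothing when the appended part is past the truncation point.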

  87. No item #3 in my email by joost · · Score: 1

    I just got the email from Network Solutions (I'm a non-US customer). There's no item #3. I cannot login using my name, handle or domain name/handle.

    So either they've taken it out or it's for US customers only.

    1. Re:No item #3 in my email by Spatch · · Score: 1

      Well, I checked the whois record of a domain I own (and, frankly, would like to get back from the clutches of the Duh Com people, since all their info is horribly out of date and I have no way of contacting 'em) and I tried logging in under every combination of every piece of information I could find in the whois record.

      No luck.

      Then I tried just my last name. I got in, and thanked the nice people at Network Solutions for giving me such a nice email address. But they seemed to call me "Fred", though.

      Strange.

  88. Criminal incompetence by sammy+baby · · Score: 1

    Actually, it is, in some circumstances. It's called "criminal incompetence," but I don't know if there's any legal precedent in the computing industry. Anyone?

    1. Re:Criminal incompetence by Anonymous Coward · · Score: 0

      This really must be as an AC and I am not going to be specific, but having been through this, I can attest to the following things that can happen:

      1. If it is a public company and you exhibit gross negligence as defined by standards that the SEC will make up on the spot (but really, they were stuff like keeping off-site backups and checking logs, so they were actually pretty defensible, I just was edgy about the fact that they got some opinions and stated that those were commonly accepted standards), you will be involved in any penalties the SEC will hand down. Because I resigned rather than cover stuff up, this missed me, and because I was discussing blowing the whistle at the time that the forensic accountants descended, I was spared. That is, apart from having to sue for $180,000 in legal fees (although I did get that, and two years salary, and damages, it still took every cent I had for two years).

      2. If you run afoul of the SPA (another issue -- they were using close to 600 copies of Office and NT and had licences for less than twenty of them), they will go after you as well as the company, and they are not unlikely to believe that the oddly dumb MBA "just had no idea" and pursue you equally strongly. Except, of course, you don't have the resources of a major company. I saved my emails off-site. That saved my skin.

      Those were the two things that I had to deal with when I decided that things were way out of control about six years ago in another state, doing sysadmin/dba work. I easily think that I could have wound up in the Federal pen because I had no idea what I was doing at that point with regard to the legal system if I hadn't already been talking to a seriously old and cynical attorney. I would have, for instance, talked to the SEC without an attorney because I hadn't done anything. That would have been Bad, as they are looking for guilt, not innocence, and they have no interest in proving that you didn't do things, only that you either did or could have. My attorney saved my butt over and over again. If I hadn't had the normal BoFH paranoia, I wouldn't have moved my own files off site and wouldn't have saved all of my email. And I think that I would be mowing the lawn behind razor wire.

      This is something to avoid, if only because the stress is severe. Two more examples from friends:

      3. If someone sues the company for something computer-related, they may fire and sue you to deflect blame so as to be able to get a smaller settlement. This is civil, not criminal, but it is not unheard of for companies to tell the police that you have been embezzling to get a criminal charge against you for the publicity, to establish fact. Didn't happen to me, happened to a friend at another "financial services company" about the same time I bailed and then got to know a lot of people who worked for the government who were very definitely not there to help me. He countersued and rode the suit through four mergers before they paid him to go away (it worked out very well for him, but it took five years).

      4. If you are an officer (and that can be pretty liberally defined in suits, although narrowly by the SEC and other agencies), or if you have any decision-making power and set/write/review policy, you had better make sure that your company has extended legal aid to you. They often just extend it to senior execs. This is a real serious problem if your company gets hit with a class action suit and your name comes up a lot in discovery in areas like "disaster recovery" after, say, a disaster. I know two people who have been fired and have narrowly escaped being ruined because their company wouldn't help them legally (there was no policy and for a variety of reasons they couldn't add them AFTER the suit), fired them because they were a liability, and then tried to suggest that they were responsible. Those cases are still being argued (one in mediation, one in litigation). The temptation of people to blame all the problems on the last person who left can get very serious when you have people asking where millions of dollars have gone.

      So, yes, if your computer error killed someone, you could be sued and put in jail. If your error cost millions, same thing. As far as I am aware, the cases are happening all the time, but they haven't become high enough profile yet. We will probably have to have a Fortune 500 company fail for the public reason of PHB-poisoning in the MIS department before anything changes.

      In the meantime, save your work and keep a few tapes waaaaaaaaay off site. Like, in your safety deposit box.

    2. Re:Criminal incompetence by Anonymous Coward · · Score: 0

      I think that there needs to be a support group (I was thinking that a gun club would work) for sysadmins who have worked for banks, insurance companies, brokerage houses, and so on. I worked for a major credit card bank (either first or second largest now)(two words -- first one starts with F and second with U) and the experience left me twitching for years afterwards. I can still say with complete assurance that that was the worst place that I have ever worked in my life, the worst run, the most dishonest, etc., etc. That seems to be pretty standard. I made paper and electronic copies until they started searching everyone entering and leaving because the fraud from employees had gotten so bad that they were desperate to stop people from leaving with any scrap of paper that had any data on it, then I smuggled in a modem and learned how to dial up my box at home. Right after I left they got raided by the SPA and they were fined by the SEC, the FCC, and the DoJ looked into whether or not their carelessness in hiring (they wouldn't pay more than $6/hr for phone support, so they were drawing from a pool of people who needed money, and there were often people who decided to stray from the straight and narrow AND they did no background checks whatsoever because they couldn't due to the huge turnover, so they sometimes had felons on the system for months at a time, pulling down lots and lots of data) was criminal. It was a bad experience. Yeah -- always cover your butt, and the more money you are around, the better you should be covering it.

  89. I can't get in either, and I'm in the US by Anonymous Coward · · Score: 0
    I just got the email, and there's no Section Three.

    As far as I can tell, NSI didn't set up an email account for me -- I tried to log in a whole bunch of times already, and I just get a "couldn't authenticate" message.

    So, does this mean that only certain people got the special email message & account, or does it mean that my "dotcom" email account has already been hijacked, and I'm screwed?

    ...insert sounds of man screaming in fury...

  90. No, try THIS. by Anonymous Coward · · Score: 0

    I switched on vacation and used this message:

    Dear Friend,

    I never check email at this account. I did not want
    this account but Network Solutions saw fit to create
    one for me and then set an OBVIOUS PASSWORD for it so I
    had to log in to it whether I wanted to or not, since
    having some script kiddie masquerade as me is not my
    idea of fun.

    All I have to say is that Network Solutions, Inc. is a
    piece of shit company that feeds off a government
    contract that the CEO must blow half of the federal
    administration to keep, when he's not busy blowing
    diseased goats. I sincerely hope that the every person
    in a management position at Network Solutions is anally
    raped by gangs of rabid polar bears, unless they would
    like that sort of thing, in which case I hope they
    aren't!

    1. Re:No, try THIS. by tweek · · Score: 2

      well i guess that would work

      Time to clean the mountain dew off my damn monitor now.

      --
      "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
  91. Nice domain name by Chris+Pimlott · · Score: 2

    Hmm, am I the only one who finds the domain name "netSOL.com" oddly appropriate?

  92. Try and register a new account... by Anonymous Coward · · Score: 0

    Here's something fun: Try and register a new account. After you enter a name, it brings you to page that's obviously supposed to be their terms of service, but it's blank.

  93. Class action lawsuit by Old+Man+Kensey · · Score: 2
    I think this provides enough material for a domain owners' class-action lawsuit. This would fall under criminal negligence, putting literally billions of dollars' worth of assets at risk. Another might be misappropriation of property -- arguably use of an entity's registration info, like use of their phone number, belongs to that entity, and NSI's legal blather at the top of WHOIS queries could be seen as an illegal effort to restrict an entity's use of their own property.

    Anybody want to start a mailing list? If we can get about 1,000 subscribers I think we might have something here.

    --
    -- Old Man Kensey
  94. Oh my. . . . by Anonymous Coward · · Score: 0

    That was WAY too easy. My second attempt at a login worked! I sent a test message to one of my own accounts, and noticed something quite interesting:

    Cc: Test@dotcomnow.com, message@dotcomnow.com, from@dotcomnow.com, account!@dotcomnow.com
    (of which "account!" is not a valid address, which you get a warning of when sending...)

    Anyone know why those CC addresses are automatically added in? For keeping track of all the messages sent by the system?? Interesting...

    1. Re:Oh my. . . . by jkubecki · · Score: 1

      Uh, don't want to say anything, but did you by chance mean to type "Test message from account!" in the SUBJECT line of the message you sent, not the CC line?

  95. It's not in every message by philg · · Score: 1
    I didn't get any NSI communications for my domain name until this morning -- looks like the same message, but only had two bullet points. (i.e., no mention at all of the webmail account).

    Mine is a .org account -- any idea if this offer was restricted/implemented only for the .com's? I doubt it....Whether the account actually exists or not is, of course, an open question, at least until the server comes back up. :)

    phil

    p.s. -- I replied to the message, asking someone to contact me about the disclaimer at the end, and sending administrative and advertising information on the same list. I find this somewhat concerning, as I might skim over important info buried in a sea of "SPECIAL OFFERS". (I also don't want any more spam in my inbox than I can avoid.) I encourage other people with similar concerns to do the same.

  96. Network Solution's Phone Number by Threemoons · · Score: 1

    Hey there...for all of your edification...

    it's 703 742-0400

    All circuits are busy now.

    Luckily, I'm being let out of my veal-fattening pen at 1 due to the hurricane...I and my boyfriend will then jointly program our modems to do the dialing for us whilst I kick back with a Jack & water and flip the bird towards VA....

  97. it's JUST an email account, guys. by Anonymous Coward · · Score: 0

    All it is is an email account. I thought when I read this at first that you could log into this account and use it to change the contact information on the applicable domain, I had visions of changing one of the big Evil Companies' domain name (ahem, excuse me, "Web Address", puke)...but alas, but this is not so. When the most recent hotmail hole came out I whois'd hotmail.com and tried to get the domain changed over to me as the contact, but when I logged into the guy's account to see if I would be able to ACK the transfer, the account had cookies enabled or whatever so you could only view the message titles, not the contents. Couldn't click reply. Darn. And anyway, you would think that hotmail.com would use CRYPT-PW or PGP instead of MAIL-FROM, but you never know. I've retired "you would think that" from my vocabulary...it's possibly the most dangerous phrase in the English language. Lots and lots of things happen to big big important companies that "you wouldn't think would" happen.

  98. Strangely Relevant by Sebbo · · Score: 1

    I was browsing with multiple windows this morning, and had one window fetching this article while another was fetching the floydcam piece from Tuesday. I came back after they'd finished loading, and my eyes fell on: "And for record, I regret damage done to property and life-but the power of Nature is still amazing."

  99. LOOK WHAT ACCOUNTS I WAS ABLE TO GET!! by Anonymous Coward · · Score: 0

    Even though it is worthless, just out of curiosity I tried the following names.... and got in on all of them: techsupport, noc, billing, payment, spammer, mail, gore, bush, hillary, registration, and management. Unbelievable...

  100. WTF? by KaosDG · · Score: 1

    Hey, can somebody give me some pointers here...
    (no, not *p)
    I tried the link (netsol.com/blahblah) all i get is a timeout.

    and the mail.dotcomnow.com gives me a login screen, but it says it failed to auth when i try the standard lastname##/lastnamensi combo. after a few tries it gives a "free web mail" page but that's it. I didn't receive an e-mail from NSI, but I did register with them, so i'm partially worried they might have kicked me off the boat.

    wtf? can't we mount (he said mount) a petition against this sort of crap? Or at least /. them for it?
    I say we lay a corporate smack-down on them and let those roodie-poo, candy-assed NSI people know who brings them the money...

    --
    "Fuzzy Wuzzy was a bear, Fuzzy Wuzzy had no hair... Fuzzy Wuzzy wasn't fuzzy was he?"
  101. dot com project manager by Anonymous Coward · · Score: 0

    tquinn@netsol.com

  102. Try: http://mail.dotcomnow.com/login/ by Anonymous Coward · · Score: 1

    http://mail.cotcomnow.com/ will route you to an nsi page but http://mail.dotcomnow.com/login/ will take you to the login screen...

    I am a bit paranoid, I have changed passwords of eight accounts already and am considering legal action against nsi for creating accounts under my name without my permission

    Try domainid+1 and domainid+1+nsi for login and passwords, they seem to work in some instances

  103. telnet is eeeeeeevil! by Nugget94M · · Score: 1

    You should be using ssh 1.2.27, not telnet.

  104. Re: NSI real name by orabidoo · · Score: 2

    maybe with this someone will finally force-rename Network Solutions to Network Problems.

  105. How people should respond.... by jeff_C · · Score: 1

    One way to make sure NSI feels some pressure to fix this is for whoever managed to get microsoft, IBM, ford, gm, etc. to send an email to the real administrative contact listed in the whois database an email from this free account. Just make sure in the email that you copy the original email, and explain why this was such a bad idea.

  106. Two major things! by Anonymous Coward · · Score: 1
    Well... I got in and changed my password... then I decided to send a note to 'pastmaster@mail.dotcomnow.com' to ask them to delete my account. I sent the note from their site and Cc:ed myself.

    Once the message was sent it showed a link for a "sent" folder so I clicked on the link. Yep, there was the message I had just sent. So... I click the back button on my browser and what happens? It sent my message again (I got another copy).

    Then... after laughing myself silly... I got another message with the subject of "I SUCK BADLY" with text of:

    y0,
    NSI values security soooo much that we didnt even change our postmaster or root passwords... as a result we will never get your message....

    sorry

    Sad... really sad...

    1. Re:Two major things! by Anonymous Coward · · Score: 0
      That should, of course, read:

      'postmaster@mail.dotcomnow.com'

      I fat fingered it... :-)

    2. Re:Two major things! by Anonymous Coward · · Score: 0

      I was only trying to be helpful "postmaster"

  107. Stop emailing postmaster! Also not NSI but CP! by Anonymous Coward · · Score: 0

    First off, Although they are fun to read... and I am trying to give good responses or funny ones... i am sick of all the mail at root and postmaster and support... the best thing is when people send their email addresses.. Props to those at webmaster and admin :) Secondly, NSI didn't build this... they bought a million addresses from critical path cp.net must have set the password to the specs demanded by nsi!

  108. Call them TOLL FREE at: (888) 642-9675 by doulos · · Score: 1

    No busy signal either!!! This number was advertized at the following URL on their own site: http://www.networksolutions.com/dotcommail/email_access.html but who knows how long it will be up. I called it and asked to speak to a supervisor, where I was then politely taken care of. I explained the matter of security compromise, and then politely requested the e-mail accounts to be removed for all of my domains in question.

  109. Go ahead. Tell them what you really think... by macdaddy · · Score: 1

    Don't tell /. Tell NSI how stupid this whole ordeal is by filling out their "Customer [Anti-]Satisfaction Survey". I'm sure they'd love to hear from their actual customers that paid *good* money for NSI's services exactly what they think of those services and the people supporting them. Go ahead but be honest... :-)

  110. Read their terms of service - VERY BAD! by Tumbleweed · · Score: 1

    If you read their service agreement, you'll notice this little gem as part of section B. REGISTRATION:

    "You hereby grant NSI the right to disclose to
    third parties such Account Information."

    Gah! Okay, so what this means is, if you log into that account, you agree to let them release all your information to be spammed into oblivion.

    Nice.

  111. fake? by jlb · · Score: 3

    am i the only person here who does not necessarily believe this really is from internic? I mean, none of the email addresses are even internic hostnames, none of the received headers look like they're from internic. Since this is such publicly available information, anyone could really pose as internic and mail you. Maybe I'm being naive but I don't think internic is this stupid. It's hard to believe that someone would be that stupid to try to pose as internic to get users for their free email, but I think it makes more sense that way. Here's the headers from my mail:

    Received: from maild.inte-net.com ([63.71.102.109]) by bilbo.w-link.net (8.9.0/8.8.5) with ESMTP id CAA05359 for ; Thu, 16 Sep 1999 02:04:59 -0700 (PDT)

  112. I have a few questions by macdaddy · · Score: 1

    Could someone answer these for me?

    1. What contact person did these messages go to? Billing, Technical, or Administrative?

    2. Is this the same DotComNow mail that NSI is wanting to charge $169 for 2 years of service?

    3. What specifically is my domainID? I'm assuming from the /. posts that its my NSI Handle.

    4. Could someone please document the whole proceedings for getting in, checking to see if you have an account, and changing the passwd?

    5. Does anyone live in the Baltimore, MD area and have time this afternoon to stop by NSI's headquarters and bitch-slap the first few people you see? If enough /.ers attend this little get together, NSI may get a clue and stop being so "like, whatever..." about everything. :-)

    Thanks for the info!

  113. how to tell if you are affected by MR_URC · · Score: 1

    Apparently, part of the system has been shut off. I was sent the email and followed their directions; I could not log in. So I looked around a bit and found this page: There is an engine that will search by your domain name. Mine was not found, implying that my account was deactivated.

    "This form will only work if you have already signed up for dot com mail. If your browser informs you that it was unable to locate the server, that means you have not signed up for dot com mail. If you would like to get dot com mail call, 1-888-642-9675."

    Since they activated mine automatically and sent me a notice of this, it appears that they have shut down 1st logins.

  114. Angry you be. Relax you must! by Anonymous Coward · · Score: 0

    So say I, the great JarJar Binks!

    1. Re:Angry you be. Relax you must! by Anonymous Coward · · Score: 0

      fear leads to anger, Anger leads to hate, hate leads to suffering

  115. Transfer registration to register.com! by sben · · Score: 2

    Caveat: I haven't tried this, but I'm initiating proceedings as I type....

    Apparently, register.com lets you transfer the registration of your domain from NSI to them. Check out this page. It seems to require a fax or snail-mail, but at this point, I don't really care how clumsy it is.

  116. They Say it was a crank... by Darksky · · Score: 1

    We just called NSI and they say someone went in and created accounts from the whois list and gave them all the "joe" passwords.... According to NSI you have to go in and actually create your own account, it is not pregenerated. But I don't see how one person would create accounts for everyone on the whois list....

    --
    01101100 01101001 01101110 01110101 01111000 01110010 01110101 01101100 01100101 01110011
    1. Re:They Say it was a crank... by Darksky · · Score: 1

      P.S. I don't think this was NSI's fault.. did any of you so-called geeks even bother to read the headers on the email? Who the HELL is netsol1@integram.org... They are NOT NSI affiliated....

      --
      01101100 01101001 01101110 01110101 01111000 01110010 01110101 01101100 01100101 01110011
    2. Re:They Say it was a crank... by tweek · · Score: 1

      Actually they ARE part of netsol.

      whois on integram.org shows registered to worldnic.net
      worldnic.net shows registered to network solutions


      gee do YOUR fucking homework next time.

      --
      "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
  117. NetWiz.Net - good service, no spam. by seebs · · Score: 1

    http://domains.netwiz.net/, even has an antispam
    policy on their main page.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  118. Oh, it keeps getting better and better. by Anonymous Coward · · Score: 0

    their little webmail tool includes a little bit to
    log in to a remote pop server and pull your email onto their machine so you can read it from their hokey interface. ohhh yeah, baby. One password guessing redirection interface coming right up.

    NSI has someone incredibly stupid or incredibly malicious working for them.

  119. How to (supposedly) get the account removed by tgeller · · Score: 1

    I just called the 888 number and asked to have the account removed. The first person said, "You have to respond to the 'remove' instructions at the bottom." I pointed out that that would only stop mail to my @tgeller.com account, and would not remove the dotcomnow account. "No," she said, "it does both." I asked to speak to her supervisor, and he insisted that was correct. I doubt it, but there it is. --Tom

    --
    Tom Geller
  120. We have choices. by kuro5hin · · Score: 2

    Look here or here for all sorts of other domain registrars. Screw NSI-- enough is enough. There are literally hundreds of other top-level-domains. Find one that's better, and use it.

    ----
    We all take pink lemonade for granted.

    --
    There is no K5 cabal.
    I am not the real rusty.
  121. An open letter to NSI by Bald+Wookie · · Score: 1

    To those with the power to make a difference:

    In an effort to retain customers, you gave them all free web email accounts. Do you even have a clue of who your customers are?

    The average domain owner probably has a computer and an ISP. In many cases they will be a company that provides mail services for its employees. Others will be ISP's running huge mail servers. Many more will be website operators, who often get free email with their hosting package. At the very least they probably have a PC and an ISP that offers POP3. These people know the internet, and most of them don't want or need webmail. Those who do, probably already have it.

    So, to retain customers you automatically sign them up for a service that they don't want? I simply don't understand the logic behind this. Not only that, but you break the most basic rules of security. Now you force some already annoyed sysadmins to fix a security hole that you created. Heads should roll.

    Let's be honest, your company doesn't have the best reputation for customer service. Instead of blowing money on a mail server and admin costs, you could have hired more reps and made a public commitment to service. That would have made a nice little press release, and attracted some quiet praise. At the very least, it would have shown that you understand the problem, and are taking steps to fix it. Instead, you create more trouble for your customers and get bad press for technical ineptness. Go read the Cluetrain Manifesto www.cluetrain.com, clean house, and hire the clued. Otherwise, wither and die. HTH HAND

    -BW

  122. They might have just fixed it. by phil+reed · · Score: 1

    The www.dotcomnow.com site, which when I bookmarked it this morning took me to the login page, now takes me to an introduction & signup page. The original login seems to have vanished. There are now 3 different free mail domains (dotmail.com nsimail.com mymailbag.com) each with the same form, and when I try to use the id and password that worked this morning, they don't work now.


    ...phil

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  123. nanog post by Anonymous Coward · · Score: 0

    A few days ago, someone on the NANOG list said that he talked to a Netsol rep, and that Netsol's internal name for the company is "Nothingworks Solutions", got a good kick out of that. Funny, a few days later this happens. Hehe.

  124. 17:00 EDT status and workaround by Anonymous Coward · · Score: 0
    As of 17:00 EDT 16 Sep 1999 it looks like Network Solutions is redirecting requests to http://mail.dotcomnow.com/ and http://mail.dotcomnow.com/login/ to their generic "Free Web Mail" page at http://www.networksolutions.com/freewebmail/ instead. However, you can still login directly using a bit of HTML:
    mail.dotcomnow.com login User ID: Password:
    As others have stated, I too could easily login using various surnames with and without digits using the same text with "nsi" appended as the password. However I have not been able to login using a domain ID of any sort. If I use example.com would the domain ID be "example"? And are multiple domains handled by adding digits like surnames are? Someone mentioned on the inet-access list that passwords are truncated at 8 characters so you only need to bother with the first 8. I haven't verified it yet myself. So a login of "harrison" would have a password of "harrison" since the "nsi" characters would be truncated. Just lovely.
  125. 17:00 EDT status and workaround by Anonymous Coward · · Score: 0
    As of 17:00 EDT 16 Sep 1999 it looks like Network Solutions is redirecting requests to http://mail.dotcomnow.com/ and http://mail.dotcomnow.com/login/ to their generic "Free Web Mail" page at http://www.networksolutions.com/freewebmail/ instead. However, you can still login directly using a bit of HTML:
    <html><head><title>mail.dotcomnow.com login</title></head><body>
    <form method="post" action="http://mail.dotcomnow.com/login">
    <table border="0" cellpadding="0" cellspacing="5">
    <tr><td>User ID:</td><td><input type="text" name="userlogin" size="25"></td></tr>
    <tr><td>Password:</td><td><input type="password" name="password" size="25"></td></tr>
    <tr><td colspan="2" align="center"> <input type="submit" name="login" value="Go!"></td></tr>
    </table></form></body></html>
    As others have stated, I too could easily login using various surnames with and without digits using the same text with "nsi" appended as the password. However I have not been able to login using a domain ID of any sort. If I use example.com would the domain ID be "example"? And are multiple domains handled by adding digits like surnames are? Someone mentioned on the inet-access list that passwords are truncated at 8 characters so you only need to bother with the first 8. I haven't verified it yet myself. So a login of "harrison" would have a password of "harrison" since the "nsi" characters would be truncated. Just lovely.
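Added example (not part of the thread and not Network Solutions or Critical Path code): a provisioning-side check that rejects the credential pattern described in the comment above, a password built from the login name plus a fixed suffix, including the 8-character truncation the commenter reports but has not verified. The function names, the suffix list and the sample accounts are constructed for illustration.

```python
import re
import secrets

KNOWN_SUFFIXES = ("nsi",)  # fixed suffix reported in the thread
TRUNCATE_AT = 8            # significant length claimed (unverified) in the thread


def effective(password, truncate_at=TRUNCATE_AT):
    """Return the portion of a password a truncating backend compares."""
    return password if truncate_at is None else password[:truncate_at]


def stems(login):
    """Login name as given, plus the name with trailing digits removed."""
    base = login.lower()
    stripped = re.sub(r"\d+$", "", base)
    return [base] if stripped in ("", base) else [base, stripped]


def weakness(login, password, truncate_at=TRUNCATE_AT):
    """Return why the password is guessable from the login, or None."""
    eff = effective(password.lower(), truncate_at)
    for stem in stems(login):
        if eff == effective(stem, truncate_at):
            return "same as login name after truncation"
        for suffix in KNOWN_SUFFIXES:
            if eff == effective(stem + suffix, truncate_at):
                return "login name plus fixed suffix"
    return None


def audit(proposed, truncate_at=TRUNCATE_AT):
    """Map login -> reason for each proposed (login, password) pair that fails."""
    findings = {}
    for login, password in proposed:
        reason = weakness(login, password, truncate_at)
        if reason:
            findings[login] = reason
    return findings


def provision(login, truncate_at=TRUNCATE_AT):
    """Issue a random initial password that passes the check."""
    while True:
        candidate = secrets.token_urlsafe(16)
        if weakness(login, candidate, truncate_at) is None:
            return candidate


# Constructed sample accounts, not real data.
SAMPLE = [
    ("harrison", "harrisonnsi"),
    ("smith2", "smithnsi"),
    ("example", "T7#kq-vellum-19"),
]

if __name__ == "__main__":
    for login, reason in audit(SAMPLE).items():
        print(f"{login}: {reason}")
```

With truncation modelled, an 8-character login plus suffix collapses to the login itself, which is the case the commenter calls out; passing `truncate_at=None` shows the same password flagged only as login plus suffix.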
  126. Quick Quick!!! by Shaheen · · Score: 1

    Someone, quick! Get over to NSI and take over microsoft.com!!

    This is the chance we've all been waiting for! As soon as one of us Linux zealots owns microsoft.com, we can point it to linux.com!

    Just a thought to make world domination more feasible.

    - Shaheen

    --
    You should never take life too seriously - You'll never get out of it alive.
    1. Re:Quick Quick!!! by Anonymous Coward · · Score: 0


      Tried it - doesn't work..

  127. What About Other Registrars? by Rolan · · Score: 1

    Just out of curiosity, did NSI do this to ALL domains in their database or only to the ones that came from their services? i.e. If I registered a domain through register.com (which I didn't) would they also add this service to that domain? Just an interesting point to consider....

    --
    - AMW
  128. They didn't program it - Critical Path did. by seebs · · Score: 1

    traceroute to mail.dotcomnow.com or whatever it
    is revealed that it's hosted by cp.net - Critical
    Path, who do kick-ass mailing services - and who
    have an aggressive anti-spam policy.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  129. I can only hope... by Anonymous Coward · · Score: 0

    I expect that at some point in the future DNS will be abandoned for better technology.

    that ".com" and "www." crap gets annoying after a while.

    Hopefully a system with no central authority, just a number of database providers, each authenticated by digital signatures. Conflicts can be resolved by a voting system, where the address with the greater number of trusted (trust being chosen by the end user) takes priority, or the User can determine how to resolve conflicts (voting, show a list, or prioritization)

    That way if one database is compromised (by crackers or marketers) users can just turn it off, and rely on the other providers. Each database provider can charge the fees (or lack thereof) that they choose, and the Databases can market themselves as they choose. Just like there are competing dead-tree Yellow Pages, (USWest Dex, GTE, 'Bananna Pages', etc.)

    So you could have a $1,000,000 a name registry that markets itself to users as the definitive source for Corporate names, and the free public personal home page directories with no marketing, but fewer conflicts.

    Or, better yet, scrap DNS and make everyone use raw IPv6 128 bit addresses. "You can reach me at 8020.1F0D.45B8.9BF6.FE08.F8FA.0A0B.56C9"

    Of course you could have a system that translates each quad-hex group into one of 65,536 English words, so you'll have easy to remember addresses like "Orange Automobile Fact Penguin Raid Telephone Octagon Maple".

  130. What a crock! by Anonymous Coward · · Score: 0

    At 8:00pm Central Time the guy I talked to claimed to have *no* knowledge whatsoever of this problem - nor did his supervisor. I had to forward him the damn email so that they had a clue what I was talking about!! This is nuts!
    The supervisor didn't even know how to close/cancel the email account!

  131. It gets worse... by sodergren · · Score: 1

    As if the username password stuff wasn't bad enough...

    They sent me the spam about the free e-mail account, complete with a username/password for a domain that I have nothing to do with!

    The domain was sodergren2-dom; I'm not in any of the contact information for this domain. I have nothing to do with this domain. The only connection is that I share a last name with this domain.

    Don't they know how to utilize their own whois database? Maybe copyright issues prevent them from using it...

  132. Re:No Monopoly/Other Registrar choices by ender- · · Score: 1
    It's my understanding that they do hold a monopoly.

    Actually, no, you're more than welcome to get a Domain name owned by another country, such as mine. [Which is for the lovely little country of Niue "nooway"] or any of a number of other countries... plus your domain info isn't available via whois, so I don't get spam from anyone [not yet anyway]

    ender

    Can't think of a good sig right now...

  133. UGH! Finally got my "free" e-mail canceled by GMontag · · Score: 1

    Saw this on slashdot and immediately got on the phone to NSI.

    I spent 3 hours getting the runaround and being disconnected with these idiots today. Was so frustrated that I went to the office in person (Herndon VA is near where I live) and asked at the desk (third floor of a pretty nice building) about the problem.

    The people at the front desk don't know anything about the 'net, but offered to let me sit on hold on their phone for lord knows how long, waiting for CS.

    Went home, checked mail, and yes I had a copy of the dreaded e-mail. Spent another hour+ getting bounced around, then finally got the offending account removed.

    BTW, the nice chick on the phone (only nice one was the one that helped me, the last one) assured me that nobody has used these accounts yet. She was supposed to have mailed a cancellation verification to me, but it has not shown up yet.

  134. CNN, news.com, other news sites? by Anonymous Coward · · Score: 0

    Has info about this been sent to any of the internet news sites, or the online security sites? This would make for one hell of a story, bigger than the hotmail story, and even more of an incentive for spreading the registration of domain info among several trusted _non-profit_ organizations who will never again use the database for _any_ commercial reason whatsoever. If NSI can do something this stupid, imagine what they could do if they _tried_ to utilize _our_ information for nefarious ends.

    I for one don't want the FBI knocking on my door next week, all because someone grabbed some account that I didn't even know about, and sent kiddie-porn or other crap like that through it. I then would have to prove that I was innocent, and never knew about the account. That really pisses me off (and scares me, too).


    BTW, any idea of how far they have gotten through the ~5 million domains yet? Or if their user add script is still running after this fiasco? Or if you have to worry if you haven't gotten an email like this yet?

    1. Re:CNN, news.com, other news sites? by Anonymous Coward · · Score: 0

      Internet News posted a story at http://www.internetnews.com/bus-news/article/0,1087,3_202671,00.html. They interviewed me this morning, presumably after seeing my original post here on /. I haven't seen any other stories.

      Ralph Brandi

  135. The email I got from NetSol has no section 3. by Anonymous Coward · · Score: 0

    I live in New Zealand and this is the email I got from netsol. Looks a little different from that described in the article.


    Subject: Important information about your domain name account
    Date: Thu, 16 Sep 1999 08:25:50 -0400
    From: Network Solutions
    To: Oliver Jones

    Dear Oliver Jones,

    As a customer of Network Solutions or one of our Premier Program members, we'd
    like to update you on two important items:

    1. On September 18, 1999, Network Solutions plans to move to a new Web-based
    prepayment process for registering domain names. At that point, we will no
    longer accept NEW registrations without payment in full at time of
    registration. This new online payment method gives customers the convenience
    of payment by credit card. THIS CHANGE DOES NOT AFFECT YOUR CURRENT DOMAIN(S)
    IN ANY WAY AND NO ACTION IS REQUIRED ON YOUR PART.

    If you register ten or more domain names per month, you could be eligible for
    Network Solutions' Affiliates or Business Account Programs. Under these
    programs, you may qualify to continue receiving invoices for domain name
    registrations. To be eligible, you must apply at
    http://www.netsol.com/affiliates or http://www.netsol.com/business_account.

    2. Because you registered your domain name with us, your company has received
    a FREE listing in the NEW dot com directory. We believe the dot com directory
    gives you a unique competitive advantage, enabling potential customers to find
    and do business with you. Search the directory for your own business to see
    how easy it is! Go to http://www.netsol.com/directory to find your business.
    You can also click on "Update Your Listing" to search for and verify your
    company information.

    Thank you for choosing Network Solutions to launch and develop your Internet
    identity. We look forward to serving you for many years to come.

    Network Solutions, Inc.
    the dot com people

    Copyright 1999 Network Solutions, Inc. Network Solutions is a registered
    trademark. The following are trademarks of Network Solutions, Inc.: the dot
    com people; dot com directory. All rights reserved.

    If you do not wish to receive e-mail from Network Solutions, click on this
    e-mail address and type "remove" in the
    subject line.
    PLEASE NOTE: by opting to be removed from this list we will not be able to
    communicate to you, in real-time, on issues regarding your account.

  136. Just Wondering??? by Anonymous Coward · · Score: 0

    These accounts can be set up for an automatic response, what if you got two accounts and emailed something to the other? Seeing as these people aren't all that smart, does the system actually catch that it is in a loop?

  137. A look at the headers by Nethead · · Score: 1
    I sent mail to myself from the dotcomnow.com system and found that it's really handled by cp.net (Critical Path) out of San Francisco.

    The Public and Investor Relationships contact is a Stefanie Elkins (415-344-5503) selkins@cp.net.

    Their "Email Solutions for Proprietary/Groupware Systems" toll free number is 1-800-826-4666. I'll call THEM and ask them to remove any knowledge of my domains from their system... and remind them that I'm a Washington State Resident and we don't like spam. We have a nice anti-spam law here.

    --
    -- I have a private email server in my basement.
  138. Contractual Obligation info by Anonymous Coward · · Score: 0
    It's worth checking terms of service before setting up an account with dotcomnow.com, or getting in a panic about the possibility of somebody hijacking 'your' account.
    G. MODIFICATIONS TO AGREEMENT. [...] You may terminate this Agreement at any time by providing us with notice by e-mail addressed to support@nsimail.com or by United States mail addressed to Free Web Mail Comments, 505 Huntmar Park Drive, Herndon, VA 20170-5139.
    Also in the contract are various clauses such as J. ANNOUNCEMENTS which outlines your obligation to receive email from NSI, D. PRIVACY POLICY which states that your privacy is respected unless, in good faith, they decide to violate it, G. MODIFICATIONS TO AGREEMENT which describes how NSI may change the terms of the contract without explicit notification, and various others (E., I., and K, for example) which describe how few responsibilities they have towards you and what obligations you have toward them.

    dotcomnow.com accounts have been set up without their owners' prior knowledge or permission. Is an involuntary contract valid? At least they provide an out.

    rT

  139. What about forced SPAM? by SWiTCH2 · · Score: 1

    here is what the bottom of that email states: "If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line. PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account." eh? i'm screwed if i did, screwed if i don't!

  140. Re: Unsolicited credit cards by coyote-san · · Score: 2

    Your friendly bank does not send you an unsolicited credit card because the courts (at least in the US) have held the contract is unenforceable. One concern was that credit cards could be stolen from the mail without the person's knowledge, and if the card was unexpected and from an unknown company the consumer/victim would have absolutely no clue there was a problem. A second concern was that many people would not be familiar with credit cards (in the 60's, as I recall) and they could incur substantial liabilities without realizing it.

    They can, and do, send you "preapproval" letters that only require you to confirm some information and sign it. Someone can still steal these letters and forge your signature, but theft and forgery are already crimes.

    It is legal for a company to issue you a replacement card without prior notice, but it runs the risk of pissing off customers. A bank manager quietly told me that a full third of the customers, including myself, closed our accounts after our bank was bought out and the new bank decided to issue "debit cards" (pre loss caps) to replace "atm cards" without prior notice or consent. It was rude, crude, and socially unacceptable, but legal.

    Back to the "generous" NetSol offer, I am outraged. And not just because they keep making me these wonderful offers yet are incapable of changing my contact information despite repeated requests.

    The currency on much of the net today is reputation, and NetSol's indifferent disregard to the consequences of its actions is as shocking to our sensibilities as the 60's banks' disregard to the consequences of its far-too-open credit card policy was to their peers. Of course nobody should automatically assume that the NetSol accounts are actually controlled by the person whose name appears on them, but a lot of people will. Unlike most (all?) other free mail sites, NetSol accounts can be tied to real names, real addresses and real phone numbers. So they have *far* more intrinsic credibility than "HotMail" or "GeoCities."

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken