First of all, let me point out that I started PhishTank.com, which is a free + community-managed version of what Google's anti-phishing service does. Our service is in use by OpenDNS, Yahoo Mail, Kaspersky and countless other large and small companies (and researchers, too), so my thoughts are both highly informed, but also biased.
The main issue comes down to control. When something is blocked incorrectly, as it inevitably will, do you have the ability to by pass it easily? If you are the webmaster, do you have a clear path to get it resolved in a timely manner?
The mechanism Googlefox uses to automagically enable and block malicious sites is very very aggressive and it's not very clear how users can disable the feature. Additionally, the "let me through to the site" often doesn't work, and it requires you to re-validate on every pageload. It's a user experience nightmare, effectively removing control from the user.
As a publisher, it's not clear how to get yourself unblocked or how to escalate your concern. You can fill out a form with Google, but there is zero transparency into that process.
At PhishTank, we allow all users, and site owners, to flag what they believe is a mistake. It almost never is a mistake, more often they've simply corrected the issue. We make it easy for publishers and users to see the history of data in our system.
At the end of the day, you need to have an open system that is transparent and reliable. A security system that is inside a blackbox is no kind of security system at all.
I wrote this issue regarding my commercial bank's online website just a couple days ago. It's shocking and frustrating how they deal with "security" at all levels.
-david
There will be more (new) announcements in the coming week or two. The DNS is gonna be fun for a while, unfortunately. We prefer it to be reliable and accurate.
1) Our DNS is more secure. This has been shown by third parties now numerous times. 2) Our DNS is faster. 3) Our DNS lets you block out responses you don't want. 4) Our DNS lets you turn off the search result pages, though most organizations like them and customize them. 5) Our DNS has a complete dashboard of stats and settings and is 100% opt-in. If you don't like it, don't use it (but nearly everyone who tries it likes it).
Comparing us to Rogers is like apples and oranges.
That's not true. Look under "shortcuts" in your network preferences and turn off the proxy. It doesn't bother 99.99% of our users and it makes shortcuts and google work beautifully, as both should. But if you don't like it, turn it off.:-)
The features are tied -- when typo-correction is off so is the google redirection.
If you're running a mail server or for any other reason want it turned off, just email contact at opendns dot com with your username and tell them you want it turned off.
That makes no sense. People use our service by choice and 99.9% of people don't care if we redirect Google -- We don't log anything and we're clear about that. What we do is fix a bit of brokenness and pass it on to Google. Google knows and doesn't care. Tons of corporations and ISPs proxy users... we're just doing it to fix problems with shortcuts and some other edge cases.
We don't send them to a page about the blog post because that's a WORSE user experience and my goal is to give users, regular users, the BEST experience possible. For the techies, like you, you see the CNAME and then google around and find out blog post and know what's up.
What you suggest is counter-intuitive for users -- having them want to reach google and get some other page? That's a terrible idea.
The geeks have heard of us, and use us. The rest of the world hasnt'. And still a lot of the techies don't know that they can create an account and manage all the settings and features they want (or don't want).
I don't use (only) OpenDNS because I don't like being tracked... We don't track you. The stats and charts are for your network only and we only log that if you tell us to. Additionally, we provide a clear "don't log my queries" option along with a "purge all historical data" button in the interface to make everything crystal clear.
It doesn't get much more transparent -- or easier -- than that. Users without an account do not have their DNS requests logged, obviously.
We're running a service used by hundreds of thousands of IT professionals and millions of users around the world -- we can't even keep stats fast enough as it is for the users who want them, let alone deal with everyone else.
-david (CEO and occasional janitor over at OpenDNS)
Are you implying that you wouldn't sell any derivatives of that data?
You mean like selling domainers a list of all unregistered domains?
Correct, we will never sell that kind of data. It's not the right thing to do. It also doesn't make any business sense. If the data has so much value to someone else that they're willing to pay a large price for it then it probably has value to keep to yourself. That's not our entire rationale, but it's a part of it. It's a bad PR move, it's a bad business move to do. Etc.
I can't think of every example, but I can say we've never sold our data, or any derivative of it to date. If we do, we'll probably do it in a public way. Like share some DNS data with researchers. If we do that, we'll make sure not to cause any AOL Search-style disaster. But even sharing with researchers has never happened.
I do want to do some personal research on the.cm thing -- and publish the results though.
You can call me a hypocrite the day that I sell or share the data with a third party. Until then, I suppose you'll have to settle for calling me a "potential future hypocrite." I can live with that. We get phone calls all the time about buying our DNS data. For lots of money. We've never once even considered selling it. This is a core belief we have at the company.
Hold on, let me take out my iPod earbuds and get off my scooter.:-)
Ok. Done.
Google isn't impacting our revenue, read the post. They are just being lame to their users. They are putting their partnership in front of user experience, for the first time. Hence the title of my blog, "Google has turned a page."
It appears to me by using your dns service instead of the one provided by an isp, I forfeit the ability to have my dns lookups remain anonymous. That seems to fall closer to the definition of spyware in my book.
Your DNS requests are not anonymous right now. Don't mislead yourself into believing they are. Even if you run your own resolver that talks to the roots. DNS is one of the most tapped, mined and inspected pieces of the infrastructure I can think of. People do it for profit (domainers) and for research (security folks).
We're clear on how we use it (which is to say, we don't use it for anything personally identifiable or to target ads to you).
It's highly unusual for a piece of software to not mention who put it there. Look at your other Google software you have installed. Do you have "Desktop" installed or do you have "Google Desktop?" Does it say "Toolbar" or does it say "Google Toolbar?"
Oh wait, I know what kind of software hides things like that... software that is trying to be opaque and hidden.
Slashdot Mirror
First of all, let me point out that I started PhishTank.com, which is a free + community-managed version of what Google's anti-phishing service does. Our service is in use by OpenDNS, Yahoo Mail, Kaspersky and countless other large and small companies (and researchers, too), so my thoughts are both highly informed, but also biased.
The main issue comes down to control. When something is blocked incorrectly, as it inevitably will, do you have the ability to by pass it easily? If you are the webmaster, do you have a clear path to get it resolved in a timely manner?
The mechanism Googlefox uses to automagically enable and block malicious sites is very very aggressive and it's not very clear how users can disable the feature. Additionally, the "let me through to the site" often doesn't work, and it requires you to re-validate on every pageload. It's a user experience nightmare, effectively removing control from the user.
As a publisher, it's not clear how to get yourself unblocked or how to escalate your concern. You can fill out a form with Google, but there is zero transparency into that process.
At PhishTank, we allow all users, and site owners, to flag what they believe is a mistake. It almost never is a mistake, more often they've simply corrected the issue. We make it easy for publishers and users to see the history of data in our system.
At the end of the day, you need to have an open system that is transparent and reliable. A security system that is inside a blackbox is no kind of security system at all.
-davidu
I wrote this issue regarding my commercial bank's online website just a couple days ago. It's shocking and frustrating how they deal with "security" at all levels. -david
There will be more (new) announcements in the coming week or two. The DNS is gonna be fun for a while, unfortunately. We prefer it to be reliable and accurate.
I am the founder of both companies. :-)
1) Our DNS is more secure. This has been shown by third parties now numerous times.
2) Our DNS is faster.
3) Our DNS lets you block out responses you don't want.
4) Our DNS lets you turn off the search result pages, though most organizations like them and customize them.
5) Our DNS has a complete dashboard of stats and settings and is 100% opt-in. If you don't like it, don't use it (but nearly everyone who tries it likes it).
Comparing us to Rogers is like apples and oranges.
-David
That's not true. Look under "shortcuts" in your network preferences and turn off the proxy. It doesn't bother 99.99% of our users and it makes shortcuts and google work beautifully, as both should. But if you don't like it, turn it off. :-)
-davidu
They are using our OpenDNS servers as the control group. We've been noticing that a lot lately.
Plus, a lot of folks are using http://cache.opendns.com/ to start checking the records of their personal site from around the world.
You think Boston is bad? Here in the "Silicon Valley" of well -- Silicon Valley, we don't even have FIOS.
SF and the whole bay area have no FIOS service. The best I can get is 16mbps from Comcast. And it ain't comcastic.
The features are tied -- when typo-correction is off so is the google redirection.
If you're running a mail server or for any other reason want it turned off, just email contact at opendns dot com with your username and tell them you want it turned off.
-david
Lots of people setup OpenDNS for other people, like their mom -- or your mom. Heh.
That makes no sense. People use our service by choice and 99.9% of people don't care if we redirect Google -- We don't log anything and we're clear about that. What we do is fix a bit of brokenness and pass it on to Google. Google knows and doesn't care. Tons of corporations and ISPs proxy users... we're just doing it to fix problems with shortcuts and some other edge cases.
We don't send them to a page about the blog post because that's a WORSE user experience and my goal is to give users, regular users, the BEST experience possible. For the techies, like you, you see the CNAME and then google around and find out blog post and know what's up.
What you suggest is counter-intuitive for users -- having them want to reach google and get some other page? That's a terrible idea.
No, we give everyone the CNAME.
Actually, that's why we put the CNAME in there. If we had any desire to hide it or be shady in any way we'd just resolve it to the IPs.
We put the CNAME in to be transparent to people like you who use host or dig.
But of course, it's also your choice to use OpenDNS. I know it's better, so do millions of others. But it might not be for you, and that's okay.
-david
So I'm sitting here this morning in San Francisco and Youtube won't load...
Why? Pakistan Telecom decided to hijack their IP space. Most likely it was an accident.
For those of you speaking BGP, here's the dirt:
rtr1.pao#sh ip bgp 208.65.153.238 255.255.252.0 longer-prefixes
* Network Next Hop Metric LocPrf Weight Path
* 208.65.152.0/22 140.174.21.165 100 0 2914 174 36561 i
*> 157.130.201.129 100 0 701 174 36561 i
* 38.103.65.96 90 0 174 36561 i
* 208.65.153.0 38.103.65.96 90 0 174 3491 17557 i
* 157.130.201.129 100 0 701 3491 17557 i
*> 140.174.21.165 100 0 2914 3491 17557 i
rtr1.pao#
The geeks have heard of us, and use us. The rest of the world hasnt'. And still a lot of the techies don't know that they can create an account and manage all the settings and features they want (or don't want).
-david
It doesn't get much more transparent -- or easier -- than that. Users without an account do not have their DNS requests logged, obviously.
We're running a service used by hundreds of thousands of IT professionals and millions of users around the world -- we can't even keep stats fast enough as it is for the users who want them, let alone deal with everyone else.
-david (CEO and occasional janitor over at OpenDNS)
Maybe he likes our domain filtering and other features... ?
He would be better of just emailing us and working with support to get NXDomain responses handed back directly.
-davidu
It's a bug, apparently. I'm told our page worked fine until about two weeks ago. :-/
Anyhoo... We're fixing it. Nobody told us it was broken until this thread, so thanks for the report.
Are you implying that you wouldn't sell any derivatives of that data?
.cm thing -- and publish the results though.
You mean like selling domainers a list of all unregistered domains?
Correct, we will never sell that kind of data. It's not the right thing to do. It also doesn't make any business sense. If the data has so much value to someone else that they're willing to pay a large price for it then it probably has value to keep to yourself. That's not our entire rationale, but it's a part of it. It's a bad PR move, it's a bad business move to do. Etc.
I can't think of every example, but I can say we've never sold our data, or any derivative of it to date. If we do, we'll probably do it in a public way. Like share some DNS data with researchers. If we do that, we'll make sure not to cause any AOL Search-style disaster. But even sharing with researchers has never happened.
I do want to do some personal research on the
How do you live in this web2.0 world? Seriously.
We'll do something to fix that though. Thanks for pointing it out.
You can call me a hypocrite the day that I sell or share the data with a third party. Until then, I suppose you'll have to settle for calling me a "potential future hypocrite." I can live with that. We get phone calls all the time about buying our DNS data. For lots of money. We've never once even considered selling it. This is a core belief we have at the company.
Hold on, let me take out my iPod earbuds and get off my scooter. :-)
Ok. Done.
Google isn't impacting our revenue, read the post. They are just being lame to their users. They are putting their partnership in front of user experience, for the first time. Hence the title of my blog, "Google has turned a page."
It appears to me by using your dns service instead of the one provided by an isp, I forfeit the ability to have my dns lookups remain anonymous. That seems to fall closer to the definition of spyware in my book.
Your DNS requests are not anonymous right now. Don't mislead yourself into believing they are. Even if you run your own resolver that talks to the roots. DNS is one of the most tapped, mined and inspected pieces of the infrastructure I can think of. People do it for profit (domainers) and for research (security folks).
We're clear on how we use it (which is to say, we don't use it for anything personally identifiable or to target ads to you).
-david
Bingo. We found out about this yesterday, AFTER the blog post.
Wrong.
It's highly unusual for a piece of software to not mention who put it there. Look at your other Google software you have installed. Do you have "Desktop" installed or do you have "Google Desktop?" Does it say "Toolbar" or does it say "Google Toolbar?"
Oh wait, I know what kind of software hides things like that... software that is trying to be opaque and hidden.
-davidu