UPDATED: OpenSSH Domain Name Controversy

Bowie J. Poag was one of the folks who wrote to us about the domain name controversy regarding OpenSSH. (I've included the full letter below). They're in the interesting situation of /having/ to be a .com, because a squatter has taken the openssh.org domain name. Read the letter below - it's a stickier situation than the other squatting issues we've talked about. Update: 03/07 04:58 by E : Alex de Joode has written his own response here. I hope this can be resolved amicably.

Please be advised that OpenSSH.ORG is NOT the official domain name for OpenSSH development. The name was taken by a someone not affiliated with the OpenSSH development team when news of OpenSSH was first leaked to the community. The correct Web and e-mail address for the OpenSSH development effort is OpenSSH.COM instead of .ORG.

The OpenSSH developers wanted to register under the .ORG top level domain, traditionally meant for non-profit organisations such as OpenSSH, but the name had already been taken. They settled for the .COM in the interim.

The .ORG name is currently held by Mr. Alex de Joode <adejoode@zedz.net>, a proponent of open source cryptography who runs his own free crypto portal hosted by xs4all.nl, a well-known and respected Dutch ISP. Mr. de Joode has repeatedly refused requests to sell or turn the .ORG name over to the OpenSSH developers. This leaves us no choice but to issue this advisory.

The OpenSSH.ORG Web site currently is a blank page with a link to the official site. Please do not visit the .ORG site, nor send e-mail to anybody at the .ORG address. This is more than just a request to boycott: there could be privacy issues, possibly data mining or building a mailing list of security conscious users. We simply don't know Mr. de Joode's motives, and we recommend caution.

Any help or suggestions in breaking the deadlock are appreciated.

Regards

For the OpenSSH developers, Louis Bertrand <louis@openbsd.org>

Re:Looks like de Joode's trying to make a point.

openssh.org does not attempt to set a cookie. It does not contain any scripts or applets. Its HTML is perfectly vanilla, and it doesn't even have any meta tags to redirect search engines. It also contains a link to openssh.com.

Certainly looks harmless enough to me.

Two questions...

One: why not openssh.net? I think it suits the project better than openssh.com or openssh.org anyway, given the nature of the project.

Two: Why won't this guy just let them use the domain name? He's not using it for anything. This isn't a typical squatting case either, because he's not even trying to sell them the name. Though frankly, that frightens me even more; what could he want with the name, if he doesn't intend to sell it or to use it for a legitimate site?

Abuse of the namespace...

"net" was traditionally intended for use by network service providers.

Yes, and I've only seen one ISP (UUNet) which actually uses that as their primary address. Many of the other big ISP's hold on to the .net TLD, but it's nothing more than a redirect to the .com address, which is by your definition another "ridiculous misuse of the namespace."

Your useage is no less an abuse than "slashdot.org", another ridiculous misuse of the namespace.

What, then, would you suggest Slashdot's URL be? "Slashdot.com" doesn't fit, because Slashdot isn't really a commercial venture (the ads notwithstanding). "Slashdot.net" doesn't work for the reasons you just said. "Slashdot.gov" and "slashdot.mil" are obvious problems as well.

That's the major problem with TLD's; there aren't enough of them. Then again, that's because they were created in a time when no one had really come up with the idea of personal Websites or Weblogs or anything like that. If the slashdot.org name is an abuse of the namespace, it only goes to show that the problem is with the namespace itself, not the users. The namespace needs to be changed to reflect the times. Until it is, there's nothing that can be done, and .net still fits the project better than .com does.

Re:Looks like de Joode's trying to make a point.

Well, how long before the first OpenSSH release was the news of OpenSSH leaked? (It's not rhetorical, I don't know the answer). Then there's also the little fact that registering a domain isn't instantaneous and can take a little while. 9 days isn't all that long, especially when you consider that two out of every seven aren't business days (I don't have a calander handy to check what day of the week Oct 25-Nov 4 were)

That said, my problem with the OpenSSH.org thing isn't that he got there first, it's that he's using it to advertise his site knowing that OpenSSH.org is where people will go to try to find information about (surprise) OpenSSH. If they wanted his site they'd have gone to FreeSSH for obvious reasons. I know that I, for one, usually think ".org" when I think of OpenSSH or Open anything. Even if he does have a legitimate claim to the domain and he isn't trying to squat it for cash (which he isn't), it would still be a good jester to hand over the domain (especially since they offered to pay for it) as an offer of goodwill.

--
Reject

woah

this seems really really odd. I mean the Zedz guys are the formerly know as replay.com guys. It seems odd that he wouldn't sell the domain name if he really supports cryptography as in the past. This really bugs me because I relied on replay/zedz for alot of crypto enabled software.

I think is the unique case we should give the Zedz guys a chance to comment on the issue publically before jumping to conclusions (which we all have done and are guilty of).

While I totally value the opinion of the OpenBSD team and the OpenSSH team I think something along these lines without any comment from the other (in my opinion) well respected party involved is a bit harsh.

Re:Hold Your Opinions

Dead or Alive, Mr. de Joot certainly is in the right here. The openssh.org site is not in anyway harming openssh. They're even providing the courtesy of linking to the projects site. OpenSSH should be happy that they're getting that much. They should have registered all of the TLD's, but didn't see it as being necessary, and apparently, they thought the .com was the one they needed the most.

Even the U.S. government has not been able to get around this mistake. There's the infamous whitehouse.com site, which is still active.

If someone came to me and said that I had to give them one of my domains, because they felt they had some right to it I'd laugh in their face. Simply because you're an open source project does not excuse stupidity.

Beyond all this, we're talking about the former Replay.com site here, now zedz.net [zedz.net] which has provided for years a good many of us with free crypto systems. They were doing a service years before OpenSSH was even thought of.

I don't use OpenSSH on my machines yet, and I was considering switching, but due to this situation where it appears they're in the running for a Slashdot beanie for "Open source domain bully" I'm going to boycott the product, until they play nice.

Re:I think you might have missed something...

There's a ton of ACs who read the stupid-dot summary/story and go on to post "that fucker! how could he be squatting that domain! he's going to be raping my children next! why the fuck doesn't he hand of the openssh.org domain to the REAL security experts! the fucker!" Yet it turns out
that Mr. de Joode is a real, honest-to-god security/crypto/privacy advocate with a great deal of knowledge and experience and a long history of service to the community.

I'd be curious to know how long stupid-dot is going to allow this sort of defamation to continue and how long it's going to be until they get their spleen yanked out in a court of law over something like this.

Come on, this is Alex de Joode!

Unless something extremely world-shattering has happened and Alex de Joode is now a radically different person from who I remember from years ago during my involvement with the Cypherpunks, I find it extremely difficult to imagine that he would set up a web site to do any of what the OpenSSH developers claim he is doing. De Joode would not collect viewer data. De Joode would not collect addresses for spamming. That's just not what the guy is all about.

The OpenSSH advisory says that they don't know his motives. They're absolutely correct; they don't know his motives at all. They correctly identify de Joode as the one who started xs4all.nl, and they correctly identify him as someone who advocates widespread use of cryptography, but they fail to mention that he is a privacy advocate. They also fail to give any rationale for their accusations other than that de Joode refused to sell them his property, which is meaningless.

Visit http://www.openssh.org/ [openssh.org] and judge his motives for yourself. Other posters have already discussed the ludicrousy of boycotting the web site so I won't repeat all of it here, but have a little think: Why would the OpenSSH group want you to think that openssh.org, who points to openssh.com and to one other site, is evil?

Agreed!

Hell, this guy is even providing a clear link to openssh.com, just in case folks come to his site looking for them. He's clearly not trying to cash in on confusion-- he isn't even running adds on the openssh.org [openssh.org] page. I think that it's pretty clear that some of the implcations in the letter (such as indicating that this guy is setting people up to confuse him for them and thus gather data on security-minded individuals) is unfounded and alarmist. Nothing at openssh.org seems in any way intended to make anyone believe that it is the official website of OpenSSH devel.

And, isn't an unconditional boycott a pretty good way to prevent people from actually looking at the site and deciding for themselves if it was set-up with bad intention?

what are you referring to?

A search for OpenSSH? [google.com]
A search for Open SSH? [google.com]
A search for "OpenSSH"? [google.com]

None of them return the actual site near the top, neither the .org or .com varieties.

Pablo Nevares, "the freshmaker".

Hypocritical Linux Community (including /.ers)

All you people who are giving the legal owner of the openssh.org domain name a hard time for using it ought to be ashamed of yourselves. How dare you stand up and speak about having a free and open internet with no controls (and bullying) by big companies, then whinge and complain when someone actually uses it.

If you are all as high and morally right as the drivel you so often spout you have an obligation to support Alex de Joode in his legal right to use the domain he registered. Too bad if FreeBSD didn't get there first - they have their chance 2 years from now to beat Alex to the renewal process (if he hasn't succumbed to the pressure by then and given it away).

Don't whine about people who work within the rules. If you don't like the way the domain registration process works, try to get the rules changed!

I also hate to say it but most of the whining seems to come from Linux user wannabes who want to put all their pent up frustration into ridiculous vocal support of any Linux based endeavour. Use your brains people. I think Linux is great, but I don't think everything Linux is great. Be more selective about what you support. Complaining about domain registration just because a Linux company is affected is really lame.

openssh.org owned by replay/zedz.net

The guy who registered openssh.org runs the zedz.net site, which hosts the replay redhat crypto archives (good place to get .rpms of security software). They used to be at replay.com before replaytv bought the domain from them.

The Zedz guys seem to be pretty good people as far as free software goes. Makes you wonder what they plan to do with the domain, and why they set it up as a forwarder to openssh.com

This reminds me of the whole LinuxHQ/Kernelnotes.org fiasco...

You mixed up your dates..

$ whois openssh.com@whois.corenic.net
Record created: 1999-10-25 08:44:41 MET by CORE-80

$ whois openssh.net@whois.networksolutions.com
Record created on 16-Nov-1999.

$ whois openssh.org@whois.networksolutions.com
Record created on 04-Nov-1999.

So it was
1) OpenSSH.ORG by our friend in Europe (04-11-1999)
2) OpenSSH.NET 12 days later by the OpenBSD people (16-11-19996)
3) OpenSSH.COM a further 9 days later (25-11-1999)

I don't understand why they don't just use .net. They (OpenSSH project) did register it before the one in the COM TLD. Sigh.
---

Is it *really* that important?

Ok, so some jerk has taken a name that really shouldn't be his. This would be a non-problem if nobody cared. I'm just not sure that being a *.com, *.org or a *.net really means much anymore. /. is under a publicly traded company (andover.net), is that necessarily the right place for a *.org? (see nobody really cares...) I think Openssh is just fine as a .com and I don't think it to be a big deal. Why not be openssh.net? That seems appropriate, too. If you are really doing great stuff for a .org domain name, people will know, whether or not it is a .org or a .com


-- Moondog

Jesus, Now slashdot is attacking their own!

Well this sure tops the cake. Now Slashdot is bullying OpenSource ADVOCATES!

Domain Names are first come first serve. I hardly see how an OpenSource advocate who registers a domain name in the org top level to be a squatter when he is using it for related purposes (or any purposes.. he paid for it, he was there first, He took the initative that the SSH group did not.) Big deal! They were caught sleeping.. they loose.

Like it or not (I don't much like it anymore) Slashdot has some power over this OpenSource comunity and this is a clear abuse of that power. The poor guy's web page is being flooded, his email box is being flooded with lamer flames and Slashdot is directly responsible by posting this story.

You've twisted the SSH announcemnt to incite anger among your members, You're using your members as a tool for your own personal attack on a person who was well within their rights to register a domain he felt he could use for his benefit.

Some animals are more equal than others?

PIGS

Today will be the last day I participate in this madness which is called Slashdot. Today is also the day that I buy that Dell computer instead of a VA Linux system.


They are a threat to free speech and must be silenced! - Andrea Chen

a slight bit of interest

strange. look what whois turned up:

Registrant:
Open SSH Project (OPENSSH2-DOM)
Zaanstraat 250
AMSTERDAM, NL-1013 RZ
NL

Domain Name: OPENSSH.ORG

Odd.and the page is simply a link. Looks like this guy registered the domain name for the project. We need some more information on what this guy is doing before an honest opinion could be made.

A Proper Analysis of OpenSSH's proposed boycott

Well, this is a refreshing way to look at the Free Software community. Get that knee-jerk reaction we are so known for, and put it to your use. Now, I'd like to look at Mr. Bertrand's letter.

The name was taken by a someone not affiliated with the OpenSSH development team when news of OpenSSH was first leaked to the community.

Hmm, "when news of OpenSSH was first leaked." Let's look at those seven words, shall we? When was this news leaked?

Performing a search on this here web site (Slashdot for those not in the know) for "openssh" yieds two results. This very article, and one from November 18, 1999, entitled, "OpenSSH Project Now at openssh.com."

Next I moved to LinuxTod ay.com [linuxtoday.com]. They have articles for everything under the sun. Their first article mentioning OpenSSH is one at Security Portal dated October 27, 1999.

I search Google (both plain Google and the Linux subsearch), and they have never heard of openssh.

Finally, I visted the very site for this project, openssh.com [openssh.com]. Looking for an "about this project" sort of link, I clicked on the Project Goals [openssh.com] link right up at the top of the left column of links. What's that it says at the very bottom? "OpenBSD: goals.html,v 1.4 1999/11/17 14:14:15 provos Exp $" That looks much like a cvs (or related) entry. That date is November 11, 1999. I also visited the link to the devel mail list archives, and the earliest date there is November 16, 1999.

Looking at all these, I'd guess their formal announcement was around November 17. But the "leak" award goes to Security Portal on October 27, 1999. I'm sure they got their information from somewhere else, but I'm tired of searching. :) Back on track, when did openssh.org register it's domain? Whois gives me the date of November 4, 1999. I count eight days from that "leak." That's not an extremely brief time, but it is before their formal announcement.

Back to the letter, Mr. Bertrand says, "The OpenSSH developers wanted to register under the .ORG top level domain,[...] but the name had already been taken. They settled for the .COM in the interim."

Ok. Well that sure sounds unfortunate. Let's take a look at when they registered openssh.com, shall we? Returning to my favorite domain searching services, whois, it yields October 25, 1999, as the date the record was created. What's this, I see? That looks a lot like a date before the openssh.org was registered. It's even two days before the slight mention by Security Portal. So, they "settled" on the COM top level domain ten days before the ORG one was "taken by a someone not affiliated with the OpenSSH development team." Uh huh, sure thing buddy.

Next Mr. Burtrand discusses the owner of openssh.org, "Mr. de Joode has repeatedly refused requests to sell or turn the .ORG name over to the OpenSSH developers.

Since when must anyone turn over a domain to anyone who asks for it? In my book, domain names are a first-come, first-served service. The OpenSSH group had plenty of time to register any domains they wanted. What if the real SSH group wants the openssh.com domain? Would you, Mr. Bertrand, be so giving and just surrender it?

Now comes the discussion of openssh.org's web site, "The OpenSSH.ORG web site currently is a blank page with a link to the official site."

Ok, this is somewhat true. Going to openssh.org [openssh.org], you are presented with a link to www.openssh.org. But Mr. Bertrand, did you really stop reading there and not see a few blank lines below (9 lines if you telnetted to port 80)? From openssh.org's page I quote, "For information about OpenBSD' OpenSSH implementation please goto..." and they link to the OpenSSH group's web site, openssh.com [openssh.com]. This ommission is purely ridiculous, Mr. Bertrand.

Finally, Mr. Bertrand pushes one of the hottest buttons in the community, privacy. "This is more than just a request to boycott: there could be privacy issues, possibly data mining or building a mailing list of security conscious users. We simply don't know Mr. de Joode's motives, and we recommend caution." Hmm, a very strong accusation. None of us like being spammed, tracked where we go, etc. So, I asked myself, "What data mining is openssh.org doing?"

Let's take a gander at the HTML source code. This site is afterally a mere two pages. There could be some JavaScript performing some hidden actions users won't see when just using Netscape (or other JavaScript enabled browsers). And there it is, plain HTML. What?! No fancy, shmancy Netscape Composer, FrontPage or other editor META tags? No META tags at all to con search engines to pointing to them instead of openssh.com. I find it refreshing that someone else codes HTML in plain, simple HTML. But I see nothing hidden here.

Ok, but I have my Netscape set to just accept all cookies. I could have been slipped one of those and now they have access to my whole hard drive, right (I'm kidding, of course)? Let's give the Netscape cookies file a good grepping, shall we?

316-1 Mon/11:55pm ~> grep -i ssh .netscape/cookies
317-1 Mon/11:56pm ~>

Hmm, exactly zero references to anything SSH related. I still haven't found any maliciousness. What about the "building a mailing list" bit? I've seen many sites with "Click here to receive our free newsletter" sort of links. No doubt many of them then give out your email address to every spammer in the universe. Is there any similar line in these web pages? Not that I can see, the bottom of the second page does contain a simple "For more information about freessh.org, please contact:" mailto link. I haven't sent an email to that address yet, so I can't say if it's a secret email net. But since I'm sending this analysis to Mr. Bertrand, I'll send one to that address as well with a brand new email address. If I get spammed there, I'll know who's to blame. If openssh.org really is using this link to catch people for a spam list, I must sahe's doing a poor job of it. At least claim you can get free porn if you send an email. ;)

In closing, as Mr. Bertrand says "Any help or suggestions in breaking the deadlock are appreciated.", so I say, Mr. Bertrand, I sincerely hope you recosider your position, because well, it has no leg to stand on. A) You registered the .COM ten days prior to Mr. de Joode registered the .ORG one. That is a right-out lie, never a good thing to have right out the starting gate. I will ask, how do you base your allegation of data mining and mail list gathering? If it is also a lie, that's doubly bad. B) Openssh.org is not using the domain for squatting (there isn't a "Pay $10,000US if you want this domain" message like we've all seen so many times). It is about free SSH programs, perfectly reasonable and on target. C) Mr. de Joode provides links on both of it's web pages to openssh.com. Any users looking for it will easily see that and go to the appropriate web site.

If a reasonable agreement between these two parties is made, that's great, but to seek out the outrage of the free software communities by deceiving them like this is not the way to go about it. I sincerely hope you reconsider your position Mr. Bertrand.

Thank you.
John Corey

Copies sent to both Mr. Bertrand and Mr. de Joode.

Whois the two.

Has anyone besides me done a whois on the two domains? There was one bit in there that confuses me.

openssh.com: "Record created: 1999-10-25 08:44:41 MET by CORE-80"
openssh.org: "Record created on 04-Nov-1999."

So, I'm no domain expert, only have one myself. But I think, correct me if I'm wrong, that the OpenSSH group registered the .com a good 10 days before this fellow registered the same .org. Was this a clerical error? Did some secretary fall on the job and not register both? Were walnuts involved in this incident?

This does sound like whining, and though it's nice to see a project like this hq'ed here in the Peoria, IL area, I will have to give my vote to the .org in this matter. They are giving links to free ssh products, even if it is a simple site with no graphics/javascript/bannerads/porn/buy-this-domain -for-$10,000US ad. Domains are a game of first come, first served. They had a ten day lead and fell asleep. That isn't reason enough to come whining to this fine community.

You have to wonder

In this case at least, some of the blame lies with the OpenSSH project noy claiming the domain before announcing their project. I mean really, what does it cost? A whopping $15/yr to register?

Whats even worse is that this story posted on Slashdot could be interpreted as a veiled threat. Not cool. I'm all for OpenSource but this subtle bullying is BS in my book.

Yawn

Situation: Some guy has registered openssh.org and is pointing to the groups real site. He won't sell or give it away and he doesn't appear to be using it.

Conclusion: WE MUST BOYCOTT!!! He might be doing something awful!!!

Am I the only one who doesn't understand this response? I think the motives of OpenSSH.com in posting this warning are every bit as strange and unfathomable as Mr. de Joode's in grabbing the site.
(Sorry for injecting a touch of sanity into a /. discussion, I won't ever do it again.)
--Shoeboy

Looks like de Joode's trying to make a point.

Check out the site [openssh.org]. Looks like Mr. de Joode just wants to make sure that freessh.org and other free (beer) ssh projects are easy to find as well. Maybe a bit unfair to be claim jumping the domain, but it's hardly evil. Odd how the warning never mentioned that he was advertising competing projects. I guess the openssh guys wanted to hide that fact. (Which is probably why they say "Don't visit, he's tracking you!")
--Shoeboy

They already have openssh.net

Take a look at the whois records:

$ whois openssh.com@whois.corenic.net
Registrant Todd T. Fries (template COCO-21730)
OpenBSD, the REAL open group
Record created: 1999-10-25 08:44:41 MET by CORE-80

$ whois openssh.net@whois.networksolutions.com
Registrant Todd T. Fries (template COCO-21730)
OpenBSD, the REAL open group
Record created on 16-Nov-1999.

$ whois openssh.org@whois.networksolutions.com
Registrant:
Open SSH Project (OPENSSH2-DOM)
Zaanstraat 250
AMSTERDAM, NL-1013 RZ
NL
Record created on 04-Nov-1999.

Looks to me like the "real" OpenSSH Project registered the dot com first, this other guy grabs dot org, then they got dot net. So why did they grab dot com first? Looks like they screwed themselves.

Anyway, what's the big deal? Even Network Solution suggests that you get all three dot com, dot net and dot org to "protect" your company. Only dodgy purists still stick to the old conventions.

Why even publicize this at all? All the documentation and downloads will use whatever the official openssh URL is anyway. The web already has a way of routing around misinformation.

Also, do open source project automatically have a right to the dot org? I think this is presumptuous. What makes any project "the official" openssh project other than when it becomes the de facto standard? Maybe this guy has a right to create another open source or proprietary "openssh" package.

Is this reallly squatting?

Most people on the thread so far has been very much on the side of the OpenSSH. However, I don't think that what this other guy is doing is wrong in the very least. He is not trying to make a profit. He is not trying to blackmail or exhort anything from the OpenSSH group. He was there first, and if he wants to keep the name, the more power to him. He doesn't necessarily have to do anything with it. I mean, if he wanted to, he could just put up a html document saying "This is my page."

Just because the OpenSSH group happens to have want the name does not mean that they have a right to that name. I think that it is in very poor taste to boycott the OpenSSH.org. It seems almost arrogant in fact, to presume that just because Mr. Alex de Joode does not wish to deal with them with regards to the domain name, that he has ulterior motives. A simple message warning people that OpenSSH.org is not affilated with the OpenSSH group would have surely sufficed.

Re:Is this reallly squatting?

I agree 100%.

The post by the OpenSSH developers strongly implies they think they are solely entitled to OpenSSH.org. Wrong. Are we so quick to forget eToys.com versus etoy.com? Were no lessons learned?

It is unethical for a group to bully others just to acquire an asset. Mr. Alex de Joode has done nothing wrong except to own something the OpenSSH developers want. The OpenSSH developers should be reprimanded for believing they have some right to demand that Mr. Alex de Joode "sell or turn the .ORG name over to the OpenSSH developers." Shame on them.

Hold Your Opinions

Let's not jump to conclusions here. This sounds suspiciously like one of those personality conflicts which are all too common nowadays. It could be that either or both players are acting in ill will, or it could eb that each thinks ill of the otehr but neither is bad from our perspective.

For that matter, if Mr. de Joot has simply not replied to any emails, it may be that he has passed away (don't laugh; it happened to Duane Blehme, a Macintosh shareware programmer years back).

It would seem to me that the wise things to do is to wait and hear from both sides. Remember the Uruguayan Linux fiasco awhile back? We don't really want a repeat of that hysteria, do we?