The Internet

How Secure is Your Domain Registration?

Matthew Enger writes "An article on dnspolicy.net has underlined some important concerns with domain registrations through Network Solutions. It discusses concerns with the standard security method used (MAIL-FROM) as well as how easy it is for people to hijack your domain." It's 11 o'clock - do you know where your domain name is?
This discussion has been archived. No new comments can be posted.

  • I've been using PGP authentication for all of the domains I am the technical contact for.
    One day I sent in a request which I forgot to sign (I mailed the plaintext, rather than the signed copy).
    The changes went through anyway.
  • I was tasked with setting up a simple Linux web/mail/etc server for a local store. They were moving from one ISP who was hosting their web page to another where they wanted to host it with their new DSL. Simple enough. I send the required emails to NSI to move their name servers to the new DSL ISP.

    Then, the DSL ISP decides they'll take their own sweet time updating their name servers with my client's domains. After like a week they start getting pissy with me, so I take things into my own hands. I set up Bind on the DSL box, and register whatever.com as a name server at NSI. Send in another form to change the primary name server for whatever.com to whatever.com. And it all worked. The only catch was that if the line goes down, things would revert to the secondary name server with the DSL ISP and fail because they are lazy asses.

    Eventually that ISP got on the ball and made the additions to their name servers. By this time they did a whois check and found their DSL IP address as the primary name server. They called and got pissy with me, saying it couldn't be done. They say only "true" name servers can register with NSI as a name server. Not wanting to get them yanked from the ISP, I switched it back to the ISP's name server and all is good now.

    So, you domain experts out there, tell me this. Why was this guy assuming only "true" name servers could register as a name server at NSI? Is NSI supposed to have some other authentication for adding a new name server? Just simply filling out the form to register a new one was all it took for me.

    Plus I was thinking, if I and a friend set up a name server, couldn't we each be one of the name servers for each other's domains? (This DSL ISP uses static IP addresses.) Assuming it can be pulled off without the ISP noticing, we would have our own domains and not be subjected to the ISP's ridiculous business fees, web page hosting fees, etc. Mind you I'm not wanting to have a bandwidth hog like another Slashdot or anything big, but a simple personal web page but mostly my own vanity email@myname.com (or something).
  • I suspect that your ISP either doesn't know what they're talking about, or would simply rather that you pay them lots of money to host the DNS there ;-). There is no reason that you can't use your own box; the only thing required is to register it with NSI as a DNS, which you've already done.
  • CowboyNeal confirmed this last night. While NSI gets its shit together, Hypermart has been gracious enough to host slashdot's DNS.
  • That ticket number has nothing to do with it. And I'll tell you exactly how to spoof NSI into switching some domains info.

    This uses M$ Outlook Express (since Eudora won't let me do it however, I assume pine/elm/whatever would if it allows header edits).

    Domain to hack: fredsbank.com
    Go to NSI and fill out the form (if you're incapable of doing it the old way (by hand)) and have it emailed to "hax0r@whatever.dom".
    Then in OE, set the "from" address to whatever the admin/tech contact "mail from" address is.
    This is the hack, set the reply to address as "hax0r@whatever.dom".
    Now send this baby off. Granted, the contact that you didn't use will be notified however, the changes will go through.

    Now you've just hijacked fredsbank.com. Simple.


    rodent...

  • on purpose, because it is really a pain in the ass to change an entry. It takes days until a mail is processed, only to see that the request could not be processed for some reason. In order to actually change something, a month can easily pass - if you cannot plan a server migration a long time in advance, you are in real trouble.
    This sluggish service also prevents people from switching - so there is maybe some wacky business strategy behind that (which only worked in the first place due to the monopoly they had for years; I would never register a new domain there now).
  • Forget about MAIL-FROM. I have a letter with confirmation from Netsol, that has another letter, from another person (with CRYPT-PW scheme), chained to my letter by Netsol. They just sent me a confirmation "this is the letter you've sent us" and got another person's letter in along with mine. With password, name, ID, everything. If I wanted, I just could go and take over this innocent person's handle and wreak havoc. I wonder how many letters of others *my* information got chained to...

    And you have nothing to do - Netsol still controls the process, and the cost of moving is too high. And nobody there seems to care.
  • A little over a year ago somebody did try and hijack a domain for a game I help code. Fortunately we caught it before it was hijacked but if email hadn't happened to be checked at the appropriate time we would've lost it. We're not absolutely sure who did it but the evidence did narrow the suspects down. Unfortunately there was little that could actually be done over it.

    As a side note Network Solutions should automatically flag rather radical requests. In this case every field other than the billing field was changed.
  • A week after I registered "magincia.org" for an Ultima Online guild page, MCI called me asking if Mr. Xiaofei (my character name) was interested in their business solutions.
  • This is a typical example of slashdot being months behind the rest of the informed internet... it's gotten to the point where slashdot would only be providing me useful information if I took a time machine a few months into the future and read today's news.

    Blah. I'm sure this will get moderated down, but seriously slashdot people... try to stay somewhat recent. Month old bugtraq discussions != good current news.

    ~spot
  • For those of you who might be interested.
    There has been a discussion about this issue on Bugtraq in January 2000. Read it from www2.merton.ox.ac.uk/~security/bugtraq-200001/0148.html [ox.ac.uk]
  • Trifthen dun said:

    You don't have grits in the UK? I find that hard to believe.

    I don't find it hard to believe at all. Hell, there are parts of the United States that don't have grits (like, oh, rural Ohio until fairly recently). I figured that grits were a Southern thing, kinda like being served cornmeal with breakfast, or biscuits (note to UK readers-- not biscuits like you have with tea--American biscuits are closer to a cross between scones and dinner rolls, basically like a flaky wheat-cake; UK biscuits are what we call cookies :)

    Odd bit of trivia, though--there is a sort of "grits/biscuits" line. Above this line, you're going to probably get toast with breakfast and, if you get anything cereal-like at all, it'll be oatmeal or "cream-of-wheat"; below this line, you are liable to get biscuits and grits with breakfast whether you wanted them or not. :) (Kentucky is around the start of the "grits zone", and the "okra zone" too [you CANNOT find okra up north to save your life--I know, I've tried :P]. Needless to say, I've some experience with this.)

    I have to say that I've NEVER heard of ham in grits, though. I'm more used to the ham being a fried country-ham steak. :) The stuff isn't too bad with sugar or butter, though, not to mention egg yolks (for that matter, (American) biscuits are good for sopping up egg yolks too :). Poached eggs aren't real common here, either (I've heard they are up north)--here, you will get them scrambled or fried. (Yes, it is true what you've heard about American breakfasts, especially the traditional Southern breakfast, causing instant heart attacks in people who aren't used to them. :)

  • by Windigo The Feral (N ( 6107 ) on Wednesday February 09, 2000 @02:32PM (#1292594)

    Gil Bates dun said:

    A notary public is not a lawyer, but a person who is certified to verify your signature on a legal document. Just go to the nearest branch office of your local bank. They will have one or more notaries public on staff. You will need to bring the document you are signing and one or more pieces of photo ID. They will verify you are who you say you are, watch you sign, then place their stamp on the document verifying your signature. No big deal, and it won't cost you anything other than your time.

    Actually, this varies from state to state. In some states, notaries public have to undergo special certification (usually because, in those states, notaries can have powers up and beyond just certification of signatures--in some states, for instance, notaries can legally perform weddings).

    Also, notarisation being free ALSO varies between states; in Kentucky, for instance, getting a notary to certify something is most certainly not free (it usually costs around $50, in fact; I happen to know a notary, which is how I know this). Also, banks may or may not have notaries for this reason (again, in Kentucky a lot of people actually make a business out of being a notary and advertise their services as a notary).

    Depending on the laws in your state, you might also have to get witnesses (I know you do in Kentucky for some certification stuff).

  • Anyone take a look at the slashdot.org whois lately? Sure looks hijacked to me...

    Registrant:
    Andover.net (SLASHDOT5-DOM)
    50 Nagog Park
    Acton, MA 01720

    Domain Name: SLASHDOT.ORG

    Administrative Contact:
    Malda, Rob (RM7054) slashdot121@HOTMAIL.COM
    616-994-0441
    Technical Contact, Zone Contact:
    DNS Administrator - HyperMart (DA3706-ORG) dns-admin@HYPERMART.NET
    206.447.1595
    Fax- - 206.447.1625
    Billing Contact:
    Malda, Rob (RM7054) slashdot121@HOTMAIL.COM
    616-994-0441

    Record last updated on 07-Feb-2000.
    Record created on 01-Feb-2000.
    Database last updated on 8-Feb-2000 14:38:52 EST.

    Domain servers in listed order:

    NS1.HYPERMART.NET 206.253.222.65
    NS2.HYPERMART.NET 206.253.222.66

  • in a quasi-digital-everything-online-and-automated world, it's freaking ANNOYING to have to go thru the painful process of doing ANYTHING with Network Solutions.. is it too hard for them to make things a little bit more intuitive and easier for everyone???

    So anyway, I bought a couple of domains thru Register.com, and I have to say that I'm extremely impressed with their service.. and unlike Netsol, everything (dns, user info, blah blah this and that) is done without sending emails all over the place.

    my only quirk is that they make transferring registrars a lengthy, somewhat legal and troublesome process.. but that will probably change..

    ~mc
  • what the hell is it with ISP's not answering e-mail anyway?!?!? i have that very same problem with my ISP. isn't that the BUSINESS they are in? cripes.

    --bc
    ------------------------------------------
    the amazing bc
    latin/funk flugelhorn & trumpet
    webnaut, music junkie, sysadmin from hell
  • At this point I have registered two domains through NSI/internic and two domains through register.com. It is the difference between night and day.

    Now that the Internic database has been opened up (by federal order) I have transferred one domain's registrar from NSI to register.com, which took some hoop-jumping but it was worth it. (I believe the hoops were mandated by the NSI in their agreement with the feds to open up the registry process). I had to sign some papers in front of a notary at my credit union, which took ~10 minutes of my time. A week later, the domain is AWAY from NSI's sticky fingers.

    Actually, register.com made a mistake, and typed in my credit card number incorrectly. When I called their 800 number, I spoke to a human in three minutes, she apologized for their error, and fixed it in another three minutes.

    I will be changing the one remaining domain to register.com shortly.

    The funniest thing is I've been getting ads from NSI for discounted registration. Ha. They want me to register for ten years. Ha ha.
    --
  • Yeah, I realized that after I posted...

    hm... There's always nsi--sucks.com or nsibites.com or I-hate-nsi.com.
    --

  • NSI/internic's stock is through the roof- $258 per share and the company is worth nearly 9 billion dollars.

    This is going to change eventually when investors realize any company with a brain is transferring their domains away from Internic. Want to assist in this process?

    A proposal:

    register NSIsucks.com; write HOWTO instructions for switching to any of the other registrars; put up a signup page for people who have transferred their domains; put up a press area for when the business press comes to visit.

    Publicize nsisucks.com in tech and ISP media (letters to the editor, press releases). When we get enough buzz there (because they already know the truth about NSI) notify the business press that we have 100,000 former NSI customers who have switched to other registrars.

    Watch NSI's stock tank.
    --
  • Who the HELL ever taught the boneheads at Network Solutions about security?

    When you fill out the web forms and choose CRYPTO-PW it will encrypt your password using crypt() with your password as the salt!!! ARRGGH

    For those not in the know, the salt is the first two chars of the encrypted password. So, the first two chars of your encrypted password are actually the first two chars of your unencrypted password.

    What morons.

    "Now, I hope and pray that I will, but, today I am still just a bill"

  • ok, someone hijack my domain (semisphere.org)

    I won't be angry - as long as you give it back :)

  • If anyone wants to steal my domain.... FOR THE LOVE OF GOD, PLEASE TAKE IT! I NEED SLEEP! I NEED TO DO HOMEWORK! COLLEGE SUCKS!

    PLEASE, RELIEVE ME FROM MY DUTIES AND STEAL MY DOMAIN!

  • Domain registration should not take 14 days, it should take about 14 minutes at most....
  • When I buy Domains, they appear in the Corenic Whois database within minutes (3-5 at most). Remember, Corenic is who calls the game these days.

    Of course the nameservers only get restarted once a day, but as soon as the Domain is in the Corenic DB, you ought to be safe.

    At any rate, only third world country registries take 14 days... or more.

    I am still waiting for my .mg domain name. ;) :-(
  • I have been TOTALLY satisfied with joker.com as well. I can make all changes to any domain I have registered with them online via SSL. Is it so hard for NSI to use SSL? They even have a really intense ownership change method in place. I just met with one of my business partners last night to sign a form that had to be snailmailed to them to change ownership of one of my domains. They also charge a 26 dollar processing fee to do so. So even if someone somehow got my password for my joker.com forms, they couldn't change ownership fully. I really like these guys and I've already registered 6 domains with them.

    YATFASC (Yet another testimony from a satisfied customer ;> )

  • One of my old domains had old contact info for me, old address, old e-mail address at an ISP I no longer had an account at.. yet I was able to change my info with no verification whatsoever. While it was nice to be able to do so, it was also seriously disturbing that no sort of check was in place. :\
  • This problem has been discussed a fair bit in bugtraq [securityfocus.com]. The consensus was that DNS wasn't really secure using the crypt and signed message may help to prevent this but in general were not that great since netsol sometimes ignores crypt-pw and their pgp signed mail thing is often broken. Essentially if someone can forge their header so that it looks like it's coming from the technical contact, it will probably go through.
  • I'm sorry in advance if you're the guy who posted this to bugtraq. But the exact same message appeared with the domain names changed about 3 weeks ago in bugtraq. Next time be a little more creative.
  • This is going to take a few hours, but this is what you do. While the admin and tech contacts are the ones who can make changes online, the registrant trumps them both (I assume that's you too -- the name and address at the very top of the whois record)

    To make a change as the registrant, you'll need to fax them a letter on company letterhead, signed by someone with authority for the company (e.g. "President"). If the registrant name is the domain name itself, make up a letterhead on your word processor for it and sign yourself with the title "Owner." If the domain is registered to your personal name, you need to fax them your driver's license along with the letter as proof of your ID and signature (make an enlarged photocopy)

    Two very important points:

    • First phone NSI and have the customer service (?) rep tell you exactly what the letter needs to contain and follow this to a T.
    • On that same phone call, you need to insist that this is an emergency until the rep gives you a fax number that you can use to send it personally to that rep.
    Using NSI's regular fax number will take up to a week for work to be started. By faxing it to the rep's attention, it should be done on the next business day. BUT when I had to do this, I set my fax to retry indefinitely and it took five hours to get through to this fax number. You should also allow an hour or two for the phone call to NSI.

    ========

  • I recently had my domain yanked due to the old server he was on the hacker was able to fake a registration request and I didn't catch it until after the weekend..

    So I call up NSI (after hunting down their phone number which they absolutely HATE to give you) and explained the situation.

    After sitting on hold long enough to save up enough money to put the children I don't even have yet through college, they answer with their "1st Level" support which is no support what-so-ever. They can't make changes, they can't look up half the info you need, it's sad.. So I got transferred to their "2nd Level" support where they said that I would have to send on company letterhead (like that couldn't be forged easily enough) stating the change was wrong. They didn't mention that I should tell them what it should be changed TO. I put that in the letter just to make sure, but of course I didn't stick the name servers in, so that didn't get changed until day 4 of this nonsense.. (Yah, 4 days to fix this)

    After that Monday, I waited until the 5pm update, where it of course... didn't go through. I called the next day and asked why; they of course couldn't tell me, but I figured it out on my own.

    It seems that all the second level support can do is put in a request for a change, just like you the domain owner... However the hackers over the past few days changed the request to different nameservers every night.. The second level support put in the request first, then the hackers did.. And the hacker request overwrote the original request. I had to explain this to NSI about 3 times before they understood the concept, and said they would put through the request shortly before 5 to try and beat the hackers to the punch.

    So the change goes through; however, because I didn't stick our nameservers through on the company letterhead, they simply changed the NIC handles. So the domain was once again owned by us, however, the nameservice was still wrong. This is day three now. I call them up and scream, and they say we should just put through another request. Which I did, which of course didn't take place until that evening, giving a number of caching nameservers the time to take the new domain info with the wrong nameservers.. Thus losing our domain on their nameservers completely..

    My quick guide to dealing with NSI:

    1 - Don't.. Find the alternative registrars.. For example, OPENSRS through Tucows is an excellent service, however a wee-bit new.. But just find one of their domain resellers, you can get domains for $10 a year.

    2 - Accountability - GET NAMES.. The more names you have after dealing with them, the more people you can point out as being retards to the management, however, seeing as this is a company wide problem that doesn't do much good, head to step 1 to fix it.

    3 - Use Encryption on your domains. Either with the encrypt password on your contact info (which is retroactive through all other domains you control with that NIC then) or the PGP method. Crypt password beats the MAIL-FROM which is just pathetic hands down.

    4 - Don't bother with anything other than 2nd level help

    2ND LEVEL HELP AT NSI: 1-703-925-6950 (Notice the awesome NON-use of an 800 number)

    I hope this helps ease the plight of NSI victims. If there is a higher power they will be forced out of the market by the other registrars.

  • Sir, You are absolutely wrong. Your comment shows that you clearly do not understand how the NSI Guardian system works, by any stretch. Indeed, if the email address you send the template to NSI from is the same as the one in your contact handle, and you have Mail-From security, then NSI will process that form. Sure, you get an Ack Message, but READ THE MESSAGE before replying to it. By that time the change has already been processed. Why they attach an ACK at the top of a completion message I'll never understand, because all it serves to do is give a false sense of security to people like you who do not take the time to learn how the system really works.

    What is sad is that it is people with that mentality who are the most likely to get victimized. Just like several large ISPs did over the holidays.

    Yes, I am starting a domain registration service. However it is NOT online now, and it will be at least 60 days until it is. However, I have been involved in Domain-policy forums for over 4 years now, and indeed founded an organization for domain name holders, and am in the process of starting a second organization that will raise defense funds to help domain name holders defend their rights.

    So I suggest you yourself look at the facts before you start criticizing people without the facts. Your own message shows you did not take the time to even READ the substance of the article. If you would like an email address for someone at NSI who works with the guardian system to verify that my description of the process is accurate, feel free to email me.

    William X. Walsh
    DNSPolicy.net

  • The solutions would be quite simple:
    • Mail your request to NSI.
    • NSI responds back with a random cookie number
    • You respond to that mail, and NSI checks if the cookie is the same as they mailed out.
    Don't ask me why they aren't using it...
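
The cookie round trip proposed in the comment above, sketched as an added example (it is not part of the original thread and not any registrar's code). The class name `ConfirmationQueue`, the handle `EX1234`, the addresses, the 24-hour lifetime and the attempt limit are all assumptions made for illustration; `outbox` stands in for actually sending mail.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: contact handle -> address the registry has on file.
CONTACTS_ON_FILE = {"EX1234": "hostmaster@example.org"}

TOKEN_TTL_SECONDS = 24 * 3600   # assumed validity window for a cookie
MAX_ATTEMPTS = 5                # assumed limit on wrong cookies per request


class ConfirmationQueue:
    """Holds change requests until the contact on file echoes back a cookie."""

    def __init__(self, contacts, clock=time.time):
        self._contacts = contacts
        self._clock = clock
        # request_id -> [cookie_digest, expires_at, attempts, change]
        self._pending = {}
        self.outbox = []   # (recipient, request_id, cookie); stands in for mail
        self.audit = []    # (request_id, handle, claimed_from)

    def submit(self, handle, claimed_from, change):
        """Queue a change and mail the cookie to the address on file.

        claimed_from is whatever the incoming message's From/Reply-To said.
        The sender controls it, so it is logged and never used as recipient.
        """
        on_file = self._contacts[handle]     # KeyError for an unknown handle
        request_id = secrets.token_hex(8)
        cookie = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        # Only a digest is stored, so a leaked queue does not leak live cookies.
        digest = hashlib.sha256(cookie.encode()).digest()
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[request_id] = [digest, expires_at, 0, dict(change)]
        self.audit.append((request_id, handle, claimed_from))
        self.outbox.append((on_file, request_id, cookie))
        return request_id

    def confirm(self, request_id, cookie):
        """Return the change to apply, or None if the cookie is not accepted."""
        entry = self._pending.get(request_id)
        if entry is None:
            return None
        digest, expires_at, attempts, change = entry
        if self._clock() > expires_at:
            del self._pending[request_id]    # expired: drop the request
            return None
        presented = hashlib.sha256(cookie.encode()).digest()
        if not hmac.compare_digest(presented, digest):   # constant-time compare
            entry[2] = attempts + 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[request_id]   # too many wrong guesses
            return None
        del self._pending[request_id]        # single use
        return change
```

A request with a forged sender address still produces a cookie, but the cookie is delivered only to the address already on file, so the change stays pending unless the real contact confirms it.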
  • Just like the title says...

    I received email from NS saying they were processing my changes. I scratched my head and said "what changes?". One minute later, they sent me email saying my changes had been confirmed.

    The guy who stole my domain was trying to get money from me in exchange for control of the domain.

    I sent an article into /. about this. But apparently, news like this needs to be posted on another site before /. will carry it. Lame.
  • Ever consider that (last I checked, which was a while ago), that since they get paid for domains, they create them very quickly. Since altering the record is a 'freebie', it costs them money to change it. Thus, they lose money from every record change, and what better way to save money than not doing it?
  • You describe something that's called "A stupid trol1mastah".

    It can actually be done much simpler.

    Create a phony "contact form"
    telnet rs.internic.net 25
    HELO something
    MAIL FROM: trollmastah@trollmastah.com (the contacts emailaddress)
    RCPT TO: hostmaster@internic.net
    DATA
    Copy-paste the phony contact form (or pipe or something)
    .
    QUIT


    You now have mailed the phony contact form, from the right email.

    No need to wait for hotmailaccount expiration. One advantage in using your method is that the real owner of the domain never sees an ack of the contact form change.

    Sendy
    -- You probably find my HTML-formatting and language usage ridiculous.
  • You don't have grits in the UK? I find that hard to believe. But since you asked:

    Grits are a corn-meal like paste when fully cooked, much like cream of wheat, and is similarly served hot. Generally eaten in larger quantities in the southern US, grits is usually a dinner item. Often canadian bacon or ham is cut up and dropped into a bowl of grits.

    Now just to follow the string of this original post, imagine a hot gritty bowl of this substance being poured down your pants.

  • by MrP- ( 45616 ) <jessica&supjessica,com> on Wednesday February 09, 2000 @04:20AM (#1292618)
    i have a few domains, one of them i got from NSI, i paid the most for it, and the service is horrible, sometimes it takes like 2 or 3 requests before they update the dns entries for it, and their support is horrible also. My most recent domain I got from dotster.com for $15 (saw an ad for it on slashdot, thank you /.) they charge like $25 or $30 normally but until feb 15 it's $15, service is nice and fast too

    #----------------------------
    $mrp=~s/mrp/elite god/g;
  • I've been on both sides of the fence in this issue: I've had domain names stolen out from under (yes, we switched to CRYPT-PW right quick) us using a fake email address.

    I also am having trouble with a client's domain that is registered to a provider that no longer exists ... NONE of the email addresses are valid, and forging them hasn't worked yet either.

    Just like most things, it works wrong when life's good, and works even worse when life's bad.
  • connection failure...maybe it's under DoS attack.

    I registered my domain with TotalNIC [totalnic.net] and it was fast and easy, $35. Of course, I haven't had to change any info with them yet.

    Unfortunately, since my DSL provider charges $30 extra for hosting the name, I'm going to have to take the route followed by an earlier poster and figure out my own DNS. Fortunately, I have an old IIci I can use as a firewall/DNS box while the SE/30 serves the site. (Yes, I am insane.)

  • Good article. What worries me is this. The article recommends transferring your registration to some other registrar, but isn't that error prone as well? Didn't I read recently about someone losing a domain in a botched attempt to transfer it? Is there no safe harbor?
  • I have had to "hijack" Domains before because of my customers and their lack of internet prowess. Usually, what happens is that they canceled their old ISP account, where their Internic handle pointed, without updating their handle. I usually end up doing the same when editing their handle to reflect the correct information. So, I suppose, the real question is: How do we secure your domain name, but still allow for the stupidity of your average domain holder?
  • Ooops... But then, I did post that in the morning..

    There's no satire-code lint checkbox on Slashdot, oh well ;-) I also forgot the part about feeding the servers crack, and testing if (1 == 0) { work_properly(one_nano_second); }
    ---
  • They're, well, interesting. We talked about the INS being pathetic, but these people take the cake. If they replaced the INS, you can be sure you'd get a "confirmation of request to enter the country and become a citizen" mail 4 weeks after you received your green card and moved to California.

    ---

    NSI domain management pseudo code:
    if(new_email)
    {
        grab(new_email);
        grab(mail_from_queue[random()]);
        send(letter(confirmation));
        if(email_changing_options)
        {
            send(letter(confirmation));
            if(mail_security)
            {
                if(crypt)
                    crypt(password, password);
                else if(mail_from)
                    for(i = 0; i < (255 * random()); i++)
                        send(letter(confirmation));
                else if(pgp)
                {
                    send(pgp_pubkey(random_recipients));
                    send(pgp_privkey(random_recipients));
                }
            }
        }
        if(cranky_servers)
        {
            transfer_domain(randomly);
            send(letter(info_about_transfer));
        }
        play("/usr/share/sounds/maniacal_laughter.wav", "/dev/dsp");
    }

    ---

    NSI -- the dot incompetent people.
    ---
  • A while back, an idiot sent in a few hundred fraudulent requests to transfer big-name domains to my ownership. None succeeded, except two: angelfire.com and excite.com. NSI fixed it instantly -- I never showed up as owner of excite.com publicly (although I did for angelfire). The shame is they REFUSED to do that for a friend of mine who had his domain stolen in the same manner... I guess they only help the multi-million dollar companies out. Not only that, after they fixed angelfire.com, the changes switched back a few times over the next few weeks (causing downtime at Angelfire, and also people pissed at spammers to call ME and bitch). Now I was extremely nice about everything -- I didn't want to profit or gain off of this, that wouldn't be right... but imagine if I did? There was a Wired news article about it, you can check it out here [wired.com].
  • I would be interested to hear how many others had this experience. I registered two domains through Network Solutions. It clearly states all over their site and in the whois information that the information provided by me is not to be used by anyone for commercial purposes.

    Wellll, I soon started receiving computer equipment catalogs addressed to "Jishywa Technologies Inc." which is the fake (hehe) company name I gave with my address for the registration. That form is the only place I ever put that name, so somebody is breaking the rules here...

    Josh
  • NSI has been on a downward spiral since they got so huge. Sometimes they'll be really quick and sometimes they'll act like they never got your request.

    I think that eventually NSI will phase out to 4-5 major different domain registrators.
  • lol, put a bit too much crack in your cereal this morning?
  • The bugtraq list talked about this about a month back. the original comment is here [securityfocus.com] and most of the discussion on it is here [securityfocus.com]
  • BofA just bought loans.com for $3,000,000. Wouldn't it suck if that got stolen :)

    Maybe I don't see something here but if the actual registration is held at Network Solutions then all that would have to be done is to have the owner contact the company and have it returned. Just hope they kept the receipt. :)
  • how secure is the slashdot domain name. If it isn't, I'd do something. There are a lot of trolls and worse things out there.

    I think that it's fine. You see even if someone tried to steal it it would be found out quickly and all you would have to do is just call them up and say:

    Hello this is Rob Malda from that little ol' slashdot.org site I would really appreciate it if you would fix the problem with our domain name. Seems like a group of Lebanese terrorists have taken it and are using it for their new web site.
  • Domain registration should not take 14 days, it should take about 14 minutes at most....

    I thought that for domain registration under the typical regime of the NSI that it took 24-48 hours to process your request. Yeah sure possibly if you streamline the process and have more people doing it it would take 14 minutes. However, you have to consider that usually there is a line to get domains registered and that probably a human is entering in each and every one.

    Take your income taxes as an example. In the US you have a tax form that could be processed by a machine in less than 10 minutes however because of the fact that a great many other people have taxes as well you have to wait and end up waiting for a long time.
  • A request-for-proposal I noticed on eLance.com [elance.com] is indicative of the unsavory taste I get in my mouth whenever discussing domain registrations.

    • Inviting bids to create an application to run reports of WHOIS/internic directory by the expiration date. In other words, list the domains expiring in the next X number of days. User should be able to input the number of days in a field. A second report should run to check the above expiring domains to see if they are available to register. These available names should be listed by .com, .net or .org. Need user-friendly front end and documentation for a non-technical person to perform this function.

    I'm not sure whether there's sufficient information on WHOIS to perform this task meaningfully. This requestor may be making a new service to "remind" people that their domain is up for renewal, perhaps to offer a lower price on the renewal than their last registrar, but I have a feeling it's more to find names to scalp.

    (Opportunistic domain thieves =anagram> and this viperous competition =anagram> a victim proposition, enthused.)
  • I hate Network Solutions. I accidentally misspelled the name I wanted to use as my company name on the registration, and they won't change it without me seeing a notary public (lawyer?) and getting a certified signature. Of course that costs money...

    A notary public is not a lawyer, but a person who is certified to verify your signature on a legal document. Just go to the nearest branch office of your local bank. They will have one or more notaries public on staff. You will need to bring the document you are signing and one or more pieces of photo ID. They will verify you are who you say you are, watch you sign, then place their stamp on the document verifying your signature.

    No big deal, and it won't cost you anything other than your time.

  • Might it be that the junk mailers are getting your fake company name from your whois entry? I get junk mail for my domain name all the time (registered thru NSI) but I'm pretty sure they just do a whois lookup on the domain and get my address off my whois handle.

  • Yup. Just yesterday I got something addressed to "Christ Trekkers" at my address. NSI is the only place I've ever used that designation.

    Spam, both snail and e, needs to die a quick but painful death.

  • It's 11 o'clock - do you know where your domain name is?

    Right now it's over in Washington on a VAX......ooops!... now it's in Texas on a UUNet server...uh oh, someone just tried to ping it, it's over at UC Berkeley now. Damn, it's all over the place. =)


    Pablo Nevares, "the freshmaker".
  • Singular   Plural
    VAX        VAXen    maybe - pretty thin
    + ox       oxen     handle work without complaint
    ----------------------
    box        boxen
  • What about the CRYPT-PW and PGP options? Are these no longer being used?
  • I work for a private domain name registry with email automaton functions similar to Network Solutions and this is the only way we even considered to implement the default level of email security for domain modifications.

    I was utterly shocked to find out that Network Solutions MAIL-FROM security really only relied on the From: address in the email.


  • PGP:

    From personal experience, I have little confidence in their PGP system. It typically takes several days to get a response to adding or listing a key. When speaking on the phone to Network Solutions recently in disgust about the total lack of security of MAIL-FROM I discussed PGP but was advised not to use it because "the system doesn't work very well yet" (that's a fairly accurate quote) but hey! at least "[their] programmers are working on it" - unbelievable!

    CRYPT-PW:

    This seems at best a shoddy system but maybe the best of the bunch until PGP is reliable. At least I thought so until in the process of modifying the contact handle for a host registered to someone else underneath one of my company's domains the plain text password for the main handle we use was emailed to someone outside our organisation.

    So, in summary, it seems that ALL of their guardian authorisation schemes suck ass big-time.

  • You bet I know where my domain is -- it's registered with Joker.com [joker.com] instead of that shady NSI outfit. $36 for two years and the knowledge that when I want changes made they actually get made in a reasonable time frame (*gasp*).

    I know this sounds like spam, but people need to stop bitching about NSI and start taking their business elsewhere (now that we finally have alternatives).

  • it looks like it's fixed now, but yesterday the whois record showed slashdot's dns servers as 'ns1.hypermart.net' and 'ns2.hypermart.net' and the contact email was in hotmail.com. i guess that's why they decided to post this story, eh?
  • I know a lot of people who have had the same thing happen to them. It has happened to me. I don't know if it's just a coincidence or not but it makes you wonder.
  • how secure is the slashdot domain name. If it isn't, I'd do something. There are a lot of trolls and worse things out there.

    treefrog.
  • Aye. Same here. Any chance you're using Telocity?
  • Now, if someone has a domain name they purchased and registered and a "hijacker" comes along and changes the registration info and DNS, that is a pain. But, when the original owner proves who they are, the new registration information points to the problem. Or, the new information is not functional and the domain was childishly vandalized. Either way, I don't see how you could truly take someone's domain.
  • Network Solutions (or for that matter, any registrar) should demand PGP/GPG signed emails before they do anything.
  • No wonder it doesn't work ... that code won't even compile. :-) (look at line 8) Paul
  • Transcribed:
    Is your internet identity subject to theft by malicious individuals at Network Solutions? Your domain could be taken away from you, without any warning, hijacked. This could be because your competitor, a derogatory site with atrocious content, wants to try and make people believe you are affiliated with...anything they choose. How badly can one malicious company hurt you through one simple act?

    The answer would be eToys requesting Network Solutions to take etoy.com away. Network Solutions then claims they had a court order to do so, despite the fact that both etoy AND etoys claim otherwise and no such court order has been shown. The lawsuit is dropped by eToys, and Network Solutions still refuses to return the domain name. ICANN refuses to look into the matter, and a group of artists are still denied their site.

    It doesn't take hackers to destroy your site where Network Solutions is involved. They'll do it themselves, just to make their larger clients happy.

    This is agent JohnnyAngel at Toywar [toywar.com] reminding you that you can no longer buy a vowel.

    -----

  • Indeed it has, according to the network solutions whois.

    http://www.networksolutions.com/cgi-bin/whois/whois?slashdot.org [networksolutions.com]


    --
  • I didn't get one of my domains hijacked, but Network Solutions did something that would qualify as a security breach (using MAIL-FROM). When I got my DSL line, I had asked the provider to get my domain name transferred to their DNS servers. Four weeks after my DSL was installed, I called them about getting all of my domains transferred. They happened to mention that they had no record of the first one (The stupid DSL provider is another story....) They told me that they wouldn't accept several of my domain names into their DNS servers (I have a couple of domain names that end in the .cc and .cx TLD's) because they weren't registered through Network Solutions (their EXACT quote...) Anyway, I said 'Screw Them' and bought a couple of great DNS Books (DNS and Bind, & DNS on NT both from O'Reilly publishers...) and set up my own DNS servers. I'm now happily serving my own DNS. But now, my DSL provider apparently finds the original request for my .com domain because I get a form asking if I want to accept or deny the transfer. I didn't answer it, but I called the person listed as the technical contact on my domain. I told him that if he got the form to deny it. He did (he even CC'd me a copy of the form with a big old NO at the top). Guess what... Network Solutions transferred the technical contact to my DSL provider anyways...and screwed up my (and my wife's) e-mail in a serious way. The worst part of the whole damn thing is that my DSL provider has ignored all of the e-mails I've sent them and Network Solutions keeps sending me a message that says I need to send them a Domain Change form... I have e-mailed Network Solutions about 6 times now complaining about this, and they keep telling me that I need to submit a form, in spite of the fact that I keep telling them that I can not submit a form because the e-mail account for admin and billing are both screwed up BECAUSE of this stupid problem and that my DSL provider is ignoring me.
    I think I'm going to get my best 'I'm PISSED' voice ready and actually call Network Solutions today, and I am DEFINITELY calling my DSL provider since they don't seem to answer e-mails...
    Codo
  • Thank you /. and dnspolicy.net for getting me off of my lazy butt. I crafted this letter [bitwrangler.com] and sent it to as many registrars as are listed at InterNIC [internic.net]. Here are the results, as they happen [bitwrangler.com]
  • About 8 months ago, I changed to the PGP method because I was worried about the security of the mail method. The Network Solutions system accepted my request to change to PGP method, but refused to accept a single signed message of any sort. After a couple of weeks of completely losing control over all of my domains, I had to phone them from Australia for an hour to get everything done correctly, and reversed to the MAIL system.

    In making a system secure against bad guys, you also have to make sure you don't stop the good guys getting in.

    If anyone has found that they _can_ make the PGP system work, please let me know. I don't know if I have the courage to try it again though. Maybe next time they won't accept my phone call as authority to change things. I wonder how they know if a phone call is from a good guy or a bad guy.....

  • I have never been too impressed with the way Network Solutions does their business, it's sloppy and "expensive".
    Currently, we buy our domain names wholesale through Tucows/OpenSRS and then retail them to customers for $45 for two years. The nice thing is that all modifications and renewals are handled via a web interface instead of email templates and Mail-From authentication. Of course if someone found out your password and username I guess they could wreak havoc with your domain name, but even then, we control our clients' access so we could easily delete their ability to access and then create a new access account with a new username and password. It's all very nice, and trouble free. I'm very impressed so far with Tucows/OpenSRS's service and their setup.
    I simply say, why pay Network Solutions for your domain registrations when they can be bought much less expensively somewhere else and the security is better.


    Nathaniel P. Wilkerson
    NPS Internet Solutions, LLC
    www.npsis.com [npsis.com]
  • You might want to take a look at http://www.granitecanyon.com/.

    The interface is archaic but they'll host your DNS for free. I'm using it for my own DSL line and it's worked out well.

  • The public whois database is updated approximately once a day so it may have just been earlier in the day. Under the new distributed registrar system the registry has the real-time availability of any domain, not the whois. This is accessed via most registrars' web registration section. This sometimes goes down and makes it appear as if it is available. When this happened NSI would show a domain available, show it taken, and then show it available again.
  • I tried registering a Domain through my future Web Hosting company and received an email stating that they submitted the request. Two weeks came and went and then the holiday (Christmas and New Years) week. I tried to reach them during break (yeah right). When I went back to work the first Monday in January, the domain was pointing to someone else! So I called my hosting provider and they said they couldn't provide me any proof that they submitted my request. I checked whois and it somehow had merged my request with another request made by someone else two weeks after me. They were listed as registrar, but I was listed as admin and tech contact! WEIRD. The next day, the Domain started to resolve to my address, but Network (lack of) solutions wouldn't correct the information. However they said they wouldn't change my info to theirs either. I got two emails asking if I agree to change the info to the other company's info, and both times I said no. A week later it was all in their name however. I just want to yell that Network Solutions can lick the shovel that I hope some opensource upstart will use to bury their BS system.
  • Looks like NSI registered nsisucks.com themselves.

    Registrant:
    Network Solutions, Inc. (NSISUCKS6-DOM)
    505 Huntmar Park Drive
    Herndon, VA 20170-5139
    US

    Domain Name: NSISUCKS.COM

    Administrative Contact, Technical Contact, Zone Contact:
    Network Operations Center (NSOL-NOC) NOC@NETSOL.COM
    703-742-4777
    Billing Contact:
    Accounts Payable (AP5173-ORG) ap@NETSOL.COM
    703-742-0400

    Record last updated on 24-Jan-2000.
    Record created on 07-Oct-1999.
    Database last updated on 9-Feb-2000 14:58:57 EST.

    Domain servers in listed order:

    NS2.INTERNIC.NET 198.41.0.11
    NS.NETSOL.COM 198.41.0.196
  • We actually just lost a domain name... and for no apparent reason (in other words, we are still trying to figure out why)... We ordered our company name... 14 days later we discover that someone else has registered it in the meantime... :(
  • BofA just bought loans.com for $3,000,000. Wouldn't it suck if that got stolen :)

    kwsNI
  • hey reminds me when someone stole a domain from a customer of ours not too long ago... they used hypermart.net too as the DNS servers...

    the worst thing about it was that it was done by an Outlook Express user... how insecure can a system be if even OE users can "hack" it... :)

    getting the domain back was a nightmare and we almost got sued by our customer for it...

    we switched to notify-before-update so that's all we can do about it....

    Ricardo.

  • Either Network Solutions got even or my work is being pissy. Can someone send me a copy of this article??
  • An article at COTSE News [cotse.com] points to the proof of Saturday night's RSA Security hack. While the hacker made it look like everyone should distrust RSA Security, the reality is that everyone should distrust NSI. Is all of NSI sleeping in a cave? This information has been out in the media for some time now, and still people are able to exploit them. Something needs to be done...and NOW.
  • Problem is after you mail from "MY" email address, NSI then sends email with tracking number to "MY" email address. I then need to send a reply with a Y on the correct line (0a IIRC), and the "tracking number" needs to be in the subject line. How exactly will you get that "tracking number", aside from maybe hacking my email server and reading my email?

    Here's a more interesting question, bear with me a bit on this one. Who is this WilliamX guy anyway? His name certainly doesn't ring a bell like certain other 'net figures. Didn't your mammies teach you not to believe everything you read?

    An individual, with a handle of WilliamX posted the article we are discussing in this thread on dnspolicy.net, attempting to discredit NSI. Run a whois on dnspolicy.net...Pay close attention to the registrant. Also, if you look carefully at his handle on the dnspolicy.net posting, his email is @wxsoft.com. Let me see...What business do you think wxsoft.com [wxsoft.com] is in? Well, one of their services is domain registration. No hidden agenda there, well, not once you look a half inch below the surface.
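
Two comments in this thread describe the same mechanism from opposite sides: one says MAIL-FROM trusts only the From: header, the other says a change also needs a reply carrying a tracking number mailed to the contact address. The sketch below is an added example, not NSI's code or any poster's; the class, field names, 24-hour validity window and sample messages are assumptions, and it contrasts a header-only check with a confirmation loop bound to the address on file.

```python
import secrets
import time
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed registry data: hypothetical domain and contact address on file.
CONTACTS_ON_FILE = {"example.com": "admin@example.com"}
TOKEN_TTL_SECONDS = 24 * 3600  # assumed validity window for a tracking number


def naive_mail_from_check(msg, domain):
    """Trust the From: header alone. The header is sender-supplied text."""
    _, addr = parseaddr(msg["From"])
    return addr.lower() == CONTACTS_ON_FILE[domain].lower()


class ConfirmingRegistrar:
    """Holds each request until the contact on file confirms it."""

    def __init__(self):
        self.pending = {}  # tracking number -> (domain, request text, expiry)
        self.outbox = []   # (recipient, tracking number) pairs "mailed" out
        self.applied = []  # (domain, request text) changes actually executed

    def submit(self, msg, domain, now=None):
        now = time.time() if now is None else now
        tracking = secrets.token_hex(16)  # unguessable, unlike a counter
        self.pending[tracking] = (domain, msg.get_content(),
                                  now + TOKEN_TTL_SECONDS)
        # The number goes to the address on file, never to an address taken
        # from the request, and it is not returned to the submitter.
        self.outbox.append((CONTACTS_ON_FILE[domain], tracking))

    def confirm(self, reply, now=None):
        now = time.time() if now is None else now
        tracking = (reply["Subject"] or "").strip()
        entry = self.pending.pop(tracking, None)  # single use
        if entry is None:
            return False
        domain, request_text, expiry = entry
        if now > expiry or reply.get_content().strip().upper() != "Y":
            return False
        self.applied.append((domain, request_text))
        return True


def make_msg(sender, subject, body):
    """Build a constructed sample message; From: is whatever the caller types."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg
```

The confirmation loop only proves control of the mailbox on file, so it does nothing against the lapsed-Hotmail-account takeover described further down the thread.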

  • This actually happened to a company that I used to work for (a huge financial services institution.) One of the employee-related internet sites we had set up somehow got directed to a large pornographic site chock full of links to other pornographic sites. Needless to say this did not sit well with the conservative bankers, and to compound matters it took days to get the problem resolved. On the plus side, though, it was the one and only opportunity we as employees ever had to surf the net for porn without fear of repercussions ("hey, I was just checking out the new company site, was all....")
  • Been there. Believe me, it's extremely irritating, especially since when they fix it you still have to wait a while before all the nameservers have gotten the corrected version.
  • Hi,
    here in Lithuania (eastern Europe) we had case of stolen domain few days ago (last Thursday).
    I mean Vladas Palubinskas has created site Lithuania on Line five years ago it was very valuable resource on Lithuania and Lithuanian sites and it had as much as 3000 hits a day lately...
    Lithuanian company Skaitmenines Komunikacijos offered him to buy him domain name online.lt and pay for him also (as they saw this as a valuable advertisement).
    Vladas Palubinskas agreed. He worked on site Lithuania on Line, updated it on daily basis for five years...
    Month ago Skaitmenines Komunikacijos was acquired by Microlink... and Microlink offered some money for the domain name online.lt to Palubinskas, but he rejected offer, and then Microlink just redirected online.lt to delfi.lt (their own portal...)
    Though everything is legal (Skaitmenines Komunikacijos has bought and paid taxes for domain name) it was very unethical move from the side of Microlink, and most Lithuanians consider this as stealing...
    Links:
    New Lithuania on Line domain [www.on.lt]
    Old Lithuania on line domain [online.lt] (currently redirected to delfi.lt)
    Delfi portal (by Microlink) [wwwdelfi.lt]
  • There is a reason why you don't want to use a hotmail account as your primary email address for a domain. Not that hotmail can be hacked, but for sheer fact that it is very easy to take a domain this way. Here's what happened to me. I will leave my domain out of this, in its place I will use trollmastah.com (mine) and trol1mastah.com (theirs).

    Basically.. the owner of trol1mastah.com used hotmail as their primary email contact with this domain. Well a visitor of my site, who dislikes www.trol1mastah.com, decided to keep track of the hotmail account of the owner of trol1mastah.com. Well Microsoft has a 60 day (I believe) non-usage expire date on all hotmail accounts.. so when the expiration date happens, the account is deleted. Well this person tried to register the same email address every day for (as I found out) almost a year until the same email address came free. Then they just signed up for the same exact email address.

    It worked. And then all this person did was change the contact information to myself, and then *POOF* I owned both www.trollmastah.com and www.trol1mastah.com .. and of course I set up DNS to point to my page ... and well, the rest is a part of media history forever.

    This is why SECURITY (and a brain) is needed when registering domains, so that something (as stupid) like this can't happen.

    .

    Trollmastah
    Take all good things in moderation, including moderation.

  • A few months ago, I looked up a domain name on NSI's whois site one night and it was available. The next day, I asked my ISP to buy it. A reply came back a day or two later that it had been taken by someone else, through another registrar, between the time we looked it up and the time we applied. Coincidence? Or was someone snooping? Not sure. But the next time I needed a domain name, I looked it up during the day and bought it immediately.
  • The truth is it would be possible to steal a domain name, I know that a person can fax in a driver's license and get the authentication. If the Rep feels that something is fishy he will call the contact listed in the WhoIs. They still cannot change the name of the owner and the owner overrules everyone else. Then if the owner comes along and says the name has been hijacked, he too can fax in and have it changed back, then if you end up with 2 parties screaming foul and faxing in. (rarely happens, as the bad guy will always step down as this is illegal, The name will be put on hold awaiting a court order) The rightful owner then can have the name put on what's known as a hold-lock, (only after a known breakin attempt) this is done via the BAO Bus. Affairs Office. At this point no one can make a change to the record without NSI getting back to the registrant first. This system seems to be regulated by the long arm of the law and has proved pretty effective.
