Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Network Solutions E-Mail Security Alert 245

The following story is somewhat alarming. You must read it if you own a domain name. It is not a hoax; I tested the security hole on a domain name I own. It worked. A large number of readers have written us about it. The Network Solutions site was already overloaded and responding slowly in the wee hours and is probably going to be hit hard all day. They have made a monumental mistake here. Click below to read Slashdot reader Ralph Brandi's excellent description of what's going on. Update posted 2:10 p.m. EDT - see bottom of the story (below).

Ralph writes: Network Solutions has starting spamming some of its customers with notices that include, among other things, the news that they've set up a free e-mail account for you, without bothering to ask first, at their new dot com now mail Hotmail clone. They've even taken the liberty of assigning you a password:

3. Lastly, we are pleased to offer you a FREE e-mail account using our new dot com now mail service. Because it's Web-based, you can use it in the office, at home or on the road. You'll need the following information to set up your account:

 >>>>>>>>>>>>Login name:  domainid
 >>>>>>>>>>>>Password:    domainidnsi

Note that nifty password? It's the same pattern for every domain they've registered an e-mail address for.

Big security [bleep]up. If someone beats you to your account and "guesses" your password, now they can masquerade as you, and if they change the password, you can't even get into the account.

I've already gone into my "accounts", verified that they exist, and changed the passwords. I know that they exist because when I entered other domain IDs I control that I wasn't spammed at, I was returned to the login screen rather than being brought to a presumably newly-created mail page.

I called Network Solutions tech support to demand that they remove the accounts, but the moron on the line didn't understand that they were doing something incredibly boneheaded and wouldn't listen to my explanation. The person on the line insisted that they wouldn't create an account without me signing up for it, but I didn't have to sign up; it was already in place.

The mail I received started out "As a customer of Network Solutions or one of our Premier Program members", so I'm not sure if they're doing this for everyone or just for people who bought their domains through some of the big providers like Pair who are part of the "Premier Program". If you get the e-mail from them, I suggest logging on immediately and changing your password, whether you wanted the account or not. Maybe with a little prodding, Network Solutions will realize they screwed up and delete the accounts and change their procedure.

Update posted 2:10 p.m. EDT by RM - doulos writes "If your tired of getting a busy signal at the 703-... phone number, I found that they have a nice staff of people waiting to answer your questions and complaints at the following TOLL FREE phone number: 1-888-642-9675

They did refer me to the toll-line, but I (politely) insisted that because this was a matter of security that they had initiated, that I should be able to at least speak with a supervisor. They nice person on the phone _politely_ complied, and I was able to put in my request to have those e-mail accounts removed with my appropriate domains.

I just thought I would submit this as an article update because I felt maybe if the phone # was posted as an update it might help alieve some of the offense of having to call, by at least removing the toll from being on your nickel..."

This discussion has been archived. No new comments can be posted.

Network Solutions E-Mail Security Alert

Comments Filter:
  • by anthonyclark ( 17109 ) on Wednesday September 15, 1999 @09:16PM (#1679067)

    However much you may hate XXXX corp DO NOT try and masquerade as them!

    It's not big, clever or AFAIK legal.

    What may seem as a good idea right now may land you/us/everyone in the world in a whole heap of trouble.

  • by LordChaos ( 2432 ) on Wednesday September 15, 1999 @09:20PM (#1679068) Homepage
    What kind of programmer can create an entire web based email system, write the code, and bring the whole system to working order, and then ignore one of the basic principles of password choice that has been a major no-no in the un*x (and other) operating system for decades.
    Mind you I guess it's not surprising when we consider the other screw ups we've seen lately - even in other web based email systems like the recent hotmail scare.
    All we can do is hope that they will be a learning experience for us all, and that screw ups in the "early" days of the internet for the masses will prevent (or at least lessen the effect of) major security holes in future systems..
  • by Palin Majere ( 4000 ) on Wednesday September 15, 1999 @09:28PM (#1679070)
    First they produce copyright restrictions in whois queries that people cannot opt out of. Then they fight tooth and nail with government regulators over divvying up their monopoly. Now this?

    What's next, my bank creating an email account for me and assigning it the password 123456, like everyone else's?

    Just imagine the possibilities of such a monumental foul-up:

    -) Email Masquerading:
    "Hi InterNic Tech Support, this is so-and-so, I'd like my contact information changed to... No, I'm really so-and-so. You can tell because I'm emailing you from so-and-so's account..."

    -) Spam, Spam, Spam, Spamitty-Spam:
    "You've got mail! Oh joy, so-and-so@internic is spamming me. Lets get them blacklisted and ban their server."

    -) Misrepresentation via Email:
    With this, and some of the information available from a standard whois query, you easily order products and have them shipped to someone COD. And of course, it's authentic because it was shipped from your internic account....

    Someone stop the madness before it continues to spread!
  • Either my company's email boxes have not been created, do not use the stupid password, or someone has logged in and changed them.
  • Okay this has way too much potential. How long is it going to take them to clean up the aftermath? I see another mess of legal battles over this one, and maybe because it's so prominent, we might see some penalties for boneheaded admins like this one. (Oh please, oh please, oh please? We need a legal precedent that makes "blatant neglect" a crime.. heh)
  • ... class-action lawsuit?

    Who wants to keep track of how much time is lost due to this?

    Anyone know how I can figure out what other accounts I might have?
  • by ninjaz ( 1202 )
    Just when you thought you'd seen it all, NSI sinks to a new low! I just noticed a name I control affected, too. It appears that they may still be in the process of rolling this out, as the oldest domain got this account, but the others haven't (yet, at least).

    Also, I think it's disturbing that something important as control of your domain name is left wide open by only offering cleartext passwords. i.e, even if you *do* log in and change your password, it can be seen in transit and your name can still get hijacked.

    I think this is a demonstration of NSI's utter incompetence/unwillingness to take due dilligence and that their contract should be terminated.
  • Sorry, I meant to say... I just followed the link [netsol.com] given in the article, and I just get an instant blank page. It looks like Network Solutions have just pulled the service until they get it sorted.


  • by Khan ( 19367 )
    Looks like it's either /.ed or their servers are offline while they fix this little "problem". .....Heh, I just made myself laugh pretty hard writing that last comment ;) This is truly unreal.
  • If we can expect quality service like this because of it, I'm all for monopolies over services, products, whatever you got! Tell Uncle Sam to stick it.. Let those businesses continue to deliver the good stuff until it hurts!

    Warning: The views expressed in this message are not necessarily shared by the poster, Slashdot, or the free-thinking populace at large.

  • by sgs ( 78161 ) on Wednesday September 15, 1999 @09:49PM (#1679085) Homepage
    I just got the spam from NS, and it was a bit different than described. The account name was the administrator's last name with a random number added; not the domain name as described. The password was as described; the account name with "nsi" added to the end.

    A bit better; anyone trying to screw up somebody's account would have to know how to use WHOIS and guess a short number.

    Clueless. Utterly clueless. And these are the guys who claim to be running the Net??

    My password is now a random string that I've already forgotten. Why would I need another e-mail account anyway? Don't you have to have an e-mail address (contact point) to set up a domain name?
  • Yep, same story - blank page. Either NSI have really taken it down or it's suffered the slashdot effect(tm) ;-)
  • It's /.ed. Very ironic if you ask me. I managed to get through after about 15 reloads.
  • Am I the only one that thinks emailing out unsolicited passwords in plain text is a bad idea in the first place? Unencrypted email's not exactly the most secure way of transferring information. There may be times when I *request* a password via email, but I do so knowing and accepting the risks, and I wouldn't do it with something I couldn't afford to be compromised. Of course, the choice of password was dumb beyond belief as well, but that's a separate issue...
  • by Jonny Royale ( 62364 ) on Wednesday September 15, 1999 @10:04PM (#1679094) Homepage Journal
    Network Solutions...we're the "duh" in dot com!
  • by eff ( 27908 ) on Wednesday September 15, 1999 @10:04PM (#1679095) Homepage

    If someone beats you to your account and "guesses" your password, now they can masquerade as you, and if they change the password, you can't even get into the account

    I'm probably just extremely dense, but isn't dotcommail just yet another free mail service?

    do you really think people are stupid enough to think that a mail from 'slashdot@dotcomnow.com' (or 'slashdot@hotmail.com' which I just grabbed) must necessarily come from someone working for slashdot?

    if that's the case, we're in deep trouble. there are hundreds of free mail services out there...

  • I took a look at this story and hurried over to the NSI website and the account I use to register some domains to check this out. Nothing.

    I am glad there was nothing, no dotcomnow account that I can think of and no email with my nice little present from Netsol. If there was, I guess I might have joined in the frenzy here.

    This got me thinking about what the "security hole" is.

    a) That account cannot be used to change my domain parameters, since it does not match the e-mail address I registered from.
    b) Anyone can really set up an account on one of thousands of webmail providers and pretend to be me. Heck, this has happened to me before on some discussion groups, and there is simply nothing I can do to prevent someone from misrepresenting me to lusers. People who know me know where my e-mail comes from, and know I use digital signatures.
    c) How is this different from your friendly bank sending you a credit card without your approval? Infact that is something which I consider more dangerous than this act of stupidity by Netsol.

    Having said this, I seriously think we're over reacting.

    Shri -- returning to the scheduled Typhoon York.
  • Go to http://mail.dotcomnow.com [dotcomnow.com] and click on preferences. You can change your password from there.
  • it's moments like this that i decided to drop NSI and register my current domain with one of the other registrars.. i.e. register.com and the like.. they atleast appear to have more than a clue than NSI does, unfortunately, people still use 'whois' to look up a domain, and since that only looks at NSI by default, well, makes life harder... but i'm not surprised that NSI would do something this dumb... i tried 6 times to get them just to change my CONTACT INFO, and oops.. sorry, we lost your pgp key, (and since i can't mail from the email in my contact info anymore.. too bad), thank god i don't hold any domains with them now..
  • Hrm, has the thought occured to anyone that by alarming all of us slashdotters to this not-so-important security hole that the hype and alarm of this story rushes each and every one of us to _GIVE NSI A PASSWORD_. Most folks dont believe in smart passwords. Most folks use the same password everywhere.

    You may have just given NSI more power then they deserve.

    Wouldn't you just love to be a corrupted employee working for dot com mail?

    Just think... if you were, you'd have passwords to hundreds of thousands of root accounts, etc.

    God, what the hell were you guys thinking doing this. Big whoop. Spank NSI.

    But realize that this is a double edged sword.

  • If it works like that; what's the domain id for 'etrade.net' or 'etrade.org'?

    More likely is indeed the last name of the administrative contact. I've already found several that work that way :(

    Good luck...

  • I tried this particular little 'trick' with a random domain, and there was no 'account'. SO, they must be being selective ass holes. -C
  • by KFury ( 19522 ) on Wednesday September 15, 1999 @10:23PM (#1679106) Homepage
    > A bit better; anyone trying to screw up somebody's account would have to know how to use WHOIS and guess a short number.

    The number appended to the admins last name isn't random. If you do a whois lookup on yourself or your domain, you'll find this is actually your ns 'handle.' The number NS has appended to your last name (usually the entire last name, plus the uid), and is just as easy to obtain as any other piece of info you've registered.

  • Since I don't *want* another damn free email account, but I don't want anybody else to have it either, I intend to change the password to some random string of characters and then promptly forget it.
  • Lest I become a source of misinformation, I'm correcting myself now:

    As far as I can tell, this doesn't directly compromise control of the domain name, just the cheesy webmail account. Of course, as others have stated, that may be an effective tool to help with social engineering..

    Anyway, I prefer to roll my own webmail service using Imp [horde.org] along with mod_ssl [modssl.org] which doesn't require sending cleartext passwords over the net.

  • by barbaBob ( 56615 ) on Wednesday September 15, 1999 @10:33PM (#1679111)
    We probably are reacting a bit over the top, but the scary part is that at least three of the 'lastname' and 'lastnamensi' get me into someone elses e-mail account.

    You're right about there not being a real security at the moment. Only people who used their Dot Com Mail address as their contact's e-mail address will be at risk of losing control of their domain, since most of them use 'MAIL-FROM' as their authentication method for authorizing changes to their domain registration.

    It does make me think about advertising ourselves as a 'Network Solutions Partner' though. But then again, I doubt that you'd be really better off with any of the other TLD registrars.

  • Wow...
    I'm impressed... It's been a while since I saw a monumental cockup like that (well, since the hotmail affair anyway).
    I'm sure that a couple of minutes adding a check with cracklib wouldn't have gone amiss, or just adding in a random password generator..
    I wonder.. Do these people have a QC department, to make sure that the code they release is robust?
    Or is a building of PHBs with a lone coder stuck in a cabinet somewhere and let out to be fed and watered every now and then..
    For a large company with huge resources at their disposal, there's no excuse for not checking their functionality a hundred times before release... Especially as this is supposed to be their core business!!!
    I'd love to see their PR dept. right now.. :)
  • I agree. The least they could have done would have been to add some sort of verified activation.

    Go to this URL and activate your account. On activation the password would be sent to the e-mail in your contact info.

    BAD security. But not a major concern for now. Unless they have updated your NSI contact info to your new e-mail addr ;-)
  • do you really think people are stupid enough to think that a mail from 'slashdot@dotcomnow.com' (or 'slashdot@hotmail.com' which I just grabbed) must necessarily come from someone working for slashdot?

    You're most likely correct that most people will not believe that mail coming from slashdot@hotmail.com is from the /. staff, but if even 1% of people believe it, it can mean trouble. What if you had a large commercial domain, and someone hijacked your "free" email account, and sent out a few hundrew thousand pieces of insulting, obscene, misleading (or worse) e-mail. You'll spend a large amount of time and money trying to repair the damage. Sure, only a few hundred people truly believed it, but you've got to send emails to all of them, post an apology to your web site, etc.

    For a competitor, this could be a real easy way to generate bad publicity...
  • Yes, but in my opinion, the hype caused by the "security threat" announcement psychologically will trigger people to want to "claim ownership" of those domains. Think about it.

  • No. NetAddress has nothing to do with Network Solutions, and that fiasco is something else in itself. Mine works.
  • this little gem at the bottom:

    If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line. PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.

    So basically, if I don't want stupid emails like this, I have to give up "real-time" communication from NSI about my account? That sounds kind of stupid, don't you think?


  • by Effugas ( 2378 ) on Wednesday September 15, 1999 @10:52PM (#1679119) Homepage
    OK, gotta get the music to that strangely addictive game out of my head now.

    Check out this piece of wholesome goodness, delivered in the same message as my (cleartext) domain hijacking password:

    If you do not wish to receive e-mail from Network Solutions, click on this
    +e-mail address and type "remove" in the
    +subject line.
    PLEASE NOTE: by opting to be removed from this list we will not be able to
    +communicate to you, in real-time, on issues regarding your account.

    The mind boggles. One of the primary aspects of the net's formative power is its ability to quickly report the consensus of a company's customer base. Emails such as the one recently sent to all domain owners--containing both an unprecedented security breach and a jaw-dropping amount of arrogance(read our spam or we lose your bill)--only serve to increase internal communication within NSI's customer base, and to erode and eliminate the trust that the company has built up over the years.

    I am positive there are alot of others out there like myself who hold a great deal of technical respect for their extremely high-uptime management of the closest thing we have to a single point of failure. They've done much right, and honestly, they've scaled better than one might have expected considering their ever increasing workload and the sheer number of years they've been doing their job.

    I almost see a parallel to Microsoft here. People complain that the Windows 9x kernel is buggy, but considering that it runs everything from ancient DOS games to 32 bit applications, it's a miracle it runs at all. There's some truly respectable hackery involved in that! However, nobody, not even Microsoft's staunchest allies will say that their businesspeople are the most ethical in the industry, and most of the industry will claim that the Microsoft businessdroids have even less faith in their coders than the Linux bigots.

    Why else fudge the numbers and force the shipments? Nobody's going to run Internet Explorer unless they're forced to...so lets force 'em. That seems to be the mindset.

    Similarly, the Network Solutions folks have pulled off some significant technical miracles, but their business side is obsessed with the concept that nobody cares about anything technical. Since nobody would use NSI if they had an alternative registrar, the quality and quantity of alternatives must be fought tooth and nail. Since NSI is nothing but its collection of names and addresses retrieved under contract from the federal government, they'll claim de facto ownership of the WHOIS database until the Commerce Department's gun is pointed at their head with the hammer cocked.

    Nobody cares about name resolution, you see. The real fad is WEB BASED EMAIL; create accounts for people without even following basic security procedures!

    Nobody would actually want any of the services offered by NSI through email, so issue a vague threat to cut off all email--even that which is critical to the operation of one's domain--unless the domain owner agrees to sift through the latest thing being hawked by NSI.

    The more NSI does in this style, the more they disenchant, disenfranchise, and disconnect themselves from their customer base.

    There's no logical reason for this to occur.

    I call all of this the PARC Lemming Syndrome. Every hi-tech businessperson secretly(or not-so-secretly) laments that he or she wasn't there at Xerox PARC to bring all of those amazingly profitable inventions to market. The agony of imagining so many lost dollars causes them to try to milk whatever or wherever they're at without due concern for what this will actually do to the businesses Core Competency [doxpara.com].

    To the businessperson...maybe he's breaking loose, pulling ahead of the pack, about to lift off, ascend to new hights...or maybe she's in the middle of a herd, trailblazing, secure in the knowledge that together new possibilities are being forged.

    The the customers, and the rest of us...just looks like a bunch of lemmings racing headlong towards a cliff.

    I implore you, Network Solutions. Buy a clue. Get a twelve pack if needed. Your customers trust you because your uptime is unbeatable, your security is generally reasonably tight, and because you've been doing it right longer than anyone else in the business. I'm one of your customers. Before you tell me anything, offer me anything, or do anything, think of why I do business with you, and about what could make me stop.

    Don't be a lemming!

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com [doxpara.com]

    Once you pull the pin, Mr. Grenade is no longer your friend.
  • This is frankly amazing. Not only that such a large, allegedly net-savvy company could make an elementary security blunder(*), but that they even thought to was a viable business plan.

    After all, all existing domain holders already have valid contact addresses(**) and don't need another poxy webmail account. They're also likely to be the kind of net users who'd not use webmail for importantish stuff. Maybe they just wanted to be able to claim X current users to advertisers, whilst not telling them none of the actually use the service.

    Just glad they don't seem to have included any domains I'm involved in...

    (*) Hey! Has anyone tried to get root at NSI using the password 'nsinsi' or something?

    (**) Except for the spammers, obv. Maybe NSI were aiming the service at spammers. That would certainly fit their modus operandi.

  • So i went and changed the PW for the doms I manage- and I made a mistake... I got the email, it said xxxxx4 for user, and I jusr type xxxxx, so I accidentally changed the wrong password! D'oh!

    friggan turds.

    Surfing the net and other cliches...
  • Bahahahaha
    I just sucessfully picked 3 random names
    and added nsi to the end for the password and it actually let me log in=P

    The stupidity of some people...
  • Anyone using a root password on the web is a moron in the fisrt place. Not likely to happen is it.
  • I had the problem, now it is fixed. It's some other glitch, apparently. Zed
  • When I set up users to access our ftp server, the procedure is usually as follows:

    1. I get a verbal request from operations
    2. I tell operations to put it in writing
    3. The request comes in writing
    4. I generate a user ID & password generated by my random password generator
    5. The user id & password goes out to the user by tracked mail. (Snail Mail)
  • Still works, I picked random 3 bigbig websites, haven't changed a thing though, it's too easy. Zed
  • I can just see that moron sitting in his office now.

    "Hey, look! My new e-mail service is getting tons of hits! Wow, it's only been available for a few hours, and everyone is logging in with their new accounts! Unbelievable! I'm going to be a huge success! I'll be on the cover of Fortune. Hotmail, move over, baby." (sound of smacking lips)

    So let's all contribute to his trumped-up feeling of greatness. I'm logging in with every name I can find (someone else's, of course) and sending congratulatory e-mails to webmaster@dotcomnow.com about what a wonderful service this is, blah blah blah.

    FYI, http://mail.dotcomnow.com [dotcomnow.com] still works, even though the original URL sent out in the e-mail is /.ed.

    And before you try it, I've already snatched clinton, lewinsky, and elvis. Heh heh heh....
  • by Anonymous Coward
    Also, the login screen is completely insecure! No SSL or anything. Atleast hotmail passwords don't go over the net as plaintext!
  • Can't make it work with contacts outside the US of A. All the last names that work are from people that live inside the US. Guess I am lucky after all ;)

  • by yorkie ( 30130 ) on Wednesday September 15, 1999 @11:10PM (#1679132)
    What has happened to the IT industry? Quite simply too many clueless people are being employed, usually hired by equally if not more clueless management.

    I've seen networks brought to their knees entiely due to management making decisions on the network topology. I have seen distributed networks fail due to a management descision to consolidate all logins to one single server! (Doh!) I have spent hours trying to bring dead systems back to life because no one bothered to maintain or monitor the system for 7 years, hoping the system would look after itself, and once I got it working the machine suffered a catastrophic hardware failure, and no more spares were avaialble world wide. And it goes on...

    The most ironic thing is that earlier this year I spent 4 months out of work. For every single interview, the decision rested on someone with no technical experience. I've found a position now, but it is 200 miles from home, and half the team I have to work don't deserve their position.

    There are too many fools in this industry making decisions. No wonder NT is so bloody popular.

    The moron who thought of this, and the bozo who hired him should never be allowed to touch a keyboard again.
  • this is exctly why I registered my domain with register.com, NSI is a fscking horrible company. I never get mail from register.com, nevermind spam. Also, I've found that register.com's web interface to domain administration is *far* bettter than the e-mail crap that NSI has set up for their domain admin process. Not to say that register.com is perfect, I've had my problems, but NSI is orders of magnitude worse.
  • by MobyDisk ( 75490 ) on Wednesday September 15, 1999 @11:12PM (#1679134) Homepage
    NSI has subscribed to the bes possible security flaw of all - The Slashdot effect. Now that they are hosed, noone can get to their accounts! (At least I cannot seem to get in - timeouts on the site galore)
  • Well, in all the fuss, did anybody miss the part in the famed NetSol email saying that as of Sept. 18th, we have to start paying for domain names in full at the time of registration??? How much does that suck?
  • If this is true, then they have me confused with someone else because that number is not part of my handle!

    Just to make certain they hadn't assigned two handles to me, I did do a whois on the number I received and it returned information about someone else.

  • So, I checked out the the dotcom directory and it looks like you can change anyone's information. If you go to "Update Your Listing" search for a domain. They give you all the fields to update and say that they will call you to verify. BUT then they give you a box to enter in alternate contact information.

    My guess is all you would have to do is change things put in a fake name, verify it when they call you and your all set.

    Okay, so it's not critical information. But some people might be depending on this engine to find information about companies. Network Solutions is supposed to be a reputable company.

    I'm still waiting for my phone call to see what they use to verify I have permission to change a companies information.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~
  • very good post, and people should read the essay linked to. Just one point to save you some trouble later:

    The phrase "Core Competency" is a [tm] trademark of Gary Hamel, a management science professor at the London Business School. He's a cool enough guy (I know him), and doesn't usually get heavy over the fact. But he makes his living out of going round talking to companies as "the Core Competency[tm] guy". So he's a bit touchy if anyone else tries to pass themselves off. And sometimes he feels obliged to defend his trademark in order to stop it passing into the public domain ("use it or lose it")

    I'm not sure what your firm DoxPara Research does, but if you're planning on using the phrase "Core Competency" in a consulting context, you might want to send ghamelATlbsDOTacDOTuk a message, just to keep everything above board.

    Me, I'd say screw it, trademark law's a crock and the thing's probably gone public domain anyway by now. But the information can't make you poorer.

    this free business advice brought to you by

  • I just changed the password for my own personal domain, but that got me thinking and I tried to guess the login/password for the domains of my customers.

    Nearly every single one of them has ended in the digits 57. Within a few minutes of picking common names and numbers around 57, I was able to log in to dozens of accounts. It was hard to resist the temptation to commandeer account gates57 =)

  • Well, I haven't even gotten the spam yet and the d**n account has been created for me! I logged in with the username "lastnamehandle" & password as described above and there was the mail interface! So go check and immediately change the password. And then never, ever go back again.

    Looks like I'll be checking out those alternative registrars quickly.
  • I don't think we're overreacting. I think it's disturbing when someone so big does something so stupid. Think about how much we rely on this company for our day-to-day services, and how tough their security should be. They should have extremely stringent standards.

    Someone assigned every single account the same password, in essence. This violates so many common sense rules that it's amazing: easy-to-guess user names, standard passwords, passwords sent out in regular e-mail, no authentication process, yadda yadda yadda. I mean, I just logged on and snagged three major commercial sites, just to see if I could do it. I'm batting .666 so far .

    If I did something that stupid and assigned all my local office users with easy-to-guess passwords, it would be no big deal, because I'm small potatoes. But when a giant like NSI does it, it's insulting to all of us. None of us would make that mistake, and it's fair to say that most of us probably aren't getting paid whatever the NSI schmuck was.
  • Well because it is NSI's e-mail service and the account is your nic-handle, it looks more official than just another e-mail service.

    And second, (I don't know how it is in the states these days) but a bank sending unwanted credit cards causes quite an outrage here in the Netherlands.

    A big organization tried this with its members, trying to force the terms of the credit card company (with regards to abuse, etc.) on their members, and because of the outrage they had to change it such that those terms would only go into effect after the first authorized use of the credit card.

    So yes, I agree with your c), it's just as bad as sending an unwanted credit card, and I think that's pretty bad.

  • Can't believe this. 'webmaster' is wide open as well. There's e-mail from 'clinton', 'elvis' and a few others.

    I changed the password. I'll mail it to postmaster@netsol.com later on. Jeez....
  • I also received the spam thismorning, and the part that really hacked me off (I was unaware until now of the security implication of the email account) is the end of it:

    If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line. PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.

    So by opting out of their spam, you are opting out of ANY communication from them at all regarding your domain(s).

    To paraphrase The Who, "Who the fuck are they????????

    Bite My Ziff, Davis!

    "Cyberspace scared me so bad I downloaded in my pants." --- Buddy Jellison

  • by Zigg ( 64962 ) on Wednesday September 15, 1999 @11:30PM (#1679149)

    This is absolutely crazy, and I want it to be the last straw. I have been screwed over by NSI both personally and professionally now:

    1. I wanted to change the registrant name on zigg.com, which I registered years ago with a short-lived business of mine, to my own personal name, so I could dissolve the business. However, despite the fact that I sent them proof from the county that the business and myself were identical legal entities, they insisted that the change was a "domain transfer" and I'd have to reregister.
    2. For two weeks now I have spoken and e-mailed at least ten different people on another issue. I recently came in to work at a startup ISP. The domains were registered through their "Registration Plus" or "WorldNIC" or whatever the hell they wanted to call it -- and the host record handles have periods in them! None of the NSI forms will accept these bogus host handles, and nobody who I can get access to -- not even after the front-line drones got so confused by what I was patiently trying to explain to them that they gave me the supposed "priority" e-mail address (priority@networksolutions.com [mailto], for those who are interested; but it still takes days to answer) -- understands the problem. I think I'm going to have to settle for registering the hosts under new IPs.

    All in all, NSI has screwed me over again and again, and their callous disregard for professionals that need to get their jobs done by not even allowing me access to engineers (after repeated requests) to repair the aforementioned host handle problem is a load of bullshit.

    Now, to the thrust of this posting -- where can I find these so-called alternative registrars? Are they yet capable of freeing me from the shackles of NSI -- to the point of never having to email anyone at networksolutions.com again -- and still keep my .com, .org, and .net's?

    I sincerely hope that if they are not here now, that they arrive very soon. I have a lot of new business for them.

  • By accident I have managed to find a way to prevent this webmail problem. If you set up your DNS so that that you have a server named like mail.domainname.tld the webmail thing does not work.

    When I tried to access my dot.com webmail (what a dorky name), I was told to go to mail.domainname.tld, which redirected me to my mailserver since I already register that machine name in my DNS settings.


  • by Anonymous Coward
    So far, I've only been able to get into 2 domains using the admin's last name and admin's last name & nsi. I haven't found any domains or any of my domains where I could use admin last name & handle number.
  • Passwords are extremely guessable as they are limited in length as well with extra characters being ignored.
  • This reminds me of when the New York-based phone company Nynex (now Bell Atlantic) sent out a mass mailing to /all/ their subscribers containing a phone card and the matching pin #. Needless to say, many cards fell into the wrong hands, and all hell broke loose...

    And people worry about electronic privacy. They should be more worried about gross ineptitude.
  • Okay,

    The link in the email is either /.'ed, they took it down, or it's another example of NSI icompetency. ( I suspect a combo of the first and last. :P )

    My username/password was not related to any of my NIC handles in any way. The password was the combo of 'username+nsi' which is truly awful as already noted here.

    You can go to http://mail.dotcomnow.com [dotcomnow.com] to access your account, so they definitely *haven't* taken the site down.

    I logged in, changed my password, set up the vacation message, and sent mail to NSI expressing my displeasure at this rather silly attempt to gain yet more business from me ( it ain't gonna happen. )

    So now, when they reply to my emails, they'll get my autoreply vacation message.

    Hrm... wonder if there are any autoresponders at NSI that I could mail from my wonderful new account... ( heh )
  • Okay, I'm confused. I wasn't offered a new webmail address in my own domain. I was offered some idiotic "whatever@dotcomnow.com" address.

    If they had tried to pull something on redirecting mail on my domain at all, you can bet I would be down to Herndon (they are in Herndon, aren't they?) as fast as I could with an aluminum bat demanding to see the person who made that decision.
  • Take a look at this little tidbit at the bottom of their email:

    If you do not wish to receive e-mail from Network Solutions, click on this e-mail address and type "remove" in the subject line.
    PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.

    As I read this, it means that if I choose not to get their spam, then they will not email me anything at all! Like "Your domain is being shut down". Now maybe that isn't really what they mean -- but if not they are deliberately making it sound like that's what they mean.

    I really, really, really resent this. Guys -- it is clear that Network Solutions and the domain name system in general is completely, totally out of control. I have been waiting 5 years for some reasonable new TLD's. Waiting, with no luck. All because of network solutions. I want these jerks out of business, and I think I know how.

    I think it's time to start our own DNS, a la alternic. If we could get participation from slashdot participants, we would probably cover 50% of the net. If we really agressively pushed it, we could probably get 90% coverage.

    *sigh* It would probably never work, but internic makes me mad.

  • Re: the NSI web-base email password fiasco

    Now, I can't even get online! The server must be down or just bogged by people trying to break in to the server. What a load of crud...

  • I just noticed that the email I got came from netsol1@INTEGRAM.ORG, which whois's to:

    2730 Prosperity Ave.
    FAIRFAX, VA 22031

    They don't seem to have much in common with NSI. their web address seems to be an empty directory (has the apache feel to it though).

    So, what gives with this?
  • > Spam, Spam, Spam, Spamitty-Spam:

    Just use the account to spam Network Solutions, and maybe they'll revoke your account!

  • ...with Lily Tomlin as a spokeswoman for the phone company:

    "We'll sell your personal information if we feel like it. We'll privitize public information. We'll set up an e-mail account for you, without even asking, and make the password obvious. If you complain, we won't care. We don't have to. We're NSI."

    Scary thing is, back then it was comedy. Now, it's the truth.
  • You've got my vote and support -- I'll be your first customer, or employee if you need me. (-:
  • I just got the mail from NSI. There is no mention of a free Email account, and in fact there is no section 3.
  • My UK-based employer has now grabbed its free mailbox, so non USAians had better look out too.

    Thanks, Slashdot. This has given me the chance to look good in front of some pretty senior people here.


  • Am I the only one that thinks emailing out unsolicited passwords in plain text is a bad idea in the first place?

    Man! Is this one of my biggest pet peeves! I can kinda understand it for a service that generates a password for me-- I need to log in real quick and change it. It's basically a one time password.

    But when I sign up, and PROVIDE a password, and STILL the service sends me an insecure e-mail with the password I JUST PICKED, it really pisses me off!

    Even worse, there was a site (I forget which one now) that I hadn't visited in awhile. So, I get spam from them saying, "Hi we haven't seen you around in awhile, in case you forgot, here's your username and password!"


  • no good- i got spam'd and i DID use an alternate registry. i don't think this would effect my domain however....
  • by Bud^- ( 70689 )
    Man, that would really suck for the person that admins > 100 domains, oh wait that is me ... sigh.

    Oh well, it's not like I have nothing to do anyways, I'm glad internic created me this account, it is a true service on there part.

    Now I can access my email from home, work and on the road ... oh wait I already do that via telnet->elm.

    What ever happened to the key concept in CS 101?
    KISS - Keep It Simple Stupid.
  • Perhaps NSI and MS are working together on this one, and the "dot com mail" or whatever the hell it's called is based on the (cough) ultra-secure Hotmail code [slashdot.org].

    This really sucks and I'm not renewing my domains with NSI ever again - when they expire I'll register with someone else and I'll lobby to have them put on the MAPS RBL if they spam me again [slashdot.org].

    These f*ckers have screwed up before but this really takes the cake. I swear to God they've got to be working with MS on this!

  • Most folks use the same password everywhere. Just think... if you were, you'd have passwords to hundreds of thousands of root accounts, etc.

    I would hope no slashdotters would be foolish enough to do that.

    I've changed the password for "my" account and for those of the Fortune 100 company I work for to such things as "idiots.nsi", "nsi-criminals", etc.

    (I also got into "amazon", "bn", and "msn", but don't want to be seen as trying to "take" those accounts... they're available right now if anyone wants them!)

  • So, if NSI is so freakin' useless, and I hear a lot of people say that they are, then why do they hold a monopoly on dealing out domain names?

    They ignore their own spamming and nearly get blacklisted.

    They make a security blunder and 10-year old with a couple of computer classes in school wouldn't make.

    Why can't I go somewhere else for my service? This might be a naive question, but somebody humour me and explain this, please.

  • "The phrase "Core Competency" is a [tm] trademark of Gary Hamel, a management science professor at the London Business School. He's a cool enough guy (I know him), and doesn't usually get heavy over the fact"

    Good luck. I have seen that phrase used at least 10,000 times over the last six years [yes, I was on the dark side in an MBA program], in widely distributed business journals and mass market publications, without attribution or a trademark reference. IANAL, but I think he would have a hard time bringing a case against anyone based on the widespread public use of the phrase.

  • Yeah, I managed to log in using my last name as well and changed the password. I clicked on profiles (or whatever it's called, I forgot already) and found out that it wasn't me, but someone else with the same last name.

    Note, for last names that are consecutively numbering them. So the first the accounts are set up like this:

    user: smith
    pass: smithnsi
    user: smith1
    pass: smith1nsi
    user: smith2
    pass: smith2nsi
    user: smith3
    pass: smith3nsi
    user: smith4
    pass: smith4nsi

    Needless to say I don't consider that a good security measure either. And no, I'm not telling you what mine is numbered...

  • It's bullshit like this why I'm glad all my domains are Christmas Island [nic.cx]. Not only do I get better and cheaper service than NSI domain holders, but they have very strict privacy policies, you can even opt out of being visible in the whois database, and in the case of trademark contention they'll only act based on a court order, end of story. And they're hosted by a British company, too, so I don't think even an American court order would suffice - it'd have to be tried in the British courts. Maybe that's not as good a thing though. :)

    .cx domains rule. They're relatively uncommon and not even close to saturated, you get an insanely long "free" period to play with a domain (and technically it'd be possible to never have to pay for a domain, though that's quite dishonest), and if you want uniqueness, no better way than that. "Dot cx? That's weird man... must be some cool thing!"

    Oh, and they only have authenticated web-based access for modification. I don't think they use https, though, but then again, email-based NSI updates aren't exactly secure either.

    This just settles it for me. I'm never going to trust NSI with any domainnames.
    "'Is not a quine' is not a quine" is a quine.

  • The phrase "Core Competency" is a [tm] trademark of Gary Hamel, a management science professor at the London Business School.

    Did he come up with the concept that I named my paper after? Hurm, after I clean it up a bit(some significant alterations are in order after that rather interesting session I had at LWCE), I may toss the paper over to him for evaluation.

    The term is reasonably public domain(hell, I've heard of it), but if he's the inventor of the field of thinking, it would behoove me to understand a bit more of what his theories are.

    (For those who are wondering WTF all this is about--Core Competencies [doxpara.com] is an essay regarding the economics of Open Source. I brought it up when discussing the diseconomic meanderings of everybody's favorite registrar.)

    Yours Truly,

    Dan Kaminsky
    DoxPara Research

    Once you pull the pin, Mr. Grenade is no longer your friend.
  • Could someone post directions on how to change to a different name registrar for the domains I am already using? I know how to register new domains with the alternatives, but I want to switch my accounts over.

  • On the one hand, anybody with a domain can set up bogus email accounts: "microsoft@foo.com", "bill_clinton@foo.com". If we worry about people using our personal and organizational names for email addresses, we have a lot to worry about. Too much, in fact.

    OTOH, this is a problem because "dotcomnow" is NSI, and NSI has a reputation for trust. Thus, there's a world of difference between "microsoft@foo.com" and "microsoft@dotcomnow.com".

    Just some thoughts for figuring out how nasty this security breach is.

  • I can send mail to people that's obscene, insulting, misleading - whatever - under the name 'slashdot@hotmail.com' right now and I always will be able to. Sendmail has no authentication to determine if the from address you're telling it is really who you are (duh). Instead of slashdot@hotmail.com, I could send two million e-mails marked "From: clinton@whitehouse.gov". And guess what? Those same one percent who you mentioned will be the people who actually believe it.

    Bottom line, the ability to recieve mail under a domain, in all but a few exceptions, is not the be-all end-all of security breaches. The only people who would be fooled by this aren't going to take the time to reply back; they're going to take it at face value.

    Hotmail was a security breach. This is stupidity, but on a far more minute level.
  • by strredwolf ( 532 ) on Thursday September 16, 1999 @12:33AM (#1679192) Homepage Journal
    NSI is screwed up big time with this deal, and the Internet community, especially those who deal with net-abuse of this type and magnitude, does not like such a bad neighbor. Forward with full headers and apropriate password removed to MAPS RBL (http://www.mail-abuse.org) and post it to news:news.admin.net-abuse.email with the subject of NSI SPAM. Also document every phone call you've made to remove the free e-mail account and pass that along too. It's time we nip NSI in the bud about this.

    Spammed? Click here [sputum.com] for free slack on how to fight it!
  • where can I find these so-called alternative registrars?

    (not a joke)
  • (Sorry all for the public post. I don't have JSM2's private email.)

    I attempted to email Gary, but the message was returned. Could you verify his address and contact me? I'd like to contact him, per your suggestion.

    I checked google--yeah, this guy very likely would be interested in the software impacts of much of his economic theories. Particularly with the business model evolution I need to work on involving the future of software development--his input would definitely be appreciated.


    Yours Truly,

    Dan Kaminsky
    DoxPara Research

    Once you pull the pin, Mr. Grenade is no longer your friend.
  • by .@. ( 21735 ) on Thursday September 16, 1999 @01:08AM (#1679213) Homepage
    I have been waiting 5 years for some reasonable new TLD's. Waiting, with no luck. All because of network solutions.

    Err...not true. The main reason no new gTLDs have been rolled out is that the Intellectual Property (IP) and Trademark (TM) interests are scared of cybersquatting, and refuse to pay what it would cost to police these new gTLDs for possible infringement. This is troublesome, because IP and TM law require the famous mark holder to bear the cost of protecting their marks. They want to shift that cost to the registry and/or registrar, who will of course pass it on to the domain name owner.

    They keep asking for things like unilateral, full, standardized, searchable access to all registrant data, enforced verifiable contact info, heavily restrictive and punitive Dispute Resolution Policies, etc.

    NetSol may suck, but in this instance, it's not NetSol that's creating the vacuum. It's the people who own famous names and marks, who keep pushing for more than anyone is willing to give. Net result: No new gTLDs.

    If you're concerned, stop whining and get involved. The ICANN Domain Name Service Organization [dnso.org] is acting on these very issues right now.

    The Individual Domain Name Owners' Association [idno.org] is fighting to ensure things like equity in dispute resolution and protection of your personal information are present in the future worldwide DNS system.

  • Hmm, am I the only one who finds the domain name "netSOL.com" oddly appropriate?
  • I think this provides enough material for a domain owners' class-action lawsuit. This would fall under criminal negligence, putting literally billions of dollars' worth of assets at risk. Another might be misappropriation of property -- arguably use of an entity's registration info, like use of their phone number, belongs to that entity, and NSI's legal blather at the top of WHOIS queries could be seen as an illegal effort to restrict an entity's use of their own property.

    Anybody want to start a mailing list? If we can get about 1,000 subscribers I think we might have something here.

  • well i guess that would work

    Time to clean the mountain dew of my damn monitor now.
  • It's my understanding that they do hold a monopoly. When the "new" companies are able to register new domain names, they pass the information to Network Solutions who will still be in "control" of the root name servers and maintaining them, right? I personally believe that this qualifies as a monopoly.

    Why doesn't our (USA) government take the monopoly away and assign it to another company? Can't be all that hard to transfer control of a bunch of root domain servers over to another company, can it?
  • maybe with this someoen will finally force-rename Network Solutions to Network Problems.
  • by jamiemccarthy ( 4847 ) on Thursday September 16, 1999 @03:52AM (#1679251) Homepage Journal
    The official list is at http://www.icann.org/registrar s/accredited-list.html [icann.org].

    Register.com [register.com] was the first. Joker.com [joker.com] is currently the cheapest (it's based in Germany but its English webpages are passable).

    Jamie McCarthy

  • by Anonymous Coward
    I think the big danger is that 2 weeks from now a few thousand people who don't read Slashdot and who never think about password security will be out there using their spiffy new mail account that NSI was nice enough to sign them up for, and they won't change the password. Someone will notice their address in a newsgroup, on a mailing list or web page, and say "hey I'd like to read all their mail, and they have that handy dotcommail address so I know their password!". So yeah, I think the article stated the real danger wrong, stealing a brand new account isn't so hot, but stealing one in afew weeks when mail is coming in, that's a real problem.
  • But it is completely understandable, since they can't seem to get around to mailing their bills. I asked to be billed by mail and had to pay on the website the day before the bill was due. I never got a bill by mail. I got a receipt for my payment within a week, though. With 30 days to get a bill to me, you think someone might have actually sent a bill before the due date. Several domains that were registered with my last place of employment were cancelled due to lack of payment. The bills were never received.

    Forcing online billing is their way of saying that they can't do their own accounting.
  • by jlb ( 78725 ) on Thursday September 16, 1999 @05:12AM (#1679260) Homepage
    am i the only person here who does not necessarily believe this really is from internic? I mean, none of the email addresses are even internic hostnames, none of the recieved headers look like they're from internic. Since this is such publically available information, anyone could really pose as internic and mail you. Maybe I'm being naive but I don't think internic is this stupid. It's hard to believe that someone would be that stupid to try to pose as internic to get users for their free email, but I think it makes more sense that way. Here's the headers from my mail: Received: from maild.inte-net.com ([]) by bilbo.w-link.net (8.9.0/8.8.5) with ESMTP id CAA05359 for ; Thu, 16 Sep 1999 02:04:59 -0700 (PDT)
  • Caveat: I haven't tried this, but I'm initiating proceedings as I type....

    Apparently, register.com lets you transfer the registration of your domain from NSI to them. Check out this page [register.com]. It seems to require a fax or snail-mail, but at this point, I don't really care how clumsy it is.
  • Look here [yahoo.com] or here [uninett.no] for all sorts of other domain registrars. Screw NSI-- enough is enough. There are literally hundreds of other top-level-domains. Find one that's better, and use it.

    We all take pink lemonade for granted.
  • Your friendly bank does not send you an unsolicited credit card because the courts (at least in the US) have held the contract is unenforcable. One concern was that credit cards could be stolen from the mail without the person's knowledge, and if the card was unexpected and from an unknown company the consumer/victim would have absolutely no clue there was a problem. A second concern was that many people would not be familiar with credit cards (in the 60's, as I recall) and they could incur substantial liabilities without realizing it.

    They can, and do, send you "preapproval" letters that only require you to confirm some information and sign it. Someone can still steal these letters and forge you signature, but theft and forgery are already crimes.

    It is legal for a company to issue you a replacement card without prior notice, but it runs the risk of pissing off customers. A bank manager quietly told me that a full third of the customers, including myself, closed our accounts after our bank was bought out and the new bank decided to issue "debit cards" (pre loss caps) to replace "atm cards" without prior notice or consent. It was rude, crude, and socially unacceptable, but legal.

    Back to the "generous" NetSol offer, I am outraged. And not just because they keep making me these wonderful offers yet are incapable of changing my contact informaton despite repeated requests.

    The currency on much of the net today is reputation, and NetSol's indifferent disregard to the consequences of its actions is as shocking to our sensibilities as the 60's banks disregard to the consequences of it's far-too-open credit card policy was to their peers. Of course nobody should automatically assume that the NetSol accounts are actually controlled by the person whose name appears on them, but a lot of people will. Unlike most (all?) other free mail sites, NetSol accounts can be tied to real names, real addresses and real phone numbers. So they have *far* more intrinsic credibility than "HotMail" or "GeoCities."

Syntactic sugar causes cancer of the semicolon. -- Epigrams in Programming, ACM SIGPLAN Sept. 1982