Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

NSI E-mail Vunerability 80

blackwidow sent us the latest in the Web-mail security gaffes. After creating accounts that had easily guessable passwords, it turns out the security for the NSI Webmail accounts is...breachable (Hint - understatement). Ya know, all I wanted was my domains to work - I don't want more then I ask for *sigh*.
This discussion has been archived. No new comments can be posted.

NSI E-mail Vunerability

Comments Filter:
  • You can't. The only thing the new registrars can do is take orders and pass them on to NSI. AFAIK, that was the setup. They STILL control everything in the end. Someone blow up these people. (disclaimer: I am not responsible for the person who actually does this.) ;)
  • Umm, I am dissappointed. Aparrently no one as found the vulnerability I found around a year ago. Its a real vulnerability, not just weak web based email stuff. Lets just say it has to do with mail-from authentication of domain name changes. I am sure someone will figure it out now.

    Where have you been? Domain hijacking exploits using 'mail-from' have been in the news quite a bit lately. Recent well-publicized cases have involved godhatesfags.com [wired.com] and kkk.com [wired.com].

  • This is great...

    whois '*@microsoft.com' (or your fav domain name)


    Use it before NSI "fixes" it...

    --------------------------
    Your Favorite OS Sucks.
    ^D

  • I have some web domains, but I'm unsure on what to do about them. The ones I've been mailed about don't have the classic really easy to guess passwords (+'nsi'), but they're still pretty easy. But according to the latest info, if I go in to try to change anything, then my account is immediately accessible by anybody regardless of the password. Suggestions? Could some kind hacker please figure out a way to take down their email database permanently, to rescue us all?!

    For obvious reasons this is being posted anonymously, but let me tell you about this one time when I was the postmaster for a university. One "genius" faculty member showed some other faculty memebers how to set up an autorespond message to send e-mail back to their students automatically... with the expected results when they sent e-mail to each other. Luckily the same "genius" faculty member fixed the problem of their e-mail inboxes getting filled up with out any "University Computing" assistance at all. (a solution that he was very proud of) He showed his fellow faculty members how to create a filter that auto-deleted any e-mail with an autoresponder message (after it had been auto-responded to of course). I bet you can guess what the results of "that" was... when I finally figured out what was causing the mail slowdown... the main mail server queue had 8,000+ messages "in-flight"

    "A little knowledge is a dangerous thing"
  • ICANN's Registrar Accreditation Agreement [icann.org] effectively requires prepayment (see Section III.I.4). The only .com/.net/.org registrar not (yet) bound by that agreement is Network Solutions.
  • umm, NO!. They have not. Those articles never mentioned anything about the method. They just said that someones domain was taken over, and they didnt know how. There has been no actual reports , especially with details, about mail-from exploiting. There hasnt even been a hacker article. Unless you can provide links of course to someone mentioning mail-from hijacking. And still, I believe it to be a different method then what I know about. The way I am talking about requires no mail relaying, or spoofing of email, no telneting port 25 or anything to do with sending and email until the exploit as already tooken place.
  • OR, remove the entire system and NOT start over. I'm adminning a couple HUNDRED domains, this is great fun.
  • Those articles never mentioned anything about the method.

    Nonsense. From this Wired article [wired.com]:

    Network Solutions verifies changes as legitimate by sending an automated email to the registered owner of the domain.

    The unknown hacktivist managed to subvert that not-so-secure security measure and update the domain name server information to a company called VDirect.

  • If you're interested, here's what the original author has to say to the plagerism of his work (and the editing out of the first half):

    "Hang the Information Highwayman!" [cornell.edu]
    http://www.gsm.cornell.edu/staff/Gene/Highwayman .HTML

  • Yes, very, very sad. Someone at NSI should lose their job. Oh wait, I forgot, they don't really care. They must still be riding the monopoly train. I guess that's why I can still steam right in. I bet they thought they fixed the thing.
    Sorry! Over 2100 accounts are still compromised. Here's a programming hint, hole 1 created hole 2.
    Idiots! So Sad.
  • Whatever you do, don't mail any NSI support accounts associated with the freemail system. They are all compromised. If you haven't used that account yet, you shouldn't worry. What did you say your domain name was? ;)
  • From the looks of the P.S. on that autoreply, I would conclude that this is *not* an official NSI communication -- somebody cracked the webmaster@dotcomnow.com account and put that text in as the autoreply.
    -----
    New E-mail address! If I'm in your address book, please update it.
  • That was the case before, but may not be entirely correct now. I am still looking for more information from ICANN but they seem to be concentrating on the political rather than the technical.

    Nowadays there are alternative registrars [icann.org] that actually seem to take you through the whole process. I gather that NSI is still on the backend but you do not actually become an NSI customer anymore. Unfortunately I haven't had an opportunity to try anybody out yet, I have more important things to do like reading Slashdot (-:

    Maybe we can get someone who works for one of those registrars to clear things up here?

    (P.S. I will... ummm... not be dropping by NSI anytime soon with the explosives that I don't have. :-)

  • by RelliK ( 4466 ) on Monday September 20, 1999 @01:10AM (#1672575)
    news.com has a story [cnet.com] about how NSI and NameSecure handle domain disputes. NSI once again screwed over a small company, Virtual Works, that registered the domain vw.net. They just transfered the domain to Volksvagen and Virtual Works had to spend big bucks in court to get it back.

    On the other hand, NameSecure's policy is exactly opposite to NSI's. They don't transfer the domain until they get the court order.

    That is a reason enough to switch to NameSecure. Not to mention that the totally moronic email screw up is outrageous.

  • by Anonymous Coward
    http://darklife.org/2600/
  • I registered a domain not too long ago, and I was a little suprised that their online method of credit card payment was completely unsecured.

    I registered a domain not too long ago, and I was not surprised to see that their online credit card payment was simply encrypted using shttp.

    Roger.

  • by Anonymous Coward
    err, no - the point is not that someone can create an e-mmail address that looks like you, you can go to yahoo to deja or netsacpeor whatever and if the name is unused there's nothing to stop you. But you usually have to supply a real e-mail address and then a temporary password is mailed to that address and you have to go back and change the password to get in.

    Problem here is that NSI creates e-mail accounts based on your publicly known domain, sets the password to something ridiculously easy to guess, leaving you open to someone going in and assuming your identitiy.

    Now, you might not think that's a big deal, but I can assure you, _we_ take it very seriously because we are running a business here and the quality of service and our good name are all we have. If someone hijacks mycompanyname@dotcomnow.com and starts to use it to send abusive e-mail to our customers, NSI has caused us a situation that we don't need.

    Granted, the possibility that someone would do this, or that they could get mycompanyname@hotmail.com and do the same thing is not the point. We don't pay NSI to cause us headaches (well, they do that anyway in the course of their normal service, but that's besides the point). If they could just focus on providing the service we pay for and not make more work for us, that would be great.

    Josef Pluckarski
    pluckarski@dotcomnow.com
  • Neet, I shot off about 3 emails to my friends from various staff accounts (childish i know, but its neet)... now it just throws out "Still working on creating your mailbox....".

    Heh, hotfixes suck.

    -Mike
  • At approx. 12:45 PM, Monday, September 20, 1999 they closed the front door. It seems that everyone that read the article started using the webmaster@dotcomnow.com account so they regenerated the account. The sign-up system came back online at approx. 1 AM ish, Tuesday, September 21, 1999. Too bad for them that I can still get in. The hint: Hole 1 made Hole2 Nurf said "Eat cheese Bebo Cerveza the equinox and fall begins"
  • Okay, it's official NSI has made it onto my list of 'corrupt organizations'. No flameage, this is not intended as a reflection on their ethics, it's a private designation for companies who have (for one reason or another) corrupted their ability to fairly, efficiently, and appropriately fulfill the functions I contract with them for [and generally must be replaced, like a corrupt file]

    I have several domains coming up for renewal this month, and need reports from the trenches on the level of service, function and compatibility available by registering at Joker.com (CSL GmBH).

    Despite owning domains since '94 (when they were free), the potential for havoc still makes my stomach queasy. [In NSI's defense, it made the process easy enough that I rarely had to delve into the details, and it was fairly reliable.]

    Would some joker.com registrants care to help me out by discussing (the quality of):

    • propagation of registration changes
    • inter-registrar cooperation
    • unforeseen glitches
    • general caveats
    Please post here (for the benefit of the general community) and not to my username. The experiences of domain transferers vs. new registrants would be paticularly welcome!

    In the meantime, I'm going to dust off my once-fluent German and pore through the original docs (In international negotiations, I find that comparing my translations with theirs often highlights points that might have been trouble]

    Much thanks for the help!

  • Special Note: The NSI dotcomnow.com e-mail system vulnerability was discovered with a PalmIII PDA via a CDPD Novatel Plus Wireless modem connection to the internet using the Proxiweb browser..

    Reply to Buddy on 01:17 PM September 20th, 1999 EDT

    Well, you haven't seen it in the media because they are ignoring it. I've been paying way too much attention to this topic and I haven't heard a peep except what the hacker community already knows. This is not because I didn't try..Read On..

    I messaged all the news media starting late Thursday night, Sept 16, 1999 and then into Friday. Tips@wired.com [mailto] was the first place to be e-mailed: no response. Then I mailed local news and got the same. CNN, ABC, CBS, MSNBC, Microsoft (for the H of it), and NSI to name a few, were all mailed: again no response. Slashdot was also messaged sometime on Saturday, but there were 100+ submission pending, so I understand. http://slashdot.org/faq.shtml#Q42 [slashdot.org]

    The following message was sent:
    You may already know this. I know at least one other person has figured it out.
    The new Network Solutions E-mail systems are wide open. There are two ways to break in.
    The first is to know the name of someone with an account with NSI, type
    User: name
    Pass: namensi
    The second is this...
    Here is the entry to the support account.
    http://mail.dotcomnow.com/signup/poll/support?dlan g=default [dotcomnow.com]
    Replace the word support with any valid account and bang, you're in.

    The only response I received was sometime on Monday from http://netsecurity.about.com [about.com]but well after it became public knowledge. .

    As an ethical person, I wanted to give NSI fair warning. They were officially notified on Saturday, September 18, 1999. Since they were changing their production billing system on Saturday I figured that someone would react by verifying the hole and then taking down the system. This did not happen. I also tried calling. Don't try calling them; it's waste of time. 48 hours after notifying NSI, I released the information to various and nefarious sources detailing a 6-step process for guaranteed access. www.2600.com [2600.com] responded within minutes. In fact, they were so fast that they edited and posted the info about 5 minutes after it was sent. Now that's action.

    Here's a copy of the original instructions:
    Here is how to do it..
    Instructions:
    1. Click on Access Free Web Mail from Http://www.networksolutions.com [networksolutions.com]
    2. Click on one of the e-mail address near the bottom of the screen.
    3. Click Click Here
    4. Enter first and last name
    5. Create a valid e-mail account
    6. Wait until the screen says "Your Mailbox has been Created".
    From here you can change the account name in this line
    http://mail.dotcomnow.com/signup/poll/nametochange >?dlang=defaut [dotcomnow.com]
    http://mail.dotcomnow.com/signup/poll/support?dlan g=default [dotcomnow.com] Actual Support Account

    Here's a copy of the original mail I sent to my friends at 12:52 AM Sep. 18, 1999
    Get this!
    I just created an account on the Network Solutions new e-mail server and guess what...
    I discovered a back door! NO SH***ING.....
    Someone didn't do a good programming job here at all.
    Simply type any name where you see the word "support"..
    The link here will take you to their support e-mail
    http://mail.dotcomnow.com/signup/poll/support?dlan g=default [dotcomnow.com]
    If the account exists you will get in
    http://mail.dotcomnow.com/signup/poll/oracle?dlang =default [dotcomnow.com]
    http://mail.dotcomnow.com/signup/poll/microsoft?dl ang=default [dotcomnow.com]
    http://mail.dotcomnow.com/signup/poll/whitehouse?d lang=default [dotcomnow.com]

    Needless to say, We had a lot of fun collecting accounts over the weekend. Slightly on the dark side of ethical? Maybe, but isn't it more unethical to offer a service that you know is flawed and yet do nothing to fix it. More importantly, we collected these accounts to demonstrate that Hole #2 is still open. Yet, where is the news coverage, where is the outrage, and where does NSI get off ignoring this personal privacy breach. If you want to try out Hole #2 for yourself, you can e-mail me for a small list of inconsequential accounts. Hey M$, This method is also being used on Hotmail.

    Message to the people who use Network Solutions freemail:
    You should be scared. I'm nice and I'm trying to save you. I won't do anything, but I will make this information available to anyone (members of congress, the media, NSI, your neighbors) via request.
    What does this mean?
    IT MEANS WE CAN STILL READ YOUR E-MAIL
    Solution: Forward and then delete all of your mail. Don't have any passwords mailed to the account. Don't register any Domain Names using the account. Stop using the NSI mail system until it's really fixed.

    Message to NSI:
    Shut down the server, fix the problem, and be nice. What you are doing is just wrong, very wrong. Get your third-party e-mail vendor to shape up. Or is that third-party thing just your way of shifting the blame? Tell us, who is this vendor and why do they suck so badly?

    Message to the Mainstream News Media ( /. Excluded)
    You Suck! Maybe NSI has some commercial hold on you or maybe you're just stupid. Why so much coverage on the Hotmail gaffs? NSI provided the world with a code free hack; a front door into their system. This was an idiot door far worse (my opinion) than the Hotmail blunder(s). I stumbled upon it with no thinking required. Is this not news? I guess that a mail system that is used by mostly "nerds" (taken from someone's previous post) isn't worth the attention. I understand that an earthquake in Taiwan, Raisa Gorbachev dying, and of course, Hurricane Floyd, are all big issues, but why so little comment in the tech and headline news media. Personally, I wanted to hear Sarah Baskin report it to the world. Oh well, poor me. Maybe some reporter will summarize what I've said here and get the word out that FREE MAIL IS NOT SAFE. Let me say it again...FREE MAIL IS NOT SAFE. I'm just a regular guy, I'm no "hacker". Look how easy it was to open up their system. This should be a wakeup call.

    Well I have to go now. Unlike the folks at NSI, I need to stop playing around and get some real work done.

  • I have over 21oo addresses from Dotcomexpress.com [dotexpress.com]
    Mymailbag.com [mymailbag.com]
    Nsimail.com(the best by far) [nsimail.com],
    and Good old Dotcomnow.com [dotcomnow.com] that are now cashed, i.e. Browser temp folder to simple cut and paste from notepad and I'm in. Some of these people, judging from subject lines, have used these accounts to register domain names. If you fill out and e-mail network solutions with say, Domain Registration Template [networksolutions.com] from the admin or tech contact account what do you think might happen? Nah! No biG dEaL ;)
  • by rde ( 17364 ) on Monday September 20, 1999 @12:08AM (#1672586)
    If you think of MS as a company that adds unwanted features to such an extent that it's too big to properly support, you'll probably be whispering 'deja vu' to yourself right now.
    Competition is opening up, and NSI want to add features so that people'll stay with them. Unfortunately, they're adding these features quickly so as not to miss the boat, little realising that half-assed, bug-ridden pseudo-features are the pretty much guaranteed to drive the masses away in hordes.
  • This is ridiculous. The first rule of web programming is preventing things like this from happening. I mean, this is friggin' retarded.

    Some of these programmers need to go back and take "Security 101" and learn the basics of web programming.

    And the sad thing is, these people get paid at least twice as much as they're worth. Sad.
  • I just tried to access the DotCom mail(tm) for one of the domains we host, and while no account seems to have been created (thank god for small favors), I noticed that pressing the "Go" button on the access page tried to establish a connection to a host named "mail" in my domain. Just to be sure, I tried again with another domain, and sure enought, there it goes trying to connect to a host named "mail" in that domain too !

    Come on ! They can't be that stupid, can they ? What if there really *was* a host named "mail" in the domain ?

    I can't wait for these clowns to have competition.

    Richard.
  • Sooner or later you would hope market economics would catch up with them and people would pay a little more for a better product/service, but then again for some reason the M$'s and Meijer's and AOL's, Budweiser's of the world continue to grow...
  • Can't blame NSI for trying to differentiate itself by providing more services to its customers since competition for domain registration's heating up *cough* register.com *cough* - it's just a matter of execution. In this case, the execution's less than perfect - that's an understatement :-)
  • NSI needs to get back to what they're SUPPOSED to be doing.

    ADMINISTERING DOMAIN NAMES!

    If we want free junk-mail accounts we'll go to the pros for that. That's what S'notmail and Juno and all the other freemail providers are out there doing.

    I think NSI is targetting the wrong segment of the entire internet market to try and compete in. A thoroughly useless gesture at best.


    Chas - The one, the only.
    THANK GOD!!!

  • From their sign up page [networksolutions.com]

    "Network Solutions now offers TWO e-mail services for your communication needs. Both give you the same reliability and security that has become synonymous with Network Solutions."

  • It's really wrong that anyone would give away a free e-mail account without asking someone if they want it, first. There are several reasons something could go wrong. First off, when someone sets up a free account, or any sort of account, and their password is mailed to them, they are ready to receive it right away, and then they can go change it. If someone accidently or intentionally gets a copy of the email sent to you, you've had the chance to change your password so that nobody else can get in. Even if it's a randomly generated password, if you go send out random e-mail saying that you have some free account already set up for you, and you are out of town, someone could still get into it, and start impersonating you and all that rot. I wonder if there could be any sort of lawsuit involved in there? Could lack of security be a liability? Wouldn't that be nice? We could all get hotmail accounts and sue M$.
  • I've got a domain, but like so many of us, our ISP controls it. I recieve the occasional billing notice, but that's about it.

    I haven't recieved any notice about the email acct. offers, and honestly couldn't find a place to log in *anywhere* on nsi's site(s)...

    This makes me worry... I haven't been able to ensure that my domain's password has been changed (not that it would help, now, it seems).

    How do I go about protecting myself in this case?
  • I don't really see people flocking away from M$... I'd like to, but I don't. :-)
  • ...are they the 'Solution' for?
    --
  • What are the legal implications of this? Suppose someone gets access to the free email account(thanks NSI!) and then proceeds to cause some trouble. Are the NSI responsible?

    More than that, why did NSI decide to do this? Like the guy said, they are meant to administer domain names.

  • IMHO this is another example of a company
    doing what dejanews did.

    Rather than improve at doing their original job
    they try and do all sorts of extra stuff which
    is of (at best) zero value to their customers/users.
  • by Anonymous Coward
    I didn't believe it after reading the eMails
    on 2600. But then I tried it and it worked.
    I was able to login as webmaster by just entering a URL.

    That's completely absurd.
    This is like going into battle wearing nothing
    but your underwear and a KICK ME sign.
  • To all of those people who bragged that they registered someone's junk-mail account, the rest of us get to say "Ha-Ha!!". Now _anyone_ can get the junk-mail account for .com...

    MAN what a f*ck-up! They need to remove the entire system and start over.
  • by TheNetman ( 66704 ) on Monday September 20, 1999 @12:31AM (#1672601)
    If you send e-mail to webmaster@dotcomnow.com you get a nice little response that is both entertaining and informative. (although I had no idea who could have put up such a amusing bit of text) *grin*


    If a packet hits a pocket on a socket on a port,
    And the bus is interrupted as a very last resort,
    And the address of the memory makes your floppy disk abort,
    Then the socket packet pocket has an error to report!

    If your cursor finds a menu item followed by a dash,
    And the double-clicking icon puts your window in the trash,
    And your data is corrupted 'cause the index doesn't hash,
    Then your situation's hopeless, and your system's gonna crash!

    If the label on the cable on the table at your house,
    Says the network is connected to the button on your mouse,
    But your packets want to tunnel on another protocol,
    That's repeatedly rejected by the printer down the hall,
    And your screen is all distorted by the side effects of gauss,
    So your icons in the window are as wavy as a souse,

    Then you may as well reboot and go out with a bang,
    'Cause as sure as I'm a poet, the sucker's gonna hang!

    When the copy of your floppy's getting sloppy on the disk,
    And the microcode instructions cause unnecessary risc,
    Then you have to flash your memory and you'll want to ram your rom.
    Quickly turn off the computer and be sure to tell your mom!

    Thank you for writing dotcomnow.

    P.S. As you can probably guess, the security of dotcom
    mail is less than stellar. If NSI had a clue, they
    would probably recommend that you do not utilize the
    dotcom mail service for mission critical or sensitive
    communications.

    Sincerely,
    Anonymous Coward

    -NSI... we put the Duh? in dot.com

  • I looks like they finally took the service down.

    bummer, huh?

  • I have some web domains, but I'm unsure on what to do about them. The ones I've been mailed about don't have the classic really easy to guess passwords (+'nsi'), but they're still pretty easy. But according to the latest info, if I go in to try to change anything, then my account is immediately accessible by anybody regardless of the password. Suggestions? Could some kind hacker please figure out a way to take down their email database permanently, to rescue us all?!
  • service not available messages are now appearing. guess that's the fun over for today..............
  • The difference is the customer base. Most of M$'s customers are PHB's and non-techno people. Registering a domain name requires more than a little bit of a clue, so that people should realise they're being fleeced if the service is poor.
    --
  • by CLorox ( 7 )
    I disagree, you are assuming that dotcomnow.com is a name that means something, it really doesn't. For your statement to hold water it would mean all domain owners use this address.

    Dont get me wrong, NSI is very boneheaded for providing accounts and default passwords based on the domain, but anyone who takes it as a legit contact address for a company needs to think about it a little.

    Think about it this way, not much is out there to stop you from picking username@mydomain.com as your return address. I could always post your email address in my preferences in slashdot or send abusive email with your address as my return address and it would look semi-legit unless you look at the headers.

    This is simply an NSI plan to work on paranoya of the internet community to get what they really want. If everyone logs on and changes their password and even half of those that make the change start using it as an email account, NSI simply gets what they wanted and can now say, 80% of domain owners use this as an email account.

    Dont fall into the trap :P NSI is a sneaky and crooked business, thank god we are starting to get other registrars.

    -Adam
  • Some time after the announcement, NSI finally seem to have got round to doing something about it. Nice work, guys.
  • This whole fiasco sounds like the result of adding marketing executives to something that was simple and good (mostly).

    Ah, Dilbert [dilbert.com].

    --

  • Going to http://mail.dotcomnow.com/signup/poll/webmaster?dl ang=default now results in:

    we are sorry, but this service is not available.


    Ehh, they seem to have woken up.
  • ... As opposed to all those noncommercial companies out there, who act selflessly?
  • Sorry. I don't mean to be offtopic.

    This has been my personal parody since they came out with that slogan. I was sure others had come up with it too, but after reading so many taglines on this theme, I had to put an end to it.

    I'm still interested in seeing better tag lines, I'm sure this isn't the best that can be done. But for those of you just messing aound because you're sure there's a punchline in there somewhere... Thanks for playing. See ya next thread...

  • I registered a domain with Joker just last month (I am the person who posted about them further up the board).

    AFAICT they are excellent. Unfortunatly I am using a bargain-basement ISP to host the domain and their DNS was screwed up. My domain was working four days after I registered it but due to the ISP (not Joker or CORE) there were problems with it resolving on and off for a few weeks.

    During the week or two that I was having these problems with my ISP I contacted NSI (assuming that they had somehow screwed things up). NSI just gave me jive-ass autoresponses at first and finally told me that I should talk to CORE.

    So I sent an e-mail to Joker (my ISP was still denying that it was their problem). Joker responded WITHIN AN HOUR with a commented copy of the file that my ISP needed to fix!

    Although I only have one domain (and have never tried to transfer), I am very impressed with the level of service I have received from Joker.com. On top of this I have gotten no spam to the web mail account I set up as a contact for the domain.

    When a prior employer of mine registered a domain last summer with NSI not only did the contact addresses get bombarded with spam but also postmaster, webmaster and root!
  • by mosch ( 204 ) on Monday September 20, 1999 @12:34AM (#1672614) Homepage
    NSI: if you're going to give us additional features, then

    a) make them optional in an opt-in setup. you'll get fewer immediate signups, but they'll be people who wanted the service.

    b) make them secure. your market is a reasonably technically savvy audiance, and they can spot this stuff a mile away.

    c) make them RELEVENT. The world doesn't need Yet Another Web-mail provider. There's already hotmail, mail.com, etc, etc, etc. not to mention the fact that you targetted people who already administer their own domains. Most of us are happy with our domains.

    d) follow your own rules. If I'm not allowed to use your database for spamming, you certainly aren't allowed to use it to spam either. that's just basic ethics.

    Now if only they'd take this into consideration...
  • Read the second page, paste the right link and you might become webmaster, as far as that pre-cracked mail system is concerned.

    AFAIK these people still own the only complee functional TLD database... single point of failure, anyone?
  • I mean, I guess the funny part is that you can log in as webmaster@whatever.com (dotcom.com or whatever they're calling it). But I think everyone knows by now that mail coming from, say, slashdot@dotcommail.com (or whatever) is not going to be valid.

    This is not to say that I'm not extremely ticked off at NSI. I think they've made a more than serious blunder here. Total stupidity.
  • I registered a domain not too long ago, and I was a little suprised that their online method of credit card payment was completely unsecured. Considering that these bozos apparently have no idea what secure systems are about, I was very disapointed.

    As far as I can remember, they were at the same time, pimping someone else's secure-e-commerce solution. Un-fscking-believable.

    G

  • by Anonymous Coward
    Remember the /. story about joker.com and their $40 domain names? Everybody was very quick to dump on them for their website and their poor english.

    Sure am glad I registered with CORE (through Joker) instead of NSI. My domain was set up almost instantly and my info isn't even in the NSI whois database. Not only do I get NO spam at my contact addresses but I don't have to worry about weather or not some 12 year old kid has taken over my domain!

    All this for $40 less than No Security Inc. charges.
  • Two things:

    (1) Go read the webmaster's mail: http://mail.dotcomnow .com/signup/poll/webmaster?dlang=default [dotcomnow.com] then choose "click here".

    (2) Funny AD I saw during #1: http://imageserv1.imgis. com/images/Ad94426St1Sz1Sq3Id3.gif [imgis.com] to wit, "mail.com...Free Secure, and Private"

  • The funny thing is, I couldn't access my 'free' account previously (I think because someone got to it before me). At least now I can see who's using my name :)

    In a world of stupidity, NSI has managed to flaunt their lack of knowledge better than anyone.

    --Mid
  • by Anonymous Coward
    NSI is still on the back-back-end.

    Basically the way it's now setup is that each registrar maintains their own whois database. So if you go through register.com, the only way to lookup your domain info is by using whois.register.com

    However, there would obviously be problems if someone registered a domain through register.com and through netsol at the same time. So there is a "central registry" at crsnic.net. You can get at it through the web at www.crsnic.net [crsnic.net] or do a whois directly at whois.crsnic.net. Pretty much the central registry just tells you who the registrar for a domain is. And is the definitive source on determining if the domain that you want is available.

    From my understanding NetSol is still in charge of the central registry (well, you can see their logo all over that) as well as two of the root name servers (including the A server which is the big cohonos). I believe that ICANN wants to take control of the central registry and the A server themselves, which NetSol is obviously making a big stink about, and has been the biggest way that they've stalled (or at least significantly slowed) the transfer of power away from them.

    Oh yeah, and NetSol still gets a buck or two for every domain registered through every registrar to pay for the administrative costs of maintaining the central registry. Neat eh? Even if everyone were to boycott NetSol at the same time, they'd still be making money.

  • Your hint helped me to locate the piece. Here is a link to the complete poem including the copyright notice of the original author Gene Ziegler.

    http://www.gsm.cornell.edu/staff/Gene/DrSeuss.HT ML

    Have fun...

    Björn
  • Ok ... here's a question, now that their are alternative domain registrars, how do I leave NSI? Is it possible or do I have to wait for my domain to expire in 2 years, then reregister it with an alternative vendor? My fear is that when I paid my $70, I agreed to a 2 year exclusive contract but what else was I to do, NSI was the only registrar! Is such a contract even enforceable?
  • The following is a copy of the message I had originally posted [slashdot.org]


    ---- ---- ----
    I just got off the phone with InterNIC.. at the 1-888 number..

    Good lord, apparently there is some sort of masss media and conspiratory confusion ..

    the username/passwd combo is NOT to your domain dot com, org or net name.. but for your free web-based email account (InterNIC's implementation of a hotmail.com, USA.net, atdot.org accounts, etc)..

    I can't possibly imagine the amount of calls they have been recieving with people probably yelling and ranting at them..

    Anyway... it actually took about 15 seconds to speak with a person.. no JOKE.. and that was twice.. once to update my WHOIS info, and another time to verify that they recieved my update via FAX..

    Both times the guy on the phone was totally calm and a complete pleasure to talk to..

    These guys seriously rock, I have a total new respect for InterNIC.. I'm usually one to immediately assume things never go accordingly to plan, because if they did, that would be too simple, but seriously.. these guys rock..

    my one quirk is that I wish they made the online forms a little more intuitive, that whole, remail to hostmaster@internic.net, yadda yadda thing sort of defeats the purpose of ONLINE FORMS.. oh well, like I said.. that would be too easy =)

    Anyway, that is all..

  • ...can be found at the bottom of the 2600 page mentioned above. http://www.2600.com/2600new/092099-mai l.html [2600.com] has some of the mail that was sent to webmaster@dotcomnow.com... very humorous stuff there. :)
  • (aside: You know, I haven't seen much about all this in the mainstream media [but maybe I've just been missing it]. This seems really strange to me, because:)

    The first issue (unsolicited free emailaccounts accessible to all) isn't so much a security thing (after all, anyone can create an email pretending to be me from a free email service anyway) as it is a matter of trust.

    NSI continues to show that it's not worthy of that trust. The data that was entrusted to them for technical and administrative purposes, is now a source of income [dotcomdirectory.com] for NSI, who are also denying [networksolutions.com] others the right to do the same.

    The terms of being registered with NSI, which at the time I registered my domains still had the monopoly, have been changing constantly.

    If anyone can recommend a registry that will allow me [slashdot.org] to keep control of my data, please step forward. I want that control back.

    NSI has shown that it's not worthy of our trust. NSI can't be and shouldn't be trusted. Not by the US Department of Commerce [doc.gov], not by ICANN [icann.org], and not by Internet users [isoc.org] in general.
    --

  • As an earlier poster noted, "NSI want to add features so that people'll stay with them."

    However, this is just the opposite of what I want from a service of this type. I'm about to register a domain name for personal use, and I've been perusing the various new options for doing so. Even looking past NSI's security gaffes, their service is instantly unattractive to me. This is because it's obvious that they don't understand the nature of the service they're selling.

    Now that's a bold statement to make, but bear with me. Think of it from a sysadmin's career perspective. The typical sysadmin, when s/he does a perfect job, is completely invisible to the organization. When s/he screws up, everyone knows exactly where to send the blame. It's frequently a thankless job. So what happens? The sysadmin tried to increase the visibility of his or her positive performance by adding bells and whistles to the services which are offered. Frequently this takes the form of a new glitzy intranet page, new proprietary email system, or similar type of thing. Some of these may be well-received, and some (most, imho) may not, but the important thing to recognize is that the motivation for these projects is a lack of recognition for successful previous projects, and not an extension of core responsibilities. Unfortunately, it's just the nature of the job that stellar sysadmins are woefully underappreciated.

    Likewise, NSI fails to regnize that its core business is one which will bring little recognition. If they do a great job, most of humanity won't know that they exist. That's just the nature of the beast. By offering these nifty add-on features such as free web email, they don't change the nature of that beast (their core business), they just open themselves up to a whole new set of criticisms. Any when they screw up, as evidenced by the recent security chasms, it makes them look like floundering amateurs.

    Compare this to another internet-infrastructure-related company, Sun. Sun's recent ad campaign uses the "dot in .com" ditty. It may seem stupid, but I think it underscores that they know their business. They want to draw attention to the core things they do well and build on them. It's a subtle attempt to say "those things you take for granted to be reliable are our responsibility, so you should trust us with your further business." NSI tries to effect the same message by giving out free web-mail. Who do you think knows their business better and comes out ahead in the eyes of the masses? (Nevermind that the latter scheme was so poorly executed.)

    On a personal level, it underscores that NSI's existence was dependent on monopoly control, not business expertise or technical self-awareness. The logical concusion is that I don't think NSI is long for this world, excepting radical changes in their business philosophies and practices. Thus the effect is to drive me away from purchasing their core services even if they had none of these web-mail security problems.
  • Umm, I am dissappointed. Aparrently no one as found the vulnerability I found around a year ago. Its a real vulnerability, not just weak web based email stuff. Lets just say it has to do with mail-from authentication of domain name changes. I am sure someone will figure it out now.
  • Does anyone know of a registrar that is not going to require credit card payment or check pre-payment before reserving a domain?

    I work for a small ISP that offers personal and business users the ability to pay by cash/check/ or card. If a customer wants us to host their dns and point it to any of our servers or ips, we require them to allow us to register or tranfer the domain (so the admin, tech contact, primary, and secondary ips are listed correctly). Internic is now going to start to require credit card payment for registrations, which will totally break our system of charging our hosting fees and letting the registrar bill the customer directly for their reservation fee. We won't be able to list credit cards for our non-card paying customers. We've never had a problem with squating, as we charge our hosting fee (with a startup) in order to register the domains. Internic says they will offer to continue doing business to clients who "qualify" on the current system as long as you register more than 10 a month and fill out an application. We register a lot more than 10 a month, but Internic declined our application because of "insufficient" credit history and wants the company to pay some ridiculous thousands of dollars for the priveledge to keep doing business the same way we have been for 4.5 years! Does anybody know a registrar that will allow us to continue to reserve domains right away, and that will send the billing contacts an invoice for the registration charges?

  • As would be expected, 2600.com is blocked by my local firewall admin as is all of the anonymous proxies that I know of. Anyone have a non-assuming mirror of this article?
  • by dattaway ( 3088 ) on Monday September 20, 1999 @12:54AM (#1672635) Homepage Journal
    IMHO this is another example of a company doing what dejanews did.

    Usually, sending compliments to people for a fine job is great. Dejanews was a different story.

    Once dejanews had a email soliciting comments about their service. As it was a great service, I let them know why it was valuable to me and told them "don't change a thing!"" because it was perfect. A short time later, they did the unthinkable and trashed a fine search interface with bloated crap from hell. So much for my suggestion. I still have that email and the thanks they gave me for the compliments.

    I suspect they were looking for emails of praise and saving them for later as testimonials. Dirty tricks... Why do so many commercial companies wish to screw customers?
  • This has nothing to do with domains you have registered other than the fact that certain people were selected to get thier "secure free webmail". Needless to say I lost all faith in network solutions when I was going to change my domains to password instead of email from and I realized that the form form submitting your password was done non secure and they sent the password plaintext to your email address that you use as contact information. Jesus they are some fucking loosers for sure.
  • This is truly sick. This is the kind of thing that happens when a company gets a monopoly on the market. I don't even own a domain name, and i just logged right in and read the webmaster's e-mail. sick.

    on a funny side note - someone has done some organizing on the mail account - all the "you have been own3d" mail is now in the script kiddies folder. hahhahha.


    ---
  • That Network Solutions is sending this crap to people who don't need it.

    If you are the Administrative, Technical, or zone contact for a domain, I think(Hopefully), you could set up your own e-mail system if you wanted it!

You can tune a piano, but you can't tuna fish. You can tune a filesystem, but you can't tuna fish. -- from the tunefs(8) man page

Working...