devolution stolen domains thread

[Brujah]

who/what are you talking about nameinvestor ?

 

Police arrest. They need tips. Tips come from forums.

Just as TV shows expose crime suspects so too this forum helps provide tips.

 

Brujah, please email me.

 

[Brujah]

I can see both sides of the argument. The information can be helpful to some, but also harmful to many at the same time. Lets be honest, there are a lot of people here and there's bound to be some unscrupulous ones who are looking for information they can use to their advantage. Maybe not even someone thats registered, but a lurker just gathering info.

Either way though, I think safesys did the right thing by temporarily moving it for Dan to make a decision on.

 

[DnPowerful]

Tough call, and I respect your dilemma.

About a year ago, after this loophole being open for perhaps two years, someone posted "How to steal a domain" on their website, and it got massive attention. It concerned those who use only their admin email as security for NSI domains. Prior to this, Verisign kept this seriously easy method of theft to themselves, as much for their own political reasons as for reasons of security.

The result? Verisign was pressured into a big campaign telling people to upgrade to at least Crypt-PW protection, which many surely did.

I'm not sure a post on dnForum will suddenly inspire dozens of new formerly honest people to start stealing domains. Surely those with ill intentions are well into the scams at this point (A search on Google reveals the scams in plain sight). But I do know that plenty of outrage will force registrars to fill loopholes.

 

Freedom of speech and free exchange among domain professionals, or a daycare firewall?

What was decided?........

Miles

 

Out of interest, how do you come to the conclusion that only "domain professionals" would have access to a domain theft guide posted on a public board?

 

[David G]

Originally posted by Namethink I disagree. If you're going to give advice, you have to explain why your advice should be taken. A vague "because" may be fine with children (and even with kids, I think it's good practice to be forthright), but with adults, details are needed.

When police report on a particular kind of new crime taking place, they give the details, so as to inform the public of what's going on and why they should taken certain steps to avoid them.

As for safesys's concern, let me ask you this: what if the exact information contained in devolution's post had been in an article at theregister.co.uk, and someone posted a link to it at DNF. Would you remove the link? Miles

I also agree 100% with Miles. Forum moderation is a great idea and a reason dnforum is so much better than Afternic, as long as it does not go to extremes.

However, if this is public information and readily available elsewhere removing may be little more than uncalled for censorship.

With this information perhaps it will help members take steps to avoid theft, such as domain locking, etc. However, I was unable to read the article to know for sure what extra security can be used as it was censored.

One reason we participate here is to gain knowledge but that access is now blocked.

 

[mole]

Hijackers: Like Kids in a Candy Store.

How can the hijackers do this? They can do it because changing ownership of a domain name is very simple. To illustrate their scheme, let's first look at what it takes to establish ownership of a domain name.

To register a name , you give a domain registrar your credit card number and contact information, such as your name, physical address, e-mail address, and telephone number. Then you invent a password for your domain name account. From then on, you can gain access to your account and change your contact information by logging on to the registrar's site using the password.

But under Network Solutions' commonly used "MAIL-FROM" security setting for domain accounts, name holders can also request changes to their account by sending Network Solutions an e-mail message.

It's this latter option that the cyberthieves are easily exploiting. To steal your name, they simply look up your contact information on BetterWhois.com, a public database that allows anybody to find out who owns a domain name. Then they fake your identity by using your e-mail address with the MAIL-FROM designation.

The crooks send an e-mail message, instructing the registrar to change the contact and server information on the account to whatever new contact and server they specify. With the MAIL-FROM security level, it doesn't matter what the routing information is on this e-mail, as long as the message has your e-mail address in the "From" field. That's how the thieves were able to easily impersonate Warren Sly, director of DomainCaddy and owner of trades.com, and steal his domain name.

Outraged victim domain owners then receive a message from Network Solutions about 30 days after the thieves fake their e-mail addresses, notifying them of the "successful completion of the administrative changes" they didn't even request.

http://www.workz.com/cgi-bin/gt/tpl_page.html,template=1&content=1108&nav1=1&

 

[DnPowerful]

One day the world will wake up and realize that NSI/Verisign got away with bloody murder, hoodwinking investors, domain owners, ICANN and the US Congress into creating the second biggest monopoly in the most "free" capitalist society on earth.

The fact that they've been able to wriggle out of any lawsuits around stolen domains FOR YEARS just points my assertion in high relief.

When America creates and feeds a monopoloy, it's as powerful as any third world dictatorship, with all the techniques of a corrupted thugocracy. While the DOJ was going after Bill Gates, NSI was building a cash machine and screwing domain owners in the process, with complete public ascent.

Sigh...

 

Originally posted by safesys
Out of interest, how do you come to the conclusion that only "domain professionals" would have access to a domain theft guide posted on a public board?

You missed the DNF member study mentioned in last week's Economist?

C'mon. You know I meant that this board, while accessible to everyone (like all public boards), is used mostly by domain professionals and enthusiats. I use "professional" loosely here, to indicate those who follow the domain industry closely, and have financial interests in domain names.

As I said before, if a post isn't unacceptably rude/vulgar/insulting. doesn't put the DNF owner or moderators at legal risk, and doesn't present confidential information, it shouldn't be banned.

I find your earlier post on this matter somewhat revealling...you find the "tone" of the post in question even more of a problem than the content. What's up with that???

And by the way, how about my question: has Dan and the mods made a decision yet about the post?

Miles

 

Dan was of the same opinion that the thread should go.

Regarding "tone", Brujah encapsulated the point i was trying to make better than I did.

Theres a big difference between telling someone how to avoid a crime being committed against them and telling them how to perpetrate a crime. As long as the net result is people are aware of the crime and how to prevent it, why help create more criminals?

 

[David G]

Originally posted by safesys Dan was of the same opinion that the thread should go. Regarding "tone", Brujah encapsulated the point i was trying to make better than I did. Theres a big difference between telling someone how to avoid a crime being committed against them and telling them how to perpetrate a crime. As long as the net result is people are aware of the crime and how to prevent it, why help create more criminals?

Again, I must disagree with you Safesys. One reason many of us are here is to gain knowledge. From what I understand the post (which I have not seen) would help us learn how domains are stolen and thus take steps to protect our names.

How can we learn how to safeguard domains if we do not know how they are stolen by dishonest persons in the first place. Removing access to that valuable information is a disservice to the members here, espcially since 'how it was said' was a major factor in your decision to delete, from what I understand.

Using 'how it was said or the tone' as a criteria is not a good reason as it is far too subjective. Plus, it may have been said as a way to exagerate and emphasize the issue to help its impact so we realize the seriousness, not to glorify it.

P.S. It's far from surprising Dan would support your decision as it's highly unlikely an owner would go against a Moderators action ALREADY taken. It would appear his non-action does not verify that he fully supports your decision. Can you imagine how he would be criticized if he reversed what you did and someone then had their domain stolen? They would then blame Dan for it. If I was an owner I would likely not reverse what you had already done too due to the possible ramifications.

 

Originally posted by safesys
Dan was of the same opinion that the thread should go.

Regarding "tone", Brujah encapsulated the point i was trying to make better than I did.

Theres a big difference between telling someone how to avoid a crime being committed against them and telling them how to perpetrate a crime. As long as the net result is people are aware of the crime and how to prevent it, why help create more criminals?

This is a shame...I think freedom of speech and need of domainers to be able to freely share information outweighs the concerns you've made. I'd like to think DNF is a place where all aspects of the domain industry can be discussed. I guess that's not the case.

As for your objections to the way in which the post in question was articulated...I'd hate to have to second-guess myself on my posts to make sure the tone and style are not overly suggestive. That's a little too Orwellian for me.

As for the difference between warning about the crime and giving instructions as to how to commit the crime, I think you can't do the former without giving some of the latter. Otherwise the warnings are meaningless...if you tell people they need to do something, you have to explain why, and not expect them to take your warnings on faith. That sort of thing is for children, not adults.

I object to the decision to not post the information given by devolution regarding his discovery of a way to fraudulently take over domain names with certain types of invalid email addresses. This information was timely and important, and was, I am convinced, made in the spirit of what DNF is all about: domainers freely and clearly sharing information with other domainers.

Miles

 

[mole]

Hey, I missed some valuable postings here! Anyone have any links?

 

Can you imagine how he would be criticized if he reversed what you did and someone then had their domain stolen? They would then blame Dan for it. If I was an owner I would likely not reverse what you had already done too due to the possible ramifications.

The same holds true for inaction with the original post if you're talking ramifications.

The net "learning" from the original post was simply to make sure your admin contact email address was current and live. The extra detail fell into explaing how to use inaccurate email addresses to steal premium domains - that part is surely of no relevance to legitimate domainers.

 

Originally posted by safesys
The extra detail fell into explaing how to use inaccurate email addresses to steal premium domains - that part is surely of no relevance to legitimate domainers.

Who are you--or Dan, for that matter--to decide that?

This is what concerns me about this whole thing. I think a very bad precedent is being set here for DNF.

Censorship is often done with good intentions.

All the calls the DNF team have made so far have been, in my opinion good ones...calls that benefited the board and helped maintain the calm, professional environment we enjoy here today.

What you have done in this case is completely different: witholding information--that is not confidential, the only legitmate reason for censorship in this sort of situation--from the other domainers that use this board, and perhaps rely on it as a source of information.

Miles

P.S. This is an important enough issue that Dan himself should post his thinking on it.

 

What kind of domainer would "rely" on a thread explaing how to *use* inaccurate email addresses to steal premium domains?

 

[David G]

Originally posted by safesys The same holds true for inaction with the original post if you're talking ramifications.

Sorry safesys, I don't believe your assertion is correct. There is a big difference between the Moderators or Owner simply letting a posting stay online vs deleting it and then reversing themselves and reinstating it.

By reinstating a post after its deletion and a major controversy has already taken place it more or less condones or blesses the publication of the information in the old post, at least indirectly.

However, by a member making a post it in no way condones or approves the post in any way by the forum moderators, who are not legally obligated to read and approve all the posts.

 

[WilliamC]

Originally posted by safesys
What kind of domainer would "rely" on a thread explaing how to *use* inaccurate email addresses to steal premium domains?

The only information contained in the post that was of relevance to honest domainers was that we all need to keep up to date email addresses on our domains. The rest was nothing more than a tutorial on how to steal a domain name. Personally, I feel safesys and dan have done the right thing in avoiding furthering the goals of would be theif's by teaching them step by step how to steal a domain name. If you think only honest domainers read this public board then you may be more naive than you think. This board is open to all to read, and is on quite a few search engines for anyone to stumble across, including would be theives.