Thursday 26 June 2008, 7:35 PM
Caught in the GoDaddy red tape
This is one of those situations that would be funny if I wasn't the one caught up in it.
I blogged on Tuesday that I'm listed on WHOIS as the administrator of a charming site called travel-getaways.com. The problem is that I have absolutely no links to travel-getaways.com at all, and the site is pulling content from a legitimate travel site, to populate travel-getaways.com with content.
Now, looking at the WHOIS entry for travel-getaways.com, it has my name, fake address, and a fake contact email address and number. The owner of the legitimate site -- a ZDNet.co.uk reader -- got in contact with me through the community email, to let me know that a site registered in my name was nicking content off his site.
The domain registrar is GoDaddy.com. I gave them a ring. Ok, I thought, I'll be straight with them -- I told them from the beginning that I am an IT security journalist. I didn't go through their PR, however, as I wanted to get a flavour of the GoDaddy complaints procedure.
So what's my complaint? Someone has used my details, subtly altered, to set up a fake GoDaddy account. While not exactly being identity theft, this is definitely somebody using my name, with my slightly altered work details, to register a dodgy site. Obviously I'm not happy about that.
There's also the small matter of the potential intellectual property infringement by travel-getaways.com against the owner of the legitimate site. I'm not happy about that, either.
I wanted to see how GoDaddy would react, given the nature of my concerns.
I contacted GoDaddy to speak to a person in the GoDaddy support department, who very politely directed me to the office of the president. I emailed my complaint to the office of the president, detailing the situation.
The email I got back contained the line:
"It is the domain registrant's responsibility to review and maintain their WHOIS data."
This made me laugh.
"Ok, fair enough, it's the domain registrant's responsibility to maintain their data, but I AM NOT THE DOMAIN REGISTRANT," I said to the computer, shaking my fists.
The email directed me to log a complaint with GoDaddy Domain services, which I duly did, outlining the situation. I gave them a link to the fraudulent WHOIS lookup, as well as contact details -- my (real) work email and telephone number.
Meanwhile I wrote another letter of complaint, also outlining the situation but in stronger terms, and asking GoDaddy to take my details off its register, and to turn over the payment details for the fake account to law enforcement in the States. I doubt very much whether law enforcement would have the time or resources to do anything, but it's worth asking.
I got an answer back from my original complaint:
Dear Tom Espiner,
Thank you for your email. Please provide evidence to prove your information is being used in the Whois for the domain travel-getaways.com. We can accept a copy of a utility bill showing your name and mailing address or an email from the email address listed. Once we have this documentation from you, we can move forward with your complaint.
Thank you,
GoDaddy.com, Inc.
Domain Services
I must admit, I'm not good with bureaucracy at the best of times, but this email made me both laugh and get angry. For a start, I'd already provided the link to the fake WHOIS entry. It was in the complaint that Domain Services was replying to.
The work address is fake in the fake entry, so providing proof of my real work address wouldn't help at all. Plus, who gets utility bills to their work address, unless they work from home?
The email address listed in the fake WHOIS entry is also, you guessed it, fake. So I couldn't respond from that email address, unless I fiddled around spoofing the sender details, which I doubt would have helped my case much.
Feeling like I was bashing my head against a brick wall, I rang up GoDaddy. In fairness to the company, the person I dealt with first very patiently escalated me to a polite man in the office of the president. GoDaddy is currently looking into the situation. They did keep me on hold for approximately an hour, but to be fair, they were trying to sort the situation out there and then.
So far as I can tell about GoDaddy's complaints procedure, it seems that the people on the other end of the phone are courteous, efficient, and professional, while GoDaddy's processes seem clunky, unhelpful, and bureaucratic to the point of being obtuse.
Monday 23 June 2008, 1:21 PM
Alleged teen hacker could get 38 years
A teenager who has been accused of hacking into his school systems to change his grades could get 38 years in jail if found guilty, the Times reports.
Prosecutors allege that Omar Khan hacked into his school computers in Orange County using his teachers' passwords to alter his grades, changing one from an F to an A. The prosecutors also claim Khan installed spyware to remotely access the computers, and changed the grades of 12 other students.
From the article:
"Mr Khan’s plan, the prosecution argues, was to get a place at one of the colleges within the University of California system. After his application was rejected, he requested copies of his student records, known as “transcripts” in the US educational system, so he could appeal. But when teachers looked at his files and noticed all the A grades that had magically appeared next to all the courses he had taken they realised something was wrong."
Monday 23 June 2008, 12:44 PM
Sites listed under false pretences
I found out that I was the proud owner of a website today. The trouble is, I have never heard of the site, and have absolutely nothing to do with it.
I found out that I am listed by WHOIS as being the administrator of a site called www.travel-getaways.com. The way that I found out is that I was contacted by the owner of another website, asking me to stop pulling content from his site and putting it on www.travel-getaways.com. He had done a WHOIS lookup and had found I was listed as the administrator, so contacted me to very politely ask me to stop nicking his content.
I did a WHOIS lookup, and found I was indeed listed as the administrator, and that the contact address was my work address. I found that the registrar was GoDaddy.com, so rang their support line.
"Could I have your customer number please sir?" said the courteous member of GoDaddy's support staff.
"Well, that's just the problem," I said. "I don't have one."
I was asked to write an email explaining the situation, so am waiting to hear back about the next stage.
Wednesday 18 June 2008, 11:19 AM
Sometimes it's hard to be a blogger
Bloggers are getting a hard time of it at the moment, according to two stories out recently.
Bloggers with a political bent are increasingly being arrested, according to research by the University of Washington. As part of research for the World Information Access Project, academics from the university tracked reports of blogger arrests since 2003. They found that the majority of the 64 bloggers had been arrested in Asia and the Middle East, while there had also been arrests in North America and Europe.
It seems that bloggers are increasingly being targeted by governments anxious to shut them up. In 2006 there were 10 arrests, while in 2007 there were 36.
Meanwhile, bloggers may also be coming under increasing legal strain over alleged copyright infringements. Associated Press is embroiled in a legal dispute with Drudge Retort writer Rogers Cadenhead. According to Cadenhead, AP doesn't think that blogs on the Drudge Retort site constitute "fair use".
Thursday 5 June 2008, 4:12 PM
Data breach law: IT managers say 'No'
Two surveys came out today, both concerning perceptions about a possible UK data breach notification law. Such a law would require companies suffering a data breach to notify all affected parties, especially the general public whose details have been compromised. The interesting thing about the surveys is that they have diametrically opposite results.
One of the surveys, commissioned by security company Clearswift, asked IT managers whether the UK should enact data breach legislation. Overwhelmingly, IT managers said 'No' -- 87 percent of them don’t believe the general public should be informed if a data breach happens. Over half (61 percent) also didn’t think the police should be informed.
The stated reasons were cash, or rather, lack of it, and damage to reputation. When asked about the possible impact of data breach notification legislation, almost half (49 percent) of UK respondents thought their total annual IT spend would increase by at least five percent, and 26 percent of IT managers expected the increase to be at least ten per cent.
Interesting. However, I'm not so sure how far to trust the survey results. The survey polled 398 UK IT managers -- that's fair enough, it's a representative sample. Slightly strange that 60 percent of them didn't know about the proposed UK data breach notification law -- but ok, although we in the tech press have been banging on about it for a while, maybe Clearswift (which did the survey) picked IT managers who don't follow the subject too closely.
However, what was truly bizarre about the survey results was that 51 percent of IT managers were in favour of a data breach notification law. How on earth can you have a law which informs all parties involved in a data loss (51 percent of IT managers in favour), and yet doesn't inform the general public (87 percent of IT managers against informing Joe Public)? The whole point of a data breach notification law is that it's a consumer protection mechanism, designed to incentivise companies to take better care of people's personal details. Weird.
Of the UK organisations polled by Clearswift, 15 per cent had suffered a data loss in the last 12-18 months, and of those, 58 per cent had experienced more than one. The majority of businesses that had lost data had done it more than once. Surely that's a clear argument for a data breach notification law to incentivise businesses to take better care of data?
Meanwhile, another survey, undertaken by Ipsos Mori on behalf of security company Symantec, found that the general public most definitely do want to be informed if an organisation compromises their personal details. 96 percent of the general public would want to be notified if a public or private sector organisation lost personal details about them, the survey found.


