
Hundreds of Thousands of Google Apps Domains’ Private WHOIS Leaked - larrys
http://blogs.cisco.com/security/talos/whoisdisclosure
======
jewel
I wonder if it's time to stop requiring address and phone number information
in the WHOIS information. Unless registrars are required to verify it with a
confirmation letter and phone call, there isn't much guarantee that the
information will be accurate anyway.

The Internet isn't the nice place that it used to be, and I literally have
never gotten anything but spam snail mail letters for my domains.

Perhaps we could even drop the email, and suggest that every domain monitor
the abuse@ domain in order to receive DMCA requests, etc. If the abuse account
isn't monitored, DMCA requests can be sent to the owner of the IP address
block, which seems to be a popular approach anyway.

(For those who have never tried it, try doing a WHOIS on an IP address to get
the WHOIS records for several layers of IP block ownership. This is a use case
where contact information makes a lot more sense, as these blocks are going to
be owned by businesses where there'd be no point to guarding privacy.)

~~~
mox1
Unfortunately ICANN (acting on the wishes of Law Enforcement) enacted exactly
the opposite policy in 2013, requiring verification of certain WHOIS
information[1].

[1] [https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en?routing_type=path#whois-accuracy](https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en?routing_type=path#whois-accuracy)

~~~
27182818284
Without newer techs like Namecoin, is it even remotely possible to be
anonymous? Is it even possible with Namecoin?

I pay for Namecheap's hidden DNS stuff so I don't get spammed with offers and
whatnot, but I'm under no illusion that it means my information is _private_,
private.

~~~
dublinben
If your privacy is worth ~$100/year, you can register an anonymous LLC through
a registered agent in a state like Wyoming or Nevada. This would be your legal
point of contact for your domain registrations (and any other business
purposes) and comply with any ICANN requirements. Their business entirely
hinges on strong privacy/anonymity, and is well established within state law.

~~~
ryan-c
Have you done this? I'd be interested in details.

~~~
ChuckMcM
I did not, I went with the generic LLC in Nevada but looked into it. It is
pretty straightforward: you contact one of the registered agents (they
advertise and you can find them at your search engine of choice, "Nevada LLC")
and you pay money and poof, you get an LLC. Your agent is a lawyer acting on
your behalf. Besides state law there is attorney-client privilege to aid in
keeping you secret.

Not surprisingly, when you talk to these folks they will assume you are either
very wealthy or doing something which will make your future LLC "disliked" by
a large number of people. Because I was neither of these things, the
recommendation was to just file the paperwork myself and save some money.

------
kentonv
In an e-mail to eNom's google-clients-specific support address dated 6/18/13,
I informed them that I wished to transfer a domain away from them, and I said:

"PS. The reason I am transferring is because I signed up for whois protection
yet my whois info has not been protected. From what I can find on the
internet, this is a common problem with Google Apps, Google will not respond
to support requests for free domains, and the only way I can fix it is by
taking control myself. :("

Now two years later this problem is "discovered" by someone else and Google is
treating it as a security disclosure? Hey Google, maybe you should have
listened to the people all over your own fucking support forums that have been
complaining about this for years?

~~~
nikcub
This was the same with Superfish. If you look at the Lenovo forums and other
websites (Google search Superfish and set the time to before 2015) you'd find
_tons_ of complaints from users.

In these instances it was only when somebody recognized these issues as being
real security issues and repackaged them that they got the attention they
deserved.

It is a strange reverse problem in the security world - issues only get
treated seriously when they are reported by security people through a formal
vulnerability reporting and disclosure program (or informally via full-
disclosure and other lists/forums).

While Google and other companies take security reports through these formal
channels very seriously, I doubt they have anybody dedicated to trawling
through user feedback and forums and spotting anything that might be infosec
related.

------
x3c
If this happened on renewal, that means the customers who explicitly asked for
privacy protection didn't receive that service. Shouldn't Google at least
refund all the customers the privacy protection fee, because Google failed to
provide the service it charged customers for?

EDIT: I understand that bugs are unavoidable but Google should be bearing the
cost of its bugs. Google should volunteer the refund of $6 X 300,000 (approx.
1.8M dollars) not including negligence penalty of course.

~~~
jhartmann
I had some domains that fell under this bug. Google has paid my registration
on the domains for an additional year, more than the price of the privacy
service.

~~~
pavel_lishin
Thus effectively locking you into their service for another year.

"Sorry about the rat feces in your soup, here's a coupon for another free
visit."

~~~
mod
Isn't that the point of any company who goes out of their way to correct a
mistake?

Are you arguing you'd rather not have them attempt to fix the problem?

~~~
fixermark
He's arguing that customers don't have to be satisfied with letting the
offending party decide what "making the victim whole" looks like. Which is
true.

------
ikken
I still struggle to understand why we need to have the real address of a domain's
owner publicly assigned to WHOIS data. The registrar knows the owner, so it is
available to law enforcement if lawfully necessary. Owners can also use an SSL
certificate to show their address if they need to. But why force them to make
it always public?

~~~
compbio
It is useful to look at countries which require that you identify yourself if
you want to sell stuff online.

For commercial sites in Germany a "Web Imprint" (Impressum) is required by
law. This "Web Imprint" has to be on a prominent, easy to reach position on
the site. It lists the contact data for the owner(s) of the website.

Making anonymously-run webshops against the law shields the consumer against
fraud and always gives non-law enforcement a place of contact to file their
complaints.

Check for yourself the correlation between WHOIS protected/anonymized webshops
and shady business.

~~~
blfr
If they already have to feature a prominent web imprint, what does anyone gain
from an entry in an obscure (to most web users) whois database? An entry that
the registrar will happily cover with their own info for a small fee.

------
belorn
Having whois information protected is much less useful than the article
pretends it is. Most of the information is already available through much more
extensive databases, and where I live, there are at least two competing online
phone books that not only include name, address, phone number and email,
but also time of birth.

For a service which is intended to serve those with a hidden number or hidden
address, a 94% opt-in rate sounds like it dilutes that purpose, which makes the
people in charge less careful in handling it. It might very likely even cause
more leaks in the future.

------
Animats
Any business with "private registration" is suspicious. As a business, you are
NOT entitled to anonymity. See California Business and Professions Code
section 17538[1] and the European Directive on Electronic Commerce[2]. Even
if you're operating as a sole proprietor, if you're not a scumbag, it
shouldn't be a problem. If you're a company, the company's business address
should be listed.

There are legal ways to deal with this. There are D/B/A names and
corporations. But hiding under a rock is not a valid option.

I have my name and address on all my domain registrations. It's not much of a
problem. I've had two threats of litigation. One is now out of business and
the other backed down. I get occasional phone calls. I may be getting spam,
but my spam filters are dumping it before I see it.

[1] [http://www.sitetruth.com/doc/californiabpcode17538.html](http://www.sitetruth.com/doc/californiabpcode17538.html)
[2] [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000L0031:EN:HTML](http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000L0031:EN:HTML)

~~~
kevingadd
One major motivation for hiding whois information is so that the internet scum
brigades don't send a SWAT team to your address with a malicious 911 call. But
this is mostly an issue for individuals, not businesses - so in the case of a
sole proprietor, you do have a pretty good motivation to hide your mailing
address and phone number even if you're doing business.

Sadly this is the reality for individuals these days, until society catches up
with technology - having your mailing address and phone number out and
publicly accessible is actually quite dangerous.

~~~
Animats
There are still telephone directories.

------
scott_karana
Some regional registrars (like CIRA) only publish whois information for
business and governmentally owned domains.

Personal ones don't even list email contacts! :)

------
driverdan
The best way to protect your privacy is through multiple layers of protection.
If one fails you aren't completely exposed.

1. Get a mailbox (e.g. UPS Store) and use that instead of your home address.
This is worth the $5-15/m cost for package delivery alone. No worrying about
someone stealing packages from your home while you're at work. Privacy is a
bonus.

2. Use a phone service like Google Voice to protect your phone number.

3. Add WHOIS privacy on top of that if you really feel you need it.

Email protection isn't really an issue. I use domains@[mydomain] and all the
spam I get is filtered.

~~~
toomuchtodo
If you don't need package delivery, and don't care about mail showing up, use
general delivery. It's free at your local post office.

[http://about.usps.com/news/national-releases/2012/pr12_125.htm](http://about.usps.com/news/national-releases/2012/pr12_125.htm)

If you have been displaced and don’t have a permanent address, General
Delivery service allows you to pick up your mail for up to 30 days at a
designated Postal identified location in your current community. Make sure
senders of your mail use the ZIP Code for the area’s designated Post Office.
The ZIP+4 will indicate General Delivery. To find the Post Office that handles
General Delivery in any area, call 1-800-ASK-USPS (1-800-275-8777) and request
“Customer Service.”

An example of a properly-formatted General Delivery address looks like this:

JOHN DOE
GENERAL DELIVERY
ANYTOWN, NY 12345-9999

EDIT: I use it as a /dev/null physical address, as I have no need for paper
mail.

------
pasbesoin
Come on, Google. Do you have no QA whatsoever?

Seriously, Adam (at Google). You need to maintain some smart people who
continue to monitor what your products are actually doing in production in the
real world. People who can and do go beyond thinking and acting as insiders.
_User_ advocates.

It's not glamourous work. But it's necessary.

I can assert, through my use of a competitor's product, that I actively check
that their WhoisGuard is actually in place and renewed for each of my relevant
registrations. I find it difficult to imagine there's not a smart Googler,
using your services for their own private endeavours, doing the same. Or are
no Googlers privately using your registration services?

Trust, but verify.

P.S. I'll add that this is not the first time I've encountered, as an end
user, a significant security concern with Google products. The previous one
was fixed. And as an end-user, it was immediately obvious to me what the
problem was. Though it took a bit of arguing. To be brief, in the real world,
users share computers. That should not include cached access to private cloud
documents. Try selling that to e.g. the government (who is a customer).

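The kind of "trust, but verify" check described in the post above, as an added example that is not code from the post, from Google or from any registrar: it parses a WHOIS record, decides whether every registrant contact field still points at a privacy proxy, and flags domains whose renewal (the moment the proxy silently dropped off in this incident) is close. The two WHOIS records, the privacy-marker list and the check date are constructed assumptions.

```python
from datetime import date, datetime
# Constructed sample WHOIS responses (not real records) in the common "Key: Value"
# layout: one with the registrar's proxy in place, one where it has lapsed.
PROTECTED = """Domain Name: EXAMPLE.COM
Registry Expiry Date: 2016-03-20T00:00:00Z
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Email: abc123@whoisguard.example
"""
EXPOSED = """Domain Name: EXAMPLE.ORG
Registry Expiry Date: 2015-03-25T00:00:00Z
Registrant Name: Jane Doe
Registrant Organization:
Registrant Email: jane@example.org
"""
# Substrings that mark a privacy/proxy service in registrant fields
# (assumption: extend for whatever proxy your registrar uses).
PRIVACY_MARKERS = ("whoisguard", "privacy", "proxy", "redacted", "protected")
AS_OF = date(2015, 3, 12)  # constructed "today" for the sample records

def parse_whois(text):
    """Turn 'Key: Value' lines into a dict keyed by lower-cased field name."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key and key not in record:  # keep the first occurrence
            record[key] = value.strip()
    return record

def privacy_in_place(record):
    """True only if every non-empty registrant contact field names a proxy."""
    fields = ("registrant name", "registrant organization", "registrant email")
    values = [record[f] for f in fields if record.get(f)]
    return bool(values) and all(
        any(m in v.lower() for m in PRIVACY_MARKERS) for v in values)

def check_domain(text, today=None, renewal_window_days=30):
    """Verdict for a monitoring job: is the proxy active, is renewal near?"""
    today = today or date.today()
    rec = parse_whois(text)
    expiry = datetime.strptime(rec["registry expiry date"], "%Y-%m-%dT%H:%M:%SZ").date()
    days_left = (expiry - today).days
    return {
        "domain": rec.get("domain name", "").lower(),
        "protected": privacy_in_place(rec),
        "days_to_expiry": days_left,
        "recheck_soon": days_left <= renewal_window_days,  # proxies drop at renewal
    }
```

Feed it the raw output of a `whois` query for each of your domains on a schedule and alert on any record where `protected` turns false or `recheck_soon` is set.
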
------
grayfox
Good thing there is an advert for Enom's ident protect right there in this
press release.

