
The Passport Payment (2000) - csapdani
https://web.archive.org/web/20031002153020/http://www.doublewide.net/
======
dannyw
Could you imagine doing this today? You'd probably get lawyers making you sign
agreements saying your payment of the domain renewal is not an ownership
interest in the domain and threatening to take you to court for renewing their
domain.

~~~
dewey
I actually think it would be the opposite now. Things like bug bounties or a
huge PR problem by the affected problem posting it on Twitter are new things.
It was more prevalent to send lawyers for accessing public but not meant to be
public URLs back in the days than it's now.

------
kijin
According to the story, it took somewhere between 13 and 19 hours for
passport.com to resolve properly after he renewed it for Microsoft. Is that
normally how long it takes to reactivate a domain name that has gone into a
renewal grace period, or was something different back then?

Perhaps the NXDOMAIN response was cached by ISPs for an especially long time
because it was such a frequently visited hostname?

~~~
DanielDent
It used to be that nameserver changes with TLDs were measured in days, not
minutes. Even today some TLDs continue to operate this way.

~~~
evolve2k
What are reasonable timeframe expectations for nameserver changes now?

~~~
DaiPlusPlus
That depends on the TTL of your DNS records. But if it’s a brand-new
registration for a dot-com then I’ve found DNS queries work within 3 minutes
of me completing GoDaddy’s registration (and using GoDaddy’s DNS zone hosting)
even through my ISP’s DNS servers (provided there’s no cached NXDOMAIN
results).

------
terenceng2010
Try to go passport.com nowadays. It redirects you to Bing and search
"passport" as result. Handy.

~~~
calvinmorrison
I had an issue with my router which now uses myfiosgateway.com as the router
config though it is hosted on the router (presumably so it can serve https?)
And MarkMonitor showed up with a big "this is the actual internet so you
don't wanna visit it" page when I was routed to the actual .com, kinda similar

------
raverbashing
> in addition to a new copy of Visual Studio 6.0 (which I need to compile and
> run the decss program to decode my DVD's so that I can play them under
> Linux)

Why would you need VS6 to compile a program for Linux?

~~~
0x0
DeCSS was a Windows-only program back in those days.

~~~
Lammy
Also, because it's a joke and is funny :p

------
StavrosK
I'm confused, how did he pay for someone else's domain? Was there no
authentication?

~~~
namibj
Back then, control was authenticated as necessary for the proper functioning,
but even today I see no reason why renewal should have to be gated behind
login walls. Actually, I'd even prefer it not to be, because you might, in a
pinch, be prevented from paying for them yourself electronically, having to
call in a favor and promise to pay back as soon as you see that friend.

Or you just prefer to pay someone cash for them to top up your domain, because
you don't like mixing money and the internet, but have e.g. a personal domain
for email.

~~~
jedimastert
> even today I see no reason why renewal should have to be gated behind login
> walls.

This actually reminds me of a somewhat interesting social engineering
"vulnerability" a little while back[0].

1. The hacker would call into Amazon and say that the website was acting up
and they needed to add a card to the victim's account. It wouldn't take much
effort because why would it?

2. The hacker'd call right back and say that "their" email had been
compromised and they needed to change it/add a new one and reset the password.
You supply the card you just gave (and name/billing address, but those aren't
too hard to find)

3. Use that to hop on to the account and grab the last 4 digits of the
victim's real card.

You now have the victim's billing address and last 4 of a credit card. A
surprising amount of authentication power.

I think the lesson here is if it _can_ be privileged information, it _is_.
Even if it's privileged for someone else.

[0]: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

~~~
wolco
That's a useless hack at the time. You could generate your own credit card
numbers back then using a formula. The name/expiry date or address were not
used for verification.

So ordering from a fake credit card was easy. Finding the drop shipping
location was the hard part.

~~~
dannyw
Your fake credit card isn't going to have a balance.

~~~
wolco
It didn't matter because in order to check someone had to call and wait an
hour so no one did in mail order purchases/shopping networks because you had
an address to send the police to.

------
swyx
perhaps the most surprising to me is the apparent willingness to enter credit
card info online in 1999. I wasn't around for this period but wasn't the
conventional wisdom back then that this was insecure? hence PayPal?

~~~
gruturo
No, not at all?

SSL had been around for 6 years already, credit card transactions were quite
common, especially with known, reputable hosts (Network Solutions can
safely be assumed to have qualified at the time)

~~~
TedDoesntTalk
Unfortunately, not all websites used https or enforced it on pages that should
have had it. It was very common to see payment forms submitted over http. That
is why browsers evolved to the point where Chrome now won’t submit certain
types of html form fields over non-https.

~~~
gruturo
I'm aware of it - even talked some people out of attempting ecommerce without
SSL about 20 years ago (not all successfully).

But the linked article specifically mentions an HTTPS link.

------
ChrisMarshallNY
It’s always nice to hear about people doing the right thing. Thanks for
sharing the story.

------
ncmncm
Biggest anachronism is his mailing (maybe home) address and phone number at
the bottom.

------
spyc
Great move, kudos to Michael!

------
A_No_Name_Mouse
This happened in 1999/2000, maybe someone could add (2000) to the title?

