Hacker News new | past | comments | ask | show | jobs | submit login
My .in domain has been transferred to another registrant without notification (twitter.com)
374 points by susam 12 days ago | hide | past | web | favorite | 153 comments

The OP here is also the author of MathB.in, a popular math pastebin. He has decided to shut down MathB.in now as a result of this incident. Quoting from http://mathb.in/6 below:

> I have considered shutting down this website several times in the past. But when another of my domain, susam.in, where I used to host my personal blog (archive) was seized and transferred to a law enforcement organization without any notification or authorization, it was the last straw. I do not wish to spend my weekends worrying about spam and unlawful content. I do not wish to maintain constant vigilance on my online servers to maintain ownership. It consumes time, more time than I can afford.

This is sad for WWW. We need more independently run websites, not less. The web of early 2000 is rapidly disappearing.

It's time for a new search engine -- and no, ddg is not it. We need a search engine that doesn't search the new internet. The instagrams, the pinterests, the wikihows, the seemingly every single blog on the internet that is designed to take your time away from you by hydrating you in droplets between sweat lodges.

We need create a new internet on the internet that does not search the new internet. DDG brings back content from the same sites google and bing does.

I want a new search engine focused on the passionate creatives who produce for the web. The early adopters of the web who have been overshadowed by the adwords and the interstitials and lightboxes.

I want content. I want a recipe site with the ingredients at the top and a list of instructions below it. Not 6 paragraphs of why you want to eat this food because of your grandma making it and then people come NO, just tell me what to put in it and how to do it and that's it and load in .1 seconds instead of 100 seconds and then stall every time I try to scroll because you need to tell your advertisers which part of your page is looked at the most.

Your advertisers are more important than your readers and it's not cool.

> I want a new search engine focused on the passionate creatives who produce for the web

Serious question: Do you think the 'old Internet' still exists to such a degree? I'm not just talking about link rot (although most of my links from a decade ago sadly no longer work), but also things like outdated content, like a car review of a 2010 Toyota.

I don't know if the old internet exists anymore, as much as I want it. Sure, we are at an old internet site right now (Hacker News), but what more?

I think it does, the signal is just overwhelmed by the commercial internet. I imagine the number of creative, interesting people who publish their content is approximately linear growth, while the number of ways the commercial internet tries to "reach out" and expand is geometric.

Shameless plug: I've recently started working on a recommender system/search engine built on RSS/Atom feeds (https://findka.com).

Check out https://millionshort.com/ Where you can skip the first x sites and exclude lot of sites to skip the promoted and SEOd crap from the results

Serious question: Would you be willing to pay to access/consume the content found on the search engine?

I would. I know that because I spent a lot of time on the internet in 1992 and 1993, when the vast majority of internet content was produced by people not expecting any monetary reward.

Today we have the concept of "user-contributed content", which means content produced without expectation of monetary reward, then uploaded to a site operated by an organization with an expectation of monetary reward. In 1992 these for-profit organizations did not exist: the services through which people accessed the content were created and operated without expectation of monetary reward, too.

It was glorious. There are some valuable content and valuable services that weren't produced in 1992 and would not be produced in the future if it became impossible to profit from producing it, so I don't want to remove the profit motive from the internet. But search results from Google (and its competitors) are now almost completely dominated by for-profit actors, and I agree with grandparent that we need a new search engine that essentially specializes in content produced without expectation of monetary reward.

> 1992 and 1993, when the vast majority of internet content was produced by people not expecting any monetary reward.

I don't have any figures - that would be interesting - but I guess even today the 'vast majority of internet content' is produced not expecting any monetary reward. It depends how you count the stuff what exact figure you'd arrive at. 99.9% seems closer to what it might be than 50%. Maybe I'm super-wrong about that.

Good point. The big difference between 1992 and today is the profit-seeking middlemen between the reader and most of the user-contributed content. These middlemen show ads, track people, require people to sign in and force people to shift their attention to the task of getting rid of modal dialogs (e.g., "sign up for our newsletter") before they will display the user-contributed content. They make it hard for the reader to concentrate on the current web page by showing many links to other web pages on the site or on the sites of the middleman's commercial partners. (Even Stack Exchange, named by another comment in this thread as one of the good middlemen, does that.) In contrast, navigating Usenet and the web of the 1990s was a lot more streamlined; to a greater extent than is possible today, a reader could stay focused on the user-contributed content or on his or her reading goal.

Of course there are middlemen today like Hacker News and Wikipedia that pretty much stay out of the reader's way, but they are the middlemen for closer to 0.1% of the user-generated content than 50% of it.

Very graceful disagreeing, thank you! I appreciate it. I have a book called Talking Philosophy that says that when a philosopher at Oxford wishes to express disagreement they say "Quite. But at the same time...", and that one in Sydney says "Bullshit!" p.s. I'm in Sydney :-)

Yeah this is an important question. A big reason why the internet is the way it is today is because creating and updating quality content takes time and a certain amount of skill, which most people want to be compensated for.


* Stack Exchange Sites

* Wikipedia

Compensation does not have to be only monetary. In stack exchange & wikipedia, the contributors are rewards with points & special titles.

While true, this thread was about paying for the "old internet" which implies monetary compensation.

Stack Exchange is a private, profitable business. Wikimedia Foundation collects a hundred million dollars in donations each year and spends 40% of it to keep functioning. The contributors are effectively volunteers supporting these companies, which is a lot different than running your own site or channel and pumping content into it regularly.

It's not just sad or inconvenient for independent websites, it could lead to identity theft. I've got my own domain name specifically to not be dependent on the whims of Google or my ISP. I control my own email domain, or so I thought. If someone can take my email domain like this, they can also it access all sorts of sensitive information.

The internet really, really needs to be more reliable than this. Losing a domain name for an unknown reason should be impossible. Also, losing a domain name by accident should be a lot harder.

> This is sad for WWW. We need more independently run websites, not less. The web of early 2000 is rapidly disappearing.

Its still there, but there is a lot less of it. Recently I've decided to go back to ownership of my music and rebuild my old (~20 000 track) collection. Some of the stuff is rather obscure so I end up on niche blogs with pixelated-animated favicons, no weird whitespace and sometimes almost bare HTML. Definitely makes for nostalgic feelings..

But the independent sites are dying for a reason

Because you'll try to put something up and you get flooded with spam/hacking attempts and whatnot

Because registering a domain, deploying wp, etc if not so trivial

Gmail and other "big email providers" are needed since there's no litigation against email abusers, and there's a constant flood of crap to the spam folder

Walled gardens are surely problematic but they're less trouble than going independent.

And losing the domain for "unlawful content" is bullshit.

The OP wouldn't be talking like this if he were actually responsible for the "unlawful content".

And seriously, does Twitter lose its domain because someone posted malware or child porn or whatever?

Edit: So where's a safer place to register domains?

Maybe China?

Can we build another one?

We can build a GNU one! https://gnunet.org/en/

With .org's recent debacle...


The project is on the dot-org TLD, which has seen some recent discussion, compiled in this thread:


1) Both have to do with gTLDs/ccTLDs and sketchy behavior by TLD operators

2) Both have to do with site operators experiencing a sense of uncertainty due to problems with the ICANN landscape.

Is it really so hard to comprehend relevance? I'd tell you to try to keep up, but that's against HN rules & regulations, so I won't say that.

What is going on in the ICANN landscape (outside of the .Org profitization)?

.org isn’t a ccTLD?

You're absolutely right, it's a gTLD.

why is this downvoted?

gnunet is an application. the fact that the development is hosted on a .org is entirely irrelevant. gnunet's function doesn't depend on it.

I remember reading urbit's launch. It didn't make sense how things worked. What are your thoughts on it?

They could definitely do a better job of explaining what it is, how it works, and why I need it. I am interested though

Long story short, the creator and the relevant technology has strong fascist tenancies and should be stayed away from at all possible.

Cite: look up Mencius Moldbug or Curtis Yarvin. Alt-right 'darling'.

The tech itself has him residing as the root node, and able to 'kick anybody off the island'.

Didn't he leave Urbit earlier this year?

I have no clue. All I know is that it's tainted personally by him. Haven't looked back.

It's easier than ever to built the web of 20+ years ago. Running a VPS with PHP where you had to patch the server and worry about hackers and malware has always been a concern, this is nothing new. But on today's web you can get around all of that with PaaS solutions like Heroku. $7/mo and you can host your custom site all you want without worrying about security or infrastructure.

A domain being seized by law enforcement for hosting illegal content (even if it was put there by hackers) is nothing new and has nothing to do with the state of the modern web.

It is not easier. If you don't host your website behind cloudflare it can be easily ddosed.

The only way to get good ddos protection is to centralize because it requires you to have close personal relationships across the world in order to get good bandwidth at every location.

You could be. But you won't be. Getting denial of serviced on the web running a personal site is like getting attacked by terrorism. Sure, it happens, but it only ever directly effects the lives of less than half of a percent of people even with the most generous definitions of "terrorism". It's the reactions to it that cause damage.

And it's the same reactions to it on the internet that hurt and not the DoSes. Just run your website. If it gets DoS'd no big deal. It's not like you even need a single nine of uptime consistency.

I've run my for 20 years from my home connection, I've been a jerk on IRC, I've used it for gaming clans, I've hosted and continue to host tor onion services. I have never been DoS'd.

At all my past jobs we've been hit with DDOS (either directly or indirectly via our customers). If the odds are like terrorism I must work at firms with the world's unluckiest businesses.

Sounds like you are involving money. Don't do that.

Plenty of non-profits have been ddosed. Your website is either small or is just lucky to have an audience that isn't inclined to ddos.

Yes. Like most websites.

The threshold for "small" is a lot smaller than it was in 2000.

There are a lot of people in this thread who have very valid complaints about the web, but don't make any sense at all in context. This one is a great example. Sure DDoS sucks but what at all does that have to do with the difference between today's web and the web of the 2000s? Today's web offers DDoS protection (optionally) and the web of the 2000s did not.

The first DDoS happened in 1996. Absolutely nothing to do with the current topic at hand, completely off topic.

It is way easier to ddos a website today than back in the 2000s. Back in 2000, you could block almost every ddos simply by having gigabit. Now there are millions of more exploitable devices.

Do a search, https://www.google.com/search?q=stresser

An attack that can cripple all but the largest networks can be had for $5-10.

I always take those speeds with a grain of salt as it is likely that they dont actually provide those speeds. What is someone gonna do if the speeds are wrong? Sue them in court for not commited the crime they are paying to commit enough?

Or to massively decentralize so that you need to bring down the entire network.

A web hosted in the hands of a few is exactly the problem leading to the problem here.

Centralization is the issue. May it be registries, ISPs, hosting providers or anything else. Heroku and PaaS do not solve this at all.

Was the Web of the 2000s really based on completely decentralized ISPs, registries, and hosting providers? I was there and I seem to remember there being a small number of ISPs, a small number of registrars, and a small number of hosting providers. A site like this would be registered at GoDaddy and hosted at DreamHost.

Of course many people could fill out the ICANN paperwork themselves and run a server from their own home, but many people can do that now too. And if you do that, you still run into the issue of hackers being able to install malware on your systems. But instead of the police seizing your domain, they kick in your door in the middle of the night with guns pointed at your family.

Maybe it would clear things up if you could lay out for me the exact scenario that combines "the web of the 2000s is rapidly disappearing" with "registrar, ISP, and hosting provider centralization is the issue" and ends with "if that wasn't the case, this website would never have had to shut down". I feel like you're remembering the web of the 2000s very VERY differently than I am.

In the early 2000s there were probably 10-20 national dialup services, plus tons of local services (it was an easy business to get into, either get a t1 for upstream internet and a t1 for your modem pool, or run a radius server and contract out through megapath), dsl had competition with clecs running in the central office and mandatory line sharing, and these were also in competition with cable (which had some minimal line sharing in areas).

There were a ton of hosts back then, but there still are. I don't remember exactly when registrars became a concept, i'd guess that might have been 1999 though; I don't think there's that many more or less now. A lot more registries with .ninja and .bike and whatever.

I agree though, if law enforcement wanted your domain back then, it would be about the same as now. Although, maybe someone would have called/emailed you about it with whois contacts back then.

Comcast, AT&T, Verizon, Charter, HughesNet, Exede, CenturyLink, Frontier, Cricket, MediaCom, Cox, Sprint, Windstream, T-Mobile, WOW, Dish Network, Cable ONE, Suddenlink, US Cellular, Google Fiber...

Actually it might just be easier to link to the Wikipedia article about ISPs serving the US because there are a lot: https://en.wikipedia.org/wiki/List_of_broadband_providers_in...

Sorry, one of my pet peeves is when people say "the Web of [insert time here] is dead!" when the Web has never been more accessible both from a consumer standpoint and from a developer standpoint. The existence of Facebook and Google can be completely ignored if you actually want to. Emphasis on if you actually want to.

That's a big list, but often, you only have 1 or 2 of those options available to you.

85% of Americans live in urban areas where they would have at least the choice of one cable provider (Comcast, Charter), one DSL provider (AT&T), all of the satellite providers (HugesNet), and at least the big four cell phone providers. Not to mention local dial-up providers which do still exist.

Again, it all comes back to the idea of some people "wish" the web of the 2000s still existed, but aren't willing to sacrifice the comforts of the 2010's web to make it happen. You can host your own lightweight website but Wordpress and Facebook is easier. You can search the web without tracking and Javascript but the modern websites don't work without it. You can pick from a huge variety of ISPs but they won't all be at 100 Mbps. Basically, you can have the web of the 2000s, but it comes at the cost of some of the conveniences of the 2010s web. A lot of people aren't willing to make that trade.

Nostalgia is hard. It seemed amazing back then but not many people would choose to go back to dial-up and phpMyAdmin. For those who say they would... what's stopping you? It all still exists today.

You should probably also be worried about VPS seizure by the hosting provider.

Additional information and discussion: https://gist.github.com/susam/3cb42e571c4ab12987b286791bdfe9...

Commenters have speculated that the domain was seized by law enforcement due to participation in a malware campaign. The domain in question may have been used by malware that was phoning home, perhaps because the Linode server hosting it was compromised. This stems from the fact that the domain's new nameservers are Shadowserver's sinkholes:

    Name Server: sc-c.sinkhole.shadowserver.org
    Name Server: sc-d.sinkhole.shadowserver.org
    Name Server: sc-a.sinkhole.shadowserver.org
    Name Server: sc-b.sinkhole.shadowserver.org
Edit: When querying the domain in RiskIQ, one of the Linode IP addresses formerly associated is tagged with `emerging_threats` and `kaspersky`. Other domains/subdomains associated with the same IP address have similar tags.

One such domain is MathB.in, which is a public pastebin. It's conceivable that malware was phoning home by creating pastes on that site.

Susam, I don't have much experience recovering domains in this state, but it's conceivable that Namecheap will be able to put you in contact with someone who can help resolve the matter. However, if there's something like a sealed court order involved, you may find that you're stonewalled at first. I don't know if there's any available recourse for this, especially since this appears to be an international effort.

At least as of a couple of years ago, Shadowserver could accuse you of botnet participation on such flimsy evidence that it was way too easy to frame someone else as being a botnet participant. I don't want to give ideas how, but it happened to me. Since then, I've configured my firewalls to block traffic to Shadowserver IPv4 space. I'm more worried about getting framed again than actually getting a botnet infection and not getting notified.

absolutely. I recognize those nameservers from my work in a registry, and usually came as a request from a federal agency.

Important to note here that the Registrar (Namecheap) is working the issue[1], and that the domain was pulled from them outside of their control[2].

[1]: https://twitter.com/namecheap/status/1200682593500483584?s=2...

[2]: https://twitter.com/namecheapceo/status/1200714718610153472?... (This is from Namecheap’s CEO)

Yeah, unfortunately, domain squatters have poisoned the well for .com domains. There are many, many domains which should be available for use, but are being squatted indefinitely for speculative purposes. This has caused pretty much every new company to migrate to TLDs like .co, .ly, .me, .ai, .in, and .io. Since these are almost all ccTLDs run by countries, governance is not great. .io has been particularly bad;

* https://news.ycombinator.com/item?id=15293578

* https://www.theregister.co.uk/2019/05/27/io_domains_uk_un/

The problem of allocating scarce resources is hardly unique to domain names. Here are some ways of doing it:

- Let the market set the price.

- Recurring fee for holding it to discourage unproductive speculation.

- An authority decides who deserves it and gives and takes according to their rules.

The 3rd option is particularly nasty. Usually, it's very hard and is what communists hope to do on a broader scale. It would certainly result in seizures whenever the authority decided somebody isn't fully utilizing their domain name. Maybe you spent too long setting up your business and right before launch, you get branded a squatter and your domain is taken after you've already used it in all your marketing material, registered a corresponding trademark, and everything. You might imagine the authority would be fair and not kick out a genuine owner like that, but it's unlikely to have the resources or incentive to investigate every case properly.

People who lawfully own a domain -- even if in a speculative fashion -- are not domain squatters.

If you had a hot new product called CyberTrk and someone ran and registered cybertrk.com, that is arguably squatting and can be legally enforced as such.

If you have what you think is a great new online notepad and notes.com is sitting registered but dormant, the inelegant but reasonable way to respond to your situation is "tough shit". Keep looking.

99% of the time that people rant about "squatting" they're talking about the latter case. Yet they are not entitled to a domain because of some imagined better use for it.

Sorry for the rant, but misclaims about "Squatting" lead to an iffy area where people have a profound misunderstanding about property rights. I have zero "parked" domains, but contemplating the issue long ago made me less outraged when I lazily searched for the most blatantly obvious domains.

Thanks for the reply, but this is quite a tangent to my point. I am not arguing that it is not legal to hold a domain indefinitely for investment purposes; I'm saying that since so many domains are being held this way, startups are being forced to sketchier ccTLDs.

It also paradoxically means that .com domains are not quite what they used to be: as more cool new companies have a .ai or .co, the public has stopped thinking that "only .com matters". Like I said, the holders of the .coms are just poisoning the well for the TLD.

To address your point directly, I do personally disagree with you that "squatting for speculation" or "parking" as you prefer is harmless. Since ICANN (or Verisign, I guess) controls the TLD, I do think they should disincentivize this holding behavior with some kind of property tax. It's as if vast tracts of Manhattan were just empty fields - not really in anyone's best interest, in the long run, not even the property investors, who are at risk of property developers going to more-hospitable jurisdictions.

I referred purely to the incorrect use of the term squatting. They aren't squatting.

Further, nowhere did I say that it was "harmless", or pass any value judgment at all on it. I just said that it's not squatting (cyber, domain, or any other prefix). Those people pay the same domain fees as anyone else.

"I do think they should disincentivize this holding behavior with some kind of property tax"

They are paying the same domain fees as everyone else. However let's imagine that they change it to charging some sort of "how lucrative is the domain name" property tax, like Google hilariously tried to do with some of their failed TLDs: We're currently talking about parked domains that cost an absolutely negligible amount...I imagine a lucrative fee would be a bit more disliked by these imaginary startups ready to fill all the good domains.

Sidenote - there was a rush to .io, .ly and other TLDs -- against all reasonable caution -- because people thought they were cool and new, not because they were their last resort

Georgism for the Internet!


Why does the sketchiness of some ccTLDs pass without comment? Shouldn't that be dealt with before casting the solution on other TLD/registrars/etc. like so much splash damage?

I think a few people, including myself somehow read too much into your comment. Actually, it sounds kind of positive now. If shortage of .com domains has pushed the "cool" websites to others, that naturally increases the supply of the preferred TLDs. Except of course your point about governance. There have been problems with some weird trendy TLD like .io, haven't there?

Internet domains are not property, and to the extent they are, they are all the property of ICANN. The delegation system is somewhere between leasing and feudalism.

You can tell it's not property because the one thing that's guaranteed to result in losing a domain is failing to pay the fees.

The idea that first registration entitles someone to (a) waste a finite resource forever and (b) sell it at arbitrary prices later was fought out in the early 00s, and the real WIPO trademark system won. A number of people who had squatted the names of famous companies in hope of extorting a payout were disappointed.

"You can tell it's not property because the one thing that's guaranteed to result in losing a domain is failing to pay the fees."

Don't pay your property taxes and you lose your property. Courts have argued that domains are property countless times, and they are treated absolutely as such. They are in the sense of contract law, with rights and grants, but obviously are a virtual good, of sorts.


"The idea that first registration entitles someone to (a) waste a finite resource forever and (b) sell it at arbitrary prices later was fought out in the early 00s, and the real WIPO trademark system won."

I specifically excluded trademark infringement, so why are you arguing that case? But yes, someone can "waste a finite resource forever" (by paying the same fee that a "useful" use of it would). Those are the rules of the game.

Those are the rules of the game.

That may be true according to the current authorities running the show, but clearly those rules are far beyond their useful lifetime now. For practical purposes, domains often function as a primary form of identification, for websites, email and other functions. Both the domain registrant and anyone trying to reach them have a reasonable expectation that the identity in question will not silently and suddenly be changed, a huge amount of everyday activity now depends on that expectation, and the consequences of violating it can be severe. We are well past the point where such critical infrastructure should not be in the hands of private businesses or individuals without sufficient regulation to safeguard the common good.

> Those are the rules of the game.

I don't think anyone disagrees that those are the rules we have. I think everyone who actually creates websites thinks those rules are not working as intended and should be changed.

I refuse to believe that having speculators pay for thousands and thousands of empty domains is "working as intended".

There's no shortage of possible company and product names without a failure of imagination.

well, yeah, I get that. I spent 3 months trying to come up with something decent for the last one, and it did drive a lot of imaginative thinking about the brand, which was actually useful.

I'm more thinking of the waste and expense. Clogging up infrastructure with utterly useless "holding pages". People spending vast amounts in registration fees in the hope of getting that big win. And that big win being at the expense of a company that genuinely needs the name but is forced to spend massively more than it needs to in order to get it.

If this was what was intended, then whoever designed it was evil.

Also a corporation is a person because judges have ruled that too.

I certainly agree that opinions can differ whether various things (e.g. intellectual property) should be called property or not. But personally I don't like the dilution of the concept. "Ownership" of a URL is more like a contractual right.

As for your home/land, if you don't pay property taxes the govt may begin a legal proceeding to seize it which must satisfy the usual checks and balances when the govt wants to violate your rights. Then they probably auction it off and the balance minus your back taxes goes to you. The point is you have real rights. Meanwhile your domain may be worth a million bucks at auction but you aren't getting squat because you forgot to pay the $12 fee, or violated some other detail in the contract.

With physical property, we have adverse possession...

> You can tell it's not property because the one thing that's guaranteed to result in losing a domain is failing to pay the fees.

There's a sibling comment that points out that courts recognize it as property, and certainly trademarks are a similar "property" that requires active enforcement.

But while the law is a good authority because they've gone through many disputes and have had to work out good arguments, I don't think it's the final authority; laws can change after all.

That a domain requires upkeep doesn't make it not property. Even in the absence of taxes, your house or any of your stuff requires some degree of upkeep.

But a domain is certainly not chattel, and intangible property always does seem like... not property. (Though, even with tangible property, it feels fuzzy, and that's part of why fences are used to reify borders.)

To my mind, a bigger issue with calling it property is that there's not necessarily a single registry system.

My thought experiment is to ask what we'd do without registrars. We'd all simply advertise our domains to the DNS servers, with all the obvious conflicts that registration is meant to avoid. And we'd have to resolve those conflicts by having the DNS providers agree that a particular advertisment was correct. I think that gets a bit closer to the heart of what "owning a domain name" means.

Owning an agreement with these entities to manage those disputes looks very similar to any other kind of security or bond. It also has qualities of an asset: you can trade it, it's not very liquid, you can derive an income from it by developing things on it, etc. That's why I lean on the side of the "domains are property" camp.

I don't think you have the same understanding of what domain squatting means as most people. Speculative ownership of unused or parked domains is basically exactly what I would consider domain squatting.

And you'd be wrong.

I'm not trying to be spicy -- the literal definition of domain squatting is intentional trademark infringement or confusion. Someone else sitting on your grand plan doesn't make it domain squatting because someone else has their own grand plan they want to sit on.

Squatting by definition is illegally occupying property that you don't own, which would be a trademarked term.

e.g. If someone builds a hut at the back of your property, they're squatting. If someone else looks at your property and decides they want to make it a lucrative Taco Bell location, it'd be pretty rich for them to call you a squatter and claim right to it, yet that's exactly what's happening in that incorrect usage.

This is hardly a hill I want to die on, but on HN -- of all places -- I'd expect we'd have a somewhat proper use of terminology.

You're talking about law and legal terms of art, but the conversation is about English. There is often specific legal meaning to terms of art that does not align with the lay definition. I think you are making the case that this is another example of that. I'm not even sure that it is — the US legal term defined by ACPA is "cybersquatting," not "domain squatting. The latter appears nowhere in the text of the bill, whereas the former appears something like 66 times.

No, I'm talking about the literal definition everywhere. Not in some abstract textbook.

"the US legal term defined by ACPA is "cybersquatting," not "domain squatting."

Okay? What is the point of this? The key is the term squatting -- illegally occupying property that is not your own. Calling completely legal, completely compliant ownership of something squatting because you personally don't like it is...well...it's nonsense. It's the dumbing down of terminology.

You're still talking about squatting, the legal term of art.

Why does it matter how far in advance or how speculatively someone took the domain?

If they are indeed different, I would argue that learning of an emerging product and preemptively buying the domain is not cybersquatting but more like IP theft.

Regardless, the point remains that the .com TLD is saturated with parked domains, meaning folks must go to more poorly managed TLDs for reasonably priced domains. Personally, that’s not the way the world should work. A parked domain does not offer value to the world the same way that undeveloped/underdeveloped land does. Indeed, a small store holding its own against gentrified land often provides more value to the community that if it were consumed by public domain. And even with physical property, it is possible to seize underutilized land in the name of public good.

TL;DR: I get that you #define cybersquatting in a way that excludes speculative parking. Not only do I disagree with your definition, but I don’t see how speculative parking or whatever you call it is reasonable.

I have a few domains I don’t host public-facing websites on - they’re used for either email, or internal things at home, or just hosting txt records.

There’s no sane way to validate a domain isn’t in use.

I'd argue that a "buy this domain! offers start at $1500" parking page and no e-mail or other DNS records set up, over years, is a pretty good indicator you're not actually using a domain.

Also the fact that you exceed some personal limit (or limit per legally registered company), let's say 25. For example, the general case we're all talking about, a company with 10,000 domains on sale for minimum bid of $2,500 would exceed 25 and would have to pay the penalty on all but the first 25.

"I get that you #define cybersquatting in a way"

This is such a self-defeating effort, but I don't define it that way, most everyone does. Because the root -- squatting -- refers to occupying someone else's property. This isn't a point in debate -- a quick search verifies that every single authoritative source seemingly in existence is in agreement with me.

"And even with physical property, it is possible to seize underutilized land in the name of public good."

That is an extraordinary action that happens incredibly rarely and is extremely contentious. It does happen, but it's certainly not comparable with "I got an idea and I want that domain".

And let's be real here -- those domain resellers usually sell the domains they are "squatting" [sic] on for an absolute _pittance_. If a couple hundred dollars is what ruins some great startup plan, I'm going to go on a limb and say it wasn't such a great startup plan.

Indeed, what most people want is to say "Hey that's unfair that he's parked on that! Let ME park on that and sit on it indefinitely because I've got a Great Idea that I'm going to get around eventually". That's what 99% of the parked domains already are.

> I would argue that learning of an emerging product and preemptively buying the domain is not cybersquatting but more like IP theft.

Or how about investment? If you can see the future, pay for the valuable domain before it's valuable, then get your return by selling it to the company that wants it. Isn't that quite a lot like giving money to the company in exchange for a share of the profits? The risk is that you might misjudge and waste money on worthless domains, just like traditional investing.

In investing you control real resources that you offer to the company to further their goals in exchange for future gains. When you squated on a good name you seized an opportunity from them by registering a name you had no use for for a legally defined minimum fee and demanding payment for something you had no use for ensuring they must pay someone hundreds or thousands instead of the legally defined minimum fee.

It would make more sense to let registrars charge what they please instead.

It's the opposite of investing. Squatters aren't providing value they are pure parasites. People are most apt to learn of the parties smartly chosen name not through their marketing but via being the second person to come up with it and learning they must pay the squatter.

It matters because the startup hasn't chosen their name yet (and presumably will check available domains before choosing a name because they're not fools). It's pretty much the same as land speculation. Don't found a business and claim your address is an empty lot you saw downtown under the assumption that this is freely available land.

Fascinating. The NameCheap CEO is in the replies, and seems to be saying that the registration was pulled at the registry level for some "perceived violation or legal request" -- I'm kind of curious regarding what protocol is for these kinds of situations, and how much they vary from TLD to TLD. I think about the once-popular .ly TLD becoming less popular after instability hit Libya, but I'm curious about what the other case history is here.

I work at a registrar and as far I know there are no protocols. We are an intermediary between the registry and registrant (in those TLDs which have a registry/registrar/registrant model), but the business relations involved are a bit more complex. The registrar's job is mostly set to only handle the technical and billing aspect, while the legal relationship is between the registry and registrant. Who owns a domain and which registrar handled the billing and technical aspects is a legal decision which is outside the control of the registrar.

The variation between TLD and TLD is massive. Practically all ccTLDs have their own home made rules and more often than not their own technical solutions to match. A big reason why the more exotic ccTLD's can cost a lot of money is the hoops that registrars need to jump through, both legal and technical, and the "workarounds" for both.

There are even ccTLDs like .af (afghanistan) where the root zonefile is edited by hand for every new domain, in this case by some persons at the "ministry of communications" in kabul.

This was pulled at the registry level:

Registrar: NIXI Special Projects Registrar IANA ID: 700066

For the curious, NIXI is the "National Internet Exchange of India", a government non-profit in India. INRegistry, the organization responsible for the .in TLD, was created by NIXI and operates under them.

There are other threads that mention this, but his domain was transferred over to Law Enforcement.

I had this happen to a .com domain I own, also at Namecheap.

In my case it was actually a trademark infringement legal action. My domain got listed as hosting a site that sold knock-off sunglasses[1] . The plaintiff in the case got a court order to transfer all the suspected domains to them, a list of about 1,000 domains. I got no notice, my domain just suddenly disappeared.

I had my lawyer contact the plaintiff, in which we apologized, told them we had no idea this had happened, and promised to up the security (in reality I just nuked the WP site.) About a week or so later they transferred the domain back. For me this was annoying and cost a few hundred bucks in legal fees, but not that big a deal. Obviously not the case for Susam.

[1] My (largely abandoned) self-promotion Wordpress site got hacked, and was used to host an e-commerce site. Weirdly the domain was ${my_real_name}.com, hardly an obvious choice for selling knock off sunglasses.

I actually think wordpress has contributed significantly to the decline of the web. It's not secure. It proliferates so it's easy to hack. It's easy to embed untested plugins in it that are also vectors. It's plagued by all the same problems as microsoft windows.

If someone steals your domain registration, they can then change the MX records and start receiving your email. In some scenarios, I think that could be a more serious consequence than the website being down or replaced.

Same reason that deliberately letting domain registration lapse for a domain that was used widely for email is a scary prospect.

This is a malware takedown. And must definitely have happened at international law enforcement level.

NIXI is regulated by Indian law and is the cctld registrar of .in . The domain records show a registry lock and the new owner being "The Verden Public Prosecutor's Office".

This is not common in India.

More or less in a lot of countries with fishy legal system you have zero protections with their .cctlds. Even then the courts might rule that the name is not property or whatever.

In a lot of countries you will lose the name if the well connected person there wants. They'll find a justification that doesn't pass any smell test but you're out of luck. Nothing, absolutely nothing can be done. So use them, but be prepared to lose your names. Everything is fine, until it isn't.

The same thing happened to my .cm domain with Namecheap a few weeks ago. They were eventually able to recover it. But there was no communication from them for quite a few days.

I was able to recover my .in domain too. Here is the full complete story: https://susam.in/blog/sinkholed/

In order to reduce risk I really wouldn't recommend running any service that hosts any user content on the same domain and TLD you host your personal stuff.

I've sometimes wondered if it would be worth getting something like 4e4eee247a69fab841ec36eabc95eee9.com [1] and only using it for email hosting to host my contact emails and for my other services.

The idea is:

1. By having no other services on it that minimizes the chances that it could get hacked and used for nefarious purposes that might get it seized by law enforcement.

2. By using a meaningless name like 4e4eee247a69fab841ec36eabc95eee9 there is no chance someone will come along with a trademark claim or an accusation that I'm squatting on a name that they have a better claim to.

[1] dd if=/dev/urandom bs=1 count=16 | xxd -g 16

I have a domain name like that, I primarily break login forms with it but that was the initial idea, yes.

If it's just for a non public contact for a domain registrar and/or strictly similar functions I personally believe so.

Same domain I get but a new TLD? I like to keep stuff in '.com'

The point was to avoid having all your eggs in one basket, basket being a jurisdiction in this case.

I think "domain and TLD" is a single clause in that sentence.

I just bought a .in domain for a side project and was a little worried about this sort of thing being possible based on my experiences with registration.

There's an update on susam.in. He got the domainname back.

So. Namecoin? Onion domains? Opennic? Ipfs? How else can u opt out of icann's influence?

Seems like the most likely case is that law enforcement clawed the domain for suspicious activity.

Which brings up the question, is this problem limited to ccTLDs or TLDs like com, net as well?

You have much more protections on gTLDs than on ccTLDs (where you have none).

I've always wondered why so many people are using .io domains (and now .ai domains).

I think some is hype, but also there are so many .com domains being squatted on. I'm only willing to pay so much to host my personal site.

There are hundreds of gTLDs available now, all operating under the same contract with ICANN (i.e. you as the registrant get there same protections).

The gTLDs seem expensive. I usually use .us for cheap domains, and the free monitoring the NSA gives me is a bonus.

A lot of them are quite inexpensive. And don't forget you can find much shorter/better names on new gTLDs.

> I've always wondered why so many people are using .io domains (and now .ai domains).

Most people do not know the difference between gTLD and ccTLDs. They think .io and .ai are just like .com. Registrars like Namecheap ought to do a much better job informing their customers about the risks of using ccTLDs.

> You have much more protections on gTLDs than on ccTLDs (where you have none).

Hum... No. On ccTLDs you have the protections the issuing country gives you. On gTLDs, you have the protections the US gives you.

Some countries won't protect your domains at all, others will protect it even more than the US.

It's about more than just legal jurisdiction. gTLDs are required by ICANN to adhere to certain standards whereas ccTLDs are not. As a result, the majority of ccTLDs are incompetently and/or capriciously operated.

On gTLDs you have the protection afforded by ICANN. ICANN is an international NGO that was spun out from US government control awhile ago.

What ccTLD would you describe as more protected than .com?

.de has quite amazing protections for a TLD, and if you forget to renew, it won't automatically lapse, but will be "in transit" for 2 weeks until you decide what to do with it.

Registrars also can't just change owner data, or move a domain between registrars easily, that requires a two-factor authentication.

It depends what you're hosting. bodog.com is a legal Canadian-owned online gambling website. But since online gambling isn't legal in the United States they had their domain seized: https://www.cbc.ca/news/world/bodog-gambling-site-shut-down-...

It looks like after going through the courts they have had their domain returned.

That's a bit of a different situation though. They were illegally running a gambling operation in the United States at a time when that wasn't legal, and they lost a lengthy court case to that effect. The domain seizure was incidental.

Contrast with the situation in the linked post, in which a .in domain was randomly seized without warning, and crucially, without due process. Bodog had the benefit of due process.

If you're hosting warez streaming, any non-US/western EU coutnry?

The domain susam.in has been transferred back to me. I've updated the original Gist post with recent updates on why this issue occurred and how it was resolved: https://gist.github.com/susam/3cb42e571c4ab12987b286791bdfe9... (see the "Updates" section).

Summary: The Shadowserver Foundation contacted me by email and informed me that my domain name was sinkholed accidentally as part of an operation they were performing. They have now examined my domain name and found that my domain name should be excluded from their operation. They worked with NIXI to transfer the domain name back to me.

Thank you, everyone, for your support as well as for the great quality of discussion on this thread.

Which TLDs are immune to this kind of takedown request?


If I could magically put this at the top, I would.

There are other options, but they require hosting on overlay networks, and running your own name servers. But then people must install suitable gateway routers to reach your sites. Those can be VMs, but it's nontrivial for most people.

malware is my guess. New registrant is The Verden Public Prosecutor's Office which shows up on:

"Over the following years, the Luneberg police and the Verden Public Prosecutor’s Office, in combination with the BSI, FKIE, BFK, and numerous other law enforcement and industry partners, continued investigating the Avalanche network, discovering a massive operation responsible for controlling a large number of compromised computers across the world.


I’ve run a .in site through Namecheap for 6 years. Glad they are responding to the issue.

> I owned this domain for 12 years ...

Rented. They rented this domain for 12 years.

Not to excuse the appropriation. But no one owns their domain, except possibly govs and mega-corps by virtue of mass.

Legally it’s neither. It’s more like paying for a listing in a phone book.

That's a problem with all country-specific TLD's. At any moment country 'X' can decide to take over '.xx' and nothing anyone can do.

I wish we could switch to a system like Tor's onion services where each URL has an embedded key, it would solve so many problems!

I think he should change his name and get a new domain. It must be hard to have a name like that and trying to live a normal life.

I have purchased domain on namecheap based on yc feedback. Looks like i have to rethink.

Capitalist interests prefer less competition, the end goal is monopoly. People are trying to raise the prices of .org domains too, so I feel like a hammer is about to fall as far as the practical level of involvement and presence on the internet goes for individuals the world over. Keep an eye on the canary in the coal mine, or even deploy several of them.

Please don't take HN threads on generic ideological tangents. They lead to generic ideological flamewars, which are all the same.


We detached this subthread from https://news.ycombinator.com/item?id=21671771 and marked it off-topic.

Sad, but also promising. Our WWW was only V1 of the people’s internet. There will surely be another, more radical in its decentralization.

I love the WWW, but I don’t mind if Capital will take it. They’ve already ruined much of it... the ads, the surveillance, SquareSpace’s cookie cutter stores, ES6, Webpack, etc. Erasing everything that was good about the old days.

The old will rise again anew.

One more reason why DNS must as quickly as possible be migrated to a decentralized blockchain.

I'd say DNS is the poster-child example of why - in spite of all the naysayers - blockchain is a desperately needed technology.

DNS is already a decentralized database, much more efficient than a blockchain. A blockchain only works for time series data.

I think the original (down-voted) poster meant that DNS should be decentralized to something more than 13 servers, from which any government can decide to seize a domain. A decentralized DNS system would improve free speech, and it would help with due process when it comes to the involvement of law enforcement.

you are exactly right and this is the reason that DNS will eventually move to the blockchain. As with money and bitcoin, the internet isn't truly free until this happens

There are 13 well known logical servers (~1000 physical) but they all synchronize the root zone from ICANN just as anybody can https://www.internic.net/zones/root.zone

If it's authentication of authoritative response data you're looking for then that's what https://en.wikipedia.org/wiki/Domain_Name_System_Security_Ex... is for.

It amazes me that anyone with any awareness of how much Bitcoin has been lost or stolen (to name just one issue) can demonstrate this kind of magical thinking.

It's all been lost by third parties, though. Any idiot can make a pretty webpage advertising BitCoinBank and all the best thieves in the world can try to break in.

> It's all been lost by third parties, though.

Sadly, no. In addition to the hive of scum and villainy that are Bitcoin exchanges and other ecosystem players, there are a thousand stories of first-party losses. https://www.wired.com/story/wired-lost-bitcoin/

I didn't consider user error because if we apply that objectively we'd have to say that standard fiat currencies don't work because people routinely lose cash to loss, theft, fire, flood, etc.

My point with bitcoin is that bitcoin itself works as advertised. But like gold, directly working with bitcoin requires a good deal of specialist knowledge.

That's why, as with any medium of exchange, you need an infrastructure to manage funds and enable transactions, and the crypto-monkeys are trying to replicate systems that developed over centuries.

They had namecoin for ages now.. but you need a browser extension to visit .bit domains in the browser

First I was like: what a stupid idea, silly blockchain guys. But than I thought: a decentral ledger is not much different from the original DNS idea.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact