Hacker News new | comments | show | ask | jobs | submit login
This Site’s Domain is Stolen (css-tricks.com)
355 points by tbassetto on Dec 2, 2011 | hide | past | web | favorite | 167 comments

As a registrar I would like to point out that this is a good reason to not have privacy protection on your domain.

It raises the chance of losing your domain greatly. (Even though you can argue that having your email displayed exposes an attack vector).

Public info makes it much easier to recover a domain. And proper security on the email is required as always obviously.

I've helped several people recover domains by going to contacts I have at ICANN. Not having public info doesn't give me what I need to make a case. It's a non-starter many times. And it just confuses the issue for you as well when you are trying to correct things.

Registrars (we don't offer privacy by the way) want privacy because it is a) something they can offer and charge for and b) allows them to lock the customer in and create a barrier to exit. c) Many of them do this by changing ownership to them for the domain and giving you a contract that you are the beneficial owner. Not good for you. You want and need to be owner according to whois. (Read this again.)

If you want a private domain use a po box or a work address etc or your uncles's address. If you are a business you absolutely have no reason to have privacy (and many many businesses do because they have been sold some bullshit on this with respect to spam).

Public info also makes it easier to steal a domain.

Long ago, I (being childish) stole a domain from some random person who pissed me off in a video game. I spent three days calling the registrar's offices (along with a friend) over fifty times, writing the name of each service representative down so that we didn't dupe up on anyone and raise any red flags. (It was a huge registrar, though not GoDaddy.)

We were able to use the public info available on their whois records to weasel our way into getting additional account information from the employees. We'd simply call and ask for a small piece of the account information in a nonchalant manner, they'd ask for info we've already obtained from previous calls, and usually they'd either give us the info or say "we don't have access to that information".

The hardest part was getting the last four digits of the credit card on the account. Since we had all the rest of the user's information, we called maybe twenty times trying to get those numbers. Some employees would say they can't see them, but they could. All it took was one really stupid representative:

"Yes, I'd like to confirm the credit card on my account before I file a form to retrieve my account back. I have two cards that end with the same last two digits, what are the first two digits of the last four digits"

[she doesn't understand so we confuse the hell out of her for minutes on end]

"uh... 2... 6."

"And the last two?"


"Thank you, I have the right card. Good day."

Had a good laugh, filed a form, emailed it in, stole their domain before they noticed, and never gave it back. I talked to the owner and eventually redirected his website back, and he forgave me.

Keep your whois info private if you're on a crappy registrar. Likely, the OP uses the same password everywhere and some random kid stumbled on his godaddy account and took the domain from under his nose.

Wow. As much as I appreciate you coming forward and telling a good story about social engineering, this is really a total asshole move. I hope you look back on this experience with with no small amount of shame.

A very good point. Personally, I use Gandi.net as my registrar, and I use their privacy protection; however, they very specifically keep my name listed as the owner, and just provide a forwarding email address and a dummy postal address and phone. Gandi mentions this ownership issue as the reason, and points out the implications of other registrars which list their own name instead.

That's certainly better. And you have a somewhat unique name.

But imagine your name was "John Brown". Having address data (any address data) is additional protection. And it creates an additional public paper trail.

And even your name is coming up with approx. 42 potential matches (according to http://www.usa-people-search.com)

Why not just use the address data you use for apters.com ?

Thanks for this post. I don't have privacy protection, but I have been very lax about keeping the contact info on my domains up to date. This post made me see the error of my ways, and I'm off to fix that right now.

We don't do this of course but as a registrar we have literally the sole authority to cancel your domain if you have inaccurate whois data. Seriously.

See section


Yeah, my registrar sends me yearly e-mails to tell me to make sure my info is up to date, which I then ignore. This post was what finally got me off my butt.

I would warn everyone that reads this to be very careful. When a domain is stolen, it's usually not used for "legit" purposes. Be very careful when visiting this site - use a patched browser, Java + Flash + Acrobat, etc., in case the new "owners" decide to stick an exploit kit here.

Why would they need access to the domain to do that?

Because they would mirror the site and then add bad stuff, so it looks legit, and then change the DNS record to point to the mirror.

I cannot really recall that ever happening for, like, the last 10 years. I could see the case if they wanted to intercept mail or something, but then the administrator would notice quite fast what was going on (ie. not receive any mails...).

I see this all the time with Twitter. These days you don't even need to mirror the website; just run a proxy that edits the HTML on the fly. Of course, they just use existing malware to edit hosts file but easy to translate to simply stealing the domain.

I have done this with Facebook as part of a prank on a friend, its not hard to do!

Why would a mail interception not simply relay the mail back to the originally intended server (which, for obvious reasons, is happy to accept mail for the targetted domain)?

The point is very valid: someone who controls a domain can trivially MitM any communication with that domain over unencrypted HTTP. And given events of the past year, I wouldn't put it past them to be able to get a cert issued for the fraudulent domain too...

Unless they were making copies and forwarding the e-mails on.

This is why we have SSL. SSL protects against exactly these kind of Man in the Middle attacks.

It's not a man in the middle, it's a new man on the other end, and since he has the domain he can get a legit SSL cert for it.

If he has control over the domain but not the server, it's man in the middle. He'd have to redirect the nameservers to a new server, which would either request html from the original server and add malware on the fly, or create a replica of the original site with extra added malware.

Either way, though, without the private key to the SSL certificate, which he won't have without the original server, he can't pretend to be the original site on the other end of an SSL connection.

It doesn't matter if he has the private keys of the original server. He can MITM it with a brand new fully authenticated official SSL cert because he now owns the domain.

   Orig. Server <-- SSL --> MITM Server <-- SSL --> Client
The only thing that usually prevents this is that the MITM Server normally can't get an authenticated SSL cert for the domain and so the client can detect the fake cert.

If SSL worked like SSH then your browser would whine that the cert changed but the browsers currently don't do that. I think even convergence (http://convergence.io/) wouldn't detect this case because it looks to the outside world to be totally legit. Scary.

But I was told that Chrome will protect me and I don't need to whitelist content.

Problem goes beyond just css-tricks.com. I've been following David Walsh for a while, and apparently his domain has been nabbed as well, along with DesignShack.net, SohTonaka.com, and InstantShift.com


It also happened to mckmama.com (a crazy popular blog my wife follows who couldn't believe that domain hacking was even possible anymore.)

The more interesting aspect was that since mobile nameservers are slow to update, the site worked on her phone still. That lead to the lovely "Where does DNS come from" conversation we all have with our loved ones eventually:)

I thought something weird was going on since the sohtonaka.com domain is available when I checked at namecheap.com. Then I noticed that both the tweet and the above message misspell sohtonaka.com - it should be sohtanaka.com.

Judging from the comments on his website, it sounds like everybody and their grandma hates GoDaddy. I've recently been looking into getting a domain name and starting a website, can anyone point me towards a more reputable site to acquire a domain and host a site? (Yeah, I know, I read HN daily, and I'm still clueless when it comes to actually putting up a website)

I've used and trust http://nfshost.com/ and http://asmallorange.com/

Big ones like MediaTemple and RackSpace seem good too. I used 101domain for international TLDs, not pretty but everything is going fine.

I can second Nearlyfreespeech. They've been great as my registrar and DNS host for years. I host on http://prgmr.com VPS.

Plus one for Nearlyfreespeech. Their shared hosting is pretty nice as well, except for the fact that they don't have mod_wsgi.

NearlyFreeSpeech is wonderful. I drive people to them whenever I can.

Along with being trustworthy and protective of their customers, their web panel is simple and no BS. I don't know how people put up with other registrars with their upsell-threw-up-all-over-the-page web panels. Even "good" ones like NameCheap are eyesores.

I hope NFS never lets me down, because I talk them up like they walk on water.

I've used Dreamhost for years. They really work for their customers. Over time you accumulate points that you can use to vote for new features (which I just realized, I have never done... so I should have a decent amount by now!)

Dreamhost is definitely fantastic for customer support, but after a recent email exchange, I learned that they don't have a timeline for when they'll upgrade their password system, which does not use one-way hashes. Password reminder emails contain the password in plaintext. If you're reading this thread and are concerned about domain security, I'd suggest looking somewhere other than Dreamhost for the time being.

I just recently found out that dream host stores it's passwords in plaintext! I'll probably be looking to transfer away from this simply for that reason. If you haven't set your panel security to use email confirmation to let new IP addresses log in, I would strongly recommend it.

Wow, that's horrible. I wasn't aware of that. I use them for hosting but I use Google Apps for email. I'm sorry for making a bad recommendation.

namecheap.com is good if you're looking for something cheap (e.g. you've got 50 domains to register).

Gandi.net is great if you don't mind spending $15 per domain.

NameCheap is good.

second that, been using them for the better part of decade, never any problems.

Me too. No issues after many years of namecheap.

Just to throw in a slightly differing opinion: I've been with Namecheap more than five years, and overall I've been very satisfied with them. However, I have had a couple of minor issues. Most recently, when making a minor change their support messed up something with my domain. They were slow to respond to my request that they fix it, and seemed far too confused about what was going on. The domain in question wasn't important to me, but if it had been I'd have been pretty pissed.

Another vote for NameCheap. Have had ~50 domains with them for nearly 5 years now, never a problem.

+1 for NameCheap.

(Not to beat a dead horse, but back when we could see the karma numbers for comments, it was possible to visibly "second" an endorsement comment by upvoting it, instead of posting separate +1 comments like this one ...)

Another vote for NameCheap. And to make this comment more useful...

I especially love how easy it is to transfer domain names between NameCheap users. I had purchased a domain name once with my personal account. Then I created a company and wanted the domain to be officially owned by that entity and not me. So I created another NameCheap account for that company, then transferred it over very easily.

Of course, it's possible other registrars offer such a frictionless transfer process between account holders too. I've only used NameCheap for this and can say I was pleased with the results.

+1 for namecheap

Also loving namecheap thought it sucks that they don't support all extensions, for example I have sampl.es which I cannot transfer from GoDaddy

Same here, although I've only been a customer for two years. Never had any problems with their website either, always fast and responsive.

I recently switched over all of my domains from godaddy to hover.com, and I have been pretty happy with them.


Seconding the recommendation for gandi. They have very strong policies in favor of the domain owner. They also provide nice services such as email hosting for your domain. I use their server hosting as well, which works quite well, though not fast.

Also, they support quite a few good causes (https://www.gandi.net/supports/); they fund Debian's DebConf every year.

One flaw with Gandi's mail feature is that new accounts do not get wildcard accounts (forward all @example.com mail to.one address): you need to register each email address you want individually. Apparently they couldn't handle spam filtering.

Easy enough to move to Google Apps and use their wildcard option.

I'm usually a tight arse but in the case of gandi.net, I have no problem paying a premium so I don't have to put up with all the bullshit that customers of other registrars have to put up with

This may not be suitable for everyone, but I've been recommending Blacknight ( http://www.blacknight.com/ , affiliate linkage: http://tracking.blacknight.com/aff_c?offer_id=5&aff_id=6... ) for quite some time.

They're an Irish hosting and domain name provider, and have a great name, a great support team and are a genuinely pleasant company to deal with.

(Disclaimer: I don't work for them, but do know 1 or 2 employees there. Also, I pasted my affilate link above)

edit grammar

I've used Blacknight.com for over 3 years and have found them very responive

I use dynadot as a registrar (couple of years). They have been good. Never used them for hosting actual sites though.

I used markmonitor at a previous gig (requirement of a parent company) and they were good, but a bit expensive.

When I researched what domain provider to use this summer I found many good words about EasyDNS. I’ve only used them a half year, but I am really happy so far.

I love EasyDNS for domain hosting. I can't quite bring myself to use the same company for DNS hosting and registration; I've used Dotster as a registrar since the 90's.

You couldn't pay me to use huge, inept outfits like GoDaddy or Dreamhost who compete primarily on price. I have a similar, though evidence-free aversion to companies which put words like "cheap" in their name.

Namecheap is a pretty terrible name, and their site doesn't look great either. Still, the service is solid. Add me (five years, a handful of domains) to the list of satisfied users here.

I have used Dotster for quite a few years also. I have zero complaints with them.

Is there a reason you avoid using the same company for hosting and registration?

One thing to note about EasyDNS is that last I checked, glue updates require human intervention, and IPv6 glue is a good way to confuse the humans on the other side of the support channel. If you don't use glueful delegations, then you probably don't care, but this is the sort of thing that's harder to tell upfront.

Thought I'd mention softsyshosting.com. I've used them for a small IIS website, dataintegrationagent.com. Site setup was easier, and quicker than godaddy.com. They were also quick to answer my questions. I found that it was pretty difficult to find a place to host IIS websites, and I really recommend softsyshosting if your planing on using anything IIS related.

1and1 might not be popular here, but they're pretty cheap ($8.99 for .com), they have sales regularly and they throw in private whois info for free, plus your domain is locked down by default so the sort of thing described in the OP shouldn't happen.

Never had a problem with them in almost 5 years.

I've used them and didn't have a problem until I wanted to transfer to another domain registar. After painfully trying to find the transfer auth code and transferring the domain name, 1and1 continued to bill me for a couple of months. To their credit, they reversed the charges after I called them - but that didn't leave me with a satisfactory experience.

I can understand why a company might want to make it painful to leave their service, but continuing to bill me points to either incompetence (some bugs in their billing system) or a malicious act (doubt it though).

But otherwise, yea, a nice & cheap service.

One problem with 1and1 is that when your domains are about to be autorenewed, you don't get an email notification till the day of. I prefer registrars that give a few weeks heads up on that so I can cancel the autorenew if I want to let the domain expire (even GoDaddy gives advance notice).

Likewise, I've had a good experience with 1and1 for something approaching a decade. My GF and I have a couple dozen domains. Whenever she has a new creative idea, she gets a new domain.

1and1 is a terrible. Please do not listen to individual accounts of 'no problems'. If you do have a problem, you will be in trouble. 1and1 is a giant company that makes money by quantity, not quality. In other words, the majority will have no problem, so let's have millions of customers and screw those that have problems. Again, there's too many other good companies to use such a crappy company.

I've tried a few, have to recommend internetbs.net The website might seem pretty crappy, but they have really good customer support, plus the best API I've found. If you're looking to register domain names programmatically, definitely check them out.

I use dyndns for both the registration and dns serving. They've always been good to me.

Namespro.ca have excellent service and "not bad" prices. Highly recommended.

P.S. And yes, I despise GoDaddy with every molecule of my being.

Hover.com is awesome and they have actual friendly, knowledgable humans that answer the phone.

I've been using Domain Discover and I haven't had any problems.

I have been using NixiHost.com for a few years without issue.

I've never had a problem with Name.com.

name.com has been pretty good for me for the past few months. Very easy to use.

Also: Don't get a .com/.net domain name. You don't want the US government declaring your domain to be evil and taking it off the 'net.

I used name.com for a website once. I used them for my DNS also (because I don't know how to set up a separate DNS) and they parked there own auto-generated crap at everything except the www subdomain. Apparently, if you are savvy enough to set up your own DNS this isn't a problem, but I wouldn't use them because of this.

I think if you set up a wildcard *.mydomain.com rule to forward to your domain, you won't see their stuff.

I'm not quite sure what you mean (though I'm not arguing). I set up my own DNS manually.

Create a rackspace cloud server, grab that IP and use it in an A record on name.com.

If you're using name.com's DNS, then they've basically got a wildcard subdomain that points to a spammy domain-parked page.

So, say you have valid records for .yourdomain.com and www.yourdomain.com. Those two hosts will resolve as you would expect them, but *.yourdomain.com will resolve to a spam page.

Wow, that's pretty evil. I definitely won't be using name.com (I've been happy with Dreamhost as a registrar for years anyway, but would be interested in trying someone else in the future). Thanks for the heads up.

So, if a user came and visited my site, which was www.zideck.com (It's not there any more), they would see my web page. If they were to visit http://zideck.com they would see auto generated spam garbage that said stuff like "What you need, when you need it." In fact, ANY subdomain would result in link spam trash.

Thanks for the tip on setting up DNS. If I create a rackspace cloud server, I imagine there is something special I have to do to make it a DNS server, right? Does it just work straight out of the box?

Wait, I thought .com/.net (among others) were generic TLDs governed by ICANN? I would assume .us might fall into this warning (as would other country code TLDs), but .com and .net?

What matters is whether or not the operator of the TLD is within US jurisdiction, not the purpose of the TLD.

So, in that case, the FBI could seize any domain as long as the operator is within US jurisdiction?

Yep, pretty much.

Not exactly fair, but that's the current 'system'..

Yes, and be aware the operation of a lot of ccTLD's are outsourced to companies outside the country in question.

I don't know that much about how many are or aren't operated out of the US, but most of the generic TLD's are, and several ccTLD's definitively are too - for example .tv and .cc are operated by Verisign, and .co is operated by Neustar.


Thanks. I still have a question, though: if the FBI can seize these domain names, does that mean they can seize any domain names? I'm a little fuzzy on the control/management scheme here.

As anyone has said elsewhere in this thread, all they are doing is strongarming the administrators of the TLDs that operate primary offices inside the USA to alter the DNS entries for specified domains they feel are being used to break the law, because that is their jurisdiction, and prevent the owner from being able to change it back.

One of the more controversial parts of SOPA is the ability of ICE/Customs to be able to "un-resolve" domain names under other TLDs and country codes. Since the USA does not have jurisdiction over Russia (as an example), there is no current way to block a filesharing or spammer operating with a .ru address without having a partnership with Russia. This aspect of SOPA would allow the USA Government to block all domain name servers from resolving that address properly, by basically poisoning the legitimate DNS entry with one that resolves to some landing page operated by ICE. They won't be able to seize the domain, but they'll make it just as worthless to anyone inside the USA.

You're right. Anything governed by ICANN. And I'm not agreeing or disagreeing about the control issue just pointing out the for example .org .us .info etc. would be in the same boat.

I don't agree with what you are saying but more importantly the same is true for .org .info .us and any tld overseen by ICANN.

On that note, does anyone know what's the case with .eu? Can ICE do the same as they've done with .com/.net?

We use Network Solutions as our registrar for our "valued" domain names, and name.com or godaddy for everything else.

NetSol provides pretty good validation and security options for so-called "VIP" customers, but it's not perfect.

The next step up is paying exorbitant fees to a company like MarkMonitor for domain name management services. This is what the "big boys" tend to do.

Is NetSol still "reserving" any domain name that you search on their site (http://blog.domaintools.com/2008/01/network-solutions-steals...)? I swore I'd never go back there after that practice - and fortunately there are still enough better alternatives that I don't plan on it.

The only way the domain would be able to be moved from Go Daddy would be if the person stealing the name had access to the account, that's the only way to request the transfer authorization / epp code. Their support requires either a pin or last 6 of a CC used on the account to validate callers, if you can provide that they'll update the email on file and help reset the password, but he said his account email is unchanged. So the person taking the name would either have to know the account password, or have access to the email address on file where the reset requests are sent.

Given that this would have to happen from inside the customer account, I can understand why Go Daddy would want to confirm that this was indeed a nefarious act and not something like a domain being sold, transferred, then reported stolen to keep the cash and get the domain back. Or any number of other scenarios one might think of - shady domain stuff happens a lot. I can only imagine the hoops required to jump through for a registrar to get a domain back from another registrar under these circumstances.

"The only way the domain would be able to be moved"

Not sure that's the only way. That's like saying the only way you could get credit card information from Sony's playstation servers was if you worked in Sony's billing department.

Not saying this is necessarily a hack, as it most likely is insecure practices on the part of the user, be it passwords or phishing. But seeing a cluster of them raises some concerns that it could be some otherwise unknown method.

Thanks, I agree, 'the only way' is probably too absolute a phrasing.

I do wonder if the reason we see clusters is because they are the largest, and arguably the most publicized, registrar in the U.S., and in terms of market share, the world.

He said on the page that it apparently involved a Gmail hack of some kind, so even if it's not "the only way", it sounds like it was how it was stolen in this case.

There are a lot of posts blaming GoDaddy. Did anyone read the post by David Airey, linked in the article? The reason for his lost domain was that his Gmail account was hacked. The attacker performed a "legit" domain transfer through his registrar. It wasn't the registrar's fault, in this case. The only blame you could place was that perhaps the registrar didn't have enough security check points.

GoDaddy is certainly annoying with their obnoxious web site and sometimes, their tactics, but this could be another email-hijack attack.

One more great reason to set up two-step verification for your Gmail and Google Apps accounts.


I came here to say this, so thanks for saying it for me, calvin. Anyone reading on HN should probably set up two-step verification on their Google accounts.

Also, you should NOT have Gmail open while surfing the web. I won't even visit a link emailed to me directly. I'm either reading email or surfing, but never both; all private data gets wiped between sessions. Sure, it's a bit paranoid, but it eliminates quite a few attacks and opportunities for social engineering.

I've yet to do this. Reason being I wonder what will happen if I lose my phone...

Is there a way to set up two-step without a phone?

Google provides a set of numerical codes for you to print out and store in case you lose your phone. They're all one-time use, and allow you to get in and change the settings.

Does that mean that if ANY of them are used, the rest are invalidated? Or just that any one of them may be used once?

You get 10 codes per generation(and can regenerate them whenever you want), and each code can be used once.

You can use an alternate number to have a text message sent to you and there are printable one-time pads. The one-time pads have come in handy for me, because I always let the battery on my phone die.

The recommended way is to use the Google Authenticator app - available on Android, iOS, and BlackBerry devices - doesn't require an Internet connection, mobile service, or a data plan to generate verification codes.


I'm using it on my iPod.

In addition to the one time pad, you can specify other phone numbers. The system will call these phones and read the code aloud.

Perhaps it is domain registrars that need to implement two-step verification before transfers. It would be such a labour-saving move, and potentially safe so much time resolving disputes. Just offer people to "lock" their domains to be unlocked with a mobile phone number.

It would be a simple twillio app.

Yeah i am thinking this too.

I mean a day or two ago Gmail was showing and promoting users to enable 2 step verification because thousands and thousands of gmail accounts are stolen everyday (something to that extent).

Big fish are big targets and gmail like godaddy and bank of america may no longer be safe and or wise to maintain your businesses with!?! I have had issues with all 3 mentioned.

Yeah i am thinking this too.

I mean a day or two ago Gmail was showing and promoting users to enable 2 step verification because thousands and thousands of gmail accounts are stolen everyday (something to that extent).

Big fish are big targets and gmail like godaddy and bank of america may no longer be safe and or wise to maintain your business with!?! I have had issues with all 3 mentioned.

This makes me worry about my own domains. I have about 180 domains with GoDaddy (all registered for various projects -- I'm not a squatter). I wish there were a tool that would verify that they're all still registered under my account at GoDaddy. Especially since the "new owners" seem to keep DNS records the same.

I transferred all my domains to moniker.com and have an account rep that calls me if any odd activity occurs. I doubt this would happen with them. They allow you to lock down your domains so that it requires offline authentication to move them. Been with Moniker for 4+ years.

Another vote for Moniker. I transferred everything from GoDaddy to Moniker a couple years ago after GoDaddy pulled some other asinine stunt.

Problem with moniker is poor security, they have no protection against bruteforcing. You can endlessly try to login to an account, which isn't necessarily a problem for people with a secure password but it does open up my own concerns about poor security elsewhere...

How long did the process take, and did this create any issues with live sites?

"all registered for various projects -- I'm not a squatter"

One of the reasons domain prices are low is that people register domains they are not using.

Just like they buy books they don't read. Or buy jewelry they don't wear. (And yes bring on all the replies about the differences that you want but keep in mind the time you picked up the last item on the shelf at the drug store that maybe someone else had a greater need for down the road. Or took the last seat on an airplane.)

No problem with buying domains and letting them sit there until you decide what to do. No problem buying domains that you think you could sell either, in general. As much as this might piss people off who feel the domain should just be there ready when they want it.

Squatting would be registering a domain that specifically (edit: and reasonably) belongs to someone else. Say you hear the local pizzeria opening is called "xyz pizza" and you register "xyzpizza.com". Despite what the media and all the typical articles say about this.

By the way when you say "all registered for various purposes" there is no qualification about what the purpose is so essentially some people would define you as a squatter depending upon the way they see this issue.

I think the accepted definition of a domain squatter is someone who registers domains with the intent of flipping them for a profit. This is more broad than "specifically and reasonably belongs to someone else" since you could merely be speculating that someone, at some point in the near future, might want to open a shop called "XYZ pizza", but still doesn't include pud.

"domain squatter is someone who registers domains with the intent of flipping them for a profit"

Not true. See this:


(The definition I gave is actually more broad.)

Legally that may be what domain squatting is. However, colloquially, domain squatting means registering domains that you don't use just so you can sell them again for profit. While there may be no legal recourse against such domain squatters, most people would still consider it domain squatting and ethically dubious.

"colloquially, domain squatting means registering domains that you don't use just so you can sell them again for profit."

I agree that you are right with that statement. I don't agree that people are well informed about this enough to know that that the statement is wrong.

That belief is something that comes from the days of a few bad actors (panavision and mtv domains come to mind and some others) that made the practice which is now called cybersquatting what it is instead of what it should be based on. And by the way even the current definition was shaped by Intellectual property lawyers as a totally one sided law brought about to protect the interests of a certain class of owners. (As was UDRP process for that matter).

But yes that is the uninformed view of most people. Just like many ordinary people associate the word "hacker" with "bad" and not "good".

As has been pointed in another reply, people buy things all the time with the intent to profit from the sale of which they do not use. Since the beginning of time this has not been a bad thing. And why should it be? (Not to mention the fact that there are alternative TLD's it just happens to be that .com is the ubiquitous one.)

It is generally considered a bad thing to buy things that you don't intend to use, add no value, and sell them at a markup merely due to the fact that they are scarce (artificially, because you bought so many and are controlling the market).

It is considered to be good to buy things that you don't intend to use to resell them if you are adding some kind of value in the reselling; for instance, people who have a local retail store, who are adding the value of being close and convenient, rather than having to go all the way to the producer.

Domain squatters are adding no value. If you just buy a whole ton of domains speculatively, and then sell them off at high markup because so many domains are gone that it's impossible to find good ones, you are adding no value, you are only taking advantage of an artificial scarcity for your own profit.

We have plenty of other negative words for this kind of behavior in other domains. Ever heard of a scalper? There is really no significant difference between a domain squatter and a scalper; they are just people who induce artificial scarcity and use that to run a profit without actually adding any real value.

i fail to see the ethical dubiousness, though. people who can afford to buy land they don't build on are (in most cases) not doing anything unethical. for lots of arbitrary reasons domains are a limited resource. that could change but as it is, domains are like NYC cab medallions. there could be a very legitimate argument that they shouldn't be so scarce, but they are, and owning one is a good, somewhat risky investment. i don't see the difference between owning any of these limited resources with the goal being future sale and profit.

Most types of investments are either beneficial somehow to the market or economy - investing in the stock market is said to promote liquidity - or at least neutral. Domain squatting benefits only ICANN, and on the other hand is actively harmful to people trying to do interesting things with domain names.

Since practically there are a finite number of domain names available, wouldn't every registration increase the scarcity in the market, and thus raise prices?

At least in my own experiences, I've never seen a domain sold by a private party for less than 5x the typical price from a registrar. This would raise the average price of domains, not lower them as you suggest.

"finite number of domain names available"

It has definitely raised prices for a name that would be known in advance to be valuable. No question there. But the increase in number of people registering multiple names has supported a reduction in price.

The actual number of names, (not taking into account putting a dash in one or more places and the fact that there are only a few 1 letter names that aren't blocked and some other stuff) is approx 26 to the 63rd power.

1.3909801171074219559097425909479540384265584214249033... × 10^89

While that's finite it still a huge number of possibilities. (Like ipv6)

I have in my hand an invoice dated 1999 (my earliest domain was '96) and the charge is $70 (for two years). Before that if my memory is correct the price was $100 for two years. Before that the price was 0 (yes 0 when there were so few takers).

It's a little chicken and egg but the fact that a high volume registrar (like godaddy) registers so many domains allows them to make so little per domain. (Actually that's not entirely true they also make money by selling you things you don't need but that's a entire separate subject.)

So the bottom line is this. If you look at the registration activity speculators and non users of domains drive up registration volume greatly. But of the names they register, only a small percentage of those have anyone interested in buying at any price. So in the end the fact that they do what they do drives prices down for everyone.

Edit: Although I agree that's little consolation if they have the domain you want. But there is certainly no guarantee that the name you want wouldn't have been grabbed by someone before you anyway, right? (See woodrich.com below)

For example, the following are all available at a low low price:




But not "woodrich.com" (registered in '96)

"One of the reasons domain prices are low is that people register domains they are not using."

Reverse causality?

    I wish there were a tool that would verify that they're all still registered under my account at GoDaddy.

pud, we've talked domains before, through a mutual friend Jay W. Anyway, call Godaddy and ask them for an executive lock on all your domains. Also ask for an executive account rep. Once you have both of those, Godaddy actually calls you and your rep will request a pin number of you. Your names will only move if you give them permission to move. Other registrars have this level of security too. Hit me up if you want a referral to a good rep over there.

Quantcast uses MarkMonitor [1]. I bet it's expensive, and I have no idea how expensive, but you can configure your domain such that changing any registration information requires a phone call to a short list of people (ie CEO, CTO, or head sysadmin) and security codes. If your domain is important, it might be worth it.

Also, godaddy just got private-equitied, so it's going to be extra shit as they ruin the company, pay themselves an enormous fee, and sell it to the next greater fools [2].

[1] https://www.markmonitor.com/services/domain-management.php

[2] http://mashable.com/2011/07/02/godaddy-sold/

I use this and it's free and so far it's worked pretty quickly when I renew/transfer a domain intentionally : http://www.domaintools.com/monitor/domain-monitor/

Here's another tip when dealing with registrars that really relates to dealing with any business or person when in this situation.

People have much discretionary power to help you depending on how you treat them. While there are many people who get their way by instilling fear my personal belief is that you get more by being nice to people and making them want to help you (and this has always worked for me).

So when you have a problem with your registrar or hosting company or a meal at a local restaurant don't go off on a rant and tell them

a) It's their fault

b) They suck

c) you will never use them again

d) You will tell everyone a&b&c

(Did I forget anything?)

This will only make them defensive and will alienate them and get them to form a wall.

I'm not saying to not point out some truths about what happened. But do it in a way that makes them think you will be a happy customer if they manage to help you. Edit: And you still love them.

Yes, you are right - unless they are a service-oriented company, in which case, they will jump through hoops to make it right for you, no matter how surly you are when you present your issue.

In case the nameservers actually update:

and if it updates add this line to /etc/hosts: css-tricks.com

I think I got that right. :)

Why is all the blame being put on GoDaddy here? The problem is that his email account was compromised. Once that happens, it's game over. Everything online linked to that account is likely up for grabs at that point.

Use two-factor auth on your Google accounts, people.

How does this look specifically with Google?

Two factor auth? You just go into your account settings, elect to turn it on, it'll have you install the Google Auth app on your phone and scan a QR code, which configures the app. Then, when you try to log into your account next, it'll ask for the code generated by the app.

The authenticator itself is just HMAC-OTP with the seed as the current time quantitized to 30-second intervals. Very straightforward.

Also to use google services that don't support it (or can't, e.g. Smtp with gmail), you can have google generate a new "throwaway" password which it will display for you one time.

It was pretty straightforward and actual kind of fun to make the switch.

With the number of domains that are being discussed here as recently stolen (seemingly all from GoDaddy), I think we need some answers. How did this happen? GoDaddy account hacked? GoDaddy account social engineered? GoDaddy internal systems compromised? GoDaddy - person on the inside? New flaw/hack in the ICANN registration methods?

They don't seem to have an active Twitter account. Just sending an email through the contact form for now.

Wait, what? Since when is twitter a replacement for email?

Twitter often works better. The semi-realtime nature of the system means responses often come faster, worthless autoresponse systems haven't found their way onto Twitter yet, and the public-ish nature of Twitter means the other side is somewhat under a spotlight and this often improves their behavior.

Obviously, it depends on the situation and the company, but Twitter can be a great way to approach some places. For example, if I was having problems with Comcast's phone support, I'd rather tweet @ComcastCares than figure out how to e-mail them.

Since major corporations started having turnaround times of minutes when contacted in the public manner that is Twitter rather than days, weeks, or never.

I second what mikeash said about Twitter and I'd add that because of the nature of Twitter you'll be posting a support inquiry publicly (I doubt many DM's get sent) which makes the company want to resolve the issue and in the process make themselves look good.

It's like publicly saying "hey, we're a company that takes support seriously, just look at us being helpful". There was a great post on HN a few months back about a guy who got a steak delivered to him when he arrived home from the airport from his favorite restaurant because he tweeted something about really wanting one of their steaks before his flight departed and he mentioned them. The company had followed him on Twitter, knew he was a loyal customer and went the extra mile to personally deliver the steak when his flight landed. I always think of this story when I think about customer service for my own company.

The point is that Twitter's public nature can make or break you as a business and smart businesses know how to leverage that power for positive PR.

I'm curious to know if the domain was in REGISTRAR-LOCK at the time. According to GoDaddy's policies, they relock after 30 days, so it's likely it was locked. http://help.godaddy.com/article/410 (obviously an outside domain transfer is not the only option for takeover)

heh, this happened to us a month or so ago. we even got a ransom note!

(TLDR: godaddy eventually came through for us)

That ... sounds ominous and fascinating. Would you mind writing about your experience?

That was basically it, for the most part. I wasn't the one handling it, but essentially the guy was trying to get some of our server configs for some reason (I work on Postmark). We filed an FBI report and went back and forth with GoDaddy until they got our domain back a week later.

So not really as exciting as Hackers, but sort of.

If a business is unwilling to release information to you per a standard request, look into filing a lawsuit and submitting a subpoena.

Even discussing that option with them may get them to disclose. Lawyering up sucks for businesses as much as it does for you.

IANAL / IDEPLOTI, you may want to chat with one or several or even just find folks who've disputed stuff themselves.

Additionally: register complaints with any and all consumer protections services: BBB, chamber of commerce, your state's attorney general's office, etc. And post to HN (OK, check that punchlist item).

Godaddy stole phpiseasy.com from me too. Not sure who to trust anymore

I moved my domains away from GoDaddy primarily because I grew tired about all the desperate upsell spam they sent me ALL THE TIME.

Secondarily I moved because they are so big that if anything happens to my domains the chance I get to speak to a reasonable person are practically zero.

Find a smaller registrar, make sure you can get proper support from them, then move your domains there.

(Recovering a domain you have lost is orders of magnitude more expensive than taking steps to reduce the chance of it happening in the first place)

I remember reading about this happening to a few other design blogger websites over the last few weeks. I'm still trying to wade through the "I hate Godaddy" posts to find if anyone has any idea why this might be happening. I'm guessing weak passwords.

I waded through most of it and it seems as though the domain owner's email was broken into which then allowed the thief to begin the transfer process. So from what I'm reading here it actually wasn't GoDaddy's fault but just another Gmail account broken into.

I hate GoDaddy more than probably anyone here but it looks like their upselling and bad design didn't cause this one. Rats! I really wanted another excuse to talk shit about GoDaddy.

Here's what we know: Their GMail accounts are the common thread here: even Kirupa posts his addy with @gmail.com.

And we know that hackers have been all over Gmail. So obviously they got into their account. Their account probably had links to the registration... or they tried the same password, who knows.

But now they have them. I think the important thing is that the new 'Registrants' return them to Godaddy.com right now. They are trying to say that these people have to prove fraud?

That's ridiculous. With easy to provide proof, get them returned.

Also don't use GMail for important stuff... maybe your own mail server? One that you harden yourself? JK!

Would locking your domain name at GoDaddy help?


I am just wondering for my personal info, I have lots of domains hosted with them

I mostly use Google Apps with enom, since it gives me the domain + email & all other google apps goodies "for free".

That said, I want to move a few domains away from GoDaddy but I am a bit confused how to do it the right way. Anyone have a good order-of-events list? I'd hate to lose the domains over a technicality when transferring. [edit: misspellings]

Seems there is no idea how it happened yet. Perhaps a weak password... so weak that it was easily guessed? That would be my first bet.

This is scary, I have all my domains with godaddy!

First line: "... GoDaddy".

Laughed and closed the page. Even if it's not their fault for the original transfer, the headache of support is on you.

edit: Sorry you don't like to hear it? You get what you pay for, and you get what deserve for not shopping around and just going with the brand name that stuck because their CEO shot an elephant.

Once it's transferred away, GoDaddy has no power over it. Even the best support team can't do anything more than "give it back, please, new registrar".

I upvoted you but that's not true. The best support team can get on the phone with the other registrar and do something. They don't have to but they can. But sure they can just as easily go for the low hanging fruit.

As a registrar we have access to exclusive contacts at other registrars as well as in many cases personal relationships. If we want to help you there is plenty we can do. Yes in the end it's up to the other registrar. But there are professional courtesies as well and other ways of getting things done.

In no way have you disagreed with me. You just reworded my "Even the best support team can't do anything more than 'give it back, please, new registrar'" statement.

larrys' point is that there's a difference between begging the other registrar and using professional connections to ask for favors. Your original comment implied GoDaddy could do nothing the previous owner of the domain could do when that's not the case.

could it be related to this:

"After a series of one-sided hearings, luxury goods maker Chanel has won recent court orders against hundreds of websites trafficking in counterfeit luxury goods. A federal judge in Nevada has agreed that Chanel can seize the domain names in question and transfer them all to US-based registrar GoDaddy. The judge also ordered "all Internet search engines" and "all social media websites"—explicitly naming Facebook, Twitter, Google+, Bing, Yahoo, and Google—to "de-index" the domain names and to remove them from any search results."


Except... the domain was transferred AWAY from GoDaddy.

You think Chanel cares about a web design website called CSS-Tricks?

Absolutely not related. I truly hope you made this comment out of pure and sincere ignorance. This isn't a story about rights being trampled on no matter how hard anyone may try to frame it that way. This is just another case of someone getting their email broken into and the byproducts of that break in which in this case was a stolen domain.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact