If you read through the comments there's a lot of angry users demanding refunds and questioning the service. There's a fair chance that they won't be able to bounce back after this. Especially if the domain doesn't come back up within a day or two.
In other words, this might very well kill a company that someone worked hard to get off the ground. And if you have any user-generated content it might happen to your company too. Apparently without due process, and without warning.
This is why the Pro IP Act from 2008 needs to be repealed as soon as possible. It's worse than SOPA for Americans because it can pretty much do all SOPA could do, but for domestic domains (.com, .org, .net, .us) rather than foreign ones. The Pro IP Act managed to pass by us just like SOPA almost did it, too.
Those comments really got to me too. What really struck me was that they seemed to be angry at Jotform! These angry users are talking about security too as if they were attacked or something. I really feel for the users but at the same time I'm angry at them for placing the blame where it doesn't belong. Instead of being mad at Jotform they should be mad at the government.
A while back I was advocating that we reach out to such people and explain this SOPA censorship stuff in a way they understand and this is precisely why. SOPA's supporters have done a really great job of training regular folks to think like some of these angry users making them think that somehow it was Jotform that did wrong. If they only knew how totally arbitrary this stuff is I think they'd be mad at the Feds like they should be.
It's so sickening that the government probably just hurt not one but maybe thousands of companies in one fell swoop and everyone's pissed at the wrong guy. Then the politicians want to go around talking about creating jobs... Ha! How about destroying them? That's what it looks like to me.
Why shouldn't they be angry at jotform? It looks like they had no expedited process for reporting phishing forms which had to have been a known risk somewhere around #1 on their list of known risks, they actually made it easier to go upstream instead of searching for their contact page (only linked in the footer) and hoping someone replies today.
Did they have any automated detection? If they didn't have a "report a bad form" button then maybe they didn't even try and find bad forms ... like anything with a sign in button or password field. 2 million forms is too many to inspect, but you could narrow that list down very easily.
What happened to them sucks but it seems like the problem could probably have been avoided.
Edit: it let me make a form with "Account number" and "Password" complete with emailing me what people put in it which is suggestive of no preventative measures at all.
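The narrowing-down suggested in the comment above (password fields, sign-in buttons, labels such as "Account number" and "Password") can be sketched as a pre-publication screen that queues matching forms for manual review. This is an added example, not part of the thread and not JotForm's code; the term list, function names and sample forms are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed term list; a real service would tune it against its own abuse reports.
CREDENTIAL_TERMS = re.compile(
    r"\b(password|passcode|pin|account number|card number|cvv|ssn|"
    r"social security|sign in|log in|login)\b"
)
TEXT_TAGS = ("label", "button", "legend")


def _normalise(text):
    """Lower-case and collapse punctuation so 'Account_Number:' still matches."""
    return re.sub(r"[^a-z]+", " ", text.lower()).strip()


class FormFieldCollector(HTMLParser):
    """Collects input types and every string a visitor would read as a prompt."""

    def __init__(self):
        super().__init__()
        self.input_types = []
        self.texts = []
        self._depth = 0  # >0 while inside a label, button or legend

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input":
            self.input_types.append((attrs.get("type") or "text").lower())
            self.texts += [attrs[k] for k in ("name", "placeholder", "value") if attrs.get(k)]
        elif tag in TEXT_TAGS:
            self._depth += 1

    def handle_endtag(self, tag):
        if tag in TEXT_TAGS and self._depth:
            self._depth -= 1

    def handle_data(self, data):
        if self._depth and data.strip():
            self.texts.append(data)


def screen_form(html):
    """Return the reasons a form should go to manual review (empty list = pass)."""
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    reasons = []
    if "password" in collector.input_types:
        reasons.append("input type=password")
    # Labels are checked too, because a credential prompt can use a plain text field.
    hits = {m.group(0) for t in collector.texts
            for m in CREDENTIAL_TERMS.finditer(_normalise(t))}
    reasons += ["label: " + h for h in sorted(hits)]
    return reasons


# Constructed sample forms.
BENIGN_FORM = """<form><label>Your name</label><input type="text" name="name">
<label>Email</label><input type="email" name="email"><button>Send</button></form>"""
SUSPECT_FORM = """<form><label>Account number</label><input type="text" name="q1">
<label>Password</label><input type="text" name="q2"><button>Sign in</button></form>"""
PASSWORD_FORM = """<form><label>Secret</label><input type="password" name="pw">
<button>Go</button></form>"""

if __name__ == "__main__":
    for name, form in [("benign", BENIGN_FORM), ("suspect", SUSPECT_FORM)]:
        print(name, screen_form(form))
```

A screen like this only shrinks the review queue; legitimate login or membership forms will match as well, so a hit should route to review rather than trigger automatic suspension.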
GoDaddy's actions don't cancel it out because ignoring or not adequately preparing for phishing was wrong every single day and a foreseeable problem for about a decade now. They had a responsibility to prevent this for their paying users.
Maybe it wouldn't have saved them, but there are a lot of free-x-hosting companies out there that haven't been shut down in spite of abuse.
This isn't really some unforeseeable edge case that nobody could have reasonably expected to happen - their site lets you build a form, embed it on a page, and they either email or save the form data for you. Not anticipating phishing would be fine if it was 10 years ago.
benologist please stop trying to make it sound as if there is any dependency between your 1 and 2.
How can anyone who has ever used the Internet or has even a basic understanding of the Domain Name System believe that it is a registrar's right or responsibility to take down a domain, especially without notice, and that does nothing to contravene the conditions of owning that domain name?
I wouldn't even say you are beating a dead horse with that dependency. It was never a horse to begin with!
The blame obviously lies squarely with the US federal agencies - you do not see this happen in other developed countries, for example (UK does not count since it's a US colony in all but name).
In particular, to be able to shut down or ruin the reputation of a business at the drop of a hat due to alleged breaking of the law - not even by the business itself - before it has even been processed by the justice system!
Just imagine if this had been a takedown of Google, Microsoft, Apple or Facebook site, all of which easily meet or have met the conditions for alleged infringements of US IP or other laws at some point, if for no other reason than hosting user-generated content...
You misread what I'm saying. Jotform users deserve to be angry about this situation which in the last decade has been successfully avoided by many free-x-hosting companies who actually prepared for obvious problems.
Do you think this would have been averted if they took all the measures you are proposing? There are no set guidelines here according to which the government is taking down stuff. This is not DMCA related to create a process to take down stuff. Even if they could not find the contact page, taking the whole website seems to be a ridiculous thing to do.
I think things like this will make websites with user-generated content move away from .com domains and even move into countries where there is more due process to things like this.
The same risk existed last year alongside the many exploitable-by-phishing flavors of hosting. Although this wasn't even a domain seizure, this is just an overzealous domain registrar which has also, always, been a risk to web services.
I'd like to think that this is still a free country, and that there are some companies that still act as though we live under the rule of law, rather than automatically complying with every whimsical demand our government agencies dream up.
Even if it's not. Bail from Godaddy.com. Seriously. Granted the same problem may persist given that .coms have a US based organization that governs them (I think). Nonetheless, this is the exact same godaddy.com that supported SOPA. There have been so many forks in the road where the obvious choice was to bail on GoDaddy.com. Yet, they stayed and here they are.
That's not a very solid argument. GoDaddy sucking is beside the point here. I doubt many if any registrars would refuse the government like that. But even that's beside the point.
What the real issue here is, is that law enforcement pretty much busted in and took down a domain name without warning. They shot first and asked questions later. Jotform is a legit site, not even close to dubious like some others where you can actually argue that they might have been knowingly violating copyright and such. This is scary stuff. There was no due process, no warning, nothing. They just did it. It's proof that any more laws giving the Feds power to take down sites is totally superfluous and unnecessary as it's already happening in a very public way.
You don't get mad at the company for not switching registrars (even if they are a douchey one). Jotform could have been able to take care of this situation had someone just alerted them to the problem. No way is this their fault, especially not for the reason you put forth.
Here is a chrome extension that notifies you if the domain you're on is registered through GoDaddy. Looks like it does an XHR request to who.is and then matches on:
This is a GoDaddy thing, plain and simple. They get one complaint--they shut your domain name down by changing the name servers to NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM and NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM. Exactly what happened here.
Seriously. I was prepared to be sympathetic until I saw GoDaddy's involvement. Jotform chose to use a despicable company with a long history of behaving in this way. They shouldn't be surprised when they're the next to get screwed.
They're trying to get sympathy from the internet by framing this as an example of SOPA-like abuse after they financially supported a company which supported SOPA. That shouldn't fly.
Heh, that was exactly my reaction. I was literally reading the statement out loud to a friend of mine as we talked about it and stopped midsentence and said "ha! godaddy. No wonder."
But that wasn't because Godaddy supported SOPA, although that does make me feel schadenfreude, it's because I used to work in the domaining industry. I honestly thought that even average web site operators with limited knowledge about registrars would know not to have your business domain on Godaddy. Even accounting for their scale there are a lot of shady episodes like this.
The SOPA part is just icing on the cake they were eating instead of doing their due diligence.
That's assuming your local jurisdiction has a spine. I have multiple .com and .net domains all done through Canadian registrars, for the sole purpose of not wanting to deal with the BS that is going on down south. If what I'm reading is true, they can be pulled offline whenever someone gives the word go and they're gone. I have no faith that the local courts will do anything of use, especially with the current government that we have. I'd be hard pressed to think of any western nation that would.
This is exactly what I thought. I think SS just emailed GoDaddy and GoDaddy just shut down everything.
Everyone is moving to different registrars, mainly NameCheap, I just hope they will be able to stand up for their users and ask for a court order. If other registrars start to shut down at the whim of the US Government, then we might have to move to registrars overseas. Unfortunately, that doesn't even seem safe to me, since there has been news of US pressuring other governments to put out SOPA-like laws. There is also the case of the British kid who was extradited to US.
Not saying this is what we would do (as a registrar) but an order from the government generally has a time stamp on it where you can verify the "order" and then comply. While I can't get into the time period allowed or any details like that I can say that it would be possible to alert the registrant and/or stall the request if one so chooses to do that. I'm not saying we would do this of course. I'm just saying that getting an order from the US Government, unless it appears on its face to be a true emergency situation, a registrar could always take the time to check with legal counsel.
And if it were a true emergency the Government would go straight to Verisign (for .com/net) and not even bother with the registrar.
I somehow have the feeling that moving out of GoDaddy won't protect you from any of this. Potentially the US "authorities" can take down your dot com domain (operated by Verisign), your hosting if in US, or maybe even prevent DNS resolutions to your domain inside the US (they can ask large ISPs to update their DNS servers). What you are left with is using a non dot com, non US hosting, and avoid having too much business from US customers. Then you might run into the same in Europe, etc. That does not sound like a good long term strategy.
Founder of JotForm here. I’d like to thank you all for your sympathy.
JotForm.com has been suspended by Godaddy for more than 24 hours now. They have disabled the DNS without any prior notice or request. They have told us the domain name was suspended as part of an ongoing law enforcement investigation. In order to resolve the issue, they asked us to contact the officer in charge at U.S. Secret Service.
When I contacted the Secret Service, the agent told me she is busy and she asked for my phone number, and told me they will get back to me within this week. I told them we are a web service with hundreds of thousands of users, so this is a matter of urgency, and we are ready to cooperate fully. I was ready to shut down any form they request and provide any information we have about the user. Unfortunately, she told me she needs to look at the case which she can do in a few days. I called her many times again to check about the case, but she seems to be getting irritated with me. At this point, we are waiting for them to look into our case.
Our guess is that this is probably about a phishing form. We take phishing very seriously. Our Bayesian phishing filter has suspended 65.000 accounts last year. We have been training it for many years, so it can detect phishing forms with great accuracy. We also take any reports about phishing very seriously and quickly suspend the accounts and let the other party know about it. By the way, we are also very serious about false positives. If we suspend an account accidentally, we will quickly resolve the issue, and apologize.
I believe this can happen to anybody who allows users to create content on the web. So, if you have such a business, my recommendation would be to make sure that you can contact your most active users quickly if your domain is disabled. Many of our users are shocked and angry at us. But, many also thanked us for quickly letting them know about the issue by email and providing instructions to continue operating their forms. Since DNS propagation takes some time, many active users were able to switch their forms to the new domain before it went down. We still have not contacted all users, we are sending emails to the most active users first.
What's happening to you is an absurd abuse of power. Call the EFF, get a good lawyer, and get in front of a judge as soon as possible. Call your senator, your representative, and the local media. Don't annoy the secret service agent who is destroying your business because it likely won't help.
Yeah, you need an experienced lawyer and you need to go after GoDaddy immediately. They are at fault here. The terms of any user agreement may be invalid.
Next, you need to spend 100% of your time raising hell about this. This story has all of the marks of stuff the tech press loves to eat up.
#1 Godaddy is run by a bunch of assholes who walk all over their customers' rights.
#2 The secret service is still full of a bunch of buffoons. These are the same guys that raided a roleplaying game company because they couldn't tell the difference between an imaginary game and a hacker manual. I'm sure the press would like to answer the question, are they still hiring FBI rejects?
You have to turn this story the other way around. You can make jotform a name people remember.
I've used jotform myself for quite some time (2 years or close to it?) It is a great service. Obviously you were doing nothing illegal, and were going to great lengths to stop the bad guys. That's a news story everyone wants to hear.
What if you give us the phone number of the agent in question?
Personally I think you made a horribly stupid decision to use GoDaddy, but it is what it is. Sounds like you need to launch a PR campaign about this.
Tell your customers to call the agent in charge. Tell your users to call GoDaddy to complain.
Put up a web page with a running ticker of how many people are getting their service interrupted because of this. Tell the world who is sitting on their hands while your business collapses. Call news stations. Put up a youtube video. Shine a light on this, don't just sit there hoping for an agent to give a crap.
Make this shit a bigger deal than the government and GoDaddy have made it. GoDaddy doesn't give a shit about your domain or your business. Make them give a shit. The agent in question couldn't care less about your troubles, their full time work is about making someone (hopefully the right person) miserable. You are just one more such person in the big stack. Make that agent give a shit.
I don't know much about your defences, but a good way of making your site less attractive to phishers might be to put an artificial delay in between when a form is submitted and when the owner can get access to the submitted data.
If that delay is longer than it usually takes for an abuse report to come in, and for it to be acted on, then it would prevent phishers from getting any data before the page is taken down. Maybe just do this for free users?
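The delay proposed in the comment above amounts to a hold queue: submissions become visible to the form owner only after a hold period, and anything still held is dropped when an abuse report on the form is acted on. This is an added sketch, not part of the thread and not JotForm's code; the class, the six-hour default and the free/paid split are assumptions.

```python
# Assumed hold: longer than the service's usual report-to-takedown time.
DEFAULT_HOLD_SECONDS = 6 * 3600


class SubmissionHold:
    """Holds form submissions until a release time; purges them on suspension."""

    def __init__(self, hold_seconds=DEFAULT_HOLD_SECONDS):
        self.hold_seconds = hold_seconds
        self._held = []          # list of (release_at, form_id, data)
        self._suspended = set()  # forms taken down after an abuse report

    def submit(self, form_id, data, now, free_tier=True):
        """Queue a submission; returns False if the form is already suspended."""
        if form_id in self._suspended:
            return False
        # "Maybe just do this for free users": paid forms are released at once.
        delay = self.hold_seconds if free_tier else 0
        self._held.append((now + delay, form_id, data))
        return True

    def suspend(self, form_id):
        """Abuse report acted on: drop everything the owner has not yet seen."""
        before = len(self._held)
        self._held = [h for h in self._held if h[1] != form_id]
        self._suspended.add(form_id)
        return before - len(self._held)

    def release(self, now):
        """Return (form_id, data) pairs whose hold has elapsed and forget them."""
        due = [h for h in self._held if h[0] <= now]
        self._held = [h for h in self._held if h[0] > now]
        return [(form_id, data) for _, form_id, data in due]


def simulate():
    """Constructed timeline: two forms, one reported before its hold expires."""
    hold = SubmissionHold(hold_seconds=3600)
    hold.submit("form-a", {"msg": "hello"}, now=0)
    hold.submit("form-b", {"field": "constructed"}, now=10)
    purged = hold.suspend("form-b")               # report handled at t < 3610
    rejected = not hold.submit("form-b", {"field": "late"}, now=20)
    early = hold.release(now=1800)                # nothing is due yet
    late = hold.release(now=3600)                 # form-a's hold has elapsed
    return purged, rejected, early, late


if __name__ == "__main__":
    print(simulate())
```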
Although this might prevent (a bit) that the phishers get the actual data and hence protect the victims, I am pretty sure that it won't cause any drop in phishing attempts. However for the legitimate users it will probably have a huge negative impact.
It's comparable to trying to stop spam in forums/blogs by disabling URLs in posts. Usually you'll get the same number of spam posts, but the URLs will be plain text.
Uh... I feel sorry for you guys getting abused like this, but.... Godaddy? You had to know you were putting your business at risk using this company. Did you save enough money to make it worth going out of business?
This is complete bullcrap! From everything I've read, Jotform polices itself and actively tries to remove illegal material. This is EXACTLY what Google does. However, you don't see Big Brother going after Google just because they did a search on child porn and some hits came up.
We are taught not to bully but this is exactly what the U.S. Gov't is doing. Mixed messages?
1. Identify all applications with user-generated content.
2. Move all associated domains to a non-US based registrar.
3. Migrate DNS, web serving and other critical services to non-US based servers.
4. Migrate yourself to a non-US controlled country.
I'm sorry for US sites and users. Your government is hell-bent on turning the internet into a read-only device like TV, easily regulated and controlled. The population will be required to sit quietly and keep their eyes glued on the screen so they don't miss the ads, with any infringers deemed terrorists and pedophiles and thus deserving of summary punishment by DHS squads.
Hopefully the internet will route around the damaged segment, and the rest of us can continue to enjoy the amazing interactivity it has brought our society.
As someone who has been in the Internet business from the beginning with a number of startups under my belt and who "migrated myself to a non-US controlled country" (East and SE Asia) 25 years ago I would offer the following formula for happiness:
1. Set up your company outside of the US.
2. Don't keep a bank account in the same country that your company is in.
3. Don't have customers in the same country that your country is in or where your bank account is.
4. Don't live in the country where your company, bank account or customers are.
5. Don't live in the same time zone as your in-laws.
I live in Thailand (for 13 years now) and have a company in Singapore. We are opening companies in Laos this year then Cambodia and then Burma over the next two years. My Bank Accounts are in Hong Kong. I try to find customers in any country other than those listed above, and the States.
Bandwidth is better out here than in most places in the States. And hardware is cheaper because you're buying closer to the source. And as long as you aren't living in Singapore, Hong Kong or Tokyo, the cost of living is far cheaper than in the States.
This is not as difficult as it might seem. It's great living out here, and I would encourage everyone to do the same.
BTW our latest startup is an infrastructure for the semantic Web and about as cutting edge as you could hope for, so don't whine about how you can only do your startup in Silicon Valley. The future is here, not in the States.
I like to bash GoDaddy as much as anyone else, but it's not only their fault if they obeyed a law enforcement agency that issued an illegal order. I'd like to see government officials being punished for that kind of authoritarian attitude more frequently (we have plenty of that here in Brazil too).
A tax audit is crippling enough for business. Registrars like GoDaddy are exposed to a huge vulnerability in the form they don't know exactly with whom they do business. All you need is a credit card.
It is by no means limited to the US, but various sources (such as wikileaks cables) make it clear that it is mostly the US government pushing for such draconian measures worldwide. So moving your business away from there to make it clear that you don't agree is a good thing.
You might find step 4. a bit difficult, finding a "non-US controlled country" isn't easy these days, and I'm not sure I'd like to live there.
Much as I like my country (Uruguay), I know we'd cave in faster than New Zealand did with Kim Dotcom.
China might not be US-controlled, but they have their own issues. And a smaller country means it's probably going to be bullied by the US. Maybe Switzerland? (that does sound like a nice place to live :) ).
How about Iceland? At least this web hosting company http://www.orangewebsite.com/ is touting "better level of privacy and lower censorship" as a selling point. (Although, I note it itself is using .com) Anyway, I think it won't be long until some countries or territories will wise up to create internet freedom friendly jurisdictions as a competitive advantage to lure tech capital and talent away from the increasingly hostile US with its IP and military industrial complex weapons of wealth destruction.
"hell-bent on turning the internet into a read-only device like TV"
At the behest of mostly the music and movie industries - who are so dead set on their antiquated business model, who see the free and open internet as a big big threat on all fronts. On one side you have this so called "rampant piracy problem" (lol) but on the other side you have the internet as a medium for artists to create, distribute, advertise, and sell their work without any need for the big players in the industry. This is what scares them most. How dare this free and open thing put a chink into our profits, and forcing us to come up with a different way of thinking about the future. But instead their plan is to assault it, with the help of our bought lawmakers, and bring it under their control.
I am of two minds about these draconian attempts to maintain IP laws. Although, I abhor the corporatist position that they need harsher more invasive tools to maintain their IP claims against piracy, the creation of such laws and enforcement tools will push the wider public to understand and perhaps embrace tools that make them free. Free software and practices that enforce one's own privacy and free will might only become widespread when the average citizen understands in a personal way the need for a free and open set of tools for living in an information based culture.
On the other hand, it is only rational to look at the history of oppression and see the harm this pattern of legislation can foster. We should, as educated free individuals collectively speak out and act out against legislation which furthers the trading of freedoms for corporate or personal profit.
"Internet Privacy" is an oxymoron.
Safety and freedom are incompatible; you can have one or the other but not both. America says "Safety first"; humanity says "No thanks!".
Maybe what we need is an intercontinental virtual RAID array so that no one country can shut it down?
(Disclaimer: I use Linux, I live in Thailand.)
If Al-Qaeda really wants to piss off the USA they should just open a censorship free anti-takedown compliant web hosting company. They could run it as a non-profit putting most of the profits back into expanding their business and attracting more clients. LOL