Jimmy Daniels

Does Your Registrar Have Your Back?

Ever since I first read about GoDaddy taking the SecLists.Org site offline because of a request from MySpace, which had objected to some content someone posted to a mailing list that the site archives, I have wondered whether I should be looking to change to another registrar, and I figure I am not alone. The gentleman who owns the website, who goes by Fyodor, says that GoDaddy left him a voicemail telling him that his domain was scheduled for suspension, followed by the Domain Suspension Notice exactly 52 seconds later, and that neither had any contact information at all, meaning he had to call general support and spend hours on the phone just to get the reason why, let alone get it fixed. He has posted the full story here.

He has also registered the domain name Nodaddy.com and is using it to build a community of people who have had similar trouble (or, I assume, any kind of trouble) and to start their own anti-GoDaddy site. It has news and links to more articles about this story, as well as a call for members, a Nodaddy girl and more.

Even after this episode made news worldwide, GoDaddy refused to admit they were wrong. In a News.Com article, GoDaddy general counsel Christine Jones “pointed out that GoDaddy’s terms of service say the company ‘reserves the right to terminate your access to the services at any time, without notice, for any reason whatsoever.’” In that same article, Jones refuses to rule out suspending a site such as News.Com if a reader posts illegal information in a discussion forum. In another article, Wired reporter Kevin Poulsen catches Jones in a lie. When Kevin notes that GoDaddy shut down the domain only 52 seconds after leaving the voicemail, not one hour as Jones previously claimed, Jones “admits she doesn’t know exactly how much notice [Fyodor] had” and declares that “I think the fact that we gave him notice at all was pretty generous”. Is this the sort of company you would hire to manage your domain names? This could happen to any site which allows reader comments or other user generated content. Source: Nodaddy.com

Of course companies expect stuff like this to happen, but this guy has some traffic he can use, some media coverage he can take advantage of and a clue on how to build up a website. So, this is definitely a losing situation for them, unless of course the site dies and no one submits any other stories, etc.

News.com has an article today that discusses this, asks whether your registrar is free-speech friendly, and poses 10 questions to the 12 registrars it “tried” to interview, since some did not answer the questions. Two registrars stood out: Gandi.net and New Orleans-based DirectNIC. Gandi.net said it would take extensive steps to contact the customer first, and DirectNIC said it would only take down a site without a court order if the site focused on child porn or phishing. The folks from Gandi.net even said that someone claiming to be from MySpace made a similar request, but because they gave no justification and Gandi.net could not get in contact with MySpace, no action was taken. Here are the questions they asked; for the responses and more info, read the News.com article here.

1. Under what circumstances will you suspend a customer’s domain name based on the content of his or her Web site, in the absence of a court order?

2. How many times a month, on average, do you suspend a customer’s domain name based on the content of his or her Web site?

3. What are the most common reasons for suspension?

4. How many domain names do your customers currently have registered through you?

5. Go Daddy last week suspended its customer’s domain, Seclists.org, because of a complaint from MySpace. Would you have done the same thing in the same way if Seclists.org happened to be your customer?

6. If you do suspend domain names in the absence of a court order, what procedures do you have in place to ensure that the customer is notified beforehand and given adequate opportunity to respond?

7. Do you believe that your most important responsibility is to provide technical services to paying customers–or is it to police the content of their Web sites, FTP sites, and so on?

8. Are you attempting to recruit Go Daddy customers as a result of last week’s news about Seclists.org?

9. If you do suspend domain names in the absence of a court order, how do your customers go about getting their sites restored?

10. Do you have a dedicated department or person who handles issues related to domain name suspensions?

Dotster, Melbourne IT, NameKing, Network Solutions, Register.com, Tucows and eNom did not respond to the survey, and Moniker.com just sent a statement that answered some of their questions.

Posted by Jimmy Daniels Posted in: Domain Registrars, Security 2 Comments » February 2007


Homemade Key Opens Diebold AccuVote-TS Electronic Voting Machines

We have discussed before how easy it would be to rig an election using some of today’s e-voting machines, like the ones made by Diebold. Ed Felten of the Freedom to Tinker blog first told us how easy it would be to change the vote totals using malicious code; now he has posted how, using Diebold’s own website, you can make your own key to unlock the flimsy cover that they use on the voting machines! They sell the key to the locks only to people who have accounts, but they had a detailed picture of the key posted on their online store, and Ross Kinard of Sploitcast made three keys from the picture, two of which actually opened the lock. Video is below.

By now it should be clear that Diebold’s AccuVote-TS electronic voting machines have lousy security. Our study last fall showed that malicious software running on the machines can invisibly alter votes, and that this software can be installed in under a minute by inserting a new memory card into the side of the machine. The last line of defense against such attacks is a cheap lock covering the memory card door. Our video shows that the lock can be picked in seconds, and, infamously, it can also be opened with a key that is widely sold for use in hotel minibars and jukeboxes.

Security experts advocate designing systems with “defense in depth,” multiple layers of barriers against attack. The Diebold electronic voting systems, unfortunately, seem to exhibit “weakness in depth.” If one mode of attack is blocked or simply too inconvenient, there always seems to be another waiting to be exposed. Source: Diebold Shows How to Make Your Own Voting Machine Key

This is amazing; these people shouldn’t even be allowed to talk about security, let alone claim that they have any. Two out of the three keys worked. Why not just hand people a card with the malicious code on it, show them how to use it and then ask them not to change the vote totals? According to that website, nearly all of the machines deployed across the country use the exact same key as the one that was shown on the Diebold site, so almost anyone, almost anywhere, could affect an election using a simple homemade key and a little bit of code. Ross said he sent many emails to Diebold and they never removed the picture; Ed posted on his blog Tuesday and now they have removed it, finally. Pictures are still out there though. Hopefully the ones who posted them will remove them, because, if the past is any indicator, this won’t be fixed and Diebold and their supporters will spin their way out, again.

Posted by Jimmy Daniels Posted in: E-voting, Politics, Security No Comments » January 2007


How Hard is Election Fraud?

Just reading about the new Diebold e-voting machines and how little security seems to have been a consideration, as there have been multiple reports on how easy they are to hack into. From USA Today,

A Princeton University computer science professor added new fuel Wednesday to claims that electronic voting machines used across much of the country are vulnerable to hacking that could alter vote totals or disable machines.

In a paper posted on the university’s website, Edward Felten and two graduate students described how they had tested a Diebold AccuVote-TS machine they obtained, found ways to quickly upload malicious programs and even developed a computer virus able to spread such programs between machines.

The marketing director for the machine’s maker — Diebold Inc.’s Diebold Election Systems of Allen, Texas — blasted the report, saying Felten ignored newer software and security measures that prevent such hacking.

Of course he is going to say that; he’s not going to admit that one of his cash cows is not secure, and he has to stir up uncertainty and doubt about whether these tests were accurate or not.

Felten and graduate students Ariel Feldman and Alex Halderman found that malicious programs could be placed on the Diebold by accessing the memory card slot and power button, both behind a locked door on the side of the machine. One member of the group was able to pick the lock in 10 seconds, and software could be installed in less than a minute, according to the report.

The researchers say they designed software capable of modifying all records, audit logs and counters kept by the voting machine, ensuring that a careful forensic examination would find nothing wrong.

So, it sounds like it would be very easy to break into a machine early in the voting process to make sure everything went “their” way. Election fraud is not new; it has been going on for years, but to what extent? Lots of people believe we had fraud in the presidential election when Gore lost Florida, and we’ve all heard the stories of people buying votes, dead people “voting” and people voting multiple times, but a commenter on Techdirt relayed just how easy it used to be to commit election fraud.

I used to prepare the old lever type voting machines for our local elections and talk about insecure! All I had to do while I was in the back of the machine is turn the counting wheel to start say at 1000 instead of 0 and this took no technical training or electronic hacking. At least the new electronic machines take technological savvy to pull off election fraud. The old machines could be rigged by a monkey. I just think a lot of this is fear of technology which always happens with anything new. I am in no way letting Diebold off the hook here. They should tighten up the security on these boxes but it always has been easy to pull off an election fraud.

Sounds like lots of testing needs to be done, as well as hiring people you think are trustworthy to man the polls. Election fraud will always be around because the positions are so important, so it’s crucial to start with good personnel as well as secure equipment.

Added: After reading the rest of the comments, I saw that this commenter added something he read in the report,

The machine we obtained came loaded with version 4.3.15 of the Diebold BallotStation software that runs the machine during an election. This version was deployed in 2002 and certified by the National Association of State Election Directors (NASED) [11]. While some of the problems we identify in this report may have been remedied in subsequent software releases (current versions are in the 4.6 series), others are architectural in nature and cannot easily be repaired by software changes. In any case, subsequent versions of the software should be assumed insecure until fully independent examination proves otherwise.

Posted by Jimmy Daniels Posted in: Election Fraud, Politics, Security 3 Comments » September 2006


Google Says We Will Keep On Storing User Search Data

Even though it’s been a terrible week for AOL and 650,000 of its users, Google Inc. CEO Eric Schmidt said the mistake by AOL will not change Google’s practice of storing user search data for use in its search engine.

“We are reasonably satisfied … that this sort of thing would not happen at Google, although you can never say never,” Schmidt said during an appearance at a major search engine conference in San Jose.

I’m sure AOL and all the other search engines were reasonably satisfied that “bad things” would not happen to them either, but it did, and now people are actively trying to take advantage of the data that was released. Websites are already popping up to use the data, although I won’t link to any of them from here.

News.com also has an article called, Google says it won’t pull an AOL,

“We have systems in place that won’t allow it to happen,” Schmidt told reporters Wednesday after a keynote discussion at the Search Engine Strategies conference here. “Our No. 1 priority is the trust our users have, and that would be a violation of trust, so the answer is that would not happen.”

Let’s hope so. I use Google as much as the next guy, and I KNOW anyone who gets hold of that data could find out lots of stuff about me. The thing is, as Wayne Porter reminded me recently, Google uses a unique ID for each user as well; even on separate computers, no two IDs are the same. If this data ends up in the wrong hands, it’s hard to tell what could be figured out with it.

Don’t say I didn’t warn anyone about Google’s use of a GUID. A globally unique identifier (GUID) is used for unique IDs. No two GUIDs are the same no matter what computer they were generated on. One day the police might start playing match the “GUID”.

Schmidt also said,

“We’ve always wanted to expand our advertising reach and our advertising network and monetize other forms of content,” Schmidt added.

Oh, we already know that. Ask any of the thousands of webmasters whose sites are no longer listed in Google; they already know it. If you are currently making money from Google, don’t count on it always being there; it’s their search engine and they want to be the only ones who make any money from it. Period. Do no evil? They should change their motto to “Give us your money”; as long as users are happy, it will continue going in this direction. They’ve proven that by making people who pay Google for visitors pay more money for “quality” purposes. The pages Google said I need to pay more money for earn more money per click than sending the visitors straight to the same merchant, no lie. I am also working on a post about Google and Censorship, but am not completely done with it yet.

“Maybe it wasn’t a good idea to release the data,” Schmidt said in the conference session.

You think so, Eric? I know it was, User 4417749 knows it was, as do most other people, so keep that shit under lock and key, encrypted and offline.

Posted by Jimmy Daniels Posted in: AOL, Google, Search Engines, Security No Comments » August 2006


AOL User No. 4417749 Found Easily

Just finished reading this article from the New York Times about how one reporter easily found search user No. 4417749, a user found because AOL released the searches of 650,000 users.

Thelma Arnold, a 62-year-old widow who lives in Lilburn, Ga., frequently searches for her friends’ medical ailments and problems, or researches issues just to help, and she loves her three dogs. Over the three months of data that AOL released “by mistake” she conducted hundreds of searches on topics ranging from “numb fingers” to “60 single men” to “dog that urinates on everything”, or “termites,” then “tea for good health” then “mature living.” All of these searches, and the others she conducted, led to a reporter finding her and asking if these were her searches.

“Those are my searches,” she said, after a reporter read part of the list to her. Ms. Arnold, who agreed to discuss her searches with a reporter, said she was shocked to hear that AOL had saved and published three months’ worth of them. “My goodness, it’s my whole personal life,” she said. “I had no idea somebody was looking over my shoulder.”

That’s one of the troubles with the Internet: it is way too easy to figure out who someone is, where they live and lord knows what else. This is one example of what can go wrong online, and how one company can help ruin your life. I am not saying that AOL did this intentionally, but when you keep data like this, you have to have strong policies on keeping this information safe from people who will use it for their own profit and/or other motivations. Either someone bypassed the chain of command at AOL, they didn’t give ANY thought to releasing such data, or someone seriously dropped the ball, none of which is good for surfers using the AOL site.

Asked about Ms. Arnold, an AOL spokesman, Andrew Weinstein, reiterated the company’s position that the data release was a mistake. “We apologize specifically to her,” he said. “There is not a whole lot we can do.”

Mr. Weinstein said he knew of no other cases thus far where users had been identified as a result of the search data, but he was not surprised. “We acknowledged that there was information that could potentially lead to people being identified, which is why we were so angry.”

We know, we already saw the lame apologies, and they aren’t going to be as angry as some of these searchers are going to be, I would imagine. This reporter tracking down Ms. Arnold is just one example, and certainly one of the most public, so far. And, as this story notes, it would be easy for these searches to look like one thing but be something completely different. Ms. Arnold frequently searched for all kinds of ailments, like numb fingers, hand tremors, nicotine effects on the body, dry mouth and bipolar, leading one to think she might have some medical problems, which, in this case, was completely wrong, as she frequently searched for friends’ ailments to assuage their anxieties. But what about the more extreme examples, as noted on The Paradigm Shift and this blog entry, AOL Search Data Shows Users Planning to Commit Murder, where users were searching for “how to kill your wife”, “how to kill a wife”, “wife killers” and many more? What if that user was trying to help a friend, say a friend who is abused and in fear for his or her life? I know that by looking at the searches it would seem like they were researching for themselves, but without context, what does it really show? BTW, that site has received 207 comments, definitely some interesting reading. As an example,

If you were an author of thriller/horror fiction, you might commonly enter “how to kill my wife” into Google…
Search is an extension of our inner thoughts. Doesn’t mean we’re going to do anything about it (recent case in Sweden aside).
Perhaps Google will be the real-world incarnation of the Minority Report law-enforcement model? I hope not.

Another interesting possibility, and another reason no one should have access to this data: user 17556639 could already be marked by police as a potential wrongdoer, and it could be for the wrong reasons. My friend Wayne Porter is a security researcher for Facetime Communications, and in a recent post he talked about how he had researched a case of UA pornography; if he had been on AOL at the time, he could already be marked by someone as a pedophile.

It reminds me of my reaction to some of the chat transcripts from Perverted-Justice.com. After investigating a case of UA pornography during my job as a security researcher I realized how little I knew about the subject. I went to the site and began reading one of the transcripts and became physically ill. I simply stopped and cried and could not even finish the first transcript. Was it ugly? Yes. Was it terrible? Yes. Did I need to read it? Yes. I am a security researcher- it is my job to understand the criminal and how they operate and not assume I know what is really going on. I didn’t know as much as I thought- I was naive.

Wayne is most definitely not a pedophile, he is a scholar and a gentleman, even if he is hated by many people. ;)

Ms. Arnold says she loves online research, but the disclosure of her searches has left her disillusioned. In response, she plans to drop her AOL subscription. “We all have a right to privacy,” she said. “Nobody should have found this all out.”

Exactly right Ms. Arnold, but AOL has let the “cat” out of the bag, so to speak, so what do we do now? Should companies like AOL, Google, MSN, and other search engines keep this kind of data, or should they purge it frequently, or not even save it at all? Using it internally for improving search is one thing, but this kind of data should not be saved for very long, and it definitely should not be released in the “wild.”

As one commenter on Techcrunch noted, this is only the tip of the iceberg,

Anyways, search engines aren’t the only ones keeping logs, I find ISP logs thousands of times more scary…

And another,

I imagine anyone who isn’t a prude or bland tends to momentarily wonder about various topics with queries that, at face value, sound twisted or odd. Imagine being judged just for being curious about life (something as tame as medical conditions to the diverse range of literature and depths of dialogue). The ability to have curiosity and freely explore information is the greatest ability of a free culture. When people become afraid of seeking information — from fear of being viewed as a criminal — it will set society back into repression and darkness.

Posted by Jimmy Daniels Posted in: AOL, Google, Research, Search Engines, Security 4 Comments » August 2006


Deleting Online Predators Act (DOPA) Passes the House

US House Resolution 5319, the Deleting Online Predators Act (DOPA), was passed by a 410 to 15 vote tonight. If the Resolution becomes law, social networking sites and chat rooms must be blocked by schools and libraries on those institutions’ computers or they will lose their federal internet subsidies. And with a margin as big as that one, one would think it would pass the Senate easily as well.

So, if it passes, what does this mean? Will it be applied to blogs like this one, where you create a login and can describe yourself? Or will they apply it loosely and just block the big sites?

From Techcrunch,

An incredibly vague law, DOPA will require schools and libraries to block access to a potentially huge range of sites on the internet. The goal is to protect children from adult predators. Sites that must be blocked include those that allow people to post profiles, include personal information and allow “communication among users.”

Which would include all blogs, all chat rooms, news sites like News.com, shopping sites like Amazon, and all the social sites, not just MySpace but sites like Digg, Slashdot, Reddit and Facebook, yet most of the talk has been about sites like MySpace. So, it makes you wonder, do they REALLY know what they are doing? If you’ve read any of my other posts, like the one from Senator Ted Stevens, who is Senate President Pro Tempore and also Chairman of the Senate Committee on Commerce, Science, and Transportation, then you know how little some of these people know, and these are the people who are deciding the internet’s future right now, and this during an election year.

From Declan McCullagh at Zdnet,

Fitzpatrick’s re-election campaign is one reason why the Republican leadership, which is worried about retaining their slender House majority, arranged a vote on DOPA. Fitzpatrick, who represents a politically moderate district outside of Philadelphia, has found himself in a tight race against challenger Patrick Murphy, an Iraq War veteran and prosecutor.

Technology lobbying groups, which were taken by surprise by this week’s speedy approval of DOPA in the House, are now scrambling to throw up roadblocks to the measure in the Senate. Some expect that the Senate leadership will hold a vote as early as next week. (Libraries also oppose the measure.)

So the time is short for this one. I would say this one will end up in court, as one commenter on the Techcrunch site said,

U.S. Constitution: First Amendment
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Social networking sites are just peaceful assemblies. This is against our right to free speech.

Just one argument, and a good one, if you can get them to see that it is an assembly, even if it is one person on a computer at a time.

Posted by Jimmy Daniels Posted in: Blogging, Digg, MySpace, Online Predators, Politics, Security, Social Networks, Technology 2 Comments » July 2006


Banner Ad on Myspace Infects Over 1 Million Computers

According to an article from The Washington Post, an ad for DeckOutYourDeck.com was using the Windows Metafile (WMF) flaw to load a Trojan horse program that in turn loaded crap from the PurityScan/ClickSpring family of adware. The user’s PC would then be bombarded with popups and their internet usage would be tracked, and, unfortunately, at least half of the available antivirus programs flagged this software as bad.

Using software that captures and analyzes Web traffic, La Pilla found that the installation program contacted a Russian-language Web server in Turkey that tracks how many times the program was installed, presumably because most of this adware is installed by third parties who get paid for each installation. The data there indicate that the adware was installed on 1.07 million computers, La Pilla said, adding that all seven of the Internet addresses contacted by the downloader Trojan appear to be inactive at this time.

La Pilla said he also spotted the ad trying to serve up adware on Webshots.com, a popular photo-sharing site. It’s not clear when this particular campaign started, he said, but an anonymous user at the invaluable CastleCops security forum posted information about a similar attack spotted on MySpace on July 12. Users at this online gaming forum apparently spotted the same WMF exploit being served via the DeckOutYourDeck ad as early as July 8.

So, it appears there are lots of users who haven’t patched their machines in a while, since Microsoft made patches available in January. Most of these users are probably MySpace users, and if they are like my kids (I make them use their own computers), their machines don’t get patched and they get eaten up with spyware/adware. Occasionally, after much complaining from my boy, I will re-image his machine and lecture him on how he is supposed to use the internet, which goes in one ear and out the other, and he does it again. So far, learning the hard way is not helping him any, so maybe I need to come up with a new approach.

Posted by Jimmy Daniels Posted in: MySpace, Security, Social Networks, Spyware 1 Comment » July 2006


SQL Injection Attacks on the Rise

According to Secureworks, the number of SQL injection attacks, where the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to an organization’s resources or to make changes to data, is on the rise. These types of attacks can be used against many different kinds of web applications, and with them, attackers can determine the structure and location of databases so they can either download the database or compromise the server. From January to March Secureworks blocked 100 to 200 such attacks a day; as of April, that number had jumped to 1,000 to 8,000 attacks per day.

“The majority of the attacks are coming from overseas,” said Ramsey. “And although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack.” This is a type of attack where the hacker has targeted a particular organization, versus a worm which spreads indiscriminately.

“Depending on the sophistication of the attacker, the online criminal can potentially gain access to a bank or utility company’s key customer databases containing social security numbers, account numbers, credit card numbers, email addresses, etc,” continued Ramsey.

Always secure your servers, and if you don’t know how, contract with someone who does, you’ll sleep better because of it.
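As an added illustration (not code from the original post or from Secureworks), here is the pattern the post describes in Python: a user lookup that splices form input straight into the SQL text, next to a parameterized version that does not, both run against a small in-memory SQLite table constructed for the example, plus a coarse check a web front end could use to flag and log suspicious form input. The table rows, the field names and the probe string are all made up for the example.

```python
import sqlite3

# Constructed sample data for this example: an in-memory SQLite table standing
# in for a web application's user table. The rows are made up.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# A constructed probe string of the kind the post describes: form input that
# carries SQL syntax instead of a plain username.
PROBE = "x' OR '1'='1"


def make_db():
    """Build the throwaway database the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The flaw the post describes: the form field is pasted straight into the
    SQL text, so whatever the user typed is parsed as part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the statement text is fixed and the input travels as a bound
    parameter, so it is only ever compared as a value, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def looks_like_injection(value):
    """A coarse check a web front end could use to flag (and log) form input
    that carries SQL syntax in a field that should hold only a username.
    It is a detection aid for operators, not a substitute for parameters."""
    markers = ("'", '"', "--", ";", "/*")
    return any(m in value for m in markers)


def demonstrate():
    """Run both lookups with a normal username and with the probe string, and
    return the row counts so the difference is visible at a glance."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        # The probe turns the WHERE clause into a tautology: every row comes back.
        "vulnerable_probe": len(lookup_vulnerable(conn, PROBE)),
        "parameterized_normal": len(lookup_parameterized(conn, "alice")),
        # Bound as a value, the same probe matches no username at all.
        "parameterized_probe": len(lookup_parameterized(conn, PROBE)),
        "probe_flagged": looks_like_injection(PROBE),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```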

Posted by Jimmy Daniels Posted in: Attacks, SQL, Security No Comments » July 2006

