Acro.net – Technology Rants & Raves by Acroplex®

In yet another hasty move, Sedo has inexplicably begun to remove political domains from its marketplace. It is uncertain how far the pattern searcher reaches, however Carolyn from the support department mentioned that their legal department decided to remove domains that contain the name of the US political candidates, Obama and McCain. I expect that the black-listing filter contains the names of Palin and Biden as well.

Now, I am not an opportunist that’d go around registering dozens of names of every possible combination for the party tickets, like others did. I own two domains, both hand-registered for their brandability value: Obamagram.com and Oreobama.com

Sedo’s email was yet another blow in the face of the growing number of users that choose the Sedo marketplace as a selling platform:

We are writing to inform you that the domains listed below have been suspended from Sedo’s services because this domain(s) is a potential violation of Sedo’s policy against domains that include obscene or illegal subject matter. While Sedo strives to protect our users rights to exercise free speech and maintain a marketplace with a vibrant and diverse collection of domain names, we apologize any inconvenience that this may cause.

It’s definitely ironic to see the words “free speech” and “blacklisted” in the same email. Currently there are dozens if not hundreds of political domains on Sedo’s marketplace so the blacklisting process has just begun.

Time to move your domains to Parked.com or elsewhere.

Less than 24 hours after introducing a series of features that exposed seller data to anyone with the will to acquire it and basic scraper-scripting skills, Sedo.com changed the way the “Meet the seller” link functions.

In a dry and short statement issued on DNForum, Sedo’s Customer Relations Associate Monica Ibrahim said:

“As a quick FYI, our tech team has made sure to remove all personally identifiable member ID data from the Seller’s Activity Index. We apologize for the initial issue. Please note that member IDs are not present in the Seller Activity Index or on the Domain Portfolio Links (which can be deactivated if you wish as mentioned earlier)”

Prior to this statement, Sedo vehemently denied that any privacy breach had taken place while maintaining their position that the newly introduced features will benefit the sellers and buyers that use Sedo.com as their domain marketplace.

Indeed, Sedo programmers scrambled to change the database interfacing from using an open sequential id to a hashed (encoded) string unique for the period of time the user clicks on the “Meet the seller” link. Upon my suggestion that Parked.com should offer assistance to the Sedo.com programming team, Donny Simonton exclaimed:

“I wish we could offer some help. As a programmer I do understand what they are trying to do. They are being lazy, been there many times. I would think they could easily change it to a md5 hash of the id + the domain or something similar. Something that can not be reversed.”

Despite the fact that these changes were quickly implemented upon my public announcement of how exposed the seller info has been, Sedo has yet to fix the way their auctions are referenced, using the same non-hashed open id. Currently, all 39,000-something completed and on-going auction pages are exposed to scraping by data miners.

Most importantly, Sedo has not changed the way the new features are utilized under a user’s profile: the user’s country location, seniority at Sedo, arbitrary ratings (zero to five stars) as a seller and a buyer and how long a particular domain has been at Sedo – all these are openly available to any logged-in user, without permitting the account holder to turn these features off.

Sedo has so far kept a low profile on the matter, but the reaction of the serious, active traders has been sharp and full of negative criticism towards the way that Sedo has decided to shove down the throat of users these new features. With offices in the UK and Germany, Sedo is challenging a series of strict laws protecting the privacy of individuals and corporations; stricter than US regulations about personal data safekeeping. Meanwhile, Sedo has stated that if a user decides to leave the Sedo selling platform and delete their user profile, their data remains with Sedo indefinitely. This has serious implications for any potential data breach in the future: user accounts contain a lot of financial and other private information and Sedo’s programming methods reveal a lax approach to security.

Keep contacting Sedo via the email support@sedo.com and their support hotline at (617) 499 – 7200 (keypress 3) to voice your opposition to the lack of an ON/OFF switch for the newly introduced features.

Yesterday, I ate lasagna for dinner. I bought two history books from Barnes & Noble. I applied for a home loan. I played Counter-Strike for the first time after two months. I shaved off my goatee.

These are random, daily functions that pertain to me, the person. They are isolated incidents of my life that occur, more or less often, in various forms. Unless you live with me or you have a view through my home windows, they remain private to me or to whoever I decide to disclose them to.

Privacy, in today’s electronic maelstrom of a society, is a commodity as rare as honesty and loyalty. We have somehow been led to believe that if we buy items at the store using a credit card, it’s okay for the store to call or email us with offers of similar products. We have been led to believe that our eating, drinking and partying habits are okay to be shared, in photographs and videos on MySpace, hi5, Facebook and other “social networking” venues.

We have been shown the wrong way of living.

As if Mondays are not *the* worst days of the week alongside Fridays, today Sedo.com announced that a new set of features will be enabling users to conduct sales and business in an easier, transparent manner.

In all reality, what Sedo created today, is the prelude to doomsday as it pertains to privacy of domain transactions on this marketplace, that boasts millions of domains for sale.

Essentially, Sedo stopped short of announcing a “MySpace” type environment, with options such as seniority of sellers, the geographic location that they trade from, a rating system and a display of their tax options fully displayed via a link to any other person logged in the Sedo platform. Other added features that somehow made it past beta-testing without any concern from the management or the programmers, include displaying how long a domain has been listed for sale on Sedo and the option to link to their entire portfolio via the profile of any other domain they have on sale.

Sedo did one thing right and all of the rest wrong.

What Sedo did right, was the *option* to link to the rest of the domains in one’s portfolio – defaulting it to “No linking”. This, is solid programming concept at work. It’s the well-thought design of the programmer who wants to offer options but also respects people’s choices.

What Sedo did wrong, was the rest of it.

To create a Sedo account one needs a few seconds. It’s like signing up for Gmail or registering with Papa John’s pizza online. Once you create a Sedo account, the fun begins. The newly introduced features allow *anyone* with very basic programming skills to scour the live data of Sedo and scrape it.

It’s as if Sedo allows *anyone* with an account to take a long, satisfying snoop into your lounge while you eat. While you order books from Amazon.  Whether your home loan was approved. How many kills you landed at Counter-Strike. If you’re wearing aftershave or not.

It’s all about offering raw data, easy to be mined by anyone.

Sedo programmers need to be fired for a series of fundamental programming flaws. First off, the same suicidal approach that was used with the identification of the auction system is being used again: sequential numbers, ranging – for example – from 000001 to 99999999 and beyond. In order to view and gather transaction details, all one has to do is increase the number of the parameter describing the auction and store the results in a database. No confirmation needed. No session variables. Just full path variables that are exposed and tweaked to reveal the next in line. No captcha used in order to stop a scraper dead in its feet.

Having fun yet?

Sedo’s new profile features can be exploited to store aggregate data, linking each and every auction on Sedo to the person that made it. It’s not just like NameBio storing domains and sales prices scraped off the front page of Sedo; it’s about storing *every* auction’s info, the seller’s profile, their location, their ratings as seller and buyer, how long they have used the Sedo platform and how long the domain has been offered for sale – all IDENTIFIED by a unique, open (not hashed) id number.

Read further to understand how poorly Sedo thought of this new set of features.

Once our rogue scraper guy has created their Sedo profile, they can scrape the entire database of Sedo’s users – all 1.3+ million of it – including their unique id number and their location. Then, that unique id number can be further looked up and store their seller and buyer profile info. Once a sale occurs, the auction’s information can be stored as well.

The problem lies with the ability to link all these three together. It’d be a database containing identifiable information that can very easily be enriched with WHOIS data to fully pinpoint a seller’s achievements, strategies in pricing and time that these sales occured.

Did I mention that a lot of domains have WHOIS privacy protection but once listed on Sedo the seller’s location is revealed?

I will refrain from creating a proof of concept, at this time. But frankly, it takes $50 to pay a programmer from India that’d rummage through the freely available “features” and safely store it all away, without Sedo even being aware of it happening. To them, these are “features” that enable users to conduct business better. To me, it’s a violation of my privacy rights and an open welcome to data miners.

Programmers take orders from project managers. Whoever managed this project needs to go back to college.

I urge everyone who sells domains on Sedo.com to contact support@sedo.com and raise their strong objection to this set of wide open trapdoors on the domain selling floor.

Ever since I started registering domains with the intention to develop or resell (the option to monetize was added much later) I decided to stick to the same basic principle: if it’s in the dictionary, it’s something I can use. If I can use it, others can. If others can, then I have established the motive to register or purchase it.

I can honestly say that the selling potential of dictionary .com, .net, .org domains – the original TLD triad – is a sure winner. As long as I don’t need a dictionary to establish what the word means! Of course, there are dubious spellings or common typos, but the bottom line is that a positive dictionary word serves its purpose well, in real life and in the online commerce world.

I recall buying Gravity.org for a mere $105 on DNForum, at a time when everyone else was looking to buy domains with type-in traffic or typos. I’ve stuck to my guns of picking up dictionary domains as often as I can and this principle has paid off in the long run, more times than I can recall. Four years ago, Gravity.org was sold to a nice guy, who has since then developed it into a beautiful web site depicting his literary work.

Later on, I discovered a great source of such dictionary domains in the form of a well-known parking guru who decided to do what was best at that time, having had thousands of domains that generated little parking income and had renewal fees to be paid. I managed to pick up a lot of these domains in private transactions or via forums; others I bought on eBay and via direct communication with their owners.

There were so many dictionary domains in these days between 2002-2005 that could be had for as little as $20 to just over $100 – I became more organized when such sales would occur, by keeping Notepad open to paste into it the entire list and then I’d delete quickly the names I did not want. I found that to be faster than pasting over the ones that I might want.

It’s shocking even to me, that one such domain that I picked for $50 at a “feeding frenzy” sale on DNForum three years ago, was just sold for a whopping $6,000 via Sedo. Then again, I’ve had other such large sales of dictionary domains in the past – but none resulted in such a high return on investment. I will have to thank my traffic guru seller for this. By the way, it’s an .ORG!

It’s often frustrating trying to sell dictionary domains with inherent potential at reseller forums; the expected responses immediately inquire about traffic stats. When the brand is built around a domain that cannot be misspelled or mistyped, the traffic shall come. What won’t come again, is an abundance of dictionary words in the original three TLDs.

Frank Schilling, in his last blog post in months made this monumental statement:

A few years back I was approached by a company and encouraged to place my domain names for sale through their marketplace. I was given a host of reasons why this was a good idea. “These names don’t make any money”.. “ Selling the names will actually improve my overall portfolio’s value”.. “Selective pruning is just prudent”. Shortly thereafter, a second domain marketplace called. They suggested I sell my names through ‘them’ and that I should cap my purchase prices at $5,000 because that was the limit of automated credit card processors in their scenario.. They even sent me a list of names that I should sell.. tens of thousands of them that don’t make enough to cover their renewals.. and If I could get $2,000-$5,000 each wouldn’t that be Fabulous?! The problem as I looked through my list was that many of the names they suggested I sell were pretty good. I’d pay more than 2-5k for many of these names if they were dropping at auction. I politely declined their offer.

One should employ additional means of measuring the potential value of a domain, other than its visitor figures, and dictionary domains maintain a strong reselling potential regardless of the existing traffic. An experienced domainer will soon acquire a “gut feeling”, an “on-the-fly” evaluation ability that only comes after several successful transactions – and a few monumental failures.

At the same time, one should ensure that a solid business plan is in place; for which I recommend the services of a qualified Certified Public Accountant (CPA) so that every dollar earned or expended is accounted for. I know that I will paying a whole lot more in taxes next year.

What is the domain that resulted in an 120-fold ROI ? You’ll have to keep your eyes peeled on Sedo‘s sales for that, in the next few days

The day started with my usual cup of coffee and a surprisingly smooth commute on Interstate 4. This time around I found my way inside the Disney resorts without getting lost. I managed to arrive about 15 minutes before the sessions would begin. I ran into Donny from Parked.com who gave me a brief intro about what his 11am speech was going to be about.

Rick Schwartz kicked off Day 2 of the TRAFFIC conference with his keynote speech. He mentioned that while it’s time to slow down and assess the opportunities offered, we also need to be aware of the dangers that are rising in today’s economy. In the financial crash of 2000-2001, everyone seemed to run away from the online ventures, abandoning their assets. In 2008, everyone seems to be running towards the venues available on the Internet. Even though we are living in thriving industry times, it’s time to also be proactive during the equally challenging financial times.

Rick closed mentioning the Snowe bill and how it is a time for the domain industry that the fittest will survive, as the industry shifts and changes its focus.

Howard Neu then took the stand, unfolding the opportunities that all the TRAFFIC attendants have with the range of exhibitors, stressing how this is not a trade show but rather, a get-together of the best and foremost-thinking members of the domain industry. While forums and chatrooms bring domain owners together, in a real life event such as TRAFFIC people have the opportunity to facilitate deals and establish relationships at a personal level.

Michael Collins, executive director of ICA then talked about the challenges that the industry is facing with the introduction of the Snowe bill that stirred the domaining calm waters and created a lot of tension. As a result of ICA’s efforts with raising awareness, ICA membership doubled since February 2008. He stressed the importance of domainers being represented in an organized form, lobbying at Washington DC, ICANN and the media.

Phil Corwin, legal councel for ICA, then described in detail the legal aspect of the Snowe bill, that is being promoted aggressively against domain owners from a group of major trademark holders. Wrapped up as an anti-phishing bill, it attempts to hold domain owners liable for millions of dollars in damages, without limitations. He mentioned that the politicians must be educated about the dangers of this bill, while defending the domain industry by building stronger alliances. Finally, Yahoo, Google and Microsoft maintaining their separate existence serve a positive purpose to online advertising, as the industry needs transparency and competition, instead of monopolies.

Michael Gilmour spoke about the future of domain parking, stating that currently only 20% of the world’s population is using the Internet. The percentage is increasing in Asia, in such countries as China and India. In fact, the growth in Asia is quite explosive. In India, the market is highly educated; there are also more millionaires in India than in the US. He concluded that domain owners need to develop up to three domains as businesses and utilize the rest of their portfolio as a revenue generator from parking.

Donny from Parked.com gave us all a history lesson, citing data of PPC for a domains over the course of 4 years, showing in effect that advertisers currently don’t care about top placement in search engines like Google and seem content with second or third places which are more affordable. He also mentioned that parking pages in the future need to be more visually appealing and look more like “real” web pages.

This concluded part one of Day 2. We had a great lunch that helped everyone unwind and yet network even more. I met with members of Domainsponsor and TrafficZ that seemed to like eachother a lot, despite both being Los Angeles based companies.

The dessert was delicious, the coffee invigorating and …I will continue Part 2 of Day 2 once my laptop batteries get recharged.