Archive for the ‘Social issues’ Category

Sedo.com introduces trapdoors to the domain selling floor

Posted by Acro in Business, Domains, PPC Companies, Social issues on August 26th, 2008

Yesterday, I ate lasagna for dinner. I bought two history books from Barnes & Noble. I applied for a home loan. I played Counter-Strike for the first time after two months. I shaved off my goatee.

These are random, daily functions that pertain to me, the person. They are isolated incidents of my life that occur, more or less often, in various forms. Unless you live with me or you have a view through my home windows, they remain private to me or to whoever I decide to disclose them to.

Privacy, in today’s electronic maelstrom of a society, is a commodity as rare as honesty and loyalty. We have somehow been led to believe that if we buy items at the store using a credit card, it’s okay for the store to call or email us with offers of similar products. We have been led to believe that our eating, drinking and partying habits are okay to be shared, in photographs and videos on MySpace, hi5, Facebook and other “social networking” venues.

We have been shown the wrong way of living.

As if Mondays are not *the* worst days of the week alongside Fridays, today Sedo.com announced that a new set of features will be enabling users to conduct sales and business in an easier, transparent manner.

In all reality, what Sedo created today is the prelude to doomsday as it pertains to the privacy of domain transactions on this marketplace, which boasts millions of domains for sale.

Essentially, Sedo stopped short of announcing a “MySpace” type environment, with options such as seniority of sellers, the geographic location that they trade from, a rating system and their tax options, fully displayed via a link to any other person logged in to the Sedo platform. Other added features that somehow made it past beta-testing without any concern from the management or the programmers include displaying how long a domain has been listed for sale on Sedo and the option to link to their entire portfolio via the profile of any other domain they have on sale.

Sedo did one thing right and all of the rest wrong.

What Sedo did right was the *option* to link to the rest of the domains in one’s portfolio - defaulting it to “No linking”. This is a solid programming concept at work. It’s the well-thought design of the programmer who wants to offer options but also respects people’s choices.

What Sedo did wrong, was the rest of it.

To create a Sedo account one needs a few seconds. It’s like signing up for Gmail or registering with Papa John’s pizza online. Once you create a Sedo account, the fun begins. The newly introduced features allow *anyone* with very basic programming skills to scour the live data of Sedo and scrape it.

It’s as if Sedo allows *anyone* with an account to take a long, satisfying snoop into your lounge while you eat. While you order books from Amazon. Whether your home loan was approved. How many kills you landed at Counter-Strike. If you’re wearing aftershave or not.

It’s all about offering raw data, easy to be mined by anyone.

Sedo programmers need to be fired for a series of fundamental programming flaws. First off, the same suicidal approach that was used with the identification of the auction system is being used again: sequential numbers, ranging - for example - from 000001 to 99999999 and beyond. In order to view and gather transaction details, all one has to do is increase the number of the parameter describing the auction and store the results in a database. No confirmation needed. No session variables. Just full path variables that are exposed and tweaked to reveal the next in line. No captcha used in order to stop a scraper dead in its tracks.

Having fun yet?

Sedo’s new profile features can be exploited to store aggregate data, linking each and every auction on Sedo to the person that made it. It’s not just like NameBio storing domains and sales prices scraped off the front page of Sedo; it’s about storing *every* auction’s info, the seller’s profile, their location, their ratings as seller and buyer, how long they have used the Sedo platform and how long the domain has been offered for sale - all IDENTIFIED by a unique, open (not hashed) id number.
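A defensive sketch of the controls this post says were missing (an added example, not Sedo's code or the author's): public ids derived from the sequential number with a keyed MAC, a logged-in account required for every lookup, seller fields withheld from other viewers, and a per-account budget of failed lookups. `AuctionStore`, `opaque_id`, `SERVER_KEY`, `MAX_MISSES` and the sample records are hypothetical.

```python
import hashlib
import hmac
from collections import Counter

# Assumption: a secret held only by the server (constructed value for the demo).
SERVER_KEY = b"constructed-demo-key"
MAX_MISSES = 3  # assumption: unknown-id lookups tolerated per account


def opaque_id(internal_id: int, key: bytes = SERVER_KEY) -> str:
    """Map a sequential row id to a public id that cannot be computed without the key.

    A plain (unkeyed) hash would not help: anyone can hash 1, 2, 3, ... as well.
    """
    digest = hmac.new(key, str(internal_id).encode(), hashlib.sha256).hexdigest()
    return digest[:32]  # keep 128 bits of the MAC


class AuctionStore:
    """Hypothetical store: a lookup needs an account and a valid opaque id."""

    PUBLIC_FIELDS = ("domain", "price")  # seller identity and location stay private

    def __init__(self):
        self._rows = {}            # opaque id -> full record
        self._misses = Counter()   # account -> failed lookups so far

    def add(self, internal_id: int, record: dict) -> str:
        token = opaque_id(internal_id)
        self._rows[token] = dict(record, internal_id=internal_id)
        return token

    def view(self, account, token: str):
        """Return (status, data); status is ok, denied, not_found or blocked."""
        if not account:
            return "denied", None            # no anonymous lookups
        if self._misses[account] >= MAX_MISSES:
            return "blocked", None           # guessing budget spent
        row = self._rows.get(token)
        if row is None:
            self._misses[account] += 1       # count the miss against the caller
            return "not_found", None
        if row["seller"] == account:
            return "ok", dict(row)           # the seller sees the whole record
        return "ok", {k: row[k] for k in self.PUBLIC_FIELDS}


def demo():
    store = AuctionStore()
    # Constructed sample records.
    tokens = [
        store.add(i, {"domain": f"example{i}.test", "price": 100 * i,
                      "seller": "alice", "seller_location": "Constructed City"})
        for i in (1001, 1002, 1003)
    ]
    results = [store.view("bob", tokens[0])[0]]
    # Requests that walk the old sequential numbers only produce misses,
    # and the account is blocked once its budget is used up.
    results += [store.view("bob", str(n))[0] for n in range(1001, 1006)]
    return store, tokens, results


if __name__ == "__main__":
    print(demo()[2])
```

The miss counter doubles as a detection signal: an account with many `not_found` results in a short time is a candidate for review.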

Read further to understand how poorly Sedo thought of this new set of features.

Once our rogue scraper guy has created their Sedo profile, they can scrape the entire database of Sedo’s users - all 1.3+ million of it - including their unique id number and their location. Then, that unique id number can be looked up further to store their seller and buyer profile info. Once a sale occurs, the auction’s information can be stored as well.

The problem lies with the ability to link all these three together. It’d be a database containing identifiable information that can very easily be enriched with WHOIS data to fully pinpoint a seller’s achievements, strategies in pricing and the time that these sales occurred.

Did I mention that a lot of domains have WHOIS privacy protection but once listed on Sedo the seller’s location is revealed?

I will refrain from creating a proof of concept, at this time. But frankly, it takes $50 to pay a programmer from India that’d rummage through the freely available “features” and safely store it all away, without Sedo even being aware of it happening. To them, these are “features” that enable users to conduct business better. To me, it’s a violation of my privacy rights and an open welcome to data miners.

Programmers take orders from project managers. Whoever managed this project needs to go back to college.

I urge everyone who sells domains on Sedo.com to contact support@sedo.com and raise their strong objection to this set of wide open trapdoors on the domain selling floor.

Be careful who you sell your domains to!

Posted by Acro in Business, Domains, Social issues on August 3rd, 2008

So I check my domain access logs today and I notice a sizable traffic increase, that points back to some blog run by fellow Greeks. The first hunch was that someone points to my domains, Acroplex.com and Acro.net because they found something of interest; instead, there is a bunch of crap about an adult traffic domain, which I sold back in January!

Apparently, the new owner - a Greek Australian - has set up a porn site and started spamming the Blogger forums pimping his “ladies”. Which is fine by me, but because he uses WHOIS shield, there is no indication of me not being linked to the domain anymore. I contacted his web host and his account was promptly suspended. I’m also his eNom domain registrar (reseller) and I will consider unlocking his info. The sad part is that once again, people that have no access to the proper information jumped to conclusions in an instant. Gotta love the Internet lynch mob.

Once again, be careful about who you sell your domains to, they might be used wrongfully in the future.

Buying domains with other people’s money

Posted by Acro in Business, Domains, Social issues on July 11th, 2008

From behind the iron curtain of a middle Eastern nation known for its anti-American sentiment, a self-proclaimed hacker seems to be the perpetrator of a series of recent, high profile purchases of domains - using stolen credit cards.

Using proxy servers located in Iraq, he took control of a Network Solutions user account and its main domain, Get-Hosted.com. Then, using either a credit card associated with the account or other stolen credit cards, he made purchases of domains offered for sale via the Network Solutions marketplace. These domains are brokered by two major players in the domain after-market field, BuyDomains and Fabulous.

Apparently, he tried the fraud scheme first at Fabulous, as their domains are typically priced lower. After testing the waters of his process by making several small purchases, he turned his attention to the higher-priced domains offered by BuyDomains. A week or so later, his appetite was large enough that one of these purchases made it on DNJournal: DomainTools.net was sold for $4,088.

Fabulous reacted quickly, reversing between 5 and 6 purchases of about $350 each and regaining control of the domains within days of the incident. The perpetrator, having gained experience from this test run, then decided to alter his process; the roughly 6 large purchases he made from BuyDomains were immediately transferred out to the compromised Network Solutions account and WHOIS protection was added.

Having used stolen credit cards - in other words, other people’s money - it was time now for the hacker to capitalize on the value of the assets; an estimated $25,000 worth of domains. Not too shy about declaring his location (Iraq), he created two accounts at DNForum and offered the domains for a quick sale, at extremely low prices. These aged or otherwise generic names were being offered for $200 to $500 each, with a couple of others seeking offers.

The DNForum sales thread about one of these domains, xdev.com, had a short lifespan; the domain was still listed for sale at Afternic by BuyDomains with a hefty $9,700 price tag on it. And yet, the seller was eager to take any amount of money, ranging from $1,500 up to a BIN price of $5,000. After all, he never paid a penny out of pocket for these domains. The DNForum community was quick to determine that the sale was extremely suspicious and to alert the moderators about the ongoing scam.

Other domains offered for sale included Getting.net, DomainTools.net, DoTrust.com and OrbitPay.com - all of them were being offered at unreasonably low prices. Thankfully, DomainTools.com maintains historical data on domain ownership; it was easy to see that all these domains followed the same pattern: they were sold recently by BuyDomains and were instantly transferred to Network Solutions, to an account with WHOIS shield.

It’s probably the first time that several major players in the domain market were involved as the direct victims of a scam:

  • BuyDomains and Fabulous were defrauded, giving up domains in exchange for stolen funds
  • Network Solutions & potentially Afternic were used as a Trojan Horse to facilitate the purchases through their respective marketplaces
  • Sedo was consequently used by the scammer as a point of sale for some of these domains

Additionally, Visa and Mastercard obviously had to reimburse funds and to reverse charges to the legitimate owners of these credit cards.

Currently, all of the domains appear to have been recovered in a special trust account at Network Solutions. The investigation is ongoing, with regards to the legal ramifications of this act which could amount to tens of thousands of dollars in billable time. It would not be surprising if finally the FBI and Interpol are involved in this case.

Over the course of recent years, Internet scams have proliferated into segments of the global market that were left untouched by traditional crime. It’s imperative that international politics ensure a smoother relationship and cooperation between nations, instead of leaving predatory “black holes” such as Iran, Iraq and North Korea. These criminals operating from such countries feel untouchable by the lack of law and punishment in their own countries and often engage in these acts as a “sport” or a “hobby” - gaining bragging rights among their peers.

However, when other people’s money is involved, it’s not a game anymore.

4,113 Fallen Soldiers

Posted by Acro in Social issues on July 4th, 2008

As the fireworks fill the night sky on the 232nd Independence Day of America, now it’s the time for some introspecting.

I witnessed my first 4th of July extravaganza in 1998, my 1st year in the US as a transplanted immigrant. To be in the “land of the free” was a great accomplishment, that sustained me through the tough times, both financial and emotional. The sensation was that everything is possible; with hard labor any dream can become a reality - in the US of A.

Today, America has lost its luster, both to the world and internally. After almost eight years of the Bush administration presiding over the choices and freedoms of the American people, it is evident that a lot of damage has been done to the statue of Liberty - its patina depicts an aging of outdated ideas and acts.

On Independence Day, there are 4,113 fallen soldiers that lost their lives fighting an invasive war in Iraq, thousands of miles away from home. This second Vietnam has no lesser effect to the lives of the families that lost their sons and daughters, husbands and wives, friends and relatives - to the pretext of freedom fighting. One man’s ego has led these men and women to an untimely death - all 4,113 of them so far.

With elections approaching fast in less than 120 days, now it’s the time to ponder about the words that politicians use with regards to what constitutes freedom, independence and patriotism. While the US liberated Europe in WWII and offered its strong arm assisting the distraught European nations, today’s America is not a liberator - it’s an enforcer of political will unrelated to the basics that this great nation was built on. Americans cannot sustain four more years of conservative, aggressive, insanely uncivilized politicians like Bush and Cheney through a McCain presidency.

On this Independence Day, let’s watch the movie “Born on the 4th of July” to realize that freedom is not gained by launching and perpetuating wars but by ending conflicts, ensuring international cooperation and symbiosis, educating the people and by reaching out in the middle of the fire to cease it.

The fireworks are definitely beautiful - but war isn’t.

Is(it)real.com - Or, the art of playing broken telephone

Posted by Acro in Business, Domains, Social issues on June 2nd, 2008

As kids, we used to play that game called “broken telephone”. Other names for this game included “operator”, “grapevine” or “pass it down”. It involved a chain of kids that would relay a short but quickly spoken phrase, rather silently. By the time the phrase reached the last kid, the phrase would be completely distorted and in many ways funnier than the original one.

The following is excerpted from the movie Johnny Dangerously:

Lil: Get this to Johnny on the grapevine: Vermin is going to kill Johnny’s brother at the Savoy Theater tomorrow night. Got it?
Polly: Got it.
Polly: Vermin is going to kill Johnny’s brother at the savoy theater pass it on.
Prisoner: Vermin is going to kill Johnny’s brother at the Savoy Theater tonight. Pass it on.
Prisoner: Vermin is going to kill Johnny’s mother at the Savoy Theater tonight. Pass it on.
Prisoner: Vermin’s mother is going to kill Johnny tonight at the Savoy Theater. Pass it on.
Prisoner: [gibberish]
Prisoner: There’s a message on the grapevine, Johnny.
Johnny: Yeah, what is it?
Prisoner: Johnny and the Mothers are playin’ “Stompin’ At The Savoy” in Vermont tonight.
Johnny: Vermin’s going to kill my brother at the Savoy Theater tonight?
Prisoner: I didn’t say that.
Johnny: No, but I know this grapevine.

This morning, the news in the domain grapevine had it that a domain name, Israel.com, had sold for $5.88 million via Moniker’s auction platform. Before noon was over, blog after blog and forum after forum had passed along the information, adding their own little twist to the story. Some said the buyer was an Israeli tycoon, others said it was a Jewish woman investor from a large corporation in New York City. Others preferred to ponder how much Israel.mobi would sell for.

It turns out that the domain was not sold after all. So much for the rich Jewish lady from NYC; if you know her, I’d like to get her number.

The point is, today’s media possess powers that by far exceed those of the traditional media. In the old days of centralized points of information, the newspaper with the false piece of news would frantically retract all the issues and the poorly-paid paperboys would deliver a fresh edition of the news. On the radio or the tv, an announcement would be made, correcting the mistake - obvious or not - and everything would be put in place, more or less.

After news of the alleged sale broke out, the Moniker people scrambled to issue frantic statements that no such sale had taken place; but by that time, the cat was out of the bag: blogs relay news in a non-linear fashion, they beam out information to all directions, that is picked up from other info processing points on the web; some are rather influential in the way that such information is passed along. All of a sudden, a non-sale became a sale.

So bloggers, amateur or semi-pro, be careful out there: the grapevine game has consequences. Double-check your sources, or better still, differentiate from the rest of the media and provide content, criticism and analysis on your blogs, instead of plain xeroxing of random press releases.

Now, did you hear the one about the upcoming sale of a two-word, hyphenated IDN .mobi for over seven figures?

TRAFFIC / Orlando - The synopsis of a great networking event

Posted by Acro in Business, Domains, Social issues on May 24th, 2008

When I signed up for TRAFFIC / Orlando, my expectations from attending the conference were cut very dry and specific. I envisioned selling domains at the auction, meeting with other professionals dressed in suits and sharing ideas with the very core people of the domain industry. I’m able to say that I achieved my goals one-hundredfold in a much broader manner which I had not anticipated, because simply being part of the TRAFFIC event is an achievement of its own.

TRAFFIC is not your average type of conference. It’s a gateway to a multitude of opportunities, an entry point, an initiation to what’s behind the conference name and its mythology. The biggest challenge is shedding the attitude of a strict business person while acknowledging the contribution and success of hundreds of other professionals. As an entrepreneur and a person who believes in communication with other individuals, I entered TRAFFIC prepared to not only talk but to also listen carefully to what others had to say. It was an opportunity to sharpen my social skills, display my work, my assets and also repair damage done by my well-known online persona at various forums.

The people attending TRAFFIC are professionals that all maintain their own distinct personality. They are men and women of various ethnic and social backgrounds, races and ages. They are there to not only benefit their business but to also contribute to the very industry that generates their wealth. It’s an approach and attitude that differs from the cut-throat world of broader technology and it’s a method designed to know and appreciate the person behind the business and the brand.

At TRAFFIC, I was able to learn from the speakers and exhibitors about the directions our domain industry is currently heading to. Every single day, I learned from the subjects presented, the questions that were asked and I gained more confidence for myself and my future ventures. TRAFFIC was at times intense, other times fast-paced and at other times relaxed and entertaining.

Walking up to talk to people that I had never met before in my life was surprisingly easy. Some stood out because they are famous; talking to Rick Schwartz while he’s munching on tasty canapés was definitely a far cry from simply reading his blog. Sharing a table at lunch or dinner with Donny, Mike, Monte and Christian from Parked.com was an opportunity to enjoy food and talk about things in a manner that no number of trouble tickets or emails can take care of. Brainstorming with Matt Bentley and the others from Sedo was easy, all while going back to greet the personnel at the TrafficZ booth and DomainSponsor or Skenzo.

Going around the exhibits when sessions were not active, one would meet people he or she interacted with at a previous time of the event and also meet others, who’d introduce even more to the circle of communication; just like a social chain reaction of ideas. In fact, the four hours I spent after my registration on the first day until the event officially started, were extremely beneficial; a relaxed prelude that built anticipation about the event itself.

The first thing one has to consider is whether they want to be an island, surrounded by waters and isolated from the rest of the world - or a cloud, free-flowing and able to meet other clouds that also roam in search of opportunities to interact. These clouds can sometimes clash with each other, thus producing thunder and lightning; but the resulting rain invigorates the land and feeds the lakes and the oceans, which in turn create more clouds and more free-flowing enterprises are born.

I think that I’d rather be a cloud and at TRAFFIC I discovered just that.

Gazundering hits the domain market

Posted by Acro in Business, Domains, Social issues on May 7th, 2008

Till now, I had no name for this abominable practice of lowering the price one is willing to pay for a domain, right after a verbal agreement is reached. After watching a CNN video about the British real estate market, I realized it already had a name: gazundering.

According to everyone’s favorite resource of general information, Wikipedia, the term “gazundering” is defined as “the practice of demanding a reduction in price to secure the sale of a property. This is usually done during contract negotiation. The timing of this demand is usually intended to prevent the seller from rejecting the lower price, as the sale could collapse if they did, although it may also reflect a genuine downturn in property prices in an area.”

Apparently, the British law gives little value to hand-shaking, virtual or not, unless it’s finalized with a written contract bearing the signatures of both parties. Long gone are the days of committing to one’s offer that was negotiated through an exchange of communications between buyer and seller and which was accepted.

In the domain market, this practice appears to work as follows: an offer is made, through a non-committing medium e.g. via a phone-call or an e-mail. The seller agrees to a selling price and proceeds with the drafting of a contract agreement, potentially involving a third party who’s an expert in the composing of such documents - for example, an IP attorney or a paralegal.

Then, as soon as the iron is hot off the deal anvil, the buyer changes their initial offer by means of counter-offering less money for the exchange. The process might involve the feedback of real or imaginary business partners who, during the course of negotiation, seem to have changed their appraisal of the domain or its business costs; all, at the financial and emotional expense of the seller who’s now left wondering if this is a bad joke.

Where I come from, a deal is a deal. No need for a handshake even, especially in today’s electronic, global market. And yet, even in the acclaimed domaining world, one will find individuals that resort to such a low tactical warfare approach. One’s word reflects their business and personal ethics; it’s a projection of anything done in the past and a prediction of anything that will be done in the future.

A game of chess obviously unfolds the parties’ strategy on the negotiation table. If an offer is not high enough to be accepted, the potential buyer then usually returns with a higher offer in order to close the deal and obtain the goods. But in chess, the rules are known in advance and the most important one is: if you pick up your chess piece, you have to move it.

Domain gazundering will apparently lead more people to offer their domains via centralized selling platforms that allow for a lock-down of the agreement as it is reached; once the price is viewed by the seller as acceptable, it’s as if both parties’ signatures were instantly recorded on the contract.

In an ideal business world, instant buying and selling is a smooth, painless operation that offers inventory and receives monetary funds in exchange. In the real world, a person with no scruples, no ethos and little regard towards the seller’s time and property will try to gazunder a deal, whenever possible.

To counter such gazundering activity, one has to disengage themselves emotionally from the deal, flat out refuse the post-agreement lower offer and, whenever possible, seek legal advice that would potentially entitle them to compensation, should such an act of pulling out of a deal occur.