Posts Tagged ‘Domains’

Sedo.com scrambles to patch data breach but concerns still remain

Posted by Acro in Business, Domains, PPC Companies, Social issues on August 27th, 2008

Less than 24 hours after introducing a series of features that exposed seller data to anyone with the will to acquire it and basic scraper-scripting skills, Sedo.com changed the way the “Meet the seller” link functions.

In a dry and short statement issued on DNForum, Sedo’s Customer Relations Associate Monica Ibrahim said:

“As a quick FYI, our tech team has made sure to remove all personally identifiable member ID data from the Seller’s Activity Index. We apologize for the initial issue. Please note that member IDs are not present in the Seller Activity Index or on the Domain Portfolio Links (which can be deactivated if you wish as mentioned earlier)”

Prior to this statement, Sedo vehemently denied that any privacy breach had taken place while maintaining their position that the newly introduced features will benefit the sellers and buyers that use Sedo.com as their domain marketplace.

Indeed, Sedo programmers scrambled to change the database interfacing from using an open sequential id to a hashed (encoded) string unique for the period of time the user clicks on the “Meet the seller” link. Upon my suggestion that Parked.com should offer assistance to the Sedo.com programming team, Donny Simonton exclaimed:

“I wish we could offer some help. As a programmer I do understand what they are trying to do. They are being lazy, been there many times. I would think they could easily change it to a md5 hash of the id + the domain or something similar. Something that can not be reversed.”

Despite the fact that these changes were quickly implemented after my public announcement of how exposed the seller info has been, Sedo has yet to fix the way their auctions are referenced, which still uses the same non-hashed open id. Currently, all 39,000-something completed and ongoing auction pages are exposed to scraping by data miners.

Most importantly, Sedo has not changed the way the new features are utilized under a user’s profile: the user’s country location, seniority at Sedo, arbitrary ratings (zero to five stars) as a seller and a buyer and how long a particular domain has been at Sedo - all these are openly available to any logged-in user, without permitting the account holder to turn these features off.

Sedo has so far kept a low profile on the matter, but the reaction of the serious, active traders has been sharp and full of negative criticism towards the way that Sedo has decided to shove these new features down its users’ throats. With offices in the UK and Germany, Sedo is challenging a series of strict laws protecting the privacy of individuals and corporations; stricter than US regulations about personal data safekeeping. Meanwhile, Sedo has stated that if a user decides to leave the Sedo selling platform and delete their user profile, their data remains with Sedo indefinitely. This has serious implications for any potential data breach in the future: user accounts contain a lot of financial and other private information, and Sedo’s programming methods reveal a lax approach to security.

Keep contacting Sedo via the email support@sedo.com and their support hotline at (617) 499 - 7200 (keypress 3) to voice your opposition to the lack of an ON/OFF switch for the newly introduced features.

Sedo.com introduces trapdoors to the domain selling floor

Posted by Acro in Business, Domains, PPC Companies, Social issues on August 26th, 2008

Yesterday, I ate lasagna for dinner. I bought two history books from Barnes & Noble. I applied for a home loan. I played Counter-Strike for the first time after two months. I shaved off my goatee.

These are random, daily functions that pertain to me, the person. They are isolated incidents of my life that occur, more or less often, in various forms. Unless you live with me or you have a view through my home windows, they remain private to me or to whoever I decide to disclose them to.

Privacy, in today’s electronic maelstrom of a society, is a commodity as rare as honesty and loyalty. We have somehow been led to believe that if we buy items at the store using a credit card, it’s okay for the store to call or email us with offers of similar products. We have been led to believe that our eating, drinking and partying habits are okay to be shared, in photographs and videos on MySpace, hi5, Facebook and other “social networking” venues.

We have been shown the wrong way of living.

As if Mondays are not *the* worst days of the week alongside Fridays, today Sedo.com announced that a new set of features will be enabling users to conduct sales and business in an easier, transparent manner.

In all reality, what Sedo created today, is the prelude to doomsday as it pertains to privacy of domain transactions on this marketplace, that boasts millions of domains for sale.

Essentially, Sedo stopped short of announcing a “MySpace” type environment, with options such as seniority of sellers, the geographic location that they trade from, a rating system and a display of their tax options, all fully displayed via a link to any other person logged in to the Sedo platform. Other added features that somehow made it past beta-testing without any concern from the management or the programmers include displaying how long a domain has been listed for sale on Sedo and the option to link to a seller’s entire portfolio via the profile of any other domain they have on sale.

Sedo did one thing right and all of the rest wrong.

What Sedo did right was the *option* to link to the rest of the domains in one’s portfolio - defaulting it to “No linking”. This is a solid design principle at work. It’s the well-thought-out design of the programmer who wants to offer options but also respects people’s choices.

What Sedo did wrong, was the rest of it.

To create a Sedo account one needs a few seconds. It’s like signing up for Gmail or registering with Papa John’s pizza online. Once you create a Sedo account, the fun begins. The newly introduced features allow *anyone* with very basic programming skills to scour the live data of Sedo and scrape it.

It’s as if Sedo allows *anyone* with an account to take a long, satisfying snoop into your lounge while you eat. While you order books from Amazon. Whether your home loan was approved. How many kills you landed at Counter-Strike. If you’re wearing aftershave or not.

It’s all about offering raw data, easy to be mined by anyone.

Sedo programmers need to be fired for a series of fundamental programming flaws. First off, the same suicidal approach that was used with the identification of the auction system is being used again: sequential numbers, ranging - for example - from 000001 to 99999999 and beyond. In order to view and gather transaction details, all one has to do is increase the number of the parameter describing the auction and store the results in a database. No confirmation needed. No session variables. Just full path variables that are exposed and tweaked to reveal the next in line. No captcha used in order to stop a scraper dead in its tracks.

Having fun yet?

Sedo’s new profile features can be exploited to store aggregate data, linking each and every auction on Sedo to the person that made it. It’s not just like NameBio storing domains and sales prices scraped off the front page of Sedo; it’s about storing *every* auction’s info, the seller’s profile, their location, their ratings as seller and buyer, how long they have used the Sedo platform and how long the domain has been offered for sale - all IDENTIFIED by a unique, open (not hashed) id number.
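The open sequential id described here, and the “md5 hash of the id + the domain” fix suggested in the later Sedo post above, as an added Python example that is not Sedo’s or Parked.com’s code: it shows why an unkeyed hash of a small, sequential id space can simply be recomputed, and sketches the alternative the patched “Meet the seller” link resembles, a random, expiring reference that only maps back to the seller in server-side state. The sample seller id, domain, TTL and the per-requester failure counter are assumptions made for the illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample values: the seller id and domain are made up for this example.
SAMPLE_SELLER_ID = 4242
SAMPLE_DOMAIN = "example-domain.com"


def unkeyed_reference(seller_id: int, domain: str) -> str:
    """Reference built as the thread suggested: an unsalted md5 of id + domain."""
    return hashlib.md5(f"{seller_id}:{domain}".encode("utf-8")).hexdigest()


def recover_id_from_unkeyed(token: str, domain: str, max_id: int) -> Optional[int]:
    """Why an unkeyed hash of a sequential id is not 'something that cannot be
    reversed': the id space is small and the recipe is guessable, so the hash
    can be recomputed for every candidate id until one matches. Use this as the
    defender's check that a proposed scheme actually hides the id."""
    for candidate in range(1, max_id + 1):
        if unkeyed_reference(candidate, domain) == token:
            return candidate
    return None


class ReferenceIssuer:
    """Assumed design, not Sedo's code: an opaque random reference minted when
    the "Meet the seller" link is rendered, resolved only through server-side
    state, and forgotten after a short window."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self.ttl = ttl_seconds
        self._live: Dict[str, Tuple[int, float]] = {}  # token -> (seller_id, expiry)
        self._failures: Dict[str, int] = {}            # requester -> rejected lookups

    def issue(self, seller_id: int, now: float) -> str:
        # 192 random bits, unrelated to the seller id: there is no sequence to
        # walk and no recipe to recompute.
        token = secrets.token_urlsafe(24)
        self._live[token] = (seller_id, now + self.ttl)
        return token

    def resolve(self, token: str, now: float, requester: str = "anonymous") -> Optional[int]:
        entry = self._live.get(token)
        if entry is not None:
            seller_id, expires_at = entry
            if now <= expires_at:
                return seller_id
            del self._live[token]  # expired: forget it
        # Unknown or expired token: count it per requester so bulk guessing stands out.
        self._failures[requester] = self._failures.get(requester, 0) + 1
        return None

    def rejected_lookups(self, requester: str) -> int:
        return self._failures.get(requester, 0)


def demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Run both schemes on the constructed sample and return
    (id recovered from the md5 reference, id resolved from a live opaque token,
    result of resolving the same token after it expired)."""
    md5_ref = unkeyed_reference(SAMPLE_SELLER_ID, SAMPLE_DOMAIN)
    recovered = recover_id_from_unkeyed(md5_ref, SAMPLE_DOMAIN, max_id=10_000)

    issuer = ReferenceIssuer(ttl_seconds=300)
    token = issuer.issue(SAMPLE_SELLER_ID, now=1_000.0)
    live = issuer.resolve(token, now=1_100.0)
    stale = issuer.resolve(token, now=1_400.0)
    return recovered, live, stale


if __name__ == "__main__":
    print(demo())  # (4242, 4242, None)
```

The failure counter is the detection hook: a single account producing a large number of rejected lookups is walking references, which a sequential id scheme would never reveal because every guess succeeds.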

Read further to understand how poorly Sedo thought of this new set of features.

Once our rogue scraper guy has created their Sedo profile, they can scrape the entire database of Sedo’s users - all 1.3+ million of it - including their unique id number and their location. Then, that unique id number can be looked up further and their seller and buyer profile info stored as well. Once a sale occurs, the auction’s information can be stored too.

The problem lies with the ability to link all three of these together. It’d be a database containing identifiable information that can very easily be enriched with WHOIS data to fully pinpoint a seller’s achievements, strategies in pricing and the time that these sales occurred.

Did I mention that a lot of domains have WHOIS privacy protection but once listed on Sedo the seller’s location is revealed?

I will refrain from creating a proof of concept, at this time. But frankly, it takes $50 to pay a programmer from India that’d rummage through the freely available “features” and safely store it all away, without Sedo even being aware of it happening. To them, these are “features” that enable users to conduct business better. To me, it’s a violation of my privacy rights and an open welcome to data miners.

Programmers take orders from project managers. Whoever managed this project needs to go back to college.

I urge everyone who sells domains on Sedo.com to contact support@sedo.com and raise their strong objection to this set of wide open trapdoors on the domain selling floor.

Gender-bending on the Internet: The Ballad of Stephanie & Bobby

Posted by Acro in Business, Domains, Social issues on March 6th, 2008

Stephanie was in distress.

The loss of her parents in a fiery car accident left her an orphan at a young age. She was raised by her paternal grandfather, whose chronic ailments brought on many bills she was struggling to assist with. At the young age of 20, she had already become a mother and a wife, unhappily married to her military husband who was on his way to his 3rd tour of duty in Iraq. She was glad he was gone, because when her husband stayed at home he was abusive to her and the kids, forcing her to participate in acts of swinging and had, in her own words, “messed her mind up so much”.

As a stay-at-home mother of two, she cared for her little ones by undertaking online jobs: quick and dirty web design projects, programming of small portals, database creation and reselling domains of questionable value and of adult nature. Her friends of the same age went out partying, studied at college and held steady jobs. She was in a tight place, battling life’s unfortunate surprises, doing the best she could - when disaster hit again. Her oldest son, a beautiful boy with curly hair and big brown eyes, got infected with staph - and after developing high fever, he quietly passed away - on the last day of winter. He would have been 3 years old a few weeks later.

Stephanie was devastated. She had to arrange for her son’s funeral, pay the bills and care for her other child, while her husband was stationed thousands of miles away, battling insurgents in Baghdad. Her grandfather was bed-ridden, his mobility lost after suffering several strokes. She had nowhere to turn to and time was running short.

Nowhere - except for her online group of associates, forum participants and other potential buyers of her assets and services. It was 4am when Stephanie posted online how her little child had passed away and coyly asked for support for his loss. She uploaded a picture of the little child, a smiling little angel who could not possibly foresee his untimely demise when the photo was being taken.

The response was overwhelming. From behind keyboards and screens located all over the world, out came messages of support and soothing words of admiration for her courage. Some people offered to send flowers, others pledged money in a fund that’d be created for the surviving child. Others sent virtual *hugs* and electronic postcards, feeling deeply touched by her loss.

Stephanie was crying tears of joy. The funeral would take place two days later, so she had to get some money fast. She listed 300 domains for sale - about a tenth of her portfolio - her online signature tagging each of her posts as a reminder of her family’s tragedy. The sales thread received hundreds of visitors in the first few hours and Stephanie was almost certain now that God had not abandoned her.

She logged out, turned the computer off and went to wash up in the bathroom. Her big, six-foot tall frame and burly physique were staring at her from across the mirror. She straightened her thick black mustache, well-groomed for the past 10 years to compensate for the loss of her cranial hair, and while standing up she took a much-needed piss.

Bobby flushed the toilet and could not hold back a belch of relief.

He adjusted his pants and checked out his teeth in the mirror. At the age of 53, he had to be careful with his physical condition; he was not a young pup any more. Having spent several years of his youth in prison for fraud, grand larceny and indecent exposure, he had to be careful when talking about himself. As a convicted felon, he knew that he faced criminal charges if he stole the identity of another person to conduct his business, so he, like another Norman Bates at the “Psycho” hotel, had invented a grand-daughter: the playful, sassy and disaster-prone Stephanie, whose problems seemed to increasingly step out of the darkest pages of “Les Miserables”.

Back at the online forum, the sales thread was still going strong the next morning. Bobby smiled, looked outside the window and sat down to enjoy a hearty breakfast. Life was finally good.

——————

This story is based on actual events. The Internet offers unscrupulous individuals the opportunity to devise and assume new identities, forging a lifetime of accomplishments and even changing their own gender in order to suit their goals. One has to be particularly careful when conducting interpersonal or business transactions with people who inexplicably flaunt their gender or ailments and who cannot provide verifiable information about themselves. Gaining one’s trust is easy, especially when people view such pleas of despair with goodwill. Regardless of financial gains, faking one’s identity can be a devastating event that affects the impersonator, their immediate circle of friends and family - while ruining the faith and trust of the community he or she reaches out to. And it’s also punishable by law.

Protecting your virtual assets

Posted by Acro in Business, Domains, Social issues on March 1st, 2008

Remember that high school kid that used to break into everyone’s lockers to steal your stuff?

Guess what, he’s now an adult and he still steals - only this time, it’s your virtual assets he’s after: your domains, your emails, access to your bank and credit card accounts. This kid simply changed the size of the game but the rules remain the same: he’s still a thief and you’re still the potential victim.

Welcome to the wonderful world of intangible property theft.

As I am typing this, there is a chance that a keystroke-recording program is storing my text and beaming it out to an online location to be dissected later by unscrupulous thieves. When I hit send on my e-mail, it could be copying its contents to someone else. While I am checking my bank account balance on my laptop from the living room via wifi, some person might be getting a nice view of it while web surfing on my dollar.

There are several rules that you must observe, to avoid such trouble; each and every one of them will make such an unfortunate situation less probable. I’ve compiled a list of rules, and the list grows larger by the day; the more we rely on technology, the faster we become a target.

  • Install an anti-virus, firewall and anti-scumware application. There are lots on the market; some are free and some have extensive features that make the purchase of the full version worthwhile. If you run a business, such an expense is a write-off as well.
  • Never use a wireless connection for logging onto your bank account. If you must, enable secure connections with long keys and disable wifi at your router when not in use. Absolutely do not use an Internet cafe for that purpose.
  • Passwords are there for a reason: to provide privacy and access only to you. Do not use the same password across different accounts and forums. If it gets compromised, your entire online social activity will get compromised also. Make passwords hard to guess: use upper case, lower case, numbers and symbols. Always use the maximum length allowed. For security questions stored alongside passwords, such as “Where are you located?”, never answer the obvious but always give a surreal, unrelated answer, e.g. “popsicles”. Never store your unencrypted passwords on electronic media, such as your PC; write them down on paper instead.
  • Communication is essential. There are several instant message programs, such as Yahoo, MSN, AIM, ICQ etc. They offer convenience and they are quite often compromised by off-the-shelf tools that can scan your computer for vulnerabilities, often taking control of it. As a rule of thumb, avoid using them altogether for business; or at least, avoid talking to strangers or people you cannot trust 100%.
  • Your domain Registrar offers the default tools of locking down domains, utilizing email alerts and other such precautionary measures to avoid losing domains. Lock your domains and consider registering the most valuable ones for several years in advance. There is nothing worse than an expired domain you lost due to negligence of your own.
  • Never fall for the social engineering attempts either. When you get a call from your bank or the web host or someone who claims to be of a certain authority, do not provide any information. Ask who they are and tell them you will call back. If they provide you with a phone number, make sure it’s the official number of the institution that is listed at their web site. Never reveal your social security number or your bank account number.
  • Online forums that offer the ability to trade are a haven for scammers to proliferate. If they ask for money to be transferred via Western Union or eGold, avoid them like the plague. PayPal does not offer comprehensive protection either. For large amounts of money in transactions with strangers, prefer escrow services, such as Escrow.com, Moniker’s escrow, or Sedo’s escrow - or seek payment to be made via bank wire. Always research the background of the traders and avoid “comets” that appear out of nowhere. Remember: if a deal is too good to be true, it probably is just that!
  • Always shred documents such as old bills, bank offers, legal papers, credit card documents - never toss them intact or cut up in the trash. The easiest way for thieves to gain access to your information is by picking your trash apart. For the same reason, never leave your outgoing mail in the mailbox to be picked up. Don’t be lazy, drop it off directly at the post office facilities.
  • Lastly, if you attend a convention party, be careful about having too many drinks and start disclosing personal information to that beautiful person that came out of nowhere. Social engineering via sexual attraction has worked since the days of Adam, when Eve bit the apple and gave it to Adam, with a kiss. God, being the keeper of the Eden BBS was mighty angry and instantly banned them both. :)

Humor aside, your virtual assets control your tangible assets. You’re responsible for being careful and prudent about the ways that will keep them safe. This way, you can sleep at night, without having bad dreams about an empty account.

Domains and Divorce: Until Registrars do us part

Posted by Acro in Domains on February 9th, 2008

Forget about wedding oaths: they exist in order to be broken. People are not computers that obey strict code commands without ever changing their behavior, opinions and preferences. People get married and quite often, they get divorced.

A lot of married people are domain owners, or a lot of domain owners are married people. Or something along these lines; sometimes one spouse is pursuing domaining as a hobby or business, sometimes both spouses do - as a couple. More often, one spouse is unaware of the other spouse’s entrepreneurial quests into the exciting domain universe and only discovers this per the request of Smith, Jones & Abernathy, Esq. - or whatever law firm handles their divorce proceedings.

I speak from experience. It’s fair to say, that while my first domain name was verbalized by me, it was my then lovely wife who tagged the “.com” to it and prompted me to register it. Eleven years later, I’ve been divorced for some time and the domain is orphaned in the hands of the Registrar. Ah, the memories. Not!

I was one of the lucky ones. When I started registering domains with the aim of reselling them, my obvious choice was to go with the cheapest and newest kids on the block: GoDaddy.com - at $12 a pop - a steep discount from Network Solutions’ $35 per registration.

Back then, GoDaddy’s homepage did not feature Danica Patrick and did not have Superbowl clips full of double entendre about her “beaver”. For if it had any such frolicking content, I would be in deep trouble - simply because my less-than-domain-savvy wife of that time perceived all the credit card charges from “GoDaddy” as subscriptions to pornography. Ironic, isn’t it? Eight years later, Bob Parsons strives to bring domains to every American home by pimping all-American softcore beauties, but it was my former wife who discovered GoDaddy’s untapped pornography potential in 2000. Kudos to you, hon!

Going through a divorce is devastating, especially if it’s one-sided: when one is committed to the marriage and yet, somehow, the other decides to go their merry way. Under the pressure of these days, one can make desperate decisions that they would not have made otherwise. Emotionally and financially, every divorce is a test for the person who - in disbelief - remembers the words they uttered at the wedding ceremony: Until death do us part.

A great guy I’ve known for the past 6 years, is going through an apparently bitter divorce, that has been sucking his physical and mental energy faster than an iPhone drains its batteries. He’s been paying ungodly amounts of cash as preliminary financial support. And deep down inside, I am certain he loves his wife - this is the hardest part of it all.

I exchanged a few words with him yesterday and our conversation sparked this very post, because I do not wish anyone to make the same hasty, desperate moves that I did when I was in the same situation. And trust me, there were plenty of them! At that point in time when one becomes desolate and uncertain about their upcoming financial obligations, when legal fees rear their ugly head on the not-too-distant horizon - that’s when one thinks that the best action would be to liquidate the most valuable assets first.

In all actuality, it’s a grave mistake to do this.

So I sold LLL .com’s for less than $1k, several actually, flipping them for a couple of hundred bucks in profit. And I watched my LL .net’s go for $1.5k - they sell for at least ten times that, today. And I sold dozens of 3-Char .com’s at a buck or two above reg fee; I could buy a new car today just by selling them at today’s $200 minimum. Eventually, after the divorce process was over, I had sold my very own domain to recover some of the divorce fees. I needed a new identity as well, to emotionally distance myself from my former spouse who had tagged the “.com” to the words of my choice.

Still, I consider myself lucky.

Ever since my divorce four years ago, I have been able to focus on my targets and goals, without fear of interference and without dreading any lack of support. I was lucky, because my ex never considered my domains to be worth anything and laughed at my practice of going through expiration lists of thousands of domains, one by one. Those “worthless” domains paid off my home and car loans and allowed me to pull myself out of a sticky financial and emotional situation. I was lucky, because I was able to prove myself - to succeed alone and unsupported - much like a gladiator relies on his own two feet and his own sword.

Life is hard when two people divorce; life can be considerably harder when one makes hasty decisions, selling off assets in panic in order to secure their position during a divorce. We domain owners should be cool-headed and manage our assets, always planning for a better future - while always preparing for the worst.

Brother, can you spare a domain?

Posted by Acro in Domains on February 8th, 2008

A CEO of a construction company emailed me once, emphasizing how he’d rather “put food on the family table” than pay any type of fee for a domain I owned. In fact, he outright said that he needed the domain name and that, by declaring his inability to pay, I should hand it over to him. When I Googled his name and examined the location of his IP, it was evident that my family man lived in a very rich neighborhood in New England.

Then there was that email from a self-professed poor student from Central America, who had somehow discovered his true dream was to own the .com variant of a very busy .net domain. He needed the .com which I had, but he could not afford to pay for it, on his small budget. A little co-ordinated research done by my contacts in Latin America returned the location of the multi-national corporation that had set eyes on my domain.

Yet another time, a very inquisitive domain “speculator” called me up to share his excitement about “domain investing”. I wasn’t exactly excited hearing how he and his two partner buddies “scrounged up $300 each” to pay me a handsome grand for a 10-year old developed domain. When he made the mistake of giving me his phone number, I looked him up; only to find that his company had been bought up by Yellow Pages for several million dollars, a month earlier.

Greed, anyone?

Now, don’t think for a second that I am a heartless, frigid entrepreneur who enjoys watching people suffer. On the contrary. I was never filthy rich and even by today’s standards I am neither rich nor well-off. I’d say I live comfortably by my own definition of comfort and needs. I don’t own a yacht or an SUV, nor do I spend my time sipping pina coladas on some golden sandy beach. I do reside in Florida though - the state that pays in cents and sunshine.

But I detest beggars that think they can outsmart me at my own game. It used to be confusing at first, then intriguing, then funny - but once the emails started piling up with the proliferation of bulk emailing software, it’s combat time. As former military, I am aware of the principles of being alert and I thoroughly examine the grounds around my perimeter. Every incoming offer is scrutinized, every generic “John Smith” with a Gmail address is seen as a 99% attempt to scam me - every inquiry from a “female investor” is seen as a lame attempt to capitalize on my XY genes.

I’d rather receive a lowball offer, which I’d then attempt to negotiate upon or not - again, based on my research of the person making the offer - than to waste time trying to reason with a preying, lying scammer, who uses a variety of social engineering methods to extract my property for free. I’ve learned that one has to earn their worth in business and life in general - begging as a profession does not cut it with me.