Posts Tagged ‘Sedo.com’

The great auction of career domains begins today

Posted by Acro in Business, Domains on June 3rd, 2009

Right at a turning point for the economy with good signs of improvement, Sedo begins a week-long themed auction of “Career” domains. With more Americans looking for employment than ever, it’s a good opportunity for businesses and individuals to invest in domains that represent a large portion of the job-related keywords searched daily.

Two of my domains appear at the auction:

CorporateCareers.com – Registered since 1996, this Google PR2 domain is best suited for Human Resource (HR) professionals that want to possess a dynamic pair of keywords in their domain portfolio, or domain investors that plan to build a database of international, national or regional jobs. A lot of the job searches specifically look for mid to upper management positions that also pay premium salaries.

Job-Hunting.com – Registered since 1995, this Google PR4 domain is ideal for professionals that seek employment, or “headhunters” who want an aggressive domain that supplements their corporate brand. The keywords turn up a solid 5.75 million results in Google, in quotes! The domain is taken in all major TLDs; that’s another indication of how well sought-after it is. Do not let the dash deter you, these are top notch keywords for SEO!

Each domain goes on auction with a reasonably low reserve price of $1,500 which will pay itself many times over when used to promote and facilitate career placement functions.

Careers Auction – Starts June 3, at 12:00 PM EST and ends June 10, at 12:00 PM EST


Perfect number, perfect sale: 360.org sells for five figures

Posted by Acro in Business, Domains on January 16th, 2009

When I acquired 360.org a little over a year ago, I was not intimidated by its seller’s asking price. In fact, the purchase of 360.org took very little negotiation behind the scenes; I was willing to pay the $2,500 price tag but ended up paying five hundred bucks less. To me, paying two grand for a perfect number was worth it.

Wikipedia explains why 360 is such a special number. You don’t have to be a freak of numerology to recognize it as the definition of a full circle in degrees, and the circle as a shape does seem to maintain both actual and apocryphal qualities.

When I acquired the domain name, I envisioned creating a web site about earth, communication, the environment – something global and related to nature. A lot of companies use domains that end in “360.org” and I did have several inquiries from such entities, claiming “not for profit” status and thus making rather symbolic and unsatisfactory offers, which I had to decline. I am in this business for profit and although charity has its place in my personal and professional life, I was not going to let go of this domain cheap.

A few months later, I listed 360.org at TRAFFIC / Orlando 2008, with an optimistic reserve of $6,000. At the live auction, the Moniker guys presented it by gesturing the shape of a circle to the bidding crowd. It was instant recognition of what the number signifies.

Fortunately, the domain did not sell; I realized afterwards that a room full of domainers looking for single word .com’s with traffic did not present me with the best selling options. However, it’s interesting seeing that none in this educated crowd shared my 360-degree vision!

At the end of 2008, a year after the domain’s acquisition, I received a couple of private inquiries – one of them was a rather arrogant email “demanding” a selling price instead of bearing the burden of placing an offer through Sedo. I have little tolerance for behind-the-keyboard snubs and my response was definitely a non-politically correct one.

Right before Christmas, the second inquiry started with a low offer of $2,000 via Sedo and ended at $10,000 with the bidder withdrawing their bid when I asked for more. Now, I am not one who shuns ten grand easily, as it represents a considerable amount of money; after the bidder canceled their round of offers I had that clutching feeling in my stomach thinking, “Did I just throw $10,000 in the garbage?”

I contacted Sedo and attempted to learn more information about my mysterious bidder; they responded that although they were not an active member they were a company. This small bit of information gave me the chance to a) feel better about having just declined a ten thousand dollar offer and b) initiate a secondary round of contact via Sedo’s brokers. They were instructed to inform the bidder that the domain was worth much more than their final bid and that I was willing to negotiate a sale – if only we could meet in the middle.

The secret to successful domain sales seems to be simple: stick to your gut feeling guns. Evaluate a domain’s worth using your own intuition and don’t listen to the obligatory surrounding noise telling you that the economy is down, that the domain’s worth a registration fee, or that you’re simply crazy. At least, be objective with the value of your own assets and learn the methods required to evaluate them.

Right after New Year’s, the same bidder placed a direct offer at Sedo, much higher than the previous one. At that point I was confident that this transaction was almost complete; despite that, I took the chance of counter-offering a higher amount (the “stick to your guns” element) but lower than what I wanted during the first round. The bidder responded with a counter-offer a few thousand dollars lower; I played my final round of “cat and mouse” with one more offer, confident that they would accept it and close the deal.

I went to bed that night knowing that in the morning I’d have a sale.

So the agreement was made a week ago and the exchange occurred this week, making the transaction complete and official. As far as I know, it’s the largest recorded sale of a 3-number .org; perhaps of any number in .org. After all, a perfect number like 360 requires a perfect sale!

To find out the exact selling price, check out DNJournal next week. For several years now, Ron Jackson’s highly commendable efforts of recording and re-energizing the domain community through the research, publication and analysis of domain sales have been producing superb results for our industry.

Have a fabulous new year!


Sedo.com scrambles to patch data breach but concerns still remain

Posted by Acro in Business, Domains, PPC Companies, Social issues on August 27th, 2008

Less than 24 hours after introducing a series of features that exposed seller data to anyone with the will to acquire it and basic scraper-scripting skills, Sedo.com changed the way the “Meet the seller” link functions.

In a dry and short statement issued on DNForum, Sedo’s Customer Relations Associate Monica Ibrahim said:

“As a quick FYI, our tech team has made sure to remove all personally identifiable member ID data from the Seller’s Activity Index. We apologize for the initial issue. Please note that member IDs are not present in the Seller Activity Index or on the Domain Portfolio Links (which can be deactivated if you wish as mentioned earlier)”

Prior to this statement, Sedo vehemently denied that any privacy breach had taken place while maintaining their position that the newly introduced features will benefit the sellers and buyers that use Sedo.com as their domain marketplace.

Indeed, Sedo programmers scrambled to change the database interfacing from using an open sequential id to a hashed (encoded) string unique for the period of time the user clicks on the “Meet the seller” link. Upon my suggestion that Parked.com should offer assistance to the Sedo.com programming team, Donny Simonton exclaimed:

“I wish we could offer some help. As a programmer I do understand what they are trying to do. They are being lazy, been there many times. I would think they could easily change it to a md5 hash of the id + the domain or something similar. Something that can not be reversed.”

Despite the fact that these changes were quickly implemented upon my public announcement of how exposed the seller info has been, Sedo has yet to fix the way their auctions are referenced, using the same non-hashed open id. Currently, all 39,000-something completed and on-going auction pages are exposed to scraping by data miners.
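The difference between the two approaches discussed above, as an added example (not Sedo’s code and not part of the original post): an unkeyed digest of id + domain can be recomputed by anyone who knows the domain, while a keyed, session-bound, expiring token cannot. All function names, the session id and the 300-second lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional


def md5_reference(seller_id: int, domain: str) -> str:
    """Unkeyed digest of id + domain, the scheme floated in the quote."""
    return hashlib.md5(f"{seller_id}{domain}".encode()).hexdigest()


def recompute_check(reference: str, domain: str, max_id: int) -> Optional[int]:
    """Audit helper: with no secret involved, anyone who knows the domain
    can recompute the digest for each id in a small sequential range."""
    for candidate in range(1, max_id + 1):
        if md5_reference(candidate, domain) == reference:
            return candidate
    return None


def _mac(key: bytes, session_id: str, domain: str, seller_id: int, expires: int) -> str:
    # "|" cannot occur in a domain name; session ids are assumed not to contain it.
    msg = f"{session_id}|{domain}|{seller_id}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_reference(key, session_id, domain, seller_id, now, ttl=300) -> str:
    """Keyed, session-bound, expiring token to put in the link instead of the id."""
    expires = int(now) + ttl
    return f"{expires}.{_mac(key, session_id, domain, seller_id, expires)}"


def verify_reference(key, session_id, domain, seller_id, token, now) -> bool:
    """Server side: seller_id comes from the server's own lookup of the domain,
    never from the request."""
    try:
        expires_text, mac = token.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False
    if now > expires:
        return False
    expected = _mac(key, session_id, domain, seller_id, expires)
    return hmac.compare_digest(mac.encode(), expected.encode())
```

The token only hides the identifier; the pages it leads to still need a server-side check that the logged-in user is allowed to see them.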

Most importantly, Sedo has not changed the way the new features are utilized under a user’s profile: the user’s country location, seniority at Sedo, arbitrary ratings (zero to five stars) as a seller and a buyer and how long a particular domain has been at Sedo – all these are openly available to any logged-in user, without permitting the account holder to turn these features off.

Sedo has so far kept a low profile on the matter, but the reaction of the serious, active traders has been sharp and full of negative criticism towards the way that Sedo has decided to shove these new features down the throats of users. With offices in the UK and Germany, Sedo is challenging a series of strict laws protecting the privacy of individuals and corporations; stricter than US regulations about personal data safekeeping. Meanwhile, Sedo has stated that if a user decides to leave the Sedo selling platform and delete their user profile, their data remains with Sedo indefinitely. This has serious implications for any potential data breach in the future: user accounts contain a lot of financial and other private information and Sedo’s programming methods reveal a lax approach to security.

Keep contacting Sedo via the email support@sedo.com and their support hotline at (617) 499 – 7200 (keypress 3) to voice your opposition to the lack of an ON/OFF switch for the newly introduced features.


Sedo.com introduces trapdoors to the domain selling floor

Posted by Acro in Business, Domains, PPC Companies, Social issues on August 26th, 2008

Yesterday, I ate lasagna for dinner. I bought two history books from Barnes & Noble. I applied for a home loan. I played Counter-Strike for the first time after two months. I shaved off my goatee.

These are random, daily functions that pertain to me, the person. They are isolated incidents of my life that occur, more or less often, in various forms. Unless you live with me or you have a view through my home windows, they remain private to me or to whoever I decide to disclose them to.

Privacy, in today’s electronic maelstrom of a society, is a commodity as rare as honesty and loyalty. We have somehow been led to believe that if we buy items at the store using a credit card, it’s okay for the store to call or email us with offers of similar products. We have been led to believe that our eating, drinking and partying habits are okay to be shared, in photographs and videos on MySpace, hi5, Facebook and other “social networking” venues.

We have been shown the wrong way of living.

As if Mondays are not *the* worst days of the week alongside Fridays, today Sedo.com announced that a new set of features will be enabling users to conduct sales and business in an easier, transparent manner.

In all reality, what Sedo created today is the prelude to doomsday as it pertains to privacy of domain transactions on this marketplace, which boasts millions of domains for sale.

Essentially, Sedo stopped short of announcing a “MySpace” type environment, with options such as seniority of sellers, the geographic location that they trade from, a rating system and a display of their tax options fully displayed via a link to any other person logged in the Sedo platform. Other added features that somehow made it past beta-testing without any concern from the management or the programmers, include displaying how long a domain has been listed for sale on Sedo and the option to link to their entire portfolio via the profile of any other domain they have on sale.

Sedo did one thing right and all of the rest wrong.

What Sedo did right was the *option* to link to the rest of the domains in one’s portfolio – defaulting it to “No linking”. This is a solid programming concept at work. It’s the well-thought design of the programmer who wants to offer options but also respects people’s choices.

What Sedo did wrong, was the rest of it.

To create a Sedo account one needs a few seconds. It’s like signing up for Gmail or registering with Papa John’s pizza online. Once you create a Sedo account, the fun begins. The newly introduced features allow *anyone* with very basic programming skills to scour the live data of Sedo and scrape it.

It’s as if Sedo allows *anyone* with an account to take a long, satisfying snoop into your lounge while you eat. While you order books from Amazon. Whether your home loan was approved. How many kills you landed at Counter-Strike. If you’re wearing aftershave or not.

It’s all about offering raw data, easy to be mined by anyone.

Sedo programmers need to be fired for a series of fundamental programming flaws. First off, the same suicidal approach that was used with the identification of the auction system is being used again: sequential numbers, ranging – for example – from 000001 to 99999999 and beyond. In order to view and gather transaction details, all one has to do is increase the number of the parameter describing the auction and store the results in a database. No confirmation needed. No session variables. Just full path variables that are exposed and tweaked to reveal the next in line. No captcha used in order to stop a scraper dead in its tracks.

Having fun yet?

Sedo’s new profile features can be exploited to store aggregate data, linking each and every auction on Sedo to the person that made it. It’s not just like NameBio storing domains and sales prices scraped off the front page of Sedo; it’s about storing *every* auction’s info, the seller’s profile, their location, their ratings as seller and buyer, how long they have used the Sedo platform and how long the domain has been offered for sale – all IDENTIFIED by a unique, open (not hashed) id number.

Read further to understand how poorly Sedo thought of this new set of features.

Once our rogue scraper guy has created their Sedo profile, they can scrape the entire database of Sedo’s users – all 1.3+ million of it – including their unique id number and their location. Then, that unique id number can be further looked up to store their seller and buyer profile info. Once a sale occurs, the auction’s information can be stored as well.

The problem lies with the ability to link all these three together. It’d be a database containing identifiable information that can very easily be enriched with WHOIS data to fully pinpoint a seller’s achievements, strategies in pricing and time that these sales occurred.

Did I mention that a lot of domains have WHOIS privacy protection but once listed on Sedo the seller’s location is revealed?

I will refrain from creating a proof of concept, at this time. But frankly, it takes $50 to pay a programmer from India that’d rummage through the freely available “features” and safely store it all away, without Sedo even being aware of it happening. To them, these are “features” that enable users to conduct business better. To me, it’s a violation of my privacy rights and an open welcome to data miners.
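On the operator’s side, the sequential-id walk described above leaves a recognisable pattern in access logs. The following is an added example, not part of the original post and not Sedo’s code, that flags clients fetching consecutive ids in quick succession; the log format, the `/auction?id=` path, the thresholds and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log format: "<epoch seconds> <client> GET /auction?id=<n>"
LINE = re.compile(r"^(\d+) (\S+) GET /auction\?id=(\d+)$")

# Constructed sample: one client walks ids 5000..5006 a second apart,
# another browses a few unrelated listings at a human pace.
SAMPLE = [f"{1000 + i} 192.0.2.10 GET /auction?id={5000 + i}" for i in range(7)]
SAMPLE += [
    "1001 198.51.100.7 GET /auction?id=120",
    "1030 198.51.100.7 GET /auction?id=121",
    "1042 198.51.100.7 GET /auction?id=37",
]


def find_id_walkers(lines, min_run=5, max_gap_s=10):
    """Return {client: longest run} for clients that requested at least
    min_run consecutive ids with no more than max_gap_s between requests."""
    last = {}                    # client -> (timestamp, id, current run length)
    longest = defaultdict(int)   # client -> longest run seen so far
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue             # ignore lines in any other format
        ts, client, obj_id = int(m[1]), m[2], int(m[3])
        prev = last.get(client)
        if prev and obj_id == prev[1] + 1 and ts - prev[0] <= max_gap_s:
            run = prev[2] + 1    # next id in sequence, fetched quickly
        else:
            run = 1              # sequence broken or too slow: start over
        last[client] = (ts, obj_id, run)
        longest[client] = max(longest[client], run)
    return {c: n for c, n in longest.items() if n >= min_run}


if __name__ == "__main__":
    print(find_id_walkers(SAMPLE))
```

A check like this catches only the plain incrementing walk from a single client, so it complements unguessable identifiers and per-account rate limits rather than replacing them.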

Programmers take orders from project managers. Whoever managed this project needs to go back to college.

I urge everyone who sells domains on Sedo.com to contact support@sedo.com and raise their strong objection to this set of wide open trapdoors on the domain selling floor.
