J. Timothy King's Blog » Intellectual Property

Grand Theft Internet (part 5)

J. Timothy King — Tue, 06 Apr 2010 21:54:40 +0000

This is a true cybercrime story, which hit my friend Tom. Click here to read the story from the beginning. OR Click here to read the whole story as a single page.

Chapter 5

Sunday, March 28, 8:06 PM EDT

“They stole vl.com!!!!!!!!!!!!!!!!!!!!!!!!”

By 7:45, Glen had discovered that the attacker had been manipulating the DreamHost support people in order to crack into Tom’s account and steal VL.com, a tactic called “social engineering.” Glen discovered this just minutes too late.

Glen immediately promised to gather forensic evidence in order to get back Tom’s domain, to insist on reforms of DreamHost’s policies and practices, and to pursue prosecution. He confirmed that there had been a security breach at DreamHost, and that the support people on chat were not supposed to be making changes on customers’ accounts. DreamHost serves as registrar for over a half-million domain names, and hosts close to a million websites, and the attacker could have gone after any of these— and still could. No doubt, the story, as he reconstructed it, stunned and panicked him and everyone else at DreamHost.

In most incidents of stolen domains, once the domain is transferred away, there’s little the rightful owner can do to get it back. File a police report: check. But aside from the blank stares, you’re likely to get little response. File a report with the FBI: check. But while the FBI is very interested in being informed, unless there’s substantial monetary loss, they can’t justify the resources needed to investigate and prosecute. Challenge the domain on trademark grounds, but that will cost thousands of dollars and take God-knows-how-long. You could even beg with the foreign registrar, but without conclusive evidence of fraud, they won’t undo the transfer. Most businesses who lose their domains to domain hijacking or domain theft, they simply give up.

The break in the case was perhaps Glen’s enthusiasm. Many companies would have clammed up in the face of these circumstances— Indeed, many have done so, whether to avoid being sued or just to avoid being bothered. And without DreamHost’s help, Tom’s situation would have been as bleak as the rain-soaked skies that week. If Tom had complained to the registrar in the Bahamas, they probably would have dismissed him. But when an official DreamHost representative did so, they listened. They locked down the domain, which at least kept Tom’s Internet services up and running. They considered the evidence that Glen had dug up, which clearly showed fraud. And they promised to return the domain, once the paperwork had been processed.

Interestingly enough, the cracker refused to give up. He opened a fake Gmail account, impersonating Tom, in an attempt to trick the registrar in the Bahamas into releasing the lock on the domain. And he hit DreamHost support again at about the same time, trying to get them to stop asking for the domain back. Then he attempted again to break in to Tom’s Google-hosted domain, by trying to trick DreamHost into modifying the domain configuration— using the same MO: claim he tried to make the change himself, make up a story about encountering an error, and ask the support person to make the change for him. This would have allowed him to access all the email stored in all the accounts on that domain. But he probably only wanted to impersonate Tom, in order to call off the investigation. He may have made other attempts as well, attempts that we do not know of yet.

But the real question is how to proceed going forward.

This story is not about DreamHost. It’s about the domain industry. Domain theft happens on the Internet, and social engineering is one of the thief’s primary tactics. The most famous case is probably the theft of Sex.com, which is probably famous because of the letters S, E, and X. It took Gary Kremen years to get that domain back.

Moving my domains away from DreamHost doesn’t necessarily solve the problem. Because a cracker can attack any registrar. If I have a diamond necklace worth $100,000, I can keep it in a bank safe-deposit vault. And short of a Mission-Impossible-style heist, I can feel pretty safe that it’ll remain in my possession. If I have a domain name worth $100,000, there is no safe-deposit vault, and the quality of security at different registrars varies.

Additionally, the law is only beginning to see domain names as “property,” even though, of all the things we call “intellectual property,” domain names bear the closest similarity to real property. Until the law catches up to modern technology, we have to fend for ourselves.

As a defense, maybe there’s some value in looking for a registrar who’s as paranoid as I am. Maybe right now, that’s still DreamHost, because they’ve been spooked. And maybe there’s also some value in a registrar who will come clean when there’s a break-in, and do their best to set things right. Maybe that, too, is DreamHost. But I find it disheartening that if I go into a crowded room full of IT gurus and ask, “Where can I register my domain to keep it safe?” the best I get is, “Well, I’ve been happy with such-and-such a registrar, but no one’s ever tried to rip me off before.” No one cites any systematic studies of domain registrar security practices, and there’s no single registrar that comes to the top as the name in domain security for the average business.

Even so, there’s some value in looking for registrars that offer increased security and services, even at slightly increased prices and with longer waiting times:

positively identifying the domain owner before releasing a domain to another registrar, such as with two-factor authentication being offered by some registrars;
confirming domain transfers through phone calls or cellphone text messages, as well as the standard email;
approving domain transfers through multiple, independent means, or multiple, independent accounts, all of which must approve before the transfer goes through;
effective crisis procedures, when a break-in does occur;
effective forensic and recovery procedures, when a theft occurs;
insurability—if a domain name is stolen, the insurance company will pay for recovery or losses.

Notice I did not include domain locking in the above list, even though that’s the first thing most people mention when they talk about protecting your domain. Why not? Because (1) it’s a standard feature, (2) usually all the cracker has to do to turn it off is to click a button on some administrative panel, and (3) it can’t protect you from lax security at your registrar or a break-in of your account. However, I might add confirmed domain locking to the list, that is, require approval through an independent email address or cellphone text message before anyone can unlock the domain.

Changes to approval email addresses also should use the same approval process. So for example, no changes should be made to my account email address without affirmative approval via that email address. The current standard system, which at best sends out a “email address has changed” message, that’s inadequate for domain security, because a secure system is only as strong as its weakest link.

Even registrars of high-profile domains such as Amazon.com, BarnesAndNoble.com, and Coke.com don’t offer services like these. And some high profile domains (such as Comcast.net) have indeed been hijacked. Fortunately, if you’re Amazon or Coke, you can probably get your domain back pretty quickly with a simple phone call. But if you’re not, you need a registrar that’s going to stand up for you, no matter how small you are. And you can expect it to take days at best, or weeks, or months, or years, or forever.

There are some additional safety measures you can take to slow up a thief trying to steal your domain:

Use a secret email address for your account email.
Always use a secure computer and encrypted connection to download email.
Use long, random passwords for each email and domain account.
Use secure secrets for any “secret question,” obscure facts that no one else can find out.
If you have multiple domain names or web holdings, split them up between multiple registrars and hosting services.
Use low-value domains for daily activities, if possible. (So if someone steals away VL.com, your email will still continue uninterrupted through VentureLogic.com.)
Know how to get in touch with your registrar in an emergency, whether by phone, email, or web form, even if you’ve been locked out of your account by an attacker.
Establish secure, authenticated communication channels with people you are likely to work with to resolve a crisis: obtain email certificates, exchange public keys, and set up secure IM.
At least ask yourself, “Will that busty model come to my rescue when I have a problem with my domain?”

Unfortunately, as long as an attacker can trick the registrar to bypass security, neither strong passwords nor two-factor authentication nor double confirmation nor any other security measure will be effective.

Conceptually, you could even test a domain registrar. Try to convince them to shortcut security for you, in order to make legitimate changes to your account. And if they do, bolt. I can’t comment on whether that’s legal or not. But as for me, I’d be interested in a broad-based study of how tight security really is at the Internet’s top domain registrars.

-TimK

Additional resources:

Other mentions of the theft of VL.com:

Share this post:

Grand Theft Internet (part 4)

J. Timothy King — Mon, 05 Apr 2010 16:00:40 +0000

This is a true cybercrime story, which hit my friend Tom. Click here to read the story from the beginning. OR Click here to read the whole story as a single page.

Chapter 4

Sunday, March 28, 2:40 PM EDT

Glen, from DreamHost’s abuse-response team, replied to our support request, saying that Tom should provide certain billing details, in order to verify that he owned the account. That’s DreamHost’s standard procedure. But we believed that someone might be listening in on DreamHost’s email. How to convince Glen that this issue needs looking into? Tom emailed him back, explaining that he believed that DreamHost’s email servers had been compromised, asking to talk via phone or to send the data via fax.

Tom said to me, “I’m sure they’ve chalked this up to some customer with sloppy security getting their email compromised.”

Shortly thereafter, Glen confirmed that suspicion. He said that while he was open to evidence that DreamHost’s network had been compromised, there hadn’t been break-ins on any other accounts. He suggested that Tom scan his computer for viruses, to make sure there wasn’t something installed on it that was listening in on his email.

Tom shot back, “It’s a Linux machine with a secure password behind a firewall. I have a clue about security. The only place I am seeing any evidence of a breach is with DreamHost. The attacker attempted, and failed, to reset the password on my Google-hosted account. If he had compromised my machine here, he would have been able to intercept that email.”

That seemed to have been persuasive, as Glen looked at the situation in more detail. Although he didn’t find any record that Tom’s account password had been accessed, he accepted that Tom knew enough about security in order to avoid the common mistakes that people usually make. He also restored the account’s original email address, which gave Tom access again.

At around this time, Tom’s Google-hosted account received an email that someone was trying to transfer VL.com away to another registrar. Unfortunately, Google thought it was spam. Tom wouldn’t find the notice until another day had passed.

Sunday, March 28, 6:09 PM EDT

The dark figure had requested that VL.com be transferred away to a registrar in the Bahamas. But by the time the request had gone through, he had been locked out of the DreamHost account. If he could crack back in, however, maybe he could still complete the transfer.

Using a tried-and-true method, he chatted with DreamHost support. “Need update current email on file, but still not successful,” he said in his trademark broken English.

He was on the line with Schroder, who tried to walk him through the process.

But that would do the dark figure no good, because he couldn’t actually log into the account. His goal was to beg, trick, or badger Schroder into making the change for him. “Can you done it for me?” he asked.

“No,” Schroder replied, “I’m sorry. I can’t change it for you.”

“I can verify ownership,” the dark figure said. He gave Schroder the answer to the security question, which he had set earlier just for this contingency. He also recited the last four digits of the account’s credit card, which he had gotten from the account’s control panel and written down.

Schroder said, “If you can’t walk me through the method you’re using to change the info, then, I’m sorry, but I can’t help you with this.”

“Ok. Thanks,” the dark figure wrote, resolving to try back later with a different support rep.

Sunday, March 28, 6:52 PM EDT

While Tom waited for his browser to start up, he told me that he had two different contract programming jobs to work on this weekend, and he wanted to upgrade his operating system and switch his MythTV box over to a digital tuner. I guess he wasn’t going to make any progress on any of those projects.

“Look on the bright side,” I said. “Can’t think of what that is. But I’m sure there’s one there… somewhere.”

“Metaphorical bruises are often good to motivate you to take corrective action against repeating the mistake,” Tom replied.

He finally got back into his account, changed the account’s login email address, locked out the attacker, and reset the passwords. He examined his domains. They were all still there. He couldn’t tell whether VL.com was still locked, but all the domain-name configuration looked correct.

By then, it was at 7:08 PM.

Meanwhile…

Sunday, March 28, 7:07 PM EDT

The dark figure tried again with DreamHost’s support chat. This time, he got Jeremy. He explained, impersonating Tom, that he was trying to change the primary address on Tom’s account.

Within a few minutes, Jeremy had solved his problem.

The dark figure used the automated system to reset the password on Tom’s account, knowing that as soon as he could get in, he would be able to complete the theft. But before he could lock Tom out, someone had already overridden the request. Clearly, Tom was onto him, logged into the system, and actively fighting with him for control of the account.

Time to switch tactics.

Sunday, March 28, 7:19 PM EDT

Tom was on the DreamHost support chat with Jason. “Help. My DH account is actively being hacked.”

“Unfortunately,” Jason said, “any inquiries pertaining to hacked sites or accounts need to be taken care of via email so our abuse/security team can assist you. This isn’t something I can help you with via Live Chat.”

“Glen reset my password about an hour ago,” Tom explained, “and the attacker is repeating the attack.”

“Okay, you will need to submit a support ticket for this. Thank you!”

Meanwhile…

Sunday, March 28, 7:19 PM EDT

The dark figure contacted Seohee via the DreamHost support chat, still impersonating Tom, told him he was having trouble transferring VL.com away, and asked for help.

He was worried that Tom may have already discovered the pending transfer and may have locked down the domain. “What’s current status of ‘TRANSFER AWAY’?” he asked. “It’s canceled?”

No, it wasn’t canceled. It was still pending. The dark figure told Seohee a story about trying to approve the transfer but receiving an error. “Please approve it from your admin end. Restarting transfer request taking few days.” Sadly.

“Please hold,” Seohee said.

Within a couple minutes, the dark figure was able to write: “I can see it’s approved. And in new registrar.”

“Thanks for hanging in there. sorry for the confusion,” Seohee wrote.

“Thanks again. Have great day,” replied the dark figure.

“You too!”

Finally, everyone was happy.

(to be concluded, tomorrow)

Share this post:

Grand Theft Internet (part 3)

J. Timothy King — Fri, 02 Apr 2010 16:00:19 +0000

This is a true cybercrime story, which hit my friend Tom. Click here to read the story from the beginning. OR Click here to read the whole story as a single page. (If you’re looking for my usual “Friday Fun” column, it will return next week.)

Chapter 3

Tom and I speculated on how the intruder broke into Tom’s DreamHost account, and what damage he might be doing there. I thought he might trash Tom’s account, and I was concerned that Tom be able to restore any lost data quickly. But Tom really didn’t have any data in that account. All of his Internet services were served from elsewhere.

He thought the cracker was probably setting up a phishing site. That is, the guy would put up a fake web page that looked like a real company web page, maybe for a bank. Then he would send people to that fake page, maybe with fake spam emails, and then try to trick people into giving him their bank logins and passwords. Tom even feared the guy might charge up fake domain names on his credit card.

Fortunately, there was no way for the attacker to obtain Tom’s credit card number, except for the last 4 digits. Nor could he charge up services or domain registrations on the card, because DreamHost’s system always asks for new credit card information when you make new purchases. So that was good.

Our bigger concern was how he had managed to break in. The email box Tom had been using as a contact email for DreamHost, that account was still secure. Tom was also certain that his Linux desktop computer was secure, and he had found no breaches on his office LAN. He even had been using secure protocols he used to transfer email into the office LAN. That is, even if someone were able to listen in on his Internet connection, the cracker wouldn’t be able to decode Tom’s encrypted communications. The only alternative was that someone had cracked into a mail server at DreamHost, or maybe even the DreamHost control panel itself.

I joked that at least I would have something to blog about the following week.

I sent a message to DreamHost support, on Tom’s behalf, marked urgent. I explained that his control panel account had been cracked into, and that he had been locked out of it, so he could not contact support thereby. I gave them his phone number and told them he wanted them to call him immediately. By then it was almost 2 o’clock Sunday morning.

“Sure, self-hosted stuff is more likely to be poorly maintained and easier to breach,” Tom commented to me, “but if a problem happens, I can always hit the big red button and halt it.”

And this was certainly one of those situations. You’ve just discovered that someone has cracked into your account and locked you out. You want to be ableto scream that your account has been compromised, and before anything else happens, you want your service provider to freeze the account. You can sort it all out later, when the experts can dig up the forensic details. But for now, you just want to stop the attacker from whatever damage he’s trying to do.

Still no response from DreamHost support. No way I knew of to escalate the request. No way to phone DreamHost. (And as we discovered later, DreamHost’s policy is not to discuss security breaches over the phone, only via email, because they want a written record of the conversation.) At one point, we also discovered DreamHost’s chat-support feature, and I tried contacting someone thereby, but no one responded to my chat request at 3:00 in the morning.

In the past, I’ve defended DreamHost’s control-panel-based support system, because it’s more than effective for normal, “my website’s not working” support requests. But this was not that kind of support request. We urgently needed DreamHost to freeze the account, at least temporarily, to keep the attacker from doing any more damage than he’d already done. Then the normal support mechanism would have been sufficient to pick up the pieces.

“I’m not sure it’d be worth the savings,” Tom noted, “to host anything critical at an organization that is effectively unreachable. I get that phone support would be abused, but you have to have a ‘break glass when on fire’ option somewhere.”

At 3:01 AM Sunday morning, Tom realized that there was indeed some real damage the cracker could do. “vl.com is worth $100K+. So I need to escalate this somehow.”

We gave up on the non-responsive chat and on the support ticket shortly before 4 AM. We went to bed, long overdue for sleep.

Sunday, March 28, 11:05 AM EDT

“Hello. Welcome to DreamHost Live Chat. My name is Javier. How can I help you?”

“I’m sent transfer request from new domain registrar for my domain,” the dark figure posing as Tom typed into his computer. “Can you see transfer request on your admin end and verify if received request from other registrar? VL.com.”

He had already unlocked the VL.com domain, worth hundreds of thousands of dollars, and had transferred it to a registrar in the Bahamas. He had done this before, with other domains. Once the domain was out of the US, it would be harder for Tom to get it back, and much more difficult for anyone to prosecute the dark figure or his friends for stealing the domain. International law is a bitch, and that worked to the dark figure’s favor. At the very least, Tom would have to spend thousands of dollars to arbitrate the case, possibly with nothing to show for it. Some domains may be worth massive amounts of money, but they were not considered “property” by most governments. And that too worked in the dark figure’s favor.

But while the Bahamas were ready to receive VL.com, the dark figure still needed to approve the transfer away from DreamHost, and DreamHost’s interface didn’t appear to be cooperating. Indeed, Javier confirmed that DreamHost had not received the transfer request. The dark figure would have to contact the registrar in the Bahamas and have them resend it. Too much time wasted now, but there still was probably time to steal the domain away. Hopefully, no one would know what was happening until Monday morning.

(to be continued, on Monday)

Share this post:

Grand Theft Internet (part 2)

J. Timothy King — Thu, 01 Apr 2010 16:00:13 +0000

This is a true cybercrime story, which hit my friend Tom. Click here to read the story from the beginning. OR Click here to read the whole story as a single page.

Chapter 2

Saturday, March 27, 10:23 PM EDT

The dark figure waited for DreamHost support to respond to his chat request. He had requested the password be reset, eight times since 9:35, since he had tricked them into adding his email address to the account. But he hadn’t been receiving the password-reset messages in his email.

Brian answered the chat. “Hi there, how can I help you.”

Now impersonating Tom, the legitimate owner of the account, he explained his problem as best he could. “I’m trying to get login info in my new email address, but not receiving email from DreamHost.” He gave Brian the account ID and email address.

“You’re already logged into the panel, if you’re talking to me,” Brian said.

“Yes,” the dark figure replied. That was true. He was logged into the administration panel, just not into Tom’s account. Not yet. But hopefully soon. He told Brian that he had recently updated the email address, and that he needed to use the new address, not the old one.

Brian replied, “Both are actually listed on your account.” He explained that Tom could use the administration panel to make any changes he needed.

Yes, the dark figure said, he’d tried that many times, but it wasn’t working. He kept getting an error, he said in his typical broken English.

Brian asked him to try it again.

So he did. Of course, he didn’t actually try anything. His story was a complete fiction, but a believable one. He described the steps he would have gone through, had he actually had access to Tom’s administration panel. Every value he would type, every checkbox he would check, every button he would click on.

“Page still pending load,” he added after another minute.

Brian waited patiently.

“Now get the page cannot to display error,” the dark figure wrote, but he knew that wouldn’t be enough. He knew he needed to make it sound like an insurmountable, unsolvable problem. “I also tried from Firefox, Safari, and cleared caches. I think it’s Windows issue with AJAX. Need to re-install windows tomorrow. Please check it.”

This must have puzzled Brian. Maybe he thought he was dealing with a clueless user. Maybe he thought it was a strange, inexplicable problem that would take too much time to track down. Maybe he just wanted to get “Tom” off his back. The exact reason didn’t matter. What mattered was that he took the bait.

“That’s weird,” Brian said. “I just tried it, and it worked perfectly. I changed it for you.”

The dark figure said he would refresh his display and see if it worked. Another fiction, of course. He couldn’t refresh any display, because he wasn’t looking at the display. But he could determine whether it worked. He asked for another password reset. He still didn’t receive the email message, but that might just mean the computer was still processing the. So he tried again, and again, and again, in quick succession. And finally it worked.

He reported to Brian that the data had been updated.

Brian was clearly pleased to have helped.

The dark figure had access to Tom’s account now, but there was one thing he needed to do before stealing control over the VL.com domain. He needed to cover his tracks, and for that, he needed Tom’s email passwords. He logged into Tom’s account and looked up the email box ID’s. Then he contacted support again.

Unfortunately, he got Brian again. Brian was no doubt tired with him by now, but he gave it a try anyhow. He said he was trying to see the passwords of two users under his account.

Brian replied that “Tom” couldn’t see the passwords, but he could reset them.

Indeed, that was a security precaution that DreamHost had put in place some time ago, in order to stop people from doing what the dark figure was trying to do right now.

Brian suggested not making any more changes right now, just to keep everything working for now. Yup. He was clearly tired of dealing with “Tom.”

The email the dark figure was trying to erase was actually being sent to a Google Apps account, but maybe Tom had used the same password on both his DreamHost email accounts and on his Google account. The dark figure also had asked for the Google password to be reset, and he hoped that a password-reset message then might have appeared in one of the DreamHost mailboxes.

So the dark figure waited another half hour and tried again. This time, he got Sam, who was more than happy to help. He was able to get the passwords for the two email boxes, but they appeared to be long strings of random characters. And neither of those email boxes contained the Google reset message.

The dark figure would not be able to crack into Tom’s email. His best hope was that he could complete the thievery he came here to do, before Tom realized what was going on.

Sunday, March 27, 1:16 AM EDT

Tom instant-messaged me: “Somebody is trying to break into my Dreamhost account.”

“How can you tell?” I asked.

He had gotten a bunch of email messages telling him that his DreamHost account password had been reset. But it particularly disturbed him that the last of these messages was also sent to an anonymous email address, at HushMail, an email address Tom did not control.

What to do? DreamHost’s primary means of customer support was via the administration panel, if Tom could still login.

He couldn’t.

I acutely realized that this is one of the instances in which you really need another means of contacting DreamHost support. Since then, I’ve discovered that DreamHost’s public contact form, as well as their abuse email address. Either would probably have worked at least as well as what we ended up doing.

We didn’t know how the attacker had cracked into Tom’s DreamHost account. Tom’s Google-hosted account had not been compromised, as far as we could tell. So the cracker had either found an exploit in DreamHost’s password-reset form, or else he was listening in on DreamHost’s or Google’s network. In any case, it was a scary prospect.

As a fellow DreamHost customer, I contacted support on Tom’s behalf and relayed his plea for help. It would be almost 13 hours before we received an initial response, and several more hours before we were taken seriously. Not fast enough to prevent the disaster that was to come.

Click here to read part 3 »

Share this post:

Grand Theft Internet (part 1)

J. Timothy King — Wed, 31 Mar 2010 16:00:50 +0000

This is a true cybercrime story, which hit my friend Tom. Click here to read the whole story. Or use this page to read only chapter 1.

Preface

This is a true cybercrime story, which hit my friend Tom this past weekend… a little too close to home. And I realized that this is something that could happen to me. Indeed, it could happen to any of us who owns his own business or website domain. Tom wanted this story told, in the hopes that the knowledge will help prevent similar crimes in the future, to encourage other victims also to come forward, and to increase the chances that crimes like this will be prosecuted as a result, and I agree.

I’ve drawn on chat transcripts, emails, and other forensic evidence, to reconstruct the timeline of events as accurately as I can. Naturally, when I portray the villain’s activities—and especially his thoughts and motivations—I’m speculating… but let’s call it “informed speculation.” The villain, although he may sometimes appear incompetent, never acts out of random whim. His goal is not merely to poke around inside someone else’s computer and see what he can find. No. He is pursuing a goal, so he has a purpose to everything he does. And I’ve written his character from this perspective.

I’ve mentioned DreamHost, our hosting company and domain registrar, by name, in the interests of full disclosure, because I have recommended DreamHost and have published affiliate links to their service, and I no doubt will in the future. Because in the aftermath, I’m still looking for another company who would have done better, who would have prevented the break-ins that occurred here.

Chapter 1

I expected a typical lazy weekend: read a book, get ready for the Passover holiday, watch a few seasons of Mythbusters with my new Netflix Wii streaming disc. I never expected the weekend to bring me in so close to the world of high-stakes Internet crime.

As you may know, before I wrote books, I programmed software, and before that, I studied Electrical Engineering at Northeastern University. During those days, I met Tom, now one of my oldest friends. Both of us EE students, both electronics hobbyists since we were young, both hired as co-op students by the same local company. Both of us went into developing software. In the mid-1990′s, Tom registered the Internet domain VL.com for his consulting business, Venture Logic. Shortly thereafter, I started JT Software Enterprises and registered JTSE.com. You can’t get 2- and 3- and 4-letter domain names anymore. But at the time, the Internet was still an open frontier, and we actually homesteaded these domains, building them from the ground up.

Fast-forward to the year 2010. JTSE.com is still just an arbitrary string of characters to most people. But VL.com could stand for almost any company name, and on the open market, it’s worth hundreds of thousands of dollars. (I wonder how much Barnes and Noble paid for BN.com.)

When Tom started getting genuine offers to buy his domain, we should have realized that it was like a diamond necklace, and that high-tech cat burglars would soon set their sites on it.

Saturday, March 27, 9:17 PM EDT

A dark figure lurked in the shadows, just outside the glow of the computer monitor. No one knew him. No one even knew he was there. He had been observing his prey, quietly collecting information using false names and stolen ID’s, and even trial-and-error. Over the Internet, no one could tell he wasn’t who or what he said he was. And by the time they put together all the pieces—if they ever put together the pieces—he would be long gone, with his quarry, having taken on yet another false identity.

He knew the VL.com domain he wanted was registered with DreamHost; that was a matter of public record. And he knew that DreamHost would have limited resources to deal with a low-profile Internet break-in, especially on the weekend, and that could give him more time. He had also managed to crack into a different DreamHost account. He had asked them to add a credit card to the account, then talked to a different person and used the credit card information to validate that he owned the account. Customer service was always anxious to shortcut security in order to aid a helpless user, and he played the part like a pro. Through a long series of subterfuges, he had also discovered the account under which the domain was held, had even tricked DreamHost into linking it with his current persona. And now he was ready to strike at his true target.

“How may I assist you?” asked Dan, the support technician on the other end of the online chat.

“I having trouble with updating primary email address on my account,” the dark figure replied, impersonating his last victim. He then explained to Dan how he had tried to change the email address on the VL.com account. The story was a complete fabrication, of course; he didn’t even have access to that account. But he made sure he sneaked in the name of the account and the email address he wanted to use. He then complained that his computer was acting up, said he needed to reinstall Windows. It added an air of authentic helplessness.

Dan suggested he reset his browser, or try a different browser. A common support-guy fix.

He explained that he had already done that, and had tried Internet Explorer, Firefox, and Safari. It wasn’t important that Windows users almost never even knew about Safari; it was more important that he hit all the magic keywords, and fast, before Dan began to suspect anything.

Dan asked him to answer his security question. “What city were you born in?”

It took a minute for the dark figure to look up the correct answer, but he did find it, and answered correctly.

But Dan did not respond.

“Are you still there?” the dark figure asked.

“Changing, hold on,” Dan wrote. And finally, “Done.”

“I can see that it’s updated,” the dark figure wrote. Another fiction: he did not yet have access to the account, so he could not actually see anything. But it was important for Dan to believe that he could see it, that everything was on the up and up. It was important that no one raise an alarm, not yet.

Neither Tom nor I use such weak security questions. Anyone can find out where you were born, or what school you went to, or your mother’s maiden name, or whatever. This became painfully clear to me after I wrote my romantic memoir (Love through the Eyes of an Idiot). I looked to contact the people from my past that I wrote about, to inform them about the book. In the process of searching for them, I ran across all manner of personal information about them. I wasn’t even looking for it.

How that security question got set at DreamHost is still a mystery, lost in the memories of time. Maybe it was an old security question, set when Tom first created his account. (Be assured that we’ve both verified and tightened up security on all our accounts, and no one will be pulling a similar stunt on either of us.)

Over the following hour, Tom would receive a dozen emails from DreamHost’s computer, telling him someone was trying to reset his password. Each email included the standard calming notice:

If you didn’t request this email, don’t fret, the security of your account has not been compromised. Somebody else must have requested your password. That’s exactly why we email it to you instead of just giving it out!

If Tom had been looking at his email inbox just then, he might have been able to cut off the cracker before he did any real damage. Unfortunately Tom wasn’t reading his email just then.

Click here to read part 2 »

Share this post:

Grand Theft Internet

J. Timothy King — Wed, 31 Mar 2010 15:59:55 +0000

Like any other small businessman, he assumed his Internet account was basically safe. Instead, he found himself another victim of the latest 21′st century crime wave, when his valuable domain name, VL.com, was hijacked in a high-tech heist. Told by a first-person witness to the crime, reconstructed from forensic evidence compiled in the aftermath, this gripping account takes you inside the mind of the attacker, showing in lay terms how domain thiefs bypass security at Internet registrars, and why domain name theft is a growing problem on the Internet that could strike any of us.

This is the detailed story of how VL.com was stolen. Click here for Domain Name Wire’s report on the incident.

Also available as a free downloadable eBook:

(Last updated April 3, 2010.)

Preface

Chapter 1

When Tom started getting genuine offers to buy his domain, we should have realized that it was like a diamond necklace, and that high-tech cat burglars would soon set their sites on it.

Saturday, March 27, 9:17 PM EDT

“How may I assist you?” asked Dan, the support technician on the other end of the online chat.

Dan suggested he reset his browser, or try a different browser. A common support-guy fix.

Dan asked him to answer his security question. “What city were you born in?”

It took a minute for the dark figure to look up the correct answer, but he did find it, and answered correctly.

But Dan did not respond.

“Are you still there?” the dark figure asked.

“Changing, hold on,” Dan wrote. And finally, “Done.”

Over the following hour, Tom would receive a dozen emails from DreamHost’s computer, telling him someone was trying to reset his password. Each email included the standard calming notice:

If you didn’t request this email, don’t fret, the security of your account has not been compromised. Somebody else must have requested your password. That’s exactly why we email it to you instead of just giving it out!

If Tom had been looking at his email inbox just then, he might have been able to cut off the cracker before he did any real damage. Unfortunately Tom wasn’t reading his email just then.

Chapter 2

Saturday, March 27, 10:23 PM EDT

Brian answered the chat. “Hi there, how can I help you.”

“You’re already logged into the panel, if you’re talking to me,” Brian said.

Brian replied, “Both are actually listed on your account.” He explained that Tom could use the administration panel to make any changes he needed.

Yes, the dark figure said, he’d tried that many times, but it wasn’t working. He kept getting an error, he said in his typical broken English.

Brian asked him to try it again.

“Page still pending load,” he added after another minute.

Brian waited patiently.

“That’s weird,” Brian said. “I just tried it, and it worked perfectly. I changed it for you.”

He reported to Brian that the data had been updated.

Brian was clearly pleased to have helped.

Unfortunately, he got Brian again. Brian was no doubt tired with him by now, but he gave it a try anyhow. He said he was trying to see the passwords of two users under his account.

Brian replied that “Tom” couldn’t see the passwords, but he could reset them.

Indeed, that was a security precaution that DreamHost had put in place some time ago, in order to stop people from doing what the dark figure was trying to do right now.

Brian suggested not making any more changes right now, just to keep everything working for now. Yup. He was clearly tired of dealing with “Tom.”

The dark figure would not be able to crack into Tom’s email. His best hope was that he could complete the thievery he came here to do, before Tom realized what was going on.

Sunday, March 27, 1:16 AM EDT

Tom instant-messaged me: “Somebody is trying to break into my Dreamhost account.”

“How can you tell?” I asked.

What to do? DreamHost’s primary means of customer support was via the administration panel, if Tom could still login.

He couldn’t.

Chapter 3

I joked that at least I would have something to blog about the following week.

“Sure, self-hosted stuff is more likely to be poorly maintained and easier to breach,” Tom commented to me, “but if a problem happens, I can always hit the big red button and halt it.”

At 3:01 AM Sunday morning, Tom realized that there was indeed some real damage the cracker could do. “vl.com is worth $100K+. So I need to escalate this somehow.”

We gave up on the non-responsive chat and on the support ticket shortly before 4 AM. We went to bed, long overdue for sleep.

Sunday, March 28, 11:05 AM EDT

“Hello. Welcome to DreamHost Live Chat. My name is Javier. How can I help you?”

Chapter 4

Sunday, March 28, 2:40 PM EDT

Tom said to me, “I’m sure they’ve chalked this up to some customer with sloppy security getting their email compromised.”

Sunday, March 28, 6:09 PM EDT

Using a tried-and-true method, he chatted with DreamHost support. “Need update current email on file, but still not successful,” he said in his trademark broken English.

He was on the line with Schroder, who tried to walk him through the process.

“No,” Schroder replied, “I’m sorry. I can’t change it for you.”

Schroder said, “If you can’t walk me through the method you’re using to change the info, then, I’m sorry, but I can’t help you with this.”

“Ok. Thanks,” the dark figure wrote, resolving to try back later with a different support rep.

Sunday, March 28, 6:52 PM EDT

“Look on the bright side,” I said. “Can’t think of what that is. But I’m sure there’s one there… somewhere.”

“Metaphorical bruises are often good to motivate you to take corrective action against repeating the mistake,” Tom replied.

By then, it was at 7:08 PM.

Meanwhile…

Sunday, March 28, 7:07 PM EDT

The dark figure tried again with DreamHost’s support chat. This time, he got Jeremy. He explained, impersonating Tom, that he was trying to change the primary address on Tom’s account.

Within a few minutes, Jeremy had solved his problem.

Time to switch tactics.

Sunday, March 28, 7:19 PM EDT

Tom was on the DreamHost support chat with Jason. “Help. My DH account is actively being hacked.”

“Glen reset my password about an hour ago,” Tom explained, “and the attacker is repeating the attack.”

“Okay, you will need to submit a support ticket for this. Thank you!”

Meanwhile…

Sunday, March 28, 7:19 PM EDT

The dark figure contacted Seohee via the DreamHost support chat, still impersonating Tom, told him he was having trouble transferring VL.com away, and asked for help.

He was worried that Tom may have already discovered the pending transfer and may have locked down the domain. “What’s current status of ‘TRANSFER AWAY’?” he asked. “It’s canceled?”

“Please hold,” Seohee said.

Within a couple minutes, the dark figure was able to write: “I can see it’s approved. And in new registrar.”

“Thanks for hanging in there. sorry for the confusion,” Seohee wrote.

“Thanks again. Have great day,” replied the dark figure.

“You too!”

Finally, everyone was happy.

Chapter 5

Sunday, March 28, 8:06 PM EDT

“They stole vl.com!!!!!!!!!!!!!!!!!!!!!!!!”

But the real question is how to proceed going forward.

Even so, there’s some value in looking for registrars that offer increased security and services, even at slightly increased prices and with longer waiting times:

positively identifying the domain owner before releasing a domain to another registrar, such as with two-factor authentication being offered by some registrars;
confirming domain transfers through phone calls or cellphone text messages, as well as the standard email;
approving domain transfers through multiple, independent means, or multiple, independent accounts, all of which must approve before the transfer goes through;
effective crisis procedures, when a break-in does occur;
effective forensic and recovery procedures, when a theft occurs;
insurability—if a domain name is stolen, the insurance company will pay for recovery or losses.

There are some additional safety measures you can take to slow up a thief trying to steal your domain:

Use a secret email address for your account email.
Always use a secure computer and encrypted connection to download email.
Use long, random passwords for each email and domain account.
Use secure secrets for any “secret question,” obscure facts that no one else can find out.
If you have multiple domain names or web holdings, split them up between multiple registrars and hosting services.
Use low-value domains for daily activities, if possible. (So if someone steals away VL.com, your email will still continue uninterrupted through VentureLogic.com.)
Know how to get in touch with your registrar in an emergency, whether by phone, email, or web form, even if you’ve been locked out of your account by an attacker.
Establish secure, authenticated communication channels with people you are likely to work with to resolve a crisis: obtain email certificates, exchange public keys, and set up secure IM.
At least ask yourself, “Will that busty model come to my rescue when I have a problem with my domain?”

-TimK

Additional resources:

Other mentions of the theft of VL.com:

Share this post:

Sued for Reading an RSS Feed?

J. Timothy King — Wed, 01 Aug 2007 19:58:19 +0000

The blogosphere is coming of age. And the story of my recent experience with a well-known blog network illustrates a contentious issue in the blogosphere, contentious because blogging technology is just progressing too fast, even for bloggers. And because the law is moving even more slowly than the bloggers themselves. Before the dust settles, no doubt, many people will have spent many, many thousands of dollars (or maybe millions) in legal fees, sorting it all out.

My story began with an email from said major blog network, an email that was obviously written by a lawyer.

To understand the story, first I have to go back to last November, when I created a website dedicated to fandom for the TV show Gilmore Girls. This is Gilmore-ism.com. Being a software geek, an innovative feature inspired this site, an on-line database of short quotes from the TV show Gilmore Girls, with analysis. But being a software geek, I couldn’t help but add feature upon feature to the site.

One of these features is an on-site feed reader. I chose and categorized a number of important Gilmore Girls-related RSS feeds, and I provided a feed-reader service on the site, for people who don’t know RSS and don’t want to. Very much like I can share my BlogLines subscriptions. I’m not the first person to provide an on-site news aggregator, of course. But this is another feature Gilmore-ism.com has that no other Gilmore Girls fansite has.

The on-site news aggregator is primitive, yes. Primarily, it’s useful only for sharing lists of RSS feeds with other Gilmore Girls fans. Indeed, these pages get less than 1% of the traffic on Gilmore-ism.com. Most visitors either sign up to the original site’s feed. Or they sign up to my email list, expecting me to keep them up to date.

I Receive a Nasty Email

One of the blogosphere’s Gilmore Girls fan blogs is a member of a well known blog network, which I will call “Network 23.” Not their real name. I’m calling them that, after the fictional TV network in Max Headroom. The Network 23 blog is one of the sites I’ve recommended to my fans. And it’s one of the sites I’ve linked to, many times, both on Gilmore-ism.com and in the Gilmore-ism.com e-Newsletter.

So imagine my surprise when I got an email from one of Network 23′s staff, with the subject line “Unauthorized Use of Network 23 Property.” The email was clearly based on a template that some lawyer somewhere came up with. And like most lawyers’ letters, it did not give Network 23 a good name. Even less did it resolve any conflict. I’ve put a lot of time and energy into making Gilmore-ism.com a unique and original website, with innovative features found on no other Gilmore Girls fan site. Sending this email could only have accomplished one thing. And that is to sow angst while simultaneously covering your legal ass-ets. (Note that I am not a lawyer, which is how I can say this with a straight face.)

Let me take a moment to reiterate something that needs to be said much more often, especially to small business owners: You may need a lawyer for legal advice. But always remember, he is not the businessman. He doesn’t know your market. He doesn’t know your customers. And he doesn’t go bankrupt when they all desert you. So use your own judgement, and be polite to your customers. It’s your neck on the line.

Why do I think this email originally came from a lawyer? Firstly, it began, “To whom it may concern:” even though everyone knows me by name. And the person who sent the email also knew my name, because my name is displayed right there on the “Contact” page of Gilmore-ism.com, whence he sent the email.

Secondly, it contained paragraphs like the following:

It has been brought to our attention that the web site located at gilmore-ism.com, for which you are the site author, is distributing, displaying and reproducing unauthorized copies of Network 23′s content.

Actually, it read an awful lot like the note that Paramount sent to The Movie Blog… (Cue Twilight Zone theme.) Except I could have handled receiving that note. It at least said exactly what Paramount objected to and what they wanted The Movie Blog to do about it. The email I got from Network 23 was missing these key elements. But I’ll get to that in a sec.

As I said, I frequently linked to and referred my fans to Network 23′s blog. I quote from the same original sources. And I once had a rather marked difference of opinion with an editorial posted on that blog (though very few people seemed to care about the issue). But copyright infringement? Imagine my shock at receiving this email!

I pride myself on being a legitimate website operator and a responsible, upstanding netizen. I use double-opt-in on all my email lists, never send spam, and my email subscribers even tell me when their email addresses are changing, so they won’t miss a beat. And I respect copyright, even though I don’t always think copyright holders act in their own best interest. Still, I believe the only correct solution is to persuade them to adopt a better way… Or to provide their readers with alternative sources of vibrant, original content. But to rip them off? Why would I even consider such a thing?

The Network 23 email also invoked the ever-fearsome 4-letter acronym “DMCA,” requesting my “assistance in the removal of all Network 23 content from this web site and any other sites for which you provide services.” But as I said before, it omitted key details. In particular, Network 23 did not tell me which URLs were infringing, even though this is a DMCA-notice requirement. So I replied, politely asking which URLs Network 23 believed were infringing their copyright, so I could address the issue.

Let me reiterate again: Do not let your lawyer tell you how to interact with your customers, against your better judgement. And do not let your fear of legalities bully you into doing something stupid. Emails like this scare the recipient at best, and anger them at worst. Witness how The Movie Blog reacted to the Paramount notice. And by making demands specific enough to appear to have the force of government behind them (even if they don’t), yet vague enough that the recipient can’t actually know what he’s actually being told to do, to the recipient, this message could only feel more like dealing with a mob boss than with a respectable business… Except that a mob boss usually tells you exactly what he wants, even if it’s unreasonable.

For the record, this email did not come from the author of the Network 23 blog, but rather from a different Network 23 representative. And I don’t even know that the blog author had anything to do with it, even though it claimed to be written on his behalf. Again, that’s probably just legal boilerplate that means nothing. I’ve read plenty of legal boilerplate in my time, and plenty of it even contradicts the document of which it is a part.

Why BlogLines is Not Search-Engine Spam

Let me talk about how search-engine spam intrudes into my Gilmore Girls research. I see more search-engine spam than most people probably care to think about, because I use search feeds, from engines like Google and Technorati. For example, to get scoop on Gilmore Girls stories before anyone else does, in my feed reader, I have automatic searches set up to monitor the blogosphere for stories about Gilmore Girls.

Unfortunately, I’ll frequently see a story appear, followed by a dozen copies. All the copies are from spam blogs, which have illegitimately copied the original article. They do this so that when you go to Google or another search engine, and you type in “Gilmore Girls,” the spam site will be one of those listed. The site doesn’t actually contain any new information on the subject, much less any original content. But if you go there, you’ll see loads of ads.

Google and the other search engines hate search-engine spam, of course. And they have algorithms in place to filter it out. However, I end up seeing a lot of it, because I have my search feeds set up to give me up-to-the-minute results. I guess I see these results before the search engine’s filtering algorithm can kick in or something.

BlogLines also provides its own blog-search feature. But of all the feeds it tracks, and all the feeds that its users subscribe to, and all the subscriptions its users make public… Now, at this point, I was going to say that BlogLines prevents search-engines from scanning its users’ public subscriptions. Because I know I have a line in my robots.txt file to keep search engines out of my “aggregator” pages. This in fact is the default behavior in the latest Drupal. (Gilmore-ism.com uses Drupal, BTW.)

I assumed BlogLines did something similar. But then I double-checked. Google does index these pages. Which makes sense, because they’re not disallowed, either by robots.txt or by tags.

So… How do BlogLines public subscriptions differ from search-engine spam? One reason is that there aren’t many people using them for this purpose. Indeed, why would a spammer do so? If you want to do search-engine spam, you plop up WordPress blog with an aggregator plug-in and some pay-per-click ads. You’re trying to trick user into coming to your spam site, because some portion of them will click on your ads. You can’t do this with BlogLines, because you can’t put up your own pay-per-click ads.

BlogLines is similar to what I do with the Drupal aggregator. Sure, my news aggregator is primitive. It’s missing features you expect from any serious feed reader. For example, after you read an item, you can’t mark the item as “read.” But the Drupal aggregator does behave at its core like a reader. It aggregates feeds, which appear on a separate page and not with the other content on the site. And the software caches aggregated items only temporarily, purging them after a period of time, just as you expect a feed reader to do. And as I said, I get no search engine traffic from this content, because it’s merely displayed to my site visitors as a service to them, not actually published with the rest of the content.

Second Thoughts and Feed Readers

As I had designed the feed reader portion of the web site very carefully, when I received the email from Network 23, it never entered my mind that this was a problem. As I said, the email didn’t specify which URLs they found objectionable. It only made sweeping generalizations, leaving me to try to read between the lines. And reading between the lines is something I’ve never been very good at.

(This is an argument my wife and I are continually having, so much so that we’ve gotten used to it. She tells me what’s wrong, but always leaves out the part about what she expects me to do about it. And I have to ask her for specifics, which annoys her, and so forth. Engaging, challenging, and way better than being lonely.)

If you had been inside my head, you’d understand. At first I thought I might have quoted more from one of Network 23′s blog posts than they might have liked… Although most of these posts basically copy content from other sources. Then I thought it might have something to do with the heated exchange of opinion between our two blogs some months ago, even though that’s a long time. I did quote heavily when I wrote that piece.

After I thought a little more, I considered that Network 23 might be objecting to the on-site feed reader. But why would they? The feed reader is only available to visitors of Gilmore-ism.com, not to search engines. It does not replace Network 23′s blog, but rather aggregates it with other sources, linking to all the original sources, as a good feed reader does. And its only possible use is to allow users to read the RSS feeds, which is (I assume) what the feeds are there for– so that people can read them without repeatedly visiting Network 23′s and the other blog sites.

In fact, I’ve analyzed traffic patterns for the aggregator. Less than 100 people look at it each month–hardly worth the effort. And after they look at it, then they go off to visit the linked-to blogs! (Duh. Like, what else would you expect, man?) I gather that they probably subscribe to those blogs directly, or decide they’re not interested at all. Of course, this is what sharing RSS feeds is all about. But it’s hardly a benefit for me, if I’m interested in keeping people at my site. Rather, it’s a perk I provide my visitors when they come to my site.

Still, the whole topic is a gray area. There are no established rules for what makes a public, on-line feed reader okay or not. This is unfortunate, and it seems to be resulting in some silly demands by bloggers.

More and more bloggers are including a copyright notice on their blog feeds:

This feed is for personal non-commercial use only. If you are not reading this material in your news aggregator, the site you are looking at is guilty of copyright infringement.

There’s even a WordPress plug-in that adds a copyright message like this to your feed. Sounds pretty reasonable on the surface, but what does it really mean? The whole license hinges on the question, “What is a news aggregator?” And it seems, different people have different ideas of what a news aggregator is. (One notice I saw even said that I could only view the feed on a reader that had no ads!)

If you read an article on BlogLines, is BlogLines guilty of infringement because “your” news aggregator is a different service?
Okay, so what if you read it at work? Does that make the use commercial?
What if your feed reader stores items on a company computer? What if your company or ISP uses a caching web proxy?
What if the blog post inspires a million-dollar idea that makes you rich? Will the blog author come after you for copyright infringement? (Crazier things have happened.)
Since FeedBurner and FeedBlitz provide on-site renderings of their customers’ feeds, complete with their own embedded ads, does that make them copyright infringers? Neither’s terms of service claims a license to do this.
What about blog indexes with integrated feed views, especially popular among podcasting directories?
What right does any blog author have to tell you how you’re allowed to read his feed? He makes the feed available to be read. Fair use demands that you be able to use any suitable method to read it; and it’s your choice, not his.
If you choose to use a web-based feed reader, does that make you a copyright infringer?
What if you can access the web-based feed reader anonymously, without registering?
What if the feed reader provides public views of subscribed feeds, like BlogLines or NewsAlloy? How long before United Media sues NewsAlloy for copyright infringement because you can read the Dilbert feed there?
If you select a group of feeds your fans might like, and you link to (or frame) a BlogLines public view, so that your fans can read those feeds there, does that make you a copyright infringer?
What if you allow them to read those feeds via a public feed reader? Does that make you a copyright infringer? Just because you’re making it easy for a very specific audience to view very specific RSS feeds?

Well… I guess if I put it that way, it doesn’t even pass the laugh test, does it? How silly is it of me to make it easy for my fans to view someone else’s published content? Why would I even want to do that? Because it benefits us both. That’s the power of the blogosphere. And that’s one of the advantages of social media.

The scary part is that the rules aren’t clear. If I provide a news aggregator service innovative enough not to fit into a certain blogger’s unstated conception of a “news aggregator,” I could get sued. And if I read someone’s RSS feed on a non-approved aggregator, could I get sued? You wouldn’t think so, but the rules are unclear. In either case, even if I’m right, and even if I were to prevail in court, it would cost us both many thousands of dollars. Because in any court battle, there are 4 parties: me, my lawyer, my opponent, and his lawyer. Two are winners, and two are losers. The lawyers never lose.

What’s a Blog For, Anyhow?

If I wanted to keep my content off the Internet, I’d have it printed in a book. In fact, I’m actually having a small booklet printed, but not to keep it off the Internet. Rather, to make it available off the Internet. But that’s a different story.

If I wanted to make my electronic content available only to certain people, I’d put it behind a login screen. In fact, I do that on Gilmore-ism.com, and I’m right now planning other sites that have content and features that require a user login.

If I wanted to try to force people to visit my website every time they want to read my content, I’d avoid RSS. In fact, some pages on some of my sites are never in an RSS feed, for a variety of reasons. Actually, there are plenty of good reasons to avoid RSS. But trying to make people visit your site repeatedly is not one of them. Because now automated programs will visit your site on the user’s behalf, alerting him when the content changes.

And if I want to make my content available to a wide and growing repeat audience on an ongoing basis, I put up a blog. This allows people to read my content using a feed reader or feed-reading service, as they see fit. It allows services like Technorati and Google to store and coallate my content so that people can find it easier. And for those who don’t yet do RSS–and there are many who don’t–there’s still the web interface.

The thing is, once I let that RSS feed out into the wild, I have to expect users to do things with it that I didn’t anticipate. I expect them to use transport mechanisms, software, services, and storage mechanisms that I could never even have imagined. All four of these are present in any feed reader, of course. But too many bloggers assume the technology won’t progress. It’s like, they just learned RSS, and now suddenly people are doing new things with it, and all the rules are changing.

By publishing an RSS feed, I’m giving permission for users to view that information. I’m also giving them permission to copy it for personal use, because that’s fair use. I don’t expect them to only use the technologies that I already understand and have approved of. I do expect them to use the full power of the Internet. And I expect third parties to provide services that help them do all the things they can do with my content.

Moreover, I expect them to link to my blog posts, because this is also one of the prime characteristics of the blogosphere. A blog is not just a means to publishing content. It’s also a means to take part in the global conversation. Even if I didn’t support comments or trackbacks on my blog–and I do support them both. But even if I didn’t, I would still expect people to respond to my writings. And as a good netizen, I expect to reply in turn. This is also one of the great powers of blogs as marketing tools, something many corporations don’t yet understand. A blog is not just a one-way communication medium; it is 2-way. It enters you into the conversation. Before blogs, in order to do that, you’d have to go to an online bulletin board or forum. And that meant you had to give up control to the operators of the forum, or you had to create your own forum and turn it into a community. Now, you can become part of the community from your own website. This is all a primary purpose of a blog, because RSS is the technology that makes this all possible.

Unfortuantely, opinions differ, even among bloggers. And technology is progressing way too fast for the law to keep up, putting us right in the middle of a huge legal grey area. As Fred von Lohmann of the Electronic Frontier Foundation noted to me in an email:

The copyright issues around RSS feeds are one of the great unexplored mysteries of the cyberlaw world. The answers may differ depending on whether your site or servers actually copy the feeds, or simply link to or frame the feed source. But the most likely answer for any of these questions is “nobody knows for sure” and “if you get sued, it will be expensive no matter how it turns out.”

As RSS continue to become more ubiquitous, I fear, it will continue to become a legal quagmire waiting for victims.

But there is an ironic up-side to all this.

Here’s What I Did

I waited a day for a response from Network 23, but I got none. By that time I had decided to take down all references and links to Network 23′s blog from Gilmore-ism.com. If you go there now, you wouldn’t even know Network 23 had ever existed.

I am not the only blogger to react this way to a legalese-filled email. Bloggers take note! Blogging is more about community than it is about right. If you are too centered on controlling what others do, you will lose the friendships that make your blog worthwhile. As the writer to the Hebrews noted, “Do not forget to entertain strangers, for by so doing some people have entertained angels without knowing it.” Therefore, treat others with respect, and assume good intentions on their part. If you fail to do that, it may not matter whether you were right or wrong.

(I finally did get a response from Network 23, but they never identified which URLs they believed had infringed their copyright, and I still don’t know for sure what they were talking about. But I’m thinking my educated guess is probably correct. They didn’t want my site visitors to read their blog. And now my site visitors, and all the people on my email list, aren’t.)

One final note, for the record: You may with any of my RSS feeds, transport them, view them, and provide services that allow others to view them, using whatever technology you choose. That’s what they’re there for. This includes my upcoming fiction blog, The Conscience of Abe’s Turn. You can even share my RSS feeds with others. Just please keep them intact. I will never come after you for doing so…

In fact, I’m formalizing this statement. Even when I publish content that is “All rights reserved,” if that content appears in an RSS feed, the RSS feed itself is licensed under the Creative Commons Attribution-NoDerivs License. I’m currently updating my copyright notices to state this on each site and in each feed. (Of course, some of my content uses an even less restrictive Creative Commons license.) In brief, the CC BY-ND License (as it’s more affectionately called) allows you to distribute or “publicly perform” the RSS feed, as long as you don’t change it and you attribute the original author. I think that should cover it.

I’d also encourage you to do the same for your RSS feeds. And get this legal nonsense behind us, so we can continue building the blogosphere.

-TimK

Share this post:

If It Weren’t for the Innocent People Caught in the Middle

J. Timothy King — Wed, 26 Apr 2006 23:28:45 +0000

As a musician myself, I’ve been saying for years that the old music industry is on its way out. I get a good laugh whenever I read a news piece (usually in the establishment news) quoting some representative of the RIAA claiming that file sharing is going to destroy the music industry.

Idiocy. As long as there are musicians wanting to play music and audiences desperate to listen—and there will always be both—the music industry will continue on. It just may not continue in the same form that the RIAA is used to.

Now, if people share music, it’s because they think it’s ethical. It doesn’t matter what the law says. It doesn’t matter what the RIAA says. It doesn’t matter how much words like illegal or theft are thrown around. (By the way, copying a work may be copyright infringement, but it by definition can’t be “theft.”)

Music customers are defining the shape of the music industry. Projects like iTunes and podsafe music have benefited from giving customers what they want. The RIAA, however, has been fighting against this inevitable change, and anyone who continues on board with them is being left behind.

So I get a laugh out of the RIAA. I haven’t bought a CD in over a decade, and I’m not pirating music. Ever since MP3.com, I’ve gotten all the great music I want, completely legal, for free off the Internet. So I know first-hand it’s already possible to satisfy ones complete musical appetite without the cooperation of the RIAA. So if they want to put restrictions on who listens to their music, let them! And with the increase in on-line video, you can add the MPAA and television industry to that mix. Let them shoot themselves in the foot. What do I care?

Well, I wouldn’t care if it weren’t for the fact that average people have been forced to stare down the RIAA’s gun barrel.

-TimK

Share this post: