We got hacked (name.com)
102 points by subsection1h on May 10, 2013 | 100 comments


“give a shit”

This language is such a turn-off. Very few organizations can use that type of flippant language successfully, especially in a serious email like this. Now's not the time to try to be hip or cool. This is a serious issue and the writer should be just as serious.

Edit: Their site is down now so here's a copy of their post

Many of you received our email or saw online that name.com was hacked. The truth is that it's one of the more painful admissions that can be made on the Internet. We want you to know that when we say that we “give a shit” we truly mean it. In an effort to maintain the open, honest, and transparent reputation we’ve built for ourselves, we’re going to give you the lowdown on what happened and what we did in response.

Our security team alerted us that unauthorized individuals had accessed our database. After doing some digging we found that the attack seemed to be geared toward a few specific accounts. The hackers had a target and name.com was a means to that end.

The information that was accessed includes usernames, passwords, physical addresses, email, hashed passwords and encrypted credit card data. EPP codes (required for domain name transfers) are not stored in the same place so those were not compromised. For the techies who are wondering, the encryption on the credit card information is 4096 bit RSA. Since the password hashes were compromised we took proactive steps and initiated a site-wide password reset (hence the email, apologies for the inconvenience).

We are genuinely sorry for the annoyance and the scare. We’re taking this incredibly seriously and are doing everything possible to continue to improve the security of our systems. We greatly appreciate the support across the web and over the phones.


I agree. I am prone to "swearing like a sailor" but in public (including the internet), I try to keep it pg-13-ish most of the time. Even on my personal blog, where some folks think I say waaay too much about my (lack of a) sex life, I try to limit the swearing. If I can figure out that this does not make a good impression, one would hope that "business people" could too (though perhaps not).

(Also, fwiw, I am grossed out by casual references to poop, no matter how nicely they say it, but especially when using the S word. I am very prone to F bombs, but, then, I actually like sex. But references to poop have me envisioning it. No thanks. Ick. Y'all are disgusting. And, though perhaps not the norm, I am probably not the only person who dislikes having images of poop forced upon them, even if others don't necessarily have the quirk of finding it more offensive than the F word.)


For someone who dislikes references to "poop", you certainly mention it a lot.


It's their tagline:

"Name.com is a fully accredited ICANN domain name registrar. In addition to great pricing and service, we offer SSL certificates, web hosting, premium and expired domains. Most importantly, we've been giving a $#*! since 2003!"


Holy shit, you're right! I thought this was a joke at first. Even after jonmrodriguez confirmed it, I thought he was continuing the joke but it's true. They actually say:

"Name.com is a fully accredited ICANN domain name registrar. In addition to great pricing and service, we offer SSL certificates, web hosting, premium and expired domains. Most importantly, we've been giving a $#*! since 2003!"

I still don't think it comes off well but, in that context, I guess it's not as bad as I originally thought. And that's probably why they put it in quotes in the message. It makes more sense now.

Thank you!


Good find, it looks like most people on this thread missed this.


To me it's really not a turn off at all. I'd rather they swear away and have a personality than be a starchy, try-not-to-offend-anyone bland corporate drone.


Swearing is not the only way to show personality. In fact, it's one of the cheapest ways to do so. It's easy to say "fuck" and "shit" to break free from the usual generic writing but you can actually write a personal and honest message without cursing.

Edit: here's a great way to show personality without being crude http://www.name.com/aboutus#/ourTeam


Is the word "shit" really that big of a deal? "Give a shit" is a colloquial way of saying they care without sounding like they're regurgitating some polished corporate-speak. It's not like they called the hackers cock-juggling thundercunt scriptkiddies while telling them to "bring it" now that they've fixed the problem. There's no element of juvenility in how they said what they said, and they're not using grown-up words to call people names for the sake of it. I sense no element of posturing.

In all cases I'd rather deal with real people than whitewashed "employees". In many ways I'm glad they offended someone over the word "shit" because it means they're being at least a little true to themselves.


I agree that sterile generic corporate speak is not good but it sounds like you're saying that the only way they could be true to themselves or to appear as real people is to use shit.

I disagree.


I actually liked the blunt honesty. It's so much better than the usual "Your call is very important to us" corporate double speak.


Blunt honesty does not have to be crude. Also being crude is not the only way to avoid being generic.

Blunt honesty without being crude: We screwed up, we're sorry.

Avoiding being generic without being crude: We want you to know that when we say that this matters to everyone in the company, we truly mean it.


> Avoiding being generic without being crude: We want you to know that when we say that this matters to everyone in the company, we truly mean it.

If that doesn't sound like whitewashed corporate-speak, I don't know what does. It sounds like an empty platitude and I wouldn't even believe it if someone said that to me.


Sure. I spent 30 seconds on it but are you saying the only way to show you care and not sound generic is to curse?


It's not the only way, it's just a damn good way!


Nah, I've experienced plenty of situations where cursing just makes me lose respect for someone/thing. I'm not saying I'm against cursing (though I don't really curse much myself). I'm saying that cursing shouldn't be used flippantly. It loses its power if it is. This sounds flippant to me, especially when they put it in quotes.


They put it in quotes because it's their company strap line. It's at the footer of every one of their pages: "giving a @&$#!! since 19xx (some year I don't recall)"


You're right! I didn't notice this and it puts it all in context now. I thought you and others were joking but I saw it a few times so I finally checked.

I wish I could still edit my original post to put this in.


Thank you for shedding light.


But we sincerely mean it!

We value you as a customer and appreciate your business. Thank you for your consideration, and don't forget to sign up for our newsletter.


Nah, it's just hipster double speak :)


I don't think I'd want to use a domain registrar run by people who think that using the mustache meme on their "About Us" page [1] is professional. I'm not usually prudish about language or jokes, but hosting and domains are serious business.

[1]: http://www.name.com/aboutus#/ourTeam


I can understand why you'd be turned off by that but at least it's on a page that doesn't necessarily have to be serious. You're learning about the company and this is part of their culture. In fact, that's a great example of a company showing personality without resorting to crude language.


Honestly, I don't like the use either. It is a serious issue. They know that. The writer knows that. Nevertheless the writer, while perhaps in poor judgment, assessed the situation in need of a slight touch of relief. They're trying to calm their customers. It looks like this is where they shall begin.

This commentary though, it is unnecessary. They are making an attempt to remain open and communicate with their customers. Responses like these aren't going to aid further such attempts of similar observers. Others are going to continue as many still do: skating by with such breaches unreported. Your data will be out there and you won't have a clue. Would that be better?

This very view has been much of what is wrong with HN these days. Comments with this air of pseudo-intellectual, overly-critical analysis over the inherent nature of intentions (and word use).


I read this as 'give a shirt' so I was reading the article the whole time wondering 'who gets the shirt?'.


Probably because you'd sooner expect the word "shirt" in a message like this than the word "shit".


Meanwhile in looking to re-read that language I get this error:

"You don't have permission to access /blog/general/2013/05/we-got-hacked/ on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."


Same here. Given that they got hacked, given some of the other comments about the content of the post, and given that they apparently can't build a site that can handle a hackernews frontpage, I think I will continue to avoid them as a registrar.

Edit: And, their bulk domain search still appears to be broken for entering more than five domain names: http://www.name.com/names

Edit2: The new error with their blog post:

The webpage at http://www.name.com/blog/general/2013/05/we-got-hacked/ has resulted in too many redirects.


That plus their DNS hijacking [1]. I really loved their UI, but have been moving my domains off Name.com as they come up for renewal.

[1]: https://duckduckgo.com/?q=name.com+dns+hijack


I believe that you can transfer them right away without losing any time on your lease. Meaning if you have 6 months before a domain expires and transfer it to a new registrar and pay for a year, you'll have a year and a half before it expires.

I've never done it myself but I've read it on multiple occasions so it might be worth checking if you're really looking at moving away.


Correct. And some domains can be tough to transfer once you get too close to renewal time, so I'd recommend transferring sooner rather than waiting for the renewal date to come up.


Yes this is correct. You don't lose any time when switching. And actually any time a domain is switched 1 year is automatically added to the expiration date (.com/net/org/info).


Curious, where have you been moving your domains to ?


Namecheap. Seems to be the favorite among the HN crowd. Also, they donate to EFF.

Oh, and gandi.net for TLDs I can't get from namecheap, like .io, .cx.

http://community.namecheap.com/blog/2011/12/29/25000-eff-don...


Same here. Namecheap for the common domains, Gandi for the slightly more exotic ones. I've been happy with both.

I also have one domain at networksolutions (it was worth a $100 difference over five years vs gandi), but I definitely would avoid them in the future. As soon as I ordered, they started calling once per day attempting to sell further services. They are on my avoid list now.


I started the transfer process for a .im to Gandi last night. I just wish Namecheap handled that TLD so I could manage everything in one place.


Looks like all of http://www.name.com/blog is down.



Damned if you do, damned if you don't.


What do you mean? Who damns a company that doesn't curse in their press releases?


This is a registrar that, if you use their DNS service, refuses to return not found records and instead serves up ads, on your domain. That's a cheesy thing to do. I had started to move some domains to them from GoDaddy, found out about it, contacted them to see if they can remove it, and was told off.


Breaking DNS for profit is enough reason not to use them.


Injury to insult: their TOS in no uncertain terms makes you, the website owner, liable for all content they forcibly redirect to. They're at the bottom of the barrel with GoDaddy. Total scumbags.


"The information that was accessed includes usernames, passwords, physical addresses, email, hashed passwords..." They mention passwords AND hashed passwords, I wonder if this means they had some passwords saved in the clear.


And also whether "hashed" means salted and hashed or just simply hashed.

Honestly, I would feel much more comfortable if sites publicly disclosed their password encryption strategy. Just saying "oh they're hashed" really doesn't make me feel any better -- how do I know they didn't just do a quick MD5 instead of a proper password-appropriate process?


> Honestly, I would feel much more comfortable if sites publicly disclosed their password encryption strategy.

Funny you should mention that.

I thought at one point that I could set up a http://tosdr.org/ like database, showcasing the best password securities in use. You could have lists of the people using MD5, scrypt, bcrypt, and so forth. Think of it as a trophy case of password storage algorithms. My sticking point was finding the information, aside from looking at already leaked databases, you just have to go and ask the developers.

I emailed about 35 companies with a standard block of text asking if they were willing to disclose their scheme, the responses were mostly in the following:

• "our passwords are encrypted, you don't need to worry"

• "we can't disclose this for security reasons"

• "you're trying to hack us!"

I don't know what I expected really. We will have to stick to laughing at the atrocities listed on http://plaintextoffenders.com/ .


> "you're trying to hack us!"

This sounds like the beginning of a pretty good blog.


Yeah, the lack of transparency is what made me explicitly mention it when creating Persowna (https://www.persowna.net/).


I would feel much better if passwords were just stored on a HSM (Hardware Security Module) instead of a local unix file system.

And, from a security perspective, it's mostly irrelevant as to whether passwords were hashed (where hash = MD5, SHA, or some other high speed hash function), or salted+hashed.

Why:

Look at two scenarios,

  Scenario #1: The security of your Strong, high-entropy password.
  Scenario #2: The security of all the n00b's weak passwords.
Then, look at two options:

   Option #1: Hashed, no Salt
   Option #2: Hashed + Salt.
In Scenario #1 - your password is secure in Option #1, because your password does not appear in a rainbow table.

In Scenario #2 - the vast majority (60%+) of those weak passwords can be brute forced with sophisticated dictionary attacks in a couple days even with a hash+salt - no need to use rainbow tables.

Ironically, salts offer no security for you (you don't need them), or the vast majority of people (whose password will be broken, even if they are salted+hashed). Salts+Hash were relevant from 1990-2010, prior to high speed GPUs and ASICs overtaking Rainbow Tables. People learned lessons then, that are no longer relevant.

Now, where Salts ARE important, is with a multi-iteration key-derivative function like bcrypt or scrypt. There, a salt (which is part of the bcrypt and scrypt algorithm) actually does offer (a lot) of security to the n00bs. Without salts scrypt/bcrypt would once again tip the balance back in favor of Rainbow Tables. But, of course, scrypt/bcrypt are inherently salted.

But your high-entropy password is safe regardless.

As always, http://codahale.com/how-to-safely-store-a-password/
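The two-scenario, two-option argument above can be run as a small experiment. The following is an added example (not code from the thread or from name.com): it hashes a constructed weak password and a constructed high-entropy password with a fast hash (SHA-256) both unsalted and salted, then checks each stored hash against a toy precomputed lookup table (standing in for a rainbow table) and against a guess-by-guess dictionary run. The tiny `WEAK_DICTIONARY` is a constructed stand-in for the real wordlists the comment refers to; everything else is standard-library Python.

```python
import hashlib
import os
import secrets

# Constructed, deliberately tiny stand-in for a real weak-password list.
WEAK_DICTIONARY = ["123456", "password", "letmein", "qwerty", "dragon", "iloveyou"]


def fast_hash(password: str, salt: bytes = b"") -> str:
    """The 'high speed hash' case from the comment: SHA-256, optionally salted."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(dictionary):
    """Precomputed hash -> password map (toy rainbow table). It can only match
    unsalted digests, because a per-user salt changes every digest."""
    return {fast_hash(p): p for p in dictionary}


def lookup_attack(stored_hash: str, table: dict):
    """Option 1 (no salt) falls to a single table lookup."""
    return table.get(stored_hash)


def dictionary_attack(stored_hash: str, salt: bytes, dictionary, hasher):
    """Guess-by-guess check with the salt known (it is stored next to the hash).
    Returns (recovered_password_or_None, guesses_spent)."""
    for i, candidate in enumerate(dictionary, 1):
        if hasher(candidate, salt) == stored_hash:
            return candidate, i
    return None, len(dictionary)


def scenario_table():
    """Run the comment's 2x2: {weak, strong} password x {unsalted, salted} storage.
    For each cell, report whether the table lookup and the dictionary run recover it."""
    strong = secrets.token_urlsafe(24)  # constructed high-entropy password
    weak = "letmein"                    # constructed weak password, present in the list
    table = build_lookup_table(WEAK_DICTIONARY)
    results = {}
    for label, pw in (("weak", weak), ("strong", strong)):
        # Option 1: hashed, no salt
        unsalted = fast_hash(pw)
        results[(label, "unsalted")] = {
            "table_hit": lookup_attack(unsalted, table) == pw,
            "dictionary_hit": dictionary_attack(unsalted, b"", WEAK_DICTIONARY, fast_hash)[0] == pw,
        }
        # Option 2: hashed + per-user random salt
        salt = os.urandom(16)
        salted = fast_hash(pw, salt)
        results[(label, "salted")] = {
            "table_hit": lookup_attack(salted, table) == pw,
            "dictionary_hit": dictionary_attack(salted, salt, WEAK_DICTIONARY, fast_hash)[0] == pw,
        }
    return results


if __name__ == "__main__":
    for (label, option), outcome in scenario_table().items():
        print(f"{label:6} / {option:8} -> {outcome}")
```

The salt only removes the table-lookup column; the weak password still falls to the dictionary run in three guesses, and the strong password survives both regardless. What changes the dictionary column is per-guess cost, which is the bcrypt/scrypt point the comment makes next.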


I think we all need to accept that once we've given a password to a website it's compromised. It does not matter how they protect it - it's no longer safe. If someone has walked in to their website and taken our information, it doesn't matter which hashing scheme they've used. It's no longer important. Assume that any password you ever give out is gone. Be prepared to change your password / key on a site at any time. Mine are 26 character keys I don't know and will change as required (or leave a service that loses them).


So where and how do you store these passwords which you don't know?


1password for me. You can choose whatever you want though. Write them on a piece of paper you keep in your pocket if that works for you. Whatever you do, don't reuse them between services. It's just a matter of time before someone loses them and all your accounts are wide open.

In an ideal world we wouldn't use passwords anymore. But right now we have no choice so we have to do whatever we can to mitigate our eventual compromised accounts.


1password here too. Previously used lastpass, and for me, 1password is so much better.


Using a password manager like 1Password.


KeePass


> And also whether "hashed" means salted and hashed or just simply hashed.

That really doesn't make that much of a difference anymore, given the fact that it's known information that's easily parseable. Rainbow tables are really just a quick convenience, but it's not like there aren't programs that can automate the process of getting and appending the salt to a password string and then just brute forcing. Even with something like bcrypt, you're still working against 1) infinite time and 2) users who don't understand how dangerous a weak password is.


They were using and probably are still using unsalted MySQL 4.1+ PASSWORD()

https://news.ycombinator.com/item?id=5677550


They mentioned they're using bcrypt in the comments:

http://www.name.com/blog/general/2013/05/we-got-hacked/#comm...


They're lying or confused, the data I have is definite proof. 9gag's password and ours were hashed unsalted with MySQL's PASSWORD(). I'll reply on that comment.


He seems to be correct. Here's the comment with more information: http://www.name.com/blog/general/2013/05/we-got-hacked/#comm...


I emailed them and got this as a response: http://cl.ly/image/3R1R3e2i1h0s


I was thinking the same thing. From their wording of the issue, that appears to be the case.


Name.com: Why did it take you over a month to report the fact that you were hacked to your users if you "give a shit" about us?


I think they only realized it happened after name.com was mentioned as a hacked site in HTP5.

http://www.exploit-db.com/papers/25306/


If that's the only reason they realized it happened then that's disturbing as well.


Or they only chose to do something about it once it was public domain.


So they're either incompetent or really shady. At least they're handling it as well as Linode did.


It says in the HTP5 release that Linode was placed in an intolerably difficult situation between the HTP group and the FBI and were not in a position to make a public statement until they were directly instructed to by the FBI.


This is the big problem with their response. All I want to know is two things: what they know, and when they knew it. After that, I want to know that they've fixed their problem and that's it.

I'm not sure if this answered much.


And why do they redirect DNS misses to their own advertising page? I think "give a shit" refers to the money they are getting, and not much else.


"For the techies who are wondering, the encryption on the credit card information is 4096 bit RSA."

Why would they be using RSA to encrypt fields in an internal database, rather than a symmetric algorithm?

If they really did use RSA, I'd wager they did not pad it correctly and don't have any authentication.


It's a Write-Only Memory.

The web server can write the credit card info to the database, but isn't able to read (and decrypt) that same info in case it gets hacked.

Presumably there is another machine that only does billing and has a much smaller attack surface, which is the only online place with the key to decrypt the card info.


I've seen web frontends that encrypt submitted credit card info with a public key, then had billing backends that re-encrypted with a symmetric key (usually in a HSM).

That was strictly for performance overhead and key rotation flexibility. Perhaps name.com didn't care about that.


That way you can safely put your public key on all of your application servers so that any node can write data, but only allowed nodes can read.
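The "write-only" design described in this subthread, as an added example that is not name.com's code and not known to match what they actually run: the web tier holds only the billing host's public key, wraps a fresh AES-GCM data key with RSA-OAEP, and stores the sealed record; only the billing host, which holds the private key, can open it. OAEP padding and GCM's authentication tag address the padding and authentication concerns raised above. It assumes the `cryptography` package is installed, and uses a 2048-bit key so that it runs quickly (the page reports 4096-bit RSA); the card record and account id are constructed.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256: a proper padding scheme, unlike raw/textbook RSA.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_billing_keypair(bits: int = 2048):
    """Run once on the billing host. Only the public half (PEM) leaves that host."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, public_pem


def web_tier_seal(public_pem: bytes, card_record: bytes, account_id: bytes) -> dict:
    """Web-server side: can write but never read. Hybrid encryption: a fresh
    AES-256-GCM key encrypts the record (authenticated, bound to account_id via
    associated data); RSA-OAEP wraps that key. No private key is present here."""
    public_key = serialization.load_pem_public_key(public_pem)
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(data_key).encrypt(nonce, card_record, account_id)
    return {
        "wrapped_key": public_key.encrypt(data_key, OAEP),
        "nonce": nonce,
        "ciphertext": ciphertext,
        "account_id": account_id,
    }


def billing_host_open(private_key, sealed: dict) -> bytes:
    """Billing-host side: unwrap the data key, then authenticate and decrypt.
    Raises cryptography.exceptions.InvalidTag if anything was tampered with."""
    data_key = private_key.decrypt(sealed["wrapped_key"], OAEP)
    return AESGCM(data_key).decrypt(sealed["nonce"], sealed["ciphertext"], sealed["account_id"])


def round_trip(record: bytes, account_id: bytes = b"acct-42") -> bytes:
    """Seal on the web tier, open on the billing host; returns the recovered record."""
    private_key, public_pem = generate_billing_keypair()
    sealed = web_tier_seal(public_pem, record, account_id)
    return billing_host_open(private_key, sealed)


def tamper_is_detected(record: bytes) -> bool:
    """Re-attach a sealed record to a different account id: GCM must reject it,
    which is the 'authentication' the thread says a bare RSA field would lack."""
    private_key, public_pem = generate_billing_keypair()
    sealed = web_tier_seal(public_pem, record, b"acct-42")
    sealed["account_id"] = b"acct-43"
    try:
        billing_host_open(private_key, sealed)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    # Constructed test data, not a real card.
    sample = b"4111111111111111|12/25|constructed test card"
    print(round_trip(sample))
    print("tamper detected:", tamper_is_detected(sample))
```

A compromise of the web tier yields only ciphertext and the public key, which is the property the commenters describe; the remaining risk is the billing host itself and, as the next comment notes, key rotation, which this scheme makes awkward because every stored record is bound to one RSA key.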


Here is an excerpt from the email I received from them:

"Name.com recently discovered a security breach where customer account information including usernames, email addresses, and encrypted passwords and encrypted credit card account information may have been accessed by unauthorized individuals. It appears that the security breach was motivated by an attempt to gain information on a single, large commercial account at Name.com.

Name.com stores your credit card information using strong encryption and the private keys required to access that information are stored physically in a separate remote location that was not compromised. Therefore, we don't believe that your credit card information was accessed in a usable format. Additionally, your EPP codes (required for domain transfers) were unaffected as they are also stored separately. We have no evidence to suggest that your data has been used for fraudulent activities.

As a response to these developments, and as a precautionary measure, we are requiring that all customers reset their passwords before logging in. If you use your previous Name.com password in other online systems, we also strongly recommend that you change your password in each of those systems as well."

Based on their suggestion to change your passwords on other online services using the same password one could assume that there is a good chance they could be decrypted. On the other hand they could just be overly cautious. In any case I agree it would be nice if they could divulge more information on the encryption strategies in use.


Passwords aren't (usually) encrypted, they're hashed. Hashing buys you time, nothing more; if an attacker has a copy of your hash you should treat your password as compromised.

Nothing to see here.


Hashed was indeed what I meant. I tend to use the words interchangeably, in error. What I meant to say is the strategies in use can vary quite a bit. Are they using a salt and/or a pepper? Are they using bcrypt or the like? Based on those answers one can usually guess if it's feasible to break those in a reasonable amount of time.


Sorry, reading that again I sound like a dick. I know it's a common error and I didn't mean to nitpick.

I only mention it because there's an important difference in that with hashing, it doesn't really matter as much what the strategy is, since a bad password is a bad password. Better hashing only means a lower percentage of your intermediately-secure passwords are compromised right away. Since they (should) have no way of knowing which passwords are secure, they have to treat them all as compromised even if they were storing them "right".


> Name.com recently discovered

LOL

After the hackers clued them in!


Or after the hackers leaked the info and they couldn't cover it up anymore.

Why else would they release this on a Friday?



I'd like very much to know how they got hacked. All the talk of 4096 bit RSA and security is great, but how did the database get compromised?


They've clearly omitted the line “the private key was stored securely on a separate system which was not compromised” after the statement about card data and RSA. I'd go as far as to suggest that was deliberate.


Has anyone heard anything from Moniker, or the other registrars claimed to be hacked? I wasn't able to fetch the registrar data from the zine release, and haven't found another source, though it had sounded like HTP obtained root or privileged access on Moniker.

I haven't heard anything from Moniker. My trust for them has been waning for a while, and radio silence on this doesn't help -- though I haven't attempted to reach out to their support at all either.


Don't know about Moniker but Melbourne IT admitted to some breach (although they play it down): http://www.theregister.co.uk/2013/05/09/melbourne_it_hacking...


This seems like a good time to remind everyone how easy it is to upgrade to scrypt.

Also, if you just wrap your current hashing scheme, you don't even have to bug your users to update their passwords. https://gist.github.com/cagerton/5485241
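The wrapping idea in this comment, and the earlier claim that the leaked hashes were unsalted MySQL 4.1+ PASSWORD() values, together as an added example (not the linked gist, not name.com's code): the legacy scheme is recomputed exactly, each stored legacy hash is wrapped as scrypt(legacy_hash, random salt) in a one-off migration that needs no user interaction, and a successful login is used to rehash the password under the native scrypt scheme. The `scrypt-mysql41$salt$tag` record format and the cost parameters are assumptions for the example; `hashlib.scrypt` is the standard-library binding.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters. Memory per guess is 128 * r * N bytes, 16 MiB
# here; setting N too low is the "make GPUs suck" parameter mistake discussed below.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def mysql41_password(password: str) -> str:
    """Legacy scheme: MySQL 4.1+ PASSWORD(), '*' + upper-hex SHA1(SHA1(pw)).
    Unsalted and fast, which is why it needs wrapping rather than keeping."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def scrypt_tag(material: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(material, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def wrap_legacy(legacy_hash: str) -> str:
    """Migration step, run over the whole table with no user present:
    the stored legacy hash becomes the scrypt input. Format is assumed."""
    salt = os.urandom(16)
    tag = scrypt_tag(legacy_hash.encode(), salt)
    return "scrypt-mysql41$%s$%s" % (salt.hex(), tag.hex())


def hash_native(password: str) -> str:
    """Scheme for new passwords and for rehashing after a verified login."""
    salt = os.urandom(16)
    return "scrypt$%s$%s" % (salt.hex(), scrypt_tag(password.encode(), salt).hex())


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison; wrapped records recompute legacy first, then scrypt."""
    try:
        scheme, salt_hex, tag_hex = stored.split("$")
    except ValueError:
        return False
    salt = bytes.fromhex(salt_hex)
    if scheme == "scrypt-mysql41":
        material = mysql41_password(password).encode()
    elif scheme == "scrypt":
        material = password.encode()
    else:
        return False
    return hmac.compare_digest(scrypt_tag(material, salt), bytes.fromhex(tag_hex))


def login(password: str, stored: str):
    """Returns (ok, stored_after). On a good login of a wrapped record the record
    is upgraded to the native scheme, since the plaintext is briefly available."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("scrypt-mysql41$"):
        return True, hash_native(password)
    return True, stored


if __name__ == "__main__":
    # Constructed legacy row as it would sit in the old table.
    row = mysql41_password("correct horse")
    row = wrap_legacy(row)          # migration: no password reset needed
    ok, row = login("correct horse", row)
    print(ok, row.split("$")[0])    # True scrypt
```

The wrapped form keeps the weakness of the inner hash only in the sense that an attacker who already has an old, unwrapped dump can still attack that; anything taken after the migration costs a full scrypt evaluation per guess.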


What does scrypt offer over bcrypt? The only difference I seem to recall is that scrypt is more memory-intensive (making it so that the CPU/GPU/whatever isn't the only bottleneck).


scrypt is designed to be difficult on hardware. Both bcrypt and scrypt are currently difficult on GPU hardware, but it's unlikely to remain that way. Both are better than PBKDF2. scrypt is likely to be better longer. But really: throw a dart at any of the three of them.


It sounds like one of the Bitcoin alternatives is scrypt based, and they are putatively getting a roughly 10x speedup from GPUs: https://en.bitcoin.it/wiki/Litecoin#Scrypt_Proof_of_Work . Is that a new development, or is it in the neighborhood of how GPU-resistant it was supposed to be?


The Litecoin guys just set the "make GPUs suck" (aka "memory use") parameter too low.


Thanks!


Someone asked this question on the post so I will answer it. I run a registrar (but not name.com obv.).

"Hypothetically, what would happen if some bad guys managed to transfer domains? What recourse would there be: would it be dealt with by yourselves, or would the previous owners of the domains have to take legal action against whoever the domains were transferred to?"

There is a procedure in place between registrars to cover situations like this. Of course this assumes that the person who has the name stolen knows it has happened and that the proper people are notified fairly quickly. There are many cases where people might not know a domain was stolen (extra domain pointing to another site for example or an unused name) so there is definitely a risk here. But assuming this was discovered right away by the person whose name was taken it could be reversed and transferred back to the losing registrar. Of course all this can be time consuming and there is no guarantee that the registrar that the name was transferred to would act quickly etc. YMMV.


Also worth noting that there's a mandatory 60-day waiting period between transfers for a domain, so a stolen domain can't be taken very far.


That's only after it's first registered, no?


No it's also when transferred between registrars.


3 days after HTP supposedly hacked linode (and name.com in the process), name.com suddenly "give a shit" and did "an effort to maintain the open, honest, and transparent reputation". I do wonder if this would be made public at all without the HTP announcement being made.


Name.com isn't opposed to doing a little hacking of their own, on the DNS responses.

I'm glad a despicable company got hacked, but I do feel empathy for their customers--both because of the hack and because they have a malicious registrar.


This reads like something written by a marketing/PR team. Not just OK'd by them, but actually authored.


HackerNews effect - got hacked + servers down with the traffic?


"the encryption on the credit card information is 4096 bit RSA."

This language, however, is awesome.



