Admin
Not sure whether anyone else has explained this already:
This is how domain transfers are done. I've done it before: type up some letterhead and do the transfer. And it's not broken.
The thing is, no one is going to pretend that this is a security measure, or any way of preventing people from transferring domains fraudulently. It's just to cover the registrar's ass. If the rightful domain owner comes to them and says "why did you transfer this domain?" they need to be able to pull out a fax that's on something that looks like company letterhead and say "we got this transfer request, here's all the documentation, here's why we thought it was legit."
I've transferred signing authority on bank accounts for student groups a few times, and there's a similar requirement: if you want to transfer signing authority and the previous signing authorities aren't there, you need some official meeting minutes from your AGM that say exactly whom the signing authority is being transferred from and to, and why. Of course, this means I could probably get signing authority on any student group account if I wanted to, but that doesn't matter: all the bank cares about is that they have a record of what happened and why. If I get signing authority on someone else's account and the someone else shows up at the bank, the bank needs some documentation to show them, namely "look, here's the meeting minutes we got, if they're not legit then tell us and we'll fix it."
My point is, you've misunderstood the purpose of the system, and it's not actually broken. Yet another shitty WTF that makes me think the editors aren't really as smart as they think they are.
Admin
First you have to imagine that everyone in Africa has electricity and eats every day. And isn't more interested in killing the next tribe over than doing something (anything) productive.
Admin
This isn't a security WTF. It's a way for the provider to cover their asses for when they screw up a transfer.
The real WTF is that the provider doesn't give a flying fig about security and hasn't actually attempted to implement any security measures and is instead only doing CYA.
Admin
Did something similar recently with a paypal purchase.
Bought $350 worth of merch from the lowest bidder at pricegrabber. I got an email back from customer service saying they only shipped to addresses that were confirmed in paypal, as an anti-fraud measure. So I was to go through the verification process, and send back a screenshot.
I saved myself a little time by skipping the whole verification step, and just sending back a (doctored) screenshot. There are several firefox extensions that make it trivial to alter the (local copy of the) HTML of any page you visit.
Not much of an anti-fraud measure...
Admin
Ahh a common mistake. I believe it works like this. "The amount of intelligence in the world is constant, population is increasing"
Admin
I just registered a SkypeIn number and use it as cell phone or landline as the case may be. It has the added advantage of following me wherever I am in the world.
Admin
How do you pay your rent?
Admin
Bank transfer ... the money goes out every month without me needing to do anything ... that's the way that most people do it in the UK (students and people in shared houses are the exception).
Mike
Admin
I've had exactly the same request for exactly the same thing - transferring a domain, and I responded in exactly the same way.
When it came to renewal, I wanted to change the admin contact - again they wanted letterhead. Being the hoarder that I am, I found the request for transfer, and made sure that everything on the letterhead for this request was different from my last request.
Of course it was approved.
P.S. Captcha - xevious. Yes, I was feeling xevious when I fooled em.
Admin
I pay my rent by EFT (electronic funds transfer) just like everyone else I know. Why do you ask?
Admin
It could be worse... ARIN still "authenticates" IP address assignment changes via simple email from the listed contact address. Forge an email from that contact address and you can change the reverse DNS delegation for that IP range.
<barbie>Security is HARD. Let's go shopping!</barbie>
Admin
Soooooooo..... how does an individual that owns a domain name get it transferred in the UK or Au? Do you have to start your own business to own a domain there?
Admin
I've had experience with this form of security. I worked with a law enforcement agency, it doesn't matter which, and in the course of my employment I needed a mug shot from an individual's criminal record. All that was required was a phone call to a specific police branch and a fax with our letterhead on it. How is THAT for scary?
Admin
At most, they deserve a D- for effort. They realized that someone might try something funny, but they come up with a completely retarded solution.
Admin
No, it's the wars - we take a large portion of the healthiest, best and brightest and kill most of them off, leaving mostly the "less than best" (putting it charitably) to procreate. That's why we have so few GOOD (intelligent, innovative, knowledgeable, etc.) IT types, doctors, engineers, etc. And I don't mean only those who made it through a 4-year, and have a piece of paper (some of them are good, most are not). I mean those who can make it happen in the real world. If you are honest with yourself, you know what I mean. And no, it is not 'politically correct' to express thoughts like these.
Certainly those who watch The Weather Channel will remember the family who was caught by a tornado, and the husband who told the reporter "we was told that a tornado sounded like a freight train, but we didn't hear no 'whoo whoo' or nuthin". Frightening, isn't it? I often wonder how people like that survive. Or a recent job interview I went on (I'm a programmer / technician - contractor) - I was asked to draw a diagram of a latching motor control circuit for my possible new supervisor. I drew a fully functional schematic of one possible circuit, only to have the 'supervisor' point at the ground symbol on my diagram and ask, "What is that?" He really didn't know! He then told me, being deadly serious, that it was obvious (because my schematic diagram didn't match his) that I didn't have much 'hands on' experience - amazing, as I have been making my living as an electronics engineering tech for over 30 years! I left that interview at a run - why would anyone want to work for an idiot?! How, in the name of God, does that company stay in business? So don't blame the schools (they are terrible) - blame the raw material they have to work with. The gene pool is getting really shallow now...
Admin
Pointing out the real-world legal implications of a policy such as this really doesn't make it any less of a WTF...it's just more legal WTF than technological WTF.
In either domain, the spirit of the problem is "Security by Professionalism", a strategy that works quite well in some scenarios. A business with a grand, expensive local office is probably not run by a scam artist about to skip town. It's harder to be sure of the mail-order business with no contact information other than a PO-Box. Back in the 70's, I doubt many people without criminal intent would go through the effort of forging a professional-looking letterhead.
It would seem that the legal system hasn't caught up with the idea that such assumptions are completely meaningless in this era.
I'm reminded of an old employer that implemented "digital signatures" via Wacom tablets.
Admin
So it's not a WTF since it's required by law??? I would say that is a much bigger WTF if a law requires something that is so easily manipulated.
Admin
Exactly the steps my friend, who was on after-hours hosting support at an ISP, had to go through with a co-location hosting provider to get a machine rebooted.
Co-lo: Sorry, only Jason, Matthew or Rupert can request that.
Friend: Okay, thanks.
click, redial
Friend: Hi, this is Jason...
Africa, huh? That's where those Nigerians who sucker Americans out of their life savings come from, isn't it?
Admin
If this was true, Adam wouldn't be dumb enough to eat the f*cking apple!
Admin
Furthermore, the only Australian domain names an individual can hold are in the .id.au namespace, and they must be derived from the individual's name; so there is only a very limited need for transferring them. I don't know what the process for transferring a .id.au name is, though.
Admin
Addendum (2007-10-26 04:00): D'oh! Apparently even my stupidity is showing through! :-S
Admin
It's funny, sure, but I've done this. And the letterhead I made up became the company letterhead. No lie.
Admin
Exactly the same system that DNS.be uses with .be domains.
I needed to change something but the company I worked for changed its name. MS Word to the rescue!*
(*) It's not every day you hear that!
Admin
Me too.
Admin
Just curious... what proportion of the remaining 40% uses a fake computer on a daily basis?
Admin
This reminds me of "The Day of the Jackal" with Edward Fox creating his own birth certificate with a John Bull printing set - anyone else remember them?
Admin
Only accepting anything that looks like a letterhead does screen out the time wasters. But it can only make a quick and simple, first level of authentication. The WTF, of course, is that there is no more thorough authentication.
Admin
This sounds scarily familiar. The very very Irish sounding name also got me thinking. This sounds exactly like the way the IE Domain Registry do business. I've been in this situation, I've made up letter heads. I always thought it was retarded, mind you, there are many much more retarded things about the IEDR.
Admin
I may have dreamt this but...
...faxes are legally acceptable (binding) documents whereas, for example, e-mails are not.
This reminds me of a phone call I once had from my mobile phone provider. I asked them how I could be sure that they were my provider and their answer was:
"Well, you could set up a password so that next time we call we'll ask you for the password and when you give it we'll tell you if it's correct, that way you'll know it's us"
sighs (again)
Admin
I'll have to remember to do this too the next time some stupid company insists on it being on company letter head!!! Morons!
Admin
I actually got a call saying it was from my mobile phone provider and could I please confirm my password so that they knew they were talking to the right person.
I had to explain to the dumb f*ck why there was not a chance in hell that I'd be providing this information - mainly because I had no way to verify that they were who they said they were.
With all the phishing scams you'd think large multi-national corporations would have some clue!
Admin
Ever heard of money transfer or standing orders? Do you still carry money with you? I thought the US is THE country where credit cards are the predominant means for payments.
CAPTCHA: smile (well, makes me laugh, rather)
Admin
Only yesterday I got this email back after I requested XSLT support for PHP for a client's website. Spot the similarities...
I told them that they are really tempting me to spoof an email, but got no response yet.
Admin
Could you put this in proper English, please?
Admin
Hmmm... how politically incorrect can you get?
???Maybe there are actually some stupid people in America too?
regards, Francois Cape Town, SOUTH AFRICA
Admin
Which is why every checking account I ever had started at 1001
effing idiots. As measured in Houses of Congress.
Admin
Last time I looked, the requirements to join up for most armies didn't require the applicant to have more than rudimentary intelligence. And the US army isn't exactly making much of a case, currently, for being "the best and brightest." (To say nothing of the Pentagon and the State Department, not to mention the Commander-in-Chief. Mind you, they're not the ones getting killed.)
Nothing against the US Army, but I fail to see the connection here.
Admin
The Real WTF is that you requested XSLT support. Worked with that for about a year at my previous job, which was a year too much.
Admin
To be fair to the large multinational, that may have been a phishing call...
Admin
Yep - but who are the stupid ones in that sentence?...
Although it's not just Americans. I read something in a newspaper recently (here in the UK) that 10% of the adult population in the UK has been affected by this type of fraud. That's scary, and I thought it must be nonsense, but then they said that UK banks had received over 350,000 fraudulent cheques because of it - so if the UK banks have got that many, how many people have started the process to "claim the lost money" but not got far enough to receive a fraudulent cheque back...
Very scary indeed!
Admin
This happens all the time to me, from banks, insurance companies, utility companies etc etc as well. They really just don't get it. They call you up, and ask for birth dates, mothers' maiden names etc etc.
Some just can't understand why you won't tell them.
They've already got some indication that you're who you say you are - because you answered the phone! So they can be, say, 20% sure you're who you say you are, whereas you can be 0% sure that they're legitimate.
The really daft thing is that the security question can often be 'what's your postcode and the first line of your address?' Remember, they've phoned me on my home phone number! OK, I could be a guest or family member (or a burglar, who just happens to be in at the right time) - but I'm sure they'd know my address, and probably know, or be able to find, my postcode from something lying around easily enough.
I've had some who HAVE been sensible.
Me: "I'm not telling you anything unless you can prove you're who you say you are"
Them: "OK, how about I tell you your birth date, and you tell me ...."
This tends to work well. Yes, they're giving out personal information - but remember they can be pretty confident they're talking to someone in the right household.
Admin
XSLT is beautiful!
Admin
Yet another shitty post by a moron who wasted about 200 words to explain something we all know. Please don't waste our time by being such an ass in public.
If you don't like the stories, don't read them. If you don't like the site content, stay away. Otherwise, STFU unless you have something worth saying.
Admin
Nothing new there - I've been in exactly the same situation. A colleague needed to make a change to a domain that was registered in the name of his company, but he'd never bothered to have a logo designed or stationery printed because it was merely a holding company that worked under a number of different brands. 20 minutes with Word/Photoshop and we had a letterheaded letter sent off, and the domain transfer went through just fine.
Admin
When I tried to do it recently, I was told that I needed to fax the request on letter headed paper. Since I wasn't a company however (yes, they actually bothered to check my details) I was told a signature on the fax would be fine. And it was.
Admin
That letterhead was fucking DELICIOUS
Admin
oh, wait...
Admin
T-Mobile BTW. I have no qualms calling them out.
I should have added that I called T-Mobile after this call, found that the call I had received was in fact from them and once again explained how f'in dumb they were.
Admin
So if a WTF is encoded in law, it's not a WTF?