Domain Names

https://gacweb.icann.org/display/gacweb/GAC+Early+Warnings

Some interesting reading ahead for people interested in internet policy and domain names.

A couple fun stats:

Country with the Most Objections: Australia (90)

Most Objectionable gTLD: Africa (17 countries objected)

Guest Post I wrote for DomainNameNews

I was reading Mark Cuban's thoughts about Facebook trying to get him to pay to reach his fans. It's an interesting opinion and one I can empathize with. The crux of it is this picture:

Brands have spent millions of dollars getting people to 'Like' their brands. Now, Facebook is asking them to pay more to reach the audience they already paid to build. It feels fundamentally unfair because Facebook has changed the rules of the game half way through.

Of course, there is another perspective to consider: the users. They probably don't want every brand spamming them. There is some ambiguity to the word 'Like'. Some would argue it's not a laissez faire situation where brands are free to advertise to every user as much as they want. Facebook's EdgeRank is supposed to improve the user's experience by curating what users see in their feed (and it just so happens that more money greases the EdgeRank wheels).

That's a quick synopsis of the article. Let's get back on topic.

Why is this important to domainers?

Mark Cuban is advocating for brands to maintain more control over the way they communicate with their audience. He's promoting Twitter, Tumblr, Instagram and MySpace (no joke!). It's not mentioned in the article, but there is still only one place that the brand still maintains full control: their domain name(s).

I've argued in the past that domains are becoming less necessary as brands opt to use social networks for their primary web presence. Facebook has about one sixth of the world's population as users. It's easier to manage, easier to share content and easier to reach your audience (assuming you have money to spend).

This is a real kick back from brands. Maybe it's just one guy. Maybe not. But it should be a good reminder that when you buy into these social networks, you're potentially making a deal with the devil. They control the rules and you are beholden to them and the changes they decide to make in the future. Your relationship with your fans is moderated by someone else.

In the developer community we worry a lot about building our software on top of someone else's platform. We've seen Twitter take out competitors it didn't like and restricting their API to control what developers can do. Perhaps it's reckoning time for brands. Maybe they will experience the risk they've put themselves at by investing into social media on platforms they don't control and that don't have an established business model.

Let me be clear: I don't think this will stop brands from using social media. However, it may be the first of many tiny cuts in Facebook's business model which moderates how it will deal with brands. Some brands may decide to try to control their fans' experience more and invest in their own domains. At the margin, there may be some increased demand for domain names. Which is good news for domainers and the first good news I've seen in a while for the industry. I think the longer term outlook is still fairly grim for most of the industry, but end user demand is the only bright spot in my mind.

I took the top 1500 sites from Alexa.com and checked their registrar. Some companies have already said they were moving (Hi StackOverflow!). Huge thanks goes to Mike St John for his help in querying the registry.

Here are the 144 companies using Godaddy as a Registrar :

woothemes.com
proboards.com
stackoverflow.com
alot.com
wowhead.com
xkcd.com
seriesyonkis.com
exoclick.com
flipkart.com
goodreads.com
twitpic.com
babylon.com
bytes.com
opera.com
foursquare.com
r7.com
thechive.com
realclearpolitics.com
yousendit.com
dreamstime.com
justdial.com
ilivid.com
github.com
multiply.com
imesh.com
optmd.com
wimp.com
youm7.com
urbandictionary.com
amung.us
informer.com
pingomatic.com
networkedblogs.com
histats.com
chicagotribune.com
grooveshark.com
infusionsoft.com
buzzfeed.com
trulia.com
yoo7.com
hawaaworld.com
bearshare.com
slutload.com
piriform.com
incredimail.com
noticias24.com
ioffer.com
buysellads.com

I would advise anyone thinking of an .xxx domain to reconsider. Although you can register the rather pricey domain (~$95 a year) The ICM Registry are in full control of whether or not the domain resolves.
According to their website you need to register as part of their 'sponsored community'. 'Fair enough' you say, 'where do I sign up'? Well you can't. At least not until the ICM send you an email with a valid link to a sign-up form. What they don't tell you is when you will get that email, and no amount of emails to ICM will enlighten me either. For me it has been seven days so far. Meanwhile the domain is earning me nothing and the registered year ticks along.
When will I get the email? Two months, three, never? Who knows. All I know is this is a very shady practice and I would stay the hell away.

Source: http://www.reddit.com/r/web_design/comments/nattk/the_great_xxx_con/

It seems Godaddy has finally plugged a hole in its whois privacy system which allowed users to see the domain owner's email address domain (ie ****@kevinohashi.com) if they tried to retrieve passwords. Now it requires the user the enter that email address instead of verifying that the asterisked email address is in fact the proper domain associated with the account. I highlighted the fix in the image below. Privacy at Godaddy just got a little bit stronger.

Bad nerd humor is hilarious sometimes.

TechStars TV Episode 3 (around 15 minutes)

What happened: SocratED renames to Veri and gets the domain Veri.com

Transcript (might be a few mistakes, I went through 3-4 times to try and copy this word for word):

David Tisch: Socratic + Education = crap name

Founder: Seeing how no one was able to pronounced our old name, SocratEd, we thought it might be a good idea to move to a much shorter 4 letter domain that meant something, so we moved to veri.com

David Cohen: That's a good name, veri being truth.

Fred Wilson: four letter domains? impossible. you can't get a four letter domain.

David Tisch: where did they get the money for that is the first question I asked?

David Cohen: so here is the crazy thing, Lee has owned that domain for the past 6 years.

Fred Wilson: There you go. They are the team of that week for that alone, that's going from the out house to the penthouse.

I thought this was interesting for a couple reasons.

From a startup perspective, it's interesting to see how impressed investors can be from a domain name. A strong domain truly does send a signal.

From a domainer perspective, it's shocking to realize that it stuns these investors that a startup has such a good domain. They don't think they have the money and it's not sure if they believe a company should be spending that money so early either on a good domain.

I was recently introduced to Amartya Sen's Liberal Paradox and found it quite interesting. The Wikipedia page does an ok job explaining it, I liked this article more.

Sen’s liberal paradox is meant to demonstrate that when autonomous agents act with complete freedom, it is impossible for the agents to produce an outcome that is a net improvement to everyone. While this is not to argue for government intervention, it is to say that a pareto optimal improvement and libertarianism cannot coexist. In other words, the paradox shows us that the invisible hand of the marketplace is incapable of producing net improvements in welfare for a given society.

When you think about the domain industry in the context of the liberal paradox it makes sense why everyone is so unhappy.

You are still emailing me lost passwords in plaintext. This just isn't acceptable.

I contacted you, worked my way through your support team until the manager I spoke to who was supposed to be connected to the dev team asked me what email client I used and said maybe it was outlook that was revealing my password. My email client (oh, I don't even use outlook) was allegedly cracking the passwords or something. I am not even sure what they were trying to say or imply. Whatever it was, it's ridiculous.

I only noticed this because I reactivated an old account because I thought listing with you guys would be a good idea to complement listing on sedo since you were also free now. I want to be your customer. I also want you to treat my information with respect and keeping my password secure is something I simply cannot compromise on. Please fix this issue so we can get back to selling domain names, because I simply won't do business with you until you do.

This is a warning to at least one major domain company. I will be naming names Monday (April 25th) unless it gets fixed. This type of behavior puts customer information at risk and has been hacked before.

YOUR PASSWORDS AREN'T SECURELY STORED

They store passwords in plaintext or a system where they can get back to plaintext (which for all intents and purposes are the same).

What does that mean? It means instead of data being stored in the following format:

accountName | 5f4dcc3b5aa765d61d8327deb882cf99

It gets stored like this:

accountName | password

How do I know if my password is securely stored (as a customer)?

There is no way to tell for sure it isn't stored as plaintext. However, the most common giveaway is trying the password recovery system. If they email you your original password, they are storing it in plaintext. If they force you to generate a new password, they most likely are storing it in a hashed form and have to generate a new hash on your new password because neither of you knows your old password.

Why does this matter?

If they were ever broken into, your passwords are exposed and the attacker can simply read them. If they are encrypted, the attacker would have to decrypt them first, which takes an incredible amount of time (assuming they use Salt). Thus making it exceptionally difficult if not practically impossible to do anything with a hashed password.

Huh? what? I am lost...
Ok, here is a simple explanation of how logins work:

User visits website.

User types in account and password.

In a PLAINTEXT system, the computer matches user entered account:password combo with an account:password combo in a user database.

In an encrypted (secure) system, the computer hashes the password using an algorithm (such as MD5) to produce a hash ('password' after md5 encrypt becomes '5f4dcc3b5aa765d61d8327deb882cf99'). The computer then matches the hash to a stored hash in the database, if the hashes match, it is the correct password. Only your password will generate the same hash, but nobody with access to the database will ever know what your password is because it's stored as a hash.

UPDATE: I am not going to recommend MD5 after further reading, there are apparently stronger algorithms such as bcrypt and SHA-2 which will keep passwords more secure than MD5.

If you have any questions - as a company or as a customer - feel free to contact me and ask.