Domain Names

You are still emailing me lost passwords in plaintext. This just isn't acceptable.

I contacted you, worked my way through your support team until the manager I spoke to who was supposed to be connected to the dev team asked me what email client I used and said maybe it was outlook that was revealing my password. My email client (oh, I don't even use outlook) was allegedly cracking the passwords or something. I am not even sure what they were trying to say or imply. Whatever it was, it's ridiculous.

I only noticed this because I reactivated an old account because I thought listing with you guys would be a good idea to complement listing on sedo since you were also free now. I want to be your customer. I also want you to treat my information with respect and keeping my password secure is something I simply cannot compromise on. Please fix this issue so we can get back to selling domain names, because I simply won't do business with you until you do.

This is a warning to at least one major domain company. I will be naming names Monday (April 25th) unless it gets fixed. This type of behavior puts customer information at risk and has been hacked before.

YOUR PASSWORDS AREN'T SECURELY STORED

They store passwords in plaintext or a system where they can get back to plaintext (which for all intents and purposes are the same).

What does that mean? It means instead of data being stored in the following format:

accountName | 5f4dcc3b5aa765d61d8327deb882cf99

It gets stored like this:

accountName | password

How do I know if my password is securely stored (as a customer)?

There is no way to tell for sure it isn't stored as plaintext. However, the most common giveaway is trying the password recovery system. If they email you your original password, they are storing it in plaintext. If they force you to generate a new password, they most likely are storing it in a hashed form and have to generate a new hash on your new password because neither of you knows your old password.

Why does this matter?

If they were ever broken into, your passwords are exposed and the attacker can simply read them. If they are encrypted, the attacker would have to decrypt them first, which takes an incredible amount of time (assuming they use Salt). Thus making it exceptionally difficult if not practically impossible to do anything with a hashed password.

Huh? what? I am lost...
Ok, here is a simple explanation of how logins work:

User visits website.

User types in account and password.

In a PLAINTEXT system, the computer matches user entered account:password combo with an account:password combo in a user database.

In an encrypted (secure) system, the computer hashes the password using an algorithm (such as MD5) to produce a hash ('password' after md5 encrypt becomes '5f4dcc3b5aa765d61d8327deb882cf99'). The computer then matches the hash to a stored hash in the database, if the hashes match, it is the correct password. Only your password will generate the same hash, but nobody with access to the database will ever know what your password is because it's stored as a hash.

UPDATE: I am not going to recommend MD5 after further reading, there are apparently stronger algorithms such as bcrypt and SHA-2 which will keep passwords more secure than MD5.

If you have any questions - as a company or as a customer - feel free to contact me and ask.

I published a post listing 24,000 available brandable domain names that anyone could register a couple days ago.

It was far more successful than I ever imagined receiving over 17,000 page views. Ranking 3rd on HackerNews frontpage and 2nd in a major subreddit with over 30,000 subscribers.

I wanted to go through the entire setup of the article, the marketing, the goals, the traffic, the results and conclusion.

This is a continuation from this article.

My pickups were:
Hipeo.com
Docey.com
Blisu.com
Bliro.com
Releq.com
MuteU.com
Ocane.com
Smizi.com

There is a lot Japanese sounding names in there which I liked but didn't take. Enjoy!

Update 7:09 pm: Request for an affiliate link. So I picked my favorite consumer facing registrar NameCheap.

DISCLAIMER: these domains were checked against the zone file, NOT the registry. Some names ARE TAKEN but for whatever reason did not have name servers when the zone file was downloaded. Possible causes: somewhere in the delete cycle or simply no name servers registered.

This is in response to this article.

I think the original article hits some really important points about lock-ins and timeliness for most types of customers. However, the article misses the biggest reason why it's so hard to find a good registrar.

Registrar and Customer interests are NOT aligned.

We agree that the registrar business is a commodity for most people and treated as such. This causes a race to the bottom in pricing, service and other aspects. The problem this has created is: how do registrars earn more money?

Screwing domain registrants and keeping/selling/monetizing their domain names.

A incomplete list of the ways registrars do/have screw(ed) over domain registrants:

• Automatically parking domains on their own PPC, creating the potential for legal issues for the owner and collecting any income made.
• Creating barriers to domain transfers such as 'faulty' email systems (looking at you eNom - over 4 years and you still claim it's on my end, yet every transfer in from the same email address works perfectly)
• Keeping domains that expire for themselves
• Selling off expired domains without them going through the delete process (Pre-Release)
• Marking up Redemption Grace Period renewals (often hundreds of dollars)
• Spamming (hi intrustdomains.com)
• Upselling useless products/services (godaddy is the worst offender)
• No incentive to create good user interfaces once you've registered domains
• Non-existent support (looking at shell registrars used for drop catching)
• Domain Tasting
• Exposing whois queries
• Frontrunning (buying a domain as you go through the registration process before you actually purchase)

Registrars watched others make money in the domain name business but saw razor thin margins. The biggest problem in my opinion is expired domain names. They make pennies for each domain I register but can potentially make thousands for each domain I expire through pre-release partnerships and drop catching (mostly pre-release these days).

With those sort of incentives, it becomes obvious why there are no (or few) good registrars. It takes a special level of commitment and someone who truly cares about creating a service that's good for their customers.

Just read an article by Nathan Hammond complaining about their registration agreement.

Apparently they automatically park the domains, waive all liability and then don't share any of the PPC profit with their customers. The article emphasizes the race to the bottom we're seeing in this industry from service providers (with a few exceptions of course).

The interests of the registrars and their customers just simply aligned anymore. This type of behavior won't end until it's fixed.

This is part 1 of a series I would like to call, the end of the 'there are no more good domains left' problem.

I heard it once too many times and cracked. I also was stuck on a particularly challenging problem and needed to distract myself for a while to distance myself and gain some perspective. So in the meantime, I came up with a way to generate millions (first run generated 350 million+ domain names, which is about 3.7 times the size of the .com zone file). Too many, to start with at least without ranking them somehow.

Ranking attempts:

• Using letter frequency and assigning points based on frequency in English language.
• Using bi/tri-grams and their frequencies from Peter Norvig's data
• Modifying these techniques to penalize duplicate letters (stuff like rererer.com was ranking at the top

Ultimately, none of it worked well enough to filter the top, it only removed the crap. So I went smaller (down to 5 letters from 7) and used only certain pronounceable patterns and only put letters that made sense in certain positions/orders.

The other problem is that, I couldn't find any objective way to identify what was or wasn't appealing as a brand name. It depends on a lot of factors such as country, language, region, business area, founders names, etc. There is no ultimate way to rank them (I tried using google search volume for a small sample... gave some very strange results).

I cherry-picked a few for myself for future projects and to give you an idea of what I found here are a few:
Hipeo.com
Smizi.com
Bliro.com

So I will present them alphabetically in the full story.

DISCLAIMER: these domains were checked against the zone file, NOT the registry. Some names ARE TAKEN but for whatever reason did not have name servers when the zone file was downloaded. Possible causes: somewhere in the delete cycle or simply no name servers registered.

This train of thought occurred to me while having lunch with another domainer and discussing a company that approached me about entering the domain space.

This new company was trying to innovate a way to sell more domain names. We discussed the idea, it wasn't novel in concept, but still hasn't been executed successfully. (Note: I am being vague and speaking in theory because I have no idea if the company has launched or if I am allowed to speak directly about them as I was approached privately)

I expressed my doubts about success and listed the reasons. The primary reasons were a lack of credibility and lack of their own portfolio.

Let's investigate those assumptions:

Lack of Credibility

Domainers are a pretty small group of people and it seems you're only ever 2 degrees away from virtually anyone in the business (a mutual acquaintance). Everyone knows everyone loosely. Reputations often precede any interaction. We are a fairly xenophobic bunch, don't trust people from the outside and have this view that everyone would like to take advantage of us, given the chance.

If you just look at the language used when talking about ICANN, Google/Yahoo PPC accounts, parking companies, there is this inherent mistrust that our interests aren't being looked after. I won't debate whether it's legitimate or not, but getting a positive reputation (credibility) is a difficult task in this business. The fastest route seems to be big sales or at least the claims of such.

Not Having Your Own Portfolio
This ties into lacking credibility, having good domain names and big sales generates credibility and trust. So if you don't have anything notable in your portfolio or didn't sell something that made headlines, it's infinitely more difficult to launch any domain related innovation. Who is going to signup and test you out? Not me, not other domainers. We are generally risk averse with our domain names (think the absurdly high reserves we see at auctions time and time again).

One of the biggest successes in recent years has been Rick Latona's mailing list. Who absorbed that initial risk and attracted buyers by offering good deals? He did. He sold his own domain names to attract people before anyone else would list with him. Once the sales were happening, I think he probably had more people interested than he could handle. What made it possible? He owns his own domain portfolio.

Innovating in the Domain Space
If we return to our original question/problem: do domainers block innovation in the domain space?

I think the answer has to be an unequivocal yes. I think we harm our own interests by being so risk averse and have created unconscious barriers to entry which prevent many people who might have entered from entering.

So what? Why does that matter?
The result of this system is that innovation is endogenous in the domain industry. Only domain industry players can successfully 'innovate.' Who has the credibility and funds to launch new domain innovations? A very select few that meet our basic criteria.

If you've been around the domain space for a long time, you may feel like I do (yes, I am getting personal now and it's anecdotal), there isn't much going on in the space. I often wondered why, but only now have I had the time to sit down and think about it. I am still using the same tools I wrote 8 years ago and they are still really effective. Perhaps that's a testament to my awesome skills or more likely, there hasn't really been any major waves in the business in a long time.

Don't you have a solution?
I don't think there is a clearcut solution for this problem. It's a systemic issue. Most successful innovations in the domain space are scalable and take advantage of economies of scale. Domainers will bandwagon any success and companies are generally rewarded by this bandwagoning. Thus, whomever takes the initial risk isn't disproportionately rewarded, therefore, let someone else do it is the consensus.

If we really want to see innovation flourish within the domain ecosystem was need to take more risks, try more new services and encourage outsiders to enter the space. SO next time a company approaches you, make an extra effort to help them. Also don't dismiss their chances because they don't have any credibility or their own domains to absorb the risk with. Maybe even lend them a domain or two!

I just read that Libyan Spider, a reseller for .ly has been suspended by it's hosting company for violating US/UN sanctions. This is posted on the front of their website:

March, 31. 2011

Dear LS clients,

Our servers have been shut down by softlayer.com

We are currently trying to resolve this issue. They believe we fall under the blocked list of the UN/US sanctions.
We are a private company run by ordinary citizens that have no affiliation with the government. We are currently trying to
resolve this issue as soon as possible. This is out of our hands until softlayer.com can reactivate our servers. Please contact
them too to show them that you too are affected by this shutdown. We really are sorry that this error of judgement has occurred.
It is a complete injustice to us. They shut us down without even checking to see if we fell under that category. We will release a statement shortly.

Please email us at support@libyanspider.com
We hope that this issue will be resolved soon.

Best regards,
Hadi Naser
CEO Libyan Spider, LLC.

So the interesting question becomes, what sort of extensions really are sensible for a company to use? Can you imagine that you're violating a UN sanction for buying your domain name from a country that is attacking it's own people?

This registry in particular has a history of questionable practices which have brought up the concern about what extension/registry/country you use for your domain name. Is this just another concern nobody conceived of until it happened?

It seems to me, sticking with the popular gTLDs (com/net/org, hell, I will even throw in info/biz for stability) is an even safer bet these days. Is that better sounding name from a foreign country really worth it?

To finish this the only way I can see appropriate, a little domain humor.

Beeth> Girls are like internet domain names, the ones I like are already taken.
honx> well, you can stil get one from a strange country :-P

Source: bash.org

If 500 people subscribe to the DomainToad newsletter by April 1, 2011.

Oh look, a catch! Shocking!

Why would I do that? Because I spent a fair amount of time and some money to create the website and I would like to see that people at least try it. Releasing the code publicly will also take some more of my time to clean it up a bit and package it. If nobody cares enough or finds it useful enough to use, then I won't bother spending my time to release it to everyone for free.

I've released a lot of software I've written over the years for free or provided access to them publicly for free. Most probably never got used by anyone but me, if people are genuinely interested in having a copy of the code I wrote for Domain Toad they will subscribe for the newsletter and get their friends to subscribe as well. It's free and provides headlines from major domain blogs in your email daily. Other websites charge for that 'luxury.'

If the newsletter gets 500 subscribers before April 1, 2011 I will release the code with the open source MIT license. How will people be notified? I will post on my blog and email the newsletter subscribers a notice if it has 500 subscribers by April 1, 2011.

If someone is really that desperate to buy it, I will sell copies for $250 as is with 1 hour of support to get started with a non-exclusive license to use/modify it but not distribute unless it becomes open source. Contact me.