My website was stolen by a hacker and I got it back (ramshackleglam.com)
165 points by RonileSille13 4465 days ago
27 comments

> 1. Have a really, really good password, and change it often. Your password should not contain “real” words (and definitely not more than one real word in immediate proximity, like “whitecat” or “angrybird”), and should contain capital letters, numbers and symbols. The best passwords of all look like total nonsense.

http://xkcd.com/936/

But really, I'm a bit puzzled by her 5 "recommendations". Turn off your devices while you're not using them? I feel like the most important one is missing - don't use HostMonster or Godaddy, their representatives are not paid enough to care about the implications of you losing your domain name.

If you read the comments she is no computer security expert. And she accepted the comments of others that passwords that "look like nonsense" are not necessarily best.

My guess is "turning off" relates to not leaving a device that is logged in and open available for someone at school/work/... to stop by and mess with.

She ends up advising 2 factor authentication for email (an old email that was compromised is her guess on the cause of the problem). It is a good article. For advice it might be nice to put a TLDR of: "use 2 factor authentication."

To follow up, I will say that my favorite way to create a password is to use sayings from two or more of your favorite books or other sources.

So, if you like Harry Potter and Enders Game, what are the phrases that come to mind?

    Harry Potter - expelliarmus
    Enders Game - win all the future fights
Now you have a great password: "winallthefuturefightsexpelliarmus" Nice and long (33 chars), with some made up stuff. Maybe tack some numbers on the end.
Modern password crackers are pulling all of Wikipedia and YouTube for seed words. If your words are in either of those, don't expect the password to stand up to a dedicated attacker.
There are 1160290625000000000000000 combinations of 5 words with a dictionary of 65000 words. That's not brute-forceable. If you take existing phrases it's another story, but random words work well.
Being a little loose with my estimates and a bit of Fermi Math, that's only about 300 years of computing time on a small home built GPU cluster.

Basically tells me that 4 random words are definitely crackable and 5 are theoretically possible (and definitely doable with 5-10 years of Moore's law)

lg(65k^4) is very nearly 64. If you worry about 4 random words being brute forced, you should worry about 64 bit symmetric keys being brute forced. I don't know where the current recommendations come down on that.
Not sure what your calculation is, but permutations is what you should have calculated.
His calculation was (65000 Choose 5) * 5!. His premise required a combination then a permutation.
If you're picking with structure (including "phrases that spring to mind"), agreed. If you genuinely include enough entropy, then it doesn't much matter what mnemonics you layer on top.
> winallthefuturefightsexpelliarmus

Why not "Win all the future fights expelliarmus"? Passwords that don't accept spaces are pretty rare, and you end up with a longer password 'for free'.

> Passwords that don't accept spaces are pretty rare

Oh how I wish that were the case. Twitter is one such example that doesn't allow spaces (last time I checked, anyway).

More modern guessing methods might try that one.
The xkcd-style passwords may be less vulnerable to a brute-force attack, but they are more vulnerable to a dictionary attack.

There are (very) roughly 2^17 words in the dictionary, so if you pick 4 there are 2^68 possibilities, or 2.95e20.

There are 94 printable characters on a US keyboard. This means that an 11-character "hard to remember" password has over 16 times as many (~2^72, 5.06e21) combinations as a four-word xkcd style password.

But again, we are comparing two different types of attacks. I don't even know how feasible a 4-word dictionary attack is, or whether it's actually used "in the wild". Still interesting to think about.

The issue with the numbers you give is that nobody really has an 11 character password compatible with it.

The reality is that people have trouble remembering 11 truly random and unrelated things, so they try to simplify and group things - e.g. by taking a base word and changing the spelling, or adding numbers on. This is what leads to the easy to brute force passwords; the cracking techniques now cater for the most popular variations.

So again, while you may be right on paper, you can't compare a 4 word passphrase with a true 11 character random password; they are on completely different scales of difficulty to remember. If you're interested, take a look at how the xkcd comic constructs the difficulty of the two passwords, it is fairly realistic. For what it's worth, it considers only "common" words (top 1000 to 2000 most popular) from the dictionary, and the passphrase wins out even so. Throw in a word from another language, would be my suggestion.

I think you're missing the point. I'm not arguing that passwords like "H$&v46S13^a" are actually better in practice than passwords like "TheCowSaysMoo". I'm providing one specific case where they are superior in terms of difficulty, i.e. the unlikely event of a directed dictionary attack, and a rough comparison of the level of security in that case as compared to a brute force attempt.

As far as "true randomness", it's irrelevant here since we are only counting permutations, meaning "Hello,2048" is just as difficult as "^6H9Ox#g`!" (i.e. their length and superset are both equivalent).

I think we're mostly on the same page, but still talking past each other. In my opinion, the only _reasonable_ way to compare the two password styles is in a practical way, taking into consideration human memory limitations. In that sense, the equivalent to an 11 character "random character" password is NOT an 11 character sentence. It would be more like a 5 or 6 word sentence due to the way your brain works. When you compare these, the pass phrases do win out, even for directed dictionary attacks.

Essentially, what I'm saying is that your brain seems to have better memory (or compression?) for sentences than random character jumbles, allowing you to use longer / stronger ones. Even when you consider dictionary attacks. Again, the original XKCD article is fairly objective and accurate; what's shown there IS a dictionary attack.

They are more vulnerable to a dictionary attack for a given password length. The theory is that memorability (and ease of typing) decays more slowly with respect to the entropy contained in an xkcd style password than in a jumble of random characters.
The issue with "random" passwords is trying to remember them. XKCD-style isn't perfect, but it is loads better than "Password91" and "Dragon" style passwords which are what most people actually use.
As I already said, I am not arguing that "random" passwords are better in practice.

Also, a password that uses a very large character space does not have to be random at all.
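The search-space arithmetic the comments above trade back and forth (65000^5, lg(65k^4), 94^11 against 2^68, the xkcd 44-bit figure, and the warning about phrases lifted from known text), as an added Python example that is not code from any comment in the thread; the 1e11 guesses/s rate and the million-quotation corpus are constructed assumptions, not measurements of any real cracker.

```python
"""Search-space arithmetic behind the passphrase-vs-random-characters debate.
Added example, not from the thread; dictionary sizes and lengths are the
thread's figures, the guess rate and phrase-corpus size are assumptions."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(symbols: int, length: int) -> int:
    """Candidates when each of `length` positions is drawn independently and
    uniformly from `symbols` choices (words from a dictionary, or characters
    from a keyboard). Drawn with replacement, so repeats are allowed."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """log2 of the search space: the entropy of a uniformly random choice."""
    return length * math.log2(symbols)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a sustained guess rate.
    The rate is an assumption: it depends on the hash the site stores."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def space_ratio(symbols_a: int, length_a: int,
                symbols_b: int, length_b: int) -> float:
    """How many times larger scheme A's search space is than scheme B's."""
    return search_space(symbols_a, length_a) / search_space(symbols_b, length_b)


def structured_phrase_bits(known_phrases: int, phrases_used: int) -> float:
    """Entropy left when the 'words' are whole quotations an attacker can
    enumerate: the password is then a choice of `phrases_used` items from a
    corpus of `known_phrases` lines, however many characters it ends up."""
    return entropy_bits(known_phrases, phrases_used)


if __name__ == "__main__":
    RATE = 1e11  # constructed: 1e11 guesses/s, an offline attack on a fast hash
    # Thread figure: 5 words from a 65,000-word dictionary.
    print(f"5 x 65k words: {search_space(65000, 5)} candidates, "
          f"{entropy_bits(65000, 5):.1f} bits")
    # Thread figure: lg(65k^4) is very nearly 64.
    print(f"4 x 65k words: {entropy_bits(65000, 4):.2f} bits, "
          f"{years_to_exhaust(search_space(65000, 4), RATE):.0f} years at {RATE:.0e}/s")
    # Thread comparison: 11 printable-ASCII chars vs 4 words from a 2^17 dictionary.
    print(f"94^11 / (2^17)^4 = {space_ratio(94, 11, 2**17, 4):.1f}x")
    # xkcd 936: 4 words from about 2048 common words is 44 bits.
    print(f"4 x 2048 common words: {entropy_bits(2048, 4):.0f} bits")
    # Caveat from the thread: two famous lines drawn from an (assumed) corpus
    # of a million quotations give only about 40 bits, whatever their length.
    print(f"2 phrases from 1e6 quotations: {structured_phrase_bits(10**6, 2):.1f} bits")
```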

Use PwdHash, it only improves the situation. [1] Even a bad password like "123456" turns into "rY9RHtJZ" (for HN). Turning computers off seems weird, but if that computer's got your ssh keys or your cached passwords, off is safest.

[1] https://www.pwdhash.com/

> don't use HostMonster or Godaddy

http://internetshitlist.org is free for the taking :)

Two factor authentication should be one of the top recommendations. I'm not sure about the domain sites, but she mentioned a hacked Youtube account and it's possible to set up 2FA for that.
I am curious: does anyone here on HN have a registrar to recommend who they know (preferably from experience) would actually be more helpful in this circumstance?

Because from the sound of it, the unwillingness of the registrars (both of them) to take action here without being compelled to by a lawsuit is the root of the problem. The FBI's willingness to be helpful is nice, but doesn't solve the root problem, and as a law enforcement agency they can only really help in cases where they manage to "catch the criminal". And paying off the criminal just isn't an acceptable solution (although stopping the payment immediately is cool and all).

I would be willing to select a registrar on the basis of their policies, not their prices. Policies like this sort of dispute resolution and policies about how they handle DMCA notices or government subpoenas (and non-subpoenas), if only I knew which registrars had the best reputations for these things.

http://gandi.net - I have never had my domain stolen but in general Gandi.net are good people and they care about their customers.
I lost a domain because Gandi refused to do anything about it; although I was well within the renewal period and tried to contact them many times Gandi refused to process any sort of renewal until it expired and was deleted by their system.

Gandi ONLY accepts support requests through their web form (no email, no phone), and generally ignores those or provides nonsense answers several days later.

As long as you never ever need any sort of support, Gandi is fine.

@jellicle, that doesn't sound like us. Can I look into your case further? If we messed up, we'll make it right.
@soulshake - check out legal #4827870. We were, as we would say in Australia, bloody lucky.
This is me nodding in greeting and letting the legal team do their thing.
This was several years ago; what's done is done. I moved all my domains to another provider shortly afterwards. I'm not giving you another chance to screw me.
You publicly complained about their customer service. They have offered to right the wrong. You have a poor sense of fairness if you are willing to make a public claim and then aren't willing to address the issue when the company calls you out on it.
While I doubt neither the veracity of your claim nor your reaction to Gandi's actions (if such a situation happened to me, I would certainly not want to give a company my business going forward), I have had a very different experience with them: all of my queries to Gandi support have received prompt, relevant replies that addressed my issue.

Also, any domain registered with Gandi can be renewed by any Gandi handle. In the event that you're having trouble accessing the handle that owns a domain or otherwise cannot renew it normally, you can create a new handle and use that to renew the domain. See https://wiki.gandi.net/en/domains/renew and https://www.gandi.net/domain/renew?lang=en for details.

I'm not sure if their "any handle can renew any domain" policy/system existed at the time of your situation, but it should prevent similar issues from occurring today.

One aspect I found puzzling about Gandi is that until recently they published your "handle" in the WHOIS information, which in effect gave away your username. Now, some may tell me hiding that is security through obscurity or some such, but in my mind it adds another protection layer.
I seem to remember that being the case with Network Solutions back in the early days.

Gandi seems to hide your handle these days for certain domains if you have whois privacy enabled: my .com/.net names with Gandi don't show the handle, but my .org domains do. My .us domains (which don't allow whois privacy) also show the handle.

Then again, one can easily enable two-factor authentication and it's essentially irrelevant if the handle is known.

Moniker claims that they have never lost a domain. I've got several domains (over 50) registered with them and never had a problem in almost 8 years. Many of them belonged to high traffic sites that might be desirable to thieves. I also have many with Namecheap right now and haven't had a problem with them either.
I use them as well and have had no issues; however just because two of us have had no issues, it's not much of a data point.
True, I'd be more interested in their actual resolution process and the steps they take to safeguard domain owners.

It works both ways though, I think: the same steps they take to secure your domain are the same ones that will make it hard for you to get it back.

I use Moniker as well. I pay for their "Portfolio MaxLock" (https://www.moniker.com/domainnames/domainsecurity.jsp) service. Whenever I want to make a change (even DNS), I'm forced to answer the security questions that only I would know. In order to get around that, I'd have to contact their security team directly and provide a substantial amount of identification.

Aside from the security features, Moniker's site and technology seem to be fairly unimpressive.

I'd definitely be open to exploring other options if people have suggestions for truly-safer registrars.

Moniker is not the domain registrar you want:

http://www.dnforum.com/f208/warning-privacy-whois-issues-fai...

Look at it from GoDaddy's point of view: This woman is claiming she has rights to a domain in one of their customers' accounts. As far as they know it was legitimately transferred in by one of their paying customers. Her real issue rests with HostMonster and the ICANN dispute resolution system.
GoDaddy could seize the domain until the dispute is settled. If everyone recognized she was the previous owner, that should be enough to cause an investigation into the transfer.

Not saying a claim from anyone should cause a seizure, but the legitimate previous owner should be able to dispute it for a time period. Domains are stolen all the damn time.

I worked in webhosting for nearly a decade so I'm quite familiar with the volume of fraud and stolen domains. But to play the devil's advocate, how would you feel if somebody claimed a domain you own was stolen just to freeze your account and waste your time? You'd be furious at GoDaddy for freezing your account over a fictitious claim.
They only need to freeze the account if the domain was moved very recently.
This. I want to upvote this comment a hundred times. If there's a dispute with probable cause, temporarily freezing the domain while launching an immediate investigation seems by far the best balance of thwarting domain theft and minimizing fraudulent claims.
And that you were demonstratively the previous owner.
No, GoDaddy was never in doubt: "No one at either company questioned my statement (supported by written proof) that the website belonged to me. No one doubted that it had been transferred without my authority".

So GoDaddy's refusal to help was ridiculous. At the very least, they could have frozen control of the site for a day or two while investigating.

By ICANN policy domains can only be moved once every 60 days. How did you want them to go about freezing the site? ICANN has a dispute resolution policy in place.
They could have disabled access to it by the thief.

The 60 day policy does not apply to cases where it is "being transferred back to the original Registrar in cases where both Registrars so agree ..." http://www.icann.org/en/resources/registrars/transfers/polic...

And given that both registrars acknowledged that she was the real owner, I'd expect the transfer (to the thief) would not be counted as a legitimate one within that period.

The business goals of GoDaddy preclude them from giving a shit because they can't hire enough people to support issues like this.
I use gandi.net, never had any serious issues with them, and since they're located in France (yes, I intentionally avoided American companies) all this suing problem may not apply to them, or at least it would be a lot more difficult.

One thing is certain though: most people I know have had issues with GoDaddy and avoid it like the plague.

Gandi now has offices in the USA, so they are effectively an American company as far as being subject to the US legal system and extraconstitutional orders from agencies and such. You won't get any privacy protection or immunity from illegal orders from Gandi.
Gandi does have an office in San Francisco, but our registrar service is accredited and located in France. It is under EU law.

Those who have been following the industry's responses to the massively reprehensible, illegal dragnet surveillance will know better than to take any company at their word as they swear up and down that they care about their users' right to privacy. So I know this will be taken with a grain of salt (hell, I take it with a grain of salt and I work here)...

But as far as I know, and I've asked around, we _actually_ do protect our customers' privacy to the maximum possible legal extent.

The day I find out otherwise is the day I no longer work here.

Oh well, off to find another good company for my gray area domains then.

Too bad, I liked them. Why are all of them going to America?

I don't want my stuff subject to American laws.

I think you mean extraterritorial jurisdiction. Extraconstitutional orders would be... against the U.S. Constitution and illegal :-)
Namecheap offers two-factor-authentication.
I've used Namecheap for years and they've been great for me (never had a situation like this happen though).
Thanks, good to know.
>I would be willing to select a registrar on the basis of their policies, not their prices.

Yes, absolutely this. I've searched through forums and read various reviews of various registrars and some say gandi is good, some name.com, some others, but at the end of the day nobody said "I've had this problem where my domain was stolen and this company was willing to help".

I'm also willing to pay more for good support when serious problems arise.

I would recommend Melbourne IT or Namecheap for what you are looking for. I would recommend you take advantage of WHOIS protection, two factor authentication, locking your domain at the registrar level (not just with Namecheap for example, but with the actual registrar), using strong passwords, etc.

The company can only do so much, so make sure you do everything you can do as well to make your domains as secure as possible.

I second this. I'm beginning to hear more and more of this problem, and while this is anecdotal, it does seem to be increasing.
namecheap.com is definitely one of the best per my experience and what I have heard.
I use NameSilo

2 Factor Authentication and other security policies

I use iwantmyname.com and their service is amazingly good and fast. I never got my domain name stolen, but I'm confident they would do anything they could for me to recover it!
I use DNSimple.com. They've been great and are quick at support.
I wonder if she or her husband ever accessed any of their accounts using their cell phones. I've seen tons of stories lately about Samsung Galaxy phones being compromised so at this point I just assume that if top of the line phones are pwned, then all cell phones are.

I'm kind of shocked that there have been no class action lawsuits on phone manufacturers. Especially from banks.. just imagine the liability of millions of customers getting keylogged no matter what the bank uses to secure its site (even two factor authentication). It's almost unfathomable.

Someone really should make a one time pad login that doesn't work a second time even if you look over the user's shoulder. For example their password could be their favorite song and the site would ask them to enter the 2nd, 3rd and 4th letters of the 5th, 6th and 7th word respectively or something. Or how about a custom grid of letters printed on the back of the phone they’d look up positions on so it would have to at least be in someone's physical possession. Or how about a dongle in the headphone jack that's hardcoded and can't be hacked, that the user would type rolling codes through. There has to be a better way of doing this!

I feel for her but I do need to point out that some of the suggestions she makes for making it easier to get her stolen domain back would also make it easier for bad actors to cause mischief in the first place. But GoDaddy sucks. True dat.
GoDaddy has two-step authentication. If you make any type of money off of a website or other account, you should use two-factor authentication. Facebook, email, and godaddy would be a decent start. A similar incident occurred when the man lost his $50k? twitter account because he didn't use two-factor anywhere.
GoDaddy also has proven their phone support personnel are easy victims to social hacking, which negates any electronic security. If I can call up GoDaddy and have them change account details or the mobile number on the 2 factor settings then your 2 factor security is pointless.

GoDaddy may have great electronic protections, but I do not trust their phone support personnel at all.

So apart from the 4 pretty much "how not to happen", try using a host that supports 2FA.
Got a list? It seems like every day GoDaddy is leaking domains.

I've been using Hover a lot, but I'm not sure what their exposure is like.

Namecheap does 2FA.
Curious why this is being down voted? Is it because namecheap does not offer 2FA? Seems to simply be answering the question above.
For me, their 2FA is essentially unusable. It uses a UK SMS gateway (no Authy / Google Authenticator support) and out of the 20 or so times I've tried to set it up, only once has the code actually come through to my phone. I've had an open support ticket for 6 months, 3 months since the last reply.
I just set it up (US cell phone) and it took less than 5 minutes end to end. Have you tried lately?
NameSilo supports both Authy and Google Authenticator
GoDaddy supports 2FA. http://support.godaddy.com/help/article/7502/enabling-twoste...

edit Can only receive the text code on US-based numbers, but you can get one of those from something like Google Voice for free.

GoDaddy was the recipient registrar of the stolen domain, not the one who allowed it to be stolen.
Name.com does. It uses Symantec's VIP Access app.
I'm curious as to how the FBI helped, because it doesn't really say in the article
They were considerate I guess and they asked a lot of questions.

Not sure if they did anything useful but they certainly looked more interested than GoDaddy.

I never trust shared hosts provided by a registrar. I have my own blog software running on AWS and I am the programmer and only user. The fewer people involved, the better the security, but that's not generally possible for the average person. At least I can't lose both the domain and the content.
How was it hacked? I find that info in the article except that they used HostMonster's email confirmation system somehow?
Sounds like it was just social engineered out of HostMonster. Almost all of the EIG hosts (HostMonster, BlueHost, iPage, HostGator, etc) use awful outsourced support that are only rated on amount of tickets closed/solved. They are very lackadaisical with customer information and verify accounts based on the last four digits of the card used. I'm guessing the "hacker" in this case guessed the last four of the card via livechat or a support ticket and then got in and moved the domain over to GoDaddy.
"I remembered the notification from YouTube that someone had accessed my account from a different location – a notification I had ignored, assuming that I had logged in on a mobile device or that my husband had accidentally logged into my account instead of his own."

All of her accounts were compromised - seems more likely to be malware than social engineering.

Also the hosts you mentioned use in-house support.

Actually many of their support staff are outsourced through GlowTouch which is an Indian based support firm. It's in the EIGI S1 filing here: http://secfilings.nasdaq.com/filingFrameset.asp?FileName=000...
Yeah, they are in charge of Hostgator India. They have no reach into the US based brands.

Source: I work at one of the aforementioned brands.

Unless you're in Burlington you probably aren't familiar with the brands you don't work at. Most of them have support provided through GlowTouch. Even HostGator USA has GlowTouch Indians doing transfers and helping in ticket queues.
My guess is that the author's home computer was compromised or their gmail password was guessed. They mentioned that they ignored a warning that someone logged into their account remotely.
And the how to avoid it section mentions using a different computer for banking than your kids use to click around the web...
At home I have a Chromebox machine that I only use for online banking and no other purpose.

My other machines are used for the usual consumer Web activities, including Web site administration. I'm wondering if perhaps I should modify my approach to do the admin only from the Chromebox... which brings up the classic tradeoff of security vs convenience.

It is not reassuring to see the level of compromise, the cost of disclosure, and the abuse of antiquated protocols rising faster than the institutions that depend on them can respond. In particular there was a lot of resistance early on to using credit cards on the Internet, now it is nearly compulsory, and yet many of the fears that banks and others raised in the early days of e-commerce are coming to pass.

I have to believe there are some seriously rich criminals out there. What do they expect to do with their ill-gotten gains?

Simple way to secure your passwords:

1. Use 1Password to generate and store them

2. Use DropBox or similar to share your encrypted vault between your devices

3. Secure your shared vault with a strong computer-generated password, and keep it written down somewhere

I wonder why strong password management isn't built into operating systems, thus educating everybody and making them ubiquitous. What am I missing? Where is MacPass? WinPass?

The advice on the blog and this comment thread isn't any good, but there's really no good advice besides use a password manager.

OS X/iOS have cross device password syncing using keychain these days.
I don't see how much she paid to get it back. A civil suit filing with a demand for a temporary restraining order and preliminary injunction could be filed in a few hours and since godaddy and hostmonster are US companies, they would have had to comply. She'd have her domain back in a matter of hours for maybe a couple grand.
She didn't pay anything. She stopped/cancelled the wire transfer.
This was the most interesting (unique) thing about the whole ordeal.

I did not realize that wire transfers can be cancelled after the receiver has already had the funds placed in the account (else the thief would not have released the domain).

It's an escrow service, not a wire transfer company.

The bit that I don't get is that escrow.com (the one party that didn't actually do anything wrong here) now has acted in a way which they probably should not have done, from their point of view the transaction actually is legit (buyer has control of the domain name, so funds should be released).

If Escrow.com can't be trusted to release the funds when the recipient has the goods then what point is there to use them in the first place?

That's what surprised me as well, but maybe the FBI intervening in the case was what pushed them to not honor the wire transfer.
I use Escrow.com a lot as a domainer, so I was initially concerned that a hold could be placed on the wire transfer after receiving the domain. The whole point of Escrow.com is that you are not able to cancel wire transfers and run away with my domain. However, it looks like they were operating under special circumstances due to the FBI investigation. Brandon Abbey is the president of Escrow.com and said “Escrow.com is holding the funds based on the proper legal authorities filing the necessary paperwork with the judicial system. We strictly follow the Escrow Law. That is what licensed escrow companies do.” Looks like it was just not explained correctly in the initial article.
I am absolutely shocked at how simple it is for this sort of fraud to take place. If someone calls GoDaddy, for instance, and says "Hi, I'd like to transfer a domain name. Here's all of my proof that I am who I say that I am." I understand that GoDaddy, ever dutifully obliged to their customers, will transfer the domain with haste. However, should there not be some sort of probationary period? 45 days or so where both GoDaddy and the new "owner" of the domain both have full, master control? It seems to me that an account manager in GoDaddy could handle this task easily enough. Simply coordinate with the new owner, notify that there's a dispute, and lock everything down until a resolution has been completed. Am I missing something here or are these companies simply lazy and unmotivated?
Is there any domain register that offers 2 factor authentication to make changes that are detrimental to a site?

I have Network Solutions, KVC Hosting, and have tried 1and1, but all of them...from a security standpoint...are lackadaisical when it comes to security.

Network Solutions WANTS their clients to bundle user IDs into 1 account... that makes it easy.

KVC, I emailed them to update my domain contact info, then I transferred one of my domains out with that new email.

I never did any test with 1and1...but then again the 2 above (with kvc and netsol) weren't even tests.

Another security breach involving GoDaddy(1)?

(1): Naoki lost his twitter (https://medium.com/cyber-security/24eb09e026dd)

Gandi, mentioned several other times in this thread, also supports 2FA. https://wiki.gandi.net/en/contacts/login/2-factor-activation

You can also create a second account there and delegate limited rights to it for making changes. The odds of losing both accounts are remote.

Hover has 2fa as well.
Even Dreamhost has two factor authentication.
The most unfortunate part of this story is that the site owner had to use underhanded tactics of her own to regain control of her site. She didn't get her site back by going through formal legal channels, she got it back by using tactics similar to those used by the criminal she was dealing with. Different intent and legal standing, but same methods.

It would be interesting to know what would have happened if she had instead waited for the legal methods to play out. Instead, it's a story of one trick undoing another trick.

That's a more unfortunate part of the story than the registrars' inaction? Or the theft itself? I don't think so.
> That's a more unfortunate part of the story than the registrars' inaction?

Okay, fair enough, I'll give that fact a close second in the rankings. But to me, the fact that she had to descend to the level of the criminals she was dealing with, had to do things that under slightly different circumstances would have made her a criminal, is the most discouraging part of the account.

Here are 3 simple changes that can prevent this:

* use 2 factor authentication (if your registrar doesn't, find one that does or better yet, have ICANN rule that all registrars must have it)

* ICANN rule that says if a domain has been recently moved it can be frozen by previous owner until the matter is cleared up

* whois privacy will not only hide who the owner of the site is but also who the registrar is (if you don't know who the registrar is among the hundreds out there, you can't target the right one with social engineering!)

> Your password should not contain “real” words (and definitely not more than one real word in immediate proximity, like “whitecat” or “angrybird”), and should contain capital letters, numbers and symbols. The best passwords of all look like total nonsense.

I think this is bad advice. You only need long passwords that are not feasible for a brute force attack and not trivial (personal data). If you have a password you can't remember you are going to write it down somewhere and that can be a security issue.

> 2. If possible, use a separate computer (an old one or a cheap one purchased for this purpose) for things like banking; if your family computer is the same one that you use for bank transactions you risk having your kids click on a bad link that results in a hacking.

Or don't let your kids use your work computer when you have very important privileges at stake? I would definitely keep all of this in a very encrypted environment that isn't accessible by my kids or anyone else.

Welcome to 1999. This reminds me of when sex.com was stolen with fake stationery. I see the "unauthorized transfer" in the blog post, but I wonder if she forgot to renew the domain? Happens to good people all the time. I'm not a lawyer, but in that case, unless she's incorporated as "ramshackleglam" there's no cybersquatting argument. That's why it's helpful to use your real name: then a thief has no leg to stand on.
>cyber hacking

For when just 'cyber' and just misuse of the word hacking aren't enough.

Edit: >assuming that... my husband had accidentally logged into my account instead of his own

I think this shows her attitude to security could at best be described as lax.

>3. Turn off your computer and personal devices when they’re not in use.

I... this is... wow, what.

Isn't escrow.com supposed to prevent payments from being stopped after the domain is released? Obviously, in this case it's justified, but for regular customers, you don't want escrow releasing a domain and then the buyer stops payment.
The buyer can't stop the payment as the wire is already complete and money in escrow.com's account. Escrow.com had to stop the payment and in this case they did so because there was a request from law enforcement.
Yes, I'm pretty sure this is where the FBI comes in. So the solution to this is: you agree to buy back your stolen property using an escrow service, then the FBI tells the escrow service not to release the money to a thief. Eventually you get your money back.
I believe the thief demanded payment first, outside of escrow. Which seems odd considering they actually did return the name. Maybe they were afraid Escrow.com would determine the domain was stolen and simply return it to its owner?
Totally guessing, but it might be the thief was getting antsy and wanted to conclude a deal quickly. Maybe they did in fact have another buyer on the hook. Rather than spend all the extra time going through escrow and the potential risk of the buyer doing exactly what she intended to do (rely on raising the dispute of the domain after escrow had both halves of the transaction), the thief tried to pressure a quick sale through less regulated means.

From what I understand though, it isn't all that easy to actually stop a wire transfer once it is being processed. I wouldn't be at all surprised to hear that both sides might have actually gotten the money and the backing bank will be left trying to go after one or both of them for it.

Don't the companies have the lawsuit issue backwards? By not helping, aren't they opening themselves up to being sued, whereas if they immediately fixed the problem the person would have almost no reason to initiate a lawsuit?
I'm partial to the "t33nz 1o1 \o/" cipher.

    input: correcthorsebatterystaple
    output: ~~krct^hrs333bttstpl$$:)

    input: password
    output: lulz!isma:PASSWORD#sorrynotsorry
This has a lot of good information in it and I put a lot of time into it, but I do realize it is hard to read since Hacker News doesn't start things on new lines. If someone can tell me how to do that if it is possible that would be great. If not here it is on Pastebin - http://pastebin.com/MspKq8sz.

Here is what I recommend for website security (this is a lot of advice and is not perfect - if you want me to write this up in a detailed blog post and cover more things, let me know)... I also provided my contact information at the bottom if you have any questions or need any help setting this up.

Domain Registrar:

1. Melbourne IT - https://www.melbourneit.com.au/
2. Namecheap - https://www.namecheap.com/
3. Gandi - https://www.gandi.net/

- Enable WHOIS protection
- Enable domain locking - if you want more details on how to set this up let me know
- Enable email notifications and make sure you keep your account information up to date
- Log in from a computer using a VPN (I use and recommend proXPN - https://proxpn.com/) which encrypts your connection

DNS

1. Any of the domain registrars mentioned above
2. CloudFlare - https://www.cloudflare.com/ (offers performance benefits as well). Their DDOS protection, DNS, and performance benefits are why I use and recommend them. They are not very good in terms of their WAF or website security and that is why I use and recommend Sucuri as well.
3. DNS Made Easy - http://www.dnsmadeeasy.com/

- Follow advice from the passwords section
- Delete unnecessary DNS records
- Enable DNSSEC if possible

Email Hosting

1. I recommend that you use Google Apps for Business - https://www.google.com/enterprise/apps/business/

- Follow advice from the passwords section
- Take advantage of the security Google offers

Passwords

1. Create strong passwords using a password generator. I use GRC's Password Generator by Steve Gibson - https://www.grc.com/passwords.htm
2. Store your passwords in a password manager such as LastPass - https://lastpass.com/
3. With LastPass, use a strong master password, limit login attempts to your country and the ones you travel to frequently, use two factor authentication, don't use a password reminder, don't write down your master password - only memorize it and don't ever share it, change your master password at least slightly every 3 months, and disable logins from the TOR network.
4. Use the same password only once (don't use the same password on multiple sites).
5. Don't store your passwords in the browser or save them so that you are automatically logged in.
6. Make sure your password is at least 15+ characters (I use 50+ characters) and that it contains lowercase letters, uppercase letters, numbers, and special characters.
7. If a site requires a secret question, make sure the answer to that question is one no one else would know, or make it a password or phrase that you would remember.
8. Use the browser add-on HTTPS Everywhere and use Mozilla Firefox or Google Chrome as your browser.
9. Try not to share your passwords - I would like to say never share your passwords, but I know that is not possible :). If you have to share your passwords, do so using LastPass, change the password after they are done, make sure they haven't done anything that looks malicious, have a clear plan of what they need to do, and ask them how long it will take them.

Website Security

1. Backup your site - I recommend and use Sucuri Backups - http://sucuri.net/services/website-backups (it is $5 a month per website)
2. Use monitoring, alerting, and a removal service - I recommend and use Sucuri - http://sucuri.net/signup

It is $89.99 per year for one website. The service includes 3 main areas, which are monitoring (http://sucuri.net/services/website-scan-malware-detection), alerting (http://sucuri.net/services/alerting), and removal (http://sucuri.net/services/malware-removal). You can use any of those links for further details.

3. Use a WAF - I recommend and use Sucuri CloudProxy - http://cloudproxy.sucuri.net/signup ($9.99 a month for the most basic plan - the two other plans are $19.98 and $69.93 per month)

4. There could be a lot more in this area, but that should do a pretty good job for you. If you are using a CMS such as WordPress, Joomla, or Drupal you have quite a bit more you can do in this area.

Hosting

1. It honestly depends on your needs, so I am not going to recommend anyone specifically. If you want help with this or anything else you can find my contact information at the bottom.

Network Security

1. Use WPA2 for the encryption protocol
2. Make your network name random
3. Make your password to connect to your network very strong
4. Change the default login credentials for your router to a secure username and password
5. Disable Wi-Fi Protected Setup (WPS)
6. Configure OpenDNS at the router level - http://www.opendns.com/
7. Follow the passwords section for your passwords

Computer Security

1. Use an antivirus program (Antivirus for Mac by Sophos for Mac computers and Microsoft Security Essentials or Avast for Windows)
2. Use an anti-malware program (Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit for Windows)
3. Use a firewall (Windows Firewall or TinyWall for Windows)
4. Keep your operating system updated
5. Keep your programs updated (Secunia PSI or FileHippo Update Checker for Windows and AppFresh for Mac)
6. Remove Java and QuickTime if you don't need them
7. Replace Adobe Reader with Foxit Reader or Sumatra PDF
8. Make sure you keep Adobe Flash Player up to date
9. Uninstall programs that you don't need or don't use
10. Only download things from trusted sources (the browser extension Web of Trust would help with this)
11. For your browser, make sure you are using Google Chrome or Mozilla Firefox. For Google Chrome and Mozilla Firefox, I recommend that you use Adblock Plus, Disconnect, and HTTPS Everywhere. If you want to be very secure and are somewhat technical, I recommend that you also use NoScript for Mozilla Firefox and NotScripts for Google Chrome.

If you have any questions you can email me at [redacted].
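Two comments above argue about what makes a password strong: "long, not feasible to brute force" versus "looks like total nonsense", and the long advice post says to use a password generator and a manager. As an added example that is not part of anyone's comment, here is a small Python script, standard library only, that does what a password generator does (draws from the OS CSPRNG via `secrets`, never the `random` module), checks a site-style character-class policy, and puts numbers on the brute-force argument: the search space and entropy of a random secret, and the expected time for an attacker at a given guess rate. `SAMPLE_WORDS` is a constructed ten-word list, far too small for real use, where a passphrase needs several thousand words.

```python
"""Added example: random passwords, passphrases and brute-force arithmetic.
Uses only the Python standard library. SAMPLE_WORDS is a constructed
stand-in; a real passphrase generator needs a list of thousands of words."""
import math
import secrets
import string

# Constructed sample list (10 words = 3.3 bits per word, useless in practice).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "registrar",
                "escrow", "deadbolt", "domain", "transfer", "lock"]
# The 94 printable ASCII characters most generators draw from.
ALL_CLASSES = string.ascii_letters + string.digits + string.punctuation


def random_password(length, alphabet=ALL_CLASSES):
    """Uniformly random characters from the OS CSPRNG (secrets, not random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def has_all_classes(pw):
    """Site-style policy: lower, upper, digit and symbol all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def strong_password(length=20):
    """Resample until the policy passes. Rejection sampling keeps the result
    uniform over the set of passing strings, so no bias is introduced."""
    while True:
        pw = random_password(length)
        if has_all_classes(pw):
            return pw


def passphrase(n_words, words=SAMPLE_WORDS, sep=" "):
    """Independent uniform draws: repeats are allowed, so the entropy is
    exactly n_words * log2(len(words)). A quoted phrase from a book is not
    a random draw and gets none of this guarantee."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def search_space(pool, n):
    """Number of equally likely secrets of n symbols from a pool of size pool."""
    return pool ** n


def entropy_bits(pool, n):
    """Bits of entropy of a uniformly random n-symbol secret."""
    return n * math.log2(pool)


def expected_crack_seconds(pool, n, guesses_per_second):
    """Expected time for an attacker who must try the space blindly: half
    of it on average. Dictionary and phrase lists shrink the space, which is
    why the pool must be the set the attacker actually has to search."""
    return search_space(pool, n) / 2 / guesses_per_second


if __name__ == "__main__":
    print("password:", strong_password(20))
    print("passphrase:", passphrase(5))
    # 5 random words from a 65000-word list vs 12 random printable characters
    for label, pool, n in (("5 words / 65000", 65000, 5), ("12 chars / 94", 94, 12)):
        print(f"{label}: {entropy_bits(pool, n):.1f} bits, "
              f"{expected_crack_seconds(pool, n, 1e10):.2e} s at 1e10 guesses/s")
```

The comparison the script prints is the point of the argument: five random words from a 65000-word list carry about 80 bits, a bit more than twelve random printable characters, and are far easier to remember. The guess rate of 1e10 per second is a placeholder for an offline attack on a fast hash; against a registrar's online login form, rate limiting and 2FA matter more than either number.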

I would definitely make this a blog post, or even an infographic. What I would really like to see/ is all this as a step by step FAQ/how to.

If you tell me how to attribute you properly, I will do this. I'm about to embark on a year-long experiment in a lifestyle app development business. The first step I will be taking is to buy a new PC, laptop, smartphones (Android and iOS), tablets (again, Android and iOS), set up a blog and marketing website and get some form of cloud provider (I currently have AWS, but I'm looking at different options).

So I will be setting everything up from factory-new hardware and brand new accounts (new email, hosting providers etc). Putting all the info you've listed into a repeatable process would be beneficial to anyone else who wants to try the same experiment I'm heading out on.

This is really good advice. Some additional things that come to mind regarding domains:
- enable 2-factor authentication/IP-based login restriction,
- disable password reset via email,
- provide valid registrant data, in case you ever have to prove your identity,
- for the extra cautious, contact the provider and ask them to add a note to your file to be extra wary of any requests.
Hey, I'm with Gandi and only after this thread did I realise you offered 2FA. I would have enabled it much sooner had I known it was available.

I know you guys don't often send out emails (and I really appreciate that), but perhaps a mail shot letting people know it's an option would be worthwhile. For security stuff I'm happy to receive unsolicited emails.

Hmm, that's a good idea. I'll see what we can do. Thanks :)
The author did not mention that you can pay extra money to lock down a domain.

If it is locked down, it cannot be transferred without, iirc, a picture of your driver's license or something like that. There may also be time delays. For my valuable sites, I pay for this service.

That sounds like a good idea. How do you do it?
Quote from GoDaddy:

Go Daddy offers Protected Registration, which prevents a domain name from being transferred to another registrar. The product includes our privacy service, as well as a Deadbolt lock.

Our Deadbolt lock means that in order to cancel the service, you must show documented proof of your identification, which makes the lock more robust than a standard registrar lock. This may seem “cumbersome,” but that is the point; if the domain name is valuable to you, you would be well-served to use a product that safeguards against making it easy for a hijacker to gain access.
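The "3 simple changes" comment, the "Enable domain locking" item in the long advice post and the Deadbolt discussion above all come down to one thing you can actually verify: the EPP status codes on the domain. As an added example that is not from any commenter, here is a Python check that parses the "Domain Status:" lines of a WHOIS record and reports whether the standard registrar locks (clientTransferProhibited, clientDeleteProhibited, clientUpdateProhibited) and the stronger registry-side serverTransferProhibited are present. The two WHOIS records are constructed samples in the usual line format; the status code names are the standard EPP ones. The caveat a practitioner wants: a client-side lock is controlled through the registrar account, so an attacker who takes over that account (the scenario in the article) can simply clear it. That is what an identity check on removal, like the product quoted above, and 2FA on the registrar login are for.

```python
"""Added example: check a WHOIS record for the EPP locks that block an
unauthorised transfer. The records below are constructed samples; in real
use feed in the output of a whois lookup for your own domain."""
import re

# Locks the registrar sets on the account holder's request.
REGISTRAR_LOCKS = {"clientTransferProhibited",
                   "clientDeleteProhibited",
                   "clientUpdateProhibited"}
# Lock set at the registry, which the registrar account alone cannot clear.
REGISTRY_TRANSFER_LOCK = "serverTransferProhibited"

# "Domain Status: clientTransferProhibited https://icann.org/epp#..." lines;
# some servers indent them, hence the leading \s*.
STATUS_LINE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)
REGISTRAR_LINE = re.compile(r"^\s*Registrar:\s*(.+?)\s*$", re.MULTILINE)


def parse_status(whois_text):
    """Set of EPP status codes found in the record."""
    return set(STATUS_LINE.findall(whois_text))


def registrar_of(whois_text):
    """Sponsoring registrar name, or None; this is who a transfer dispute goes to."""
    m = REGISTRAR_LINE.search(whois_text)
    return m.group(1) if m else None


def lock_report(whois_text):
    """Summarise what stands between the domain and an unauthorised transfer."""
    status = parse_status(whois_text)
    return {
        "registrar": registrar_of(whois_text),
        "missing_registrar_locks": sorted(REGISTRAR_LOCKS - status),
        "registry_locked": REGISTRY_TRANSFER_LOCK in status,
        # Either side's transfer lock blocks a transfer request at the registry.
        "transfer_locked": bool(status & {"clientTransferProhibited",
                                          REGISTRY_TRANSFER_LOCK}),
    }


# Constructed sample records (not real lookups).
LOCKED = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

UNLOCKED = """Domain Name: EXAMPLE.ORG
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
"""


if __name__ == "__main__":
    for rec in (LOCKED, UNLOCKED):
        print(lock_report(rec))
```

A domain whose report shows `transfer_locked: False` is one a thief only needs the auth code and a cooperative registrar for; a missing `clientUpdateProhibited` means the contact email, the thing that gets socially engineered in stories like this one, can be changed without the lock getting in the way.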

I can't understand why people still use GoDaddy. They lose domains to hackers every week, you can just call them and they are more than happy to change contact information or email address for you. Freakin' amazing.
I once called a registrar (that I've never heard of before or since) to inform them that a domain they registered was missing WHOIS data, they asked me what I wanted to put in for the WHOIS data. I facepalmed. While I wanted the domain, I wasn't going to steal it.
This is why corporations with 12 million users need to establish personal relationships with every client. If that was the case, they'd have just known she was the real owner.
I'm unsure why this is relevant to a site like HN. People are compromised all the time. It's not news. It's not even helpful for avoiding the same mistake: the author does not tell the details of the attack and gives some pretty bad advice for avoiding "cyber hackers" (such as turning off your computer to prevent your email getting hacked).
I agree with you on the "bad advice" opinion. There's no glamour or valor in how she got her domain back. In reality, it appears from her article that she really just paid to get it back.

So I guess her suggestion is to have $30k stashed to make up for lack of security. From what I read...she's still out money, even though she did get her domain back.

She retained the money.

> And then I called the wire transfer company and placed a stop on the payment.

It's unclear to me how this works. At first, it seems as though she and Anthony pursued this action independently, which would seem quite risky: risk of the apparently-fraudulent stop payment not being processed in time, or at all, resulting in the loss of 30k; risk of legal action from the seller, however seemingly ridiculous and unlikely, is scary. Later it sounds like maybe this was done with the FBI's blessing (point 5 under "Here's what to do").

I (Anthony from the story) negotiated the price with the seller to $3,500. I had Jordan wire that to escrow.com while we waited for the domain, db and files to be transferred. We made this decision because nobody was helping (hosts/law enforcement) and with this action the worst case scenario became paying $3,500 for the site (assuming the seller didn't back out). After this the FBI took the case and they were involved in stopping the funds from transferring.

I'm positive she would have gotten it back eventually even if it did sell to someone else and they took control, but it could have been a more lengthy process and her entire living is derived from the website and the business associated with it. Having it out of her control for any amount of time could have been very damaging.

I had a Flippa account with history and no visible connection to her so the seller did not know that I was working with the actual site owner and she was working with the FBI.

The investigation is still ongoing and I've had some interesting conversations with the seller (thief is more accurate) since the money was frozen.

I sent you an email at the inbox mentioned in your user profile. Someone tried to sell me that website as well and I did some research about him (got his Skype, his email, and even his address).
Thanks for reaching out - just sent you an email back.
Glad it was $3,500 as opposed to $30k....hope she gets it back! Would love to hear some back and forth between you and douche, I hope you post a blog!
We exchanged 47 emails from the 24th to the 28th. If I can grab some time I'll put a different kind of post together... more about the interactions, which were very up and down with this guy. I don't write a blog or anything so not sure where I'd post it though.
> I don’t have my money back yet, but the man who stole my site from me doesn’t have it, either, and won’t be getting it, ever.

I don't think she got her money back; it may be held, but the method by which she got her domain back involved a money transfer. The FBI was really just sprinkled into the article. I understand the shock at how they handled the case, immediately taking statements, but the resolution she had involved her money to get her domain back.

From the Hacker News Guidelines[1]:

> Please don't submit comments complaining that a submission is inappropriate for the site. If you think something is spam or offtopic, flag it by going to its page and clicking on the "flag" link. (Not all users will see this; there is a karma threshold.) If you flag something, please don't also comment that you did.

[1]: http://ycombinator.com/newsguidelines.html