The Passport Payment (2000)
web.archive.orgCould you imagine doing this today? You'd probably get lawyers making you sign agreements saying your payment of the domain renewal is not a ownership interest in the domain and threatening to take you to court for renewing their domain.
I actually think it would be the opposite now. Things like bug bounties or a huge PR problem by the affected problem posting it on Twitter are new things. It was more prevalent to send lawyers for accessing public but not meant to be public URLs back in the days than it's now.
And - of course - the same lawyers would bill MSFT $5,000
According to the story, it took somewhere between 13 and 19 hours for passport.com to resolve properly after he renewed it for Microsoft. Is that normally how long it takes to reactivate a domain name that has gone into a renewal grace period, or was something different back then?
Perhaps the NXDOMAIN response was cached by ISPs for an especially long time because it was such a frequently visited hostname?
It used to be that nameserver changes with TLDs were measured in days, not minutes. Even today some TLDs continue to operate this way.
What are reasonable timeframe expectations for nameserver changes now?
That depends on the TTL of your DNS records. But if it’s a brand-new registration for a dot-com then I’ve found DNS queries work within 3 minutes of me completing GoDaddy’s regustration (and using GoDaddy’s DNS zone hosting) even through my ISP’s DNS servers (provided there’s no cached NXDOMAIN results).
The .com zone file is updated every few minutes. Caching behaviours will vary significantly. Frequently a significant fraction of traffic can be using new nameservers within minutes, with a long tail of traffic with older information.
Each TLD does their own thing. For example, last time I checked, .ca only seemed to be serving a new zone file every few hours. How long new nameservers take will depend on your luck in terms of where you are in their refresh cycle.
NXDOMAIN is often cached for much longer because it's assumed not to change soon. Sometimes, as in this case, that's a wrong assumption.
I thought NXDOMAIN results were cached for as long as the TTL in the parent SOA record?
For com. that's currently 24 hours!
Try to go passport.com nowadays. It redirects you to Bing and search "passport" as result. Handy.
I had an issue with my router which now uses myfiosgateway.com as the router config though it is hosted on the router (presumably so it can serve https?) And mark monitor showed up with a big "this is the actual internet so you don't wanna visit it" page when I was routed to the actual .com, kinda similar
> in addition to a new copy of Visual Studio 6.0 (which I need to compile and run the decss program to decode my DVD's so that I can play them under Linux)
Why would you need VS6 to compile a program for Linux?
He was compiling a Windows program to decode his DVDs so that he could play them on Linux
DeCSS was a windows-only program back in those days.
Also, because it's a joke and is funny :p
I'm confused, how did he pay for someone else's domain? Was there no authentication?
You can renew a domain without being authenticated, but you won't be able to take ownership of it. It's useful if you can't find your login details and are in a hurry.
Oh huh, I didn't know that, thanks.
Back then, control was authenticated as necessary for the proper functioning, but even today I see no reason why renewal should have to be gated behind login walls. Actually, I'd even prefer it not to be, because you might, in a pinch, be prevented from paying for them yourself electronically, having to call in a favor and promise to pay back as soon as you see that friend.
Or you just prefer to pay someone cash for them to top up your domain, because you don't like mixing money and the internet, but have e.g. a personal domain for email.
> even today I see no reason why renewal should have to be gated behind login walls.
This actually reminds me on a somewhat interesting social engineering "vulnerability" a little while back[0].
1. The hacker would call into Amazon and say that the website was acting up and they needed to add a card to the victim's account. It wouldn't take much effort because why would it?
2. The hacker'd call right back and say that "their" email had been compromised and they needed to change it/add a new one and reset the password. You supply the card you just gave (and name/billing address, but those aren't too hard to find)
3. Use that to hop on to the account and grab the last 4 digits of the victim's real card.
You now have the victim's billing address and last 4 of a credit card. A surprising amount of authentication power.
I think the lesson here is if it can be privileged information, it is. Even if it's privileged for someone else.
[0]: https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...
Ok, yeah, I see. Though, in that case, it's both a failure on his side, as well as an utter failure on apple's side.
Also, arguably, a plus for Google's stance on this: no answers to questions, no access. Sue us.
That's a useless hack at the time. You could generate your own credit card numbers back then using a formula. The name/expiry date or address were not used for verification.
So ordering from a fake credit card was easy. Finding the drop shipping location was the hard part.
In context, the exfiltrated info (last for of real card, billing address, email) was used as verification to get the victim's me.com account under the hacker's control, which was the back up for the victim's primary gmail used for everything else.
Your fake credit card isn't going to have a balance.
It didn't matter because in order to check someone had to call and wait an hour so no one did in mail order purchases/shopping networks because you had an address to send the police to.
It was and still is trivial to get stolen credit card info that do have balances or credit available.
yup, i use gandi for that reason. they support payment from anyone. it's especially convenient for volunteer community sites. we don't depend on the person who registered the domain and forgot to give access to others.
Very good to know. I use Gandi too, didn't realize I could do that.
In the UK, student loan payments can be made online without authentication: if you know the right details, it just works. Which was convenient for me, because I have never managed to log into my account.
There are other registrars that support paying for an arbitrary domain without having ownership.
Got an example? And could you use it to pay for my domain, which is not using "your" registrar?
> Got an example?
NetSol/Web.com, (maybe) Gandi SAS, easyDNS and (maybe) Tucows
Others may support it by request
> And could you use it to pay for my domain, which is not using "your" registrar?
No
perhaps the most surprising to me is the apparent willingness to enter credit card info online in 1999. I wasn't around for this period but wasn't the conventional wisdom back then that this was insecure? hence PayPal?
The general wisdom was (as it still is) that you couldn't trust that anyone with a credit card form on their website would honor your trust. In this case the recipient wasn't just anyone with a credit card form on their website, but Network Solutions.
No, not at all?
SSL had been around for 6 years already, credit card transactions were quite common, especially with known, reputable hosts (Network Solutions can be safely be assumed to have qualified at the time)
Unfortunately, not all websites used https or enforced it on pages that should have had it. It was very common to see payment forms submitted over http. That is why browsers evolved to the point where Chrome now won’t submit certain types of html form fields over non-https.
I'm aware of it - even talked some people out of attempting ecommerce without SSL about 20 years ago (not all successfully).
But the linked article specifically mentions an HTTPS link.
In 1999 Amazon (for example) was already 5 years old and plenty of people were using credit cards online.
People who used mail orders before the internet might remember that the options included sending a cheque along with the order form or filling in your credit card details on the order form (that's a paper form that you send in the post), and I think that this is still the case. So I don't think that average people really saw sending card details online any differently. I even remember being asked for my card details by email!
Memory's hazy (it might have been a year or two before 1999) but I remember in the UK buying a domain from Network Solutions with a credit card but then I had to fax a signed document to their US office to actually authenticate ownership. This wasn't an automated anti-fraud thing like you might see today, it was just standard procedure for on-line orders (or at least non-US ones).
But, yeah, paying on-line with credit cards was absolutely a thing in 1999.
Back then, I remember Internic let you register a domain and you had 30 days to pay up, because people would commonly put a cheque in the post ("mail a check.")
Average non-technical people used well-known companies, but that included eBay and Amazon.
Presumably Network Solutions was trusted by this customer of theirs.
I could be wrong, but I think in 1999 Amazon was still only selling books. Certainly they did not sell the variety of goods they have now.
There were thousands of online shops at the time, selling everything that Amazon sells today, and it was common to purchase from them using CC or PayPal.
Well we had https ("check for the lock icon") back then, you could pay for plenty of things with credit cards online. Of course there was some fear of it among the general public. PayPal by no means invented online payments they just popularised it.
>PayPal by no means invented online payments they just popularised it.
I'm not sure it's even so much that PayPal "popularized" online payments as it somewhat democratized them. When I had a small side software business in the early to mid-90s, it wasn't easy/cheap to get setup with a merchant credit card. Mostly, people mailed me checks although at some point I struck a deal with a local BBS operator/reseller for him to take payments for me when necessary.
It was fairly common. Paypal was around in 1999 (only just). More remarkably it was common to mail a personal check or money order for things on ebay and for the most part, it worked.
I regularly made normal payments for normal products such as movies and nothing. It generally was considered safe.
It’s always nice to hear about people doing the right thing. Thanks for sharing the story.
Biggest anachronism is his mailing (maybe home) address and phone number at the bottom.
Great move, kudos to Micheal!
This happened in 1999/2000, maybe someone could add (2000) to the title?