Namecheap CEO offers $10k bounty for changing someone else's domain via helpdesk (twitter.com/namecheapceo)
87 points by deletescape on Aug 29, 2022 | hide | past | favorite | 93 comments


How else is the CEO supposed to respond? He's in the tough position where he can't prove a negative; the burden of proof is on the original tweeter. So the CEO needs the "hacker" to either prove it or admit they were mistaken, and bug bounties are exactly how companies do this.

(Also, I feel like it's implied that "an account that isn't yours" doesn't mean "mess with any of our customers you want." He's clarifying that because with white-hat(ish) hackers, you'd be shocked how many people try to claim bug bounties from us because they "hacked" their own account using their own credentials.)


Thanks for your comment and you are correct with your latter point and assumption. It's hard to word things properly when you're limited with the amount of allowed characters on twitter.


Love the bounty proposal, but may I suggest creating a bounty target specifically for this and sharing it with everyone, so whitehat folks can have a crack at it without raising concerns about hacking customers' accounts? :)


kek I thought this was a troll account until I saw your post history. I like your straight forward approach to username creation.


Approach to additional username creation, most likely!


> you'd be shocked how many people try to claim bug bounties from us because they "hacked" their own account using their own credentials.

Wait ...what? Like, seriously?


Yup, but in a roundabout way.

For example, they'll inspect traffic and nab a session cookie. Then they'll use that session cookie on another internal API request to change a setting, and claim they were able to modify a setting by reverse engineering things.

They seem really scary at first, and then you dig into it and you're like "oh...".
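The "I replayed my own session cookie" report described above, as an added example that is not from the thread or from Namecheap: a constructed in-memory stand-in for a settings endpoint, shown once without an ownership check and once with it, plus the two requests a triager actually runs to tell the difference. The account, session and function names are this example's own assumptions.

```python
"""
Added example (not from the thread): distinguishing "I changed a setting on
my own account with my own session cookie" (not a bug) from a real broken
access control bug (a valid session for account A changes account B).
Everything here is a constructed stand-in, not any real provider's API.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    owner: str
    settings: dict = field(default_factory=dict)


# Constructed sample state: two customers, each holding one session cookie.
ACCOUNTS = {"acct-A": Account("alice"), "acct-B": Account("bob")}
SESSIONS = {"cookie-alice": "alice", "cookie-bob": "bob"}


def change_setting_vulnerable(cookie, account_id, key, value):
    """Authenticates the caller but never checks that the caller owns account_id."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401
    ACCOUNTS[account_id].settings[key] = value   # trusts the client-supplied account id
    return 200


def change_setting_fixed(cookie, account_id, key, value):
    """Same endpoint with the authorization check the vulnerable one lacks."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != user:
        return 403   # or 404, if you prefer not to confirm that the id exists
    acct.settings[key] = value
    return 200


def triage(handler):
    """Run the two requests a bounty triager cares about against a handler.

    Request 1: own cookie against own account. Succeeding here proves nothing.
    Request 2: own cookie against somebody else's account id. Succeeding here
    is the actual finding.
    """
    for acct in ACCOUNTS.values():     # reset so the check is repeatable
        acct.settings.clear()
    own = handler("cookie-alice", "acct-A", "autorenew", "off")
    cross = handler("cookie-alice", "acct-B", "autorenew", "off")
    victim_modified = "autorenew" in ACCOUNTS["acct-B"].settings
    return {
        "own_account_status": own,
        "cross_account_status": cross,
        "victim_modified": victim_modified,
        "verdict": "broken access control" if victim_modified
                   else "not a bug: own account only",
    }


if __name__ == "__main__":
    print("vulnerable:", triage(change_setting_vulnerable))
    print("fixed:     ", triage(change_setting_fixed))
```

In a real program the second request goes against a second account the researcher also controls (or a test account the vendor provides), never against a paying customer; the point of the example is only that the cross-account request is the one that decides whether there is a bug.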


I'd say that >90% of "security incidents" that I've seen reported are completely bogus. And we don't even have a bug bounty program. They will still beg for free stuff like t-shirts and other tiddletat.

I think the majority is just ignorance rather than malice though.


A few weeks ago I saw a vulnerability reported for an FTP server that claimed they could put a file on the remote server. With FTP! What madness! I wish I could find it but I cannot, still makes me chuckle.


Yeah, we get those too. We let people write JavaScript to build their sites (we're a site builder), and people will use that feature and add an alert and then claim it's XSS (on their own account).


> Also, I'll put my money where my mouth is. If you can make any changes to a domain that is not yours or a friend's via our help desk, I will send you 10k USD, no questions asked.

> and to clarify, said account must be protected by 2fa to begin with.

I appreciate what he's trying to say... but perhaps he should instead recommend that white-hats create a test account and try to access it without using the 2FA mechanism.


I think that's reasonable. I was thinking in terms of cutting out the gaming aspect when I made that statement. I probably should have been more specific. The premise of the entire conversation was based on someone making an unjustified accusation without even following it through and testing it to begin with.


>without even following it through and testing it to begin with

You do realize that many companies will prosecute people just "following through and testing it", right?

Though the person you did say it to very likely has an international warrant out for them anyway for pissing off the DoD, so I guess it's all water under the bridge.


They could have started with their own account of course and then documented it but they didn't even bother with even that before making some baseless statements.


[flagged]



Or qualify with "harmless changes", like inserting a TXT entry with your name.


Inserting a TXT entry isn't a harmless change these days, because it's one way to authenticate ownership of a domain. Like recovering a google apps admin login.


It can be used harmfully (as everything) but adding one isn't as harmful as for example deleting an A entry or changing CNAMEs to another domain


What's the point? It's not like it makes any difference. His tweet will not protect you if you choose to make harmful changes to someone else's stuff.


It may or may not make a difference with what happens in the court system, but I assure you there is a set of people who think the tweet would be permission to hijack a domain. And some of that set overlaps with the group that might accept the $10k challenge. Whether they actually follow through and are able to, hopefully not.

A bug bounty really ought to be thought out carefully.


>I assure you there is a set of people who think the tweet would be permission to hijack a domain. And some of that set overlaps with the group that might accept the $10k challenge.

And then from all those people you'd still need to find someone who 1) would successfully pull it off and 2) be stupid enough to demonstrate this in a damaging manner.

It’s also worth noting that this offer was made to only one person.


Arguably the offer was made to everyone. I don't know about your other point because, like I said in my post I think those people may exist. Perhaps you don't, but, you kind of made the initial statement that it doesn't matter, right? So isn't it on you to prove it?


> Arguably the offer was made to everyone

How so? It’s clearly a tweet to a single individual.


Namecheap's primary business is as a domain registrar. Sensible customers don't let their domain registrar act as their authoritative DNS, you'd need to change something else; but maybe mild defacement of the contact name or address in whois would qualify, without being harmful.


> Sensible customers don't let their domain registrar act as their authoritative DNS

Are you saying that based on quality of the service or something else?


You want to be able to switch registrars whenever it's convenient. But if your registrar is also your authoritative DNS and your webhosting, it makes it inconvenient to switch registrars.


Switching DNS is not harder than switching registrars, and keeping them in the same place is reasonable if that provider offers good service for both or you want to avoid the additional complexity of an additional vendor.

I thought your original comment made it sound like there was some obvious reason for keeping DNS and registrars separate.


Switching DNS is harder than switching registrars, because there are more records, and you have to transfer them, and you ideally want the old service to send NS records pointing to the new service, and the old service should be cancelled only after sufficient DNS traffic has moved to the new service. For a seamless transition, you need a period of time with both services active, but some registrars with included nameservice will cancel your nameservice immediately when a domain is transferred to a new registrar; and you likely can't start service at the new registrar in advance either. Recursive resolvers do cache and use glue records, and 2 day TTLs are common at TLDs.

On the other hand, a registrar transfer is usually simple and quick and has no user visible changes. Unlock the domain, get a transfer code, do any confirmation stuff, make sure the glue records didn't change, you're done.
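The "both services active, all records copied, old service kept alive until caches expire" procedure described above, as an added example that is not from the thread: a small pre-cutover check that parses one-record-per-line BIND-style zone data exported from the old and the new provider, reports what the new provider is missing or serving differently, and computes how long the old service has to stay answering once the NS records are changed. The two zones are constructed sample input, and the 2-day delegation TTL is taken from the comment above as an assumption, not from any real TLD.

```python
"""
Added example (not from the thread): a pre-cutover check for moving
authoritative DNS from one provider to another. Zone data is constructed
sample input; function names are this example's own.
"""
from collections import defaultdict

TLD_NS_TTL = 172800          # 2-day delegation TTL, assumed per the comment above
IGNORED_TYPES = {"SOA", "NS"}  # provider-specific; expected to differ across providers


def parse_zone(text):
    """Parse lines of the form 'name ttl IN type rdata...'.

    Returns ({(name, type): {rdata, ...}}, max_ttl). Only this simple
    one-record-per-line form is handled: no $ORIGIN, no relative names,
    no multi-line parentheses. Full-line ';' comments and blank lines are skipped.
    """
    records = defaultdict(set)
    max_ttl = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _klass, rtype, *rdata = line.split()
        ttl = int(ttl)
        max_ttl = max(max_ttl, ttl)
        value = " ".join(rdata)            # collapse whitespace inside rdata
        if rtype.upper() != "TXT":         # TXT is case-sensitive; names and IPs are not
            value = value.lower()
        records[(name.lower(), rtype.upper())].add(value)
    return dict(records), max_ttl


def cutover_check(old_zone, new_zone, tld_ns_ttl=TLD_NS_TTL):
    """Compare the record sets and compute the required overlap window.

    TTL differences are deliberately ignored: lowering TTLs at the new
    provider ahead of a move is normal. SOA and NS are ignored because they
    name the provider and are expected to differ.
    """
    old, old_max_ttl = parse_zone(old_zone)
    new, _ = parse_zone(new_zone)
    missing, changed = [], []
    for key, rdata in old.items():
        if key[1] in IGNORED_TYPES:
            continue
        if key not in new:
            missing.append(key)
        elif new[key] != rdata:
            changed.append(key)
    extra = [k for k in new if k not in old and k[1] not in IGNORED_TYPES]
    return {
        "missing_on_new": sorted(missing),
        "changed_on_new": sorted(changed),
        "extra_on_new": sorted(extra),
        # Resolvers may hold the old delegation for the TLD's NS TTL, and
        # answers they already cached for the old zone's longest TTL; keep the
        # old service answering at least this long after changing NS.
        "overlap_seconds": max(tld_ns_ttl, old_max_ttl),
        "safe_to_cut_over": not missing and not changed,
    }


# Constructed sample zones: the new provider's copy forgot the MX record.
OLD_ZONE = """
; old provider (constructed sample)
example.com.        3600  IN SOA   ns1.oldprovider.net. hostmaster.example.com. 1 7200 3600 1209600 300
example.com.        3600  IN NS    ns1.oldprovider.net.
example.com.        3600  IN A     192.0.2.10
www.example.com.    300   IN CNAME example.com.
example.com.        86400 IN MX    10 mail.example.com.
example.com.        3600  IN TXT   "v=spf1 mx -all"
"""
NEW_ZONE = """
; new provider (constructed sample), TTLs lowered for the move
example.com.        3600  IN SOA   ns1.newprovider.org. hostmaster.example.com. 1 7200 3600 1209600 300
example.com.        3600  IN NS    ns1.newprovider.org.
example.com.        60    IN A     192.0.2.10
www.example.com.    60    IN CNAME example.com.
example.com.        3600  IN TXT   "v=spf1 mx -all"
"""

if __name__ == "__main__":
    for k, v in cutover_check(OLD_ZONE, NEW_ZONE).items():
        print(f"{k}: {v}")
```

Run it against real exports by pasting each provider's zone into the two strings; with the constructed input it flags the missing MX, reports nothing changed or extra, and tells you to keep the old service answering for two days (the delegation TTL dominates the zone's own 86400-second MX TTL).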


All of those arguments are arguments to use a good DNS provider, not specifically to not put the domain and the DNS on the same provider. I've seen DNS providers remove the namespace the instant they see the domain pointing somewhere else too.


Having said all that, do you have a recommendation?


I recommend that you not host DNS with your registrar. And if possible, that you not host DNS with your hosting provider (although, that can be more difficult).

If you have a high value domain, you might want to look for a corporate registrar, like MarkMonitor or CSC, or anyone else who can do Registry locks (which are very different than registrar locks and are rather inconvenient, but potentially very useful); but know it's going to be expensive. I also had a good corporate experience with register.eu, they've got a lot of ability to satisfy foreign presence needs for restricted TLDs, if that's something you need/want. If it's a low value domain (like my personal domains), I don't have strong feelings, except for the love of whatever you hold dear, don't use Network Solutions; they were a fine choice when they were the only choice, but ever since we had options, they should have been used. A lot of registrars are really pushy with upsells and what not, so I've tried to go with no fuss registrars over the years.

In terms of DNS services, I don't have any particular recommendations; I personally run my primary DNS on my hosted machine and secondary with Hurricane Electric, which is free for my usage. There are (or were) several free secondary DNS services out there, but the one I used to use stopped maintaining their website (TLS 1.0 only, certificate issued 2014, expired 2015) and I already had an account with HE's tunnel broker, so it seemed like a reasonable choice. I still have a domain I host for a friend that uses that old service, because I can't get my friend to update the glue records at her registrar; the service still works enough, I guess.


Isn't this standard procedure for big companies? If you point out flaws in their security they will give you a reward.

https://www.techtimes.com/articles/271004/20220125/apple-rew...

https://www.pcgamer.com/security-researchers-aka-hackers-mak...


Not really, they don't often advertise that you should attack their customers directly. The closest I can remember was the LifeLock guy putting his social security number up publicly.

Otherwise, they prefer you hit test or personal accounts rather than paying customers...


> The closest I can remember was the LifeLock guy putting his social security number up publicly.

ha. Did anything "good" (or bad) come of this?


quick search:

> Davis publicly posted his Social Security number as part of a 2007 ad campaign to promote the company's identity theft protection services. However, Davis was a victim of 13 cases of identity theft between 2007 and 2008.

https://en.wikipedia.org/wiki/LifeLock#:~:text=Davis%20publi....


Hacking accounts without consent of the victim is probably illegal. So normally you'd use an account you own (or your friend/colleague owns), but the challenge is excluding those. The company setting up special test accounts can be a good option as well, but needs to be done in good faith and is problematic when the attack is social engineering based.

So the challenge is either giving attackers permission to hack accounts of strangers, or requires the attacker to engage in potentially illegal behaviour. Neither of which is acceptable.

I assume this is just badly phrased, and what was actually intended was a requirement that the victim doesn't collude with or help the attacker.


You're not supposed to cause actual substantive changes to actual customers. In addition to being questionably ethical, that would usually disqualify a researcher from any possible bug bounties and forfeit legal protections offered by the program.


Well, the CEO said they didn't think it was a problem because there is additional security (also a PIN code required) to access the account. That is pretty standard for big companies: saying that actually isn't a problem and either not fixing it, or fixing it and not paying a bounty on it.


No, this is illegal and can put Namecheap into huge trouble.

A responsible disclosure programme needs to explicitly state that access to other users' data is illegal and that test/self-owned accounts need to be used for security testing.

This is why legal departments exist; you cannot just say this as a CEO without consulting your advisors.


None of what you’re saying is true.

> A responsible disclosure programme needs to explicitly state that access to other users' data is illegal and that test/self-owned accounts need to be used for security testing.

Why do you think so? You don’t lose out on any legal protections without explicitly stating that.


I think you meant legal protections for the security researcher? I was talking about legal troubles for Namecheap.

A company can't encourage/allow security researchers to access private data of its users; at best this is against GDPR, but it can also cause monetary damage to users, which can be far worse.


No, this isn't "against GDPR".


If this tweet is being interpreted as namecheap granting permission to someone to try and access customers' data, it actually is against GDPR for namecheap to do so.

As data controller, namecheap has the following duty "the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject." (GDPR 28.1)

Of course, if that tweet is treated as empty boasting, then there are no consequences - but if you take it at face value, namecheap is granting permission to access data without a proper limiting contract, and it is explicitly illegal for namecheap to do so (GDPR 28.3 - "Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller"); they have a duty to ensure that any subcontractors or licensees or partners or whatever accessing the data do so only in a strictly controlled manner.

This is why every proper external pentest in EU will have explicit GDPR clauses about the limitations of personal data handling if the pentester/auditor has any chance of accessing systems with such data - it's not acceptable for a company to hire external auditors without such restrictions, they can't simply grant access to other peoples' data to third parties.

And before someone says "...but terms&conditions..", no, terms and conditions can't override law, these restrictions apply no matter what namecheap has contracted with the individuals whose data they're storing. There are some clauses of GDPR which state "don't do X without informing the data subject" (in which case the T&C might inform the customer that you'll be doing X) but that's not the case for these requirements.


> If this tweet is being interpreted as namecheap granting permission to someone to try and access customers' data, it actually is against GDPR for namecheap to do so.

I’m not sure that’s a credible interpretation, the CEO betting against you being able to work around their data protection measures does not turn you into a processor.


The big question is whether CEO betting against you being able to work around their data protection counts as namecheap permitting you to access that data.

If it does not (which IMHO is a reasonable interpretation), there is no issue and that's just empty boasting. But if it does, that's a violation: GDPR prohibits Namecheap from allowing anyone outside the company to handle that data without a proper controller-processor contract.

Not being a processor is a bad thing in this case, because being a processor is the only way this can proceed legally. If you're not a processor, it's a violation for Namecheap to give you that data; and if you're not a processor, it's a violation for you to process that data since you're also not a controller, you did not legally obtain it from the data subject, this is also not a purely household activity, and no other exceptions seem to apply, so the default condition applies, i.e. it's illegal for you to handle that data as you have no legal basis permitting it. (GDPR is a deny-by-default law; processing of private data is lawful if and only if specific conditions listed in GDPR are met. If some private data 'fell off a truck', you can't legally do stuff with it.)


Maybe you could put your actions where your mouth is and just add a 2FA step to the support portal's login process? As a Namecheap user I don't want to be randomly targeted to prove a point in some face-saving contest.


LOL the hand wringing over this is dumb. If he hadn't made this tweet and his service was hackable you think people wouldn't?

The gain is quite a bit higher than $10k for the right domain. Give me a break.


Coincidentally I just received an email request to reset my password on Namecheap (not issued by me), anyone else? On top of that, my account has been locked for 24 hours for three consecutive failed password or username entry attempts.


Perhaps someone just got confused with the amount of j's in their username?


You should watch your domains and look out for any friends who suddenly have a new car or a new nice watch :-).

My strategy for things is to use a unique username and email address (and password..) for critical services, that way any hacks/leaks of other sites don't reveal my entire web presence. It may be that your email was found in another dump, or from a domain whois lookup.


Poorly worded bounty, IMO.


I'm way less upset by this than a large number of people in that twitter brawl. I can agree that this probably isn't the best way to go about things, but in the end, all I see is a CEO taking a firm stance of confidence behind his products - let's just hope this doesn't turn into a real bad situation for namecheap customers. Ballsy? Yeah. But pitchfork and torch worthy? Not really.


Off topic: is there a way to see info on Twitter without creating an account? I used to look at tweets from my local meteorologist on Twitter, but now I can't seem to view anything without a modal blocking the window and asking me to sign up.


Replace twitter.com with nitter.net, that's worked for me


If the result of this tweet is that one of my domains is altered, and that I lose income, users, or other useful metrics to measure the value of my site, this seems like a great piece of evidence to be litigious towards Namecheap


How is this different from any other bug bounty program as an incentive to compromise live functionality/user data always exists?


Well run bug bounty programs have strict guidelines on what is and is not out of scope, and changes like this would certainly be out of scope (in fact, generally social engineering as part of the exploit chain is itself wholly out of scope).


Bug bounty programs usually explicitly forbid accessing other people's data.


It’s the difference between stepping in a bear trap and poking a lion.


Completely violating your users' trust is an interesting way to react to a disclosure of a potential security vulnerability.


"Nefarious actors are attempting these things 24/7 regardless. As a registrar for millions of domains names, we are constantly under attack so this isn't anything new." - https://twitter.com/NamecheapCEO/status/1564077063480418307

I guess this makes sense. On the other hand such actions might have had legal implications before. I mean until the CEO actively allowed / awarded them.


This doesn’t have any meaningful legal implications.

You will still be in trouble if you deface some random Namecheap customers website to claim this bounty.


Namecheap is good. They are my registrar, even though Amazon would be easier, because their support + personability makes me feel like I'm dealing with human beings.

They are the Linode of the domain space.


Yikes - never taunt happy fun ball (The Internet)


What a weird thing to get excited about.


Hardly surprising if one admits to being a "23 years old", "mentally ill, "anarchist kitten".

So many deranged folks on Twitter these days.


> no questions asked

He doesn't even want to know how you did it.


[flagged]


> kingofkyiv.com

> buyagf.com

What the hell am I looking at?


The kingofkyiv account frequently tries to plug their sketchy eastern-european-women-"love"-connection huckster website on HN.

Preying on desperate nerds could be profitable.


That's what the first site is. Wtf is the second one??


Not going to click through to find out, I want nothing to do with KoK. Confident they don't have our best interests at heart.


My best guess for the second one is "human trafficking".


Or perhaps a Runescape fan.

"buying gf, 100 gp"

I wonder if they also have an armour trimming service.


Look at the person's comment history. He seems to be very sincere about wanting to sell women to people.


I became overwhelmed with osrs flashbacks after reading this


Absolutely not. The women are willing and come to me to help them leave Ukraine and move elsewhere. I screen my clients with background checks and proof of income.

Mail order bride is more appropriate.


Guess I should move elsewhere. What is everyone using for domains and DNS these days?


Time to move somewhere else because the CEO is so confident they can't be hacked that he publicly offers money to anyone who can do it? You want to be with one that thinks it is insecure?


Not exactly. The Namecheap dashboard has become annoying, and the only thing keeping me there is their customer service.


NameSilo or Cloudflare


As for Cloudflare I'd recommend NOT hosting your DNS with your domain name provider, just in case one of them does something stupid (but often if your domain goes sideways there's not much you can do anyway ...)


Like you said, if your registrar shuts down your domain it doesn't matter where your DNS is hosted. So your recommendation makes no sense.


NameCheap support is leaking its PHP error log, which should reduce the search space considerably:

https://twitter.com/ReneReh1/status/1564349884106477573

There's at least one customer name in there.


"Go commit a crime against a third party who didn't consent and I'll give you 10k$" is what this amounts to, given he excludes friends domains from the targets.


Cool. This reminded me to delete my personal and business Namecheap accounts now that all the resources I had with them have been transferred or expired. Thanks, idiotic Namecheap CEO!


Really glad I moved my domains to Porkbun recently.

This is Namecheap's second blunder this year in terms of being a reliable service provider.

First engaging in politically cheap racial discrimination (their ban on Russia seemingly having hit anyone who ever in their history used a Russian IP address, and demanding evidence of a user's current location before lifting it), now giving hackers carte blanche to screw with existing customers.

Extremely unreliable.


Oh yeah, it’s truly shocking that a company with most of their staff in Ukraine decided to cut off Russia.

What unreliable pieces of shit. How dare they?


The problem isn't the decision itself. The problem is all the context surrounding it. Namecheap is a Californian company with its support staff outsourced to Ukraine.

Cutting off Russia on its own already subjects a bunch of probably already very stressed out Ukrainians to the stress of dealing with angry Russians, most of whom have nothing to do with the war in Ukraine. These customers, mind you, used Namecheap to host content the Russian regime disapproves of; they were pretty much the only reputable registrar offering domains to Russian customers that wasn't run by the state. Getting rid of those customers pushes those people to Russian state registrars, who will gladly come knocking for contact details if someone hosts something that the Kremlin disapproves of.

Adding to that, the actual methodology used was basically the dumbest method. It seems they targeted everyone who ever had Russian bank details in their account, anyone who ever accessed the site over a Russian IP address and anyone who had a Russian last name. This included hitting several thousands of people who fled the regime over a decade ago, who upon contacting Namecheap support were told to hand over proof of their permanent housing outside of Russia, people who used their account over a VPN, people in neighboring countries because GeoIP isn't an accurate science and people who have Russian roots but haven't even set foot in the country.

The only way to prove this was to send fairly specific details of your housing to Namecheap support (reports at the time even indicated that affected customers had to send photographs of their own house to remain a client), something which can be very sensitive for some people wrt OPSEC, and it's also data they could easily verify with existing KYC data, but they categorically refused to do that.

Like, the methods employed and the complete lack of perspective on what Russians used Namecheap's domains for are what make it racial discrimination; the decision itself is justifiable enough, many companies dropped Russia after the invasion.


This is laughable, many of our people have Russian last names and Russian heritage to some degree. The last thing our Ukrainian support people wanted to do was to have to communicate in any way with Russians that lived in Russia. We weren't the only company that left that market. Most western based companies did.


> anyone who ever accessed the site over a Russian IP address

I know for a fact that this isn’t true.

>anyone who had a Russian last name.

I seriously doubt this too, but maybe my last name just isn’t Russian enough.


> I know for a fact that this isn’t true.

Some Australian companies that used a VPN service that had a Russian exit node got hit with termination notices. There were a couple of reports from people in the UK and the US as well with similar patterns.

> I seriously doubt this too, but maybe my last name just isn’t Russian enough.

Admittedly that is one of the shakier ones, but there was at least one report from France that had a customer who had nothing to do with Russia beyond a very distant family member that caused them to have a Russian last name being hit with a termination notice.

Sorry for not having any references, this all was like... 6 months ago. I found the decision awfully shortsighted and made very ad-hoc rather than properly thought through. (Hell, the termination itself was ludicrously short-notice; people had less than a week to find a new registrar for their domains. Most companies give you at least the time to sit out your renewal period/contract expiration before they tell you to shove it.)


> politically cheap racial discrimination

Namecheap cut ties with a country (Russia), not a race.

Namecheap has no ban on Russians outside of Russia using their service, and they very likely employ Russians, since so many Ukrainians have Russian backgrounds.


Besides that, Porkbun is also cheaper in most cases.

That's why I moved most of my domains to Porkbun too.



