City of Marin County serves porn

The Transportation Authority of the City of Marin County is hacked to pieces, serving malware and porn.

Here’s the website:

But here’s a sampling of what’s actually hidden away there on their servers, which a simple Google search provides (warning: graphic content).

Click on one of those links, and you get redirected to a porn site pushing malware:

Ok, so this happens and we see it all the time. I contacted them today by email, but another security researcher here also tried vainly to contact them yesterday. As she tells me “I sent them 2 emails and left a message on their voice mail at the number on the site. They have not responded and the site is still hacked up the ying-yang today.”

Here’s a suggestion: If you have a public facing site, make it easy for people to contact you. And read the emails when they come in.

We had better luck today with a government agency. We emailed the contact, and were provided with a phone number. A pleasant call was had, and they are working to clean their site (the only problem being the site is hosted somewhere else). But at least we got someone.

Alex Eckelberry

For shame: Thawte trusts Gromozon

Gromozon (here as “Newtech, Inc. Panama”), one of the most notorious pieces of spyware out there, is digitally signed by Thawte (part of Verisign). This isn’t the first time spyware has been signed by a certificate authority.

VirusTotal results for this “signed” piece of garbage here.

Alex Eckelberry
(Credit to Sunbelt researcher Francesco)

Update: Verisign has notified me that the cert is being revoked.

When PR backfires

Zango apparently sends a press release to all kinds of press people, including blogger Chris Boyd (aka Paperghost).

Let me get this right……you decided to send a press release to me……Paperghost……known for my enthusiastic response to all things Zango…..who happens to work for an Instant Messaging Security Company…..to tell me about how awesome Zango’s new adverts….that look like Instant Messaging Notifications……will be?

Link here.

Alex Eckelberry

Tales of product managers

Back in the antediluvian times of the industry (that is, before the flood of the Internet and the ubiquity of Windows), I used to be a product manager. In my opinion, it’s probably the best job you can ever have in a software company, but its downside is represented by the PM’s motto of “accountable for everything, responsible for nothing”.

So I enjoyed this article by David Pogue, who relates some tales of his dealings with PMs.

The product manager (P.M.) is an interesting beast, sort of a crossbreed: somebody who knows a lot about the product and its target audience, as the engineers and programmers do, but who’s also there to promote the product, as the P.R. people do. (Just as the P.R. person is a gatekeeper for the P.M., the P.M. is a gatekeeper for the engineers if the questions get too tough.)

Link here.

Memories…. I recently came across this old article from 1994 when I was a product manager in the old PC DOS days. No, I’m not old. Just a bit creaky around the edges.

Alex Eckelberry
(Thanks, Phil)

Sunbelt Weekly TechTips #61

What’s the Network Projector?
One of the new features in Vista of which many users are unaware is the ability to connect to a projector over the network, to give presentations from a PC without having to directly connect the computer to the projector. A network projector is connected to the local area network via wired or wireless technology and you can connect your Vista computer to it by using its URL (web address) or its UNC name (the network path and name). You can also ask Windows to automatically search for a connected projector.

You set up the connection from Start | All Programs | Accessories | Connect to a Network Projector. Your presentation is sent over the network to the projector using the Remote Desktop Protocol (RDP), which is encrypted for better security. You can even connect to more than one projector at a time, and give your presentation to groups of people who are in two different locations, from your own third location. To find out more, click here.

How to use the Cipher command to wipe data from your disk
As you probably know, when you delete files off your Windows XP or Windows Vista computer, those files aren’t actually gone. The only thing that happens is that the “pointer” to the deleted files is removed and the space on the hard disk is marked as available to put new data. But until new data is put in the same location as the deleted data, the deleted data remains on the hard disk and can be recovered by hackers and other malicious users.

What you need to do is “wipe” the data off the hard disk. You can do this by using the cipher command that comes free with Windows XP and Windows Vista. Here are the instructions, compliments of Tom Shinder:

  1. Close all programs.
  2. Click Start, click Run, type cmd, and then press ENTER.
  3. Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space. For example, if you have deleted files in folder c:\SECRET, you would enter cipher /W:C:\SECRET

The wiping process can take a long time, so be patient. Once the files are wiped by the cipher utility, no one will be able to recover your deleted information from your hard disk.

Order Microsoft hot fixes without calling Support Services
Hot fixes are released to address specific problems and Microsoft recommends that you install them only if you’re actually experiencing the problem (unlike security updates and service packs). Until recently, to get a hot fix you had to call Microsoft support services. Now they’ve made it easier by providing a web site where you can order hot fixes you need by filling out a hotfix request submission form, and someone from Microsoft will contact you via email. Go here to find out more.

Zune gets cheaper: Apple’s not the only one cutting prices
If you’ve been waiting around to buy new electronics products, last week was a good one for you. In addition to the iPhone price cut, Microsoft dropped the price of their Zune music player by $50, to $199. Read more here.

What happened to that rebate?
Unopened rebate applications found in dumpster (thanks Martin M.).

New Windows Live Suite available
On September 5th, Microsoft released a new version of their Windows Live services that can be installed as a suite rather than having to install each program individually. The suite includes Windows Live Mail, Version 8.5 of Windows Live Messenger, Windows Live OneCare Family Safety, the Windows Live Toolbar, the excellent Windows Live Writer blogging program, and the first public beta of Windows Live Photo Gallery for sharing pictures on Windows Live Spaces. Check it out here.

Evaluating the credibility of Wikipedia entries
Wikipedia is a vast resource for information about all sorts of things, but its strength – the fact that anyone can enter or edit the information – is also its biggest weakness. How do you judge the credibility of what you read there? Now a professor has come up with software that purports to do just that, based on the reputations of the contributors. If it works, it sounds like a step in the right direction. Read more about it here.

September 11 Marks a light Patch Tuesday
Patch Tuesday falls on September 11 this month, reminding us that vigilance when it comes to security is important on many different fronts. This month sees relatively few patches being released by Microsoft; only five security bulletins are expected with only one of them labeled as critical. The critical patch deals with a vulnerability in Windows itself, while there are also patches for Windows Live Messenger and MSN Messenger and Visual Studio. Read more here.

What can I do when my computer is losing time?
QUESTION:
My Vista computer doesn’t seem to keep time properly (like a watch that’s going bad). It seems to lose time. Is there anything I can do? Thanks! – A. R.

ANSWER: Your Windows Vista computer is able to synchronize its clock with a time server on the Internet. But if you find that your computer time isn’t right, maybe you need to change your time server. Here’s how you do it:

  1. Click Start and then click Control Panel
  2. In the Control Panel, click the Classic View link on the left side of the Window
  3. In the Classic View Control Panel Window, double click the Date and Time icon.
  4. In the Date and Time dialog box, click the Internet Time tab.
  5. On the Internet Time tab, click the Change Settings button.
  6. Click Continue in the User Account Control dialog box.
  7. In the Internet Time Settings dialog box, click the Server down arrow and select another time server. The default is time.windows.com. Try using time.nist.gov first and see how that works for you.
  8. Click OK in the Internet Time Settings dialog box.
  9. Click OK in the Date and Time dialog box.

Can’t install WMP 10 on XP with SP2
If you try to install Windows Media Player version 10 on an XP computer with Service Pack 2, you may get an error message that says “This version of Windows Media Technologies is incompatible with this version of Windows.” That may be because you have Windows Media Format 11 installed, and must uninstall it before you can install WMP 10. If that’s not the issue, there is another resolution. For the “how to” in both cases, see KB article 914223.

How to log onto XP if you forget your password
A forgotten password can keep you from being able to log onto your Windows XP computer. But you may be able to reset the password and access the account again – if you have a password reset disk that you created beforehand or if you know the password to an administrative account. For more info, see KB article 321305.

Logon screen not available when you remove a second monitor in Vista
If you have two monitors on your Vista computer and happen to remove one while the computer is in hibernation or sleep mode, you might find that when the computer resumes, you can’t see the logon screen and thus can’t log on to the computer. Ouch. Luckily, there is a hotfix for this problem. To find out more, see KB article 932339.

Deb Shinder

When Lowering Your Price Makes Customers Mad

We’re all happy when prices drop, right? Well, not quite all of us. Apple caused quite a backlash last week when they decided to cut the price of the iPhone by $200. You’d think that would be a good thing but it made a lot of customers mad – specifically, those who had already bought a phone at the higher price.

According to a story in the Washington Post, at least one iPhone owner who felt gypped by the price cut proclaimed that he would never buy another of the company’s products.

I can understand their frustration. If I had shelled out $599 for something and a few weeks later, it was selling for $399, I’d be annoyed. In fact, I have been annoyed when that’s happened to me on several occasions. But I accepted a long time ago that when it comes to the technology market, you can pretty much count on the fact that the price you pay today for most electronics and computer equipment will be lower if you wait a while.

The iPhone folks are acting as if they’re the only ones who’ve ever been caught in this kind of situation. Yet when I got my Samsung i730 Windows Mobile phone from Verizon a couple of years ago, it was $600. Last spring, Verizon was offering the same phone for $299. It never occurred to me to swear off Verizon and Samsung forever. I just figured that $300 difference was the price I paid to have the device when it was brand new.

And it’s not like they weren’t warned. A number of industry insiders speculated that the price would come down fairly soon and advised those who didn’t just absolutely have to be on the cutting edge to wait a few months before buying. I even wrote an article for Tech Republic titled “Ten Reasons Not to Buy an iPhone (at least, not yet).” One of those reasons was the high opening price. I opined that the next version of the phone, which was rumored to be coming out as soon as this December, would cost less and (I hope) address some of the problems with the current version, such as the non-user replaceable battery.

Besides, I thought Apple fans had plenty of money to throw around. Otherwise, why would they pay so much more for computers with specs so much lower than what they could get in a PC for the same price? Seriously, though, anyone who’s been around the computer world for any length of time (and phones like the iPhone and the i730 are computers) knows that drastic price drops are the order of business over both the long and short term.

It’s that “short term” part that seems to be rubbing so many people the wrong way. They aren’t complaining so much about the fact that prices went down as the fact that they went down only ten weeks after the phone’s release. And I admit that most of us didn’t see it coming quite that quickly.

Apparently Apple didn’t see all these angry responses coming, either. Steve Jobs himself found himself apologizing for the price cut, and Apple is offering a $100 credit at the Apple store to customers who bought the phone at the higher price. Whether that will appease the angry mob is yet to be seen. Meanwhile, Wall Street reacted to the price cut with a corresponding drop in Apple’s share prices.

What about all those people who didn’t rush out to stand in line and buy an iPhone on the first go-round? Will this price cut motivate them to buy one now? Or will they think twice and wait, hoping it will go even lower? Personally, I’d need to see more changes than just a lower price before I’d buy one. A removable/replaceable battery is non-negotiable for me, and the limited support for Exchange server is another deal breaker with the current model.

I’m a Windows kind of person, and will most likely go with a Windows Mobile 6 device when I replace the venerable i730 – but I’ll never say never. Apple does make gorgeous products, and if iPhone 2.0 offered full Exchange support, a user-friendly battery, and worked on Verizon’s EV-DO network, I would be mightily tempted.

What about you? Did you buy an iPhone when they came out at the end of June? If so, are you angry about the price cut? How angry? If not, will the price cut motivate you to buy one now, or is $399 still too much to pay for a cell phone? Are you waiting for a new version with better features? What features would Apple need to add for you to want one of their phones? Or do you think the whole concept is silly? Are Apple customers justified in feeling cheated, or are price cuts always a good thing, even if some people get burned? Would you get angry if Microsoft announced they were dropping the price of Vista?

Deb Shinder

Searching for evil: Recommended video

Professor Ross Anderson gives an excellent video talk on malware, phishing and spam, called “Searching for Evil”. Highly recommended viewing.

From the abstract:

Computer security has recently imported a lot of ideas from economics, psychology and sociology, leading to fresh insights and new tools. I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.

Evildoers online divide roughly into two categories – those who don’t want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected?

Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I’ll describe a number of dubious business enterprises we’ve unearthed. Recent advances in algorithms, such as Newman’s modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution. I’ll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.

Speaker: Ross Anderson

Ross Anderson is one of the top security researchers in the world.

Alex Eckelberry
(Thanks Rob)

The Suntasia Debacle Revisited

In July, we wrote about Suntasia Marketing (also known as Strategia Marketing) and their misleading tactics. The company is now apparently in receivership, and in August, the Receiver published a preliminary report — which provides some very interesting reading if you’re interested in this kind of stuff. It details the high rate of refunds and returns, the misleading sales tactics and the poor quality of the products sold.

In summary, it appears that while the receivership defendants have a strong compliance function, the overall marketing goal is to obtain, often with misleading tactics, consumer banking information that is utilized to market and obtain payment for memberships and services of questionable value or utility. The Temporary Receiver will continue to suspend operations pending instructions from the Court.

The document also details the company’s assets and liabilities, including an outstanding loan on an 80 foot Lazzarra yacht.

Alex Eckelberry
(Hat tip)

Vaporware Trojan: As an additional note

Yesterday, we blogged about a “vaporware trojan” which tells people they’re “infected”, collects money for a “solution” and doesn’t actually deliver anything (except a popup that tells the user they’re protected).

It should be noted that this trojan is using graphics from the legitimate folks over at VirusFighter — which in itself is disgraceful.  However, we certainly want to make sure people know that the folks at VirusFighter are NOT associated with this trojan.

Alex Eckelberry

We’re confused about Trusted Download

Ok, look at this list. It’s TRUSTe’s list of certified “Trusted Download” applications.

Putting aside how you might feel about some of these apps being listed as “Trusted Downloads”, here’s the Big Question of the Day:

Smart Shopper shows up on TRUSTe’s website here as being a Trusted Download.

But it’s not on the list above.

Must be a simple mistake, right?

Well…no.

Ben Edelman contacted TRUSTe, curious.

The answer he got back is, frankly, baffling:

SmartShopper is certified by our Trusted Download Program and Web Privacy Seal Program as indicated on the validation page. In certain very rare exception cases, TRUSTe may allow a company to not appear in our TDP whitelist even though they are certified by us.

Something smells rotten in Denmark.

Why wouldn’t SmartShopper want to appear on the list of Trusted Downloads? And how many other “very rare exceptions” are there?

This is a bit unnerving. It shows that in at least one instance, TRUSTe has chosen not to broadly publish the fact that an application has been certified as trusted. So, the list on their website is not complete.

A consumer “watchdog” organization like TRUSTe will only survive and gain respect if it consistently shows a policy of full and open disclosure and transparency.

Alex Eckelberry

Update 9/7: This response was received by Ben Edelman from TRUSTe:

“This is the only exception we have made. TRUSTe evaluated the request and approved the exception for the Beta period. SmartShopper is subject to the same disclosure and monitoring requirements as any other certified TDP application.

“During the Beta period, we are still evaluating what types of information will be listed on the TRUSTe whitelist and how we will present the information on our site. In preparation to roll out the full version of the program in 2008, we are seeking public comment during this beta phase and appreciate and welcome your input.”

Bizarre Vaporware Trojan

Sunbelt researchers have discovered a bizarre Trojan.

It tries to scare you into buying a security application to handle a non-existent “infection”. Ok, nothing odd there — that’s standard rogue antispyware behavior.

But what’s bizarre is that it collects your payment, and never actually gives you an application. Instead, you get a popup that says “you’re protected”.

We call it the vaporware Trojan. But today, we are rolling out detections for it as Trojan.VirusFighter.

(It’s worth noting that the credit card number and other data are transmitted in clear text to a server in Germany.)

And that’s it — only a popup that tells you you’re protected. Nothing more.

Alex Eckelberry

Update: We want to make sure everyone understands that this trojan is not associated with the legitimate folks over at VirusFighter.

Have we gone too far?

I’ve written about how our post-9/11 security policies have affected the travel industry. But is it affecting legal immigration?

Despite internment camps during World War II, decades of stereotyping and even lynchings, my grandfather’s generation never lost its belief that America was the greatest place on Earth.

Their zeal was inspired by Philip Mazzei, an olive grower from Tuscany who immigrated to 18th-century Virginia. Mazzei became friends with Thomas Jefferson and, as the story goes, helped the Founding Father construct the passage “all men are created equal.”

Today, as Davide Tidona tells it, that conviction in the Declaration of Independence vanished in the fear-mongering aftermath of Sept. 11.

“It just seems that America is now against everybody who isn’t already an American,” says Tidona, proprietor of the Ibl@Cafe in the village of Ragusa Ibla.

Link here.

Alex Eckelberry

Mea culpa

Yesterday, researchers at Sunbelt discovered a minor XSS issue in McAfee’s SiteAdvisor.  It lasted all of about 30 minutes and was rapidly and deftly handled by the SiteAdvisor team. In my eyes, the speed and responsiveness of the handling was a real credit to their organization and we were impressed.

We threw up a quick blog post on it and moved on.  The post was only intended in the spirit of a bit of fun — we knew the issue was extremely minor and that the SiteAdvisor team was already handling it. 

Regrettably, our little post apparently generated quite a bit of upset by some of our friends at McAfee — and for that, I apologize. We work closely with other security companies, including McAfee, on a broad range of security issues, and it’s not our intention to create rancor with other companies.  Rest assured that Sunbelt deals with any major security issues under industry standard responsible disclosure guidelines. So to our friends at McAfee — we apologize.   Drinks at VirusBulletin are on us (and I may really regret that offer…).

Alex Eckelberry

Sunbelt Weekly TechTips #60

What caused the WGA goof-up
Last week, computer users experienced problems in trying to validate and activate their Vista systems with the Microsoft Windows Genuine Advantage (WGA) system, a situation that lasted for about 20 hours. Now it appears the culprit has been found: preproduction code that was installed on production servers. It’s fixed now, but not before frustrating many users. Read more here.

How to find out what programs on your computer are connecting to the Internet
Wondering if there’s a spyware program on your computer that’s surreptitiously sending information over the Internet? Want to know which of your legit programs are “calling home?” There’s a command line utility that will help you find out, and it works in both XP and Vista.

  • Click Start.
  • In XP, click Run and type cmd in the Run box. In Vista, you need to open the command prompt with elevated privileges, so click All Programs, Accessories, then right click Command Prompt and select Run as Administrator.
  • At the command prompt, type netstat -nab

This displays a list of running programs, the protocol being used by each to connect to the Internet, and the IP address and port being used. You might be surprised to see, for instance, that PowerPoint is connected to the Internet – but it will be if you use the online Help function, search for clip art, etc.
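The raw netstat -nab listing gets long quickly, so here is an added example (not part of the original newsletter) that parses saved output and reports only the programs talking to addresses outside your own network. The sample output, the program names in it and the function names are constructed for illustration; the layout assumed is the Vista-style one without a PID column, though a trailing PID is tolerated.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -nab` output. The 203.0.113.0/24 and
# 198.51.100.0/24 addresses are documentation ranges, not real hosts.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED
 [helper.exe]
  TCP    192.168.1.10:49201     203.0.113.25:80        ESTABLISHED
 [POWERPNT.EXE]
  TCP    192.168.1.10:49202     192.168.1.1:445        ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.10:49207     198.51.100.7:8080      ESTABLISHED
 [updater.exe]
  TCP    192.168.1.10:49208     198.51.100.7:8081      ESTABLISHED
 [updater.exe]
  TCP    [::]:445               [::]:0                 LISTENING
 Can not obtain ownership information
  UDP    0.0.0.0:500            *:*
  IKEEXT
 [svchost.exe]
"""

# Ranges treated as "not the Internet": unspecified, loopback, private,
# link-local and multicast, for both IPv4 and IPv6.
INTERNAL_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Connection line: protocol, local endpoint, foreign endpoint, then an
# optional state (UDP has none) and an optional PID (shown on XP or with -o).
CONN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z][A-Z_0-9]*))?(?:\s+(\d+))?\s*$")
# Owner line added by -b: the executable name in square brackets.
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def split_endpoint(endpoint):
    """Split 'host:port', handling '[v6addr%zone]:port' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port


def is_external(host):
    """True if host is an IP address outside the internal ranges above."""
    try:
        addr = ip_address(host)
    except ValueError:          # '*' or anything that is not an address
        return False
    return not any(addr.version == n.version and addr in n
                   for n in INTERNAL_NETS)


def parse_netstat(text):
    """Return one dict per connection, with the owning executable attached."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": pid, "owner": None})
            continue
        # Anything else belongs to the most recent connection, if it
        # still lacks an owner; component names such as 'RpcSs' are skipped.
        if not conns or conns[-1]["owner"] is not None:
            continue
        o = OWNER_RE.match(line)
        if o:
            conns[-1]["owner"] = o.group(1).lower()
        elif "ownership information" in line:
            conns[-1]["owner"] = "(unknown)"
    return conns


def external_by_program(conns):
    """Map each program to the sorted external endpoints it is connected to."""
    report = defaultdict(set)
    for c in conns:
        host, port = split_endpoint(c["remote"])
        if is_external(host):
            report[c["owner"] or "(unknown)"].add(f"{host}:{port}")
    return {prog: sorted(eps) for prog, eps in report.items()}


if __name__ == "__main__":
    for prog, endpoints in sorted(external_by_program(parse_netstat(SAMPLE)).items()):
        print(prog, "->", ", ".join(endpoints))
```

To use it on your own machine, redirect the command's output to a file (netstat -nab > connections.txt) and pass the file's contents to parse_netstat instead of SAMPLE.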

Where, oh where are our Windows Home Servers?
Microsoft’s new Windows Home Server operating system was released to manufacturing way back in July, but we still haven’t seen any hit the retail shelves yet. What’s going on? Well, according to the official Home Server blog they’ve discovered ways to make it “even better,” and that accounts for the delays. WHS boxes are expected to be available in early September. Ummm, it’s early September now, guys.

Vista Service Pack 1 beta coming soon; expected to be a big one
SP1 for Vista is eagerly anticipated by many, including those users who have been waiting for it before they upgrade their operating systems. The service pack is in beta testing now and will go to 10-15,000 beta testers in September. One thing you can look forward to is a big file: about a gigabyte. Although that may not seem like much when today’s hard disks can easily hold 500 to 750 GB for a reasonable price, to put it in perspective consider that the entire Windows XP installation pack was less than 1 GB in size. Link here.

Chicago abandons plan for city-wide wi-fi
Just a few weeks after our editorial questioning the feasibility and appropriateness of spending taxpayer money to fund city-wide wireless networks, Chicago officials have announced that they’ve shelved their plans for 228 square mile wi-fi coverage due to the high cost. It appears they are, however, building a WiMax network there. Read more here.

New Yahoo Mail goes live at last
Yahoo has been beta testing its new mail software for almost two years, but it’s finally going live and several pundits, including Walter Mossberg (technology writer for the Wall Street Journal) say it outdoes its top two competitors, Hotmail and Gmail. It has built-in IM and even lets you send text messages to cell phones. It also offers unlimited free storage for email and attachments (Gmail limits you to 2.9 GB and Hotmail has just increased their limit to 5 GB). The new version of Yahoo Mail is rolling out in the next few weeks. If you use Safari or other incompatible browsers, you can continue to use the old (“Classic”) version.

Windows SideShow gives your laptop the “wow” factor
One of the coolest new features in Vista unfortunately isn’t supported by most of the hardware on which the OS is running today. That’s Windows SideShow, which allows a secondary display device on the outside of laptop computers to retrieve information from the computer and display it even if the computer is closed, asleep or turned off. For example, this small outer display could display email messages or web information through the use of gadgets, the same small applets that run in the Vista Sidebar.

Although laptops are the most common usage of the technology, it can also run on remote controls, keyboards, mobile phones and other hardware devices. Now if only we can get more hardware available that supports this. Meanwhile, you can read more about it here.

Cell Phone Security
My son recently lost his cell phone, and I had a few moments of sheer terror. I’ve read horror stories about lost or stolen phones resulting in five digit phone bills. I immediately called Verizon to have them suspend the account. We got lucky; it had dropped out of his backpack into the seat of a rental car and the car agency found my number in his speed dial settings and called the next day to tell me they’d found it. Verizon turned it back on (after I satisfactorily identified myself to them) and all was well again.

But many people who carry cell phones everywhere they go don’t realize the consequences if those phones fall into the wrong hands. This article recounts some real life experiences and offers tips on how to protect yourself.

What’s the best way to deploy redundant Internet connections?
QUESTION:
I have been thinking seriously for the last couple of months, after my service went down for a morning, about getting redundant connectivity in the form of DSL. I currently have the very high speed version of Time-Warner’s Roadrunner. For the price of [approximately] $30 to $40 month more I can get DSL. My questions are:

  1. What is the best way to do this?
  2. What experience have others had and are there any tips from those already doing it?
  3. How to configure if only using one router?
  4. What are some router recommendations to allow simultaneous access and usage of the Internet or to use whichever one is available at the time?

ANSWER: Having two Internet connections from different providers is the best protection against being left without a connection – and with the right equipment, you can aggregate the connections into one faster connection when both are working.

The key is a router with dual WAN (wide area networking) links. That means two (or more) WAN ports to which you can connect your cable and DSL modems. The SonicWall TZ 170 is one of the best, but it’s pricey and may have more features than you need (or want to pay for). It’s around $500. The Xincom Twin WAN Router is available for around $200 and provides load balancing and backup. You can get it from Amazon here. D-Link and Linksys also make dual WAN routers.

Memory leak causes XP to lock up
If you have a program using Windows Management Instrumentation (WMI) running on your XP computer, you might get lock ups (unresponsiveness) because of a memory leak that occurs when the RPC cache gets too big. There is a hotfix for the problem, but you’ll need to submit a request to Microsoft Online Customer Services to get it. To find out more, see KB article 890196.

Safely Remove Hardware doesn’t work in Vista
Sometimes when you click the Safely Remove Hardware icon in the Vista system tray (notification area), the device may not be removed properly because of a timing issue that prevents the system from being able to find the information it needs about the device. SP1 is expected to fix this, but if you’re being severely affected and don’t want to wait, you can get an individual hotfix by submitting a request to Microsoft Online Customer Services. See KB article 91619.

Deb Shinder

What’s in a (Domain) Name?

Seems as if everybody who’s anybody has his/her own domain these days. A recent Associated Press article reprinted in many newspapers and online venues recounts how the latest trend is for parents to reserve domain names for their babies soon after they’re born – or even before – to ensure that the name won’t be snatched up before the child is old enough to want it.

One report stated that Angelina Jolie had reserved several variations of domain names for her new daughter within hours of the birth.

That might seem a little extreme, but if you happen to become well known, owning the domain named after you can become important. Those of us with fairly distinctive names usually don’t have much trouble getting the domain we want (I didn’t have to compete with anyone else for www.debshinder.com), but what if your name is John Jones or Mary Smith? Things might get a tad more complicated.

For celebrities, the issue can be even more perplexing. In a number of cases, fans have registered the names of famous folks as domains before the owner of the name got around to it. Many of these are fan sites, but what if the person who snags your domain namesake doesn’t like you and uses the site to post derogatory information about you?

Then there are the “cybersquatters” who buy up domain names with no intention of actually putting up web sites, but with the hope that those who do want sites with those names will pay dearly for them. Some people have made substantial amounts of money reselling domain names in this manner. Opponents of the practice accuse them of holding the names hostage. The squatters argue that they are just legally buying something that’s up for sale and then legally selling what they own to someone else – the same thing any retailer does. It can be a lucrative business. Business.com sold for somewhere between $7 million and $8 million, depending on which report you read, and sex.com is reported to have gone for 11 million euros, which translates to almost 15 million U.S. dollars.

Popular names are sometimes put up for auction. Last January, names such as hillaryrodhamclinton.mobi and duncanhunterforpresident.us were announced as available for public auction.

Not surprisingly, there have been many lawsuits filed over the ownership of domain names, especially in cases where the name is a trademark, as in the case of most celebrities. The World Intellectual Property Organization (WIPO) runs a domain name dispute resolution service that deals with many of these cases. According to their web site, they’ve handled 1425 cases in 2007 through the end of August.

Their policy labels registration of a domain name as being “in bad faith” if it’s done primarily for the purpose of selling or renting it to the owner of a trademark or to a competitor of the owner, if you do it to disrupt the business of your competitor or if you use it to defraud web site visitors by making them think the site belongs to or is endorsed by the trademark owner.

How important is it to have your own domain, anyway? Your mom will probably be just as impressed by your web site at www.earthlink.com/bobsmith as she would be by www.bobsmith.com, but in certain fields – especially the tech biz and the entertainment industry, owning a “real” domain is expected. And with registration as low as $6.99/year, it’s within the financial reach of almost anyone (of course, in order to make use of your registered name, you might need to pay a web hosting company or have a business-class Internet connection that allows you to host your own web server, or you may get free web hosting with your consumer-level Internet connection).

What about you? Do you have your own domain? If not, what’s stopping you? Is your name already taken? Don’t want a web site? Have a web site but see no need for your own domain? Should people be allowed to register domain names that are the names of other people? Should famous people be able to “take back” their domain names without paying? Or should domain names be registered strictly on a first come, first served basis and resold at whatever the market will bear? Would you reserve a domain name for your child, or is that just silly? Do you have more respect for a business person, author, or entertainer who has his/her own domain or does it not matter at all?

Deb Shinder