Lazy Domain Squatters

January 30, 2017

As someone who owns a few domains, I periodically(at least once or twice a year) get emailed by a domain squatter that contacts me in an attempt to sell a domain that is similar sounding to one I already own.

For those that are not familiar, a domain squatter is someone that purchases a domain with the intention of selling it(or holding it and then selling it,) for profit as opposed to using it. For example, if the .com version of a domain is taken and the .net version becomes available, a squatter, likely through the use of automated services/programming, may scoop up the .net version when it expires and then attempt to sell it to the .com owner at much higher than the likely $10-60 it cost them to purchase it.

So, when I received an email with legal jargon offering to sell me the .com version of a domain I already own, I almost tossed it in the trash, as I typically do when receiving these sorts of emails. However, for some reason, I decided to check the whois registration anyway and was surprised to find that the domain had fully expired and was available for purchase at regular rates.

It turned out that this lazy domain squatter was trying to sell me a domain, at an exorbitant rate, that they didn’t even own. They were making the minimum investment, an email, in the hopes that it would pay out, without even owning the domain.

I suppose this could just mean their automated tool is broken, but I like to think it is a lazy squatter hoping to make a quick(and cheap) buck, with little to no monetary risk.

While I still recommend not responding to or legitimizing domain squatters and their quasi-extortionist tactics, as unless you are Google, Paypal, or Amazon, you really don’t need to own every iteration of your domain name, if you get an email from someone trying to sell you a domain that you want, it is worth at least checking the whois to see if it is available for purchase!

Advertisements

Merkur 34CFor the past month or so, I have been using a safety razor and wanted to share my experiences with them. The TLDR is that even though it takes a bit longer than my previous shaving method, I’ve grown to enjoy it and think I am sold on the double edged safety razor.

Trying out a safety razor has been something I have wanted to do for some time now. However, the initial cost of ownership and vast difference from my normal shaving method had always gotten in the way of me jumping in.

For the past ten or so years, I’ve been what you could call a lazy shaver. Rather than getting caught up in the newest Mach XXX $haver from Gillette(whom seems to always be adding one more blade,) I’ve been using 2-blade disposable razors for years. I’ve found that as long as I keep them dry, they last for a long time and when they only cost a few cents, it ends up being a really easy way to go. So, I’d shave in the shower without shaving cream, touch up in the mirror afterwards, and be done in a few minutes. Probably not the best way, nor did I always have an exceptionally clean shave, but it was really easy and in-expensive.

I’ve been reading about the safety razor for a couple years now, possibly just because like Arch Linux, it’s proponents are often quite outspoken, so it is something that has intrigued me for some time.

One of the main things that has been preventing me from jumping in was the initial cost of the shaving kit. By the time you buy a halfway decent razor(unless you get lucky at Goodwill or something,) shaving soap, optional stand, aftershave, and a brush, you are looking at around $40 – $60. For someone who is buying a new Mach-16 blade every week, $40-60 is incredibly cheap, but with the way I use disposable razors, that is at least 20 years of razors.

So, for me the biggest hurdle was a mental one overcoming my the frugal part of my brain. The common argument is that it is actually cheaper than using a regular razor, but this simply isn’t the case for me. Using a safety/double edge razor is actually more expensive and takes longer for me. I’m extremely glad I finally did take the plunge though, as I have grown to enjoy the ritual of the shave. It is sort of like how brewing coffee, reading the news in the morning, or disassembling old hard-drives can be…cathartic.

I’m sure my process needs some work, but I watched a few videos and am doing a three pass shave, following a hot shower. My kit could use a bit of work, as I just went with the standard Merkur 34C that everyone gets, after reading through a few guides/faqs over on /r/wicked_edge. Likely a razor upgrade will be due at some point, but for now this one seems to work well. For now, the short of it is that I enjoy the wet shave and can’t see myself going back to my old lazy-shower shave!

This morning, I was greeted with an announcement from the Adblock Chrome Extension stating that it had been sold to a new owner and that they were now participating in Adblock Plus’s Acceptable Ad Program.

In the message, there is a link to disable the program, although I have verified on a different machine that if you do not click that link, users will get automatically opted into the acceptable ad program with this update.

What Is Adblock’s Acceptable Ad Policy?

For those that are not familiar with it, Ad Block Plus started a program several years ago with a stated goal of promoting sites that have non-obtrusive ads by disabling Adblock on these sites. The program allows a website’s advertisements to bypass Adblock’s filters, provided it has been deemed that the ads they show are not terribly intrusive.

In some cases, although likely not all, companies are paying to be put on this list and there are some big names that are paying to bypass the filters, like Google and Microsoft.

Since money is changing hands and the list has grown from a relatively short one to one that is now over 7,000 lines long, it has drawn a lot of criticism and concern over the years. Some feel that it is contrary to the spirit of the plugin and are concerned with the implications of third-party tracking/ad networks. However, some laud it as a necessary way of encouraging ‘good’ sites and rewarding content producers.

Recently, Ad Block Plus announced that an independent board would now review the sites to provide some transparency and likely alleviate some of the criticism that this program is just a money grab that extorts users/site owners.

Plugin Sold, Updated, and Users Opted In

In the announcement from the developer of the Chrome Adblock Plugin(different from Adblock Plus) it was stated that in part due to the change to an independent review board, he was fully on-board with The Acceptable Ad Policy and was selling the plugin.

The update opts-in existing users to the program, which bypasses filters of the plugin.

The vagueness of the message, along with the opting in of this setting and no mention of who the buyer is is concerning and does not instill trust that this is a good faith transition.

He States:

Now, Adblock Plus will be transferring custodianship of Acceptable Ads to an impartial group of experts. I love this idea — in fact, it was my wife Katie‚Äôs suggestion! Due to this change, I’m happy for AdBlock to join the program. As a result, I am selling my company, and the buyer is turning on Acceptable Ads.

No one can say what they would do when offered the right amount of money for their project.

The message shown after you install his plugin has been a donation request for years, which has a picture of him and his wife and states that he(they?) quit their job to work on the plugin. As far as I know that was the only monetization and donations can be fickle, so if that really is his only job he may feel it isn’t worth his time or effort, he could be burnt out, or perhaps he just wants to move on to something else. This is, of course, conjecture, but the point is, I can see many reasons why an attractive offer would be jumped upon and can not say what I would do if I were in his shoes.

It is not clear who the new owner is yet, although it has been announced that Adblock Plus’s parent company is paying ad-blocking plugins to take part in this program, so this appears to be a way of monetizing the popular chrome plugin. For instance, Crystal(one of the first ad-blockers for IOS9) is now accepting payments to default opt-in their users to the acceptable ad program.

The Fragility of Trusting Plugins

This highlights the fragility of trusting plugins and in a big way.

It only takes a bit of money to purchase an incredibly large user-base, per their plugin page ‘over 40 million users,’ and make a significant change that is likely contrary to the reasons the end-user installed the plugin, while almost certainly offering a monetary benefit to the new owners…it wouldn’t of been bought unless someone had plans of how to monetize it.

This is something that has played out before and is often worse, as there are documented instances of malware or adware vendors buying a popular plugin and subverting it.

It is a difficult issue to address…how do you ensure that a plugin you trust isn’t going to be sell out to someone who will turn the plugin sides., Both Chrome and Firefox do take some action to keep this from occurring, but it is often caught after the fact and after damage has been done.

Thoughts on Acceptable Ads

As a content creator and someone who makes money off advertisements(there may even be some on this page that WordPress.com is making money off of,) I fully understand and support the end user blocking ads. In fact I encourage it and install ad blockers when fixing people’s computers to help protect them. Third-party ads can be dangerous and are a leading cause of malware infections.

Even without clicking on the ad, the network is still accumulating a ton of data that they can use/sell about your browsing habits. Networks that are very well moderated, like Googles, can show bad ads or link to sites that are dangerous. Until relatively recently, doing a search for popular open source software like VLC Media Player or Firefox would yield results on Google and Bing for third-party bundles that were not safe to install. Smaller networks are even worse and often show dangerous ads that install PC Optimizers and Tune Up Programs that hijack computers…or adware browser bars that track and inject ads while browsing.

So, I feel that browsing is much safer place without ads and getting your site whitelisted because you paid an adblocking company some money is not a good alternative.

Not to mention, there is a huge performance boost when you aren’t loading 20 random trackers and ad networks.

What About Content Creators

Whenever this is brought up, the argument is inevitably that sites/content creators are not being paid for their work. By using an advertisement blocker you are stealing from them and depriving them of a way to monetize their work. Instead, you should just not visit their site if you don’t want to be tracked/advertised to.

And this isn’t exactly wrong. It isn’t free to host a website and putting your site behind a paywall probably doesn’t work out well for people. I haven’t researched the numbers, but I would be pleasantly surprised if the New York Times or Washington post paywall is(was?) a big money maker for them. I would imagine most people just bypass it or ignore links to their site.

Some have suggested an easy way of making micro payments for accessing sites or simply ads that are targeted to the site content(rather than re-marketing) and self hosted might be a good alternative. I think it is inevitable that ad-networks will eventually evolve to bypass third-party network blocking. They are typically a leader in this sort of development.

So, this is a tricky problem and I can certainly see both sides to the issue. However, opening yourself to tracking/malware, aggressive marketing, and obtrusive adverts really shouldn’t be the solution.

While visiting Google Maps I saw what is(at least to me) a new noscript warning. A screenshot of it is below, the message is:

When you have eliminated the JavaScript, whatever remains must be an empty page.

I got a kick out of somewhat proverbial warning. Sure beats the common “we have detected that javascript is disabled in your browser” warning that is so often used. They even came up with a graphic for it, which thanks to a commenter below, is because this is apparently play on a Sherlock Holmes quote.

Can’t argue with them about it either on Maps…you need Javascript for that. Now if it were Google groups… ;)

Google Maps no Script

google switch search engine

While doing a Google search this morning, I noticed an interesting message from Google above the search results. It said, ‘Switch your default search engine to Google.’

Clicking the Learn how button takes you to a page with steps and screenshots showing how to change your default search engine in Firefox.

This is in response to a recent deal between Firefox and Yahoo, where Yahoo replaced Google as Firefox’s default search engine. According to reports the change has provided a small boost to Yahoo’s already rather small percent of the search market, with Google also loosing 1 percent during the same time.

Whether this is due to actual concerns over loosing customers or just not letting their competition have anything easy is anyone’s guess. However, this is not the only time Google has used it’s market position to attack their competition. For years, Google has been pushing Google Chrome on Firefox and Internet Explorer users.

google switch search engine

Update 03/20/2015: The following adblock element hiding rule seems to work to get rid of it: google.com##DIV#taw

please_upgrade_your_please_upgrade_pageIf you have visited windows.microsoft.com lately using Internet Explorer 7, you would probably see the “It’s time to upgrade your browser” nag, which explains that IE7 and IE6 no longer supported and blocks you from browsing their site until you upgrade.

This is a great step, as even with XP support going away, Vista shipped with Internet Explorer 7, so it will not be dead for some time. When they first started doing this on the Windows site, I thought it was cool that they were finally doing something to clean up the mess they created with their fragmented browser ecosystem.

However, Internet Explorer 8 is still a pretty bad browser…certainly better than IE7, but that isn’t saying much.

If you are going to break your website to force an upgrade, it would be great to use that as a platform to get them into the latest version of Internet Explorer that you can. So, if they are on Vista, go ahead and tell them to upgrade to IE9. Better yet, go ahead and add an optional tool they can use to verify automatic updates is on and set to update automatically, as if they are running IE7, they may not be getting security updates either. And, if they are on IE8, go ahead and add a nag for that too! Although, I think that one may be trickier, as in a in corporate environments, upgrading past Internet Explorer 8 may not be possible. So, rather then fully breaking the site, probably a nice warning would suffice. Be a nice kick in the butt for companies that haven’t upgraded yet as well.

This seems like the right thing to do, especially as dropping support for IE8 has already begun on a number of popular websites. Even Microsoft’s Office 365 has recently announced they are no longer supporting IE8.

php_may_harm_your_computerSome time yesterday, Google’s Safe Browsing service detected malware on PHP’s main site, php.net. As a result, if you visit it right now in a browser that uses Google’s Safe Browsing list, like Chrome or Firefox, you will get a warning message and when viewing it in Google serps, you will see the ‘This site may harm your computer’ warning.

I use php a great deal and think that a lot of the dislike/feelings people have against the language are misplaced, but I do see the humor in the warning message showing up when you search for ‘php.’

Were PHP’s Server’s Compromised?

Ramsus, as well as a few others involved with PHP, have stated on Twitter and in a Google Groups thread that the file in question, ‘userprefs.js,’ was not compromised. In a Tweet from this morning, rasmus said ‘They[Google] point to a js code injection which was deliberate’

However, in the same Google Groups thread, someone from Google indicated the userprefs.js file had changed and on YCombinator, someone found a version of the file in their cache which had what appeared to be an obfuscated javascript payload in it. The same google employee also later posted on the YCombinator thread, stating quite clearly that it was not a false positive and that the obfuscated version was similar to what they found.

I checked a number of PHP mirrors and while I did find two different versions of userprefs.js, neither were the obfuscated version.

Will update this post with some more later, as it becomes available.

Update 2013-10-24 13:00: As of now, the warning message is no longer appearing when doing a google search and visiting the site doesn’t result in an warning, so it appears that the Php.net has been removed from the safe browsing list. Haven’t seen an update from Ramsus or others with any more details yet.

Update 2013-10-24 17:00: An update has been posted to PHP’s News Section and confirm that they were compromised. They state that an rsync job was reverting changes being made to userprefs.js, presumably because the local server was compromised. An initial code review has been preformed and they don’t think the PHP source was compromised, but are working on a more thorough review and post mortem.

Update 2013-10-26: Another update has been posted to PHP’s main website. They state that two servers were compromised, likely between 10/22/2013 and 10/24/2013. During this time, they served up javascript malware. The servers were responsible for hosting php.net, static.php.net, git.php.net, and bugs.php.net, but they do not think the php source or any of the downloads were compromised. They have reset their SSL certificate, as well as migrated to new servers, and are looking into the cause of the issue.