If you read through the comments there's a lot of angry users demanding refunds and questioning the service. There's a fair chance that they won't be able to bounce back after this. Especially if the domain doesn't come back up within a day or two.
In other words, this might very well kill a company that someone worked hard to get off the ground. And if you have any usergenerated content it might happen to your company too. Apparently without due process, and without warning.
This is why the Pro IP Act from 2008 needs to be repealed as soon as possible. It's worse than SOPA for Americans because it can pretty much do all SOPA could do, but for domestic domains (.com, .org, .net, .us) rather than foreign ones. The Pro IP Act managed to pass by us just like SOPA almost did it, too.
Those comments really got to me too. What really struck me was that they seemed to be angry at Jorform! These angry users are talking about security too as if they were attacked or something. I really feel for the users but at the same time I'm angry at them for placing the blame where it doesn't belong. Instead of being mad at Jotform they should be mad at the government.
A while back I was advocating that we reach out to such people and explain this SOPA censorship stuff in a way they understand and this is precisely why. SOPA's supporters have done a really great job of training regular folks to think like some of these angry users making them think that somehow it was Jotform that did wrong. If they only knew how totally arbitrary this stuff is I think they'd be mad at the Feds like they should be.
It's so sickening that the government probably just hurt not one but maybe thousands of companies in one fell swoop and everyone's pissed at the wrong guy. Then the politicians want to go around talking about creating jobs... Ha! How about destroying them? That's what it looks like to me.
Why shouldn't they be angry at jotform? It looks like they had no expedited process for reporting phishing forms which had to have been a known risk somewhere around #1 on their list of known risks, they actually made it easier to go upstream instead of searching for their contact page (only linked in the footer) and hoping someone replies today.
Did they have any automated detection? If they didn't have a "report a bad form" button then maybe they didn't even try and find bad forms ... like anything with a sign in button or password field. 2 million forms is too many to inspect, but you could narrow that list down very easily.
What happened to them sucks but it seems like the problem could probably have been avoided.
Edit: it let me make a form with "Account number" and "Password" complete with emailing me what people put in it which is suggestive of no preventative measures at all.
Edit: it let me make a form with "Account number" and "Password" complete with emailing me what people put in it which is suggestive of no preventative measures at all.
See this comment by the founder of Jotform: http://news.ycombinator.com/item?id=3597821 (Relevant quote: "Our Bayesian phishing filter has suspended 65.000 accounts last year.")
Then how do you rectify the statement you made that their customers should be angry with them, and that they shouldn't be destroyed? I really want to hear this.
GoDaddy's actions don't cancel it out because ignoring or not adequately preparing for phishing was wrong every single day and a foreseeable problem for about a decade now. They had a responsibility to prevent this for their paying users.
Maybe it wouldn't have saved them, but there are a lot of free-x-hosting companies out there that haven't been shut down in spite of abuse.
This isn't really some unforeseeable edge case that nobody could have reasonably expected to happen - their site lets you build a form, embed it on a page, and they either email or save the form data for you. Not anticipating phishing would be fine if it was 10 years ago.
benologist please stop trying to make it sound as if there is any dependency between your 1 and 2.
How can anyone who has ever used the Internet or has even a basic understanding of the Domain Name System believe that it is a registrar's right or responsibility to take down a domain, especially without notice, and that does nothing to contravene the conditions of owning that domain name?
I wouldn't even say you are beating a dead horse with that dependency. It was never a horse to begin with!
The blame obviously lies squarely with the US federal agencies - you do not see this happen in other developed countries, for example (UK does not count since its a US colony in all but name).
In particular, to be able to shutdown or ruin the reputation of a business at the drop of a hat due to alleged breaking of the law - not even by the business itself - before it has even been processed by the justice system!
Just imagine if this had been a takedown of Google, Microsoft, Apple or Facebook site, all of which easily meet or have met the conditions for alleged infringements of US IP or other laws at some point, if for no other reason than hosting user-generated content...
You misread what I'm saying. Jotform users deserve to be angry about this situation which in the last decade has been successfully avoided by many free-x-hosting companies who actually prepared for obvious problems.
benologist please stop trying to make it sound as if there is any dependency between your 1 and 2.
He didn't. In fact, his point was that there is not a dependency between the points - which is what it means that even if 1 is worse than 2, 2 is still a serious problem.
Do you think this would have been averted if they took all the measures you are proposing ? There are no set guide lines here according to which the government is taking down stuff.. This is not DMCA related to create an process to take down stuff.. Even if they could not find the contact page, taking the whole website seems to be ridiculous thing to do.
I think things like this will make websites with user generated content to move away from .com domains and even move into countries where there is more due process to things like this.
I think there's a decade of history that shows it could probably have been avoided - they're not the first free-x-hosting company to ever be abused for phishing.
The same risk existed last year alongside the many exploitable-by-phishing flavors of hosting. Although this wasn't even a domain seizure, this is just an overzealous domain registar which has also, always, been a risk to web services.
JotForm should have bailed from GoDaddy when most other people did. Instead, they were apathetic and took a chance with their business and all of their clients as well.
I'd like to think that this is still a free country, and that there are some companies that still act as though we live under the rule of law, rather than automatically complying with every whimsical demand our government agencies dream up.
Even if its not. Bail from Godaddy.com. Seriously. Granted the same problem may persist given that .coms have a US based organization that governs them (I think). Nonetheless, this is the exact same godaddy.com that supported SOPA. There have been so many forks in the road where the obvious choice was to bail on GoDaddy.com. Yet, they stayed and here they are.
That's not a very solid argument. GoDaddy sucking is besides the point here. I doubt many if any registrars would refuse the government like that. But even that's beside the point.
What the real issue here is, is that law enforcement pretty much busted in and took down a domain name without warning. They shot first and asked questions later. Jotform is a legit site, not even close to dubious like some others where you can actually argue that they might have been knowingly violating copyright and such. This is scary stuff. There was no due process, no warning, nothing. They just did it. It's proof that any more laws giving the Feds power to take down sites is totally superfluous and unnecessary as its already happening in a very public way.
You don't get mad at the company for not switching registrars (even if they are a douchey one). Jotform could have been able to take care of this situation had someone just alerted them to the problem. No way is this their fault, especially not for the reason you put forth.
https://github.com/astronoob/NoDaddy
Here is a chrome extension that notifies you if the domain you're on is registered through GoDaddy. Looks like it does an XHR request to who.is and then matches on:
new RegExp("/(registrar\.godaddy\.com|whois\.godaddy.com)/")
This is a GoDaddy thing, plain and simple. They get one complaint--they shut your domain name down by changing the name servers to NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM and NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM. Exactly what happened here.
This has been going on for at least SIX years now; see http://seclists.org/nmap-hackers/2007/0 (and I saw a hosting company shut down for similar reasons a year before that.)
Wasn't their support of SOPA enough? When are we all going to wake up? How many times does this have to happen?! STOP. USING. GODADDY.
Seriously. I was prepared to be sympathetic until I saw GoDaddy's involvement. Jotform chose to use a despicable company with a long history of behaving in this way. They shouldn't be surprised when they're the next to get screwed.
They're trying to get sympathy from the internet by framing this as an example of SOPA-like abuse after they financially supported a company which supported SOPA. That shouldn't fly.
Heh, that was exactly my reaction. I was literally reading the statement out loud to a friend of mine as we talked about it and stopped midsentence and said "ha! godaddy. No wonder."
But that wasn't because Godaddy supported SOPA, although that does make me feel shadenfreude, it's because I used to work in the domaining industry. I honestly thought that even average web site operators with limited knowledge about registrars would know not to have your business domain on Godaddy. Even accounting for their scale there are a lot of shady episodes like this.
The SOPA part is just icing on the cake they were eating instead of doing their due diligence.
If it's anything like the others I've seen, GoDaddy will charge an "administrative fee" of hundreds of dollars to get the domain name turned back on, let alone unlocked and able to be transferred out.
I have been telling people this for YEARS. Yet everyone always thinks "It won't happen to me." Until it does.
Indeed, but there are zillions of good alternatives to GoDaddy (shouldn't the name be a clue???), many, sometimes no alternatives to PayPal.
(Wasn't I just reading something recently about a payments system startup that isn't likely to extend itself to Australia due to their laws and regulations?)
If you look at the spam-and-abuse.com domain, all the records pointed to it are GoDaddty domains, the IP addresses it uses are GoDaddy's, and the domain itself is registered to GoDaddy:
GoDaddy may not have fought very hard for Jotform, but I'm pretty sure any US registrar would be hard pressed to the US Government saying "Turn off this website or else."
If there's an actual law and due process, ok. If people are just supposed to automatically comply because somebody in a government agency says so...well, I hope we haven't sunk that far.
The USA judicial system might think you are under their juristiction, but your local juristicion might disagree.
I can't wait till they cross the line, and block some .com, then a group in that (non-US) country gets local injunctions forcing it to resolve. It could split DNS or wrestle it out of US control.
That's assuming your local jurisdiction has a spine. I have multiple .com and .net domains all done through Canadian registars, for the sole purpose of not wanting to deal with the BS that is going on down south. If what I'm reading is true, they can be pulled offline whenever someone gives the word go and they're gone. I have no faith that the local courts will do anything of use, especially with the current government that we have. I'd be hard pressed to think of any western nation that would.
Not saying this is what we would do (as a registrar) but an order from the government generally has a time stamp on it where you can verify the "order" and then comply. While I can't get into the time period allowed or any details like that I can say that it would be possible to alert the registrant and/or stall the request if one so chooses to do that. I'm not saying we would do this of course. I'm just saying that getting an order from the US Government, unless it appears on it's face to be a true emergency situation, a registrar could always take the time to check with legal counsel.
And if it were a true emergency the Government would go straight to Verisign (for .com/net) and not even bother with the registrar.
Fair enough, although that wasn't posted at the time I made that comment (which is why I asked).
Although to be fair, the SS just made a request, and GoDaddy had no responsibility to comply, they did so on their own accord without any type of process.
In my book, it's GoDaddy's responsibility to do the right thing, not the SS' responsibility to not complain. If they would have been with a reasonable registrar, this would not have happened.
This is exactly what I thought. I think SS just emailed GoDaddy and GoDaddy just shut down everything.
Everyone is moving to different registrars, mainly NameCheap, I just hope they will be able to stand up for their users and ask for a court order. If other registrars start to shut down at the whim of the US Government, then we might have to move to registrars overseas. Unfortunately, that doesn't even seem safe to me, since there has been news of US pressuring other governments to put out SOPA-like laws. There is also the case of the British kid who was extradited to US.
I somehow have the feeling that moving out of GoDaddy won't protect you from any of this. Potentially the US "authorities" can take down your dot com domain (operated by Verisign), your hosting if in US, or maybe even prevent DNS resolutions to your domain inside the US (they can ask large ISPs to update their DNS servers). What you are left with is using a non dot com, non US hosting, and avoid having too much business from US customers. Then you might run into the same in Europe, etc. That does not sound like a good long term strategy.
Founder of JotForm here. I’d like to thank you all for your sympathy.
JotForm.com has been suspended by Godaddy for more than 24 hours now. They have disabled the DNS without any prior notice or request. They have told us the domain name was suspended as part of an ongoing law enforcement investigation. In order to resolve the issue, they asked us to contact the officer in charge at U. S. Secret Service.
When I contacted the Secret Service, the agent told me she is busy and she asked for my phone number, and told me they will get back to me within this week. I told them we are a web service with hundreds of thousands of users, so this is a matter of urgency, and we are ready to cooperate fully. I was ready to shutdown any form they request and provide any information we have about the user. Unfortunately, she told me she needs to look at the case which she can do in a few days. I called her many times again to check about the case, but she seems to be getting irritated with me. At this point, we are waiting for them to look into our case.
Our guess is that this is probably about a phishing form. We take phishing very seriously. Our Bayesian phishing filter has suspended 65.000 accounts last year. We have been training it for many years, so it can detect phishing forms with great accuracy. We also take any reports about phishing very seriously and quickly suspend the accounts and let the other party know about it. By the way, we are also very serious about false positives. If we suspend an account accidentally, we will quickly resolve the issue, and apologize.
I believe this can happen to anybody who allows users to create content on the web. So, if you have such business, my recommendation would be to make sure that you can contact your most active users quickly if your domain is disabled. Many of our users are shocked and angry at us. But, many also thanked us for quickly letting them know about the issue by email and providing instructions to continue operating their forms. Since DNS propagation takes some time, many active users were able to switch their forms to the new domain before it went down. We still have not contacted all users, we are sending emails most active users first.
Whats happening to you is an absurd abuse of power. Call the EFF, get a good lawyer, and get in front of a judge as soon as possible. Call your senator, your representative, and the local media. Don't annoy the secret service agent who is destroying your business because it likely won't help.
Yeah, you need an experienced lawyer and you need to go after GoDaddy immediately. They are at fault here. The terms of any user agreement may be invalid.
Next, you need to spend 100% of your time raising hell about this. This story has all of the marks of stuff the tech press loves to eat up.
#1 Godaddy is run by a bunch of assholes who walk all over their customers rights.
#2 The secret service is still full of a bunch of buffoons. These are the same guys that raided a roleplaying game company because they couldn't tell the difference between an imaginary game and a hacker manual. I'm sure the press would like to answer the question, are they still hiring FBI rejects?
You have to turn this story the other way around. You can make jotform a name people remember.
I've used jotform myself for quite some time (2 years or close to it?) It is a great service. Obviously you were doing nothing illegal, and were going to great lengths to stop the bad guys. Thats a news story everyone wants to hear.
What if you give us the phone number of the agent in question?
Personally I think you made a horribly stupid decision to use GoDaddy, but it is what it is. Sounds like you need to launch a PR campaign about this.
Tell your customers to call the agent in charge. Tell your users to call GoDaddy to complain.
Put up a web page with a running ticker of how many people are getting their service interrupted because of this. Tell the world who is sitting on their hands while your business collapses. Call news stations. Put up a youtube video. Shine a light on this, don't just sit there hoping for an agent to give a crap.
Make this shit a bigger deal that the government and GoDaddy have made it. GoDaddy doesn't give a shit about your domain or your business. Make them give a shit. The agent in question couldn't care less about your troubles, their full time work is about making someone (hopefully the right person) miserable. You are just one more such person in the big stack. Make that agent give a shit.
Thank you for the details. Is your .net domain safer than the .com? and if yes, why? Also, do you think the domain suspension could have been avoided if you had used another registrar?
I don't know much about your defences, but a good way of making your site less attractive to phishers might be to put an artificial delay inbetween when a form is submitted and when the owner can get access to the submitted data.
If that delay is longer than it usually takes for an abuse report to come in, and for it to be acted on, then it would prevent phishers from getting any data before the page is taken down. Maybe just do this for free users?
Although this might prevent (a bit) that the phishers get the actual data and hence protect the victims, I am pretty sure that it won't cause any drop in phishing attempts. However for the legitimate users it will probably have a huge negative impact.
It's comparable to trying to stop spam in forums/blogs by disabling url's in posts. Usually you'll get the same number of spam posts, but the url's will be plain text.
It might actually be a good thing commercially. It gives them something to upsell. If you have a paid account, you get instant access to your form data. Free accounts have to wait.
Uh... I feel sorry for you guys getting abused like this, but.... Godaddy? You had know you were putting your business at risk using this company. Did you save enough money to make it worth going out of business?
This is complete bullcrap! From everything I've read, Jotform polices itself and actively tries to remove illegal material. This is EXACTLY what Google does. However, you don't see Big Brother going after Google just because they did a search on child porn and some hits came up.
We are taught not to bully but this is exactly what the U.S. Gov't is doing. Mixed messages?
1. Identify all applications with user-generated content.
2. Move all associated domains to a non-US based registrar.
3. Migrate DNS, web serving and other critical services to non-US based servers.
4. Migrate yourself to a non-US controlled country.
I'm sorry for US sites and users. Your government is hell-bent on turning the internet into a read-only device like TV, easily regulated and controlled. The population will be required to sit quietly and keep their eyes glued on the screen so they don't miss the ads, with any infringers deemed terrorists and pedophiles and thus deserving of summary punishment by DHS squads.
Hopefully the internet will route around the damaged segment, and the rest of us can continue to enjoy the amazing interactivity it has brought our society.
It doesn't stop there. USA has been known to curb Internet Freedom by threatening foreign governments in private despite their hypocritical attitude of condemning censorship regimes.
You can see the list of governments whose policies is controlled by USA with the signatories of ACTA.
As someone who has been in the Internet business from the beginning with a number of startups under my belt and who "migrated myself to a non-US controlled country" (East and SE Asia) 25 years ago I would offer my the following formula for happiness:
1. Set up your company outside of the US.
2. Don't keep a bank account in the same country that your company is in.
3. Don't have customers in the same country that your country is in or where your bank account is.
4. Don't live in the country where your company, bank account or customers are.
5. Don't live in the same time zone as your in-laws.
I live in Thailand (for 13 years now) and have a company in Singapore. We are opening companies in Laos this year then Cambodia and then Burma over the next two years. My Bank Accounts are in Hong Kong. I try to find customers in any country other than those listed above, and the States.
Bandwidth is better out here than in most places in the States. And hardware is cheaper because you're buying closer to the source. And as long as you aren't living in Singapore, Hong Kong or Toyko, the cost of living is far cheaper than in the States.
This is not as difficult as it might seem. It's great living out here, and I would encourage everyone to do the same.
BTW our latest startup is an infrastructure for the semantic Web and about as cutting edge as you could hope for, so don't whine about how you can only do your startup in Silicon Valley. The future is here, not in the States.
"hell-bent on turning the internet into a read-only device like TV"
At the behest of mostly the music and movie industries - who are so dead set on their antiquated business model, who see the free and open internet as a big big threat on all fronts. On one side you have this so called "rampant piracy problem" (lol) but on the other side you have the internet as a medium for artist to create, distribute, advertize, and sell their work without any need for the big players in the industry. This is what scares them most.. How dare this free and open thing put a chink into our profits, and forcing us to come up with a different way of thinking about the future. But instead their plan is
to assault it, with the help of our bought lawmakers, and bring it under their control.
I like to bash GoDaddy as much as anyone else, but it's not only their fault if they obeyed a law enforcement agency that issued an ilegal order. I'd like to see government officials being punished for that kind of authoritarian atitude more frequently (we have plenty of that here in Brazil too).
A tax audit is crippling enough for business. Registrars like GoDaddy are exposed to a huge vulnerability in the form they don't know exactly with whom they do business. All you need is a credit card.
A well response but possibly a useless one. I could not put this in words like you did but I believe, this process we are going through is not only US related.
It is by no means limited to the US, but various sources (such as wikileaks cables) make it clear that it is mostly the US government pushing for such draconian measures worldwide. So moving your business away from there to make it clear that you don't agree is a good thing.
You might find step 4. a bit difficult, finding a "non-US controlled country" isn't easy these days, and I'm not sure I'd like to live there.
Much as I like my country (Uruguay), I know we'd cave in faster than New Zealand did with Kim Dotcom.
China might not be US-controlled, but they have their own issues. And a smaller country means it's probably going to be bullied by the US. Maybe Switzerland? (that does sound like a nice place to live :) ).
How about Iceland? At least this web hosting company http://www.orangewebsite.com/ is touting "better level of privacy and lower censorship" as a selling point. (Although, I note it itself is using .com) Anyway, I think it won't be long until some countries or territories will wisen-up to create internet freedom friendly jurisdictions as a competitive advantage to lure tech capital and talent away from the increasingly hostile US with its IP and military industrial complex weapons of wealth destruction.
What about the good old Swiss? Probably one of the strongest tech industries on the planet and (apart from banks doing biz in the good ol' US of A) rather uninterested in listening to other govt's.
Bankers have more power and influence in Switzerland than in the US. UBS handed Phil Gramm a vice chair position. They've bought into Casino Capitalism hook, line, and sinker.
I am of two minds about these draconian attempts to maintain IP laws. Although, I abhor the corporatist position that they need harsher more invasive tools to maintain their IP claims against piracy, the creation of such laws and enforcement tools will push the wider public to understand and perhaps embrace tools that make them free. Free software and practices that enforce one's own privacy and free will might only became widespread when the average citizen understands in a personal way the need for a free and open set of tools for living in an information based culture.
On the other hand, it is only rational to look at the history of oppression and see the harm this pattern of legislation can foster. We should, as educated free individuals collectively speak out and act out against legislation which furthers the trading of freedoms for corporate or personal profit.
"Internet Privacy" is an oxymoron.
Safety and freedom are incompatable; you can have one or the other but not both. America says "Safety first"; humanity says "No thanks!".
Maybe what we need is an intercontinental virtual RAID array so that no one country can shut it down?
(Disclaimer: I use Linux, I live in Thailand.)
If Al-Qaeda really wants to piss off the USA they should just open a censorship free anti-takedown compliant web hosting company. They could run it as a non-profit putting most of the profits back into expanding their business and attracting more clients. LOL
People can do that now. Check out "TOR hidden services". Doesn't cost you anything if you already have an internet connect and a machine to run the software.
The European gambling sites are normally in the Isle of Man, Gibraltar or Malta. Many Caribbean countries have online gambling companies. Belize is another for the more shadier operators.
good luck. if any of your users then criticises the kremlin you might be involved in a tragic accident, like countless other people advocating free speech in .ru
Well put. Like some said its not only in the US. Count Europe in also. Perhaps even or more badly. I'm chocking in Europe. Must get rid of their power. The Central Banks
A large (10m uniques/mo) web site I used to work for had a complete DMCA takedown process in place. Links on every page, web forms, contact emails, physical addresses, etc. Then our site went dark one evening. I spent an hour frantically trying to figure out where our main web servers had gone, only to discover that a "online anti-terrorism team" had taken issue with some user-submitted content that didn't seem very friendly towards Americans. They contacted Softlayer, our hosting provider, and said that anti-American content was in violation of some commerce law--don't recall the exact details. It wasn't what I would describe as a "credible legal threat"--they left no name, no physical address, their web site looked like a vigilante operation. Softlayer, in turn, sent us a "generic you have a support ticket" email and b.) 72 hours later, unplugged the web server NICs. We suffered hours of downtime without any idea what was happening.
We juggled dozens of Softlayer tickets at the time, so another anonymous tracking number just got lost in the shuffe. Never underestimate the power of unaccredited strangers to fuck you through your hosting provider.
Hosting provider sysadmin here. We're required to do exactly what soft layer did here, and 72 hours is pretty generous. We typically call the client if they don't respond to the DMCA takedown notice within 24 hours an give them another 24 to take down whatever content they're being DMCA'd for. It's shit and I hate it, but if they don't respond, we do the very minimum damage possible to make the content unavailable, as required of us by DMCA safe harbor provisions.
If it is a managed service, we'll just chmod the image to 000 or whatever does the least damage to their site. Unfortunately, if we don't have the login to the server (unmanaged) or if it's a colo, we just have to disable that IP on the switch or router (or null-route their IP for a bit) until they contact us and can take their "illegal" content down.
My point: hate DMCA, not SoftLayer, for this. They (assuming unmanaged service) just did what they were legally
required to do.
[edit] It's good that you call the clients. Nothing drives me nuts more than trying to sift through a painful ticket system where everything is tracked only by reference number.
What pisses me off was that this wasn't even a DMCA request--SL had no legal responsibility to take action. It was just some random internet vigilantes making an unsubstantiated threat.
Come to think of it, SL may have taken us down for DMCA as well. We had an obvious path for handling abuse that both the accusers and SL could have used. After some negotiation I think we were able to convince them to just forward abuse emails to our address--but it took some doing.
Ahh, Gotcha. When that ("frivolous legal threats")happen to us, we just don't even reply to the person reporting it in most cases. If they're persistent, we say in so many words "get a court order, then we'll talk".
We've had India law firms call us screaming at 6PM on a friday, and we told them:
- we require that they submit all abuse matters to our abuse@ e-mail address per RFC 2142 (kinda, but this sounds official when you say it to some law intern chump)
- they can scream all they want; we're not taking it down unless they submit a "valid legal order" to us (I don't even mention DMCA because I don't want to give them ideas)
- we're not responsible for the content of our clients, so they need to take it up with them
>"We had an obvious path for handling abuse that both the accusers and SL could have used."
They (accusers) don't, and they do this on purpose. They don't really want the content just gone, they want collateral damage as revenge for your "violation".
>"After some negotiation I think we were able to convince them to just forward abuse emails to our address--but it took some doing."
Sorry that that even required negotiation. We forward all abuse e-mail besides spam complaints for managed services. With anything like this, we try our best to do as little damage as possible to our clients.
No, everyone involved is to blame, just nobody has the fortitude to do do anything about it as long as they are getting paid. If a hitman is paid to kill you, is he not guilty? The problem is everyone is okay with everything, as long as the gun isn't pointed to their heads. This is wrong. People need to realize this and start protesting for the laws to change. Everyone needs to wake up and start taking responsibility for being a pawn in this chess game.
Compliance does not excuse them from responsibility. Yes, both are trying the best job they can in the face of a request, but both also have the individual freedom to choose not to execute a hit job. Outrageous actions call for outrageous metaphors.
>"Compliance does not excuse them from responsibility"
Please read about how DMCA Safe Harbor works. If we don't comply with it, we are held responsible for the "violations" of our clients.
Because we're in the US, it's critical that we comply with all the DMCA crap, otherwise DHS/FBI/CIA/whatever will come in and seize our equipment. They've actually done it before when we SWIP'd some stuff for a client, so we didn't get the abuse mail. They just ignored it, and one day some people showed up with a court order and we had to hand over their server (it was a colo.)
I see now that this JotForm issue might not be due to DMCA, which is pretty appalling, but to put it lightly, "they [gov't] have ways of making you comply".
"GoDaddy had complied with a Secret Service request to take down the domain"
Are you suggesting that service providers should say "no" to the secret service? Real talk: I really don't think that telling the secret service to get stuffed would turn out well. In fact, since ATT is so in bed with gov't at this point, they'd probably just have our uplink shut off if we tried to pull that.
We established multiple datacenters across different providers with active-active DNS, so neither of them could take us down. It's not really for the faint of heart, though. We spent a fair amount of time trying to get the right services to communicate correctly across DCs.
Sure. This is a really quick off the cuff summary, so I'm gonna say some things that are loose, out of date, or maybe flat out wrong. Comments welcome. :)
The ideal situation is that both datacenters can handle your total load, but when one fails, the other doesn't explode under the thundering herd of traffic rerouted its way. So you need to plan your systems in such a way that they're elastic under load; response times rise within these limits, but you won't see outright failures.
You use a DNS failover service to provide each client with the appropriate DNS. There are various issues around caching and preferred A records--for instance, some name servers or DNS clients will pick the first A record, sorted, which can send all your traffic to one datacenter. Typically you hand out different combinations of A records depending on locality, so clients are hitting, say, the two closest datacenters to them.
When a DC fails, you remove the DNS entries which pointed to that datacenter's IPs, and lookups start returning only the known good ones. Clients which already have your multiple A records can detect the failure and fail over immediately. Where client software doesn't support that, they have to wait until DNS caching expires to get the new records.
The datacenters themselves need to contain enough of your infrastructure to function autonomously, but also should share state. Cassandra, Oracle, Riak MDC... there are lots of options out there. We were on MySQL at the time, and maintained a slave in the secondary DC which could be promoted in the event that the primary DC was, say, nuked from orbit. This system was not partition-tolerant; if the mysql link between datacenters failed, one DC would become functionally read-only. We proxied DB traffic back and forth over SSH tunnels managed by upstart init jobs. This was shockingly reliable. We actually started off using mysql's SSL support but as it turns out mysql will segfault if it gets more than, say, 8 ssl connections in a short timeframe. So we tunneled everything--redis, mysql, stats, over SSH.
The rest of the infrastructure had little shared state, so we ran the typical web stack: two identical boxes running nginx (static content) -> haproxy (load balancing) -> rails and ramaze apps spread across various boxes. Each nginx forwarded to both haproxies, both haproxies forwarded to all the app servers, so you could lose either machine in a given DC and service would keep running. We used heartbeat to manage a shared virtual IP interface between the two forwarding boxes, so you'd drop TCP conns but failover switch time was generally in the tens of milliseconds--however long it took to ifup and gratuitous-arp the rack's L3 switch.
We ran memcache independently in both DCs--since user sessions almost never switched between DCs it was OK for us to just have two distinct pools. Queues were split up as well. Some services weren't critical enough to split across DCs so we just accepted that if the primary DC died they'd be down for a few hours, until we could deploy another copy on the backup DC. Non-critical things like statistics, garbage collection, etc. Automated deployment made that a lot less painful.
I wouldn't recommend doing this at an early stage--dual environments, especially on different hardware, takes a lot of testing to get right. You have to worry about doing everything twice--two DNS zones, two Redis clusters, etc. You also have to worry about asymmetries if you're doing master-slave replication. All of this comes with operational and development overhead; your app needs to be aware that might might running in a partitioned state, that writes might take much longer than reads if you're doing master->slave across DCs, etc. I'm a strong believer in planning for that stage of your growth--but you always have to strike a balance between the ultimate reliable configuration and getting other things done.
I have been using MySQL's master-master scheme for a long while for fail-over situations. Though, my databases are relatively simplistic. The master-master thing is nice because one server uses even values on auto-increment fields and the other uses odd values. Thus, no chance for collisions if all of your tables are designed with an auto-increment id field.
Thats a great way to handle it. In our case we had an, er, extensive legacy schema to preserve. Moral of the story: plan to scale early. You don't have to actually build that scaling infrastructure ... but keep its requirements in mind.
I looked into round robin dns recently (for performance reasons, not for reliability), but decided not to go there just yet.
I'm curious - I keep hearing that some clients don't support this. Which clients are that in particular? Is it a real issue, or a rather esoteric case?
Honestly I never found a briowser that didn't support multiple a record failover. Older versions of ie mostly. You do need to be aware that many nameservers will reorder a records by integer sort or delta to their own IP, which can make your traffic pattern uneven. There are various managed DNS products to handle that, and you can build it yourself with enough time.
I agree. That was really interesting. I might not have understood half of it, but enough to get the general gist and it's really cool to read about advanced solutions like this.
And indeed you might want to consider reposting that explanation on your or your company's blog--just for showing off ;-)
I have no idea what you're talking about, but I find it very interesting. I think it would be well received if you wrote a blog post expanding on this experience.
The time has come to publicly shame any YC or startup that has a godaddy domain. Switching registrars is not hard, and using godaddy is like having an @aol.com email address.
I spent a few minutes checking the registrar for YC companies with press in techcrunch:
I'll do my small part. I have over 200 domains registered with them as well as a couple servers (to play with, not for anything important).
I'll start to transfer everything as soon as I identify a registrar that won't fuck over their clients like this.
Any registrar care to make a statement of loyalty here on HN so we know that you have our backs?
I am really starting to think that a coalition of large internet companies needs to stage a full and real shutdown. I am talking about something substantial, like a full day. This would send a strong message home to idiots running this country.
This could be advertised and announced on a daily basis over the Internet and TV for a full month. Then, on that Monday morning, all services go quiet for a day while displaying an appropriate announcement on their sites. If the event is well communicated to all users this should protect all involved from legal action. If you've been told about it every day for thirty days that should pretty much cover it.
Due process should apply to everything. We want due process. Sites that engage in criminal behavior are one thing, but, when the government is the criminal you are dealing with something entirely different.
Not that I know of, but they do bulk pricing like GoDaddy does, and they have a decent referral program. You might try emailing their customer service and see if they'll cut you a deal.
Nicely said. I'm did the same. The elephant incedent was more than enough incentive for me never to do business with them again.
EDIT: Foxylad, you're the kind of ethical person I would like to work with in the future. Please leave some contact info in your profile so I can reach you. Thank you.
Frankly, cost and a call from a GoDaddy rep. I decided to hang tight and see how it played out. Mission accomplished. Now it's just a matter of deciding where to go. I have zero interest in playing musical registrars.
This can happen to any web site that allows user generated content.
How come we don't see Youtube, Yahoo, Facebook suspended? Do they have procedure in place? Does that mean that you're much weaker if you're small? What are the legal safeguards for UGC startups?
There should be equal rights for all companies. Right now it seems the US government is picking those it can easily bully.
> How come we don't see Youtube, Yahoo, Facebook suspended? Do they have procedure in place?
Yes, they do. And if you allow users to post content, you should too. You need to formally register as a hosting company and have a DMCA process published and usable.
Then post a notice on a Policy page linked from every page of your site. For example:
In compliance with the Digital Millennium Copyright Act (the “DMCA”), please send DMCA notifications of claimed copyright infringements to: Advection.NET c/o Jonathan Band PLLC, 21 Dupont Circle NW, 8th Fl, Washington, DC 20036, with electronic copy by e-mail to...
Pursuant to the DMCA, Advection.NET will terminate the accounts of repeat infringers. Advection.NET will cooperate fully with any civil and/or criminal litigation arising from the violation of this policy.
EVERY .com, .net and .org website should do this, whether you support user generated content or not (e.g. remember, user comments on your blog are user generated). Without it, you are risking this kind of thing happening.
wow - didn't know you had to find a designated agent to register. It must be simpler than it actually looks. Definitely very hidden. Thanks for pointing out this.
I had no idea that this existed and was about to ask whether you knew if there was a place online that consolidated the many legal considerations one must take to start an online business, but then I found this page on the Citizen Media Law Project ( http://www.citmedialaw.org/legal-guide/legal-issues-consider... ), which covers both DMCA-related issues and how to pick hosting providers that will fight for your rights. The entire site seems to be a treasure trove of information about things like this. I'm posting this here in case it could help anyone else.
I notice the linked guide mentions DirectNIC as the US registrar with the most extensive guarantees against unnecessary domain name suspensions. Consider this a +1 recommendation.
We've used DirectNIC for nearly a decade and never had a problem even when Echostar (improperly) tried to make them take us down because of one of our clients. We also recommend http://www.puregig.com/ as a web hosting colo for the same reasons along with their distance from natural disasters.
They do have a proper procedure in place, but they have a lot of other advantages. First of all, they're all multi-billion dollar companies, and can afford a great legal team. Secondly, average people use these sites, so if they were taken down, a LOT of people would be angry. Jotform might have a few thousand users, but that's not enough to get people angry at the Feds. For Facebook, Youtube etc., which has probably at least millions of American users who use at least one daily, it would be a HUGE deal, and would cause a great outcry. Plus, it would be covered by a lot of news. The US government doesn't want to cause that much PR damage, thus it is only targeting sites that most people don't care about.
yes there should be but unfortunately that's not how the world works. In politics (which this clearly is) you always pick a fight with someone you know you can beat. It's hard to beat facebook or youtube.
Well, according to some data I found[1], GoDaddy has 36 million registrations, while the next closest registrar is Enom at 9.7 million. In fact, GoDaddy has more registrations than the next six most popular companies combined. So, it probably makes sense that most of the registration-relation things you hear about involve GoDaddy.
To be clear, these are instances of domains specifically being moved to GoDaddy.
When I have spot-checked lists of seized domains in other cases, domains registered with GoDaddy were serving the ICE seizure page while domains with other registrars were simply down.
I'm starting to think that the DNS as a whole needs to be replaced by something that is more resilient against broken legal and political systems.
I'm not saying governments should not fight crime or that there should be no way to shut down a website, but what we're witnessing these days is a total breakdown of long established principles of law, including due process and proportional justice.
It may sound strange and some would say nonsensical, but I feel that legal systems worldwide and especially in the US have gone down hill since 9/11. What seems to have changed is that governments have given up the idea that global problems can be solved within the framework of established legal principles.
It feels like everything they do is guided by a mindset of martial law. It's all a helpless thrashing about. It's going to take a long time for the globalised world to find its footing again and until then we have to find better technical solutions to limit the damage they're able to do.
I'm as eager as anyone else to blame overzealous US authorities and GoDaddy, but something doesn't fully add up. This doesn't fit the pattern of other seizures we've seen.
Why isn't there a big scary US ICE seizure banner on the domain? They're usually quite proud of their work.
Why is his .net domain still operational?
This looks to me more like GoDaddy operating on their own.
This form of law enforcement is wrong on so many aspects.
Out of online community, these kinds of law violations are handled in a more sanely fashion. For instance, if a firms one department has a law violator, law enforcers makes a case against the violators in obscurity and proceed to handle violators trying to be as low damaging as possible. They won't block any roadblocks that leads to every building or holding to that firm and try to exclude any not related property or individual. But the things are different on the Internet. It's ridiculous. The law enforcers treat online entities like there is no business going around and every business is crime oriented. So they just go forth and block every way of execution of the entity.
We must stand against this.
Also this is an ongoing trend over the world. And seems like it won't end any time soon.
Governments are revolting against the Internet.
I think they believe Internet is becoming uncontrollable , so they are trying to make every ridiculous move to make online entities miserable so they will settle with hard control instead of these unbelievable ones and be happy.
This is actualy a perfect example. The specific laws aren't the only concern. once the atmosphere is created where registars are expected to take down domains in response to legal claims, complaints, and such it exists. once this becomes part of their job they will seek to do it with minimal costs and risk. Since the cost of losing one customer to godaddy is so out of sync with the cost of to the customer of being taken down, we can expect these kinds of results.
Shutting down a domain will always be a lot cheaper than any involvement of a legal team.
EasyDNS is excellent, but more expensive. It isn't a good place to park a lot of domains, but a great place to host a few important ones. YC/HN uses them, I've contacted them a few times, nice Canandian group.
I think they'd be opening themselves up to liability from the US government through the revocation of their DMCA safe harbour provision by not complying.
I'm failing to see any indication that the government was actually involved. Did the US government serve upon GoDaddy?
JOTFORM.COM nameservers are set to NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM, and spam-and-abuse.com is owned by GoDaddy. Just doesn't seem to be the normal way the government has been involved, but then again, nothing should be normal about domain seizures.
This is probably standard procedure at GoDaddy, and since GoDaddy is very loyal to the authorities, they probably considered the regular way of seizing the domain unnecessary.
People making new sites need to stop making that mistake! Get something that isn't .com (.me .info etc) and register it at a non-US based registrar. We KNOW that US registrars always cooperate with corrupt government agencies, so stop giving them business just to save a buck, and risk your whole business.
I am not quite sure if 'Seized by US" is the case, if you check out the dns look up it points to NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM which is owned by Godaddy. After some searching it appears that that's what happens when Godaddy suspends there service to you, from similar cases it seems that they can transfer the domain to another registrar.
This is nothing to do with copyright issues: its to do with phishing and scamming forms being setup by a handful of users. One would think they could just remove those users and be done with it - this heavyhanded approach by govt. is a total disgrace. When scam ads were found being run on the NYTIMES website (without the knowledge of the NYTIMES) a while ago, did the govt. shut down that domain? No f---ing way - because that would have p---ed off too many people.
Am I the only one who has slightly less sympathy with this company for staying on the shitty webhost known as godaddy? Even after the SOPA debacle? You wait until they affect you personally before doing the right thing?
such willfull misunderstanding in those comments. my sympathy to the people behind jotform.
the only way this can be (legally) fixed is by a court deciding that despite all the mumbo-jumbo in the registrar terms of service, domain names look an awful like property, and are not to be yanked without due process. unfortunately it seems courts mostly write opposite-minded decisions these days.
So? The same is true for real estate and most everything else with a central registry. Jotform is paid up with ICANN through 2020. Even a commercial tenant can't be evicted instantaneously.
Is it possible for any distributed human-meaningful name to be allodial? You're always at the mercy of a network of nodes to agree that you hold a name, and probably have to incentivize them even. A non-human-meaningful public-key based name would be allodial (even if you're relying on others to distribute that fact). The latter system could certainly replace many uses of DNS, but doesn't solve the introduction problem (granted, introductions could be needed a lot less, ie Jotform forms would still be working, as they wouldn't require a reintroduction to 'jotform.com' for every visit)
(You're right in that I was incorrectly implying a domain name would be property owned by the registrant. But it certainly could be considered property that the registrant is currently in possession of)
Any details on what the content was? The post implies that only a small amount of user generated content is being investigated. This is the first I've heard of a website being taken down entirely when only a small amount of it's content is questionable.
I feel like a huge chunk of this story is missing.
What we ought to be talking about is moving .com/.net/.org out of US jurisdiction entirely, not just diversification. This will eventually happen in one of two ways, one of which will leave US customers with a completely separate com/net/org registry from the rest of the planet.
I don't think we'd get much further than we already have in earlier anti-SOPA talks. The irony of the situation gave me a chuckle though. Hopefully they move away after this, to a company which would at least try to put up a fight.
There are a large number of companies still using GoDaddy even after hearing so many horror stories. Even some YC companies use them. If I had to choose a service provider, then I would most definitely forego the ones who are reliant on GoDaddy, even if it they are really awesome. After all being there trumps being awesome by a huge margin.
I guess it's time customers started calling up these companies and telling them that the reliance on GoDaddy is something that they are worried about.
Who needs SOPA when you can do whatever the hell you want. Great to know our taxes are being put to good use and helping create new jobs and services. Thank you US Government.
I'm glad it isn't being tolerated by the new one. Look at the protests on the streets. That is amazing by itself, but even more so is that it actually appears to have some effect.
This can happen to any web site that allows user generated content. Yes, that's true that it can happen just as almost anything can happen. But to act as if this comes as a surprise for which such a company should not be prepared is either ill-informed or disingenuous, and somewhat unbelievable in light of all the publicity around DMCA law recently. A company like Jotform, or any company hosting user-generated content (not just to pick on Jotform), can do a lot to help prevent it and protect their legitimate customers.
DMCA lays out several things which can be done to at least attempt to have the appearance of qualifying for safe harbor. If you host user-generated content, do you do one or more of these?
- adopt and reasonably implement a policy of addressing and terminating accounts of users who are found to be “repeat infringers?
- remove or disable access to the allegedly infringing material upon notice?
#1, you're not Facebook, #2, I am quite confident these days Facebook has a quite extensive understanding of their legal position and the policies and procedures they must follow (http://www.facebook.com/legal/copyright.php is only a start), and #3, I am rather sure they have a direct line to whoever is the registrar of record for facebook.com and pay well to be kept up to date on any potential developments.
"As a part of an ongoing investigation about a content posted in our site, a US government agency has temporarily suspended our jotform.com domain. We are fully cooperating with them, but it is not possible to say when the domain would be unblocked."
The dns is set to a godaddy domain which has over 224,000 domains attached to it.
As a registrar that has been contact by the US Government this (change of dns) isn't consistent with what we have experienced when contacted about a problem site. It's more consistent with an individual registrars policies.
If the government was seizing a domain, generally, they would change the whois information. It wouldn't still be listed in the name of the registrant.
This isn't an attempt by the way to get one up on godaddy. They are a gazillion times bigger than we are and they cater to an entirely different market segment.
I've been searching for a good .com domain for my upcoming CMS (SaaS), but after reading this I'll probably get a non-US controlled domain at least for the service itself, and just use .com for a marketing site, if at all. Moreover, .com is already overcrowded.
It's so wrong that a legit business can be killed overnight.
"Because of a Godaddy suspension, our jotform.com domain is currently disabled. Since, we do not know when the issue might be resolved we recommend changing your forms from jotform.com to jotformeu.com. "
So their .com domain is suspended, and they move to a new .com domain?
I don't understand; why don't they move to a European country top level domain like jotform.co.uk (that one's been domain squatted, but I'm sure they could find one they like.)
Reading the comments below, am I safe if I have my domain name registered with Namecheap? How can I make sure that this won't happen to one of my sites? Is this Godaddy specific or all domain name registrars affected by this? What about non-US registrars (can you guys name some)?
Any .com, .net, .org, .biz, .us, .tel, and .travel domain is subject to seizure by a US court order. What company you register the domain at (and what country it's in) is irrelevant since the registry itself (Verisign for .com/.net/.org, NeuStar for the others) is in the US.
From http://www.isnic.is/en/:
"The registration of a domain confers rights to the use of the domain name according to ISNIC rules at any time but does not confer ownership of the domain."
Sometimes you need to disregard legal advice (though, you do need to be aware of the legal issues), else you wouldn't get anything done.
I had a nice startup idea, it was shot down by my legal adviser (which happens to be my father :P ), and Google went ahead and implemented it (well, at least he saved me from competing with Google).
Worth noting that this is a top 5,000 global site, roughly speaking. The fascist machine is definitely continuing to raise the bar on the commoners they're willing to take down (they were always willing to go after a site like MegaUpload, but this is a different category of assault).
Cycle it a few years forward and it wouldn't be surprising if 1% to 2% of the biggest 10,000 .coms have been seized (100 to 200 sites).
It's time for a widespread revolt against domain name seizures and suspensions without due process. Where do we start? This path will undermine the internet economy and sets precedents for horrible oppression and control by large interests down the line.
We need a replacement for ICANN. In other words, we need a replacement for DNS. It is going to take a while to get enough of the public on board but it seems inevitable to me.
In other words, this might very well kill a company that someone worked hard to get off the ground. And if you have any usergenerated content it might happen to your company too. Apparently without due process, and without warning.
This is preposterous.