Last week I wrote that skepticism may be the most important thing you bring with you when dealing with the Internet. A few days later in the Wall Street Journal, Walter Mossberg said basically the same thing - "...the most insidious Internet security problems today rely on human gullibility, not tricky software."
His article, How to Avoid Cons That Can Lead to Identity Theft, included this advice "Don't click on links to offers for free software or goods that you receive in an email, especially from a sender or company you've never heard of."
The problem with this advice is twofold. First, the From address of an email message is very easily forged. You may get a scam message that seems like it came from a company you know, but really didn't. Also, identifying a company you know has its own issues.
Suppose, for example, you got an email message about a really cheap price for a subscription to the Wall Street Journal. The phony From address could well be subscriptions@wsj.com. Suppose too, that the scam sent you to the www.wsj.biz web site.
Many people know that the online version of the Wall Street Journal is wsj.com. But, wsj.biz has nothing at all to do with the newspaper or with Dow Jones. It belongs to Marc Gaines and the web page that currently displays is a temporary one that GoDaddy provides for their customers. The point being, Mr. Gaines, can do whatever he likes with that website, including tricking people into thinking it offers cheap subscriptions to the newspaper. What better way to learn personal information such as name, address, phone number and credit card number? Perfect for identity theft.
Just because a famous company owns the .com domain, it implies nothing at all about other domains.
In the case of the Wall Street Journal, Dow Jones owns wsj.net and wsj.us. However, wsj.info belongs to Seth Wilkof who is looking to sell it. Wsj.org is also a scam-in-waiting. Today, it is a temporary default web page, but it belongs to someone named Natalia Skuridina.
Even someone who doesn't know that wsj.com is the Wall Street Journal, certainly knows the organization behind wallstreetjournal.com. That's easy. But what about wallstreetjournal.net? And wallstreetjournal.org? They both belong to Dow Jones, but, that's where the good news ends.
It is not clear who owns wallstreetjournal.info, but Dow Jones definitely does not own wallstreetjournal.us or wallstreetjournal.biz.
You can see who registered a domain by doing a WHOIS lookup at the website of any registrar. For example, at Network Solutions, go to networksolutions.com/whois and at Regster.com go to register.com/whois.rcmx.
I focused on the Wall Street Journal, only because Walter Mossberg writes for the paper. The concept though, applies universally. I get bitten by it myself. Two websites that I visit are www.speakeasy.net and www.witopia.net. I don't, however, visit them often enough to train my fingers to type .net instead of .com. Neither company owns the .com version of their domain name.
See a summary of all my Defensive Computing postings.
In todays' New York Times, David Pogue reviewed an updated version of Microsoft's Office Live Small Business, a suite of online services for making Web sites (I'm simplifying a bit).
He failed to point out an important defensive computing aspect of any Web site, divorcing it from the domain name registration. In addition, trusting Microsoft to handle domain registration is not your best option. To fully understand this, some background is required.
A domain name, such as CNET.com or JavaTester.org is a unique name on the Internet, one that is used for both e-mail and a Web site. Conceptually speaking, all domains are registered in a big master file in the sky. Hundreds of companies, called registrars, are authorized to register domains into this huge master file. Registrars offer many services, but simply registering a domain name ranges from roughly $9 to $35 a year.
Associated with each domain is a pointer to the computer running the Web site and a pointer to the computer that receives e-mail sent to the domain. The pointer system is called DNS, for Domain Name System. The pointers are indirect. That is, rather than pointing directly to the computer(s) with the Web site or e-mail, they point instead to server computers running DNS software.* A company that hosts Web sites is obliged to run a DNS server computer to handle the finger-pointing for all the Web sites under its control.
A small business setting up a new Web site is likely to be tempted by the one-stop shopping offered by Office Live Small Business. Many registrars host Web sites and any company hosting a Web site will also register a domain name. But, you are better off getting these services from different companies.
My JavaTester.org Web site, for example, is hosted at a company called A2 Hosting and the domain is registered with GoDaddy. A2 runs a pair of DNS server computers, ns1.a2webhosting.com and ns2.a2webhosting.com, which GoDaddy associates with the domain in the big master file in the sky. (If you want to impress your friends, the ns1 and ns2 computers are technically referred to as authoritative name servers.)
For one thing, using two companies makes it easier to switch Web site hosting companies in the future, should the need arise. More importantly though, it insures the domain is yours.
There have been times when a Web site hosting company registered a domain in their name rather than in the name of their customer. For example, instead of my JavaTester.org Web site being registered to me in the big master file, it would be registered to A2hosting.** In this case, it is not my domain, even though I paid for it. For a small business, this can be a really big deal.
What about e-mail? Companies hosting Web sites can also provide e-mail, as can most registrars. Then again, you don't need either one, you can have a third party handle e-mail for your domain.
Pogue on Office Live Small Business
The first Web site I ever created was hosted on a computer run by a school. The name was something like computerdeptserver.someuniversity.edu/~michael. Everyone in the class was assigned a userid on the server, and that formed the rightmost part of the Web site address.
From what Pogue says, Office Live Small Business does a similar thing, giving out names like bobsfleabag.accommodations.officelive.com (his example) to customers only interested in free services. Using your own domain, instead of one that ends with officelive.com, is what Pogue means when he refers to "customized domains." I point this out because the term "customized domain" has no real meaning--all domain names are unique.
If you want to use your own domain name with Office Live Small Business, Pogue's review said that Microsoft charges $15 per year after the first year. While the price is certainly fair, having Microsoft handle domain registration scares me.
The Defensive Computing Approach
If you are interested in using Office Live (which I have no experience with) to create a new Web site, first go to a registrar and register your own domain. The two registrars I recommend are GoDaddy and DirectNIC. GoDaddy is cheaper ($9 per year) but DirectNIC ($15 per year) is easier to use.
If you already have a Web site, but it was registered by the hosting company, I suggest first moving the registration to GoDaddy or DirectNIC before getting started with Office Live, or start over with a new domain name. For more on this, see my posting from last month on How to fire a Webmaster.
Microsoft's documentation
Registration of a domain is too important to trust to a company, such as Microsoft, that does it as a sideline rather than it being its core business.
Consider what its FAQ page had to say after Pogue's review came out:
"Will I be charged a fee when my domain name comes up for renewal?
Domain names are renewed on an annual basis. Microsoft will automatically renew your domain name for you, and you will not be charged a renewal fee. If you already own a domain name and transfer it to Microsoft Office Live, Microsoft will pay for any future renewals."
This directly conflicts with Pogue's account and I believe Pogue.
Also, it appears that Office Live Small Business domains are renewed on an annual basis. This is an accident waiting to happen. A real registrar can lock it up for many years.
The Microsoft Office Live Small Business FAQ also refers to "redirecting" a domain and "domain redelegation." The two terms are used interchangeably. But for what? I've dealt with domains and Web sites a lot. If you asked me yesterday what these terms meant, I would have given a different definition for the first term and couldn't have guessed at the meaning of the second.
The Office Live Small Business folks use these terms to mean changing the DNS server computers associated with a domain. For an existing domain with an existing Web site, that is how you point the world to the new Web site (at Office Live Small Business).
Good news, bad news
The bad news about changing DNS servers is that the actual procedure differs for each registrar.
The good news is that Microsoft provides instructions for making the change at a number of popular registrars. See How to set up your new Web site with an existing domain name.
The bad news is that the instructions for GoDaddy don't exist. Clicking on the link results in a Page Not Found error. The instructions for register.com are also missing. In fact, all
the "redelegation" instructions are missing. Maybe they were filed under changing DNS servers.
Update. February 16, 2008: The instructions now exist, there are no more "page not found" errors.
* That the Internet grew to the extent it has over the years is due, in part, to the distributing of the responsibility for maintaining these pointers. No one company can screw everything up.
** I don't know that A2Hosting does this, I haven't tested it. This is only an example.
See a summary of all my Defensive Computing postings.
When my Defensive Computing blog went live in July, the Web page address (URL is the nerd term) assigned to it was blogs.cnet.com/8300-13554_1-33.html. Shortly thereafter, CNET assigned the friendlier address blogs.cnet.com/defensive-computing/
That's still a lot for me to remember, let alone repeat to someone else. When I wanted to find this blog, I started at blogs.cnet.com and then hunted for my name. The address/URL blogs.cnet.com is easy to type and easy to remember. Whenever someone asked where to find my blog, that is what I told them to do.
Until now.
I just invested $14 or so to reserve the domain defensivecomputing.info for a couple years. But there is no Web site there and I'm not planning on ever having one. Instead, the domain is forwarded here. I don't know how you found this Web page, but if you enter defensivecomputing.info into your browser you end up at this blog. It's the computer nerd equivalent of a vanity license plate. Try it.
The home page for this blog now has three names that all point to the exact same place:
- defensivecomputing.info
- blogs.cnet.com/defensive-computing/
- blogs.cnet.com/8300-13554_1-33.html
My vanity extends to defensivecomputing.us , which is forwarded to a Web page for a class of mine on, what else, defensive computing.
Which Name To Show?
In both these instances of domain forwarding, you end up seeing the forwarded-to name, not the one you originally typed. It doesn't have to be that way; forwarded domains can be set up to show the originally entered URL.
For example, a relative of mine owns the domain dmdworkin.com. There is no such Web site, however; the domain is forwarded. He is a photographer and has an account at the photo site Digital Railroad.
The real Web site address is www.digitalrailroad.net/DMDworkin/Default.aspx. Whichever name you type, you end up at the exact same Web page. In this case, however, the real or target Web page address is said to be masked. You see dmdworkin.com in the address bar of your browser, even though you are at the Digital Railroad site.
Practical Uses
In the above example, domain forwarding is used to give the impression that Mr. Dworkin has his own Web site, when technically he doesn't. You could get a free website from any of dozens (if not hundreds) of companies, with a name something like harveysfreewebsitecompany.com/userxyz123 and then set up a domain such as michaelsstartrekclub.com and point it to the free website. If the company providing the free site goes out of business, you can sign up somewhere else and then just forward the domain there.
In my experience, domain names cost from $7 to $35 a year. You could print business cards showing your own domain name and pay more for the cards than the Web site.
Domain forwarding can also be used to give multiple names to a single Web site. Suppose, for example, your name is Groucho, you own a cigar store and the Web site for the store is grouchoscigarstore.com. You can prevent someone else from using grouchoscigarstore.org, .us. info and the like by registering those names too. If you own them anyway, might as well set them up to auto-forward to the Web site with the .com name.
Another use is typos. Have you ever been confused about the spelling of "Noble" in Barnes and Noble? It could end with either "le" or "el", both are valid spellings (at least phonetically). In terms of finding the company's Web site, it doesn't matter--both barnesandnobel.com and barnesandnoble.com work fine. So too, does bn.com. Two of these domains are forwarded, one is the real Web site.
When you register a domain, check if the forwarding feature is included for free (both with masking and without). The two registrars that I have used the most, GoDaddy.com and DirectNIC.com do include it for free. In contrast, Register.com wants an extra $50 a year to forward a domain and not show an ad for themselves when doing so.
And remember, you learned about domain forwarding at defensivecomputing.info.
- prev
- 1
- next
