The Advisory Boar

By Abhijit Menon-Sen <ams@toroid.org>

Namecheap suspended my domain without notification

2017-01-14

My mother called to tell me that people were complaining that mail sent to her address at one of my domains (menon-sen.com) was bouncing. Here's an excerpt from the bounce message she sent me:

DNS Error: 27622840 DNS type 'mx' lookup of menon-sen.com responded with code SERVFAIL

I thought it was just a temporary DNS failure, but just for completeness I tried to look up the MX for the domain, and got a SERVFAIL response. I checked WHOIS for the domain and was horrified to find this:

Name Server: FAILED-WHOIS-VERIFICATION.NAMECHEAP.COM
Name Server: VERIFY-CONTACT-DETAILS.NAMECHEAP.COM

In a near-panic (because this meant email to one of my work addresses was also being bounced), I checked a bunch of stuff: No, the whois details for the domain were not incorrect (nor had they been changed recently). No, Namecheap had not sent me any whois verification mail about the domain. No, Namecheap had not sent me any notification that it was going to suspend the domain. No, the Namecheap admin page didn't say anything about the domain having been suspended.

I couldn't find any relevant articles in the support knowledgebase, so I opened an emergency ticket with Namecheap support. They responded in an hour, and helped to resolve the problem immediately. They did admit that I didn't receive a notification because of an error on their part:

We have double-checked contact details on the domain in question and registrant details appeared to be missing on the domain due to a one-time glitch at our end. That is the reason you have not received verification email. Please accept our most genuine apologies for the inconvenience caused you.

I have always found Namecheap support to be responsive and helpful. I do appreciate their candour and the prompt response in this case as well, but I am deeply shaken that their system has no controls in place to prevent a domain from being suspended without any sort of notification (especially since they were sending me notifications about other domains registered under the same account in the same time period).

I don't know when exactly the domain was suspended. I have actually lost mail because of this incident—and at least one of them was an important response to some mail I sent. But thanks to my mother's correspondents, I think the problem was discovered before very long. I cannot afford to worry about this happening for my other domains that are up for renewal in the near future. If the same thing had happened to toroid.org, it would have been catastrophic.

I have been a happy customer of Namecheap for more than five years, and recommended it to any number of friends during that time. Along with EasyDNS (which is much more expensive), it's by far the best of the dozen or so registrars I've used over the past two decades. I have no idea where to move my domains, but I'll start keeping an eye out for an alternative.

Update, moments after writing the above: my friend Steve points out that there's something to be said for having a vendor who admits to their errors honestly; and only a pattern of errors rather than a single incident would justify moving my domains away to an unknown registrar. A few days from now, I hope to be able to properly appreciate Steve's wisdom in this matter. Meanwhile, I'm saved from precipitous actions by the fact that I haven't the faintest idea where to migrate anyway.

Malicious pollution reports

2016-12-30

Before we installed a towel rail in the bathroom, we kept clean clothes on an old newspaper on the washbasin counter while bathing. It kept the clothes dry and kept me entertained while brushing my teeth for several months (I would unfold and refold it differently every few days when the top stories began to seem familiar).

“Pollution report malicious, incorrect: Javadekar” dated June 7, 2016 quoted the reaction of the Union Minister for Environment, Prakash Javadekar, to a paper that was widely reported with headlines like “Life expectancy in Delhi has reduced by six years because of air pollution, reveals study”. Here's a clipping:

Pollution report malicious, incorrect: Javadekar

The original paper, “Premature mortality in India due to PM2.5 and ozone exposure”, written by scientists at IITM Pune and published in Geophysical Research Letters, was not immediately available for download. The Minister's scathing indictment shows that he is only too aware of the threat posed by Elsevier journals.

Of course, this is hardly the first attempt to maliciously target India with overblown pollution reports:

Volcanic activity in modern-day India, not an asteroid, may have killed the dinosaurs, according to a new study.

Tens of thousands of years of lava flow from the Deccan Traps, a volcanic region near Mumbai in present-day India, may have spewed poisonous levels of sulfur and carbon dioxide into the atmosphere and caused the mass extinction through the resulting global warming and ocean acidification, the research suggests.

Barely a month after his astute recognition of this pattern, however, a cabinet reshuffle saw Prakash Javadekar reassigned to the Ministry of Human Resources and Development.

(Aside: “Javadekar does a U-turn after questioning pollution study”.)

One month after demonetisation

2016-12-13

A little over a month ago, our Glorious Leader eliminated corruption, black money, terrorism, and poor people in one bold and innovative move by declaring most of the currency in circulation to not be legal tender.

We are fortunate that we can get by without much cash in hand. We eat mostly what we grow, or is grown nearby in the village, and what few additional expenses we have (e.g., milk) have so far been met by the ten- and twenty-rupee notes we had collected to save time by paying exact tolls on the highway.

Our one visit to the nearest bank yielded a two-thousand rupee note and a bag of coins each—the most the branch could spare per person, given that they've received no cash for several days.

In Delhi, Ammu is not so lucky. Her landlord demands the rent in cash, and in exam season, she has had to stand in queue for several hours at an ATM to withdraw a quarter of her rent (which is the maximum one can withdraw in a day). Strangely, the vegetable and fruit sellers in her locality do not accept digital payments yet.

I was looking forward to hearing what the Supreme Court of India had to say about demonetisation, but they haven't said much, because they're busy with matters of real importance to the nation, like how often the national anthem should be played and how straight one should stand to properly demonstrate one's “constitutional patriotism”.

Decathlon.in: terms of disservice

2016-09-17

I wanted to buy a jacket from Decathlon, so I went to create an account on their site, which involved wading through as convoluted and boring a "terms of use" statement as I've ever seen. (Alas, I can't link to it because it's just in a textarea on the account creation page.)

Most of the terms were unremarkable (obnoxious and officious, but still unremarkable), until I encountered this gem about halfway down.

«11. The Buyers shall be responsible to up keeping the providing information relating to the products proposed to be sold by Us. In this connection, The Buyers undertake that all such information shall be secured in all respects. The Buyers shall not defame the attributes of such products or services so as to mislead other Buyers in any manner.»

I created an account anyway (and the jacket is rather nice), but I didn't want to be responsible for “up keeping” information relating to the products they sell. So I wrote to their customer support to ask what this ridiculous verbiage was supposed to mean. Much to my surprise, they not only responded to my mail, but actually asked their lawyers for a clarification.

I had a word with our legal department and they mentioned that the clause means if a customer has an issue with or an opinion about a product, they contact us first for us to help them with their issue and not post it on social networking sites or the media.

Not being a fan of idiotic and underhand (and poorly-written, to boot) attempts to restrict what one's customers can and cannot say, I tried to delete my account. The terms of service said I could delete my account at any time, but I could find no way to do so on the web site. So I asked Decathlon to delete my account.

First they said they had deleted my account. I could still login, so I wrote back to ask them to delete it again. Then they said that I had registered two accounts (which I had not; I had just changed my name to "ABC" in my profile), and asked me to send them a list of addresses I had used (which I did—one address). Then they stopped answering my mail.

Eight weeks later, I can still login to my account.

Technically, I don't think this post violates their terms of service, because I did contact them for help first. But they do have a stern profanity policy, so here's a little something to help the account suspension process along: What the fuck, Decathlon? You're a bunch of incompetent nincompoops!

Update (2016-12-13): The account still works, but the “you may delete your account at any time” clause has been removed from the terms of use at some point. Of course, the vital “responsible to up keeping the providing information” clause is still there.

Vodafone India snoops on e-mail

2015-12-28

An article about Vodafone injecting javascript into web pages reminded me of a problem I investigated last year when Hassath couldn't send mail when connected through her phone's mobile hotspot.

My first response to any network problems is to run tcpdump, and I saw the following EHLO response from my own SMTP server.

250-raven.toroid.org
250-PIPELINING
250-SIZE 307200000
250-VRFY
250-ETRN
250-XXXXXXXA
250-AUTH PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Vodafone is transparently proxying outgoing SMTP traffic and replacing STARTTLS in the EHLO response with XXXXXXXA, so that the client doesn't try to negotiate TLS. If you issue STARTTLS anyway—which no normal SMTP client would, but openssl's s_client can do—the TLS negotiation fails. So it's not just a downgrade attack, it's actively sabotaging TLS connections too.

This was the case in mid-2014, and it's still the case at the time of writing. I wonder how many terabytes of email logs they have collected in the meantime, how they are stored, and who is reading them.

While I was tethered to my phone, I did a bit more testing. Vodafone India doesn't seem to mess with HTTPS connections, and IMAP connections are not downgraded either (i.e., the server's STARTTLS advertisement is not modified, and the TLS negotiation succeeds). Nor did it inject any Javascript into the web pages I tried (yet).
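The EHLO response above can be checked mechanically. The following is an added example, not code from the original post: it parses an EHLO reply and distinguishes a server that advertises STARTTLS from one whose advertisement has been overwritten in transit. The function names and the CLEAN comparison reply are assumptions made for the illustration.

```python
import re
import smtplib

# EHLO reply quoted in the post (seen over the mobile connection).
TAMPERED = """250-raven.toroid.org
250-PIPELINING
250-SIZE 307200000
250-VRFY
250-ETRN
250-XXXXXXXA
250-AUTH PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed for comparison: the same reply with the keyword intact.
CLEAN = TAMPERED.replace("XXXXXXXA", "STARTTLS")

# A keyword blanked out with X's. Real private extensions (XCLIENT,
# XFORWARD, ...) start with a single X and do not match.
MASKED = re.compile(r"^X{4,}[A-Z]?$")


def parse_ehlo(reply):
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    keywords = []
    for line in reply.splitlines()[1:]:      # first line is the greeting
        m = re.match(r"^250[- ](\S+)", line.strip())
        if m:
            keywords.append(m.group(1).upper())
    return keywords


def assess(reply):
    """Classify a reply as 'ok', 'stripped' or 'no-starttls'."""
    keywords = parse_ehlo(reply)
    if "STARTTLS" in keywords:
        return "ok"
    if any(MASKED.match(k) for k in keywords):
        return "stripped"
    return "no-starttls"


def probe(host, port=587, timeout=10):
    """Live check against your own server (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, msg = smtp.ehlo()                 # msg: reply lines joined by \n
        text = msg.decode(errors="replace")
        return assess("250-" + text.replace("\n", "\n250-"))
```

Running `probe()` against the same server from two different networks and comparing the results shows whether the path, rather than the server, is removing the advertisement. A mail client set to require TLS instead of using it opportunistically fails closed in the "stripped" case and does not send in cleartext.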

How much is IIPM paying The Hindu?

2011-08-17

Today's The Hindu—not for the first time—had an extra front page devoted to an advertisement from IIPM, complete with gushing top-half copy masquerading as news reporting. Over the past year or so, Arindam Chaudhuri's snake-oil salesman grin has been a frequent visitor to the back page of The Hindu, and many an innocent exclamation mark has been sacrificed to extol the virtues of IIPM. I can't even begin to imagine the amount of money that must change hands for this kind of coverage.

I'm not sure if it's more depressing that IIPM has accumulated such vast quantities of money by selling snake-oil, or that The Hindu is happy to soak it up and print acres of whatever drivel is sent its way.

(For those who are wondering, IIPM is the Indian Institute of Planning and Management, an unaccredited business school that is in the habit of suing anyone who points out that their advertisements are full of lies.)

Air2Web is avoidable

2011-06-02

An application I've been working on sends random challenge tokens by SMS to confirm certain user actions. My client had an account with Way2SMS already, so I used their simple HTTP API to send out the tokens. Later, we discovered that messages to some networks were delayed by fifteen minutes or more, and we decided to find a backup provider. I relayed a friend's recommendation of Air2Web to my client, and they signed up for the starter package.

They got our account set up quickly, and I sent myself a message through their HTTP API (which, like Way2SMS, was just a URL which took the phone number and message as query parameters). The message never arrived, so I wrote to "aircare" to complain. They replied promptly that my number was on the Do-not-call registry, so they would not deliver messages to it.


Airtel's Fair Usage Policy

2011-05-14

This morning, I got an email (and SMS) alert from Airtel:

Dear Airtel Customer,
You have consumed 100% of your high speed data transfer limit of 10000
MB. Now you will be getting a revised speed till the end of this bill
cycle (as per the bill plan subscribed by you) and the speed will be
back to normal at the beginning of the new bill cycle. You are still
on an unlimited plan and all your data transfer remains free.

Airtel was forced to institute a Fair Usage Policy for "unlimited" data transfer plans, because "A very small number of customers use an excessive amount of the network bandwidth, to the extent that it can impair the experience of others." But "…needless to mention, the usage levels set are very generous such that most customers will not be affected." And remember, they're only defining a "fair usage level", not a "limit".

I humbly apologise to everyone whose "experience" I unfairly impaired by downloading 10GB at 512Kbit/s in one month. The strain on the Airtel network must have been enormous.

But wait, there's more! The email goes on to say:

However, if you need a higher speed, you can visit www.airtel.in/sod
and subscribe to speed on demand - a service from Airtel where you
can increase your browsing speed by paying a nominal charge.

Oh good, I should have known a nominal charge could fix everything. I feel so… unlimited now.

(P.S. airtel.in/sod says "Unexpected error" when you try to sign up.)

Metro station robbery: redux

2011-01-06

Ramit's police complaint (made by way of some suitable boffin) resulted in the police going to the station the next day and arresting two people expanding their cellphone collection by the same means as before. They may not be the same people whom Ramit met, but the indications are that at least ten people are involved and—as we suspected—this is something that has been going on for a while.

I wonder if the earlier victims complained to the police. It's hard to believe that none of them did; so perhaps their complaints arrived too low down the police hierarchy to prompt any serious action.

But I hope the cops find every one of the robbers now.

Armed robbery outside a Delhi Metro station

2011-01-04

Ramit was robbed of his mobile phone by four armed men on two scooters with no license plates at 0730 this morning, while waiting outside the New Ashok Nagar Metro station for me to pick him up on our way to the Okhla Bird Sanctuary. When he handed over his phone, they immediately discarded the SIM (which he recovered), and left. Fortunately, Ramit was not hurt.

We drove to the Police Chowki nearby, but there were no policemen there. Some hours later, we returned to the Metro station and spoke to the CISF personnel in charge of security. They said they would have tried to help if we had reported the crime immediately, but that they were responsible for security only inside the station premises. The CISF superintendent told us to file a complaint at the Yamuna Bank police station, and also said there had been other thefts in the area recently, but the Delhi Police personnel deputed to patrol the outside of the station never turned up as scheduled.

I submitted a report of the incident as feedback on the Delhi Metro web site, and also called them up and spoke to a Ms. Rita Kumar at the DMRC to report the robbery. She promised to "forward" the information I gave her, for whatever that is worth, but again said that incidents outside the station were solely the problem of the Delhi Police.

Aside: the Metro station in question is (like many others) an elevated structure built around a platform. The road passes under it, and Ramit was waiting there on the sidewalk in front of a pillar with a "Station Entry" sign on it. While it may technically be outside the premises of the station, it seems somewhat irresponsible for the DMRC to wash its hands of security directly underneath the station, barely thirty metres from the entrance.

Despite his traumatic morning, Ramit (who says he has been mugged before in Nairobi) wanted to stick to our plan, and we had a nice bird-watching session at Okhla and Khadar. Notable sightings include the first Citrine Wagtail of the black-backed calcarata race this season, close-up views of Black-breasted Weavers, four Ferruginous Pochards, and a number of White-tailed Stonechats, Striated Babblers, and Graceful Prinias. I also relished the opportunity to study various species of grasses in detail.