How else is the CEO supposed to respond? He's in the tough position where he can't prove a negative; the burden of proof is on the original tweeter. So the CEO needs the "hacker" to either prove it or admit they were mistaken, and bug bounties are exactly how companies do this.
(Also, I feel like it's implied that "an account that isn't yours" doesn't mean "mess with any of our customers you want." He's clarifying that because with white-hat(ish) hackers, you'd be shocked how many people try to claim bug bounties from us because they "hacked" their own account using their own credentials.)
Thanks for your comment and you are correct with your latter point and assumption. It's hard to word things properly when you're limited in the number of allowed characters on Twitter.
> Also, I'll put my money where my mouth is. If you can make any changes to a domain that is not yours or a friend's via our help desk, I will send you 10k USD, no questions asked.
> and to clarify, said account must be protected by 2fa to begin with.
I appreciate what he's trying to say... but perhaps he should instead recommend that white-hats create a test account and try to access it without using the 2FA mechanism.
I think that's reasonable. I was thinking in terms of cutting out the gaming aspect when I made that statement. I probably should have been more specific. The premise of the entire conversation was based on someone making an unjustified accusation without even following it through and testing it to begin with.
Not really, they don't often advertise that you should attack their customers directly. The closest I can remember was the LifeLock guy putting his social security number up publicly.
Otherwise, they prefer you hit test or personal accounts rather than paying customers...
Hacking accounts without consent of the victim is probably illegal. So normally you'd use an account you own (or your friend/colleague owns), but the challenge is excluding those. The company setting up special test accounts can be a good option as well, but needs to be done in good faith and is problematic when the attack is social engineering based.
So the challenge is either giving attackers permission to hack accounts of strangers, or requires the attacker to engage in potentially illegal behaviour. Neither of which is acceptable.
I assume this is just badly phrased, and what was actually intended was a requirement that the victim doesn't collude with or help the attacker.
You're not supposed to cause actual substantive changes to actual customers. In addition to being questionably ethical, that would usually disqualify a researcher from any possible bug bounties and forfeit legal protections offered by the program.
Well the CEO said they didn't think it was a problem because there is additional security (also a PIN code required) to access the account. That is pretty standard for big companies. Saying that actually isn't a problem and either not fixing it or fixing it and not paying a bounty on it.
No, this is illegal and can put Namecheap into huge trouble.
A responsible disclosure programme needs to explicitly state that access to other users' data is illegal and that test/self-owned accounts need to be used for security testing.
This is why legal departments exist; you cannot just say this as a CEO without consulting your advisors.
Maybe you could put your actions where your mouth is and just add a 2FA step to the support portal's login process? As a Namecheap user I don't want to be randomly targeted to prove a point in some face-saving contest.
Coincidentally I just received an email request to reset my password on Namecheap (not issued by me), anyone else? On top of that, my account has been locked for 24 hours for three consecutive failed password or username entry attempts.
You should watch your domains and look out for any friends who suddenly have a new car or a new nice watch :-).
My strategy for things is to use a unique username and email address (and password..) for critical services, that way any hacks/leaks of other sites don't reveal my entire web presence. It may be that your email was found in another dump, or from a domain whois lookup.
I'm way less upset by this than a large number of people in that Twitter brawl. I can agree that this probably isn't the best way to go about things, but in the end, all I see is a CEO taking a firm stance of confidence behind his products - let's just hope this doesn't turn into a real bad situation for Namecheap customers. Ballsy? Yeah. But pitchfork and torch worthy? Not really.
Off topic: is there a way to see info on Twitter without creating an account? I used to look at tweets from my local meteorologist on Twitter but now I can't seem to be able to view info on Twitter without a modal blocking the window and asking me to sign up.
If the result of this tweet is that one of my domains is altered, and that I lose income, users, or other useful metrics to measure the value of my site, this seems like a great piece of evidence to be litigious towards Namecheap
I guess this makes sense. On the other hand such actions might have had legal implications before. I mean until the CEO actively allowed / awarded them.
Namecheap is good. They are my registrar, even though Amazon would be easier, because their support + personability makes me feel like I'm dealing with human beings.
Time to move somewhere else because the CEO is so confident they can't be hacked that he publicly offers money to anyone who can do it? You want to be with one that thinks it is insecure?
"Go commit a crime against a third party who didn't consent and I'll give you $10k" is what this amounts to, given he excludes friends' domains from the targets.
gkoberger | 3 years ago
NamecheapCEO | 3 years ago
muhehe | 3 years ago
Wait ...what? Like, seriously?
LeifCarrotson | 3 years ago
NamecheapCEO | 3 years ago
jonny_eh | 3 years ago
giancarlostoro | 3 years ago
nebukadnet | 3 years ago
https://www.techtimes.com/articles/271004/20220125/apple-rew...
https://www.pcgamer.com/security-researchers-aka-hackers-mak...
zdragnar | 3 years ago
CodesInChaos | 3 years ago
sp332 | 3 years ago
AlwaysRock | 3 years ago
DethNinja | 3 years ago
politelemon | 3 years ago
renewiltord | 3 years ago
The gain is quite a bit higher than $10k for the right domain. Give me a break.
jjjjjjjjjjjjjjj | 3 years ago
prvit | 3 years ago
treesknees | 3 years ago
tennisflyi | 3 years ago
teeceetime2 | 3 years ago
tonmoy | 3 years ago
vorvac | 3 years ago
cgb223 | 3 years ago
s_dev | 3 years ago
deletescape | 3 years ago
eknkc | 3 years ago
debacle | 3 years ago
They are the Linode of the domain space.
EricE | 3 years ago
prvit | 3 years ago
rvz | 3 years ago
So many deranged folks on Twitter these days.
lmilano | 3 years ago
He doesn't even want to know how you did it.
kingofkyiv | 3 years ago
sva_ | 3 years ago
> buyagf.com
What the hell am I looking at?
gnomesteel | 3 years ago
that_guy_iain | 3 years ago
mario_kart_snes | 3 years ago
davidgerard | 3 years ago
https://twitter.com/ReneReh1/status/1564349884106477573
There's at least one customer name in there.
nibbleshifter | 3 years ago