It's amazing that (approximately) no one cares about stuff like this.
GoDaddy was severely breached several times over several years, yet they still rake in billions of revenue from their millions of customers. Now they have to pay someone to fill out a biennial checklist and... promise to not lie. Awesome.
If you own a company, why even bother with security? Security is expensive. Wait until a breach is exposed, offer $10 credit monitoring (at best), accept the free press coverage, maybe pinky promise to not lie if you've been particularly egregious in your handling of multiple incidents, and then carry on like normal. (This is tongue-in-cheek, I work in security, but I am frustrated with how often stories like this one occur)
>If you own a company, why even bother with security? Security is expensive. Wait until a breach is exposed, offer $10 credit monitoring (at best), accept the free press coverage, maybe pinky promise to not lie if you've been particularly egregious in your handling of multiple incidents, and then carry on like normal. (This is tongue-in-cheek, I work in security, but I am frustrated with how often stories like this one occur)
As SRE, I've heard executives say this "There is no penalty for breaches, why care?"
> As SRE, I've heard executives say this "There is no penalty for breaches, why care?"
Honestly, I'm more afraid of reputational loss than government fines. Our customers don't have to use our product. They do because they trust us. Lose that trust and it's awfully hard to get it back.
The whole thread is related to GoDaddy's numerous breaches not affecting their bottom line or market position. So it seems lots and lots and lots of people really don't care.
Also your data will probably just be leaked somewhere else sometime anyway. Punishing a single company once unfortunately does next to nothing at this point.
I think customers feel, rightly or wrongly, there's no alternative to CrowdStrike.
There are so many alternatives to what GoDaddy provides, it is quite commoditized.
But also... true, their customers don't seem to care anyway? Or it's "cost of switch", even just mentally? If you were starting fresh it really wouldn't be any harder at all to go with any of numerous alternatives, but if you already have godaddy...
I've actually not worked anywhere that has used CrowdStrike. It's usually ruled out as too expensive (I've mostly worked in public sector). I've had very good experiences with Sentinel One and Microsoft Defender. I've had terrible experiences with Trellix and Sophos. "Oopsy" aside, is CrowdStrike really that much better than the competition?
I only worked at one shop that used CrowdStrike, but TBH compared to the others I've had to deal with, it definitely is the 'least' shitty compared to other competitors...
It's enterprise software. The people using the software and the people choosing the software are not the same people. In many cases they only buy it to satisfy a contractual or regulatory requirement and then the primary criterion is which one costs less or which one's sales reps give the best kickbacks, with considerations like "is it any good" not really playing a major role.
I always feel dumb and like I'm missing some fundamental principle thinking about companies like GoDaddy. They provide a pretty undifferentiated commodity with a relatively low bar to switching, don't seem particularly well run or trustworthy based among other things on events like this, and their brand and marketing give off a vaguely skeezy low-rent vibe. Is it just a perpetual motion machine of market sharing affording good marketing which then drives continued market share?
> Is it just a perpetual motion machine of market sharing affording good marketing which then drives continued market share?
Worse. It's a market where most of the customers are unsophisticated but price sensitive, so they tend to prefer the provider with the lowest apparent price, and then the big providers compete on the basis of who can present the lowest apparent price through the use of dark patterns, misleading claims, bait and switch tactics and hidden fees.
Example: GoDaddy provides a "free" site builder but if you use it the resulting site can't easily be extricated from their service and now you're locked in if you don't want to recreate your site. Meanwhile the price you were quoted for various services was an onboarding price and now that you've sunk a lot of time creating and improving the site you can't move, the price is going up.
This is, incidentally, a major reason WordPress is so popular despite being fairly miserable. It makes it easy for unsophisticated users to get started and your site isn't tied to a particular host.
Not commodified as much as regulated. The personal data that banks collect is probably mandated by the government, so switching banks doesn't really change the risk someone faces. And probably a bunch of other things that would otherwise be competitive advantages for customers too. The lack of full reserve banks (or close enough to) despite what would be a reasonable level of customer demand, for example.
It takes time; there are plenty of lawsuits flying around that incident.
Even if they win all the suits without settling or losing, customers will negotiate far stiffer penalties and controls on next renewal, or get steep discounts, or just straight up switch vendors.
Sooner or later their ability to be competitive will get affected and they will likely become a target for acquisition and rebranding.
Organizations of that magnitude do not collapse overnight like startups.
Crowdstrike's security reputation matters a lot more. I'll bet the customers assume the competitors have the same reliability problems, they can tolerate a little downtime, and going with nobody is even worse.
That reputational loss is almost exclusively among those who understand how the crowdstrike products work, but the Venn diagram with those folks and “people at companies who can approve large expenses” is nearly empty.
Yes, the CRWD ticker took a hard hit, dropping about 50% over the course of 2 weeks last July. But... it recently topped its previous high, only 7 months later (which is like 1/2 or 1/3 of an enterprise sales cycle!).
I feel this is more important for a younger or smaller company, and less so when stopping a product from one company to switch to another is a pain in the ass or has other problems / risks.
Switching from GoDaddy to another registrar is not super hard, but there are hurdles, and sometimes problems occur that even people with experience run into.
I think (some?) people also hope a place that suffers a breach learns from it and makes it near impossible for similar to happen again.
Most customers use your product because it was on the first page of their Google search results.
The only people whose reputation gets ruined are the D-Level Directors and Managers who run this stuff and regularly run into budget or resource shortfalls that prevent them from doing all that they are capable of doing.
Creating lock-in which prevents customers from having an alternative is a more effective use of money, because it "solves" not just the threat of reputation loss due to security failures, but many others at the same time.
> As SRE, I've heard executives say this "There is no penalty for breaches, why care?"
Depends on the industry. I'm in healthcare, and our legal department is always reminding the devs that even a small breach can be financially catastrophic for the company, as they are totaled as $xx,000 per person affected.
Except Change Healthcare got hacked, lost a ton of records, and they are still operating. So those fines must be... could be up to $xx,000 per person affected, but in actuality those affected will get an Arby's coupon and the C-suite will lose a week of yacht time.
I got a letter telling me they gave away my information with a link to an “identity monitoring” site that looks like the CEOs nephew built in a weekend and just errors out when I sign up.
You don't really have a choice, you have to have insurance for breaches (HIPAA term, not strictly the typical cybersec term, means any loss of control of information that results in potential of dissemination of PII).
So the answer is to put the same kind of onerous penalties that companies pay for leaking healthcare data and apply them to any PII / user data. If it can't hit the bottom line bigcorps don't care; liability is the only language they understand.
Then I (a normal user) find myself in the position of my data being stolen/mishandled AND having to either pay for it via increased fees, or my healthcare provider goes belly-up and I have to find a new one.
You have to provide your email to sign up for HN, however, it is not publicly visible. If YCombinator had to pay $10,000 for leaking a user email, this site isn't going to exist since it's not their core business and represents a huge liability.
It's also disproportionate. If my email is leaked in the context of receiving treatment for a stigmatized disease, that's a lot worse than an MMORPG leaking my real name.
Maybe some penalty is necessary, but $10k or above per user is disproportionate for the vast majority of people. A $50/person penalty with gradations for sensitivity of the information is going to work better in practice. If leaking an SSN is more expensive than an email or site-specific ID, corporations might stop using SSNs to identify people to reduce their exposure.
Have the C-suite hand back their compensation above minimum wage for the last 3 years. Fine the company, all profits, or a percentage of global revenue (and pay that back to customers).
If the outcome of ignoring data security is to not make any money then companies will actually do something about it.
Penalties should push the company to the point of failing.
> Then you get people on HN shouting "regulatory capture!" and "stifling innovation!"
Your phrasing it like this is not a substitute for explaining why it wouldn't be those things.
Also, the most obvious thing is: if you're a healthcare provider, you would probably hire some hackers to go after your competition, and let heavy-handed fines take them down. Much easier than providing better value.
Yeah it sucks, but what can you do when you have titanic amoral agents stomping through society? You gotta speak their language. Maybe scale the penalty with the size of the company.
I have started to put together some resources to teach the C-suite, maybe new-to-the-field lawyers, and other interested stakeholders about website compliance issues.
Looking to mimic other good training / learning materials, extra info to consider, maybe collab and send business I can't take on, etc.
Not the person you are replying to, but I work in security and have spent ~5 years of my career helping various companies set up and maintain security awareness programs.
There are some out-of-the-box solutions that can start you on your way to creating a security awareness training program, such as KnowBe4 and ProofPoint (there are others as well, but these are some of the big names). If you don't have in-house security staff, these types of offerings can be quite helpful.
For a more grounds-up approach, there are guidelines such as the NIST SP 800-50 "Building a Cybersecurity and Privacy Learning Program" guidance. (https://csrc.nist.gov/pubs/sp/800/50/r1/final)
If you have specific questions, I can try to answer them.
Very glad to see these options and how they can be perceived by people; this should mean there are paths, and that if they can be made better / different for different audiences they may be well received.
Appreciate you and @ziddoap offering insight!
Looking at starting a deck for FTC issues, HIPAA issues, and Google's policies, all for websites and apps specifically, very soon, and letting the videos / webinars / interactive / discussions grow from there.
While I agree with you, that's why they are a starting point for someone looking to stand up a program, not an end point.
And, from my experience, many of the trainings that seem almost offensively easy to me (e.g. "How to read a URL") have been some of the ones that received the most positive feedback from non-technical departments.
The real key with security awareness training is ensuring the training is at the appropriate level of complexity for the trainee.
One way to relieve the boredom is to count the number of times you see the people in videos typing away on desktops/monitors with no cables plugged into them.
KnowBe4 is awesome. It trains everyone to be on the lookout. The penalty for barely screwing up is another boring training session that no one has time for. Very painful. Pain is a great teacher.
> And people wonder why Luigi is seen by some as "the good guy".
There are many reasons to explain why people wonder. No one single reason is enough to explain it.
Luckily, no penalty for breaches can be resolved with laws and/or regulations. I suggest you take this matter up with your lawmakers instead of making comments which incite those very same people you describe.
It's a bit exhausting that every time anyone says anything about executives in any context, we have to make sure to bring up the cold-blooded murder of one of them and make sure to remind everyone that some people on the internet think that that murder was justified.
It's free internet points, I guess, but it's also not constructive and frankly more than a little bit creepy.
> It's free internet points, I guess, but it's also not constructive and frankly more than a little bit creepy.
What makes you think it's not constructive?!
I think it's worth discussing why a large number (possibly even a majority!) of people want to murder executives. Telling those people to shut up removes yet another way for them to express their opinions. I think taking notice of the room is very constructive. I think having a point to discuss (even if it's violence) is constructive. Talk is cheap, after all; and talk is way cheaper than murder.
Moreover, I've heard many many many people insist that violence is never the answer. Alas, they forget that violence is how most countries were founded; ignore that many laws and regulations are written in blood; and rarely consider the situations where all other solutions have been explored and exhausted. Further, if business is so worried about costs, and violence can be cheaper than exploring all alternative options, then there's definitely a business mindset to that. And business is what you want to discuss anyway, right?
If you really think violence is never the answer then you should do everything in your power to prevent it. So instead of insulting someone for expressing an opinion, perhaps you should talk to them instead. You might discover a new/unique point of view, or you might even be able to change their mind.
Because it's completely and totally irrelevant to the topic at hand, the only connection is the general strata of the position that the people held—not even the same title, just the same class of title!
I'm generally not okay with people calling for murdering people based solely on their job title. Subtly hinting that it might be okay to kill those people is not much better.
> So instead of insulting someone for expressing an opinion, perhaps you should talk to them instead.
They didn't express an opinion, they casually referenced a mostly unrelated sensational story while intentionally avoiding expressing an opinion.
> Because it's completely and totally irrelevant to the topic at hand
Fun fact: topics can change while discussion continues.
> I'm generally not okay with people calling for murdering people based solely on their job title. Subtly hinting that it might be okay to kill those people is not much better.
To be clear, neither am I. But I do think it's important to discuss with people who think it is okay because, as I said earlier, telling them to shut up will result in worse situations.
> They didn't express an opinion
Perhaps the mere fact that you don't recognize their comment as an opinion is partly why people feel unheard.
They are also the worst hosting provider I have ever worked with, multiple times. Awful customer support and high prices. The only reason I work with them anymore is to migrate new customers to a different provider.
GoDaddy had really good marketing at one point and as of the last time I used it, which was years ago, they make it very difficult (I'm pretty sure by design) to leave. Their UX was one of the worst I've ever experienced in my life and they were consistently moving things around to make it worse. They essentially trap you, and someone without either the savvy or diligence will just give up.
The sad truth is that for the most part, the web hosting industry has normalized a fairly lax approach to security, and sees settlements like this, and even breaches, as a cost of doing business. Look at Wordpress maintenance, for example.
It's a tough business hosting arbitrary UGC, and doing it well costs a lot of time effort and money (ask me how I know). But I fully agree: treating this as just another line-item cost is absurd.
I'd be less amazed if people could articulate why this matters. What is the harm being done here and why is it more costly than GoDaddy raising their prices by a few dollars?
One example: They're selling domain registration privacy, but don't sufficiently secure the private data. The entire Domains by Proxy dataset is available on the dark web.
They profit a lot from uninformed CTOs and founders just going for whatever they heard of, instead of looking into whether it is a good provider, footing their businesses on shaky foundations.
Yeah - selection bias and apathy is the root of it, IMO.
GoDaddy attracts the unwashed masses who don't care about security, and who remain unfazed after learning about breaches. Meanwhile, the tech-savvy crowd who would care about breaches already know to avoid GoDaddy and view the inevitable breaches as the plebs reaping what they've sown.
Ergo, no one getting breached by GoDaddy cares, and nobody informed watching it happen feels a need to intervene.
Most companies are way too incompetent to even know how to secure their own data because it is just too expensive to actually hire someone that knows what they're doing - so most of the "cybersecurity" industry is just grifters talking about buzzwords and building dashboards to show how good they are at patching CVEs.
I have had to tell multiple cybersecurity vendors that brag about working with huge companies and governments that we cannot work with them because of how poor their own cybersecurity practices are (i.e. not using secure compute/hardware crypto when dealing with our private keys).
These are companies that should know better, I have had to stop ADP professional services more than once from disabling certificate validation on critical pipelines pertaining to confidential employee and customer information. I do not want to imagine what happens at 99% of companies with cybersecurity teams that don't even know what certificate validation is.
I worked for a medium sized company. They had a very large commercial e-commerce site for their customers. They used Wordpress sites that were hosted on GoDaddy. I worked there for two years. They never updated any of their passwords for GoDaddy or their Wordpress sites.
It's been almost ten years since I've worked there and I occasionally log on just to see if they've updated anything. Nope. Last time I checked was early 2024. Still nothing was updated.
I mean, someone gets access to their GoDaddy account and within minutes will have full control of a major bit of their business. Talk about playing with fire.
> It's been almost ten years since I've worked there and I occasionally log on just to see if they've updated anything. Nope. Last time I checked was early 2024. Still nothing was updated.
... but.. why?
Why let them live rent-free in your mind? Why admit to that in even a pseudonymous space?
I've had a dim view of them ever since my first interaction with Domains by Proxy (at the time, I recall finding that many 'windows support' scam sites and other malware distribution were showing up under their domains, and every attempt to uncover would only lead to an 'oh that account is now banned but we won't tell you thx').
... Honestly it reminds me of how some Internet VOIP providers won't tell the name of the business who actually bought the number (Which, of course, complicates the ability to collect on TCPA when it's a number used for spam.)
If you don't make the fines or whatever substantially more than the profit of the illicit or negligent conduct, it isn't a consequence. It's a budget line-item.
Every regulatory agency in America has been stripped to the bones by decades of budget cuts and never ending accusations of "stifling innovation" and we're shocked now that companies get away with both metaphorical and actual murder.
I know, that's exactly why I wrote "historic", but the current owners gave him an enormous amount of money, didn't clean up their act, and GoDaddy CONTINUES to be terrible.
The security breach we're discussing didn't happen 14 years ago, as you well know. They have a long and infamous track record and toxic corporate culture and unethical business practices and willfully misleading negligence of security that show no signs of improving.
So charming that you're on such a familiar first name basis with a piece of shit like Bob Parsons. Are you friends? Are you actually carrying the water for GoDaddy, or think it's ok to murder elephants and run incredibly sexist commercials while never giving a shit about security or customers? Yuck.
GoDaddy is one of the sleaziest companies I know of.
I ran a website hosted on GoDaddy for a local business when the server cluster was hacked. GoDaddy admitted it was their fault, but the business ended up having to pay me to fix the site. GoDaddy also managed to convince the business to pay for an additional monthly "security" plan, which included page caching. They set everything up over the phone without talking to me at all.
The next day I notice some odd behavior with the admin pages, then realize they're being cached, not only that but they're now publicly accessible. GoDaddy's improved security plan ended up being responsible for a data leak. They really screwed up twice but there was zero penalty, the only consequence was they made more money. The business chose to stay with GoDaddy, despite my recommendations. They saw the ads on TV and were convinced GoDaddy is the pinnacle of web hosting.
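The leak described in the comment above is a caching misconfiguration: a hosting-side "page cache" stored authenticated admin pages and served them to anonymous visitors. The check a site owner wants is whether any admin-area response is storable by a shared cache at all. The script below is an added example (not GoDaddy's, WordPress's or the commenter's code) that applies the shared-cache storability rules from RFC 9111 to response headers; the admin path prefixes and the sample responses are constructed for the demonstration.

```python
"""Flag admin-area HTTP responses that a shared cache (CDN, reverse proxy,
hosting-provider "page caching" plan) is allowed to store and replay to
other visitors. Added example; paths and responses below are constructed."""
from dataclasses import dataclass, field

# Assumption: the site's authenticated areas live under these prefixes.
ADMIN_PREFIXES = ("/wp-admin", "/admin", "/dashboard")


@dataclass
class Response:
    path: str
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_cache_control(value):
    """Return {directive: value_or_None} for a Cache-Control header value."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def shared_cacheable(resp):
    """True if a shared cache may store this response (RFC 9111 section 3)."""
    cc = parse_cache_control(resp.headers.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False          # explicitly forbidden for shared caches
    if "public" in cc:
        return True           # explicitly allowed
    if "s-maxage" in cc or "max-age" in cc:
        try:
            age = int(cc.get("s-maxage") or cc.get("max-age") or 0)
        except ValueError:
            age = 0
        return age > 0        # fresh for a positive lifetime -> storable
    # No Cache-Control at all: a 200 with an Expires header is still storable.
    return resp.status == 200 and "expires" in resp.headers


def is_admin_path(path):
    return path.startswith(ADMIN_PREFIXES)


def audit(responses):
    """Return admin paths whose responses a shared cache may serve to others."""
    return [r.path for r in responses
            if is_admin_path(r.path) and shared_cacheable(r)]


# Constructed responses: two leak candidates, two that are handled correctly.
SAMPLE = [
    Response("/", 200, {"cache-control": "public, max-age=600"}),
    Response("/wp-admin/edit.php", 200,
             {"cache-control": "public, max-age=300",
              "set-cookie": "wordpress_logged_in=<constructed>"}),
    Response("/wp-admin/users.php", 200,
             {"expires": "Thu, 01 Jan 2026 00:00:00 GMT"}),
    Response("/wp-admin/options.php", 200,
             {"cache-control": "no-store, private"}),
    Response("/admin/login", 200,
             {"cache-control": "max-age=0, must-revalidate"}),
]

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("shared-cacheable admin response:", path)
```

Run against a real site, the `Response` objects would be built from the headers returned while logged in; the fix for anything the audit flags is to have the application send `Cache-Control: no-store, private` on every authenticated response rather than trusting the hosting layer's cache exclusions.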
They seem to park so many domains it wouldn't surprise me if they park new domains based on domain searches. There is a clear motivation there so I always run whois in the terminal instead of searching on any domain registrar with the exception of cloud providers who don't make much of their money from domains.
I've definitely heard stories of people saying GoDaddy grabbed their domain right after they searched it. There's almost always someone following those stories saying that it was just coincidental.
I have zero trust in GoDaddy. I remember when I was kid using their service because my grandparents had bought a website and hosting services through them and they wanted me to create the site. Their interface was so confusing and I felt like I suddenly had no understanding of how computers work.
Fast forward to today, and yes, past me was not very knowledgeable, but not to the degree their site made me feel. They use custom terminology for industry standard things, group things together in weird locations, and have so many dark patterns.
My point: sleazy tactics like domain front-running would honestly be on brand. I tell people not to use GoDaddy and definitely not for domain searching.
I was shocked when I purchased a domain recently on GoDaddy (I normally use Cloudflare or AWS) and noticed that they have an 'upsell' with more security options (MFA and some other features) for something like $10/yr. Why wouldn't they want their customers to be more secure by default? To me it just reeks of money-grabbing for people that are none the wiser.
If every stolen or potentially stolen credential was billed to the breached provider at even $100/account*, SSO would become free so fast your head would spin.
Every credential in the provider's DB would be correctly seen as a liability.
* Arguably the number should be higher and contribute to an infosec response, detection, and preventative measures warchest. Though, ultimately, this would probably just enrich cybersecurity insurance firms.
SendGrid, pre IPO, had a GoDaddy security incident: someone social engineered one of the GoDaddy support reps into giving them control of our domain. We were able to re-secure the domain before the attacker fully locked us out. They could have pwned all of our email links.
A good law would be that if a customer's data is leaked, any and all revenue that was made with/through that customer must be returned to the customer. All of a sudden companies will magically remember how to do half-way sober IT again.
This would be awesome, few if any companies would be able to take the risk of storing customer info, since they would need very good security, and very good reason for every piece of data they store, and insurance to cover themselves in case they do lose your data. In fact companies would go out of their way to not store any of your data.
As someone with 20+ years experience in IT/DevOps/Cloud/whatever, I disagree.
They would simply need to actually use the security that is already there. Data leaks that happen due to lack of "very good security" are extremely rare. In almost every case, someone was doing something very stupid that everyone already agrees is a very obvious thing to not do.
> In fact companies would go out of their way to not store any of your data.
The companies that already use existing IT systems, as they are already designed to be used, have no problem protecting customer data and not leaking it. The companies that cannot properly hire or outsource competent IT people shouldn't be storing data in the first place. Commerce is subject to regulation, due to human nature, and different regulation is needed today.
> and insurance to cover themselves in case they do lose your data
I would prefer that this kind of insurance not exist.
GoDaddy will have known of this investigation since it began—probably for years. So it’s 90 days from now(ish), but they (should) have gotten a head start.
I can't pass by this comment about Network Solutions without an enthusiastic second. Several times per month I help various customers with their domains, and when I see that one is with Network Solutions, I know I'm going to have to waste a bunch of time with their terrible DNS editor and will have to wait around for at least 20 minutes before their own editor reflects the changes I've made.
The worst part is that when replacing an A record with a CNAME, it lets you delete the A record but then blocks you from adding the CNAME, because "a record with that name already exists" (referring to the one that was just deleted). This is where the 20+ minute wait changes from "inconvenient" to "downtime". It's been like this for at least 15 years.
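The "a record with that name already exists" refusal in the comment above is, in itself, a legitimate DNS check: a CNAME must be the only record at its owner name (RFC 1034 section 3.6.2), so an editor has to reject a CNAME while an A record is still there. The failure is that the editor applies the change as delete-then-add against a view that lags by 20 minutes, leaving a window with no record at all. The class below is an added example (not Network Solutions' code or anyone's production zone editor) that enforces the same rule but performs the swap as a single atomic replacement, so the name is never left empty; the zone contents are constructed.

```python
"""Zone editor demonstrating the CNAME-exclusivity rule and an atomic
'replace A with CNAME' operation. Added example; the sample zone is constructed."""
from collections import defaultdict


class ZoneError(ValueError):
    """Raised when an edit would violate a zone-consistency rule."""


class Zone:
    def __init__(self, records=()):
        # owner name (lower-cased, absolute) -> list of (type, rdata)
        self.rrsets = defaultdict(list)
        for name, rtype, rdata in records:
            self.add(name, rtype, rdata)

    def lookup(self, name):
        return list(self.rrsets.get(name.lower(), []))

    def add(self, name, rtype, rdata):
        """Add one record, refusing any combination that puts a CNAME
        alongside other data at the same name (RFC 1034 section 3.6.2)."""
        name, rtype = name.lower(), rtype.upper()
        existing = self.rrsets.get(name, [])
        if rtype == "CNAME" and existing:
            raise ZoneError(f"{name}: a record with that name already exists "
                            f"({sorted({t for t, _ in existing})})")
        if any(t == "CNAME" for t, _ in existing):
            raise ZoneError(f"{name}: cannot add {rtype} next to a CNAME")
        self.rrsets[name].append((rtype, rdata))

    def delete(self, name, rtype=None):
        """Delete one type (or every record) at a name."""
        name = name.lower()
        kept = [(t, d) for t, d in self.rrsets.get(name, [])
                if rtype and t != rtype.upper()]
        if kept:
            self.rrsets[name] = kept
        else:
            self.rrsets.pop(name, None)

    def replace_with_cname(self, name, target):
        """Atomically swap everything at `name` for a single CNAME, so there
        is no intermediate state with no record at all. Returns the old set."""
        name = name.lower()
        old = self.rrsets.get(name, [])
        if any(t in ("SOA", "NS") for t, _ in old):
            raise ZoneError(f"{name}: refusing to replace SOA/NS with CNAME")
        self.rrsets[name] = [("CNAME", target)]
        return old


# Constructed zone: the apex plus a www host with A and AAAA records.
SAMPLE_ZONE = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600"),
    ("example.test.", "NS", "ns1.example.test."),
    ("www.example.test.", "A", "192.0.2.10"),
    ("www.example.test.", "AAAA", "2001:db8::10"),
]

if __name__ == "__main__":
    zone = Zone(SAMPLE_ZONE)
    try:  # the naive path: add the CNAME while the A/AAAA records still exist
        zone.add("www.example.test.", "CNAME", "cdn.example.test.")
    except ZoneError as err:
        print("rejected:", err)
    replaced = zone.replace_with_cname("www.example.test.", "cdn.example.test.")
    print("replaced", replaced, "->", zone.lookup("www.example.test."))
```

The apex guard matters for the same reason: a CNAME at a name that carries SOA and NS records is invalid, which is why providers that want apex "aliases" implement them as a flattening feature rather than a literal CNAME.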
You just brought back a fifteen year old memory. I have used a lot of hosting services but have always avoided GoDaddy. The name sounded too playful...and that was after being a Host Gator customer for years. They were decent back in the day and let me serve ridiculous amounts of data from a shared hosting tier that always performed well...I was probably the noisy neighbor.
Years ago, before I was very computer literate, my friend turned me onto Network Solutions for hosting.
Long story short I got locked out of my account. It truly seemed like the support didn't want to help me get back in. This went for what felt like forever but was probably just a few weeks. I never got a resolution and was never able to log back in to my account.
I eventually did a chargeback because I couldn't use a service that I was paying for. They were all of a sudden proactive about reaching out - with an accusatory email nonetheless. In their view, the chargeback was fraudulent.
They should be looking into them for buying up all the competitors in domain selling. They bought two of the biggest competitors, Dan.com and Uniregistry. Dan.com charged 9% on a sale of a domain; now GoDaddy is charging 30%. Completely different company since Bob Parsons sold to a couple of private equity firms.
I guess it's just the power of advertising, but it's amazing to me that GoDaddy continues to be a popular solution for hosting, domain registration, etc. given their absolute toilet of a reputation.
They bought out another registrar I was a customer of. Now I am paying 40% more for renewals. If I want to migrate I need to expose my whois info. They're always looking to upsell me into some horrible hosting garbage.
Update your whois to bogus information, transfer the domain, restore whois information. Cloudflare is the cheapest domain registrar long-term, you might get cheaper ones for the first year or first 3 years.
Using bogus whois info is a great way to lose your domain. If you are afraid of exposing your phone number and address, rent a P.O. box and get a throwaway number to use in the interim.
You will not lose your domain for having bogus information for 7 days. Having bogus information takes months, if not an entire year, to ever go through, and the worst you will possibly get is a very stern warning to update your information or your domain will be taken away.
I still have a .com domain that I registered when I was a child and I've just never bothered to update the information on it; the regulations on these are as lax as GoDaddy's security.
If you're a site with millions of views a day this might be different.
It's called the 60 day registrant change lock. Most changes to administrative or technical contact information will trigger it.
Although it's a real ICANN rule, the registrar is allowed to override it if they want. Of course very few registrars offer that kind of customer service, so that escape hatch might as well not exist...
I don't use GoDaddy, but I had to transfer some domains off NetSol a couple months ago, and it made my experiences with GoDaddy look like a happy dream.
People will put up with all kinds of awfulness if they don't know better.
This is the real key. They have an awful reputation amongst technical people (for good reason) but that reputation largely fades away the less technical you are. The average person knows them for their effective marketing, seemingly low prices, and seemingly decent products. They don't get into the weeds enough to expose how untrue those things really are.
For a long time, I worked in an office across from their (now former) headquarters in the Scottsdale Air Park. The number of clients we had come in amazed that we must work so closely with them and expecting great things made the location of the office so invaluable that when they moved to Tempe and Chandler, we had to seriously discuss internally if we needed to follow them.
Squarespace positions themselves as a website builder more than a registrar. In fact, I doubt the average person would even realize they are a registrar, since that is abstracted away in the website building process.
Squarespace is not 'tagged' in my brain under the "domain registrar" category yet. When I blindly think of domain registrars, as much as I dislike them, Godaddy is the first to come to mind.
Hilarious to see all the takedowns on these videos. Who the hell DMCA's a reposted advertisement? It's literally free advertising. The only reason they would take these down is because they were ashamed of them - and they probably should be.
By law the FTC, like the FCC, cannot have more than 3 commissioners from the same party.
When there is an opening and there are already 3 from the President's party traditionally the President asks the Senate leader of the other party who should be nominated and the Senators of the President's party do not vote against that nominee.
"Incoming senior Trump administration officials have begun questioning career civil servants who work on the White House National Security Council about who they voted for in the 2024 election, their political contributions and whether they have made social media posts that could be considered incriminating by President-elect Donald Trump's team, according to a U.S. official familiar with the matter."
That those charged with national security are culled for lack of loyalty should be very concerning - even to those who voted for this person.
Good for you! Myself, I agree with you that Chamberlain is a great model to understand Trump.
Pretends to be a pacifist while buying time to strengthen the national economy to fight a big war everyone knows is inevitable because everyone wants it.
FDR is also a great model for Trump to understand the political levers to crush both an unelected and disloyal deep state and legitimate opposition.
However, may I also recommend you read a history book that doesn't bracket the world wars?
Of course he is, he's a narcissist. A narcissist whose legitimate orders were disobeyed by the military and who has been shot at with the security state high on many people's suspect list.
A cagey narcissist.
But there was a very specific allegation that Trump is asking "civil servants" who they voted for. A claim that is not only unsubstantiated, but that deals with a very specific council that, above all others, serves at the president's behest.
May I add that the NSC has been a nest of murderous assholes who draft the infamous kill-list that included a US citizen that Obama bragged of killing (and his underage son)?
These people belong in a crime tribunal, not next door to the Oval Office.
Asking for citations of dubious claims is not asking for unpaid labor.
The reasonable reaction to a dubious unsupported claim is immediate out-of-hand dismissal. In asking for a citation, they are giving you the benefit of the doubt; i.e. doing you a favor.
Where are the "dubious" claims? No one's saying he's an alien or playing 4-D chess.
He's one of the most public figures in the world right now, with hours of video "evidence" widely and easily available. Asking someone to prove he did an obvious thing in public is demanding unpaid labor.
This is not the same as expecting someone to back up a claim of a homeopathic treatment for brain cancer.
My hopes aren't high at this point. Trump and the GOP are hellbent on implementing all of the P2025 agenda - many of the flurry of EOs this week were either literally cribbed from the P2025 document or strongly appear to be AI-generated adaptations of the same.
Give it 6-12 months and we'll see how the courts react to challenges and if Congress suddenly grows a spine. And if a mid-term swing back to normalcy seems likely.
Luckily we have enough remaining guardrails that it's unlikely to happen within the next 4 years. But we're getting closer, that's for sure. And the Supreme Court's disastrous decision on presidential immunity is allowing Trump to play Generalissimo.
What guardrails are you talking about? Even ignoring the presidential immunity ruling that explicitly makes him Fuhrer, if Trump has ICE arrest all brown people tomorrow, what exactly is going to stop him? The courts? A judge can say whatever the hell they want from their bench, it won't stop an ICE agent from physically forcing you onto a C130 and taking you wherever.
Trump already "deported" legal American citizens his first term. Trump supporters openly insist on "deporting" a legal American citizen who dared to tell Trump that he's a meany.
The Constitution is just a piece of paper. None of the people in the Trump admin care about it or respect it. It will not save us. The guardrails are all gone.
I guess I've still been somewhat hopeful that the Legislative and Judicial branches will do their job and curb the worst of Trump's excesses or power grabs. But you're right that it's not looking good so far with the GOP Senate seeming to allow anything Trump wants so far. Hegseth's confirmation was a really bad sign.
And you're right, ICE could well be on its way to turning into the Stasi.
It's back up, the only real announcements listed from the new administration are Ferguson as chair and anti-DEI changes (including a 2-1-2 vote to allow it where "Commissioners Rebecca K. Slaughter and Lina M. Khan did not participate.")
It's amazing that (approximately) no one cares about stuff like this.
GoDaddy was severely breached several times over several years, yet they still rake in billions of revenue from their millions of customers. Now they have to pay someone to fill out a biennial checklist and... promise to not lie. Awesome.
If you own a company, why even bother with security? Security is expensive. Wait until a breach is exposed, offer $10 credit monitoring (at best), accept the free press coverage, maybe pinky promise to not lie if you've been particularly egregious in your handling of multiple incidents, and then carry on like normal. (This is tongue-in-cheek, I work in security, but I am frustrated with how often stories like this one occur)
>If you own a company, why even bother with security? Security is expensive. Wait until a breach is exposed, offer $10 credit monitoring (at best), accept the free press coverage, maybe pinky promise to not lie if you've been particularly egregious in your handling of multiple incidents, and then carry on like normal. (This is tongue-in-cheek, I work in security, but I am frustrated with how often stories like this one occur)
As an SRE, I've heard executives say this: "There is no penalty for breaches, why care?"
> As an SRE, I've heard executives say this: "There is no penalty for breaches, why care?"
Honestly, I'm more afraid of reputational loss than government fines. Our customers don't have to use our product. They do because they trust us. Lose that trust and it's awfully hard to get it back.
The whole thread is related to GoDaddy's numerous breaches not affecting their bottom line or market position. So it seems lots and lots and lots of people really don't care.
I can take my business elsewhere and do.
But do I blame the average person for not caring? The kind of person who would use GoDaddy for hosting? I find it really hard to blame them.
Also your data will probably just be leaked somewhere else sometime anyway. Punishing a single company once unfortunately does next to nothing at this point.
CrowdStrike took down all Windows boxes that had their software installed and it didn't really affect them.
I think customers feel, rightly or wrongly, there's no alternative to CrowdStrike.
There are so many alternatives to what GoDaddy provides, it is quite commoditized.
But also... true, their customers don't seem to care anyway? Or it's "cost of switch", even just mentally? If you were starting fresh it really wouldn't be any harder at all to go with any of numerous alternatives, but if you already have godaddy...
I've actually not worked anywhere that has used CrowdStrike. It's usually ruled out as too expensive (I've mostly worked in public sector). I've had very good experiences with SentinelOne and Microsoft Defender. I've had terrible experiences with Trellix and Sophos. "Oopsy" aside, is CrowdStrike really that much better than the competition?
I only worked at one shop that used CrowdStrike but TBH compared to the others I've had to deal with, definitely is the 'least' shitty compared to other competitors...
The big four (CRWD, S1, Prisma, and MDE) are all mostly comparable tbh.
EDR (especially Windows EDR) is heavily commodified.
A commodified market with no good product? Something is wrong here.
It's enterprise software. The people using the software and the people choosing the software are not the same people. In many cases they only buy it to satisfy a contractual or regulatory requirement and then the primary criterion is which one costs less or which one's sales reps give the best kickbacks, with considerations like "is it any good" not really playing a major role.
Race to the bottom.
I always feel dumb and like I'm missing some fundamental principle thinking about companies like GoDaddy. They provide a pretty undifferentiated commodity with a relatively low bar to switching, don't seem particularly well run or trustworthy based among other things on events like this, and their brand and marketing give off a vaguely skeezy low-rent vibe. Is it just a perpetual motion machine of market share affording good marketing which then drives continued market share?
> Is it just a perpetual motion machine of market share affording good marketing which then drives continued market share?
Worse. It's a market where most of the customers are unsophisticated but price sensitive, so they tend to prefer the provider with the lowest apparent price, and then the big providers compete on the basis of who can present the lowest apparent price through the use of dark patterns, misleading claims, bait and switch tactics and hidden fees.
Example: GoDaddy provides a "free" site builder but if you use it the resulting site can't easily be extricated from their service and now you're locked in if you don't want to recreate your site. Meanwhile the price you were quoted for various services was an onboarding price and now that you've sunk a lot of time creating and improving the site you can't move, the price is going up.
This is, incidentally, a major reason WordPress is so popular despite being fairly miserable. It makes it easy for unsophisticated users to get started and your site isn't tied to a particular host.
Are banks not fairly commodified too?
Did you move to a new bank after yours had a security breach?
There are so many breaches these days, companies don’t even have liability — any damages can be blamed on another breach.
Not commodified as much as regulated. The personal data that banks collect is probably mandated by the government, so switching banks doesn't really change the risk someone faces. And probably a bunch of other things that would otherwise be competitive advantages for customers too. The lack of full reserve banks (or close enough to) despite what would be a reasonable level of customer demand, for example.
Yet.
It takes time; there are plenty of lawsuits flying around that incident.
Even if they win all the suits without settling or losing, customers will negotiate far stiffer penalties and controls on next renewal or get steep discounts or just straight up switch vendors.
Sooner or later their ability to be competitive will get affected and they will likely become a target for acquisition and rebranding.
Organizations of that magnitude do not collapse overnight like startups.
I've been around long enough to see this not happen. CrowdStrike ticks a lot of boxes and no one buys them for anything else.
CrowdStrike's security reputation matters a lot more. I'll bet the customers assume the competitors have the same reliability problems, they can tolerate a little downtime, and going with nobody is even worse.
> they can tolerate a little downtime
A couple of days of production stopped can cost a lot of money.
That reputational loss is almost exclusively among those who understand how the CrowdStrike products work, but the Venn diagram with those folks and "people at companies who can approve large expenses" is nearly empty.
Yes, the CRWD ticker took a hard hit, dropping about 50% over the course of 2 weeks last July. But... it recently topped its previous high, only 7 months later (which is like 1/2 or 1/3 of an enterprise sales cycle!).
I feel this is more important for a younger or smaller company, and less so when stopping a product from one company to switch to another is a pain in the ass or has other problems / risks.
Switching from GoDaddy to another registrar is not super hard, but there are hurdles and sometimes problems occur that even people with experience run into.
I think (some?) people also hope a place that suffers a breach learns from it and makes it near impossible for similar to happen again.
Most customers use your product because it was on the first page of their Google search results.
The only people whose reputation gets ruined are the D-level directors and managers who run this stuff and regularly run into budget or resource shortfalls that prevent them from doing all that they are capable of doing.
Creating lock-in which prevents customers from having an alternative is a more effective use of money, because it "solves" not just the threat of reputation loss due to security failures, but many others at the same time.
Many people consider building a business on customer trust to be a strategic mistake.
> As an SRE, I've heard executives say this: "There is no penalty for breaches, why care?"
Depends on the industry. I'm in healthcare, and our legal department is always reminding the devs that even a small breach can be financially catastrophic for the company, as they are totaled as $xx,000 per person affected.
We get training on it every six months.
Except Change Healthcare got hacked, lost a ton of records and they are still operating. So those fines must be, could be up to $xx,000 per person affected but in actuality, those affected will get an Arby's coupon and the C-suite will lose a week of yacht time.
I didn’t even get an Arby’s coupon.
I got a letter telling me they gave away my information with a link to an “identity monitoring” site that looks like the CEOs nephew built in a weekend and just errors out when I sign up.
Not even that. You always have insurance for this stuff.
But then the insurance company has to pay, and they'll work hard to make sure it doesn't happen. This doesn't sound like an explanation to me.
You don't really have a choice, you have to have insurance for breaches (HIPAA term, not strictly the typical cybersec term, means any loss of control of information that results in potential of dissemination of PII).
So the answer is to put the same kind of onerous penalties that companies pay for leaking healthcare data and apply them to any PII / user data. If it can't hit the bottom line bigcorps don't care; liability is the only language they understand.
Then I (a normal user) find myself in the position of my data being stolen/mishandled AND have to either pay for it via increased fees, or my healthcare provider goes belly-up and I have to find a new one.
> So the answer is to put the same kind of onerous penalties that companies pay for leaking healthcare data and apply them to any PII / user data
Then you get people on HN shouting "regulatory capture!" and "stifling innovation!"
You have to provide your email to sign up for HN, however, it is not publicly visible. If YCombinator had to pay $10,000 for leaking a user email, this site isn't going to exist since it's not their core business and represents a huge liability.
It's also disproportionate. If my email is leaked in the context of receiving treatment for a stigmatized disease, that's a lot worse than an MMORPG leaking my real name.
Maybe some penalty is necessary but $10k or above per user is disproportionate for the vast majority of people. A $50/person penalty with gradations for sensitivity of the information is going to work better in practice. If leaking an SSN is more expensive than an email or site-specific ID, corporations might stop using SSNs to identify people to reduce their exposure.
Have the C-suite hand back their compensation above minimum wage for the last 3 years. Fine the company, all profits, or a percentage of global revenue (and pay that back to customers).
If the outcome of ignoring data security is to not make any money then companies will actually do something about it.
Penalties should push the company to the point of failing.
> Then you get people on HN shouting "regulatory capture!" and "stifling innovation!"
You phrasing it like this is not a substitute for explaining why it wouldn't be those things.
Also, the most obvious thing is: if you're a healthcare provider, you would probably hire some hackers to go after your competition, and let heavy-handed fines take them down. Much easier than providing better value.
Wouldn't that strongly incentivize companies to secure their data better, thereby achieving the goal?
It might achieve that goal, at the too-high expense of other things.
Yeah it sucks, but what can you do when you have titanic amoral agents stomping through society? You gotta speak their language. Maybe scale the penalty with the size of the company.
I'd like to hear more about this training -
I have started to put together some resources to teach C suite, maybe new-to-the-field lawyers, other interested stakeholders - about website compliance issues..
looking to mimic other good training / learning materials, extra info to consider, maybe collab and send business I can't take on, etc.
Not the person you are replying to, but I work in security and have spent ~5 years of my career helping various companies set up and maintain security awareness programs.
There are some out-of-the-box solutions that can start you on your way to creating a security awareness training program, such as KnowBe4 and Proofpoint (there are others as well, but these are some of the big names). If you don't have in-house security staff, these types of offerings can be quite helpful.
For a more grounds-up approach, there are guidelines such as the NIST SP 800-50 "Building a Cybersecurity and Privacy Learning Program" guidance. (https://csrc.nist.gov/pubs/sp/800/50/r1/final)
If you have specific questions, I can try to answer them.
As a technically-minded person, I've found both KnowBe4 and Proofpoint trainings to be very lacking/boring/superficial.
Very glad to hear about these options and how they can be perceived by people; this should mean there are paths, and that if they can be made better / different for different audiences they may be well received.
Appreciate you and @ziddoap offering insight!
Looking at starting deck for FTC issues, Hipaa issues, and Google's policies - all for websites and apps specifically very soon and let the videos / webinars / interactive / discussions grow from here.
While I agree with you, that's why they are a starting point for someone looking to stand up a program, not an end point.
And, from my experience, many of the trainings that seem almost offensively easy to me (e.g. "How to read a URL") have been some of the ones that received the most positive feedback from non-technical departments.
The real key with security awareness training is ensuring the training is at the appropriate level of complexity for the trainee.
One way to relieve the boredom is to count the number of times you see the people in videos typing away on desktops/monitors with no cables plugged into them.
KnowBe4 is awesome. It trains everyone to be on the lookout. The penalty for barely screwing up is another boring training session that no one has time for. Very painful. Pain is a great teacher.
Yeah I got those trainings when I was merely healthcare adjacent adjacent adjacent.
It turns out HIPAA is a pretty good incentive to do the right thing, and the key difference is that there are actual consequences for violating HIPAA.
Even better, the consequences are stronger in the event that the company obviously wasn't giving a fuck about security.
I wish we had HIPAA for all PII.
But it does slow things down. Startups don't want to deal with that stuff. So they'd have to outsource it. I'm not sure how.
We’Ve eVaLuaTeD the RisKs
> And people wonder why Luigi is seen by some as "the good guy".
There are many reasons to explain why people wonder. No one single reason is enough to explain it.
Luckily, no penalty for breaches can be resolved with laws and/or regulations. I suggest you take this matter up with your lawmakers instead of making comments which incite those very same people you describe.
It's a bit exhausting that every time anyone says anything about executives in any context, we have to make sure to bring up the cold-blooded murder of one of them and make sure to remind everyone that some people on the internet think that that murder was justified.
It's free internet points, I guess, but it's also not constructive and frankly more than a little bit creepy.
> It's free internet points, I guess, but it's also not constructive and frankly more than a little bit creepy.
What makes you think it's not constructive?!
I think it's worth discussing why a large number (possibly even a majority!) of people want to murder executives. Telling those people to shut up removes yet another way for them to express their opinions. I think taking notice of the room is very constructive. I think having a point to discuss (even if it's violence) is constructive. Talk is cheap, after all; and talk is way cheaper than murder.
Moreover, I've heard many many many people insist that violence is never the answer. Alas, they forget that violence is how most countries were founded; ignore that many laws and regulations are written in blood; and rarely consider the situations where all other solutions have been explored and exhausted. Further, if business is so worried about costs, and violence can be cheaper than exploring all alternative options, then there's definitely a business mindset to that. And business is what you want to discuss anyway, right?
If you really think violence is never the answer then you should do everything in your power to prevent it. So instead of insulting someone for expressing an opinion, perhaps you should talk to them instead. You might discover a new/unique point of view, or you might even be able to change their mind.
> What makes you think it's not constructive?!
Because it's completely and totally irrelevant to the topic at hand, the only connection is the general strata of the position that the people held—not even the same title, just the same class of title!
I'm generally not okay with people calling for murdering people based solely on their job title. Subtly hinting that it might be okay to kill those people is not much better.
> So instead of insulting someone for expressing an opinion, perhaps you should talk to them instead.
They didn't express an opinion, they casually referenced a mostly unrelated sensational story while intentionally avoiding expressing an opinion.
> Because it's completely and totally irrelevant to the topic at hand
Fun fact: topics can change while discussion continues.
> I'm generally not okay with people calling for murdering people based solely on their job title. Subtly hinting that it might be okay to kill those people is not much better.
To be clear, neither am I. But I do think it's important to discuss with people who think it is okay because, as I said earlier, telling them to shut up will result in worse situations.
> They didn't express an opinion
Perhaps the mere fact that you don't recognize their comment as an opinion is partly why people feel unheard.
> Fun fact: topics can change while discussion continues.
That doesn't make it reasonable to insert a casual call for murder into every loosely related conversation [0].
[0] https://news.ycombinator.com/item?id=42860778
You're right, it doesn't.
It's the time we live in.
They are also the worst hosting provider I have ever worked with, multiple times. Awful customer support and high prices. The only reason I work with them anymore is to migrate new customers to a different provider.
GoDaddy had really good marketing at one point and as of the last time I used it, which was years ago, they make it very difficult (I'm pretty sure by design) to leave. Their UX was one of the worst I've ever experienced in my life and they were consistently moving things around to make it worse. They essentially trap you, and someone without either the savvy or diligence will just give up.
The sad truth is that for the most part, the web hosting industry has normalized a fairly lax approach to security, and sees settlements like this, and even breaches, as a cost of doing business. Look at Wordpress maintenance, for example.
It's a tough business hosting arbitrary UGC, and doing it well costs a lot of time effort and money (ask me how I know). But I fully agree: treating this as just another line-item cost is absurd.
I'd be less amazed if people could articulate why this matters. What is the harm being done here and why is it more costly than GoDaddy raising their prices by a few dollars?
One example: They're selling domain registration privacy, but don't sufficiently secure the private data. The entire Domains by Proxy dataset is available on the dark web.
So basically like Microsoft ?
They profit a lot from uninformed CTOs and founders just going for whatever they heard of, instead of looking into whether it is a good provider, footing their businesses on shaky foundations.
Yeah - selection bias and apathy is the root of it, IMO.
GoDaddy attracts the unwashed masses who don't care about security, and who remain unfazed after learning about breaches. Meanwhile, the tech-savvy crowd who would care about breaches already know to avoid GoDaddy and view the inevitable breaches as the plebs reaping what they've sown.
Ergo, no one getting breached by GoDaddy cares, and nobody informed watching it happen feels a need to intervene.
> They profit a lot from uninformed CTOs and founders just going for whatever they heard of, instead of looking into whether it is a good provider
If it wasn't for those old Super Bowl ads, GoDaddy wouldn't exist today.
Sex sells.
Most companies are way too incompetent to even know how to secure their own data because it is just too expensive to actually hire someone that knows what they're doing - so most of the "cybersecurity" industry is just grifters talking about buzzwords and building dashboards to show how good they are at patching CVEs.
I have had to tell multiple cybersecurity vendors that brag about working with huge companies and governments that we cannot work with them because of how poor their own cybersecurity practices are (i.e. not using secure compute/hardware crypto when dealing with our private keys).
These are companies that should know better, I have had to stop ADP professional services more than once from disabling certificate validation on critical pipelines pertaining to confidential employee and customer information. I do not want to imagine what happens at 99% of companies with cybersecurity teams that don't even know what certificate validation is.
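As an added example of what "disabling certificate validation" actually looks like in a pipeline, and how to catch it before a vendor's "temporary" fix ships: the code below is not the commenter's, ADP's or any vendor's. It builds the two shapes of a Python HTTPS client context (verification off vs. hardened), a predicate that tells them apart, and a small source audit for the usual switches that turn verification off. The pipeline snippet and deploy script it scans are constructed for this illustration.

```python
"""Added example: unsafe vs. hardened TLS client contexts, plus a source audit
for the common ways verification gets disabled. The snippets scanned at the
bottom are constructed, not taken from any real pipeline."""
import re
import ssl
from typing import List, Optional, Tuple


def unsafe_client_context() -> ssl.SSLContext:
    """What 'disabling certificate validation' looks like: no chain check and
    no hostname check, so a MITM presenting any self-signed cert is accepted.
    Built here only so the checker below has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify chain and hostname, floor the protocol at TLS 1.2, and optionally
    pin the trust store to one private CA bundle instead of the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the chain, checks the hostname and
    refuses TLS below 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


# Each pattern is one of the usual ways a "temporary" fix disables verification.
DANGEROUS_PATTERNS: List[Tuple[str, str]] = [
    (r"\bverify\s*=\s*False\b", "requests/httpx call with verify=False"),
    (r"\bCERT_NONE\b", "ssl verify_mode set to CERT_NONE"),
    (r"_create_unverified_context", "ssl._create_unverified_context()"),
    (r"\bcheck_hostname\s*=\s*False\b", "hostname check disabled"),
    (r"\bPYTHONHTTPSVERIFY\s*=\s*0\b", "PYTHONHTTPSVERIFY=0 in the environment"),
    (r"\bcurl\b[^\n]*\s(-k|--insecure)\b", "curl -k / --insecure"),
    (r"\bGIT_SSL_NO_VERIFY\s*=\s*(1|true)\b", "git TLS verification disabled"),
    (r"\bNODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0", "Node TLS verification disabled"),
]


def audit_source(text: str, filename: str = "<string>") -> List[Tuple[str, int, str]]:
    """Return (filename, line number, reason) for every line that matches a
    known verification-disabling pattern."""
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, why in DANGEROUS_PATTERNS:
            if re.search(pattern, line):
                findings.append((filename, lineno, why))
    return findings


# Constructed samples of the kind of thing that ends up in an integration repo.
PIPELINE_SNIPPET = """\
import requests
session = requests.Session()
# "temporary" workaround left in after a proxy certificate error
resp = session.post(PAYROLL_URL, json=employee_batch, verify=False)
"""

DEPLOY_SCRIPT = """\
export GIT_SSL_NO_VERIFY=1
curl -k https://hr-api.example.internal/upload -F file=@employees.csv
"""

if __name__ == "__main__":
    print("hardened safe:", context_is_safe(hardened_client_context()))
    print("unsafe safe:  ", context_is_safe(unsafe_client_context()))
    for f in audit_source(PIPELINE_SNIPPET, "sync.py") + audit_source(DEPLOY_SCRIPT, "deploy.sh"):
        print("%s:%d: %s" % f)
```

The audit is deliberately line-based and regex-driven so it can run as a pre-commit hook or a CI step over a vendor-supplied repo; pass it the text of each file and fail the build on any finding. A pinned `cafile` is the right answer to the "corporate proxy breaks the chain" complaint that usually precedes `verify=False`.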
True story.
I worked for a medium sized company. They had a very large commercial e-commerce site for their customers. They used Wordpress sites that were hosted on GoDaddy. I worked there for two years. They never updated any of their passwords for GoDaddy or their Wordpress sites.
It's been almost ten years since I've worked there and I occasionally log on just to see if they've updated anything. Nope. Last time I checked was early 2024. Still nothing was updated.
I mean, someone gets access to their GoDaddy account and within minutes will have full control of a major bit of their business. Talk about playing with fire.
> It's been almost ten years since I've worked there and I occasionally log on just to see if they've updated anything. Nope. Last time I checked was early 2024. Still nothing was updated.
... but.. why?
Why let them live rent-free in your mind? Why admit to that in even a pseudonymous space?
I've had a dim view of them ever since my first interaction with Domains by Proxy (At the time, I recall finding that many 'windows support' scam sites and other malware distribution was showing up under their domains, and every attempt to uncover would only lead to a 'oh that account is now banned but we wont tell you thx'.)
... Honestly it reminds me of how some Internet VOIP providers won't tell the name of the business who actually bought the number (Which, of course, complicates the ability to collect on TCPA when it's a number used for spam.)
If you don't make the fines or whatever substantially more than the profit of the illicit or negligent conduct, it isn't a consequence. It's a budget line-item.
Every regulatory agency in America has been stripped to the bones by decades of budget cuts and never ending accusations of "stifling innovation" and we're shocked now that companies get away with both metaphorical and actual murder.
The elephant in the room may be GoDaddy's historical total disregard for security, but hey, those pesky elephants won't shoot themselves!
GoDaddy CEO's graphic elephant hunt video sends his clients flocking to competitors, and helps raise $20,000 for elephant charity:
https://www.dailymail.co.uk/news/article-1374679/GoDaddy-CEO...
GoDaddy CEO Kills Elephant:
https://www.youtube.com/watch?v=YnM5yTW2B3g
Bob hasn't been CEO of GoDaddy since 2011
I know, that's exactly why I wrote "historic", but the current owners gave him an enormous amount of money, didn't clean up their act, and GoDaddy CONTINUES to be terrible.
The security breach we're discussing didn't happen 14 years ago, as you well know. They have a long and infamous track record and toxic corporate culture and unethical business practices and willfully misleading negligence of security that show no signs of improving.
So charming that you're on such a familiar first name basis with a piece of shit like Bob Parsons. Are you friends? Are you actually carrying the water for GoDaddy, or think it's ok to murder elephants and run incredibly sexist commercials while never giving a shit about security or customers? Yuck.
GoDaddy is one of the sleaziest companies I know of.
I ran a website hosted on GoDaddy for a local business when the server cluster was hacked. GoDaddy admitted it was their fault, but the business ended up having to pay me to fix the site. GoDaddy also managed to convince the business to pay for an additional monthly "security" plan, which included page caching. They set everything up over the phone without talking to me at all.
The next day I notice some odd behavior with the admin pages, then realize they're being cached, not only that but they're now publicly accessible. GoDaddy's improved security plan ended up being responsible for a data leak. They really screwed up twice but there was zero penalty, the only consequence was they made more money. The business chose to stay with GoDaddy, despite my recommendations. They saw the ads on TV and were convinced GoDaddy is the pinnacle of web hosting.
Also, check this out: https://www.butterflyave.com/
Those assholes have parked my old business name, and want to sell it back to me for $1,499.
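As an added example of the caching failure the comment above describes, and not the commenter's code or anything from GoDaddy's product: a toy shared page cache in front of a constructed origin app. The "cache everything by URL" policy republishes the admin's page to the next anonymous visitor; the second policy applies the admissibility rules a shared (multi-user) cache must enforce before storing anything. The `/admin/` prefix, the cookie name, the page bodies and the origin's behaviour are all assumptions made for the illustration.

```python
"""Added example: why a shared page cache must not store personalised responses.
The origin app, URL prefix, cookie and bodies are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # lowercase names


@dataclass
class Response:
    status: int
    headers: Dict[str, str]  # lowercase names
    body: str


Policy = Callable[[Request, Response], bool]


def cache_control_directives(value: str) -> Set[str]:
    """'private, max-age=0' -> {'private', 'max-age'}"""
    return {p.strip().split("=", 1)[0].lower() for p in value.split(",") if p.strip()}


def cache_everything(req: Request, resp: Response) -> bool:
    """The broken policy: any 200 goes into the shared cache, keyed by URL."""
    return resp.status == 200


PRIVATE_PREFIXES = ("/admin/",)  # assumption: where the authenticated UI lives


def shared_cache_policy(req: Request, resp: Response) -> bool:
    """Rules a shared cache must apply before storing a response."""
    if req.method != "GET" or resp.status != 200:
        return False
    if req.path.startswith(PRIVATE_PREFIXES):
        return False
    directives = cache_control_directives(resp.headers.get("cache-control", ""))
    if "no-store" in directives or "private" in directives:
        return False
    if "set-cookie" in resp.headers:
        return False
    # A request carrying credentials usually gets a personalised answer; store it
    # only when the origin explicitly marks the response shareable.
    if "authorization" in req.headers or "cookie" in req.headers:
        return "public" in directives
    return True


class SharedCache:
    """Minimal URL-keyed cache in front of an origin; one store for all users."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.store: Dict[Tuple[str, str], Response] = {}

    def fetch(self, req: Request, origin: Callable[[Request], Response]) -> Tuple[Response, bool]:
        key = (req.method, req.path)
        if key in self.store:
            return self.store[key], True  # cache hit, served to whoever asked
        resp = origin(req)
        if self.policy(req, resp):
            self.store[key] = resp
        return resp, False


def origin(req: Request) -> Response:
    """Constructed origin app. It sets no Cache-Control on the admin page at all,
    which is exactly the sloppy app a caching layer has to be robust against."""
    if req.path.startswith("/admin/"):
        if req.headers.get("cookie") == "session=alice":
            return Response(200, {"content-type": "text/html"},
                            "<h1>Orders</h1><p>customer PII: Jane Doe, 4111...</p>")
        return Response(302, {"location": "/login"}, "")
    return Response(200, {"cache-control": "public, max-age=600"}, "<h1>Welcome</h1>")


def anonymous_sees_admin_page(policy: Policy) -> bool:
    """Admin views /admin/orders; then an anonymous visitor requests the same URL."""
    cache = SharedCache(policy)
    cache.fetch(Request("GET", "/admin/orders", {"cookie": "session=alice"}), origin)
    resp, hit = cache.fetch(Request("GET", "/admin/orders"), origin)
    return hit and "PII" in resp.body


def public_page_is_cached(policy: Policy) -> bool:
    """The safe policy should still cache the genuinely public front page."""
    cache = SharedCache(policy)
    cache.fetch(Request("GET", "/"), origin)
    _, hit = cache.fetch(Request("GET", "/"), origin)
    return hit


if __name__ == "__main__":
    print("leak with cache_everything:", anonymous_sees_admin_page(cache_everything))
    print("leak with shared_cache_policy:", anonymous_sees_admin_page(shared_cache_policy))
    print("front page cached under safe policy:", public_page_is_cached(shared_cache_policy))
```

The point of the credentials rule is that it protects even an origin that never sets `Cache-Control`: the cache refuses on the request's `Cookie` header alone. A real proxy cache should additionally key on the headers named in `Vary`, but the storage decision above is where the leak in the story happened.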
They seem to park so many domains it wouldn't surprise me if they park new domains based on domain searches. There is a clear motivation there so I always run whois in the terminal instead of searching on any domain registrar with the exception of cloud providers who don't make much of their money from domains.
I've definitely heard stories of people saying GoDaddy grabbed their domain right after they searched it. There's almost always someone following those stories saying that it was just coincidental.
I have zero trust in GoDaddy. I remember when I was kid using their service because my grandparents had bought a website and hosting services through them and they wanted me to create the site. Their interface was so confusing and I felt like I suddenly had no understanding of how computers work.
Fast forward to today, and yes, past me was not very knowledgeable, but not to the degree their site made me feel. They use custom terminology for industry standard things, group things together in weird locations, and have so many dark patterns.
My point: sleazy tactics like domain front-running would honestly be on brand. I tell people not to use GoDaddy and definitely not for domain searching.
I was shocked when I purchased a domain recently on GoDaddy (I normally use Cloudflare or AWS) and noticed that they have an 'upsell' with more security options (MFA and some other features) for something like $10/yr. Why wouldn't they want their customers to be more secure by default? To me it just reeks of money-grabbing for people that are none the wiser.
It is outrageous and irresponsible to charge for MFA.
It shows a cavalier attitude toward the greater security of the internet.
Same for OIDC (and even traditional SAML SSO).
If every stolen or potentially stolen credential was billed to the breached provider at even $100/account*, SSO would become free so fast your head would spin.
Every credential in the provider's DB would be correctly seen as a liability.
* Arguably the number should be higher and contribute to an infosec response, detection, and preventative measures warchest. Though, ultimately, this would probably just enrich cybersecurity insurance firms.
Agreed.
Another example is Microsoft charging extra for enhanced logging. This came to light during the SolarWinds debacle.
Not exactly the same but this reeks of https://sso.tax.
Why did you purchase a domain on GoDaddy if you know better?
SendGrid, pre IPO, had a GoDaddy security incident: someone social engineered one of the GoDaddy support reps into giving them control of our domain. We were able to re-secure the domain before the attacker fully locked us out. They could have pwned all of our email links.
A good law would be that if a customer's data is leaked, any and all revenue that was made with/through that customer must be returned to the customer. All of a sudden companies will magically remember how to do half-way sober IT again.
This would be awesome, few if any companies would be able to take the risk of storing customer info, since they would need very good security, and very good reason for every piece of data they store, and insurance to cover themselves in case they do lose your data. In fact companies would go out of their way to not store any of your data.
> since they would need very good security
As someone with 20+ years experience in IT/DevOps/Cloud/whatever, I disagree.
They would simply need to actually use the security that is already there. Data leaks that happen due to lack of "very good security" are extremely rare. In almost every case, someone was doing something very stupid that everyone already agrees is a very obvious thing to not do.
> In fact companies would go out of their way to not store any of your data.
The companies that already use existing IT systems, as they are already designed to be used, have no problem protecting customer data and not leaking it. The companies that can not properly hire or outsource competent IT people shouldn't be storing data in the first place. Commerce is subject to regulation, due to human nature, and different regulation is needed today.
> and insurance to cover themselves in case they do lose your data
I would prefer that this kind of insurance not exist.
The FTC action is because GoDaddy claimed to have security when they didn’t - not because they didn’t have security in the first place.
Subtle but important difference.
Also the remedies include having a complete security program within 90 days IIRC; in what world would anyone think that's remotely possible?
They wouldn’t even have an RFP drafted in 90 days.
GoDaddy will have known of this investigation since it began—probably for years. So it’s 90 days from now(ish), but they (should) have gotten a head start.
If you think GoDaddy is the most terrible, you have never been exposed to the hell that is Network Solutions.
GoDaddy is big, safe and terrible. Network Solutions is big, safe and even worse.
I can't pass by this comment about Network Solutions without an enthusiastic second. Several times per month I help various customers with their domains, and when I see that one is with Network Solutions, I know I'm going to have to waste a bunch of time with their terrible DNS editor and will have to wait around for at least 20 minutes before their own editor reflects the changes I've made.
The worst part is that when replacing an A record with a CNAME, it lets you delete the A record but then blocks you from adding the CNAME, because "a record with that name already exists" (referring to the one that was just deleted). This is where the 20+ minute wait changes from "inconvenient" to "downtime". It's been like this for at least 15 years.
You just brought back a fifteen year old memory. I have used a lot of hosting services but have always avoided GoDaddy. The name sounded too playful...and that was after being a Host Gator customer for years. They were decent back in the day and let me serve ridiculous amounts of data from a shared hosting tier that always performed well...I was probably the noisy neighbor.
Years ago, before I was very computer literate, my friend turned me onto Network Solutions for hosting.
Long story short I got locked out of my account. It truly seemed like the support didn't want to help me get back in. This went for what felt like forever but was probably just a few weeks. I never got a resolution and was never able to log back in to my account.
I eventually did a chargeback because I couldn't use a service that I was paying for. They were all of a sudden proactive about reaching out - with an accusatory email nonetheless. In their view, the chargeback was fraudulent.
I can't believe they still exist. I remember having to fax my changes to them, pre-2000, when they were the only game in town.
Crazy.
I can't believe GoDaddy is still in business. Shows you can be a horrible company -- borderline scammy back in the day -- and somehow survive.
FWIW we've used Gandi for years and very happy with it.
I used Gandi for a long time and switched after they were bought out and registration prices started rising. HN article from 2023 - https://news.ycombinator.com/item?id=35080777
After that I've used spaceship.com, NameCheap's rebrand, without complaint and most recently porkbun.com due to support in dnscontrol.
The power of advertising and first-mover advantage. Outside of the tech space, people really only know of GoDaddy if they want to buy a domain.
Marketing and large captive audience.
Are there any security related accreditations for a company that are worth more than the paper they are(n't) printed on?
They should be looking into them for buying up all the competitors in domain selling. They bought two of the biggest competitors, Dan.com and Uniregistry. Dan.com charged 9% on a sale of a domain; now GoDaddy is charging 30%. Completely different company since Bob Parsons sold to a couple of private equity firms.
In related news, their ISO 27001 certificate just expired. Seems in line with their overall security posture then https://img1.wsimg.com//Sitecore/6/1/registrar-iso27001-cert...
ISO 27001 doesn’t mean secure. It does mean they have invested money in compliance though.
I guess it's just the power of advertising, but it's amazing to me that GoDaddy continues to be a popular solution for hosting, domain registration, etc. given their absolute toilet of a reputation.
They bought out another registrar I was a customer of. Now I am paying 40% more for renewals. If I want to migrate I need to expose my whois info. They're always looking to upsell me into some horrible hosting garbage.
They've bought up a whole series of services I was using and ruined them.
Anyway. Nice to see the FTC getting a few wins in before they are defanged by the new administration.
Update your whois to bogus information, transfer the domain, restore whois information. Cloudflare is the cheapest domain registrar long-term, you might get cheaper ones for the first year or first 3 years.
Using bogus whois info is a great way to lose your domain. If you are afraid of exposing your phone number and address, rent a P.O. box and get a throwaway number to use in the interim.
You will not lose your domain for having bogus information for 7 days. Having bogus information takes months if not an entire year to ever go through, and the worst you will possibly get is a very stern warning to update your information or your domain will be taken away.
I still have a .com domain that I've registered from when I was a child and I've just never bothered to update the information on it; the regulations on these are as lax as GoDaddy's security.
If you're a site with millions of views a day this might be different.
How does this happen? I have a few throwaway domains on bogus whois info. How would they find out and wouldn't you get a chance to fix it?
Yes, you will receive a warning first, at worst your domain will go into reconciliation.
Can you temporarily change your whois info before you migrate to somewhere else?
I've had some registrars lock the domain from transferring for a few weeks after changing whois.
It's called the 60 day registrant change lock. Most changes to administrative or technical contact information will trigger it.
Although it's a real ICANN rule, the registrar is allowed to override it if they want. Of course very few registrars offer that kind of customer service, so that escape hatch might as well not exist...
I don't use GoDaddy, but I had to transfer some domains off NetSol a couple months ago, and it made my experiences with GoDaddy look like a happy dream.
People will put up with all kinds of awfulness if they don't know better.
They got their product out.
Who else is there that the average person would know about?
Correct. And the average person isn't aware of their "toilet of a reputation".
This is the real key. They have an awful reputation amongst technical people (for good reason) but that reputation largely fades away the less technical you are. The average person knows them for their effective marketing, seemingly low prices, and seemingly decent products. They don't get into the weeds enough to expose how untrue those things really are.
For a long time, I worked in an office across from their (now former) headquarters in the Scottsdale Air Park. The number of clients we had come in amazed that we must work so closely with them and expecting great things made the location of the office so invaluable that when they moved to Tempe and Chandler, we had to seriously discuss internally if we needed to follow them.
Squarespace advertises a lot too, probably more than GoDaddy nowadays, and they are also a domain registrar.
Maybe GoDaddy just sells themselves better? I see Squarespace as kind of an amorphous boring blob of internet business services.
Squarespace positions themselves as a website builder more than a registrar. In fact, I doubt the average person would even realize they are a registrar, since that is abstracted away in the website building process.
Squarespace is not 'tagged' in my brain under the "domain registrar" category yet. When I blindly think of domain registrars, as much as I dislike them, GoDaddy is the first to come to mind.
Yup they dominate mindshare.
And their UI for choosing a domain name is excellent.
An unofficial ranking of the most NSFW GoDaddy commercials ever:
https://www.golfdigest.com/story/an-unofficial-ranking-of-th...
The Woman(!) Behind GoDaddy's Tasteless, Effective Super Bowl Ads:
https://www.forbes.com/sites/jeffbercovici/2013/02/06/the-wo...
Who Let These Commercials Be On TV?
https://www.youtube.com/watch?v=_rRopnyZaR0
GoDaddy's most infamous ads:
https://www.youtube.com/watch?v=u7yFCqOAb9Y
10 SEXIEST GoDaddy Super Bowl Commercials - Sexy Super Bowl Ads:
https://www.youtube.com/watch?v=4ECUIQv9ruo
Hilarious to see all the takedowns on these videos. Who the hell DMCA's a reposted advertisement? It's literally free advertising. The only reason they would take these down is because they were ashamed of them - and they probably should be.
To be fair, they should also have a site gaydaddy.com and tv commercials that objectify sexy men.
Moved all my domains to porkbun last year...could not be happier!
Time for GoDaddy's CEO to book a few rooms at Trump Hotel in DC.
I never thought I'd be a fan of a government agency. But here we are.
Press release is dated Jan 15. The folks who made this happen are gone now.
If you'd like to see what the new admin's FTC is spending your tax dollars on instead of this, take a look here: https://www.ftc.gov/news-events/news/press-releases
Why do you think they’re gone now?
(Sounds like hyperbole, as it’s not like non political people just all got replaced.)
Change "gone" to "out of power," if you like. The FTC Chair controls the agency's agenda, and the Chair switched parties last week.
The new chair was nominated for the FTC (as a commissioner, not chair) by Biden.
By law the FTC, like the FCC, cannot have more than 3 commissioners from the same party.
When there is an opening and there are already 3 from the President's party traditionally the President asks the Senate leader of the other party who should be nominated and the Senators of the President's party do not vote against that nominee.
Yes, and?
Federal employees are being asked who they voted for.
This is not hyperbole.
I am not sure what you mean by falsified but is this OK?
https://www.independent.co.uk/news/world/americas/us-politic...
"Incoming senior Trump administration officials have begun questioning career civil servants who work on the White House National Security Council about who they voted for in the 2024 election, their political contributions and whether they have made social media posts that could be considered incriminating by President-elect Donald Trump's team, according to a U.S. official familiar with the matter."
That those charged with national security are culled for lack of loyalty should be very concerning - even to those who voted for this person.
I am considering this in the context of 1930's history.
Good for you! Myself, I agree with you that Chamberlain is a great model to understand Trump.
Pretends to be a pacifist while buying time to strengthen the national economy to fight a big war everyone knows is inevitable because everyone wants it.
FDR is also a great model for Trump to understand the political levers to crush both an unelected and disloyal deep state and legitimate opposition.
However, may I also recommend you read a history book that doesn't bracket the world wars?
> So Trump is demanding loyalty from the members of the National Security Council. Not the FTC. Not the DOE.
No. He's demanding loyalty from everyone.
Of course he is, he's a narcissist. A narcissist whose legitimate orders were disobeyed by the military and who has been shot at with the security state high on many people's suspect list.
A cagey narcissist.
But there was a very specific allegation that Trump is asking "civil servants" who they voted for. A claim that is, not only, unsubstantiated, but that deals with a very specific council that, above all others, serves at the president's behest.
May I add that the NSC has been a nest of murderous assholes who draft the infamous kill-list that included a US citizen that Obama bragged of killing (and his underage son)?
These people belong in a crime tribunal, not next door to the Oval Office.
Uh, is Trump's mouth during both of his presidential campaigns citation enough? He's not even shy about his, um, desire for fealty.
Then link it unedited.
He's an asshole, I get it. But half of what is said about him is false (pee pee tapes?) that Americans don't give a darn about what is true.
Stop asking people to do unpaid labor for you.
Asking for citations of dubious claims is not asking for unpaid labor.
The reasonable reaction to a dubious unsupported claim is immediate out-of-hand dismissal. In asking for a citation, they are giving you the benefit of the doubt; i.e. doing you a favor.
Where are the "dubious" claims? No one's saying he's an alien or playing 4-D chess.
He's one of the most public figures in the world right now, with hours of video "evidence" widely and easily available. Asking someone to prove he did an obvious thing in public is demanding unpaid labor.
This is not the same as expecting someone to back up a claim of a homeopathic treatment for brain cancer.
Is the US turning into "fourth Reich"?
My hopes aren't high at this point. Trump and the GOP are hellbent on implementing all of the P2025 agenda - many of the flurry of EOs this week were either literally cribbed from the P2025 document or strongly appear to be AI-generated adaptations of the same.
Give it 6-12 months and we'll see how the courts react to challenges and if Congress suddenly grows a spine. And if a mid-term swing back to normalcy seems likely.
Luckily we have enough remaining guardrails that it's unlikely to happen within the next 4 years. But we're getting closer, that's for sure. And the Supreme Court's disastrous decision on presidential immunity is allowing Trump to play Generalissimo.
What guardrails are you talking about? Even ignoring the presidential immunity ruling that explicitly makes him Fuhrer, if Trump has ICE arrest all brown people tomorrow, what exactly is going to stop him? The courts? A judge can say whatever the hell they want from their bench, it won't stop an ICE agent from physically forcing you onto a C130 and taking you wherever.
Trump already "deported" legal American citizens his first term. Trump supporters openly insist on "deporting" a legal American citizen who dared to tell Trump that he's a meany.
The Constitution is just a piece of paper. None of the people in the Trump admin care about it or respect it. It will not save us. The guardrails are all gone.
I guess I've still been somewhat hopeful that the Legislative and Judicial branches will do their job and curb the worst of Trump's excesses or power grabs. But you're right that it's not looking good so far with the GOP Senate seeming to allow anything Trump wants so far. Hegseth's confirmation was a really bad sign.
And you're right, ICE could well be on its way to turning into the Stasi.
10% from each party support deporting legal immigrants.
Source?
Don't anger Orange Adolf.
Total dissolved solids?
Technical Documentation Services?
Time-driven switching?
(insert president name here, as it's not limited to any single person) Derangement Syndrome is definitely problematic.
Agreed.
ODS was pretty bad. CDS was very self destructive for the GOP. BDS helped give Jr a second term.
>NOTICE: The FTC website is currently unavailable. Thank you for your patience while we work to restore service.
It's back up, the only real announcements listed from the new administration are Ferguson as chair and anti-DEI changes (including a 2-1-2 vote to allow it where "Commissioners Rebecca K. Slaughter and Lina M. Khan did not participate.")
Latest press release: "FTC Grants Chairman Ferguson Authority to Comply with President Trump’s Orders to End DEI"