# GoDaddy: how not to treat your employees...



## ShelLuser (Dec 26, 2020)

Hi gang!

This is pretty offtopic I suppose and to make matters 'worse' it doesn't even directly concern me. But I got so _immensely_ pissed off after reading about this that I just couldn't help to share a small vent with my fellow techies.

I'm sure we all heard of GoDaddy before? For those who have not: GoDaddy is one of the larger domain hosting providers. They provide hosting services which vary between hosting of domain and e-mail as well as websites and virtual servers. You can also apply for other services such as SSL certificates.

Personally I've always been quite satisfied with their services, though I'll be the first to admit that they've always been a little pushy. For example: registering a new domain doesn't only take you through the required steps to set it up, naah, you're also going to have to go through dozens of suggested services. All optional, sure, but you're still going to click through several pages with several other "amazing" deals for you to consider. But from a technical point of view I've always been satisfied.

Until now 

*Christmas "bonus"*

See, GoDaddy had a wonderful idea this Christmas and they decided to sent all (or several?) of their employees an e-mail in which they promised them a $650 Christmas bonus. All the employee had to do was follow a link, fill out a form and things would be said in motion. Yah, but if they did then _another_ e-mail would follow 2 days later in which they were told that they failed the "Phishing test" and were expected to follow an internal training to regarding electronic security.

I'm *not* making this crap up!

What a way to treat your employee's in times like these, great job! 

I call that cyberbullying and/or trolling, and I have one very simple answer for that garbage...

Anyway, in the mean time they apologized although they obviously still believe that there was a great goal to keep in mind here, but even so I think this is just cruel and disgusting behavior in these already harsh times. What on earth were they thinking?

*I'm out*

Now... this is not your casual "_This company sucks_" thread because honestly I still think quite positively about the hosting services provided by GoDaddy and I'm also definitely not suddenly calling them out as being bad or something. It's also not my intent to urge others to dump them because, well, that would actually hurt those employee's even more! 

Even so, learning about this news seriously ticked me off so I wanted to share with other techies. I've already set a few things in motion for myself and all my domains which I still had with GoDaddy will be moved to another provider within a day or 3 - 5. This is no way to treat people, especially in times like these, and well... if they are this disrespectful towards their employees then what's stopping them to do the same towards their customers?

Maybe food for thought?


----------



## PMc (Dec 26, 2020)

ShelLuser said:


> Yah, but if they did then _another_ e-mail would follow 2 days later in which they were told that they failed the "Phishing test"


Well, yes, probably they did. Such tests are quite common practice in larger shops.


> if they are this disrespectful towards their employees then what's stopping them to do the same towards their customers?


Yes, that's indeed the question. But that is the question with all those shops that got big enough to take the money-making for granted and their employees for modern-day slaves.

Considering - the domain reservation business, just as the security certificate business, is basically a money-for-nothing business. The only thing they could probably be worried about is that the don't get hacked. And there we are.

But also, there are lots of other shops offering that same kind of service, and most of them do not try and strive for world domination, and some of them at least create the _impression_ that they would have a somehow familiar working atmosphere.


----------



## neel (Dec 27, 2020)

I use Dynadot for my domain names. GoDaddy is woefully overpriced.

GoDaddy is like Beats by Dr. Dre: you pay for the brand name and marketing. GoDaddy and Beats are both very pushy in marketing and selling when compared to other registrars/hosts and audio brands.

Many incorporation services in the US are also pushy the way GoDaddy is, although I never registered a company.


----------



## scottro (Dec 27, 2020)

I think they should have done something other than an email about bonuses, but, I don't know how much access these employees have to various godaddy stuff. For example, if some of them have access to godaddy's DNS servers, a lot of damage could be done.  Also, as far as I know, they're not getting fired, they're getting reprimanded, if they are, but  they're being told they have to retrain and they should be. They apparently took a course on avoiding this sort of thing and just clicked without looking closely.   

I have very mixed feelings on it though.  Seems they should have chosen something else equally attractive, but I don't know what that would have been.  Just think of what your reaction would be if godaddy is doing your DNS, and you read that they had a data breach, that started when an employee was fooled by a phishing email.

The simple solution is to make  everyone use mutt or other text mailer, and get rid of html email, but that ain't gonna happen. People gotta have their dancing kittens.  (Debates searching for a link to a video of dancing kittens, but is too lazy.)


----------



## PMc (Dec 27, 2020)

neel said:


> I use Dynadot for my domain names.


That was one of those I thought of. The other would be Porkbun, obviousely. (And you can always try nic.ru)


----------



## neel (Dec 27, 2020)

PMc said:


> That was one of those I thought of. The other would be Porkbun, obviousely. (And you can always try nic.ru)


Porkbun is  even cheaper, and I know about Porkbun, but I never bothered to transfer from Dynadot.

nic.ru is overpriced for a .org domain (which I use for personal email) thanks to RUB->USD conversion rate (I live in the US). I don't speak Russian, and I'm not sure if I can trust a Russian registrar considering what Putin is doing with regards to Internet Censorship/Surveillance. I'm involved in the Tor community, and I don't want to lose my domain if Putin ever blocks Tor!

And I have my .org renewed until 2029: well, what if .org really did sell (fortunately it didn't)?


----------



## drhowarddrfine (Dec 27, 2020)

fwiw, GoDaddy was the first name registrar I used in 2003. Not only was I immediately turned off by the elephant killer owner but by the spam focused process and hoops you had to go through. I never used them again and do not understand why anyone uses them.


----------



## scottro (Dec 27, 2020)

I stopped using them when they supported SOPA, or whatever it was called, one of the anti piracy things that was going to make it even easier to accuse without proof.  After a lot of people did it, they changed their minds and decided to not support the act, but I was gone already.  (Just goes to show, on occasion, a lot of individuals with the same idea can make a difference.)


----------



## SirDice (Dec 27, 2020)

ShelLuser said:


> See, GoDaddy had a wonderful idea this Christmas and they decided to sent all (or several?) of their employees an e-mail in which they promised them a $650 Christmas bonus. All the employee had to do was follow a link, fill out a form and things would be said in motion. Yah, but if they did then _another_ e-mail would follow 2 days later in which they were told that they failed the "Phishing test" and were expected to follow an internal training to regarding electronic security.


That was definitely the wrong way to do it. The organization I currently work for does do phishing tests but never like this. Some of their fake phishing is blatantly obvious, some are more intricate but I always recognize them (they use a certain commercial software package for this, it sticks out in the headers). I think it's good they do those tests on a regular basis though, it keeps people on their toes. The way GoDaddy did it however reeks. That said, money is often a good incentive for people to click on anything. That's why we still get tons of those advanced fee scams.


----------



## ucomp (Dec 27, 2020)

SirDice said:


> ..... That said, money is often a good incentive . ......I always recognize...


yeah, I remember your phishing skills :








						Solved - IPFW logs
					

Hi!  I got many times logs of blocking 151.139.128.14 and less times 188.121.36.239. Are those  tracking companies or is something else, please?  Thank you.




					forums.freebsd.org
				



 ... just kidding..
Regards


----------



## phalange (Dec 27, 2020)

Without context, this is a hard call. 

Obviously head-faking employees with a bonus is ugly. But there are some problems with the story.

First, if the security team was specifically training employees how to recognize and avoid scams of this kind (which is one of a million sh**** phishing emails many of us receive), then testing the training is in bounds, and I would be pretty upset that the employees weren't paying attention.

Second, I know of no companies who spam out "click here for your bonus" links. That should be a massive red flag to anyone, and especially people in roles where they are desirable targets for scammers.

Third, it's not clear if these people got bonuses irrespective of the phishing simulation / reprimand. If the company canceled 2020 bonuses and then used bonuses as the phish bait, that's a low blow. But it's not clear that they didn't receive their regular bonuses as planned either.

Fourth, the reason security teams run these scam tests is not because they're sadistic, it's because the scammers will stoop to any low. My inbox has it all -- fake "dead relatives", phony "law suits", spurious "medical charges" -- there's nothing off limits. So training your team to be vigilant means preparing them for scenarios that make your skin crawl.

Ultimately it's our data at stake. Though I don't use godaddy and have never, I entrust personal information to companies by necessity, and frankly I'm tired of the "oops, data breach, we just lost everything you ever told us, sorry bro" routine. And nearly always from sloppy security management and poorly trained employees.

I don't side with godaddy, but I do side with strong, well maintained security policies and rigorously trained teams. Don't hate the player, hate the game.


----------



## a6h (Dec 27, 2020)

This is how I read emails:
1. HTML/CSS/Script/etc is disabled in al of my MUA (hard thing to do in web mail)
2. When I see a link, I copy it into a ASCII text editor.
3. I check the URL, and then do whatever I have to do!
4. in 99.99% cases I won't trust anything (web/mail/etc address) above ASCII aka ASCII/7!
5. I have all of my important URL in a text file. In such cases (important stuffs):
I. Copy the domain from my text file.
II. Extract the path (directory) from the suspicious link (email, search, etc)
III. Concatenate domain and path, and finally enter the final result in the browser address bar.
6. I'm using different email addresses, but generally I follow the "White listing" approach.

[EDIT 1] I should say this way of doing things will make life much more harder. But, here we are!
[EDIT 2] Web mail and reading email on the phone teach people to develop bad security habits.


----------



## Crivens (Dec 27, 2020)

If it sounds too good to be true, it prolly is. And I have no context, but these tests are too few IMHO. We need to weed out more of the click happy fools and keep them away from permissions and dangerous machines. Like network connected computers.


----------



## SirDice (Dec 27, 2020)

On a more fun note:








						This is what happens when you reply to spam email
					

Suspicious emails: unclaimed insurance bonds, diamond-encrusted safe deposit boxes, close friends marooned in a foreign country. They pop up in our inboxes, and standard procedure is to delete on sight. But what happens when you reply? Follow along as writer and comedian James Veitch narrates a...




					www.ted.com
				




Go look up James Veitch on Youtube, he has a lot more.


----------



## a6h (Dec 27, 2020)

In all fairness, there're situations, which are more disturbing than email Phishing. For example, sending an ASCII email, and receiving a WhatsApp voice message in response!


----------

