The title was NOT sensationalist, and the change here is a loss of information. They aren't "transitioning" to a .org, their domain was stolen. the .com shouldn't be trusted at this point, as it has apparently been taken over by some rogue former-team-member.
The new title is the same as the post title on Cyanogenmod.org.
The change doesn't really lose information; almost everything in the original title was false. Perhaps a better title would be "cyanogenmod.com hijacked by rogue admin, transitions to cyanogenmod.org". But the usual policy here when changing titles is to change it to the original title of the article, which is what it is now.
There is, so far as I've discerned, an automated bot running that changes submission titles to the HTML title of the URL. No human intervention, no human judgment.
This seems easy enough to test. Someone just needs to put up a page which changes the in-page TITLE to something new for every hit, and then let someone submit it. Then see if it changes, and what it changes to, and when. Then work backwards from the server logs to see who or what is doing it.
If it's a bot, you could have some random gunk in there, and it would flip over automatically. If it's human, they might not accept a (hex|base64|...) encoding of some magic number. Of course, said human could also read this, know what was going on, and modify their behavior accordingly.
Nope, as you can see, they originally changed it to "Transition to CyanogenMod.org", while the HTML title of the URL is "PSA: Transition to CyanogenMod.org". Then after complaints that that change went too far, they added the "Cyanogenmod.com hijacked" part. Now the title is better than either the original title of the submission or the HTML title of the original article.
I don't think it's a bot; it's just that the policy is that if the title is misleading or sensationalist, to prefer the original title of the article over anything else. So that's what the admins go with the vast majority of the time if anyone complains. In this case, the hijacking really is relevant, so they added that part back in again.
Maybe there was a middle ground, but the former title made it seem like CyanogenMod itself was taken offline, and made no mention to the domain itself. I'd say in situations like that it's just better to default to the actual article title.
As OP I agree. The title was not sensationalist. I guess moderators changed the link and title. I agree with changing link but not with the present title. The .com domain was my bookmarked domain and usually I will go this domain first before going to any other CM link. As a donor to CM I felt shocked that even the .com Google apps account is now taken down by rogue admin. Usually these accounts were used by users and other developers. All the social media were also linking through this .com email addresses AFAIK.
Why is everyone complaining about the title? Yes its a bit sensationalist but all of this is detracting from the actual story here.
While it's true that cyanogenmod.com going down may not serve a functional problem to most people but it is a pretty sad story. I have used Cyanogen on a couple phones and all my Android devices use the Clockwork recovery, which is an incredible tool. I don't know the specifics but I don't think anybody on the Cyanogen team was receiving money for their work. Granted, there are premium versions in the Play Store, but certainly nobody is getting rich of Cyanogen or clockwork.
The fact that somebody is screwing them over just to make a couple bucks seems pretty terrible to me. These guys do this for fun and for the good of the community (not to mention for the good of Google), so my heart really goes out to them. I hope you get everything sorted out and get everything back up.
There is a PayPal donation form at the bottom of their site. I have donated in the past when they have asked and I'm sure I will this time if they make an appeal to pay for legal fees.
Again, so sad to see this happen to such a great group of devs.
I like the idea of buying a related domain and donating it to the community as mentioned in another comment. I agree that we as community of hackers should try to figure out how can we help CM who are just a group a volunteers doing great work for the community.
And in the thread, he mentions that Swappa is doing the same thing, $500 a month plus $10 per device sold, though there's no way to verify if that's true. Swappa claims to donate $5 per device sold to Cyanogenmod, though who knows if that's been going to the actual project or this joker. http://swappa.com/cyanogenmod
That's some pretty serious fraud there, if this is true.
This is pretty scary now that CM has started to do OTA updates again. What server is that mechanism checking and trusting? Is there any cryptographic verification for update packages? Whose keys are used (the keys of the bad dude?)?
This is definitely important to find out in the wake of this incident, and I'm anxious to learn the answers myself. That said, CyanogenMod distributes its builds through a separate dedicated site [1] that appears to be unaffected.
If search engines are indexing your site with any regularity and you kill all your DNS records I'd say it's not terribly surprising to have your domain removed. That combined with the new .org being an exact match for a "cyanogen" search would probably do it.
It looks more likely that someone form the search team browses HN or uses Cyanogen (very likely) and they intervened and updated the index manually. I am sure google has a back-end to do stuff manually.
The .com site did completely disappear, and for a relatively high profile site like that, it's probably indexed pretty often.
There's also the possibility that the developers had access to the "Google Webmaster Tools" for cyanogenmod.com, even though they didn't own the domain, and so just told Google that the site had moved.
It's the #1 on Bing and DuckDuckGo as well, though interestingly you can still see links in the .com in both Bing and DuckDuckGo results, but Google has eliminated the .com completely from their results.
Cyanogenmod devs need to get PGP keys and start using cryptographic signatures like now. The guy never would have been able to impersonate in the first place if they were doing this, and now it's even more important that the @cyanogenmod.com domain is directing to a different mail server.
Not sure if that's the case. Most people he was impersonating himself to probably don't know enough to find and check PGP signatures; especially since most email does not come with PGP signatures, the lack of a signature is not something that would cause anyone to bat an eyelash.
If he prominently announced on his sites "DO NOT accept anything without a cryptographic signature as authentic", it is likely to have worked. It's not like the targeted victims had not visited Cyanogen's site or done any research before.
And at worst, a policy of signing all emails makes it so he can't be framed; someone can't alter mails and claim they were sent in that state, and if this guy thought he was going to be caught and went into the mail server to try and plant the evidence so that when the deals fell through the real Cyanogen was still on the hook, he wouldn't be able to reproduce a valid signature and one would say "Cyanogen was obviously framed, as he would never certify a deal in an email without a cryptographic signature".
How would have they distributed the keys? I can easily upload a key with an arbitrary id and username to any public keyserver. You have to actually check that you trust the key by utilizing the web of trust.
Alternatively, you could use SSL certificates, but since the attacker controlled cyanogenmod.com, he probably could have social-engineered the CA to issue him an email certificate.
Does anybody know how this "rogue" webmaster took undue advantage of the CyanogenMod brand? The Facebook post states something about referral deals with community sites. Any idea what that would mean in practical terms?
According to the conversation linked to by CM member koush[1], in one instance he approached a CM distributor requesting a 'contribution':
"Hi, we noticed that you are selling these cards with CyanogenMod builds. We do not however seem to have any agreements in place for this and feel it's only fair that you start contributing to the CyanogenMod project to continue selling your products."
It seems a nice idea, buying the CM.com domain and donating it to the project. Wonder if this sleazeball had a change of heart, or was he planning on embezzling referral traffic the whole time?
And due to the small size (and lack of funds), the CyanogenMod.com domain was bought by a third-party back in 2009 and donated to CM, when CM was a much smaller project and had no online presence besides XDA.
I must be missing something (and speaking from a US perspective), but was $10 really unattainable in order to secure a domain? Three years worth would have been $30-ish dollars now. Genuinely curious what led up to this scenario.
That's true. I made the assumption it was the same person based on:
The person owning the CyanogenMod.com domain was caught impersonating Steve to make referral deals with community sites. When confronted and asked to hand over control of the domain amicably, he decided he wanted 10K USD for it, which we won’t (and can’t) pay.
but, that could be a mistake if "owning" meant he simply took control of it at some point over the years.
It's slightly contradictory, because it says the original person "gave" them the domain. I at first took that to mean in all senses. But it does seem likely that if there were two different unnamed people associated with the website they would have made that distinction clear.
(The confusion could have been avoided by assigning a nym to anyone who they didn't want to name explicitly.)
It probably wasn't, but it was probably someone he worked with/knew pretty well/whatever and he never thought much more of it or was pretty broke and someone else offered to help him out a little. One of life's lessons and next time he (and we) won't be making the same mistake.
It's a lame situation, for sure, over what appears to be a strictly greedy or personal matter. And hindsight is alwasy 20/20. Fortunately, a good name was available and (hopefully) only an inconvience in time and effort is the major consequence (well, and all those now non-resolving links).
$10,000 dollars for a domain seems a bit much by itself. When you add the factor that you should have right to it and it was basically stolen.. there's no way they should pay that.
Why are large parts of the android custom ROM community unprofessional and immature?
I always shiver a little if I have to dive into xda-forums, but this takes it to the next level. Puts all the actual hard working developers in a bad light.
I think its because they grew out of the phone ROM community, which pre-Android, generally meant hacking up a binary blob and distributing them on forums. This was never quite legal, but lots of people did it anyhow. Like any community build around legal grey areas, like Xbox and PS3 modders, there's a lot more anonymity, less professionalism, and the like, than there is, say in the free software world, where people are legally, and in many cases professionally, writing software to run on their own machines.
Even once Android came out, there are enough binary blobs, like the actual phone firmware, drivers, the Play Store, the Google Apps, and so on, that a lot of the mods are just redistributions of the binary packages with a few configuration changes and some custom software on top, rather than a rebuild from source of AOSP.
Could you elaborate on why this issue shows that "large parts of the android custom ROM community unprofessional and immature"? As far as I can see, the developers trusted someone they should not have trusted. That is not necessarily a sign of being "unprofessional and immature", is it?
Any volunteer organization risks running into this at some point. --You generally don't have any sort of contract because you're not paying anyone.
I used to help run a convention, and one year the person who had designed the program book decided he deserved compensation and demanded a similar amount of money to let us use the design. We were left with only a couple of days to come up with a new design.
Seems the guy who stole the domain is trying to undo his damage and possibly hand the domain back (likely due to the negative attention this is bringing him). He posted this to his Twitter account a few minutes ago:
Yup, I have the same thing. Is this a(nother) change of heart from the owner? Or did ICANN intervene that quickly? I find it hard to believe its the later.
I don't know what this is, but as the guy asked for money for the domains, which he didn't own, I'd think about asking the police to look into this being extortion.
The ownership is in question. This guy bought the domain in its early days and "donated" it to the project. Does he own it? What if he paid for its continued registration? Does CM own it under trademark? Given the nature of how CM got started, I doubt there was a formal agreement between the parties.
I think he did/does own the domain, on behalf of cm. My best guess is that cm wasn't incorporated, so a human body had to own it. The human body then went full asshat.
I had this happen to me when I started a music blog in 2008. Some trust fund brat decided he would hijack the site and I was forced to basically start over. It was painful but 3 years later I'm glad I did. I was able to rebuild and now have a better site with a better team in place. It'll take time but these guys will recover too. Integrity always wins!
Because the title doesn't say "the website" was taken offline. It suggests CyanogenMod itself is no longer available from the developer.
Imagine the headline "LA Lakers Closes!" That tells me the basketball team is no more. But, if instead their website was closed for a planned relaunch, then the headline should read "LA Lakers' Website Closes!" or "LALakers.com Closes!"
Ah, could have sworn the headline said cyanogenmod.com.
Anyway, the current headline is now more misleading, since it omits what makes the story interesting, and they aim to get the original domain back in any case. (This is the case even though the blog post has that same title.)
Well we've got a solid one now, at least! Very clear.
But I totally get the judgement of the previous editor as well. When in doubt, and given a poor headline (nah, it didn't say .com), go with the headline of the article that is linked. It's a good rule of thumb, and this was the exception.
Thanks for rolling with the punches, whoever is pulling strings.
And it wan't by a developer. It was by a rogue admin. "By developer" implies that it was done by one of the core Cyanogenmod developers, perhaps even Cyanogen himself.
I'm mixed on whether this is a good way to handle reporting something like this to the public. On the one hand, they didn't release the guy's name, which is completely and entirely appropriate, and I commend them for doing so. On the other hand, giving so many details—many of which are not relevant to the public, and probably were not intended for the public—gives this PSA somewhat of a "well, screw you too" vibe.
I think a simpler "we've been betrayed by an insider with access to everything, here's how we're fixing it, and yes, we're pursuing legal methods for dealing with this" would have been better. Leave out the gory details about who's hurt and whatnot. This is business. Still, this is better than half of the other "we've been betrayed" posts I've seen.
Avoid doing side business with anyone claiming to represent Cyanogen, for starters. I'm sure they haven't released his name at the advice of a lawyer (or they just have good legal sense). They shouldn't do anything that would jeopardize their ability to pursue legal action against the hijacker.
His profile on twitter says "Entrepreneur, with a passion for website design, development and all things technology. Director of Metserve Enterprises. London, UK · http://www.mradeveci.com
Conversation... More like public poo flinging. I mean seriously? Use email or something, it's really unprofessional to "talk" these things out over twitter
Ideas will be stolen. I know this is a hotly debated topic, and I agree with the raw idea != actionable idea, yadda^3.
I cannot emphasize enough to developers and to startups: all war is about money, all business is about money. When you get to the point that you are making money, you are in business... and all business is war (imo). If you go in thinking like that (not freaked paranoia, but strategic defensive development), you will avoid a lot of this trauma.
Title is sensationalist. Should be something like "Transition to Cyanogenmod.org"; Cyanogenmod is not offline, just cyanogenmod.com
Google already give you cyanogenmod.org when you search for cyanogenmod. Was this always their preferred domain, or is Google just that quick to update?
For the sake of posterity, the original title was "Cyanogenmod taken offline by developer", and the link was to the same story, but posted on Facebook.
Just reading the title, I was under the impression that CyanogenMod itself was no longer available from the developer, not just the website. I'm not sure if "sensationalist" is the right word, but, it wouldn't pass an editor's muster.
Yes, perhaps "sensationalist" wasn't the right term; "false" would have been better. Cyanogenmod is not offline, and it wasn't the developer who took anything offline.
Good point about the old title saying 'by developer'. Probably since I knew what had happened already it didn't stand out to me, but I see how folks would think it meant Steve took it down.
Again I don't think the title was meant to read that way, but yeah I agree that was not clear and the new title/direct link is much better.
Oh I agree completely; I certainly don't think saket123 meant to mislead people at all. It was just an unfortunate choice of words causing a little bit of a dust up. Maybe now any relevant conversation can happen!
So let's all go answer or up-vote philp's comment!
Sensationalist because it is false, and misleads you in a way that makes you believe this is a bigger deal than it actually is.
Nothing is offline. All that has changed is the domain. "Cyanogenmod" is not offline. "cyanogenmod.com" is offline, but everything that was there is at "cyanogenmod.org" so even saying "cyanogenmod.com is offline" would be misleading.
Also, the "taken offline by developer" part is patently false. The website was taken offline by someone who donated the domain name, and is now using it to try and make affiliate deals and extort the developer.
Really, there is an actually interesting story here. The title could be "cyanogenmod.com hijacked by rogue admin"; that is just as interesting, and actually true. Almost nothing about "Cyanogenmod taken offline by developer" is true.
> Refusing to be extorted for funds, and then being threatened is “ending it bitter”? Today, it happened: all of our records were deleted, and cyanogenmod.com is slowly expiring out of the Internet and being replaced by blank pages and non-existing sites. @cyanogenmod.com e-mail is now being directed to a mailserver completely out of our control, too.
At one point CyanogenMod.com was down. The title could be clearer on that for sure, but I don't think it was meant to be sensationalist.
I'm not saying that this isn't a big deal. I'm saying that the headline is false. It implies that Cyanogenmod itself has been taken down by its developer. That is not true at all. The domain name has been taken down by the person who donated in the first place, and is now trying to make a quick buck off of it.
Sure, bookmarks may break. Yes, it's an important story. But Cyanogenmod has not been taken offline by its developer.
edit: thanks to the mod that fixed it :)