
Is client information confidential under these circumstances?
Artashes 09-16-2003, 12:11 AM
OK, we ran into a slight problem. Being a VP Communications at one student organization, we have a web site that needs constant updating to keep in touch with students at our university.
The problem is that our association has been unable to locate the person in charge of the web site (he quit) and obviously forgot to report back with all the access information with regard to the web site.
So we're left with nothing. No usernames, no passwords, no client access information, no domain registrar information, no nothing... Zero. Zilch. Nada.
We're talking about a web site that is well promoted at our university and hundreds of students who access the site.
So we are stuck in a very difficult situation - the site is still running and yet we have absolutely no power in changing anything on it.
I found out the site is hosted by http://uplinkearth.com, so I contacted them a couple of times on behalf of our university, explained the situation in detail and heard nothing from them.
Things get worse - the domain name was registered to that guy's name, too, NOT on the association's name. Even though he was instructed not to do so.
Even if they get back to us, will they give this kind of information to us?
Coach 09-16-2003, 12:21 AM
That's a very fuzzy line because someone could also use a story like that so they can gain access to a site without the owner's permission. I've had people try to do it before. Additionally, it happens at domain registrars all the time and it used to be that you could occasionally dupe a customer service rep into giving you the info. Fortunately, there are much stricter standards now.
If I were the host in this case, I would attempt to contact the customer on record personally with all available means. If no response, that would then lead me to contact the University and see what an official at the University had to say about it and if they could back the story up.
It would be possible I suppose, but only after a lot of investigation on the part of the host (at least hopefully they would investigate it fully).
That looks like a pretty big company though, so their willingness to go the extra mile might not be there.
jasonl813 09-16-2003, 12:32 AM
The domain name definitely won't be released without authorization from the owner. The web host probably won't release that information to you either unless they can contact the guy, which they should have that information on file. You can do a whois search and try to reach the guy through the information there unless it is bogus info.
RackNine 09-16-2003, 01:01 AM
This guy's a student? Shouldn't it be possible to track him down through his student profile?
If nothing else send a request for information on university letterhead to the host and registrar. I'd assume based on content that the domain's obviously being used for the club, by proving your affiliation and then showing the club's intent there shouldn't be too much hassle moving things around.
Sincerely,
-Matt
kkimmel 09-16-2003, 03:42 PM
If I were the host, I would not release this data to you regardless of your story. This is how Mitnick and others like him broke into so many companies.
It's called social engineering.
This should be a learning experience for your firm, since you all didn't keep tabs on this guy to make sure he registered the domain properly.
Additionally, the university - as the parties actually responsible for the site and its content, should have insisted on having the guy file the passwords with you from day one.
The guy was your employee, you have every right to demand that an InfoSys employee provide you with full, unfettered access to your own network.
You guys have a major problem in the way you operate there, and I am sorry to say but I think you brought it on yourself. You don't ask employees for passwords on their way out the door, you get them from their first day of employment on.
I think you all need to have a policy meeting right now so that you get things straightened up, because by the looks of it, you guys are extremely poorly managed and have been begging for something like this to happen for some time.
The university is responsible for all content on a website. If it came to my attention that your website was engaged in the distribution of my copyrighted works and I sent you a DMCA notice demanding compliance, what would you do?
You can't even access the server to remove the infringing content.
Sure, you could argue that you couldn't comply because of circumstances beyond your reasonable control. But it wasn't beyond your reasonable control - it was the result of your own negligence.
You folks should learn from this mistake or you'll be condemned to repeat it in the future.
jcwebii 09-16-2003, 04:43 PM
If the domain name Registrant listed in the whois record is under the "missing" person's name, you will not be able to retrieve the ownership without his approval. (If the Administrative contact is listed as him, however the Registrant shows the University's name, you may be able to take at least legal actions to prove it was registered on your behalf.)
In the case of the web hosting, it will depend on the "owner" and contact info they have on file for the site, as well as their particular policies. In some cases, if the company/organization were listed in the information for the account, it would be fairly easy to display proof to the host that you are an authorized part of that organization and therefore have rights to the site. It does happen from time to time, after all, that certain employees leave an organization and are replaced by someone unexpectedly. (While I do agree that the org should be responsible for maintaining records of passwords and account info with head administrators... unfortunately, most businesses don't seem to do so.)
Some hosts might require that your org provide written documents, maybe notarized and physically mailed to them - for assurance that you are who you say you are - and perhaps there is other information on file with them that you can prove? Such as the credit card number it was paid with?
If the web host hasn't returned calls or emails to you, you may want to read their TOS to see if they require a mailed written claim. You may want to start looking for a back-up domain name, in case you are unable to reach the old webmaster. Good luck.
blue27 09-16-2003, 05:15 PM
Artashes, I'm not sure about the domain registration, but in general, the higher up the ladder the request comes from, the better your chances of getting something done.
Perhaps a letter from the University's president on official letterhead would persuade them. There may even be a notary public on staff to stamp the letter.
I would spend my time trying to track down the missing person. That would be a little easier I'd think.
Kiara Jason 09-17-2003, 04:34 AM
You're in for an uphill battle, though it depends.
Did the university pay for the hosting and domain, or did the missing student?
If it's on the university's tab and financial records can prove it, you might be able to use that as leverage with the registrar and the host to regain access. More specifically, billing information. That is, if the student didn't pay with his CC.
You can probably dispute the name and admin contacts if the university paid for it with more ease, other than just your word against his. Which at the moment, it's you against a ghost.
I'd definitely track him down. Good luck.
akashik 09-17-2003, 05:56 AM
Is client information confidential under these circumstances?
Yes it is, and always should be. If the web host can be provided with iron-clad proof to do otherwise then it's worth a shot, but as mentioned, that's one of the oldest tricks in the book to compromise a domain name, and any web host that would just hand out that information, or make changes because they were 'asked to' deserves to be whipped.
It's not good news of course, but people really need to make sure they have correct ownership of their domain names.
Artashes 09-17-2003, 10:22 AM
Well, thanks guys. I had no doubt all of you would testify that such information is confidential. Honestly, I prefer it to stay that way, realizing the danger if someone wanted to "get me" the same way.
I advised the organization to continue searching... but the last 3 weeks didn't turn with success. In the meantime I told them how not smart that was not to keep at least one copy of all that information with them.
Thanks again. I knew we had no chances unless we ask the Dean of the University to help us out.
Best,