
Update to Microsoft Takedown – Domains Fully Restored - thefreeman
http://www.noip.com/blog/2014/07/03/update-microsoft-takedown/
======
tonywebster
The existence of the case has been unsealed, so here's the latest docket:
[http://ia902509.us.archive.org/20/items/gov.uscourts.nvd.101...](http://ia902509.us.archive.org/20/items/gov.uscourts.nvd.101935/gov.uscourts.nvd.101935.docket.html)

Looks like there was a stipulation filed on July 1 to transfer the domains
back to No-IP, although the actual document isn't accessible in PACER.

~~~
jsmthrowaway
I found the TRO that pulled the trigger:

[http://www.scribd.com/doc/232961396/MSFT-Temporary-Restraini...](http://www.scribd.com/doc/232961396/MSFT-Temporary-Restraining-Order)

~~~
tonywebster
That was published by Microsoft before the case was unsealed, so that one has
been known for a while, nothing new.
[http://www.noticeoflawsuit.com/](http://www.noticeoflawsuit.com/)

------
AndyKelley
noip.me got seized as well? ".me is the Internet country code top-level domain
(ccTLD) for Montenegro." -
[https://en.wikipedia.org/wiki/.me](https://en.wikipedia.org/wiki/.me)

How did this happen? Since when did Montenegro fall under U.S. jurisdiction?

I thought my personal domain (andrewkelley.me) was safe, but now I'm not so
sure.

~~~
dsl
.me is operated by Afilias, a US corporation.

~~~
dublinben
Afilias is an _Irish_ corporation, not a US one.

~~~
dsl
An Irish holding company. Actual technical registry operations are handled by
Afilias USA, Inc. and subject to US law.

------
z92
Has Microsoft gained from this fiasco, or lost? Not sure.

~~~
Alupis
Microsoft seized the domains in order to discover command-and-control servers
of a few botnets.

Now... whether or not Microsoft seizing another legitimate company's property
without any notice is legal/ethical is another question (one that probably
should get more attention).

~~~
icebraining
Microsoft seized them by court order, I don't see how it was without notice or
how they could have done it illegally.

~~~
Alupis
Yes, the question was along the lines of, why is Microsoft seizing another
company's property, even _with_ a court order... sounds to me like Law
Enforcement should have done the actual seizure, even if Microsoft is
consulting for them.

And there was no prior warning to noip.com -- they woke up one day and their
domains were seized. They only found out why after the fact -- and, given the
nature of free Dynamic DNS services, it's very unlikely noip.com was even
aware that a botnet was using their services (the justification for the
seizure).

And, I can't help but feel Microsoft could have obtained the same data by
politely asking noip.com -- nobody likes to harbor botnets (and we have no
reason to suspect noip.com of trying to do so). Seems domain seizure was
heavy-handed at best.

~~~
tzs
> And there was no prior warning to noip.com -- they woke up one day and their
> domains were seized. They only found out why after the fact -- and, given
> the nature of free Dynamic DNS services, it's very unlikely noip.com was
> even aware that a botnet was using their services (the justification for the
> seizure).

No-ip was _DEFINITELY_ aware of it. OpenDNS published an article in April 2013
identifying no-ip as the top used provider for malicious use [1] and a
representative from no-ip posted a comment on that article which proves that
no-ip was aware of it.

Cisco published a similar article on February 11, 2014 [2]. We know that no-ip
was aware of this because they posted a comment in response, and posted a blog
entry about it at their site [3].

[1] [http://labs.opendns.com/2013/04/15/on-the-trail-of-malicious...](http://labs.opendns.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/)

[2] [http://blogs.cisco.com/security/dynamic-detection-of-malicio...](http://blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/)

[3] [http://www.noip.com/blog/2014/02/12/cisco-malware-report/](http://www.noip.com/blog/2014/02/12/cisco-malware-report/)

~~~
Alupis
You seem to be missing the point.

They (noip.com) had zero pre-warning of a domain seizure. Regardless of any
literature you dig up from years ago that states some botnets use Dynamic DNS
services such as noip.com, it does not mean they had warning they were about
to be seized. Others have commented that the court order forbade anyone,
including Microsoft, from informing noip.com prior to the seizure.

It should be noted that most/all "cloud" services likely have some sort of
illicit behavior being conducted through them... EC2, Azure even, etc.
Botnets use the same services me and you do... that does not for even a
second make noip.com responsible for the botnets' actions.

~~~
tzs
You wrote: "it's very unlikely noip.com was even aware that a botnet was using
their services (the justification for the seizure)".

The links I cited show that this is incorrect. No-ip was aware.

~~~
polymatter
"We would like to be on the record to state that at No-IP, we have a very
strict abuse policy. Our abuse team is constantly working to keep the No-IP
system domains free of spam and malicious activity...We provide a valuable
service for free, but because of this, it is common for users to abuse our
service. Our abuse team is amazing and they are usually pretty quick to shut
them down, but sometimes a few can slip through the cracks".

No-ip was aware of the potential and had an abuse team to deal with such
cases. They were also aware of other experts finding their abuse team wanting.
But that doesn't seem to be enough evidence to suggest they were partly
culpable in any particular case. Perhaps there were examples of particularly
galling incompetence in their abuse team, or the abuse team tipping off
fraudsters but otherwise informing them seems to be the most reasonable and
responsible action.

~~~
cones688
> abuse team

Every domain provider must have an abuse team or at least an address to send
abuse notices to
[[http://who.is/whois/cloudapp.net/](http://who.is/whois/cloudapp.net/)], that
PR statement from No-IP states no facts or figures of how many abuse notices they
combat - which I would cite if my abuse team actually did stuff "look how
amazing our team is - we had x,000's requests and took down x00 of malicious
hosts just last month."

------
dang
Url changed from [http://threatpost.com/all-seized-domains-returned-to-no-ip/1...](http://threatpost.com/all-seized-domains-returned-to-no-ip/107028),
which points to this.

