
Microsoft buys corp.com so bad guys can’t - DyslexicAtheist
https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/
======
LeonM
For those not familiar with the corp.com situation:

Corp.com was (is?) the default example domain in many applications from
Microsoft. As a result many badly configured networks are attempting to
connect to this domain, often sharing credentials in the process.

He who owns corp.com will have access to tens of thousands of corporate
networks. So the only move that MS had was to buy the domain, regardless of
the price.

I guess Mr O’Connor (who sold the domain) made a nice retirement today.

~~~
swyx
always wish I could be a fly on the wall for these kinds of negotiations.

if O'Connor demanded something ridiculous like 10 billion dollars... how do
you talk him down when the situation is this one-sided?

~~~
jawns
It's not one-sided. There is an incentive on both sides to come to a
reasonable agreement.

It's not like O'Connor can do anything (legally) with the sensitive data
that's hitting his domain. If he could, I could understand why he might be
reluctant to sell, even if given a strong offer.

But the fact is, if Microsoft walks away from the negotiations, he gets
nothing, and there are likely few other buyers he could ethically sell to, and
those buyers are unlikely to offer as much as Microsoft can.

~~~
adventured
> and there are likely few other buyers he could ethically sell to

Anyone that wanted to develop a real business based on a tremendous four
letter .com address, which is a vast selection of potential buyers he could
ethically sell to.

The name itself, independent of the inbound sensitive stream of data, is worth
a lot. Any major enterprise company in the US could trivially develop policies
to deal with the inbound sensitive data while using the name for a legitimate
business. This one guy has been dealing with it just fine for two decades.

~~~
myself248
I think it'd be a lot of fun to set up a responder of sorts, that would handle
the incoming traffic, discard the sensitive bits, and feed back something like
"Your administrator needs to apply KBxxxxxx patch" in any fields of whatever
sort of traffic may apply.

I'm sure someone would get their undies in a twist and sue me, which is why
I've never done anything of the sort with the juicy traffic that's come my way
(in a similar, though long in the past, situation that shall remain
unspecified).

But 1 packet out of 100,000 gets upsidedownternet.

------
scalableUnicon
My D-Link router had domain.name as the default DHCP domain name, which caused
some of my devices connected to it to resolve <whatever.tld>.domain.name when
<whatever.tld> fails to resolve, and someone has set up ad pages in many
.domain.name pages to take advantage of the flaw. I've recently blogged about
it (https://harigovind.org/articles/who-is-hijacking-my-nxdomains/).
Need to be always careful when configuring things like this, especially since
we now have hundreds of TLDs like .email, .work etc.

~~~
myself248
I feel like there should be fines for using anything other than reserved-by-
RFC names. When will it end?

~~~
MichaelApproved
Supposedly, the free market should correct this when consumers stop buying the
flawed product. Companies will recognize that poor security is not profitable
and make improvements.

In reality, consumers aren't (and can't be) educated enough to avoid products
with these types of flaws. So, it's up to government to regulate but consumers
(citizens) still need to care enough to ask the government to regulate with
fines and recalls.

EU citizens seem to have that type of government but US citizens would still
rather protect corporate bad actors than protect themselves.

If we see any kind of legislative pressure, my bet is it'll be from the EU
well before the US.

~~~
kryogen1c
>In reality, consumers aren't (and can't) be educated enough

this is a gravely serious statement. in America you're talking about a
fundamental shift in the relationship between the governed and the government.
many states would violently oppose the idea that the government knows what's
best for you and should create laws for you backed by lethal force.

>US citizens would still rather protect corporate bad actors than protect
themselves.

you missed the point. it's not about protecting corporations, it's about
allowing personal freedom, even if that freedom includes suboptimal results.
moreover, it is abjectly false that the government can simply do what's best
for everyone.

~~~
kdmccormick
> this is a gravely serious statement. in America youre talking about a
> fundamental shift in the relationship between the governed and the
> government.

Uh, consumer protection laws have existed in the US for over a century. The
FTC was founded in 1914. The mindset that laws should protect people from
things that they don't understand is not an abrupt or fundamental shift. If
not for the government, would you know how to find out if an apartment was
built and wired in a safe way? Or do you rely on government permits and
inspectors for that confidence?

~~~
kryogen1c
>The FTC was founded in 1914

the FTC was founded as an anti-monopoly arm of the government, and is not the
same thing as saying "consumers aren't smart enough to know what's good for
them"

IMO as a libertarian, trust-busting is one of the fundamental responsibilities
of the government because consumers and small businesses usually cannot
overturn a monopoly.

~~~
close04
> because consumers and small businesses usually cannot overturn a monopoly

But they can somehow fight the abuse and manipulation companies can expertly
unleash on them? How is the uninformed consumer better prepared to combat this
than a monopoly? Millions of individual consumers speaking with millions of
voices have absolutely no chance against companies with a single voice and a
single goal. Companies hold far more cards than a regular consumer ever will.
How much time can you dedicate towards protecting yourself and not being
abused? Because a company can dedicate _a lot_ of time into finding better
ways to abuse or manipulate you.

It's a misguided belief that the Government intervening is intrinsically bad,
or that any decision taken at individual level is intrinsically good simply
because it proves "freedom". And this stems from lack of education and the
unwillingness to accept that most individuals are woefully unprepared to fight
back a never ending assault. But you can easily see the "converts" angrily
shouting at the Government whenever they get trampled by yet another company.
One of the more clear examples is when people who got scammed out of their
cryptocurrencies went from "boo regulation" to "why didn't the government do
anything" without missing a beat.

------
Eliezer
I unironically salute Microsoft for cleaning up the mess they created. Many
large actors don't. There was one right thing to do at this point and they did
it.

------
macintux
Seems like it’d be a consulting opportunity. Watch the traffic, identify
companies that need help reconfiguring their domain, and contact them.

Although I suppose to the recipient of such an email it might sound like an
extortion racket.

~~~
captncraig
"Yeah, we know it is wrong, but that single decision made 10+ years ago is too
hard to change now without unknown side effects. Microsoft owns it now, so
nothing too bad will happen"

------
athenot
This is a reminder to all of us to use example.com[1] for these types of
defaults, examples, illustrations.

And also to scan code bases & configs on a regular basis for the inevitable
"dummy yet resolvable" addresses that sneak back in out of bad habit.

[1] https://tools.ietf.org/html/rfc6761

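A scanner for the "dummy yet resolvable" names athenot suggests hunting for, as an added example (my code, not part of the thread or of any project it mentions). It accepts only names inside the RFC 2606 / RFC 6761 documentation namespaces (plus .local and .onion, which never reach public DNS; that extension is my assumption) and reports everything else. The sample config and the stand-in TLD list are constructed; they deliberately include corp.com, testcompany.com and domain.name from this thread, and an .example.foo host, since .foo is a live gTLD (pix64's point further down), not a safe dummy.

```python
"""Added example: flag hostnames in configs/docs/source that live outside the
namespaces RFC 2606 / RFC 6761 reserve for documentation and testing. Anything
outside those will resolve on the public Internet the moment it is copy-pasted
into a live system. The sample input and the small TLD set are constructed."""
import re

# Reserved by RFC 2606 / RFC 6761 for documentation and testing.
RESERVED_SUFFIXES = (
    ".test", ".example", ".invalid", ".localhost",
    ".example.com", ".example.net", ".example.org",
)
# Assumption for this scanner: also accept names that never reach public DNS
# (.local is reserved for mDNS by RFC 6762, .onion by RFC 7686).
NON_PUBLIC_SUFFIXES = (".local", ".onion")

# Two or more DNS labels, last one alphabetic; the lookarounds stop us from
# matching the tail of a longer token or a partial label.
HOSTNAME_RE = re.compile(
    r"(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})(?![\w-])",
    re.IGNORECASE,
)


def is_reserved(host):
    """True if `host` is exactly, or sits under, a reserved/non-public name."""
    h = host.lower().rstrip(".")
    return any(h == s.lstrip(".") or h.endswith(s)
               for s in RESERVED_SUFFIXES + NON_PUBLIC_SUFFIXES)


def scan(text, known_tlds=None):
    """Return (line_no, hostname) for every name that would resolve publicly.

    known_tlds: optional set of TLDs (in practice, IANA's root zone list).
    When given, candidates whose last label is not a TLD are dropped so that
    file names such as 'settings.json' are not reported. Note the inverse
    problem: 'main.py' or 'run.sh' really do end in ccTLDs and will be flagged,
    so allow-list those paths rather than weakening the check.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in HOSTNAME_RE.finditer(line):
            host = match.group(1)
            tld = host.rsplit(".", 1)[-1].lower()
            if known_tlds is not None and tld not in known_tlds:
                continue
            if not is_reserved(host):
                findings.append((line_no, host))
    return findings


# Constructed sample config; none of these lines come from a real system.
SAMPLE_CONFIG = """\
# service endpoints
ldap_server   = ldap://corp.com:389          # Microsoft's old AD example, now a real domain
smtp_relay    = mail.testcompany.com         # another dummy someone registered
search_domain = domain.name                  # D-Link default; .name is a real TLD
api_base      = https://api.example.foo/v1   # looks safe, but .foo is a live gTLD
docs_host     = www.example.com              # RFC 6761 reserved, safe to ship
staging       = app.internal.test            # RFC 6761 reserved, safe to ship
printer       = brother.local                # mDNS only, never hits public DNS
"""

# Constructed stand-in for the IANA root zone list.
SAMPLE_TLDS = {"com", "net", "org", "name", "foo", "test", "local", "example"}


def demo():
    return scan(SAMPLE_CONFIG, SAMPLE_TLDS)


if __name__ == "__main__":
    for line_no, host in demo():
        print(f"line {line_no}: {host} is publicly resolvable; use a reserved name")
```

Run it over a repo checkout in CI with the real root zone list as `known_tlds`; the four flagged lines in the sample are exactly the kind of default that turned corp.com into a credential sink, and the two .example.com/.test lines show what the fix looks like.
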
------
KindOne
Previous discussion:

https://news.ycombinator.com/item?id=22277185
"Dangerous domain corp.com goes up for sale" - Feb 9, 2020.

------
andy_ppp
To be fair if I was Microsoft I’d probably just do a Windows update that adds
127.0.0.1 corp.com to wherever they keep the hosts file on windows :-)

~~~
chills
Do you really think these organizations shipping their credentials off to
corp.com are applying Windows updates?

~~~
andy_ppp
In which case they aren't worried about security, so why does buying corp.com
matter?

------
kryogen1c
the problem is DNS, as one would guess:

>the default or example Active Directory path was given as “corp,” and many
companies apparently adopted this setting without modifying it to include a
domain they controlled.

whew boy. what's the right answer here? out of the box AD and DNS coming with
default settings that must be changed prior to use?

~~~
W4ldi
most linux server distributions come without a firewall installed/activated.
does this default mean it's Linux's fault when users do not set up a firewall?

~~~
ed312
At least a little? That's extremely hostile behavior to new users. I could see
not shipping a lot of these things for a highly optimized server version etc.
For a standard end user (and let's be honest, middle/large company IT dept
guy), you should put some sane defaults in place.

~~~
crankylinuxuser
Another part about the firewall is that without profiling, it's pretty hard to
make a good firewall that allows "good traffic" and denies the "bad". It takes
a good amount of profiling and being a firewall admin.

And for a house, that's kind of overkill for the general network. Sure, set up
a restricted wifi for IoT crap, but having to fiddle with it daily is NOT
acceptable.

------
alberth
I've always wondered how large SaaS companies (e.g. Salesforce, Workday, etc)
ensure they don't let their domain mistakenly expire.

It'd be devastating to their business if someone were to purchase the expired
domain of say, salesforce.com (e.g. customers wouldn't be able to log into
their paid-for SaaS service, potentially corp email would be down, etc).

~~~
spelunker
lots and lots of alarms, I imagine. Also plenty of DNS registrars will let
domains enter a grace period where the original owner can re-register the
domain before it's released back to the public.

Obviously being able to renew through an automated process is the best
solution (LetsEncrypt, etc)

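One shape the "lots and lots of alarms" can take, as an added example (my code, not from the thread or any company named in it): a check over RDAP data, the JSON successor to WHOIS that registries serve, which reports days left until the registry's expiration date and escalates when the record already carries a post-expiry grace status (the grace period spelunker mentions), i.e. the last window in which the original owner can still renew. The two RDAP documents and the fixed clock are constructed; the field names (events with eventAction/eventDate, and status) follow the RDAP JSON response format.

```python
"""Added example: domain-expiry check over RDAP domain objects. The RDAP
documents and the clock value below are constructed for the example."""
from datetime import datetime, timezone

# RDAP status values meaning the registration has lapsed but can still be
# recovered; a domain in any of these needs a human now, not a ticket.
GRACE_STATUSES = {"auto renew period", "redemption period", "pending delete"}

# Escalation ladder: (days_left at or below, level), checked in order.
THRESHOLDS = ((7, "CRITICAL"), (30, "URGENT"), (90, "WARN"))


def expiration_from_rdap(doc):
    """Return the expiration event as an aware datetime, or None if absent."""
    for event in doc.get("events", []):
        if event.get("eventAction") == "expiration":
            stamp = event["eventDate"].replace("Z", "+00:00")  # py<3.11 lacks 'Z'
            return datetime.fromisoformat(stamp)
    return None


def assess(doc, now):
    """Classify one RDAP domain object. Returns (domain, level, days_left)."""
    name = doc.get("ldhName", "?").lower()
    statuses = {s.lower() for s in doc.get("status", [])}
    expires = expiration_from_rdap(doc)
    if expires is None:
        return name, "UNKNOWN", None        # fail loud: no date means no monitoring
    days_left = (expires - now).days
    if statuses & GRACE_STATUSES or days_left < 0:
        return name, "CRITICAL", days_left
    for limit, level in THRESHOLDS:
        if days_left <= limit:
            return name, level, days_left
    return name, "OK", days_left


# Constructed RDAP documents, trimmed to the fields this check uses.
RDAP_DOCS = [
    {"ldhName": "example.com",
     "status": ["client delete prohibited", "client transfer prohibited"],
     "events": [{"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
                {"eventAction": "expiration", "eventDate": "2026-08-13T04:00:00Z"}]},
    {"ldhName": "example.net",
     "status": ["auto renew period"],
     "events": [{"eventAction": "expiration", "eventDate": "2025-04-01T00:00:00Z"}]},
    {"ldhName": "example.org",
     "status": ["active"],
     "events": [{"eventAction": "last changed", "eventDate": "2025-01-01T00:00:00Z"}]},
]

# Fixed clock so the output is reproducible; a real monitor uses datetime.now(timezone.utc).
FAKE_NOW = datetime(2025, 4, 10, tzinfo=timezone.utc)


def demo():
    return [assess(doc, FAKE_NOW) for doc in RDAP_DOCS]


if __name__ == "__main__":
    for name, level, days in demo():
        print(f"{level:8s} {name:15s} days_left={days}")
```

Two design points: a missing expiration event is reported as UNKNOWN rather than silently treated as fine, because a monitor that returns nothing for a broken lookup is the failure mode that lets a name lapse; and the grace statuses override the day count, since by the time a registry shows "redemption period" the date arithmetic is already negative and what matters is that the redemption clock is running.
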
------
2sk21
Years ago, one of my coworkers bought testcompany.com and got an amazing
amount of internal emails from organizations.

------
shayanbahal
This reminded me of `WPAD` namespace for DNS and DHCP:

https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol

I remember logging all requests to wpad.ir, there were many from Brazil for
some reason.

------
patall
Wasn't this one of the reasons why some organizations lobbied against the
extension on TLD names? For example, in Germany we have lots of Fritz!box
routers that are managed via 'fritz.box' which is now also a valid URL.

------
thefox
But why did Microsoft use a domain in its products which they do not own?

~~~
myself248
RTFOA. They didn't.

They used an internal ActiveDirectory domain of "Corp" as an example. An AD
domain is not the same as a domain name.

....until it comes time for the Windows name service to try to idiotproof the
user, and say "well, this doesn't resolve to an AD server here, maybe they
meant it as a domain name, let me try appending .com and attempt a DNS query"

It's a case of the right hand not knowing the left hand's usability tweak
would turn into a security issue.

Unquestionably Microsoft's fault, but it wasn't as simple as you make it out
to be.

~~~
andrewaylett
"Let me try with the search domain. No, doesn't exist. Let's knock the first
element off the search domain and try again until we find it. What do you mean
you connected your laptop to a network that's not your work network so the AD
server isn't accessible?"

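A toy model of the suffix handling described in scalableUnicon's D-Link comment, shayanbahal's wpad.ir logging and the two comments directly above, as an added illustration (my code, not from the thread, the article or Microsoft). It models the knobs a stub resolver has: a search list (primary DNS suffix, then DHCP-supplied connection-specific suffixes), devolution (retrying with the leftmost label of the primary suffix knocked off, down to a configurable number of labels), and whether a dotted name is tried verbatim first. It is not Microsoft's resolver and does not reproduce the exact path by which Windows clients reach corp.com (the linked article covers that); real clients' default devolution rules vary by version, so treat `devolution_level` as something to verify on your own fleet. All suffixes, zone data and addresses are constructed (contoso is Microsoft's fictitious company name; the .ir zone is invented).

```python
"""Added example: toy model of stub-resolver search-list handling and DNS
suffix devolution. Not Microsoft's implementation; all data is constructed."""


def candidates(name, primary_suffix=None, connection_suffixes=(),
               devolution_level=2):
    """FQDNs a resolver would try for `name`, in order.

    Dotted names are assumed fully qualified and tried verbatim first; a
    single-label name is tried bare only after every suffix has failed.
    Devolution walks up the primary suffix's parents and stops once fewer
    than `devolution_level` labels would remain (level 1 = down to the TLD).
    """
    name = name.rstrip(".")
    tried = []

    def add(fqdn):
        if fqdn not in tried:
            tried.append(fqdn)

    if "." in name:
        add(name)
    if primary_suffix:
        labels = primary_suffix.split(".")
        add(f"{name}.{primary_suffix}")
        for i in range(1, len(labels)):
            if len(labels) - i < devolution_level:
                break
            add(f"{name}.{'.'.join(labels[i:])}")
    for suffix in connection_suffixes:      # DHCP-supplied, per interface
        add(f"{name}.{suffix}")
    if "." not in name:
        add(name)
    return tried


def resolve(name, zone, **resolver_settings):
    """Walk the candidate list against a constructed zone.

    '*.parent' keys stand in for the catch-all records a squatter publishes;
    the ancestor walk approximates wildcard matching (real DNS wildcards are
    stricter about intermediate names that exist in the zone).
    """
    for fqdn in candidates(name, **resolver_settings):
        if fqdn in zone:
            return fqdn, zone[fqdn]
        labels = fqdn.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in zone:
                return fqdn, zone[wildcard]
    return None, None


# Constructed zone data (RFC 5737 documentation addresses).
ZONE = {
    "fileserver.corp.contoso.ir": "10.0.0.5",   # internal host, only reachable on-site
    "*.domain.name": "203.0.113.9",             # ad squatter's catch-all
    "wpad.ir": "198.51.100.7",                  # whoever registered the TLD's wpad name
}


def demo():
    corp = dict(primary_suffix="corp.contoso.ir")
    return {
        # On the corporate network the short name resolves as intended.
        "onsite": resolve("fileserver", ZONE, **corp),
        # Proxy auto-discovery probe with devolution allowed to reach the TLD:
        # the query walks out of the company's namespace into one it does not own.
        "wpad_devolve_to_tld": resolve("wpad", ZONE, devolution_level=1, **corp),
        # Same probe stopping at two labels: nothing leaves the company's names.
        "wpad_stop_at_2": resolve("wpad", ZONE, devolution_level=2, **corp),
        # D-Link style: DHCP hands out 'domain.name'; a mistyped FQDN fails
        # verbatim, gets the suffix appended, and lands on the squatter's wildcard.
        "typo_nxdomain": resolve("whatever.tld", ZONE,
                                 connection_suffixes=("domain.name",)),
    }


if __name__ == "__main__":
    for case, (fqdn, addr) in demo().items():
        print(f"{case:20s} -> {fqdn} = {addr}")
```

The useful thing to take from the model is that every suffix the network hands a client becomes part of queries the client never intended to send off-site: the `wpad` case leaks a proxy-discovery lookup to a TLD-level name purely through devolution, and the `whatever.tld` case shows why an NXDOMAIN for the verbatim name is not the end of the story once a DHCP server has supplied a search suffix someone else owns.
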
------
diebeforei485
Somewhat related: A lot of random networking hardware seems to use "1.1.1.1"

I have even had Wi-Fi networks ask me to go to 1.1.1.1 to load their payment
page so I can pay for the internet service.

------
MaysonL
I wonder if this is by any chance the same Michael O'Connor who wrote the Mac
application CompuServe Navigator back in the '90s?

------
pradn
This could be a case for "eminent domain"ing the domain from this user. If
domains are property, "eminent domain" must apply to them too.

------
chatman
Microsoft is the "bad guy".

~~~
_emacsomancer_
"Microsoft buys corp.com so the other bad guys can’t"

------
kseifried
We discussed this on the OpenSourceSecurity Podcast back in Feb 2020:
https://www.opensourcesecuritypodcast.com/2020/02/episode-184-its-dns-its-always-dns.html
TL;DR: this is the least painful outcome of these DNS shenanigans.

------
xiaodai
And the good guys are?

------
ChrisArchitect
did MS buy the domain from the guy for $1.7 million?

------
dancemethis
That's an Onion title right there.

------
gfiorav
This is why I use foo TLDs in the documentation. To make sure it won't work in
a copy-paste situation.

~~~
pix64
FYI, google owns .foo

~~~
gfiorav
ha, the more you know!

