
Dangerous domain corp.com goes up for sale - DemiGuru
https://krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-for-sale/
======
komali2
At the end of the article the owner talks about why he doesn't just give the
domain name to Microsoft for the good of security, and he has imo a good
reason - Microsoft fucked up and should shoulder the responsibility. Even more
incredible, it seems some requests were coming from Microsoft-owned
machines. He talks about how massive Fortune 500 companies may be aware of the
issue but unwilling to do anything about it.

So it seems, as ALWAYS, we're going to have to wait for state sponsored actors
to buy the things, embarrass the shit out of a couple CEOs by posting their
dick pics they're inexplicably sending over company mail, and THEN corps will
start doing something about it.

Why we have to get on and off this merry go round every time is beyond me.
Short-sightedness of those with decision making power boggles my mind daily.

~~~
tetha
As cynical as I may sound, cybersecurity threats like this will continue
to be ignored until they sufficiently escalate into consequences.

And that statement, while obvious, is darker than it seems. Companies going
under aren't sufficient consequences (many ransomware cases). Universities
going offline isn't enough (look for the uni giessen). The bureaucracy of
cities going offline isn't enough (e.g. New Orleans).

This is just going to continue to escalate until something really really ugly
happens and kills many people. And then we'll be presented with some grand
legislation that I don't look forward to.

~~~
K0SM0S
Let me share this thought experiment.

- most companies are really bad at security

- most people do not care about the security of their data, passwords, etc.

Based on these facts, I've been operating for a decade now under the
assumption that one day within my lifetime, all of our logged online activity
may become public after some hack. All of it that's logged somewhere. Chats,
pics, posts, history, notes, cloud drives...

It may be slightly paranoid, but better safe than sorry. I should add that I
live "normally", I don't care about my pics or discussions becoming public
when it happens to everyone else too. I just remain cognizant that there's
high probability here.

As outlandish as this assumption might be, the opposite (that security holds
and most of our stuff never gets hacked) seems even more implausible to me.
Educated guess, you know, which speaks less of tech/security than it does of
human nature (carelessness or laziness, until a real crash happens). Hopefully
this is very Western-centric and other cultures are better at long-term wisdom
and planning.

~~~
solotronics
I think this is actually by design. My theory is they built a panopticon
intended to move humanity towards being more cooperative and docile. A feature
of this is that people become self policing much like in the USSR. You
yourself just admitted to what is equivalent to thought policing.

~~~
mindfulhack
Instead of downvoting, I'll reply with my own logic:

1. Science and clear thinking demonstrates more often than not that the world
is chaotic and random.

2. Conspiracy thought like yours can be a psychological attempt to quell
one's unease from seeing such chaos by insisting that everything is
controlled, so that you gain an emotional feeling of control and security once
more.

Like 9/11, I think what you speak of (people's increasing self censorship as a
result of draconian dragnet surveillance) is more pure accident - not design -
but it's then taken advantage of by opportunists (where in the case of 9/11,
it was warmongers and American oil barons).

~~~
solotronics
[https://medium.com/insurge-intelligence/how-the-cia-made-google-e836451a959e](https://medium.com/insurge-intelligence/how-the-cia-made-google-e836451a959e)

Both Facebook and Google were nurtured by In-Q-Tel and Highlands Forum
members. I don't think this is wrong or bad. Just like Huawei and ZTE are
highly correlated with the Chinese government, our biggest tech companies are
interwoven with our national defense organizations.

------
saghm
> Schmidt’s findings closely mirror what O’Connor discovered in the few years
> corp.com was live on the Internet after he initially registered it back in
> 1994. O’Connor said early versions of a now-defunct Web site building tool
> called Microsoft FrontPage suggested corporation.com (another domain
> registered early on by O’Connor) as an example domain in its setup wizard.

> That experience, portions of which are still indexed by the indispensable
> Internet Archive, saw O’Connor briefly redirecting queries for the domain to
> the Web site of a local adult sex toy shop as a joke. He soon got angry
> emails from confused people who’d also CC’d Microsoft co-founder Bill Gates.

If only Gates had gotten more annoyed back then and bought the domain just to
stop the emails...

------
quickthrower2
I love how GoDaddy lets you add the corp.com domain, has a checkout page
showing the $1690000.00 and a buy now button. It even has a promo code field,
so I wonder if I can get a discount?

~~~
michaelsbradley
You're funny, but I tried that with a GoDaddy account and I see no such thing.
Screenshot?

~~~
cedricium
You can see a similar thing if you search "corp.com" on Namecheap:
[https://www.namecheap.com/domains/registration/results.aspx?...](https://www.namecheap.com/domains/registration/results.aspx?domain=corp.com)

~~~
chx
You can't add it to cart; it changes into a chat button if you try.

~~~
crooked-v
Usually those 'premium'-listed domains are an integration with a third-party
service, where high-value domains are handled one-on-one by individual
salespeople. There's pretty extensive anti-fraud and anti-money-laundering
measures involved to protect the companies involved.

------
013a
I can't believe this situation.

This is a guy who, by his own admission, wants it to go to Microsoft, but is
also holding an auction. He could just quote Microsoft $2M and be done with
this whole thing.

Instead, he and this "security firm" publish a big article on one of the
internet's most lauded security blogs where they outline how blown away they
were with how much data was being sent to this domain. They left it open for
15 minutes and got millions of emails, passwords, etc. "Wow, bad people
reading this, look at how much data you could get. You better join in on the
auction. Microsoft, you seeing this? You better get in on this too. Bid often
and bid well, friends."

I wonder what kind of authority ICANN has in revoking domain name
registrations in extreme circumstances. Microsoft fucked up here, but we're
long past that being a relevant component in this discussion. This
registration should be pulled out from under O’Connor and blocked from
registration for 100 years.

~~~
xvector
I am totally OK with the sale of this domain to anyone. He owns the domain and
he has the right to sell it.

Perhaps the fallout would be good for computer security, as it would stop
corporations from making boneheaded security decisions. Pain seems to be the
only way to make corporations evolve anyways.

~~~
gumby
I would agree except he is quoted as “fearing” it won’t go to Microsoft. He
could just make that happen.

~~~
CydeWeys
But it's very valuable and he wants (needs?) the money for his retirement.
Microsoft may not be willing to pay up.

~~~
gpm
What right does he have to 1.7 million dollars? The fact that he was the first
person to register a domain? That's ridiculous. He did no work for it. He did
not do anything to benefit society. He is just trying to extort society for
that money by threatening to help criminals if we don't give it to him.

~~~
huffmsa
He has an asset that he values at $1.7 million. His _right_ is that he owns it
and can sell it as he sees fit.

He has no obligation to M$FT or any of their customers.

~~~
gpm
What asset?

He has an informal agreement with an informal group of organizations to respect
his decision of what records to return in response to DNS requests. No one is
obligated to follow that agreement. This form of abuse of that informal
agreement should result in the group of organizations unilaterally terminating
that agreement.

~~~
krebsonsecurity
This kind of reply reminds me of the vitriolic replies that companies leveled
back in the day against the guys who registered donotreply.com.

They would try to alert companies using a domain they didn't own for
communications to their customers that this was a bad idea, and soon after got
nastygrams from the company's lawyers saying they'd stolen their intellectual
property and wiretapped their communications.

[http://voices.washingtonpost.com/securityfix/2008/03/they_to...](http://voices.washingtonpost.com/securityfix/2008/03/they_told_you_not_to_reply.html)

~~~
huffmsa
If this were a meat space address, this wouldn't even be an issue. Then or now

~~~
crooked-v
Consider this hypothetical: You buy a house, and its address somehow gets
listed as an internal corporate postal address at BigCorp. You regularly get
bag-fulls of corporate mail containing personal information. BigCorp refuses
to change their internal directories, and refuses to buy your home at a
reasonable value.

The only real difference in the corp.com case is that instead of just one
BigCorp, it's one BigCorp that's gotten a bunch of other SmallCorps and
BigCorps to all incorrectly list the same address too.

On the same general note, "a business listed my phone number as theirs and
refuses to change it" stories are pretty common, and often have the same "the
business refuses to change it" quality.

~~~
huffmsa
And you're perfectly within your right to sell that address to anyone you so
please. For whatever price.

------
gpm
The easy resolution here would be for Microsoft to push an update that does
the moral equivalent of adding hosts file lines:

    127.0.0.1 corp.com
    ::1 corp.com

~~~
gfodor
That's hardly a resolution, because it assumes such an update would actually
be applied to all the machines in question.

~~~
gpm
If a machine is connected to the internet and not getting updates, it's fucked
anyways.

------
zupreme
This may be, if as stated in the article, a national-security-level threat.

It should be handled as such. Not an auction to the highest (perhaps even
foreign) bidder.

------
perlgeek
I wonder if buying it and participating in bug bounties en masse would be
profitable in the long run.

~~~
snazz
Probably not, especially since I'm not sure what your legal footing would be
in this scenario. If you weren't concerned about selling the information you
found to the rightful owner, then you could almost certainly turn a profit.
I'm sure criminal groups and governments would find it to be a gold mine.

~~~
perlgeek
You could always argue that somebody could MITM the company's connection to a
public resolver.

Still probably not quite the gold mine...

------
kirstenbirgit
OK, so a bunch of years ago, Microsoft suggested that AD domains/hosts should
end in ".corp".

But where does the .com part come in to the picture?

Does corp.net or corp.ninja have the same type of issue?

~~~
acranox
This gets covered in one of my favorite conference talks. "Defcon 21 - DNS May
Be Hazardous to Your Health"
[https://www.youtube.com/watch?v=9Sgaq6OYLX8&t=900s](https://www.youtube.com/watch?v=9Sgaq6OYLX8&t=900s)
(skip to 15:00 if you just want the answer to your question. but the rest of
the talk is brilliant)

But basically when the computer can't resolve ".corp" it assumes it isn't an
FQDN and starts adding other stuff to try and get an FQDN that does resolve.
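
As an added illustration that is not part of the thread, here is a small Python model of the suffix-appending behaviour acranox describes, with a check that flags which generated names would be answered by someone outside the organisation's own zones. The search lists, the zones "corp" and "example.com", the host "sharepoint.corp" and the ".com" fallback flag are all constructed assumptions, and the candidate ordering is a simplification of real resolver behaviour.

```python
"""Simplified model of DNS search-suffix appending.  Added illustration,
not Microsoft's or any resolver's code: it models only suffix appending
plus the ".com" fallback some clients apply, on constructed inputs."""


def expand_candidates(name, suffixes, com_fallback=False):
    """Return the FQDNs a client might query for `name`, in order.

    A trailing dot marks an absolute name, which is tried as-is only.
    Otherwise each configured suffix is appended in turn, then the bare
    name is tried, then name + ".com" if the client does such fixups.
    Real resolvers differ in ordering (ndots, Windows devolution); the
    order used here is a simplification.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    candidates = [f"{name}.{s.strip('.')}" for s in suffixes if s.strip(".")]
    candidates.append(name)
    if com_fallback and not name.endswith(".com"):
        candidates.append(f"{name}.com")
    ordered = []
    for c in candidates:  # keep order, drop duplicates
        if c not in ordered:
            ordered.append(c)
    return ordered


def in_zone(fqdn, zone):
    """True if `fqdn` is `zone` itself or lies beneath it."""
    return fqdn == zone or fqdn.endswith("." + zone)


def leaking_candidates(name, suffixes, owned_zones, com_fallback=False):
    """Candidates that fall outside every zone the organisation controls.

    Each one is a query (and, for SMB/LDAP/web, possibly credentials)
    answered by whoever owns that public name: the namespace collision
    that makes corp.com dangerous.
    """
    return [c for c in expand_candidates(name, suffixes, com_fallback)
            if not any(in_zone(c, z) for z in owned_zones)]


if __name__ == "__main__":
    # Constructed scenario: a single-label AD forest "corp" and a public
    # zone example.com, both controlled by the organisation.
    owned = ["corp", "example.com"]
    # On the corporate LAN the DHCP-supplied search list keeps queries inside.
    print(leaking_candidates("sharepoint.corp", ["corp", "example.com"], owned))
    # Roaming: the home router hands out a different suffix and the client
    # falls back to ".com", so the same short name becomes a public query.
    print(leaking_candidates("sharepoint.corp", ["lan"], owned, com_fallback=True))
    # Absolute names (trailing dot) never get suffixes appended.
    print(leaking_candidates("sharepoint.corp.", ["lan"], owned, com_fallback=True))
```

The second call is the corp.com case in miniature: the same internal short name that stays private on the LAN produces a public lookup of sharepoint.corp.com off-network.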

~~~
swiley
> when the computer

Meaning browsers? The answer there is stop doing stupid things with the URL.
When I type “localhost” into Firefox I’m not expecting a google search.

If libc does that then that’s surprising and probably also wrong.

~~~
snazz
I'm pretty sure both the Win32 libc and applications do this. Try typing
"http://example" into Firefox. You'll get example.com.

~~~
phit_
mh, can't reproduce on Windows 10 and Firefox 73; I get a "Server not found"
page as expected.

~~~
bscphil
It's application dependent behavior, AFAIK. Windows internals / APIs add .com
by default, I believe. You probably hate this behavior like I do, and at some
point in the past set "browser.fixup.alternate.enabled" to false in Firefox's
about:config.

------
ganstyles
Oh wow, this is fun. Legitimate question: Where can I bid on this? There's no
link in the article and a Google search doesn't yield anything but spam.

~~~
Mathnerd314
From
[https://www.haven2.com/index.php/domains](https://www.haven2.com/index.php/domains)
it seems the preferred method is email, or maybe looking up his address and
sending him snail mail. It's not a formal auction. Also, the EstiBot service
he links only appraises corp.com at $112k. The million dollar figure comes
from Namecheap/GoDaddy but I don't think Mike will use that as a reference
point.

------
jrumbut
Makes me wonder what's happening over at example.com, prod.com, dev.com,
ad.com, and whatever other common similar names are out there.

~~~
stevula
test.com

~~~
paxswill
In the case of people using .test as a TLD we should be safe(r); .test is a
reserved TLD along with .example, .invalid, .localhost and .local (the last
being reserved in the long proposed mDNS RFC).

------
wyxuan
Wait, so if Microsoft or some legitimate company doesn't buy it then it will
automatically go to cybercriminals?

~~~
wereHamster
No. It's an auction. If you have 1.7+ million USD then it may go to you. You
are one of the good guys, right?

~~~
FanaHOVA
Microsoft turned $43B in profits last year, I don't think they'll have an
issue winning this if it's as big of a deal as the article makes it out to be.

------
techslave
$1.7MM. cheap, considering. honestly if I had the money I’d snatch it up

~~~
chx
Share your monetization idea; I'm sure we can crowdfund 2M in minutes if you
have a good idea. This is, after all, Y Combinator.

~~~
WrtCdEvrydy
Three steps:

1. Provide budget email services (your.company@corp.com)

2. Provide a company directory (corp.com/your.company)

3. Profit??

~~~
kevin_thibedeau
Sell subdomains:

nissan.corp.com

~~~
jowsie
This was actually Mike's intention when he first purchased the domain, he just
never got around to it.

------
gist
Fwiw the correct way for Microsoft should they decide to bid on this domain to
win this auction would be for them to make initial overbids that drive the
price up to prevent others simply playing a game of chicken from taking hold
and getting sucked into driving the price up even more.

~~~
pishpash
The correct way is to bid last and not reveal how much they'd be willing to
pay.

~~~
gist
Depending on the auction venue, there may not be a way to 'bid last'.

------
raleighm
He's known since 1997 (earlier?) that he has a dangerous domain. He had an
offer from Microsoft "several years back" (curious how long ago) but he's
holding out for something closer to "market"? I doubt he spent much money
purchasing and maintaining the site over the years. Yes, Microsoft should get
the purchase done at $1.7m. But O'Connor doesn't exactly come across as a
saint here. Pay a "market price" for my _sui generis_ dangerous domain or I'll
sell it to the highest bidder...

------
slyall
Amazing this sort of thing is still around. I remember there was a similar
sort of problem with WPAD (Web Proxy Auto-Discovery) domains like wpad.co.uk
and wpad.co.nz that was publicised back in 2007.

[https://www.networkworld.com/article/2289705/windows-flaw-could-steer-ie-to-hackers.html](https://www.networkworld.com/article/2289705/windows-flaw-could-steer-ie-to-hackers.html)

------
bluedino
Couldn't some organization buy it and let the IETF control it, like .local
(not really a TLD, but the idea is what counts)

~~~
amenod
Sure, except - why would some organization buy it to help MS's customers? If
anyone, MS is here in a tight spot to either (quickly!) find another solution,
or win a bidding war for the domain.

------
kerng
These days it's .local - we should keep an eye on that.

------
RaceWon
If it is such a bad risk, why doesn't one of the gazillionaires on here, or
even YComb itself just write a check and park it. End of story.

I would; but sadly...I haven't hit yet.

------
gpm
A domain isn't property that anyone has to respect. I trust my domain resolver
to point me at reasonable IP addresses. Not to criminals, people trying to
entice criminals, or people trying to extort corporations. I appreciate the
fact that the third is likely redundant with the first in most places.

I am entirely on board with just killing this domain out from under him.

~~~
jrandm
Think of a different website: maybe goggle.com (no idea what's on this
domain), seems like a reasonable typo.

Would you be bothered if your computer or network was sending emails to
whoever "goggle" is, not "google"? Should goggle be penalized for receiving
things you freely sent to them?

The problem is more you're sending data you don't mean to than that someone
owns the place you're sending it.

~~~
reaperducer
I just checked that domain for you out of curiosity. Don't surf there. Looks
very malware.

------
wolfhumble
Just wondering, IANAL, if Microsoft would be afraid of some type of class
action lawsuit if buying the domain. Buying it could maybe be seen as taking
responsibility for the error earlier committed and could open up a can of
worms for Microsoft. In any case, I am sure Microsoft have their reasons for
being quiet; it would be an easy problem to solve after all.

