Dangerous domain corp.com goes up for sale (krebsonsecurity.com)
406 points by DemiGuru 11 days ago | 290 comments

At the end of the article the owner talks about why he doesn't just give the domain name to Microsoft for the good of security, and he has imo a good reason - Microsoft fucked up and should shoulder the responsibility. Even more incredible is that it seems some requests were coming from Microsoft-owned machines. He talks about how massive Fortune 500 companies may be aware of the issue but unwilling to do anything about it.

So it seems, as ALWAYS, we're going to have to wait for state sponsored actors to buy the things, embarrass the shit out of a couple CEOs by posting their dick pics they're inexplicably sending over company mail, and THEN corps will start doing something about it.

Why we have to get on and off this merry go round every time is beyond me. Short-sightedness of those with decision making power boggles my mind daily.


As cynical as I may sound, cybersecurity threats like this will continue to be ignored until they sufficiently escalate into consequences.

And that statement, while obvious, is darker than it seems. Companies going under aren't sufficient consequences (many ransomware cases). Universities going offline isn't enough (look up the University of Giessen). The bureaucracy of cities going offline isn't enough (e.g. New Orleans).

This is just going to continue to escalate until something really really ugly happens and kills many people. And then we'll be presented with some grand legislation that I don't look forward to.


Let me share this thought experiment.

- most companies are really bad at security

- most people do not care about the security of their data, passwords, etc.

Based on these facts, I've been operating for a decade now under the assumption that one day within my lifetime, all of our logged online activity may become public after some hack. All of it that's logged somewhere. Chats, pics, posts, history, notes, cloud drives...

It may be slightly paranoid, but better safe than sorry. I should add that I live "normally", I don't care about my pics or discussions becoming public when it happens to everyone else too. I just remain cognizant that there's high probability here.

As outlandish as this assumption might be, the opposite (that security holds and most of our stuff never gets hacked) seems even more implausible to me. Educated guess, you know, which speaks less of tech/security than it does of human nature (carelessness or laziness, until a real crash happens). Hopefully this is very Western-centric and other cultures are better at long-term wisdom and planning.


The danger of these kinds of threats is not limited to exposure of personal information, though.

For example, take a look at Norsk Hydro. A ransomware situation took down the control systems of an aluminum plant. The company mostly got lucky - they still had senior engineers around who could control the system by pen and paper. Otherwise, you'd have a lot of half-processed slag solidify inside the line. At that point, there's little to do besides ripping all of it out and rebuilding the line in a newfound empty factory building.

And at that point, there are two scary areas to research: Industrial control networks which are abused in a wide area scenario. And the industrial ability to recover from these kinds of outages, if rebuilding a factory takes years. And I guess the security practices and budgets in that sector.


I think most people do care about security, they just don't understand it. People will just assume that they're secure instead of actually figuring out the true state of things, and then they'll be surprised when something happens. This kind of "not my problem" mentality is common across everything humans do, and while it can be due to laziness, a lot of it is just ignorance.

> I've been operating for a decade now under the assumption that one day within my lifetime, all of our logged online activity may become public after some hack.

Unfortunately we can't control which information about ourselves other people exchange in conversations with us or between them. Anything they know about us could be stored and hacked later on, even if we never went online or used a computer or phone.


I think this is actually by design. My theory is they built a panopticon intended to move humanity towards being more cooperative and docile. A feature of this is that people become self policing much like in the USSR. You yourself just admitted to what is equivalent to thought policing.

Instead of downvoting, I'll reply with my own logic:

1. Science and clear thinking demonstrates more often than not that the world is chaotic and random.

2. Conspiracy thought like yours can be a psychological attempt to quell one's unease from seeing such chaos by insisting that everything is controlled, so that you gain an emotional feeling of control and security once more.

Like 9/11, I think what you speak of (people's increasing self censorship as a result of draconian dragnet surveillance) is more pure accident - not design - but it's then taken advantage of by opportunists (where in the case of 9/11, it was warmongers and American oil barons).


https://medium.com/insurge-intelligence/how-the-cia-made-goo...

Both Facebook and Google were nurtured by In-Q-Tel and Highlands Forum members. I don't think this is wrong or bad. Just like Huawei and ZTE are highly correlated with the Chinese government, our biggest tech companies are interwoven with our national defense organizations.


Why — store everything you don't want to ever be public (like your private documents allowing for ID theft, medical records, business plans, nudes of yourself, etc) encrypted, and be the only one to know the key. Those are not many. Use SpiderOak, or Tarsnap, or any backup program that does this.

Anything you share with others, online or not, has a fair chance to become more widely known; just keep it in mind. This has always been so, afaict.


What's the point of having identity documents, medical records, business plans, or nudes of yourself that you don't share with anyone?

Identity documents should be public information, if they lack an irrefutable connection to you (e.g. photo ID unless you've got an identical twin) they're bad identity documents. But there may be accompanying information you should keep private, for example it's not unheard of for passport authorities to provide an additional document that helps them if your passport is lost or damaged, no need to let anybody else have that.

Medical records: it certainly can make sense for you to keep documents that medics don't need right now but might be relevant later. If you've got them, somebody else can't lose them.

Business plans ought to be obvious. You won't get far telling everybody what your plans are, keep them to yourself.

And nudes: while it seems lots of people do send them to somebody else - perhaps much better looking people than me - if you've got nude images of yourself for some other reason then it's better to keep them private than risk some outfit accidentally losing them. For example I had images of my penis from when I had surgery done on it to fix a problem; I was tracking the healing process because I was interested in how the stitches behave. No reason to put those photos in the Clown or whatever where they're one fat finger away from being available to anybody curious.


"As cynical as I may sound, but cybersecurity threats like this will continue to be ignored until they sufficiently escalate into consequences."

I guess an even more cynical take would be that nothing will be done even after extreme consequences become visible.

The analogy that occurs to me is war. Every politician theoretically wants to stop war, but for the modern state there is never an end to war and conflict, just rearrangements and strategies based on power and circumstances. I.e., they expect war forever and just want to win it. Lack of cyber security seems similar, and the plan seems to be to merge them.


The war analogy is not really adequate. War is an extension of diplomacy, a continuation of policy with other means, an instrument that may allow politicians to achieve certain foreign policy goals which they could not otherwise. War is not something that magically happens on its own; it's started intentionally to achieve certain goals, by a politician who did not want to stop that war but who wanted and chose to start it.

Even in the absence of actual conflict, having that option (and others knowing that you have that option) gives you lots of leverage and influence, and unilaterally abandoning that capability gives up that influence and ensures that you'll have to concede things to others who do have that option.

And it's not just that unilateral withdrawal doesn't work (si vis pacem, para bellum), but also that a multilateral agreement to end all war and capability for it is not something that all politicians and countries desire - some do, but some countries are militarily more capable than others, and they benefit from that, so it's simply not in their best interest to have a world where war isn't an option and they lose that influence. Case in point - nuclear disarmament; the powers that do have nuclear weapons have a strategic advantage over those that don't, and they would not be willing to give that up to have a world with no nuclear weapons even if it would be possible to have a working multilateral agreement between all of the nuclear powers.


The idea that nations go to war for clear, well-considered purposes is stretching things mightily.

But it's also irrelevant to my point. Computer insecurity isn't like war as such. Computer insecurity is like floating military technology, insecure borders, foreign sponsored "rebels" and all things that make war more likely. My actual point is that states are not oriented to ending these problems but to taking advantage of them.

But by all means spend a lot of verbiage to show some knowledge about states.


> Every politician theoretically wants to stop war

What? No they don't.


Government has a role to play here. How about fining corporations for cyber security f-ups? I live in Japan which doesn't have much to teach the world in terms of good governance. But if a Japanese company leaks PII the government already has legislation in place to impose heavy fines and even halt trading for a period of time. Makes for sober reading during company orientation.

A more cynical interpretation is that he almost certainly tried to sell this to MS privately, and they didn't bite at the price he was asking. The public offering at $1.7M is likely an attempt to force their hand.

Frankly that doesn't sound too expensive given the context; it's probably less than Microsoft's existing bug bounty budget anyway. I don't know why they couldn't work this out, or why they never bothered to try to address the issue over the multiple decades this guy has been keeping this domain out of dangerous hands.

Just write the check, Satya.


With a large organization like Microsoft, people who understand this don't have the power to make this happen. And people who have the power will WTF this for 6 months. By the time they make the decision, it will be too late. I doubt Satya will read this.

It took me half an hour to understand what is going on. Imagine an MS executive


Sure. But Microsoft has known about his domain, and this issue, since 1997, if not earlier. So they've had over 20 years to think about it.

They’ve just changed default settings to neuter the issue, and hoped the problem with established networks would eventually go away on its own as people upgraded.

In fact, I bet that domain was much more valuable in 2005 than it is now.


Perhaps. But TFA reports a recent test that was frightening enough.

> Imagine an MS executive

Which is the problem.

Like politics, the people driving the bus have no idea what happens under the hood. That's an incredibly stupid way to run society!


The article says MS offered $20k a while back and he passed.

That's an insulting offer, no?

It is. "adventus.com" just sold for 22k. "mymind.com" sold for 36k. "rude.com" sold for 100k. "gorilla.com" sold for almost 500k and "voice.com" sold for 30 million!

Any offer below 500k would be downright ridiculous.


Yeah, I dabble in domain trading and this domain would fetch $500k minimum on the open market.

Who would pay that though? "Corp" is going to be pretty hard for any company to establish as a brand.

I think the NSA might.

And if they use it, the registration should be cancelled for abuse, like any other domain, no?

Maybe the NSA has adequate resources.

Any state-actor would find it a very worthy investment for $2-5m. Absolute gem for passive intel collection.

Fantastic name for corporate lawyers and B2B companies

Until they understand what sort of internal info they could get; then they'll pay that 500k before anyone else could bid it up.

50/50/90 a chunk of my work records for the past ten years could be accessible if someone hits this domain and just sponges it up. Shivers.


> Just write the check, Satya.

Why should they? The sale will surely be heavily scrutinized and if the new owner tries anything then the domain will quickly be shut down for abuse.


Because it's fundamentally Microsoft's mistake? The asking price for the domain isn't unreasonable given it's a 4 letter .com and Microsoft can easily afford it.

All this does is make Microsoft look incompetent.


It's fundamentally Microsoft's mistake, sure, but that doesn't entitle this guy to extort them for 2 million dollars.

Extortion would be 20 million. 2 mil is not unreasonable given the circumstances.

Indeed, one could argue that Microsoft has been encouraging its customers to effectively spoof the domain. So it's totally obvious that it ought to buy it.

Still, this is the funniest thing that I've seen in months.


Is just invalidating the domain a problem? DNS exists to serve as a useful tool to society. If a particular domain becomes a public liability, just shut it down.

If there's credible reason to believe Microsoft is responsible for the liability, take them to court over it, but don't keep innocents at risk for the sake of trying to get Microsoft to own up to a mistake.


Regardless of whether that's legally possible, saying Microsoft deserves to "pay" for their mistake does not imply that this guy is owed millions of dollars for sitting on this domain for decades. That's silly regardless of what MS did or didn't do.

He owns the domain, and it's worth millions of dollars because of Microsoft's mistake. He may not deserve to own something so valuable, but he does. If you owned something worth millions of dollars, would you just give it to Microsoft?

> He owns the domain, and it's worth millions of dollars because of Microsoft's mistake.

I think it's worth millions itself as a 4 character .com. Its value because of the mistake and the potential that represents is likely orders of magnitude higher than that.


> The end of the article the owner talks about why he doesn't just give the domain name to Microsoft for the good of security

I can't even take that type of statement (in the article) with a straight face. You have an ordinary person presumably of typical wealth let's say average and he should just give something away for free 'for the good of security'.


Maybe he should ask for reimbursement on registration fees and a token manipulation fee?

He registered a bunch of short domains, probably with the intent of profiteering, and AFAICT he sold off some of them. By what logic or morals is he entitled to profit?


Where are you from, where do you live? Does not work that way in a capitalistic system in the US. He has the domain and it's lawfully his to decide what to do with it. It's not owned by the public. He's not wrong for selling it for a profit any more than someone selling their house or car who tries to maximize, in any legal way they can, the amount they can get.

I consider ethics, morals and decency to be a higher authority than law - and I believe many other people do as well.

AFAIK DNS was made to serve society, not domain speculators. IMO, domain squatters holding 90%¹ of good domains would be better served with a public whipping rather than monetary reward. Legal and practical status quo is another matter.

If I go to <lastname>.com, it says for sale and probably has been since registration. What is the benefit? Would it not be better if those domains were used for a genuine purpose? I wouldn't really mind if someone else was using it.

I'm in the EU. I had trouble finding an exact definition of speculative registration referenced in the Terms and Conditions[2]: ".. complaint .. on the basis of speculative or abusive registration, as referred to in Articles 21 and 22(1)(a) of the Public Policy Rules",

but here is an excerpt from eurid FAQ [3]:

If you want to dispute a domain name (under .eu, ..) registration and you believe that:

- you .. hold a trademark, .., family name, etc); and

- the current holder has registered or uses the domain name for speculative or abusive purposes,

you can challenge its registration via .. (ADR) procedure or in a regular court.

AFAICT, domain speculation / squatting are explicitly forbidden, though probably sparsely enforced. I believe I have seen similar wording for applicable ccTLDs, and would not be too surprised to see something similar for .com, .org etc.

¹ Number made up.

[2] https://eurid.eu/media/filer_public/f5/d2/f5d22bc1-9d62-4ba9...

[3] https://eurid.eu/en/register-a-eu-domain/domain-name-dispute...


> Would it not be better if those domains were used for a genuine purpose?

I own (as many others do) a vacation home. Wouldn't it be better if that home was used by someone who was homeless and needed a place to live? Why should I have enough money to keep a home empty? (Why? Because you earn money and then you can buy things that others can't, that's why it's capitalism and the way it is here).

And who is talking about .eu anyway? I am not and the domain in question is not a .eu domain either.

With .com the only thing that you can't do is very carefully defined by the UDRP process and there is further an entire industry devoted (like there is with real estate) to buying and selling domains that don't run afoul of those rules.

You are barking up the wrong tree here honestly starting with the feeling you have that the wrong thing is happening here. It's not.

And 'DNS' was not 'made to serve society' and even if it was (by some stretch) that would not prevent something else that is lawful or legitimate from happening with a registered domain name.


> Wouldn't it be better if that home was used by someone who was homeless and needed a place to live?

Yes.

> Why should I have enough money to keep a home empty?

Because the system worked for you. It doesn't for everyone - and let's not pretend hard work correlates to the system working for someone.

> that's why it's capitalism and the way it is here

Nobody is denying that, but your OP is arguing that that system is immoral. I happen to agree.

> And 'DNS' was not 'made to serve society'

If it doesn't serve society, who does it serve?

> that would not prevent something else that is lawful or legitimate

We can decide what is lawful or legitimate, that's kind of the point. "But law" as an argument doesn't work. We can change the laws to reflect our values.


Pain is required in order for people to make change.

As a Joe Shmoe I honestly think I would do the same thing as this guy, and I'd sleep OK about it. Should I forgo an 'exit' for me and my loved ones based on feeling some responsibility for the errors in cyber security of various profit seeking corporations owned by someone else?

>>The end of the article the owner talks about why he doesn't just give the domain name to Microsoft for the good of security,

Microsoft should buy it for the good of security. Why gift anything to a Trillion dollar company?


> Why we have to get on and off this merry go round every time is beyond me. Short-sightedness of those with decision making power boggles my mind daily.

Because someone will have to cut a 7 digit check. And nobody is going to volunteer their budget for that.

Until the bigwigs gets pantsed and command someone to cut the check, it simply won't happen.


> Schmidt’s findings closely mirror what O’Connor discovered in the few years corp.com was live on the Internet after he initially registered it back in 1994. O’Connor said early versions of a now-defunct Web site building tool called Microsoft FrontPage suggested corporation.com (another domain registered early on by O’Connor) as an example domain in its setup wizard.

> That experience, portions of which are still indexed by the indispensable Internet Archive, saw O’Connor briefly redirecting queries for the domain to the Web site of a local adult sex toy shop as a joke. He soon got angry emails from confused people who’d also CC’d Microsoft co-founder Bill Gates.

If only Gates had gotten more annoyed back then and bought the domain just to stop the emails...


I love how GoDaddy lets you add the corp.com domain, has a checkout page showing the $1690000.00 and a buy now button. It even has a promo code field, so I wonder if I can get a discount?

That sounds cheap... Seriously, the potential to make a far bigger business out of *.corp.com is better than whatever current startups the VCs have been smoking.

You're funny, but I tried that with a GoDaddy account and I see no such thing. Screenshot?

You can see a similar thing if you search "corp.com" on Namecheap: https://www.namecheap.com/domains/registration/results.aspx?...

You can't add it to cart; it changes into a chat button if you try.

Usually those 'premium'-listed domains are an integration with a third-party service, where high-value domains are handled one-on-one by individual salespeople. There are pretty extensive anti-fraud and anti-money-laundering measures involved to protect the companies involved.

Nice!

Name"cheap"

At least they wouldn't be charging an exorbitant annual registration fee on top of the purchase price.

I wasn’t logged into godaddy at the time. Maybe that’s the reason.

I can't believe this situation.

This is a guy who, by his own admission, wants it to go to Microsoft, but is also holding an auction. He could just quote Microsoft $2M and be done with this whole thing.

Instead, he and this "security firm" publish a big article on one of the internet's most lauded security blogs where they outline how blown away they were with how much data was being sent to this domain. They left it open for 15 minutes and got millions of emails, passwords, etc. "Wow, bad people reading this, look at how much data you could get. You better join in on the auction. Microsoft, you seeing this? You better get in on this too. Bid often and bid well, friends."

I wonder what kind of authority ICANN has in revoking domain name registrations in extreme circumstances. Microsoft fucked up here, but we're long past that being a relevant component in this discussion. This registration should be pulled out from under O’Connor and blocked from registration for 100 years.


I am totally OK with the sale of this domain to anyone. He owns the domain and he has the right to sell it.

Perhaps the fallout would be good for computer security, as it would stop corporations from making boneheaded security decisions. Pain seems to be the only way to make corporations evolve anyways.


Would it be the corporation experiencing the pain of identity theft and fraud? Is it just the people in charge of Microsoft whose personal data is being waved around?

No, it's any Windows computer from a certain time frame used off its internal network which was set up with the default Active Directory settings for the internal domain.

If a third party got burned, they should turn around and sue Microsoft.

MS deserves some responsibility for causing this. And "take your entire AD network down for some amount of time and break backwards compatibility" is not a reasonable fix.


I don't see why those third parties wouldn't sue the owner that sold this domain to unknown parties fully aware of the security risk.

Sue on what grounds? He has no legal obligation of any kind towards them, and they're the ones who incorrectly sent their traffic to him.

Microsoft certainly screwed up here, but all this guy did was... exist.


Technically, the domain owner probably has grounds to sue Microsoft.

By effectively configuring AD / Windows to DDoS the domain, on multiple protocols, MS deprived him of usability.

Seems pretty open & shut on loss of value.


That configuration is the only reason the seller is able to publicly demand such a high price without the universe laughing at him in concert.

To put it in perspective, dating.com sold for 1.75m.


To put it in perspective, Microsoft products have been spamming his domain for 26 years.

>To put it in perspective, [in 2010] dating.com sold for 1.75m.

That was 10 years ago.

"myworld.com" sold for 1.2m in 2017, "jade.com" sold for 1.25m, "vivo.com" went for 2.1m

In 2019, "voice.com" sold for 30 million usd.


Outlier. My search turns up 10 sales since 2017, only one was higher than 3.5m, and that's "voice.com." I chose a sale that was in the ballpark of the stated figure for "corp.com."

"California.com" sold for $3m this past year, so let's not pretend that much has shifted in the market for these domain names in the span of this decade. $1.7m is a hefty sum for a domain name that isn't even a word.

But it's an irrelevant debate.

My point is that the counterargument against any lawsuit would be that the high value of the domain name "corp.com" comes from the Microsoft issue, so it'd be pretty tough to argue that the owner was harmed by Microsoft.


Because he has no legal responsibility whatsoever. He is not responsible for the content that others send to a domain he controls.

As I've said before, this is like saying that nuclear war is a good thing because it demonstrates the danger of nuclear weapons.

I do wonder sometimes just how effective nukes would have been as a deterrent, if Hiroshima and Nagasaki weren't there as a case in point on just how devastating they are to civilians specifically.

Isn't that true though?

Let's not & say we did

no

Why not?

I would agree except he is quoted as “fearing” it won’t go to Microsoft. He could just make that happen.

Not if Microsoft wasn't willing to buy it at a reasonable price. For all we know he offered, they refused, and this is O'Connor's attempt to publicly pressure Microsoft into buying it at his asking price.

Microsoft's willingness to buy it is, in my opinion, irrelevant in this discussion.

If everything this "security team" from the article has said is true, this domain is persona non grata. It's an armed nuclear warhead. There is no positive outcome for this story that begins with "And then the domain was bought by".

It's Microsoft's "responsibility" to "clean up after their mess". No; we're beyond fighting about who should take responsibility. Throw the ball in Microsoft's court and they'll offer $20k. Throw the ball back to O'Connor and he'll say it's worth far more. He throws the ball to the market. Terrorists notice that, wait, actually, that ball is a nuke. Cool, it's at auction; Microsoft now has to pay millions of dollars. So our two options are: Microsoft buys the thing and we're safe, or they don't and we're fucked, and a couple people on reddit are mad at Microsoft for cheaping out, but they live on like it never happened, and we all forget for 18 months until, one day, at the top of hackernews we get a nice new HaveIBeenPwned.

At this point, this domain is like example.com; IANA owns that one. It's too generic. It's used in documentation. People mistake it for being meaningful. The only reason it hasn't caused issues is because the owner has, all thanks to him, not intended to cause harm to the public. But we're now in a place where we can do something about it, and this domain should be removed from public registration.


Microsoft have the money, 1.7mil is a rounding error for them. They could've paid the money, solved their problem and nobody would be discussing this on HN now. Instead everybody now knows how incompetent/boneheaded Microsoft are around this issue and they'll probably still end up buying the damned thing.

More to your point, this domain is now "too generic" because Microsoft made it so. example.com is going to be used by a wide collection of people, "corp.com" really only has this issue because of Microsoft, there's no generic reason why people would use "corp.com" in the same way they use "example.com".

Microsoft created this situation and effectively made that domain toxic, surely it's on them to fix it?


> It's Microsoft's "responsibility" to "clean up after their mess". No; we're beyond fighting about who should take responsibility.

I feel the opposite. It is definitely MS's responsibility, but they don't care because they are not going to be pwned. It's the poor users who MS suggested to use corp as their AD domain without buying that domain in the first place.

Every time any corp fks up, the people have to pay for it (maybe by getting hacked, or being saved by the state) and corps don't care.

> It's too generic

Right, and who chose it? This domain is like example.com except it ain't, because people don't mistake it for being meaningful; MS advised people to use it explicitly.


Microsoft has deep enough pockets to make that happen.

But it's very valuable and he wants (needs?) the money for his retirement. Microsoft may not be willing to pay up.

From the article: "It seems to me that Microsoft should stand up and shoulder the burden of the mistake they made," he said. "But they've shown no real interest in doing that, and so I've shown no interest in giving it to them. I don't really need the money. I'm basically auctioning off a chemical waste dump because I don't want to pass it on to my kids and burden them with it."

What right does he have to 1.7 million dollars? The fact that he was the first person to register a domain? That's ridiculous. He did no work for it. He did not do anything to benefit society. He is just trying to extort society for that money by threatening to help criminals if we don't give it to him.

He owns it and can offer to sell it at any price. And it sounds like he's certainly helped to keep the security issues contained all this time.

Your statement is completely ridiculous. There's no requirement to "work" or provide benefit to society before you can sell something you rightfully and legally purchased.

Everyone investing in the stock market is the first to buy something at a lower price. Do they not own the stock? What work did they do when it increases in price? Do they have to prove to society that they're a good person when they offer to sell the stock?


A domain is a registry entry in a database, a contractual right, not property. Sure, some people have treated it as property with IP mechanizations, but it is not an asset in the sense of a house or other tangible. If a decision is made you can't trade in them, or makes it difficult (ARIN with IP block space comes to mind), you're outta luck.

Intangible virtual items can be legal assets with ownership. This is not a new concept.

> "If a decision is made you can't trade in them"

Ok, but it hasn't been made. Ownership can be sold and transferred so that's what's happening.


Registration information does not equal ownership. My phone number is assigned to my mobile provider account. I do not own my phone number, as it is not tangible property.

This is a pedantic argument that I suspect you know is completely irrelevant. The ownership is of the registration itself.

When you buy a share of a company, it's also just assigned to you. But you still own it.


Actually, when you buy a share of a company in the US, unless you're getting a physical stock certificate (which no one does), the registration isn't even assigned to you. It's assigned to the Depository Trust Company. You as an individual are then several layers of indirection removed from that.

This example is working against you here, as people do have a right to retain their phone number, similar to domain names. Your phone company cannot take your number away from you, and you have the right to transfer it to another company whenever you want.

There's decades of case law supporting the idea that domains are in fact property. So you are, in fact, not "outta luck".

Stock ownership is just an entry in a database.

Codified in law. The others I mention, not so much.

As far as I know, there's nothing specifically codified into law prohibiting others from stealing my wheelbarrow. It just fits into the general category of theft of an item owned by someone else. Domain names are treated in exactly the same way. The concept of private ownership of things (tangible or sometimes intangible) is definitely codified into law. And domain names are actually much more tangible than most IP. If I pirate a film, I'm only making an unauthorized copy; I'm not actually depriving the copyright owner of anything save for maybe some hypothetical revenue. But domain names aren't copyable; they are globally unique, and if you take someone else's then you are completely depriving them of their right to use it. It's theft in a very real sense, unlike piracy. The courts have found as such.

Do you have a link to a court case you can reference establishing precedent that a domain is considered tangible property? If so, I’m happy to eat crow.

https://www.casebriefs.com/blog/law/property/property-law-ke...

https://freedom-to-tinker.com/2008/10/18/kentucky-vs-141-dom...

They're intangible property (I never said they were tangible), though that distinction doesn't really make a big difference here anyway since the physicality of the property isn't relevant.


>Your statement is completely ridiculous.

Criticism of loose capitalism isn't automatically ridiculous.

>There's no requirement to "work" or provide benefit to society before you can sell something.

Well, obviously some people think that that is a problem with our current system of wealth distribution :)


I fail to see the criticism here, and yes it's ridiculous to say someone can't sell something they own without a subjective moral evaluation on how they benefited society first.

Some people believe ridiculous things. Doesn't make it any less true, and I've yet to hear of any magic utopia system that's any better than capitalism in reality.


I don't get what you're saying. That any possible alternative system of allocating DNS domains rather than "auction to the highest bidder" is necessarily a "magic utopia"? Sounds rather bizarre to me, personally.

You said "Criticism of loose capitalism" and "current system of wealth distribution", and nothing about the domain auction process.

I would argue yes, just buying it first is all he needed to do to deserve to be able to set his own price. People buy and sell domain names all the time, and the ones who scooped up Nike.com or NBA.com likely sold it for a pretty penny. They didn’t benefit society. I would argue there are lots of profitable ventures that don’t benefit society but we allow them; I think of smoking right away as one example. He is trying to take advantage of Microsoft's mistake from what I understand. In the giant corporate world a mistake only costing 1.7mil seems like pennies, and they should just grab it and put it behind them. On a side note, what do you think of Bitcoin? I wanted to buy it back when it was less than 100 a coin but was broke. It would have shot up in price with me doing absolutely nothing to benefit society, and actually one could argue hurting the environment, as bitcoin mining is very energy intensive, and also some may argue bitcoins facilitate criminal activities. But I would bet most here on HN would be okay with bitcoin as an investment. I see his domain no differently.

> take advantage

An asking price of $1.7 million is hardly "taking advantage" of a $286 billion company. Microsoft hoist themselves by their own petard here by letting this problem sit for 26 years: that's only about $65,000 per year, which is more than reasonable pay for somebody who's been effectively giving them free IT services that entire time.


I completely agree. It is pennies to this company; this is no hardship for them. My personal name as a domain is being squatted on the .com domain for several thousand dollars. It is worthless and I cannot imagine a time it will be worth something. But I don't complain and think I should get it for free. If I want my name domain I have to pay several thousand dollars. Had I bought it 20 years back it would have been pennies also. Such is life.

I agree that it's not taking advantage of Microsoft, but it's not because of the dollar amounts involved. If I do a fake refund scam to the tune of $20 on Amazon (which is a ~$1T company), that's still "taking advantage" of them. It doesn't matter that it's peanuts compared to their market cap, I'm still doing something wrong.

And as an aside, your stated market cap for Microsoft is off by more than a trillion dollars.


> They didn’t benefit society

Yes. However, whoever managed to raise 1.7 mil probably did so by earning it. Money goes both ways.


He has an asset that he values at $1.7 million. His right is that he owns it and can sell it as he see fit.

He has no obligation to M$FT or any of their customers.


Agreed. As much as I would appreciate Mike acting for the public's benefit here, society isn't entitled to him giving away his property.

In his position, I would absolutely capitalize on the domain; consider that selling is one of the more harmless ways that value could easily be extracted from it. Maybe if I were a billionaire I would consider giving it away, but even then I would rather take the money and donate it than leave it in Microsoft's pocket, considering this is 100% their screwup.


He has no legal obligation. But we can also call him an asshole. Plenty of assholes never break the law.

Microsoft has had 25+ years to fix this. They could have offered to buy the domain at any time.

Instead they leaned on free benevolence from this guy.


What asset?

He has an informal agreement with an informal group of organizations to respect his decision of what records to return in response to DNS requests. No one is obligated to follow that agreement. This form of abuse of that informal agreement should result in the group of organizations unilaterally terminating that agreement.


This kind of reply reminds me of the vitriolic replies that companies leveled back in the day against the guys who registered donotreply.com.

They would try to alert companies using a domain they didn't own for communications to their customers that this was a bad idea, and soon after got nastygrams from the company's lawyers saying they'd stolen their intellectual property and wiretapped their communications.

http://voices.washingtonpost.com/securityfix/2008/03/they_to...


If this were a meatspace address, this wouldn't even be an issue. Then or now.

Consider this hypothetical: You buy a house, and its address somehow gets listed as an internal corporate postal address at BigCorp. You regularly get bag-fulls of corporate mail containing personal information. BigCorp refuses to change their internal directories, and refuses to buy your home at a reasonable value.

The only real difference in the corp.com case is that instead of just one BigCorp, it's one BigCorp that's gotten a bunch of other SmallCorps and BigCorps to all incorrectly list the same address too.

On the same general note, "a business listed my phone number as theirs and refuses to change it" stories are pretty common, and often have the same "the business refuses to change it" quality.


And you're perfectly within your right to sell that address to anyone you so please. For whatever price.


What I mean is that no one will piss their pants about "morality" if that couple wanted to sell their house.

It's their house, they can sell it and the associated addresses to whomever they see fit


> He has an informal agreement

It’s a legally binding agreement. I guess we should start yanking peoples’ homes because all they have is an “informal agreement” with the seller?


No it's not. He has no legal agreement with my DNS provider for them to do jack shit.

He has some legal agreement with his registrar, and maybe indirectly with ICANN, but that legal agreement means jack shit to DNS providers, who are the ones that ultimately matter.

For an example of DNS providers already using this fact for the public good, see AdGuard DNS


So call your DNS provider and have them not resolve to his address.

It probably won't surprise you to learn that my DNS provider reads HN... so in a sense you could say I am doing that.

How is it abuse? Giant companies auction off lots of domains every day.

He is literally advertising to criminals... how is it not abuse?

He is not. He's saying it can be valuable to criminals, just like many other products sold everyday.

The fact that a criminal may acquire them and/or use them for nefarious purposes does not mean selling them is a problem.


Knowingly aiding and abetting criminals puts you right in jail.

He's selling the domain through an auction/resale service [1], so any question of "aiding and abetting" goes to them, not him. At the high end, these services have extensive anti-fraud and anti-money-laundering checks (speaking from personal experience working for a small registrar), so the question of direct liability is pretty well covered.

[1]: https://www.namecheap.com/domains/registration/results.aspx?...

Otherwise, you end up with a world where anyone who comes into possession of a dangerous item is obligated to potentially keep it forever and force all of their descendants to keep it forever.


The keyword is "knowingly". He's clearly well aware of the security risks and is doing his best to keep it safe (including asking Microsoft to acquire it for 10% of the revenue they make in an hour).

Yes, you're right, that is the keyword. This article, and statements like the following make it perfectly clear that if he follows through on his threat he will be knowingly aiding criminals.

> O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.


A person can be reasonably confident that their immediate sale of an item is going to go to someone who will use it responsibly... while still worrying about its disposition five or ten years down the line. (Microsoft has already let this problem sit for 26 years, after all.) That still doesn't mean the person has any particular legal or moral responsibility to monitor their original customer indefinitely just because there's a future risk.

That is neither a threat nor proves that he knows anything about the buyer being a criminal. He's only worried about that possibility, which is a good thing considering he has been a good steward of the domain this whole time.

He doesn't know a criminal will buy it. In fact, because it's an auction, he doesn't even know who the buyer will be until it's sold.

There's little difference between this situation and one in which someone buys a property that then becomes famous in a movie or show.

Except in my hypothetical example your response makes you sound like some sort of communist outraged by the profit your neighbor made off their house, when you bought the decidedly unfamous one next to it.

> His is just trying to extort society for that money by threatening to help criminals if we don't give it to him.

Is he? Where's your proof? Perhaps he's just sharing his very novel experience of a property he owns that the world honestly should know about for security reasons. What if this man dies in a few months and we didn't know about this, then his kids sell it to the NSA or Russia, would you rather that?


He does not have the right to sell it. He has the Privilege of selling it.

Be very careful about that use of language; your rights, as a citizen of whatever country you live in, are generally limited and legally defined. Domain name ownership certainly does not qualify as a Right.


Except what's the human cost of this? If there is a stream of sensitive info, real people will be impacted.

Big corps are not usually the ones that are affected the most.


He doesn't own shit. DNS is a centralized database entrusted to a non profit to serve the good of the internet.

Verisign is a nonprofit now?

Verisign has a business contract with ICANN to operate as a registry for .com. The contract has a bunch of legalese clauses which can be interpreted in a bunch of ways. They all encourage treating names as property because it makes them a lot of money, but it's bullshit: you get a limited "license" to a row in the database with a bunch of legal clauses and exceptions. The ultimate guidance for ICANN is supposed to be to protect the health of the internet, though they mostly focus on making money these days.

You're saying a domain ownership should be revoked based on a third party having bad defaults and the owner talking up the value of the domain?

Yes. It's a combination of several things, and I stress "extreme circumstances"; this qualifies.

The domain clearly would have a broad security impact if it fell into the wrong hands. It is generic. It is being squatted, rather than actively used in any value-generating capacity. The owner has demonstrated poor stewardship of the domain.

This person does not have the right to compromise the security of millions of people just because he was early to registering a domain name. Domain name registrations are not a Right; they're a Privilege granted to registrants by custodians of the internet that we all help build, secure, and maintain.

It's not enough that Microsoft simply buy the domain (though this would be a fine outcome). ICANN should just shut it down. Revoke the registration and refuse to issue it again. We've proven that there are hundreds of thousands of clients sending personal data to this domain; it simply should not be in the hands of anyone, period.


Certainly, it's a squatted domain the owner has never had any interest in actually using and is now no longer even interested in holding. If what is in the article is true then I don't even think Microsoft should necessarily own the domain let alone put it out for public bid to see if a good guy is willing to pay more than a bad guy could make off of it.

The guy even claims "I don’t really need the money. I’m basically auctioning off a chemical waste dump because I don’t want to pass it on to my kids and burden them with it." so revocation and locking seems perfect, it's exactly what he wants.


You're putting up two completely different arguments here:

1. The domain was squatted and the owner did not put it to good use.

2. Because of a third party the domain is so toxic that it should be disabled for eternity.

Those are very different reasons, which one warrants a revocation?

The first one is true for very many domains and probably a large reason that ICANN and registries have large revenues. The second one is probably unprecedented under a gTLD.

If this was under a cTLD I would agree that it would be okay, if in accordance with that country's laws and a proper legal process, but under a gTLD I think these measures should not be taken.


Two arguments, yes, but they aren't presented independently as you pose. Scenarios where 1 xor 2 is true are a much more complicated conversation that we don't need to get into in this case. Is there a general solution to those scenarios independently? Maybe, but I don't know for sure in that case.

What I do know is an inactive domain the owner wants to get rid of because it's a massive burden due to being so toxic should be revoked and locked not sold to the highest bidder. I don't know what we should do if it were an active domain and the security question were posed or what we should do about squatting in general (though I will say the money from the sale does not go to ICANN or the registrar).


Scenarios 1 & 2 have very different rationales for being applied to a gTLD though. Scenario 1's problem (domain squatting) has been the fact for basically forever for all TLDs. Scenario 2's problem would be pretty novel to fix, at least for gTLDs, so it doesn't really matter as long as Scenario 2 is in the game.

I'd also be interested if he said he would willingly give up the domain for free if it would not pose a security risk? From my read he still wants to sell it to the highest bidder.


> the owner has never had any interest in actually using

What are you basing this on? Did you even try to research the history of this domain? https://www.haven2.com/index.php/archives/corpcom-registry


I think an extreme circumstance would be someone hijacking microsoft.com and trying to ransom it off but I'm not really familiar with ICANN's specific powers.

Why should everyone in the world not get to use a thing because Microsoft has some naming scheme? These places have been shouting whatever data at a random (edit: unintentional and uncontrolled rather than random) spot on the internet for years and that's a huge problem.

Opening up an auction is a nice way to draw attention to the problem, get MS to literally&figuratively pay for it (even if the price 10x'd it's not like M$ couldn't handle $17MM), and make it no longer the seller's problem.


The story is not fully clear. It's possible he already tried to contact Microsoft and tried to sell it to them. They might have refused. But the idea of it going on an auction might pressure them into buying it.

Brian did contact Microsoft for comment, and their response doesn't mention that they want to buy it.

I consider it bad reporting that Brian doesn't mention whether Mike already contacted Microsoft or not.


Thank you for your comment. Made me recall an important bit of reporting that I somehow omitted from the original story (now updated and rectified). O'Connor told me that several years back he got a $20k offer from Microsoft for the domain, but at the time he thought that was too low and didn't reflect the market value of the domain. He turned it down.

Hi Brian. Sorry to contact you through this, but could you please make your website responsive. It is hard reading your blogs from mobile phones. Thank you.

BTW, where do I go to buy it? Who's mediating the auction and how do I put my bid in?

Visiting http://corp.com/ takes me to a GoDaddy parking page and tells me that GoDaddy will happily convey my offer to the owner for $69.99 plus a 20% buyer broker fee. Is that the plan?



> I consider it bad reporting that Brian doesn't mention whether Mike already contacted Microsoft or not.

To my other comment you say 'contact Microsoft' as if there is a phone line which goes directly to the decision maker for this type of 'purchase'.


It's incredibly easy to find someone at a company like Microsoft who would know who the person is to make a decision like this. For example, I'd start on LinkedIn or Twitter, searching for someone with a title that contains "Security", "Senior", "Distinguished", "Manager", etc. You'll find a dozen people. Send a few messages out that outline the situation. They're not the person who makes that decision, but they'll know where to direct it, and if it's serious, they'll direct it.

No, there's no phone line. No one calls anyone anymore. Find an entry into their corporate graph, and let them resolve it internally. Or, get an article published on a high-profile blog outlining why they should buy it, and they'll be calling by Monday. It's not that hard.


Brian could have said Mike tried or that Mike didn't know how to contact Microsoft. And Brian contacted Microsoft, so they could have offered the deal to them at that time, but the article doesn't mention it.

My BigCorp experiences make me picture events happening this way: somebody made Microsoft an offer, got told "let me ask my manager about that", and then the message got lost in twelve layers of management and/or just outright discarded by one of the human spam filters in one of those layers of management.

From TFA:

> Asked why he didn’t just give corp.com to Microsoft as an altruistic gesture, O’Connor said Microsoft actually offered to buy the domain several years back for $20,000.

As krebsonsecurity said, he edited the article to add that because of my comment.

> I wonder what kind of authority ICANN has in revoking domain name registrations in extreme circumstances.

Not even close to the way this works. ICANN does not 'revoke' domain names. There are ways to take possession of a domain name, but that would not be the process (nor should it be).

> He could just quote Microsoft $2M and be done with this whole thing.

If you think selling anything, and in particular a domain name, is that easy, you should try to sell a domain name to a large corporation and report back the results. It's not trivial, to a large corporation in particular, and further, for any amount (much less way less) it is not assured in any way.


Because if he'd have done that, this wouldn't be news, it wouldn't be on HN, and this somewhat invisible security hole would remain in the shadows. Perhaps O'Connor would be just fine with ICANN ripping this away from him, but perhaps that bluff needs calling.

> He could just quote Microsoft $2M and be done with this whole thing.

He could but MS would laugh in his face. The auction and publicity are the only way to establish the domain's actual market value and to pressure MS to pay it.


Am I wrong, or does one update from Microsoft make this whole drama go away and the "problem" a moot point?

Can't update old windows boxes that refuse to update. And there are a lot of those.

We're not just talking about Windows boxes. We're talking about entire Active Directory networks.

In this sense, it's more like the ipv4 -> ipv6 migration.


Why bring up ICANN? They don’t control .com, verisign does.

Perspectives like this and others are one of the many reasons I greatly enjoy HN. I didn’t even consider the situation in this way, yet it makes much more sense than what I constructed in my head. Thank you for that.

What a persona this paints of the seller.

Would like to add that I also share your wonder. To me, this needs to evolve to a necessity for them (ICANN, in terms of ability) rather than just an “if”.

Please forgive me my lack of context surrounding this, but would love to learn more about why Corp.com is being sent various data (some sensitive, as mentioned in the article) from various parties in the first place. Did it use to serve a purpose for MS or other?


> What a persona this paints of the seller.

Yeah! How dare he care about his own livelihood rather than “security”?!? What an asshole!


If your livelihood is based on squatting domains you bought in 1992, you won't find me crying tears of sorrow for your loss when you only make a couple million dollars instead of whatever number you think you're owed for adding zero productive value to the world.

Scratch that; domain "investing" actually removes productive value from the world. Someone else might own that domain and actually do something incredible with it. Microsoft clearly could have; they use it all over their documentation (and they're idiots for doing so, but what's done is done).


> domain "investing" actually removes productive value from the world

Does it? These domains are available for those who want them at fair prices. Why is the current situation any worse than one in which these domains would be snapped up for low effort personal sites?

> Someone else might own that domain and actually do something incredible with it.

Why? What would be an example of "something incredible" that'd require a very specific domain name like this?


It's hard for me to have sympathy for him "protecting his livelihood" when we are talking about a lucky gamble that appreciated by 140000x, he's already successfully sold several of them, and almost the entire value is driven by scamming opportunities.

> and almost the entire value is driven by scamming opportunities

That’s a bizarre claim. Maybe you should read up on previous high value domain name sales before making such statements.

The asking price is perfectly reasonable even if you disregard all the “scamming opportunities”.


Pretty much any four-letter .com domain (even gibberish) would sell for upwards of a million dollars these days, too. $1.7 million for a recognizable four-letter domain is if anything substantially lowballing it.

The whole affair seems bordering on blackmail: “pay me, MS, or your customers will get hacked”.

If you were truly concerned about security, you’d have just transferred the domain over. If you want to make a good profit off of that, though, please—don’t make a theater.

If you are both genuinely concerned about security but also desperately need money, what you would effectively end up doing is a reverse auction—start high and go lower until the one buyer you want agrees.


> please—don’t make a theater

Why not? If Microsoft is unwilling to pay a reasonable amount for the domain, the logical action to take is to publicize the flaw in their system.


Giving security flaws the publicity they deserve: I’m most unreservedly in favor.

Using publicity to hold someone hostage in order to extract money while hiding behind security concern claims: not a good image.

If I were in a situation where I have nothing to eat and urgently need to liquidate such a domain, I would raise awareness publicly but negotiate in private. If I were relatively well-off, I would arrange a pro-bono handover, publicly or privately, and of course try to raise awareness anyway.

To make matters worse, the sale appears to be handled via an auction. The wide publicity given to the event via Brian Krebs’s website must have attracted the attention of a wide range of players, motives unknown. For a reputable corporation to find itself bidding against a theoretical Bitcoin millionaire blackhat is far from desirable on a couple of levels (I doubt the auction’s KYC can really prevent that, but if it is strict enough then I take back this particular concern).

Thus, the situation as it is just seems to smell to me, though I’m not entirely ruling out good faith with unfortunate execution.


Why not take microsoft.com then in the same way. One could argue the software there has led to a ton of criminal activity. Since we've now decided that private property laws don't matter anymore, then this domain should be blocked from registration for 100 years. Let's throw in google.com. That has led to tons of crimes too, just from the malware ads, let alone everything else.

Obviously all these suggestions are equally ludicrous.


Also if this is such a big issue, you can simply configure your local DNS server to point that domain to whatever you want and ignore its original SOA.

If everyone would do that the domain would be worthless.


The easy resolution here would be for microsoft to push an update that does the moral equivalent of adding hosts file lines

    127.0.0.1 corp.com
    ::1 corp.com

That would break internal workflows for a lot of companies—they’re relying on “corp” as a bare TLD to resolve to an internal network endpoint.

I bet many IT admins would find this “quick fix” that would “make it work again” by effectively removing that /etc/hosts entry.

Perhaps a better patch would be to remove the [TLD] => [TLD].com DNS failover resolution feature.


If .corp is successfully resolving this change should have no impact, since the problem is only when .corp fails to resolve and the resolver falls back to .corp.com.

Sorry - you’re right. I misread.

But I still think failing over from corp to corp.com is a bug, not a feature.


> But I still think failing over from corp to corp.com is a bug, not a feature.

I think it was a mistake, but you probably can't fix it now. Too many random pieces of code are going to be relying on it.


That doesn't make sense. When .corp fails to resolve now, .corp.com is also a deadend because O'Connor turned the domain off, so nothing should happen to any software by not trying to access .corp.com.

Surely a rule can be made in the resolver code that specifically in the case of .corp failing to resolve, short-circuit it there and do not failover to internet domains.


Right, what you're suggesting is one implementation of what I meant by "the moral equivalent of adding these lines to /etc/hosts".

I think TimTheTinker was suggesting the much more general fix of breaking the fallback for all domain names, not just .corp domain names.


What Microsoft should have done was read and implement https://tools.ietf.org/html/rfc1535 and apply a bit more learning from others and a bit more foresight when they were setting up this disaster in the 1990s.

I have a small bit of sympathy for them, because when Active Directory was first learning how to do domain names, they cost $100 per year and required a huge amount of bureaucratic nonsense. MS wanted to be able to sell their software to businesses that might never connect to the Internet. But they could have done a much better job.


1) windows has a hosts and resolve.conf file (don’t ask me where it is but I’ve seen it and it works)

2) what are likely the most risky applications tend to ignore the libc resolver and its configuration.


The Windows hosts file is usually at C:\Windows\System32\drivers\etc\hosts. Winsock was modelled after BSD, hence the resemblance in the filename.

/etc/resolv.conf is available from Bash when WSL is enabled. It reflects the settings from the registry by default, but can be made to be independent of them.


I always wondered why it was in such an awkward location. It makes sense now.

And, of course, a great many internal computers will _never_ get an update from Microsoft. https://gs.statcounter.com/os-version-market-share/windows/d... Windows 7 still has a quarter of the market...

As I said elsewhere, if it's not getting updates, it's fucked anyways.

Support for Windows 7 can be purchased for dates up to 2023... https://www.zdnet.com/article/microsoft-to-offer-paid-window...


That's hardly a resolution, because it assumes such an update would actually be applied to all the machines in question.

If a machine is connected to the internet and not getting updates, it's fucked anyways.

Yes, I'm not sure why Microsoft doesn't do that by default from within Windows (I mean that, or any other way to hardcode whatever the domain is currently answering). Looks like it would fix most of the problem.

This may be, if as stated in the article, a national-security-level threat.

It should be handled as such. Not an auction to the highest (perhaps even foreign) bidder.


I wonder if buying it and participating in bug bounties en masse would be profitable in the long run.

Probably not, especially since I'm not sure what your legal footing would be in this scenario. If you weren't concerned about selling the information you found to the rightful owner, then you could almost certainly turn a profit. I'm sure criminal groups and governments would find it to be a gold mine.

You could always argue that somebody could MITM the company's connection to a public resolver.

Still probably not quite the gold mine...


OK, so a bunch of years ago, Microsoft suggested that AD domains/hosts should end in ".corp".

But where does the .com part come in to the picture?

Does corp.net or corp.ninja have the same type of issue?


This gets covered in one of my favorite conference talks. "Defcon 21 - DNS May Be Hazardous to Your Health" https://www.youtube.com/watch?v=9Sgaq6OYLX8&t=900s (skip to 15:00 if you just want the answer to your question, but the rest of the talk is brilliant)

But basically when the computer can't resolve ".corp" it assumes it isn't an FQDN and starts adding other stuff to try and get an FQDN that does resolve.


> when the computer

Meaning browsers? The answer there is stop doing stupid things with the URL. When I type “localhost” into Firefox I’m not expecting a google search.

If libc does that then that’s surprising and probably also wrong.


It’s the resolver search feature for making unqualified domain names easier to use. The security problems and safe implementation advice were documented over 26 years ago https://tools.ietf.org/html/rfc1535 so Microsoft does not really have a good excuse for getting it so wrong.

This goes way back before browsers combined the address bar and the search bar. Back then when you typed a bare word into the browser, the browser would try to be helpful and add suffixes like ".com" to try to make it work.

It has nothing to do with the URL. This is lower-level resolution of hostnames. Look up “search domains”. DHCP can hand it out as an option, it can be set with policy, etc etc

I'm pretty sure both the Win32 libc and applications do this. Try typing "http://example" into Firefox. You'll get example.com.

Win32 socket API doesn't do it. Python wraps it more or less directly, and:

   Python 3.8.1 (tags/v3.8.1:1b293b6, Dec 18 2019, 23:11:46) [MSC v.1916 64 bit (AMD64)] on win32
   Type "help", "copyright", "credits" or "license" for more information.
   >>> import socket
   >>> socket.gethostbyname("example")
   Traceback (most recent call last):
     File "<stdin>", line 1, in <module>
   socket.gaierror: [Errno 11001] getaddrinfo failed
   >>> socket.gethostbyname("example.com")
   '93.184.216.34'

mh, can't reproduce on Windows 10 and Firefox 73; I get a "Server not found" page as expected

It's application dependent behavior, AFAIK. Windows internals / APIs add .com by default, I believe. You probably hate this behavior like I do, and at some point in the past set "browser.fixup.alternate.enabled" to false in Firefox's about:config.

Win 10 and Firefox 72.0.2 here.

New Private Window -> http://example -> http://www.example.com/


>Meaning browsers? The answer there is stop doing stupid things with the URL. When I type “localhost” into Firefox I’m not expecting a google search.

We could go back to the days of manually typing "http://www.google.com/index.html" every single time instead of "google.com" but I don't think many would thank you.


It's never been the browser sticking index.html on the end, that's 100% the server since time eternal.

It's the same reason you can't navigate to a bunch of TLDs even though the owners have configured it to serve something.

DNS Search Domains are the reason: they're a mechanism for resolving a hostname to a fully-qualified name.

Many companies I've worked for would (for example) have a search domain set for 'wherever.internal', so if you typed 'jira' then having failed to find the 'jira.' TLD, the local DNS resolver would then try to find 'jira.wherever.internal'. That way, you could correctly resolve hosts based on just their names and avoid extra typing.

The problem comes when machines move off the corporate network but keep their search domains. Now we're making public lookups, and the network infrastructure has no idea how to resolve the names you're looking for.

In an AD environment, the AD server is typically the DNS server and does know how to resolve the AD domain as a name. So the machine's lookup for 'corp' works. But move off the AD network and we're back to search domains. And apparently enough Windows machines have a '.com' in their search domains for there to be a lot of 'corp.com' lookups. Which cause the problems listed when they succeed.

If you put '.net' in your search domains then corp.net would have the same issue.

What I'm still not sure about is that I'd thought that you needed an _explicit_ search domain. Maybe there's enough AD servers set up to hand out '.com' as a literal search domain?
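The search-domain behaviour described above, as an added example that is not part of the thread: a small model of BIND-style search-list qualification (the `ndots` convention, with a trailing dot marking an absolute name), plus a check that flags the stale single-label entry that turns a bare "corp" into a public "corp.com" query. The search lists are constructed for illustration.

```python
"""Model of resolver search-list qualification (RFC 1535 style).

Added example, not code from the thread, Microsoft or any resolver.
It shows the candidate names a resolver tries for a short name and
flags search domains that send unresolved short names to a public TLD.
"""
from typing import List

# Constructed example: a laptop that left the corporate network but kept
# a "com" entry in its DNS suffix search list.
STALE_SEARCH_LIST = ["example.com", "com"]


def candidates(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Return the absolute names a resolver would try, in order.

    A trailing dot marks the name as already fully qualified, so only that
    name is tried. Otherwise, when the name has fewer than `ndots` dots the
    search list is applied first and the bare name is tried last; when it
    has at least `ndots` dots the bare name is tried first.
    """
    if name.endswith("."):
        return [name]
    bare = name + "."
    suffixed = [f"{name}.{suffix.strip('.')}." for suffix in search_list]
    if name.count(".") < ndots:
        return suffixed + [bare]
    return [bare] + suffixed


def risky_search_domains(search_list: List[str]) -> List[str]:
    """Flag single-label search domains (a bare TLD such as "com").

    With such an entry every short name that fails locally is retried as
    <name>.<tld>, a registrable public domain owned by someone else.
    """
    return [s for s in search_list if s.strip(".") and "." not in s.strip(".")]


if __name__ == "__main__":
    for attempt in candidates("corp", STALE_SEARCH_LIST):
        print("would query:", attempt)
    print("risky search domains:", risky_search_domains(STALE_SEARCH_LIST))
```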


Sounds like when you enter a name without a TLD, some aspect of Windows assumes you're looking for a .com.

Not just Windows itself, but a lot of software and tooling. If I'm working on my website, I have an entry in my hosts file so battlepenguin goes to a local web server. But I have to type it in with the leading http:// and end with a slash, or else Firefox might automatically add a .com to the end and suddenly it's going to my production/live site and not my local copy.

Some issues might have to do with the way DNS is resolved by the operating system (the Start > Run \\resource example in the article) and others by the way some applications (like web browsers) do fallbacks for unknown DNS records.

Tangential: I worked at one company that had lower environments end in .dev and they started running into issues when Google purchased (and now sells) .dev domains and one of their project dependencies was hosted in an open source project repo that ended in .dev. It had fallen out of use at the company and they just trashed the hosted zone, but I imagine at other shops, there's still domain overlap in the wild.


> or else Firefox might automatically add a .com to the end and suddenly it's going to my production/live site and not my local copy.

browser.fixup.alternate.enabled = false

alternatively:

browser.fixup.dns_first_for_single_words = true


Formerly in the industry. I remember when .dev came out and I was in shock that ICANN thought that would be a good idea. They should have known better.

.dev, .local, .home, .corp. I don’t know how many of those are TLDs, as I’ve let all that knowledge leave me; but, there are some TLDs that just should be permanently blocked from being real TLDs.


People are idiots. The first idiot thing you can expect is that they'll deny they are idiots and will insist that you shouldn't idiot-proof things.

The second is, since they're idiots, they'll hurt themselves on the things you didn't idiot proof.

The .int Top Level Domain has existed since the 1980s. Nevertheless plenty of people decided they'd use names ending in .int for "internal" stuff. Then they were astonished that this doesn't work as expected. We even had to smack CAs for issuing certificates for such "internal" names back when they were allowed to do that (today CAs trusted in the Web PKI are not allowed to issue for names that aren't part of the Internet DNS hierarchy with a narrow exception for the .onion pseudo TLD).


> I remember when .dev came out and I was in shock that ICANN thought that would be a good idea.

RFC 2606 had .test, .example, .invalid, and .localhost clearly established as the right TLDs to use in 1999. It's not ICANN's fault that random people then decided to use domains not in that list, even after being warned that those are the only TLDs guaranteed to never be used.


The ones I'm thinking of are mostly for internal environments.

It's my understanding (could be very wrong) that ICANN did a survey of some sort to see what TLDS are currently being used by companies and was intending to not release TLDs that are in that list, for backwards compatibility, at least for some time.

And even if it isn't, ICANN should have known that some people weren't following the official rules, and should have adapted, to maintain compatibility. It's not that big of a list of TLDs they needed to avoid. Pragmatism is important, you know?


Two things:

1. Stop having a parallel internal name hierarchy. This has always been a terrible idea, and effort to try to make it work less badly is unnecessary if you instead don't do it at all. If you're EXA Metal Pole Europe and you own example.com then put the internal stuff in internal.example.com or whatever, don't put it in a "private" TLD named .example. If it's very important to you, you can use Split Horizon DNS to prevent outsiders looking up names in internal.example.com from your DNS servers.

2. Yes, measurements were made for potential TLDs and ICANN designated some potential TLDs as "High risk" and agreed not to try to delegate them (i.e. sell them). .corp and .home were on that list. Nevertheless you should not use these names.


My suggestion for a TLD unlikely to ever be issued in future is "icann-sucks" but it might not be appreciated by the average business.

Could someone tell me in what world this sort of assumption could have ever made sense?

Why in God’s name would you design a system that redirects your requests like that? Are the security implications not painfully, frustratingly obvious?


Imagine a world without search engines and omni bars. This newfangled world wide web thing comes along and looks like it might become popular, but it's totally new to most people, who happen to be 99% of your customers. If they type `cnn` in the bar, chances are they want to go to cnn.com, so you make it so and don't lose most of your market share.

Besides as far as painfully, frustratingly obvious security implications are concerned you have done much worse before for less end-user benefit like making your main word processing application the world's premier networked virus delivery platform.


> so you make it so and don't lose most of your market share.

lose it to whom though? other software that also doesn't behave the same way?

And, per earlier comments, this wasn't a browser thing - this is a lower level windows hostname resolver issue.


.dev is making a lot of money, for example; it is not easy to argue that they/Google lose money because others didn’t read the spec.

This is the doing of a company that gave us Internet Explorer 6 & Office Macros.

Microsoft prioritized user experience over security for the longest time of their existence and I think they had a little bit of success with it :)


To the best of my recollection, before the address field ended up doing double duty for web searches, the defaulting to .com happened across several browsers (never thought it was just Windows, though). — So for a while, I ended up getting .com domains, even when I had and wanted country domains, and redirected the .com to the country specific domain.

Oh wow, this is fun. Legitimate question: Where can I bid on this? There's no link in the article and a Google search doesn't yield anything but spam.

From https://www.haven2.com/index.php/domains it seems the preferred method is email, or maybe looking up his address and sending him snail mail. It's not a formal auction. Also, the EstiBot service he links only appraises corp.com at $112k. The million dollar figure comes from Namecheap/GoDaddy but I don't think Mike will use that as a reference point.

Makes me wonder what's happening over at example.com, prod.com, dev.com, ad.com, and whatever other common similar names are out there.

Luckily example.com is reserved by IANA, so no one can register it.

test.com

In the case of people using .test as a TLD we should be safe(r); .test is a reserved TLD along with .example, .invalid, .localhost and .local (the last being reserved in the long proposed mDNS RFC).

Wait, so if Microsoft or some legitimate company doesn't buy it then it will automatically go to cybercriminals?

No. It's an auction. If you have 1.7+ million USD then it may go to you. You are one of the good guys, right?

Microsoft turned $43B in profits last year, I don't think they'll have an issue winning this if it's as big of a deal as the article makes it out to be.

It will likely auction to the highest bidder, which (in a perfect market) is the person who extracts the most value out of it. They then make a compelling case that cyber criminals are very high on that list, probably in a strategic PR attempt to scare Microsoft a bit in what could happen.

$1.7MM. Cheap, considering. Honestly if I had the money I’d snatch it up.

Share your monetization idea; I'm sure we can crowdfund 2M in minutes if you have a good idea. This is, after all, Y Combinator.

Three steps:

1. Provide budget email services (your.company@corp.com)

2. Provide a company directory (corp.com/your.company)

3. Profit??


Sell subdomains:

nissan.corp.com


This was actually Mike's intention when he first purchased the domain, he just never got around to it.

Blackmail and extort executives with the leaked data

I am sure Michael "Big Mike" DeSantis and the like would be interested in your proposal...
