So it seems, as ALWAYS, we're going to have to wait for state sponsored actors to buy the things, embarrass the shit out of a couple CEOs by posting their dick pics they're inexplicably sending over company mail, and THEN corps will start doing something about it.
Why we have to get on and off this merry go round every time is beyond me. Short-sightedness of those with decision making power boggles my mind daily.
And that statement, while obvious, is darker than it seems. Companies going under aren't sufficient consequences (many ransomware cases). Universities going offline isn't enough (look for the uni giessen). The bureaucracy of cities going offline isn't enough (e.g. New Orleans).
This is just going to continue to escalate until something really really ugly happens and kills many people. And then we'll be presented with some grand legislation that I don't look forward to.
- most companies are really bad at security
- most people do not care about the security of their data, passwords, etc.
Based on these facts, I've been operating for a decade now under the assumption that one day within my lifetime, all of our logged online activity may become public after some hack. All of it that's logged somewhere. Chats, pics, posts, history, notes, cloud drives...
It may be slightly paranoid, but better safe than sorry. I should add that I live "normally", I don't care about my pics or discussions becoming public when it happens to everyone else too. I just remain cognizant that there's high probability here.
As outlandish as this assumption might be, the opposite (that security holds and most of our stuff never gets hacked) seems even more implausible to me. Educated guess, you know, which speaks less of tech/security than it does of human nature (carelessness or laziness, until a real crash happens). Hopefully this is very Western-centric and other cultures are better at long-term wisdom and planning.
For example, take a look at Norsk Hydro. A ransomware situation took down the control systems of an aluminum plant. The company mostly got lucky - they still had senior engineers around who could control the system by pen and paper. Otherwise, you'd have a lot of half-processed slag solidify inside the line. At that point, there's little to do besides ripping all of it out and rebuilding the line in a newfound empty factory building.
And at that point, there are two scary areas to research: Industrial control networks which are abused in a wide area scenario. And the industrial ability to recover from these kinds of outages, if rebuilding a factory takes years. And I guess the security practices and budgets in that sector.
Unfortunately we can't control which information about ourselves other people exchange in conversations with us or between them. Anything they know about us could be stored and hacked later on, even if we never went online or used a computer or phone.
1. Science and clear thinking demonstrates more often than not that the world is chaotic and random.
2. Conspiracy thought like yours can be a psychological attempt to quell one's unease from seeing such chaos by insisting that everything is controlled, so that you gain an emotional feeling of control and security once more.
Like 9/11, I think what you speak of (people's increasing self censorship as a result of draconian dragnet surveillance) is more pure accident - not design - but it's then taken advantage of by opportunists (where in the case of 9/11, it was warmongers and American oil barons).
Both Facebook and Google were nurtured by In-Q-Tel and Highlands Forum members. I don't think this is wrong or bad. Just like Huawei and ZTE are highly correlated with the Chinese government, our biggest tech companies are interwoven with our national defense organizations.
Anything you share with others, online or not, has a fair chance to become more widely known; just keep it in mind. This has always been so, afaict.
Medical records: it certainly can make sense for you to keep documents that medics don't need right now but might be relevant later. If you've got them, somebody else can't lose them.
Business plans ought to be obvious. You won't get far telling everybody what your plans are, keep them to yourself.
And nudes: while it seems lots of people do send them to somebody else - perhaps much better looking people than me - if you've got nude images of yourself for some other reason, then it's better to keep them private than risk some outfit accidentally losing them. For example, I had images of my penis from when I had surgery done on it to fix a problem; I was tracking the healing process because I was interested in how the stitches behave. No reason to put those photos in the Clown or whatever, where they're one fat finger away from being available to anybody curious.
I guess an even more cynical take would be that nothing will be done even after extreme consequences become visible.
The analogy that occurs to me is war. Every politician theoretically wants to stop war but for the modern state, there is never an end to war and conflict, just rearrangements and strategies based on power and circumstances. IE, they expect war forever and just want to win it. Lack of cyber security seems similar and the plan seems to be to merge them.
Even in the absence of actual conflict, having that option (and others knowing that you have that option) gives you lots of leverage and influence, and unilaterally abandoning that capability gives up that influence and ensures that you'll have to concede things to others who do have that option.
And it's not just that unilateral withdrawal doesn't work (si vis pacem, para bellum), but also that a multilateral agreement to end all war and capability for it is not something that all politicians and countries desire - some do, but some countries are militarily more capable than others, and they benefit from that, so it's simply not in their best interest to have a world where war isn't an option and they lose that influence. Case in point - nuclear disarmament; the powers that do have nuclear weapons have a strategic advantage over those that don't, and they would not be willing to give that up to have a world with no nuclear weapons even if it would be possible to have a working multilateral agreement between all of the nuclear powers.
But it's also irrelevant to my point. Computer insecurity isn't like war as such. Computer insecurity is like floating military technology, insecure borders, foreign sponsored "rebels" and all things that make war more likely. My actual point is that states oriented to ending these problems but taking advantage of them.
But by all spend a lot of verbiage to show some knowledge about states.
What? No they don't.
Frankly that doesn't sound too expensive given the context; it's probably less than Microsoft's existing bug bounty budget anyway. I don't know why they couldn't work this out, or why they never bothered to try to address the issue over the multiple decades this guy has been keeping this domain out of dangerous hands.
Just write the check, Satya.
It took me half an hour to understand what is going on. Imagine an MS executive
In fact, I bet that domain was much more valuable in 2005 than it is now.
Which is the problem.
Like politics, the people driving the bus have no idea what happens under the hood. That's an incredibly stupid way to run society!
Any offer below 500k would be downright ridiculous.
50/50/90 a chunk of my work records for the past ten years could be accessible if someone hits this domain and just sponges it up. Shivers.
Why should they? The sale will surely be heavily scrutinized and if the new owner tries anything then the domain will quickly be shut down for abuse.
All this does is make Microsoft look incompetent.
Still, this is the funniest thing that I've seen in months.
If there's credible reason to believe Microsoft is responsible for the liability, take them to court over it, but don't keep innocents at risk for the sake of trying to get Microsoft to own up to a mistake.
I think it's worth millions itself as a 4 character .com. Its value because of the mistake and the potential that represents is likely orders of magnitude higher than that.
I can't even take that type of statement (in the article) with a straight face. You have an ordinary person presumably of typical wealth let's say average and he should just give something away for free 'for the good of security'.
He registered a bunch of short domains, probably with the intent of profiteering, and AFAICT he sold off some of them. By what logic or morals is he entitled to profit?
AFAIK DNS was made to serve society, not domain speculators. IMO, domain squatters holding 90%¹ of good domains would be better served with a public whipping rather than monetary reward. Legal and practical status quo is another matter.
If I go to <lastname>.com, it says for sale and probably has been since registration. What is the benefit? Would it not be better if those domains were used for a genuine purpose? I wouldn't really mind if someone else was using it.
I'm in the EU. I had trouble finding the exact definition of speculative registration referenced in the Terms and Conditions: ".. complaint .. on the basis of speculative or abusive registration, as referred to in Articles 21 and 22(1)(a) of the Public Policy Rules",
but here is an excerpt from eurid FAQ :
If you want to dispute a domain name (under .eu, ..) registration and you believe that:
- you .. hold a trademark, .., family name, etc); and
- the current holder has registered or uses the domain name for speculative or abusive purposes,
you can challenge its registration via .. (ADR) procedure or in a regular court.
AFAICT, domain speculation / squatting are explicitly forbidden, though probably sparsely enforced. I believe I have seen similar wording for applicable ccTLDs, and would not be too surprised to see something similar for .com, .org etc.
¹ Number made up.
I own (as many others do) a vacation home. Wouldn't it be better if that home was used by someone who was homeless and needed a place to live? Why should I have enough money to keep a home empty? (Why? Because you earn money and then you can buy things that others can't, that's why it's capitalism and the way it is here).
And who is talking about .eu anyway? I am not and the domain in question is not a .eu domain either.
With .com the only thing that you can't do is very carefully defined by the UDRP process and there is further an entire industry devoted (like there is with real estate) to buying and selling domains that don't run afoul of those rules.
You are barking up the wrong tree here honestly starting with the feeling you have that the wrong thing is happening here. It's not.
And 'DNS' was not 'made to serve society' and even if it was (by some stretch) that would not prevent something else that is lawful or legitimate from happening with a registered domain name.
> Why should I have enough money to keep a home empty?
Because the system worked for you. It doesn't for everyone - and let's not pretend hard work correlates to the system working for someone.
> that's why it's capitalism and the way it is here
Nobody is denying that, but your OP is arguing that that system is immoral. I happen to agree.
> And 'DNS' was not 'made to serve society'
If it doesn't serve society, who does it serve?
> that would not prevent something else that is lawful or legitimate
We can decide what is lawful or legitimate, that's kind of the point. "But law" as an argument doesn't work. We can change the laws to reflect our values.
Microsoft should buy it for the good of security. Why gift anything to a Trillion dollar company?
Because someone will have to cut a 7 digit check. And nobody is going to volunteer their budget for that.
Until the bigwigs get pantsed and command someone to cut the check, it simply won't happen.
> That experience, portions of which are still indexed by the indispensable Internet Archive, saw O’Connor briefly redirecting queries for the domain to the Web site of a local adult sex toy shop as a joke. He soon got angry emails from confused people who’d also CC’d Microsoft co-founder Bill Gates.
If only Gates had gotten more annoyed back then and bought the domain just to stop the emails...
This is a guy who, by his own admission, wants it to go to Microsoft, but is also holding an auction. He could just quote Microsoft $2M and be done with this whole thing.
Instead, he and this "security firm" publish a big article on one of the internet's most lauded security blogs where they outline how blown away they were with how much data was being sent to this domain. They left it open for 15 minutes and got millions of emails, passwords, etc. "Wow, bad people reading this, look at how much data you could get. You better join in on the auction. Microsoft, you seeing this? You better get in on this too. Bid often and bid well, friends."
I wonder what kind of authority ICANN has in revoking domain name registrations in extreme circumstances. Microsoft fucked up here, but we're long past that being a relevant component in this discussion. This registration should be pulled out from under O’Connor and blocked from registration for 100 years.
Perhaps the fallout would be good for computer security, as it would stop corporations from making boneheaded security decisions. Pain seems to be the only way to make corporations evolve anyways.
MS deserves some responsibility for causing this. And "take your entire AD network down for some amount of time and break backwards compatibility" is not a reasonable fix.
Microsoft certainly screwed up here, but all this guy did was... exist.
By effectively configuring AD / Windows to DDoS the domain, on multiple protocols, MS deprived him of usability.
Seems pretty open & shut on loss of value.
To put it in perspective, dating.com sold for 1.75m.
That was 10 years ago.
"myworld.com" sold for 1.2m in 2017, "jade.com" sold for 1.25m, "vivo.com" went for 2.1m
In 2019, "voice.com" sold for 30 million usd.
"California.com" sold for $3m this past year, so let's not pretend that much has shifted in the market for these domain names in the span of this decade. $1.7m is a hefty sum for a domain name that isn't even a word.
But it's an irrelevant debate.
My point is that the counterargument against any lawsuit would be that the high value of the domain name "corp.com" comes from the Microsoft issue, so it'd be pretty tough to argue that the owner was harmed by Microsoft.
If everything this "security team" from the article has said is true, this domain is Persona Non Grata. It's an armed nuclear warhead. There is no positive outcome for this story that begins with "And then the domain was bought by".
It's Microsoft's "responsibility" to "clean up after their mess". No; we're beyond fighting about who should take responsibility. Throw the ball in Microsoft's court and they'll offer $20k. Throw the ball back to O'Connor and he'll say it's worth far more. He throws the ball to the market. Terrorists notice that, wait, actually, that ball is a nuke. Cool, it's at auction; Microsoft now has to pay millions of dollars. So our two options are: Microsoft buys the thing and we're safe, or they don't and we're fucked, and a couple people on reddit are mad at Microsoft for cheaping out, but they live on like it never happened, and we all forget for 18 months until, one day, at the top of hackernews we get a nice new HaveIBeenPwned.
At this point, this domain is like example.com; IANA owns that one. It's too generic. It's used in documentation. People mistake it for being meaningful. The only reason it hasn't caused issues is because the owner has, all thanks to him, not intended to cause harm to the public. But we're now in a place where we can do something about it, and this domain should be removed from public registration.
More to your point, this domain is now "too generic" because Microsoft made it so. example.com is going to be used by a wide collection of people, "corp.com" really only has this issue because of Microsoft, there's no generic reason why people would use "corp.com" in the same way they use "example.com".
Microsoft created this situation and effectively made that domain toxic, surely it's on them to fix it?
I feel the opposite. It is definitely MS's responsibility, but they don't care because they are not going to be pwned. It's the poor users to whom MS suggested using corp as their AD domain without buying that domain in the first place.
Every time any corp fks up, the people have to pay for it (maybe by getting hacked, or being saved by state) and corps don't care.
> Its too generic
Right, and who chose it? This domain is like example.com except it ain't, because people don't mistake it for being meaningful; MS advised people to use it explicitly.
Your statement is completely ridiculous. There's no requirement to "work" or provide benefit to society before you can sell something you rightfully and legally purchased.
Everyone investing in the stock market is the first to buy something at a lower price. Do they not own the stock? What work did they do when it increases in price? Do they have to prove to society that they're a good person when they offer to sell the stock?
> "If a decision is made you can't trade in them"
Ok, but it hasn't been made. Ownership can be sold and transferred so that's what's happening.
When you buy a share of a company, it's also just assigned to you. But you still own it.
They're intangible property (I never said they were tangible), though that distinction doesn't really make a big difference here anyway since the physicality of the property isn't relevant.
Criticism of loose capitalism isn't automatically ridiculous.
>There's no requirement to "work" or provide benefit to society before you can sell something.
Well, obviously some people think that that is a problem with our current system of wealth distribution :)
Some people believe ridiculous things. Doesn't make it any less true, and I've yet to hear of any magic utopia system that's any better than capitalism in reality.
An asking price of $1.7 million is hardly "taking advantage" of a $286 billion company. Microsoft hoist themselves by their own petard here by letting this problem sit for 26 years: that's only about $65,000 per year, which is more than reasonable pay for somebody who's been effectively giving them free IT services that entire time.
And as an aside, your stated market cap for Microsoft is off by more than a trillion dollars.
Yes. However, whoever managed to raise 1.7 mil probably did so through earning it. Money goes both ways.
He has no obligation to M$FT or any of their customers.
In his position, I would absolutely capitalize on the domain; consider that selling is one of the more harmless ways that value could easily be extracted from it. Maybe if I were a billionaire I would consider giving it away, but even then I would rather take the money and donate it than leave it in Microsoft's pocket, considering this is 100% their screwup.
Instead they leaned on free benevolence from this guy.
He has an informal agreement with an informal group of organizations to respect his decision of what records to return in response to DNS requests. No one is obligated to follow that agreement. This form of abuse of that informal agreement should result in the group of organizations unilaterally terminating that agreement.
They would try to alert companies using a domain they didn't own for communications to their customers that this was a bad idea, and soon after got nastygrams from the company's lawyers saying they'd stolen their intellectual property and wiretapped their communications.
The only real difference in the corp.com case is that instead of just one BigCorp, it's one BigCorp that's gotten a bunch of other SmallCorps and BigCorps to all incorrectly list the same address too.
On the same general note, "a business listed my phone number as theirs and refuses to change it" stories are pretty common, and often have the same "the business refuses to change it" quality.
It's their house, they can sell it and the associated addresses to whomever they see fit
It’s a legally binding agreement. I guess we should start yanking peoples’ homes because all they have is an “informal agreement” with the seller?
He has some legal agreement with his registrar, and maybe indirectly with ICANN, but that legal agreement means jack shit to DNS providers, who are the ones that ultimately matter.
For an example of DNS providers already using this fact for the public good, see AdGuard DNS
The fact that a criminal may acquire them and/or use them for nefarious purposes does not mean selling them is a problem.
Otherwise, you end up with a world where anyone who comes into possession of a dangerous item is obligated to potentially keep it forever and force all of their descendants to keep it forever.
> O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.
Except in my hypothetical example your response makes you sound like some sort of communist outraged by the profit your neighbor made off their house, when you bought the decidedly unfamous one next to it.
> He is just trying to extort society for that money by threatening to help criminals if we don't give it to him.
Is he? Where's your proof? Perhaps he's just sharing his very novel experience of a property he owns that the world honestly should know about for security reasons. What if this man dies in a few months and we didn't know about this, then his kids sell it to the NSA or Russia, would you rather that?
Be very careful about that use of language; your rights, as a citizen of whatever country you live in, are generally limited and legally defined. Domain name ownership certainly does not qualify as a Right.
Big corps are not usually the ones that are affected the most.
The domain clearly would have a broad security impact if it fell into the wrong hands. It is generic. It is being squatted, rather than actively used in any value-generating capacity. The owner has demonstrated poor stewardship of the domain.
This person does not have the right to compromise the security of millions of people just because he was early to registering a domain name. Domain name registrations are not a Right; they're a Privilege granted to registrants by custodians of the internet that we all help build, secure, and maintain.
It's not enough that Microsoft simply buy the domain (though this would be a fine outcome). ICANN should just shut it down. Revoke the registration and refuse to issue it again. We've proven that there are hundreds of thousands of clients sending personal data to this domain; it simply should not be in the hands of anyone, period.
The guy even claims "I don’t really need the money. I’m basically auctioning off a chemical waste dump because I don’t want to pass it on to my kids and burden them with it." so revocation and locking seems perfect, it's exactly what he wants.
1. The domain was squatted and the owner did not put it to good use.
2. Because of a third party the domain is so toxic that it should be disabled for eternity.
Those are very different reasons, which one warrants a revocation?
The first one is true for very many domains and probably a large reason that ICANN and registries have large revenues. The second one is probably unprecedented under a gTLD.
If this was under a ccTLD I would agree that it would be okay, if in accordance with that country's laws and a proper legal process, but under a gTLD I think these measures should not be taken.
What I do know is that an inactive domain the owner wants to get rid of because it's a massive burden due to being so toxic should be revoked and locked, not sold to the highest bidder. I don't know what we should do if it were an active domain and the security question were posed, or what we should do about squatting in general (though I will say the money from the sale does not go to ICANN or the registrar).
I'd also be interested if he said he would willingly give up the domain for free if it would not pose a security risk? From my read he still wants to sell it to the highest bidder.
What are you basing this on? Did you even try to research the history of this domain?
Why should everyone in the world not get to use a thing because Microsoft has some naming scheme? These places have been shouting whatever data at a random (edit: unintentional and uncontrolled rather than random) spot on the internet for years and that's a huge problem.
Opening up an auction is a nice way to draw attention to the problem, get MS to literally & figuratively pay for it (even if the price 10x'd, it's not like M$ couldn't handle $17MM), and make it no longer the seller's problem.
Brian did contact Microsoft for comment, and their response doesn't mention that they want to buy it.
I consider it bad reporting that Brian doesn't mention whether Mike already contacted Microsoft or not.
Visiting http://corp.com/ takes me to a GoDaddy parking page and tells me that GoDaddy will happily convey my offer to the owner for $69.99 plus a 20% buyer broker fee. Is that the plan?
To my other comment you say 'contact Microsoft' as if there is a phone line which goes directly to the decision maker for this type of 'purchase'.
No, there's no phone line. No one calls anyone anymore. Find an entry into their corporate graph, and let them resolve it internally. Or, get an article published on a high-profile blog outlining why they should buy it, and they'll be calling by Monday. It's not that hard.
Not even close to the way this works. ICANN does not 'revoke' domain names. There are ways to take possession of a domain name but that would not be the process (nor should it be).
> He could just quote Microsoft $2M and be done with this whole thing.
If you think selling anything and in particular a domain name is that easy you should try to sell a domain name to a large corporation and report back the results. It's not trivial and to a large corporation in particular and further for any amount (much less way less) not assured in any way.
He could but MS would laugh in his face. The auction and publicity are the only way to establish the domain's actual market value and to pressure MS to pay it.
In this sense, it's more like the ipv4 -> ipv6 migration.
What a persona this paints of the seller.
Would like to add that I also share your wonder. To me, this needs to evolve to a necessity for them (ICANN, in terms of ability) rather than just an “if”.
Please forgive me my lack of context surrounding this, but would love to learn more about why Corp.com is being sent various data (some sensitive, as mentioned in the article) from various parties in the first place. Did it use to serve a purpose for MS or other?
Yeah! How dare he care about his own livelihood rather than “security”?!? What an asshole!
Scratch that; domain "investing" actually removes productive value from the world. Someone else might own that domain and actually do something incredible with it. Microsoft clearly could have; they use it all over their documentation (and they're idiots for doing so, but what's done is done).
Does it? These domains are available for those who want them at fair prices. Why is the current situation any worse than one in which these domains would be snapped up for low effort personal sites?
> Someone else might own that domain and actually do something incredible with it.
Why? What would be an example of "something incredible" that'd require a very specific domain name like this?
That’s a bizarre claim. Maybe you should read up on previous high value domain name sales before making such statements.
The asking price is perfectly reasonable even if you disregard all the “scamming opportunities”.
If you were truly concerned about security, you’d have just transferred the domain over. If you want to make a good profit off of that, though, please—don’t make a theater.
If you are both genuinely concerned about security but also desperately need money, what you would effectively end up doing is a reverse auction—start high and go lower until the one buyer you want agrees.
Why not? If Microsoft is unwilling to pay a reasonable amount for the domain, the logical action to take is to publicize the flaw in their system.
Using publicity to hold someone hostage in order to extract money while hiding behind security concern claims: not a good image.
If I were in a situation where I have nothing to eat and urgently need to liquidate such a domain, I would raise awareness publicly but negotiate in private. If I were relatively well-off, I would arrange a pro-bono handover, publicly or privately, and of course try to raise awareness anyway.
To make matters worse, the sale appears to be handled via an auction. The wide publicity given to the event via Brian Krebs’s website must have attracted the attention of a wide range of players, motives unknown. For a reputable corporation to find itself bidding against a theoretical Bitcoin millionaire blackhat is far from desirable on a couple of levels (I doubt the auction’s KYC can really prevent that, but if it is strict enough then I take back this particular concern).
Thus, the situation as it is just seems to smell to me, though I’m not entirely ruling out good faith with unfortunate execution.
Obviously all these suggestions are equally ludicrous.
If everyone would do that the domain would be worthless.
I bet many IT admins would find this “quick fix” that would “make it work again” by effectively removing that /etc/hosts entry.
Perhaps a better patch would be to remove the [TLD] => [TLD].com DNS failover resolution feature.
But I still think failing over from corp to corp.com is a bug, not a feature.
I think it was a mistake, but you probably can't fix it now. Too many random pieces of code are going to be relying on it.
Surely a rule can be made in the resolver code that specifically in the case of .corp failing to resolve, short-circuit it there and do not failover to internet domains.
I think TimTheTinker was suggesting the much more general fix of breaking the fallback for all domain names, not just .corp domain names.
I have a small bit of sympathy for them, because when Active Directory was first learning how to do domain names, they cost $100 per year and required a huge amount of bureaucratic nonsense. MS wanted to be able to sell their software to businesses that might never connect to the Internet. But they could have done a much better job.
2) what are likely the most risky applications tend to ignore the libc resolver and its configuration.
/etc/resolv.conf is available from Bash when WSL is enabled. It reflects the settings from the registry by default, but can be made to be independent of them.
Support for Windows 7 can be purchased dates up to 2023... https://www.zdnet.com/article/microsoft-to-offer-paid-window...
It should be handled as such. Not an auction to the highest (perhaps even foreign) bidder.
Still probably not quite the gold mine...
But where does the .com part come in to the picture?
Does corp.net or corp.ninja have the same type of issue?
But basically when the computer can't resolve ".corp" it assumes it isn't an FQDN and starts adding other stuff to try and get an FQDN that does resolve.
Meaning browsers? The answer there is stop doing stupid things with the URL. When I type “localhost” into Firefox I’m not expecting a google search.
If libc does that then that’s surprising and probably also wrong.
Python 3.8.1 (tags/v3.8.1:1b293b6, Dec 18 2019, 23:11:46) [MSC v.1916 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
socket.gaierror: [Errno 11001] getaddrinfo failed
New Private Window -> http://example -> http://www.example.com/
We could go back to the days of manually typing "http://www.google.com/index.html" every single time instead of "google.com" but I don't think many would thank you.
Many companies I've worked for would (for example) have a search domain set for 'wherever.internal', so if you typed 'jira' then having failed to find the 'jira.' TLD, the local DNS resolver would then try to find 'jira.wherever.internal'. That way, you could correctly resolve hosts based on just their names and avoid extra typing.
The problem comes when machines move off the corporate network but keep their search domains. Now we're making public lookups, and the network infrastructure has no idea how to resolve the names you're looking for.
In an AD environment, the AD server is typically the DNS server and does know how to resolve the AD domain as a name. So the machine's lookup for 'corp' works. But move off the AD network and we're back to search domains. And apparently enough Windows machines have a '.com' in their search domains for there to be a lot of 'corp.com' lookups. Which cause the problems listed when they succeed.
If you put '.net' in your search domains then corp.net would have the same issue.
What I'm still not sure about is that I'd thought that you needed an _explicit_ search domain. Maybe there's enough AD servers set up to hand out '.com' as a literal search domain?
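The search-list walk described in the comment above (and in the earlier remark that a name which fails as ".corp" gets "other stuff" appended until something resolves), as an added example that is not part of the thread: a small Python model of a resolv.conf-style stub resolver, run against two constructed zone tables standing in for the corporate DNS server and the public Internet. It models glibc's `search`/`ndots` rules; Windows suffix devolution differs in detail. The zone contents, the `["corp", "com"]` suffix list and the 203.0.113.10 address are constructed for the example, not real records.

```python
"""Stub-resolver search-list walk: constructed example, not code from the thread."""
from typing import Dict, List, Optional, Tuple

# Constructed zone data for two resolvers the same laptop might talk to.
# 'corp' is the AD domain; it only exists on the internal server.
CORP_DNS: Dict[str, str] = {
    "corp.": "10.0.0.1",
    "dc1.corp.": "10.0.0.1",
    "jira.corp.": "10.0.0.5",
}
# The public Internet knows nothing about 'corp.' but does know 'corp.com.'.
# (203.0.113.10 is a documentation address: an assumption, not the real record.
#  'jira.com.' is deliberately absent here; in reality it may well resolve.)
PUBLIC_DNS: Dict[str, str] = {
    "corp.com.": "203.0.113.10",
}


def search_candidates(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Absolute names a resolv.conf-style stub resolver tries, in order.

    Models glibc's rules (assumption: other stubs, including Windows suffix
    devolution, differ in detail):
      * a trailing dot makes the name absolute and skips the search list;
      * a name with fewer than `ndots` dots is tried with every suffix first
        and as a bare TLD last (this is why 'corp' becomes 'corp.com' before
        'corp.' is ever asked for);
      * a name with at least `ndots` dots is tried as-is first, then suffixed.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{s.strip('.')}." for s in search if s]
    absolute = f"{name}."
    if name.count(".") < ndots:
        return suffixed + [absolute]
    return [absolute] + suffixed


def resolve(
    name: str, search: List[str], zone: Dict[str, str], ndots: int = 1
) -> Optional[Tuple[str, str]]:
    """Walk the candidates against a zone table; return (name that hit, address) or None."""
    for candidate in search_candidates(name, search, ndots):
        if candidate in zone:
            return candidate, zone[candidate]
    return None


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Same laptop, same suffix list, two networks (constructed scenario)."""
    search = ["corp", "com"]  # AD suffix plus a stray 'com' in the suffix list
    return {
        "office jira": resolve("jira", search, CORP_DNS),    # jira.corp. hits
        "office corp": resolve("corp", search, CORP_DNS),    # corp. hits, but only after corp.com. was asked for
        "road jira": resolve("jira", search, PUBLIC_DNS),    # nothing hits; jira.com. was still queried
        "road corp": resolve("corp", search, PUBLIC_DNS),    # corp.com. hits: the leak the thread is about
        "road corp.": resolve("corp.", search, PUBLIC_DNS),  # trailing dot: no suffixing, no leak
    }


if __name__ == "__main__":
    for label, hit in demo().items():
        print(f"{label:12} -> {hit}")
```

Note the order in `search_candidates`: for a single-label name the suffixed forms are tried before the bare name, so `corp.com.` is queried even on the office network; it just happens to lose the race there because the internal server answers `corp.` and does not forward the earlier miss. Take the laptop to a coffee shop and the only name in the list that anything knows is `corp.com.`.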
Some issues might have to do with the way DNS is resolved by the operating system (the Start > Run \\resource example in the article) and others by the way some applications (like web browsers) do fallbacks for unknown DNS records.
Tangential: I worked at one company that had lower environments end in .dev, and they started running into issues when Google purchased (and now sells) .dev domains and one of their project dependencies was hosted in an open source project repo that ended in .dev. It had fallen out of use at the company and they just trashed the hosted zone, but I imagine at other shops there's still domain overlap in the wild.
browser.fixup.alternate.enabled = false
browser.fixup.dns_first_for_single_words = true
.dev, .local, .home, .corp. I don’t know how many of those are TLDs, as I’ve let all that knowledge leave me; but there are some TLDs that just should be permanently blocked from being real TLDs.
The second is, since they're idiots, they'll hurt themselves on the things you didn't idiot proof.
The .int Top Level Domain has existed since the 1980s. Nevertheless, plenty of people decided they'd use names ending in .int for "internal" stuff. Then they were astonished that this doesn't work as expected. We even had to smack CAs for issuing certificates for such "internal" names back when they were allowed to do that (today CAs trusted in the Web PKI are not allowed to issue for names that aren't part of the Internet DNS hierarchy, with a narrow exception for the .onion pseudo TLD).
RFC 2606 had .test, .example, .invalid, and .localhost clearly established as the right TLDs to use in 1999. It's not ICANN's fault that random people then decided to use domains not in that list, even after being warned that those are the only TLDs guaranteed to never be used.
It's my understanding (could be very wrong) that ICANN did a survey of some sort to see what TLDs are currently being used by companies and was intending to not release TLDs that are in that list, for backwards compatibility, at least for some time.
And even if it isn't, ICANN should have known that some people weren't following the official rules, and should have adapted, to maintain compatibility. It's not that big of a list of TLDs they needed to avoid. Pragmatism is important, you know?
1. Stop having a parallel internal name hierarchy. This has always been a terrible idea, and effort to try to make it work less badly is unnecessary if you instead don't do it at all. If you're EXA Metal Pole Europe and you own example.com, then put the internal stuff in internal.example.com or whatever; don't put it in a "private" TLD named .example. If it's very important to you, you can use split-horizon DNS to prevent outsiders looking up names in internal.example.com from your DNS servers.
2. Yes, measurements were made for potential TLDs and ICANN designated some potential TLDs as "High risk" and agreed not to try to delegate them (ie sell them). .corp and .home were on that list. Nevertheless you should not use these names.
Why in God’s name would you design a system that redirects your requests like that? Are the security implications not painfully, frustratingly obvious?
Besides as far as painfully, frustratingly obvious security implications are concerned you have done much worse before for less end-user benefit like making your main word processing application the world's premier networked virus delivery platform.
lose it to whom though? other software that also doesn't behave the same way?
And, per earlier comments, this wasn't a browser thing - this is a lower level windows hostname resolver issue.
Microsoft prioritized user experience over security for the longest time of their existence and I think they had a little bit of success with it :)
1. Provide budget email services (email@example.com)
2. Provide a company directory (corp.com/your.company)