Microsoft buys corp.com so bad guys can’t (krebsonsecurity.com)
477 points by DyslexicAtheist on April 7, 2020 | 183 comments



For those not familiar with the corp.com situation:

Corp.com was (is?) the default example domain in many applications from Microsoft. As a result many badly configured networks are attempting to connect to this domain, often sharing credentials in the process.

He who owns corp.com will have access to tens of thousands of corporate networks. So the only move that MS had was to buy the domain, regardless of the price.

I guess Mr O’Connor (who sold the domain) made a nice retirement today.


It's more that `CORP` was the default short name for the AD domain, and also Windows ticks the "try superdomains" box in search domains by default.

So if you have your fully-qualified AD domain set to `ad.example.com`, that's the default search domain too, and a DNS lookup for `corp` will first check `corp.ad.example.com` then `corp.example.com` then `corp.com`.

Now, if you're using the AD server as your DNS server then it shouldn't get that far -- `corp.ad.example.com` should resolve. But if for whatever reason a device connected to AD doesn't use the AD server as its DNS server, for example if it's a laptop and not connected to the corporate network, then you'll be offered a _different_ search domain like `myisp.com`. Which probably _won't_ resolve `corp.myisp.com`. So the built-in resolver will after all walk its way up the search domain and check `corp.com` QED.


This is not an accurate explanation of the problem.

> Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

While it's true that access used "corp.com" as a sample domain, the problem is what Krebs calls "domain DNS devolution".

> Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

Krebs has written two articles about this that explain the problem.


Always wish I could be a fly on the wall for these kinds of negotiations.

If O'Connor demanded something ridiculous like 10 billion dollars... how do you talk him down when the situation is this one-sided?


It's not one-sided. There is an incentive on both sides to come to a reasonable agreement.

It's not like O'Connor can do anything (legally) with the sensitive data that's hitting his domain. If he could, I could understand why he might be reluctant to sell, even if given a strong offer.

But the fact is, if Microsoft walks away from the negotiations, he gets nothing, and there are likely few other buyers he could ethically sell to, and those buyers are unlikely to offer as much as Microsoft can.


> and there are likely few other buyers he could ethically sell to

Anyone that wanted to develop a real business based on a tremendous four letter .com address, which is a vast selection of potential buyers he could ethically sell to.

The name itself, independent of the inbound sensitive stream of data, is worth a lot. Any major enterprise company in the US could trivially develop policies to deal with the inbound sensitive data while using the name for a legitimate business. This one guy has been dealing with it just fine for two decades.


I think it'd be a lot of fun to set up a responder of sorts, that would handle the incoming traffic, discard the sensitive bits, and feed back something like "Your administrator needs to apply KBxxxxxx patch" in any fields of whatever sort of traffic may apply.

I'm sure someone would get their undies in a twist and sue me, which is why I've never done anything of the sort with the juicy traffic that's come my way (in a similar, though long in the past, situation that shall remain unspecified).

But 1 packet out of 100,000 gets upsidedownternet.


> anyone that wanted to develop a real business based on a tremendous four letter .com address

I genuinely wonder how much that matters these days. You've got app stores, Google searches, etc... I think having a memorable, short .com URL was a huge thing in the mid-2000s, but I'm less sure that it is today.


> It's not one-sided. There is an incentive on both sides to come to a reasonable agreement.

I believe that there was no agreement to be made. O'Connor put the domain up for auction, so MS was bidding against other buyers, not O'Connor.

> But the fact is, if Microsoft walks away from the negotiations, he gets nothing

I expect that the domain still would have sold, although not for the price that MS has now paid.

Regardless of who O'Connor would have sold to it would have been a nice payday and he knew that. It was just a matter of waiting for the right moment to put the domain up for auction.


It's not like O'Connor can do anything (legally) with the sensitive data that's hitting his domain.

He could have sold the domain to someone not concerned with the "legally" part.


But they would be under the same constraints as him. And it would be easy to see if they tried anything (are those ports accepting connections or not?) at which point it would have been quickly seized. Plus, wouldn't knowingly selling it to a bad actor be a violation of his due diligence?


> And it would be easy to see if they tried anything (are those ports accepting connections or not?) at which point it would have been quickly seized.

They can't seize a domain because you were running some service on it, can they?


They frequently seize domain names used for malware or controlling botnets.

Just one example: https://www.cyberscoop.com/vpnfilter-botnet-fbi-seizure-apt-...


But this site would not be running a botnet. It would only be accepting data that others willfully send its way. If this is illegal, then I can shut down any site by sending my private data to it.

Of course actually doing anything with the received private data might be illegal, but that would be harder to track. How would the owner of a misconfigured network ever figure out how their data got "hacked"; whether the owner of corp.com did something or nothing with it?

Hence ancestor's use of "ethically" rather than "legally".


> It would only be accepting data that others willfully send its way.

Human knowledge and intent matters in legal matters. If a technology is accidentally misconfigured to send sensitive data to a third party, and that third party knows that the data they are receiving was not intended for them, then they are still responsible for not willfully misusing that data. That's clearly the case with corp.com.

> If this is illegal, then I can shut down any site by sending my private data to it.

No, if you knowingly choose to send your data somewhere, then you can't turn around and blame the people receiving your data. Again: human knowledge and intent matter for the law.

As an example, a charge of trespassing depends on permission (human knowledge and intent), not whether you leave your gate open (how a system is configured).


You seem to be trying to contradict that it is legal to own corp.com, but actually you are saying that misusing collected data is illegal, which I never denied.

The point is that it would be hard-to-impossible to go after someone who owns corp.com even if they use it for nefarious purposes because the actual nefarious action would be so hard to discover or prove.

Besides which, the bad actor here could easily live somewhere without an extradition treaty with the US or simply remain pseudo-anonymous (via shell companies, bitcoin, etc). So, it would be possible for an unethical owner of corp.com to find a buyer who intends to use it for ill.


Don't the issues of intent only come up after some legal kerfuffle? What law-breaking event would cause an investigation here?


As shawnz hinted at, there is a protocol dance that happens before the data is sent over. I don't know exactly what it consists of, but I suspect it's more than just TCP-level responses saying the port is open and ready to receive.

Playing along in that dance is arguably unethical and shows intent.



Lol...tens of thousands are taken down every single day. Facebook sues the providers that don't take them down "fast enough" https://news.ycombinator.com/item?id=22497391


I'm surprised NSA/CIA/China weren't looking to purchase. Would be a list of free backdoors at a very cheap price.


Would it be legal for O'Connor to simply make his logs public? It certainly wouldn't be ethical, but it would show the value of what he has.


> It certainly wouldn't be ethical

There are circumstances where I would consider it ethical. For example, publishing the logs after a month (or whatever) delay and after notifying the relevant parties to fix their configs and change any secure information exposed.

In that case, it's similar to security researchers releasing the information, and I imagine it also protects him from liability in some ways. Firstly, he treats all traffic the same and has a public policy of exposing it, I think that more clearly puts the problem on the people sending the data to a public location, and secondly, people at a company that are looking at a security problem won't notice some some info went out to him and grasping at straws look to cover their own asses by trying to say that's where the problem must have come from.


Corp.com is a great name. Incorporate, get website, logos, web-hosting, marketing, taxes, all in one. IMO, $1.7M is cheap.


Check out the February article linked in the body of this article about when it went up for sale. It provides a little more context. Sounds like Mr. O'Connor was pretty reasonable about it.

https://krebsonsecurity.com/2020/02/dangerous-domain-corp-co...


This is the relevant part:

"O’Connor said Microsoft actually offered to buy the domain several years back for $20,000. He turned them down, saying that at the time he thought it was too low and didn’t reflect the market value of the domain."


We need Georgian land value tax for domain names.


I can't even imagine how an appraisal system would work. How do you even do price discovery? Ask people how much they'd spend on it without actually having to put their money where their mouth is?

Land is nothing but objective and quantifiable qualities like its distance from the city, natural resources, size, fertility.

Domain names are arbitrary. If people want to swap $millions for vanity, I say let them.


Price discovery is easy. Every domain is available once a year. Anyone can bid. If you want to keep the domain, you pay 1% of the highest bid, otherwise the bidder gets it (they have to put in the money to secure the bid).

The only downside is that well capitalized bidders could harass small owners with outsized bids, if they were willing to possibly end up with ownership.


Agree, but economists do have a solution for this problem. Self-assess the value and pay taxes based on that value. If someone/the government makes an offer that is some percentage greater than that value, you must sell.


Sounds like a solution only an econ could think up, which doesn't take into consideration other external factors that would apply specifically to the person holding the property, such as:

- human psychology (loss aversion, endowment effect, mental anxiety due to the risk of being forced to sell your property)
- switching costs (monetary, mental, time spent searching for alternatives, costs of moving to something else)
- replacement costs (transaction costs, etc.)


Logged in just to upvote your comment.

An actual land value tax would be even better!


I believe it was not a negotiation, but an auction. So all MS had to do was outbid the highest bid, which would not have been 10 billion.


> On Monday evening, he wrote to say that Microsoft had agreed to purchase it. O’Connor said he could not discuss the terms of the deal, nor could he offer further comment beyond acknowledging the sale of corp.com to Microsoft.

Not an auction. There's no indication the owner did anything beyond mentioning the desire to auction it.


I imagine homeland security can step in at some point if he was being totally unreasonable.


> I guess Mr O’Connor (who sold the domain) made a nice retirement today.

The original article said he was trying to auction it starting at $1.7M. There's no indication that an auction ever took place, however. It also sounds like the owner wanted Microsoft to buy it and was willing to work with them, and ultimately this is what happened. My guess is that it went for well under $1.7M.


Although that's peanuts to MS - they've probably spent multiples of that over the years to plug the holes this creates. I'd personally be happy to hear Mr O'Connor got a windfall in this case.


I was listening to a podcast about this, apparently he registered a ton of domains (including Corp.com) for free a long time ago and has been squatting and slowly selling them back at extortion prices. He's done this many times before and already retired because of these payouts. I'm not happy to hear he got a single cent


Eh, he identified something of value early on before anyone else did. This is literally how the stock market works. Let's re-phrase:

"Ugh, I can't believe he made money by acquiring a large pile of Apple stock for $1 each back in the 90's, squatting on it, then slowly selling it at extortionate (read: market) prices a few decades later. He's done this many times before and already retired because of these payouts. I'm not happy to hear he got a single cent."


This is a great example of why argument from analogy is a fallacy. The fact that you can buy domains and they might go up in value is almost the only similarity they have to stocks, and certainly isn't a justification for letting people trade them like stocks.

When you purchase stock at an IPO, you're providing value because you're giving a company funds which they can use to build their business. Later buyers of the stock are providing value because they're incentivizing the buyer at IPO. All further purchases of the stock flow out of that.

When you purchase a domain, you're taking a valuable, limited resource, and paying, typically, a pittance for it. You're not providing value, period, at all. Ostensibly the reason we let people do this is that they will use the domain to provide value in the form of a website that people use.

So stock buyers are providing value to the market, while domain squatters are actively removing value from the market.


> When you purchase a domain, you're taking a valuable, limited resource, and paying, typically, a pittance for it.

They're not limited, the short ones are. I'm not sure why people think they're entitled to short domain names.

> You're not providing value, period, at all.

I mean, you pay an annual maintenance fee do you not? That funds the registrar, which funds ICANN.

> So stock buyers are providing value to the market, while domain squatters are actively removing value from the market.

Maybe squatting on a domain provides them some satisfaction, who are you to judge how people choose to use their domains? If I choose to host pics of cats on "cats.com" (as the current squatter is doing) am I any less entitled to the domain than PetSmart? Just because you don't approve of what I choose to do with it?

Yes domains aren't specifically fungible, they're slightly different with regards to how memorable they are. You can still do exactly the same with each of them: host a website.

Sounds like there's more market oriented ways to resolve this issue. If you feel like short domains provide the world outsized value, why charge the same $10 annual maintenance fee as a 15-letter domain? The shorter, the higher the registration fee. Problem solved?


> Maybe squatting on a domain provides them some satisfaction, who are you to judge how people choose to use their domains? If I choose to host pics of cats on "cats.com" (as the current squatter is doing) am I any less entitled to the domain than PetSmart?

Yes.

It's not as obvious with something like cats.com how this harms society, but I've worked with nonprofits numerous times who had to pay tens of thousands of dollars for their domain names because someone squatted them.

Let's not pretend there aren't widely-agreed-upon values being trampled here. Your argument is moral relativism.

> Sounds like there's more market oriented ways to resolve this issue. If you feel like short domains provide the world outsized value, why charge the same $10 annual maintenance fee as a 15-letter domain? The shorter, the higher the registration fee. Problem solved?

Given you haven't even agreed that there is a problem, it's pretty clear you just want to propose a market-oriented solution regardless of what the problem is, or whether the market can even solve it. This is not how problems get solved.


That just ensures that over time the shorter domain names go to those with deeper pockets.

An often overlooked complication as well comes in the form of programming language package management reliant on reversed domain names. Fail to renew your domain claim, and you may find yourself having to repackage healthy chunks of code.


I agree, and that could either be what the parent wants (i.e. let Apple have apple.com) or it could be the opposite, but if you want domain names to remain in the hands of the "little guy" providing "no value" then squatting is something you have to live with right? I've got 4 or 5 personal domain names I'm squatting on because I haven't got around to doing anything fun with them yet.


> if you want domain names to remain in the hands of the "little guy" providing "no value" then squatting is something you have to live with right?

The vast majority of squatted domains aren't squatted by "the little guy", so nothing you say starting from that incorrect assumption has any validity.


I'd say this is an apples/aircrafts type comparison here.

I'd argue that domain names are limited: there is exactly one of each domain name, the fact that there is a practically infinite number of other different domain names isn't necessarily relevant.


Stocks function as a medium of exchange for the vast majority of cases. Squatting on a dollar to make interest isn't abusing the dollar.

Web domains function in a thousand different ways, and in some cases a medium of exchange metaphor may work (e.g. people want the domain to make more money). In this case, it's more akin to hoarding hand sanitizer and toilet paper until people have to pay scalper's rates out of fear of repercussion. The only reason this is a story is because of the security risks it presents, and holding that risk hostage is pretty obviously unsociable behavior (even if it is Microsoft's dime).


> The only reason this is a story is because of the security risks it presents, and holding that risk hostage is pretty obviously unsociable behavior (even if it is Microsoft's dime).

Not really, right, Microsoft could go back and fix this another way. They could release patches to all the major OS versions that had this bug, and push their customers to upgrade or face security issues at their own peril. I'd have to imagine all the customers with this problem have long-term support contracts, and if they don't, well, I don't know what to tell you.

What he's providing Microsoft is a dramatically cheaper, easier way out of a problem they made for themselves with poor/buggy domain resolution. He didn't create the bug. He's selling them a patch that costs a fraction of a fraction of what they'd have to pay to get themselves out of their own mess.

Think of it more as someone who acquired a tow truck as an inheritance, and sees an armored car in the ditch. The armored car could get themselves out, they could remove their gold bricks one piece at a time, then pull the car out and load the bricks back on. Or, they could give a brick to this guy and call it a day.

He didn't push them in, he's offering them a much more cost effective way out.

You may not like it, but this is capitalism.


The issue is that squatters like him hold onto domains for years, even decades, with prohibitively expensive prices where they only need a small portion of the domains to sell to be profitable, meaning that the rest of the unsold domains remain unused and wasted for no reason other than to have a very small chance of being profitable to the squatter in the future. He is not generating value, but instead hindering the use of most domains for selfish reasons.


No it's not. Buying a bunch of Apple stock for $1 apiece doesn't prevent anyone else from buying Apple stock too. Buying and squatting on domains prevents people from using the domains. It's strictly rent-seeking behavior and is not productive in the least.


It does prevent other people from buying the stock. Stock is issued in finite amounts.


Apple has ~4B shares outstanding, and enough of the holders are willing to sell that for a buyer, it’s not a practical issue at all.


How many domain names are outstanding?


Stock is fungible. Domain names aren't. If I buy stock, as long as there continues to be sellers (and there will be for any functioning stock) you can buy stock too and the only effect my purchase can possibly have is, if I bought enough, it might affect the price you pay. If I buy a domain name, you cannot buy that same domain name too.


Domains are really more like land than stock. And while you can do something similar with land - buy undeveloped in places where you expect development in the future, then sell for a lot more - you have to pay property taxes while you hold it.


And you have to pay domain registration fees too, yeah?


Domain renewal fees are a small fixed amount, and not periodically revalued.


The difference is that in your example, they helped the company raise capital that they went on to use to build something valuable. Squatting domain names at best helps companies raise capital to go sell some more domain names.


I don't really see how this is related to stocks. First, he got these all for free, while you have to buy stocks. There's a risk that they might be worthless down the line and you lose all the money you spent.

Second, when you invest you are offering financial value. He just contacted someone, said "hey can I have these domains please?" and did nothing with them for 25+ years, until he was finally able to demand a payout. Again.

Are all the people who tried to sell their hoarded toilet paper people who "identified something of value early on before anyone else did"?


It's disingenuous to say the domains were free. There was no purchase price prior to the mid 90s, but from then on, there were annual fees starting at $50 and later dropping to $35. They didn't drop below that for a while, and bottomed out around $10-15. Sitting on a domain for 25 years cost nearly $1000. That's great if you can sell the domain later for 5-6 figures, but if you have a large squatting portfolio, there are substantial costs. You might not like domain squatting, but there's no denying that it was an investment, and there were risks. This guy just saw the market early and it paid off.


The key difference is that almost all the value of the domain comes from the fact that you have a monopoly over it, whereas that is not the case with stock: I can buy an equivalent Apple stock from someone else if I don't like your price.

The other aspect is thinking about which activity is actually economically productive. In the case of investing in Apple, you're producing value, since Apple wouldn't otherwise have been able to exist without the capital. In the case of domains, me buying a domain in 1990 is completely unproductive (the domain is still "there" regardless of whether I buy it or not). I don't see the value to society in rewarding people for rent-seeking on monopoly goods, while the value in encouraging capital investment is clear.

Capitalism doesn't require this sort of rent-seeking, and Adam Smith (as well as other thinkers) identified this problem (and formulated solutions) in the case of land, which is similar.


Microsoft didn't NEED to buy the domain, they could have patched their code to handle the issue. Clearly, they did a cost benefit and decided it was worth it to buy the domain to plug a hole they created.

Another poster used the stocks analogy but I think the real estate one is more appropriate. Someone who bought land a long time ago that is now desirable to another party has no obligation to sell at all (let's not bring eminent domain into this). Let's say instead of corp.com this was land next to the Microsoft campus in Redmond. Why shouldn't someone ask for as much as they can get for their land?


If they patch their code, they still have to get people to update. I know companies still running Windows XP. If you think people outside of the tech industry update their systems regularly, you're in for a rude awakening. My uncle's company still runs a DOS app written in 1984.


The OP discusses patches.


Corp.com, for example, belonged to whom exactly, 26 years ago? It's not squatting, it's smart. Who did he extort? Can you buy a Manhattan lot at 1860 prices? Nope. If you want it, pay the price or go build in NJ or PA.


This is why I support higher annual fees for domains. If you owned unused land in Manhattan, you'd still be paying a fortune in property taxes that would motivate you to put it to use. For squatters it's the exact opposite, they can let domains remain unused for decades at almost no cost, which benefits no one.


You want all domains including something like thisgeekyishwebsiteisminethanks.com? I haven’t thought it through. But just to make something like thecar.com to cost high $XX per year (not sure if you meant that price pt or $100+), that random useless to anyone else domain above should also have to cost that much?


The shortsightedness of not making the default domain something Microsoft already owned is, to put it mildly, breathtaking.


This is not the first highly popular domain he's squatted, so I doubt this made a significant impact on his wealth.


It's weird - I don't think I remember ever seeing corp.com as an example from Microsoft - they usually used contoso.com or microsoft.com. I do remember reading books that used corp.com however, but they weren't printed by Microsoft.


There seems to be a bunch of references if you look for it on their site: "corp.com" site:microsoft.com

Example: https://docs.microsoft.com/en-us/windows/win32/api/wsmandisp...


That's nuts. MS has known about this bug for 20 years!

Example.com exists for a reason.

How could anyone trust MS for security anything?


How about people "stackoverflowing" solutions? Yea, blame the examples, not the implementers...


This may be an issue where only networks that have been around for a very long time have this issue due to preserving configurations through many years/cycles of upgrades. Unfortunately, there are many, many such networks.


Ok, naive question: Why the <expletive> did they do that in the first place?


I think that it was basically that Microsoft was very slow to adapt to the existence of the Internet.


> Corp.com was (is?) the default example domain in many applications from Microsoft.

This seems like Microsoft in a nutshell, when example.com has been the official standard example since at least 1999.


This is not the problem.

> Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”


My D-Link router had domain.name as the default DHCP domain name, which caused some of my devices connected to it to resolve <whatever.tld>.domain.name when <whatever.tld> fails to resolve, and someone has set up ad pages in many .domain.name pages to take advantage of the flaw. I've recently blogged about it (https://harigovind.org/articles/who-is-hijacking-my-nxdomain...). Need to always be careful when configuring things like this, especially since we now have hundreds of TLDs like .email, .work etc.
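Both the search-suffix walk described in the `corp` / `ad.example.com` comment near the top of the thread and the `domain.name` suffix-appending problem in this post come down to the same mechanism: a resolver manufactures extra FQDNs from a short name and a suffix list, and some of those FQDNs land in zones nobody in the organisation controls. The model below is an added illustration written for this thread, not code from Microsoft, Krebs or any commenter; the suffix order, the `ndots` threshold and the devolution stop level (`min_labels`) are assumptions exposed as parameters, so an admin should read the actual search list and DomainNameDevolutionLevel policy off a real host rather than trust these defaults. With `min_labels=1` the walk reproduces the three-step sequence that comment gives.

```python
"""Model a Windows-style DNS suffix walk and flag lookups that leave owned zones.

Added example for this discussion (assumptions: suffix order = primary suffix,
then its devolved parents, then connection-specific suffixes; devolution stops
once the suffix has `min_labels` labels; names with >= `ndots` dots are tried
verbatim first). None of these defaults are guaranteed to match a given Windows
build or policy; they are here so the walk can be reasoned about.
"""
from __future__ import annotations


def devolve(primary_suffix: str, min_labels: int = 2) -> list[str]:
    """Return the primary suffix followed by each parent down to `min_labels` labels.

    "ad.example.com", min_labels=2 -> ["ad.example.com", "example.com"]
    "ad.example.com", min_labels=1 -> ["ad.example.com", "example.com", "com"]
    """
    labels = [l for l in primary_suffix.strip(".").split(".") if l]
    min_labels = max(1, min_labels)
    out: list[str] = []
    while labels and len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]          # drop the leftmost label and try the parent
    return out


def candidate_fqdns(name: str, primary_suffix: str, connection_suffixes: list[str],
                    min_labels: int = 2, ndots: int = 1) -> list[str]:
    """Sequence of FQDNs a resolver following the assumed rules would try for `name`.

    A name with at least `ndots` dots is tried as typed first (so "whatever.email"
    is a real query). Every name then gets the primary suffix, the devolved parents
    of that suffix, and finally the DHCP-supplied connection-specific suffixes.
    """
    name = name.strip(".")
    tried: list[str] = []
    if name.count(".") >= ndots:
        tried.append(name)
    suffixes = devolve(primary_suffix, min_labels) if primary_suffix else []
    suffixes += [s.strip(".") for s in connection_suffixes if s.strip(".")]
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}"
        if fqdn not in tried:
            tried.append(fqdn)
    return tried


def in_zone(fqdn: str, zone: str) -> bool:
    """True when `fqdn` is `zone` itself or lies beneath it."""
    zone = zone.strip(".")
    return fqdn == zone or fqdn.endswith("." + zone)


def leaking_lookups(name: str, primary_suffix: str, connection_suffixes: list[str],
                    owned_zones: list[str], **kw) -> list[str]:
    """Suffixed candidates that would be sent to a zone you do not control.

    The name exactly as typed is never counted; the audit is about the extra FQDNs
    that suffix appending and devolution add on top of it. Run this over the
    single-label names your hosts depend on (AD short names, share hosts) to see
    what a roaming laptop would query from a foreign network.
    """
    name = name.strip(".")
    return [c for c in candidate_fqdns(name, primary_suffix, connection_suffixes, **kw)
            if c != name and not any(in_zone(c, z) for z in owned_zones)]


if __name__ == "__main__":
    # Constructed scenario 1: domain-joined laptop (primary suffix ad.example.com)
    # sitting on a coffee-shop network that hands out myisp.com, looking up "corp".
    print(candidate_fqdns("corp", "ad.example.com", ["myisp.com"], min_labels=1))
    print(leaking_lookups("corp", "ad.example.com", ["myisp.com"],
                          owned_zones=["example.com"], min_labels=1))
    # Constructed scenario 2: home router advertising domain.name as the DHCP suffix,
    # user types a name under a newer TLD that happens not to resolve.
    print(leaking_lookups("whatever.email", "", ["domain.name"], owned_zones=[]))
```

Stopping devolution at two labels (`min_labels=2`) removes `corp.com` from the walk but still leaves the connection-specific `corp.myisp.com` query, so the devolution policy alone does not make a roaming host's short-name lookups safe.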


That was a fascinating write-up! I too immediately looked for `domain.name` registration and would have marked it up to DNS trickery after that gave an NXDOMAIN. I'm glad you followed the rabbit down the hole on this one. I've added the resolving domains to my Pi-hole block list: https://www.github.developerdan.com/hosts/


Thanks! :) What was even more confusing, but I didn't mention in the article, was that visiting domain.name in my browser did take me to a similar website. That was because Firefox will try www.<domain.tld> when <domain.tld> fails, so it was actually www.domain.name I was getting instead of domain.name. This behavior can be turned off by setting `browser.fixup.alternate.enabled` to false.


I had no idea about that config, but I've seen the behavior before. That behavior is even more interesting considering that Firefox will hide the 'www' subdomain in the URL[1]. So not only will it silently add the www, but it also won't show it in the URL! SMH!

1: https://www.ghacks.net/2020/02/28/firefox-75-address-bar-res...


I feel like there should be fines for using anything other than reserved-by-RFC names. When will it end?


Supposedly, the free market should correct this when consumers stop buying the flawed product. Companies will recognize that poor security is not profitable and make improvements.

In reality, consumers aren't (and can't) be educated enough to avoid products with these types of flaws. So, it's up to government to regulate but consumers (citizens) still need to care enough to ask the government to regulate with fines and recalls.

EU citizens seem to have that type of government but US citizens would still rather protect corporate bad actors than protect themselves.

If we see any kind of legislative pressure, my bet is it'll be from the EU well before the US.


Here's an underappreciated thing that makes free market's "customers will recognize Bad Aspect X and buy something else" not work. It's not a conspiracy, but it seems like something the market is naturally optimizing towards.

Choice has a cost, and we're all completely DDoSed by issues in our lives.

So yes, the router turns out to redirect NXDOMAIN to a page full of ads. Also, my back aches, I'm burned out at my job, my spouse has a bad mood today, I should've bought flowers in the morning but I forgot (maybe if I leave work 20 minutes early I'll manage to get them on the way back?), I've just discovered my bank is severely overcharging me for my account relative to the competition, the city council has just passed a bullshit increase in garbage collection rates, also the asshole who owns the apartment above has put it on AirBnB and we can't get a good night's sleep now, and .... and yes, my router is redirecting NXDOMAIN to a page full of ads.

There's this belief that people are too whiny these days. I start to feel it's opposite: we're too saturated with bullshit to have time to be whiny enough - enough to turn it into meaningful purchasing choices.


Is this not what the likes of Consumer Reports is for? You pay them money, they tell you what to buy and then you don't have to evaluate everything yourself.

Naturally people don't want to pay for it, but it costs money to provide it, so what do you want?

The best thing the government could do is provide the same service for free.


> Is this not what the likes of Consumer Reports is for?

It's a stop-gap solution, yes. Unfortunately, AFAIK there's nothing like this in my country, at least not trustworthy. For general electronics, I trust WireCutter and have never been anything but completely happy by just buying one of their top recommendations in a given category.

The question is, is the complexity of our lives all necessary, or is most of it incidental? And regardless, the point is: existence of this complexity makes the market mechanisms of ranking of products and services quite weak.


> The question is, is the complexity of our lives all necessary, or is most of it incidental?

So this is a separate question entirely. And it's not a bad question -- why is there so little true scarcity of necessities but so much scarcity of time? There is actually quite a lot of artificial scarcity keeping everybody running on a treadmill. Like, how many hours are you working just to pay for the increase in housing costs caused by restrictive zoning rules? How many hours are you working just to pay off student loans from artificially inflated college tuition costs?

It's quite important that we address these things but it's kind of a different problem domain than consumer router security.

> And regardless, the point is: existence of this complexity makes the market mechanisms of ranking of products and services quite weak.

I would think it would be the opposite. If people have lots of free time and resources to read specifications and understand the inner workings of what they're buying then you don't need to pay someone to do it for you because you can do it yourself. It's when everybody is busy that someone trustworthy can make money by selling or identifying products of a given minimum quality, because people find their time more scarce than money and are willing to pay somebody so they don't have to do it themselves.

But in that case you would tend to have more dissatisfaction and buyer's remorse, because general purpose recommendations and minimum quality standards don't yield as good a result as you making an informed choice yourself. "One size fits all" is never really as good as choosing the right size for you. But government regulations can't fix that any better than consumer product ratings because they have the same problem -- a minimum standard still doesn't help you choose between a zillion different products that all meet the minimum standard, even though some of them are significantly better in your specific circumstances. The best product for some people may even be one which is below the so-called minimum standards, because they have atypical requirements.

Which I guess brings us back to your original point. Maybe we should do something about everybody being completely swamped for time.


> The best thing the government could do is provide the same service for free.

Check to see if your local library offers Consumer Reports access! Mine does, and since the library is part of the municipal government, I suppose you could say that your statement has already come true (at least for some people).


> Supposedly, the free market should correct this when consumers stop buying the flawed product.

Any free market purist will tell you that all transactions must be both mutually consenting and informed. If these conditions are not met, it is the government's job to step in.


It's very rare that both parties engaged in any transaction are equally informed. But often the government is even less informed so they are utterly useless in terms of intervention.

The best the government can do and should do is reduce power imbalances and market monopolies which give rise to information asymmetry. Reducing wealth inequality should be the government's priority.

Money can buy trust. People are too focused on presentation instead of substance. People these days are incapable of seeing substance where it exists and they are easy to fool into seeing it where there is none.


"Equally informed" isn't actually required. All you need is to be informed enough to make a reasonable decision. If you know one of the products is less secure but $10 cheaper, you know essentially what you need to know even if the manufacturers have a ton of information about specific algorithms used and electrical impedance that you don't know or understand but that don't change the high level conclusions anyway.

It's only when the customer doesn't even have the information that the product which is $10 cheaper is also less secure that you run into a problem.


Now name any transaction more complicated than "I agree to pay you $3 for this bunch of asparagus" where the buying side has as much information as the selling side.

It seems to me the government should be involved in almost every transaction.


Real quick after this becomes normal, somebody is making an extra few cents by buying 10 bunches of asparagus from a farmer, redividing them and selling 11 bunches to customers.

What gets done about that? Weights and Measures. I agree to pay you $3 for a spigglywig of asparagus.

Then I worry your spigglywig is deliberately under-size. The market town gets an officer to check you're selling asparagus in correct spigglywigs, and next thing you know you've got a multi-billion dollar metrology (the science of measuring things) research lab and they're defining the fundamental constants of nature so as to be right certain exactly how much a spigglywig is every time.

So yes, "free market" is at best a model that can only be approximated and at worst it's a filthy lie.


Is that asparagus bio though? I can't tell by just looking at it. And I definitely can't tell if it tastes any good.


> It seems to me the government should be involved in almost every transaction.

Yuck. I'm not a hard free-market-only libertarian (I believe in single payer healthcare for example) but economic transactions between two private parties should never have government involvement. Hell, I dislike the banks and credit card companies having involvement, we tolerate them because we have no choice.


> It seems to me the government should be involved in almost every transaction.

Depending on your definition of "involved", every libertarian I know would agree with you.

Most people's conception of libertarianism is a massive straw man. I promise we are not as insane as you've been led to believe ;)


Actually you are, because your pronoun "we" includes all the people whose conception of libertarianism is a massive straw man, but claim to be libertarians themselves. Which is now most self-described "libertarians", and a large swath of the Republican party. Nowadays it's just a meaningless euphemism people use when they don't want to admit they voted Republican.

And the few libertarians who actually know what it means are usually quite cruel and heartless, fighting tooth and nail against universal health care even today, because their ideological principles outweigh their empathy and humanity.

But as a result of your ideological evangelism, you own all the self-described "libertarians" who your philosophy appeals to simply because they want to hurt and punish poor people, but don't understand what it "really means".

Sorry if this annoying inconvenient health crisis has knocked the blocks out from under your religious philosophy (and that the invisible hand of the market saw it necessary to bitch slap Rand Paul into quarantine after he downplayed the severity of Coronavirus, got it himself, tested positive, and continued to selfishly spread it while awaiting the predictably positive results), but we NEED government intervention and universal health care right now to save people's lives, so please spare us the "no true Scotsman" lecture.


You are proving my point for me. You read the word "Libertarian" and immediately start rambling about Republicans and how cruel I am for my "religious philosophy".

> Sorry if this annoying inconvenient health crisis has knocked the blocks out from under your religious philosophy, but we NEED government intervention right now to save people's lives

This is a strawman, and there's no reason for you to be so offensive. I absolutely agree that government action is proper and necessary to protect the population, especially right now. "Provide for the general defense" is one of the government's jobs.

I think you should take a minute to examine your assumptions about what libertarianism is instead of reacting emotionally whenever you hear the word.


I think you should save your breath for defending libertarianism from the mindless hordes of people who actually claim to be libertarian themselves, but don't know what it means. Because I know very well what it means, and don't claim to be one myself.

I've done nothing anywhere near as offensive and self-centered as what Rand Paul has done, first parroting Trump by downplaying the risk of Coronavirus, then knowingly spreading the highly contagious disease after he was exposed to it, by following Trump's idiotic advice to go about your normal daily life, instead of following sound medical advice to quarantine until he got his test results, which were positive. On top of his medical training and long career of opposing universal health care.

He's a physician: he should have known (and does know) better than to do that, and that makes his policies and behavior perfectly aligned with the stereotype of the heartless libertarian who doesn't care about anyone but himself. He can't fall back to Trump's ignorant "I'm not a doctor, but take this pill from a company I've invested in" defense.

We needed universal healthcare BEFORE the pandemic struck. Why have you and your ideological colleagues fought tooth and nail against it for so long, to the point of lying about and sabotaging Obamacare? Are you finally changing your tune, when it's way too late?

https://www.businessinsider.nl/rand-paul-introduced-obamacar...

So what was your position on universal health care before, and what is it now, and does that align with the "true libertarian" philosophy, or are you "no true Scotsman" yourself? I'd love to hear your defense of Rand Paul's actions. Is he a true libertarian like you? And how about Eric S Raymond: do you think he knows what he's talking about?


Your focus on universal healthcare is understandable, but misguided.

America has more doctors and more hospital beds per capita than Europe does. This is one of the reasons that Europe has seen more coronavirus cases and more deaths per capita than America - their healthcare system is starved for resources.

I am in no way claiming that the American healthcare system is perfect, but I don't see universal healthcare as a panacea, because we are seeing in real time that it is not.

As far as what my stance on healthcare is: I think healthcare is a unique market where there is rarely the ability for you as the patient to make an informed decision about your medical care. In other words, a free market approach is not entirely feasible. I think a system similar to our school system would be ideal: publicly operated hospitals available for little to no charge, with the freedom to start a private hospital that has to compete with the public ones. This would mean high quality care at reasonable prices all around.

This has always been my stance. I've met libertarians who agree and disagree with me, but I can defend my stance using libertarian "first principles". So I think it's fair to call it "true libertarian" philosophy.

A libertarian is not a republican, and a libertarian is not an anarchist. A libertarian simply believes that individual rights should be protected. That should not be such a controversial statement.


> America has more doctors and more hospital beds per capita than Europe does. This is one of the reasons that Europe has seen more coronavirus cases and more deaths per capita than America - their healthcare system is starved for resources.

Judging from https://en.m.wikipedia.org/wiki/List_of_countries_by_hospita... your assertion is false.


Yes, that's exactly what I meant by "Gish Gallop"!

https://en.wikipedia.org/wiki/Gish_gallop

More telling is how reluctant he is to defend Rand Paul's indefensible and stereotypically libertarian antics, how not once has he mentioned his name, and how he pretends he didn't read anything about him I wrote.


Genuinely curious to see a source for that claim.


I think the implication is that, to quote Eric Weinstein from that Kayfabe article, "economic theory ... currently uses as its central construct a market model based on assumptions of perfect information."


Does he say that? Because it's very wrong -- economics of imperfect information has been a dominant theme of microeconomics for the last 50 years. They gave Akerlof, Stiglitz, and Spence the Nobel back in 2001. They gave a second Nobel in 2007 for mechanism design, which is on when and how you can design institutions so that imperfect information doesn't wreck everything.


Here is an excerpt from Milton Friedman:

Fundamentally there are only two ways in which the activities of a large number of people can be co-ordinated: by central direction, which is the technique of the army and of the totalitarian state and involves some people telling other people what to do; or by voluntary co-operation, which is the technique of the market place and of arrangements involving voluntary exchange. The possibility of voluntary co-operation in its turn rests fundamentally on the proposition that both parties to an exchange can benefit from it. If it is voluntary and reasonably well informed, the exchange will not take place unless both parties do benefit from it.[1]

You will see a similar disclaimer in any bit of free-market libertarian thought, because you can't have voluntary exchange without informed consent.

If transactions without informed consent are taking place, it is easy to argue that someone's property rights are being violated. Any libertarian since John Locke will tell you that protecting your rights is the first and foremost job of government[2].

[1] https://oll.libertyfund.org/pages/friedman-on-capitalism-and... [2] https://plato.stanford.edu/entries/locke-political/


>Any free market purist will tell you that all transactions must be both mutually consenting and informed. If these conditions are not met, it is the governments job to step in.

I don't think such a person exists outside of some libertarian fantasies.

In practice, the right side of the political spectrum is about preserving the free market insofar as it protects incumbent wealth.


> Supposedly, the free market should correct this when consumers stop buying the flawed product.

Surely this is only true if the consumer _values_ security? Even assuming every (potential) consumer is educated enough to recognise security flaws, that doesn't necessarily mean the typical consumer will value security enough to purchase an alternative product they deem inferior in some other aspect


Arguably many consumers, even if they _could_ evaluate a product's security before purchase, wouldn't _care_ because they don't understand how it affects them. And often, the effects (DDoS nets, etc) are against someone else anyway.

I'm not sure if "tragedy of the commons" is the right term for this, but I feel it's in the ballpark. Insecure devices create a form of pollution on the internet, let's say. And perhaps we should think of them like other polluters.

Obviously pollution controls have a cost, just like security, but we all understand that it's in everyone's interest to have air we can breathe, and ultimately lowers health care cost. Likewise, it could be argued that it's in everyone's interest (and perhaps a national security priority, as well) to have devices that don't allow themselves to be taken over by arbitrary attackers.

I think these are the regulatory models we should be considering.


> In reality, consumers aren't (and can't) be educated enough to avoid products with these types of flaws. So, it's up to government to regulate

Why is the proposed answer to information problems always bans and fines? Is the government, or anyone else in the market, lacking in the capacity to instead provide people with better information?

If you want the government to do something, why not have them go out and evaluate the products that exist in the market? Then if they find vulnerabilities, they can report them to the manufacturers before they're discovered by attackers, and they can rate the vendors on their security practices and publish the information so that customers do have the information on which vendors make better products.

How is this not vastly superior to the thing where they destroy all small vendors with onerous regulations and then everything costs fifty times as much because the only vendors big enough to comply with the regulations are Oracle and IBM?


how do I deal with this as a consumer when... I go buy a router from target... bring it home. 4 months later there's a security upgrade which also changes the DNS resolution behavior to give me ads.

What's my recourse as a consumer in this case? return to target? return to dlink or whoever manufactured it?


>In reality, consumers aren't (and can't) be educated enough

this is a gravely serious statement. in America you're talking about a fundamental shift in the relationship between the governed and the government. many states would violently oppose the idea that the government knows what's best for you and should create laws for you backed by lethal force.

>US citizens would still rather protect corporate bad actors than protect themselves.

you missed the point. it's not about protecting corporations, it's about allowing personal freedom, even if that freedom includes suboptimal results. moreover, it is abjectly false that the government can simply do what's best for everyone.


> this is a gravely serious statement. in America youre talking about a fundamental shift in the relationship between the governed and the government.

Uh, consumer protection laws have existed in the US for over a century. The FTC was founded in 1914. The mindset that laws should protect people from things that they don't understand is not an abrupt or fundamental shift. If not for the government, would you know how to find out if an apartment was built and wired in a safe way? Or do you rely on government permits and inspectors for that confidence?


>The FTC was founded in 1914

the FTC was founded as an anti-monopoly arm of the government, and is not the same thing as saying "consumers aren't smart enough to know what's good for them"

IMO as a libertarian, trust-busting is one of the fundamental responsibilities of the government because consumers and small businesses usually cannot overturn a monopoly.


> because consumers and small businesses usually cannot overturn a monopoly

But they can somehow fight the abuse and manipulation companies can expertly unleash on them? How is the uninformed consumer better prepared to combat this than a monopoly? Millions of individual consumers speaking with millions of voices have absolutely no chance against companies with a single voice and a single goal. Companies hold far more cards than a regular consumer ever will. How much time can you dedicate towards protecting yourself and not being abused? Because a company can dedicate a lot of time into finding better ways to abuse or manipulate you.

It's a misguided belief that the Government intervening is intrinsically bad, or that any decision taken at individual level is intrinsically good simply because it proves "freedom". And this stems from lack of education and the unwillingness to accept that most individuals are woefully unprepared to fight back a never ending assault. But you can easily see the "converts" angrily shouting at the Government whenever they get trampled by yet another company. One of the more clear examples is when people who got scammed out of their cryptocurrencies went from "boo regulation" to "why didn't the government do anything" without missing a beat.


Yeah, that’s the cookie-cutter generic answer to any consumer protection.

Does anyone actually believe it’s workable to require every single consumer to be informed about the most minor details of a router’s DHCP configuration in order to stop such shenanigans? And how does this fantasy work when the router is provided by your cable company? There must be thousands of issues of that magnitude you would need to research when deciding among the two options for internet most people have. Although I guess it’s easier once you notice both providers use the same routers and you don’t have a choice after all.

Do you also favor the government leaving food safety to the individual consumer? If yes, do you routinely research the full supply chain of all ingredients that go into your cheeseburger, to be sure nobody is using lead as a convenient sweetener? Do you check every restaurant’s kitchen for hygiene?


>this is a gravely serious statement. in America youre talking about a fundamental shift in the relationship between the governed and the government. many states would violently oppose the idea that the government knows whats best for you and should create laws for you backed by lethal force.

You sure about that? The FDA, USDA, CPSC, FCC, FAA etc all exist already.


So, would you be ok with corporations selling things that are slightly radioactive? The average consumer isn't going to understand the implications and risks of such products. What makes a smoke detector safe vs. glowing paint that killed a lot of people painting watch hands/marks with it?


> many states would violently oppose the idea that the government knows whats best for you and should create laws for you backed by lethal force.

Isn’t that exactly what a police force is? Doesn’t that exist in every part of the US and act to uphold laws designed to protect the people who live there?


But it's useful! If your search domain is `internal.company.com` and you've got a Jira instance at `jira.internal.company.com` then all you've got to do is navigate to `jira` and it works.

It's also quite possible to turn off walking up the search domain: it's just a checkbox.

None of which makes it a good idea, and the best thing to do is actually to just _not set_ the search domain.
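As an added illustration of the suffix walk this comment describes (it is not code from the thread or from Microsoft): a small Python model of a Windows-style resolver's suffix handling. The devolution rule it encodes (strip the leftmost label of the primary suffix and stop once two labels remain; a configured suffix search list replaces the primary suffix and switches devolution off) is my reading of Microsoft's documented default and is an assumption of the model, as are the hostnames, suffixes and owned zones in the sample calls. The output worth looking at is the list of candidate FQDNs that fall outside the zones you control: on a foreign network, those are the queries that whoever owns the parent domain gets to answer.

```python
"""Model of Windows-style DNS suffix search and name devolution (added example)."""
from __future__ import annotations


def devolution_suffixes(primary_suffix: str, devolution_level: int = 2) -> list[str]:
    """Return the primary DNS suffix followed by its devolved parents.

    Assumed rule: strip the leftmost label repeatedly, stopping when the
    remaining suffix has `devolution_level` labels (the Windows default of 2
    stops at the second-level domain, e.g. 'a.b.example.com' -> 'b.example.com'
    -> 'example.com' and no further).
    """
    labels = primary_suffix.strip(".").split(".")
    suffixes = [".".join(labels)]
    while len(labels) > devolution_level:
        labels = labels[1:]
        suffixes.append(".".join(labels))
    return suffixes


def resolution_candidates(
    name: str,
    primary_suffix: str,
    search_list: tuple[str, ...] = (),
    devolve: bool = True,
    devolution_level: int = 2,
) -> list[str]:
    """Ordered FQDNs a resolver tries for an unqualified single-label `name`.

    Assumed behaviour: a configured suffix search list (DHCP-supplied or set by
    hand) replaces the primary suffix and disables devolution; otherwise the
    primary suffix is used and, if `devolve` is True (the 'append parent
    suffixes' checkbox), its devolved parents are tried after it.
    """
    if name.endswith("."):
        # A trailing dot marks the name as fully qualified: no suffixes appended.
        return [name.rstrip(".")]
    if search_list:
        suffixes = list(search_list)
    elif devolve:
        suffixes = devolution_suffixes(primary_suffix, devolution_level)
    else:
        suffixes = [primary_suffix]
    return [f"{name}.{s.strip('.')}" for s in suffixes if s.strip(".")]


def outside_owned_zones(candidates: list[str], owned_zones: set[str]) -> list[str]:
    """Candidates that do not sit under any zone the organisation controls.

    Every name returned here is a query a third party can answer (or log)
    when the client is on a network where internal names do not resolve.
    """
    def owned(fqdn: str) -> bool:
        return any(fqdn == z or fqdn.endswith("." + z) for z in owned_zones)

    return [c for c in candidates if not owned(c)]


def demo() -> dict[str, list[str]]:
    """Constructed scenarios (hostnames and zones are invented for the example)."""
    office = resolution_candidates("jira", "internal.company.com")
    no_devolution = resolution_candidates("jira", "internal.company.com", devolve=False)
    # Laptop on a guest network that pushed its own search suffix via DHCP.
    guest = resolution_candidates(
        "jira", "internal.company.com", search_list=("guest.coffeeshop.example",)
    )
    # Org whose AD suffix sits under a parent domain it does not own.
    unowned_parent = resolution_candidates("fileserver", "ad.corp.example")
    return {
        "office": office,
        "office_leaks": outside_owned_zones(office, {"company.com"}),
        "no_devolution": no_devolution,
        "guest": guest,
        "guest_leaks": outside_owned_zones(guest, {"company.com"}),
        "unowned_parent_leaks": outside_owned_zones(unowned_parent, {"ad.corp.example"}),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:22} {names}")
```

The `unowned_parent_leaks` case is the one that matters for this thread: once the suffix devolves past the part of the namespace you actually own, the query for `fileserver.corp.example` goes to whoever holds `corp.example`, and on a hostile network that party also gets whatever the client sends next (credentials included, for protocols that authenticate eagerly). Disabling devolution, or keeping the whole suffix chain under a zone you own, closes that gap; leaving the search list empty on roaming devices closes the guest-network one.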


I unironically salute Microsoft for cleaning up the mess they created. Many large actors don't. There was one right thing to do at this point and they did it.


Seems like it’d be a consulting opportunity. Watch the traffic, identify companies that need help reconfiguring their domain, and contact them.

Although I suppose to the recipient of such an email it might sound like an extortion racket.


"Yeah, we know it is wrong, but that single decision made 10+ years ago is too hard to change now without unknown side effects. Microsoft owns it now, so nothing too bad will happen"


This is a reminder to all of us to use example.com[1] for these types of defaults, examples, illustrations.

And also to scan code bases & configs on a regular basis for the inevitable "dummy yet resolvable" addresses that sneak back in out of bad habit.

[1]https://tools.ietf.org/html/rfc6761
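An added example of the periodic scan this comment suggests (not code from the thread or from any project it mentions): a Python checker that pulls hostname-looking tokens out of config or source text and reports any that are neither under an RFC 2606/6761 reserved name nor under a zone you declare as your own. The sample config, the file-extension ignore list and the owned-zone parameter are constructed for the example.

```python
"""Find 'dummy yet resolvable' hostnames in config or source text (added example)."""
from __future__ import annotations

import re

# Names reserved for documentation and testing by RFC 2606 and RFC 6761.
# A hostname under one of these can never resolve on the public DNS, so it
# is safe to leave in a default, example or placeholder.
RESERVED_SUFFIXES = (
    "example.com", "example.net", "example.org",  # RFC 2606 second-level names
    "example", "test", "invalid", "localhost",     # reserved top-level names
)

# Heuristic: tokens whose final label is a common file extension are filenames,
# not hostnames (assumed list, extend for your code base).
IGNORED_LAST_LABELS = {"py", "js", "ts", "yml", "yaml", "json", "ini", "cfg", "conf", "txt", "md"}

# Two or more dot-separated labels; last label alphabetic so IPs and versions are skipped.
HOSTNAME_RE = re.compile(
    r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b", re.IGNORECASE
)


def under(name: str, zones) -> bool:
    """True if `name` equals or is a subdomain of any zone in `zones`."""
    return any(name == z or name.endswith("." + z) for z in zones)


def is_reserved(hostname: str) -> bool:
    return under(hostname.lower().rstrip("."), RESERVED_SUFFIXES)


def find_resolvable_placeholders(text: str, owned_zones=()) -> list[tuple[int, str]]:
    """Return (line_number, hostname) for names that could resolve to someone else's host."""
    hits: list[tuple[int, str]] = []
    owned = tuple(z.lower() for z in owned_zones)
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in HOSTNAME_RE.finditer(line):
            name = match.group(1).lower()
            if name.rsplit(".", 1)[-1] in IGNORED_LAST_LABELS:
                continue
            if is_reserved(name) or under(name, owned):
                continue
            hits.append((lineno, name))
    return hits


# Constructed sample config for the example; not taken from any real project.
SAMPLE_CONFIG = """\
# constructed sample, not from any real project
ldap_server = ldap.corp.com
smtp_host = mail.example.com
api_base = https://api.testcompany.com/v1
search_domain = internal.company.com
doc_url = https://cat-food.example/
logging_config = logging.yml
"""


def scan_sample() -> list[tuple[int, str]]:
    """Scan the constructed sample as an organisation that owns company.com."""
    return find_resolvable_placeholders(SAMPLE_CONFIG, owned_zones=("company.com",))


if __name__ == "__main__":
    for lineno, name in scan_sample():
        print(f"line {lineno}: {name} is resolvable and not under a zone you own")
```

Run it over a checkout (`git grep`-style, one file at a time) in CI and fail the build on any hit: placeholders under `example.com`, `.example`, `.test` or `.invalid` pass, anything that points at a name somebody else can register does not. The regex is deliberately loose, so expect to grow the ignore list and the owned-zone list for your own repository rather than tighten the pattern.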


Previous discussion:

https://news.ycombinator.com/item?id=22277185 "Dangerous domain corp.com goes up for sale" - Feb 9, 2020.


To be fair if I was Microsoft I’d probably just do a Windows update that adds 127.0.0.1 corp.com to wherever they keep the hosts file on windows :-)


Depends if it's an update people/organisations would apply:

> Over the years, Microsoft has shipped several software updates to help decrease the likelihood of namespace collisions that could create a security problem for companies that still rely on Active Directory domains that do not map to a domain they control.

> However, experts say hardly any vulnerable organizations have deployed these fixes for two reasons. First, doing so requires the organization to take down its entire Active Directory network simultaneously for some period of time.

> Second, according to Microsoft applying the patch(es) will likely break or at least slow down a number of applications that the affected organization relies upon for day-to-day operations. Faced with either or both of these scenarios, most affected companies probably decided the actual risk of not applying these updates was comparatively low.


Do you really think these organizations shipping their credentials off to corp.com are applying Windows updates?


In which case they aren't worried about security, so why does buying corp.com matter?


the problem is DNS, as one would guess:

>the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

whew boy. what's the right answer here? out of the box AD and DNS coming with default settings that must be changed prior to use?


Currently when putting in a new AD the name field is just blank and you have to put something in to continue. There is no default setting.


most Linux server distributions come without a firewall installed/activated. does this default mean it's Linux's fault when users do not set up a firewall?


Well, it's hard for a Linux server distribution to not come with a firewall installed, since it's part of the kernel; all Linux distributions I've seen (including tiny floppy-disk-based Linux distributions) come with the firewall module enabled in the kernel configuration.

As for being activated: my recent experience is mostly with RedHat-derived Linux server distributions (like CentOS), and they do come with the firewall enabled (which more than once made things not work until we noticed it was the firewall again). That didn't use to be the case in the distant past, however.


At least a little? That's extremely hostile behavior to new users. I could see not shipping a lot of these things for a highly optimized server version etc. For a standard end user (and let's be honest, middle/large company IT dept guy), you should put some sane defaults in place.


Another part about the firewall is that without profiling, it's pretty hard to make a good firewall that allows "good traffic" and denies the "bad". It takes a good amount of profiling and being a firewall admin.

And for a house, that's kind of overkill for the general network. Sure, set up a restricted wifi for IoT crap, but having to fiddle with it daily is NOT acceptable.


that's one of the reasons I think it's not smart to automatically start some services per default after package install on Debian. I guess it's justified by having sane default service configurations but it's still a bad idea in my opinion.


It's perfectly possible that many of the AD domains affected pre-date ubiquitous laptops, and desktops don't tend to roam so are unlikely to meet a differently-configured search domain.


I feel as though we hear about some horrible security flaw from Microsoft every other day.


Is this really a security flaw from Microsoft, necessarily, or just a convention adopted that leads to a lot of accidental misdirection of traffic?

Don't get me wrong, making users be explicit is ideal, but this doesn't feel like it belongs in the same boat.


It's definitely a security flaw created by Microsoft.

A default/pre-filled value should be an acceptable value to use. By prepopulating "Corp", they implied that it was an acceptable value their customers could use.

What else would you think a prepopulated value would mean?

Fixing a flaw this big for what we assume is under $2 million seems like a bargain.


but they didn't pre-populate it. they used 'corp' within their instruction text as a placeholder for whatever the corporation wanted to use. from my understanding, nothing was pre-populated.


I'll give them a break if the text predates RFC2606 (1999) and the product hasn't been touched since.

> Confusion and conflict can be caused by the use of a current or future top level domain name in experimentation or testing, as an example in documentation, to indicate invalid names, or as a synonym for the loop back address. Test and experimental software can escape and end up being run against the global operational DNS. Even examples used "only" in documentation can end up being coded and released or cause conflicts due to later real use and the possible acquisition of intellectual property rights in such "example" names.

(emphasis added)


I don't know.

Meaning that in this case the MS customers are not "end customers", they are highly specialized (in theory) and highly paid (in practice) IT specialists setting up (part of) a complex (and security-sensitive) corporate network backbone such as Active Directory.


Except that this was also the default in SBS, a product specifically designed for a small business with little to no IT staff. (Why a small business that didn't have IT staff would bother with AD I do not know, but I believe the package also included an email server?)


Yep, but come on, any small business owner won't even know what AD is or why it should be used, and they would be convinced to use it by an external consultant (as well in theory belonging to the highly specialised and highly paid IT people).

This leaves us with only a part of small businesses (the ones where the owner let his daughter's son, or his cousin, which is "good at computers" manage their network).


They are very transparent about security. Very few companies are on their level of security maturity maybe a handful.


There might be a reason why example.org was chosen for documentation purpose.


The example TLD is also reserved, for when your example needs a TLD rather than a 2LD or some other domain.

This allows you to make up a bunch of 2LDs in documentation e.g. https://cat-food.example/ https://dog-food.example/ and https://pet-food.example/ might be three different companies that sell pet foods, or they might all be brands of the same company, whereas if I used names like https://cat-food.example.org/ and https://dog-food.example.org/ that's confusing because we'd say it's very unlikely for rival companies to share a 2LD this way.


I've always wondered how large SaaS companies (e.g. Salesforce, Workday, etc) ensure they don't let their domain mistakenly expire.

It'd be devastating to their business if someone were to purchase the expired domain of say, salesforce.com (e.g. customers wouldn't be able to log into their paid-for SaaS service, potentially corp email would be down, etc).


lots and lots of alarms, I imagine. Also plenty of DNS registrars will let domains enter a grace period where the original owner can re-register the domain before it's released back to the public.

Obviously being able to renew through an automated process is the best solution (LetsEncrypt, etc)


Many companies outsource domain registration to Mark Monitor or equivalent services, and Mark Monitor independently handles registration so that this doesn't happen. The larger the company, the higher the chance this is someone's job role or some company's service -- it's definitely on everyone's radar (at least today, MS has had a bad history in this department).


Years ago, one of my coworkers bought testcompany.com and got an amazing amount of internal emails from organizations.


This reminded me of `WPAD` namespace for DNS and DHCP:

https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Proto...

I remember logging all requests to wpad.ir, there were many from Brazil for some reason.


Wasn't this one of the reasons why some organizations lobbied against the extension on tld names? For example, in Germany we have lots of Fritz!box routers that are managed via 'fritz.box' which is now also a valid URL.


But why did Microsoft use a domain in its products which they do not own?


RTFOA. They didn't.

They used an internal ActiveDirectory domain of "Corp" as an example. An AD domain is not the same as a domain name.

....until it comes time for the Windows name service to try to idiotproof the user, and say "well, this doesn't resolve to an AD server here, maybe they meant it as a domain name, let me try appending .com and attempt a DNS query"

It's a case of the right hand not knowing the left hand's usability tweak would turn into a security issue.

Unquestionably Microsoft's fault, but it wasn't as simple as you make it out to be.


"Let me try with the search domain. No, doesn't exist. Let's knock the first element off the search domain and try again until we find it. What do you mean you connected your laptop to a network that's not your work network so the AD server isn't accessible?"


Does the Windows DNS client actually behave this way though? I have never seen it adding com, or any other tld.
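The walk described in the two comments above (append the suffix, knock the leftmost label off, try again) is easy to reason about once it is written down. The following is an added example, not code from the article or from any of the commenters: a small model of a Windows-style DNS client's suffix search, with the devolution stop level as a parameter because Windows makes it configurable and its default has changed between versions. The organisation name `ad.example.com`, the lookup name `corp`, and the hotspot's DHCP-supplied suffix `guest.hotspot.example` are all constructed for illustration; the useful check is `outside_control`, which lists the candidate names that would leak to a zone the organisation does not own.

```python
"""Model of Windows-style DNS suffix search with name devolution.

Added example (not from the page): builds the ordered list of fully
qualified names a client would try for an unqualified name, then flags
the candidates that fall outside the zones the organisation controls.
All suffixes and names below are constructed for illustration.
"""
from __future__ import annotations

from typing import Iterable, List, Optional


def _labels(name: str) -> List[str]:
    return [x for x in name.lower().strip(".").split(".") if x]


def devolve(suffix: str, stop_labels: int) -> List[str]:
    """The suffix followed by its parents, dropping the leftmost label
    each time, while at least `stop_labels` labels remain.

    devolve("corp.ad.example.com", 2)
      -> ["corp.ad.example.com", "ad.example.com", "example.com"]
    devolve("corp", 2) -> []   (a single-label suffix cannot devolve)
    """
    labels = _labels(suffix)
    out: List[str] = []
    while len(labels) >= stop_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidate_names(
    name: str,
    primary_suffix: str,
    connection_suffixes: Iterable[str] = (),
    search_list: Optional[Iterable[str]] = None,
    devolution: bool = True,
    stop_labels: int = 2,
) -> List[str]:
    """Ordered FQDNs a client would try for `name`.

    Assumed order (modelled, not taken from the page): an explicit search
    list replaces everything else; otherwise the primary suffix, then its
    devolved parents, then each connection-specific (DHCP) suffix.
    A name that already contains a dot is tried as-is first.
    """
    bare = ".".join(_labels(name))
    if not bare:
        raise ValueError("empty name")

    if search_list:
        suffixes = [".".join(_labels(s)) for s in search_list]
    else:
        suffixes = [".".join(_labels(primary_suffix))] if primary_suffix else []
        if devolution and primary_suffix:
            suffixes += devolve(primary_suffix, stop_labels)[1:]
        suffixes += [".".join(_labels(s)) for s in connection_suffixes if s]

    candidates: List[str] = [bare] if "." in bare else []
    for s in suffixes:
        if not s:
            continue
        fq = f"{bare}.{s}"
        if fq not in candidates:
            candidates.append(fq)
    return candidates


def outside_control(candidates: Iterable[str], controlled_zones: Iterable[str]) -> List[str]:
    """Candidates not under any zone the organisation controls: these are
    the lookups a third party could answer for."""
    zones = [".".join(_labels(z)) for z in controlled_zones]

    def controlled(fq: str) -> bool:
        return any(fq == z or fq.endswith("." + z) for z in zones)

    return [c for c in candidates if not controlled(c)]


if __name__ == "__main__":
    org_zones = ["example.com"]          # constructed: what the org owns
    # On the corporate network: everything stays under example.com.
    print(outside_control(candidate_names("corp", "ad.example.com"), org_zones))
    # Same laptop on a hotspot that hands out its own DNS suffix.
    off_net = candidate_names("corp", "ad.example.com",
                              connection_suffixes=["guest.hotspot.example"])
    print(outside_control(off_net, org_zones))
    # A client that devolves all the way down to a one-label suffix.
    print(outside_control(candidate_names("corp", "ad.example.com", stop_labels=1), org_zones))
```

The two settings worth checking on a real fleet are the devolution stop level and whether an explicit suffix search list is pushed by policy; with a search list configured, the DHCP-supplied suffix from an untrusted network is never tried at all in this model.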


Right? Why not just use microsoft.com, since they already owned that and presumably will for at least as long as the products' lifetimes. If you're going to use a default value at least use one you can control.


Somewhat related: A lot of random networking hardware seems to use "1.1.1.1"

I have even had Wi-Fi networks ask me to go to 1.1.1.1 to load their payment page so I can pay for the internet service.


I wonder if this is by any chance the same Michael O'Connor who wrote the Mac application CompuServe Navigator back in the '90s?


This could be a case for "eminent domain"ing the domain from this user. If domains are property, "eminent domain" must apply to them too.


Microsoft is the "bad guy".


"Microsoft buys corp.com so the other bad guys can’t"


We discussed this on the OpenSourceSecurity Podcast back in Feb 2020 https://www.opensourcesecuritypodcast.com/2020/02/episode-18... TL;DR: this is the least painful outcome of these DNS shenanigans.


And the good guys are?


did MS buy the domain from the guy for $1.7 million?


That's an Onion title right there.


[flagged]


I'm confused, article said Microsoft bought it. Not google.


You must not remember much about Microsoft in the 80/90s


The '80s were literally 40 years ago at this point. How many of the original employees are even at Microsoft at this point? At which point does complaining about Microsoft's actions decades ago become the same as complaining about Bayer making chemicals for the Nazis - as in, relevant historically, but not very relevant at the present?


some people just love to hate on microsoft no matter what they do, really.


I think this entire thread is a waste of space and deserves its negative votes, but Microsoft of today is no better than google. They both sell spyware disguised as OSes and consumer devices.


Of course, and they can get all the hate they can for this. But for the stuff they did 40 years ago? Somehow I feel like that's water under the bridge at this point.


That's totally fair.


> Somehow I feel like that's water under the bridge at this point.

As Heraclitus said, no man ever steps in the same river twice.

Yet the river is just as eager to sweep you away as it ever was. Unless you intend to be willfully naive, past encounters with the river should inform your future expectations of the river. Who in the 1990s could have predicted that in the 2020s Microsoft would be a distributor of spyware? Every damn Microsoft critic saw that coming.


Why is something that happened 30+ years ago relevant?


This is why I use foo TLDs in the documentation. To make sure it won't work in a copy-paste situation.


example.com is also always a safe one; RFC 2606 defines four top-level domains and three second-level domain names permanently reserved by IANA for testing purposes: .test, .example, .invalid, .localhost, .example.com, .example.net, and .example.org.


> This is why I use foo TLDs in the documentation. To make sure it won't work in a copy-paste situation

You're describing the exact methodology that led to this problem.


FYI, google owns .foo


ha, the more you know!
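A quick way to lint documentation for the mistake discussed in this subthread (a made-up TLD that later gets delegated, as .foo and .box did) is to check every example hostname against the names RFC 2606 reserves. The following is an added example, not code from the page: `classify` reports a hostname as reserved when it sits under one of the RFC 2606 names, flags a few TLDs that look like throwaway placeholders but are delegated gTLDs (a small illustrative subset, not an authoritative list), and calls everything else unreserved. The sample hostnames are constructed.

```python
"""Placeholder-hostname checker for documentation (added example).

RFC 2606 reserves .test, .example, .invalid and .localhost plus
example.com/.net/.org; nothing under those names can be registered, so
a copy-pasted example cannot end up resolving to a stranger's server.
Anything else, including "clever" TLDs that were later delegated, can.
"""
from typing import Dict, Iterable, List

RESERVED_SUFFIXES = (
    "test", "example", "invalid", "localhost",
    "example.com", "example.net", "example.org",
)

# Illustrative subset of delegated gTLDs often assumed to be placeholders.
DELEGATED_LOOKALIKES = frozenset({"foo", "box", "dev", "app"})


def _labels(host: str) -> List[str]:
    return [x for x in host.lower().strip(".").split(".") if x]


def is_reserved(host: str) -> bool:
    """True if host equals or ends in an RFC 2606 reserved name."""
    labels = _labels(host)
    for suffix in RESERVED_SUFFIXES:
        s_labels = suffix.split(".")
        if len(labels) >= len(s_labels) and labels[-len(s_labels):] == s_labels:
            return True
    return False


def classify(host: str) -> str:
    """'reserved', 'delegated-tld' or 'unreserved' for one hostname."""
    labels = _labels(host)
    if not labels:
        raise ValueError("empty hostname")
    if is_reserved(host):
        return "reserved"
    if labels[-1] in DELEGATED_LOOKALIKES:
        return "delegated-tld"
    return "unreserved"


def audit(hosts: Iterable[str]) -> Dict[str, str]:
    """Map each hostname to its verdict; anything not 'reserved' is a
    candidate for replacement in the documentation."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample of hostnames pulled from imaginary docs.
    for host, verdict in audit([
        "cat-food.example", "www.example.com", "db.corp",
        "api.foo", "fritz.box", "corp.com", "localhost",
    ]).items():
        print(f"{host:20} {verdict}")
```

Treat `delegated-tld` as a hard failure and `unreserved` as something to justify (a domain the project actually owns is fine; `db.corp` is not).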

