Corp.com was (is?) the default example domain in many applications from Microsoft. As a result many badly configured networks are attempting to connect to this domain, often sharing credentials in the process.
He who owns corp.com will have access to tens of thousands of corporate networks. So the only move that MS had was to buy the domain, regardless of the price.
I guess Mr. O’Connor (who sold the domain) made a nice retirement today.
So if you have your fully-qualified AD domain set to `ad.example.com`, that's the default search domain too, and a DNS lookup for `corp` will first check `corp.ad.example.com` then `corp.example.com` then `corp.com`.
Now, if you're using the AD server as your DNS server then it shouldn't get that far -- `corp.ad.example.com` should resolve. But if for whatever reason a device connected to AD doesn't use the AD server as its DNS server, for example if it's a laptop and not connected to the corporate network, then you'll be offered a _different_ search domain like `myisp.com`. Which probably _won't_ resolve `corp.myisp.com`. So the built-in resolver will after all walk its way up the search domain and check `corp.com` QED.
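The suffix walk described in the comment above, as an added model (not code from the thread, and not Microsoft's resolver) of how a Windows DNS client expands an unqualified name into the fully-qualified names it actually sends out. The rules modelled are the documented ones: an explicit DNS suffix search list, when configured, replaces everything else; otherwise the primary DNS suffix is tried, then its devolved parents, then any connection-specific suffix handed out by DHCP. One caveat the comment glosses over: by default the client stops devolving once `DevolutionLevel` labels remain (legacy default 2, later releases derive it from the forest root), so `corp.ad.example.com` devolves to `corp.example.com` but not to the bare `corp.com` unless the level is 1; the model takes the level as a parameter so both cases can be seen. The relative order of devolved and connection-specific suffixes, the hotspot suffix `myisp.com` and the zone list are assumptions.

```python
"""Model of Windows DNS suffix handling for unqualified names (added example).

Rules modelled:
  * explicit suffix search list set   -> only that list is used, no devolution
  * otherwise: primary suffix, then devolved parents down to DevolutionLevel
    labels, then connection-specific suffixes (order between the last two is
    an assumption; the set of names that leave the machine is what matters)
"""
from dataclasses import dataclass, field


@dataclass
class DnsClientConfig:
    primary_suffix: str = ""                  # set by AD domain membership
    use_devolution: bool = True               # the "append parent suffixes" checkbox
    devolution_level: int = 2                 # stop when this many labels remain
    connection_suffixes: list = field(default_factory=list)  # DHCP option 15
    search_list: list = field(default_factory=list)          # explicit global list


def devolved_suffixes(suffix: str, level: int) -> list:
    """'ad.example.com' at level 2 -> ['ad.example.com', 'example.com']."""
    labels = [lab for lab in suffix.split(".") if lab]
    return [".".join(labels[i:]) for i in range(len(labels))
            if len(labels) - i >= level]


def suffixes_to_try(cfg: DnsClientConfig) -> list:
    """Suffixes appended to a single-label name, in the order tried."""
    if cfg.search_list:                       # explicit list disables devolution
        return list(cfg.search_list)
    out = []
    if cfg.primary_suffix:
        out.append(cfg.primary_suffix)
        if cfg.use_devolution:
            out.extend(devolved_suffixes(cfg.primary_suffix, cfg.devolution_level)[1:])
    for s in cfg.connection_suffixes:
        if s not in out:
            out.append(s)
    return out


def candidate_names(name: str, cfg: DnsClientConfig) -> list:
    """Fully-qualified names queried for `name`, in order.
    A trailing dot means absolute; this model treats everything else as
    unqualified (a simplification of the multi-label rules)."""
    if name.endswith("."):
        return [name.rstrip(".")]
    return [f"{name}.{s}" for s in suffixes_to_try(cfg)]


def leaked_names(name: str, cfg: DnsClientConfig, controlled_zones) -> list:
    """Candidates outside the zones the organisation controls: these queries,
    and whatever follows them (SMB, LDAP, WPAD), go to a stranger's servers."""
    def controlled(fqdn: str) -> bool:
        return any(fqdn == z or fqdn.endswith("." + z) for z in controlled_zones)
    return [n for n in candidate_names(name, cfg) if not controlled(n)]


if __name__ == "__main__":
    # assumed laptop: joined to ad.example.com, on a hotspot that hands out myisp.com
    laptop = DnsClientConfig(primary_suffix="ad.example.com",
                             connection_suffixes=["myisp.com"])
    print(candidate_names("corp", laptop))
    print(leaked_names("corp", laptop, {"example.com"}))
    # level 1 reproduces the three-step walk in the comment, ending at corp.com
    deep = DnsClientConfig(primary_suffix="ad.example.com", devolution_level=1,
                           connection_suffixes=["myisp.com"])
    print(leaked_names("corp", deep, {"example.com"}))
    # pinning an explicit search list is the one setting that stops the walk
    pinned = DnsClientConfig(primary_suffix="ad.example.com",
                             search_list=["ad.example.com"],
                             connection_suffixes=["myisp.com"])
    print(leaked_names("corp", pinned, {"example.com"}))
```

On a real Windows host the three knobs modelled here are visible with `Get-DnsClientGlobalSetting` (`UseDevolution`, `DevolutionLevel`, `SuffixSearchList`); the point of `leaked_names` is that turning devolution off still leaves the connection-specific suffix, so an unqualified `corp` on a hotspot is queried under the hotspot's domain unless the search list is pinned.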
> Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.
While it's true that access used "corp.com" as a sample domain, the problem is what Krebs calls "domain DNS devolution"
> Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”
Krebs has written two articles about this that explain the problem.
if O'Connor demanded something ridiculous like 10 billion dollars... how do you talk him down when the situation is this one-sided?
It's not like O'Connor can do anything (legally) with the sensitive data that's hitting his domain. If he could, I could understand why he might be reluctant to sell, even if given a strong offer.
But the fact is, if Microsoft walks away from the negotiations, he gets nothing, and there are likely few other buyers he could ethically sell to, and those buyers are unlikely to offer as much as Microsoft can.
Anyone who wanted to develop a real business based on a tremendous four-letter .com address; that is a vast selection of potential buyers he could ethically sell to.
The name itself, independent of the inbound sensitive stream of data, is worth a lot. Any major enterprise company in the US could trivially develop policies to deal with the inbound sensitive data while using the name for a legitimate business. This one guy has been dealing with it just fine for two decades.
I'm sure someone would get their undies in a twist and sue me, which is why I've never done anything of the sort with the juicy traffic that's come my way (in a similar, though long in the past, situation that shall remain unspecified).
But 1 packet out of 100,000 gets upsidedownternet.
I genuinely wonder how much that matters these days. You've got app stores, Google searches, etc... I think having a memorable, short .com URL was a huge thing in the mid-2000s, but I'm less sure that it is today.
I believe that there was no agreement to be made. O'Connor put the domain up for auction, so MS was bidding against other buyers, not O'Connor.
> But the fact is, if Microsoft walks away from the negotiations, he gets nothing
I expect that the domain still would have sold, although not for the price that MS has now paid.
Regardless of who O'Connor would have sold to it would have been a nice payday and he knew that. It was just a matter of waiting for the right moment to put the domain up for auction.
He could have sold the domain to someone not concerned with the "legally" part.
They can't seize a domain because you were running some service on it, can they?
Just one example: https://www.cyberscoop.com/vpnfilter-botnet-fbi-seizure-apt-...
Of course actually doing anything with the received private data might be illegal, but that would be harder to track. How would the owner of a misconfigured network ever figure out how their data got "hacked"; whether the owner of corp.com did something or nothing with it?
Hence ancestor's use of "ethically" rather than "legally".
Human knowledge and intent matters in legal matters. If a technology is accidentally misconfigured to send sensitive data to a third party, and that third party knows that the data they are receiving was not intended for them, then they are still responsible for not willfully misusing that data. That's clearly the case with corp.com.
> If this is illegal, then I can shut down any site by sending my private data to it.
No, if you knowingly choose to send your data somewhere, then you can't turn around and blame the people receiving your data. Again: human knowledge and intent matter for the law.
As an example, a charge of trespassing depends on permission (human knowledge and intent), not whether you leave your gate open (how a system is configured).
The point is that it would be hard-to-impossible to go after someone who owns corp.com even if they use it for nefarious purposes because the actual nefarious action would be so hard to discover or prove.
Besides which, the bad actor here could easily live somewhere without an extradition treaty to the US or simply remain pseudo-anonymous (via shell companies, bitcoin, etc). So, it would be possible for an unethical owner of corp.com to find a buyer who intends to use it for ill.
Playing along in that dance is arguably unethical and shows intent.
There are circumstances where I would consider it ethical. For example, publishing the logs after a month (or whatever) delay and after notifying the relevant parties to fix their configs and change any secure information exposed.
In that case, it's similar to security researchers releasing the information, and I imagine it also protects him from liability in some ways. Firstly, he treats all traffic the same and has a public policy of exposing it, which I think more clearly puts the problem on the people sending the data to a public location; and secondly, people at a company who are looking at a security problem won't notice that some info went out to him and, grasping at straws, look to cover their own asses by trying to say that's where the problem must have come from.
"O’Connor said Microsoft actually offered to buy the domain several years back for $20,000. He turned them down, saying that at the time he thought it was too low and didn’t reflect the market value of the domain."
Land is nothing but objective and quantifiable qualities like its distance from the city, natural resources, size, fertility.
Domain names are arbitrary. If people want to swap $millions for vanity, I say let them.
The only downside is that well capitalized bidders could harass small owners with outsized bids, if they were willing to possibly end up with ownership.
An actual land value tax would be even better!
Not an auction. There's no indication the owner did anything beyond mentioning the desire to auction it.
The original article said he was trying to auction it starting at $1.7M. There's no indication that an auction ever took place, however. It also sounds like the owner wanted Microsoft to buy it and was willing to work with them, and ultimately this is what happened. My guess is that it went for well under $1.7M.
"Ugh, I can't believe he made money by acquiring a large pile of Apple stock for $1 each back in the 90's, squatting on it, then slowly selling it at extortionate (read: market) prices a few decades later. He's done this many times before and already retired because of these payouts. I'm not happy to hear he got a single cent."
When you purchase stock at an IPO, you're providing value because you're giving a company funds which they can use to build their business. Later buyers of the stock are providing value because they're incentivizing the buyer at IPO. All further purchases of the stock flow out of that.
When you purchase a domain, you're taking a valuable, limited resource, and paying, typically, a pittance for it. You're not providing value, period, at all. Ostensibly the reason we let people do this is that they will use the domain to provide value in the form of a website that people use.
So stock buyers are providing value to the market, while domain squatters are actively removing value from the market.
They're not limited, the short ones are. I'm not sure why people think they're entitled to short domain names.
> You're not providing value, period, at all.
I mean, you pay an annual maintenance fee do you not? That funds the registrar, which funds ICANN.
> So stock buyers are providing value to the market, while domain squatters are actively removing value from the market.
Maybe squatting on a domain provides them some satisfaction, who are you to judge how people choose to use their domains? If I choose to host pics of cats on "cats.com" (as the current squatter is doing) am I any less entitled to the domain than PetSmart? Just because you don't approve of what I choose to do with it?
Yes domains aren't specifically fungible, they're slightly different with regards to how memorable they are. You can still do exactly the same with each of them: host a website.
Sounds like there's more market oriented ways to resolve this issue. If you feel like short domains provide the world outsized value, why charge the same $10 annual maintenance fee as a 15-letter domain? The shorter, the higher the registration fee. Problem solved?
It's not as obvious with something like cats.com how this harms society, but I've worked with nonprofits numerous times who had to pay tens of thousands of dollars for their domain names because someone squatted them.
Let's not pretend there aren't widely-agreed-upon values being trampled here. Your argument is moral relativism.
> Sounds like there's more market oriented ways to resolve this issue. If you feel like short domains provide the world outsized value, why charge the same $10 annual maintenance fee as a 15-letter domain? The shorter, the higher the registration fee. Problem solved?
Given you haven't even agreed that there is a problem, it's pretty clear you just want to propose a market-oriented solution regardless of what the problem is, or whether the market can even solve it. This is not how problems get solved.
An often overlooked complication as well comes in the form of programming language package management reliant on reversed domain names. Fail to renew your domain claim, and you may find yourself having to repackage healthy chunks of code.
The vast majority of squatted domains aren't squatted by "the little guy", so nothing you say starting from that incorrect assumption has any validity.
I'd argue that domain names are limited: there is exactly one of each domain name, the fact that there is a practically infinite number of other different domain names isn't necessarily relevant.
Web domains function in a thousand different ways, and in some cases a medium of exchange metaphor may work (e.g. people want the domain to make more money). In this case, it's more akin to hoarding hand sanitizer and toilet paper until people have to pay scalper's rates out of fear of repercussion. The only reason this is a story is because of the security risks it presents, and holding that risk hostage is pretty obviously unsociable behavior (even if it is Microsoft's dime).
Not really, right? Microsoft could go back and fix this another way. They could release patches to all the major OS versions that had this bug, and push their customers to upgrade or face security issues at their own peril. I'd have to imagine all the customers with this problem have long-term support contracts, and if they don't, well, I don't know what to tell you.
What he's providing Microsoft is a dramatically cheaper, easier way out of a problem they made for themselves with poor/buggy domain resolution. He didn't create the bug. He's selling them a patch that costs a fraction of a fraction of what they'd have to pay to get themselves out of their own mess.
Think of it more as someone who acquired a tow truck as an inheritance, and sees an armored car in the ditch. The armored car could get themselves out, they could remove their gold bricks one piece at a time, then pull the car out and load the bricks back on. Or, they could give a brick to this guy and call it a day.
He didn't push them in, he's offering them a much more cost effective way out.
You may not like it, but this is capitalism.
Second, when you invest you are offering financial value. He just contacted someone, said "hey can I have these domains please?" and did nothing with them for 25+ years, until he was finally able to demand a payout, again.
Are all the people who tried to sell their hoarded toilet paper people who "identified something of value early on before anyone else did"?
The other aspect is thinking about which activity is actually economically productive. In the case of investing in Apple, you're producing value, since Apple wouldn't otherwise have been able to exist without the capital. In the case of domains, me buying a domain in 1990 is completely unproductive (the domain is still "there" regardless of whether I buy it or not). I don't see the value to society in rewarding people for rent-seeking on monopoly goods, while the value in encouraging capital investment is clear.
Capitalism doesn't require this sort of rent-seeking, and Adam Smith (as well as other thinkers) identified this problem (and formulated solutions to it) in the case of land, which is similar.
Another poster used the stocks analogy but I think the real estate one is more appropriate. Someone who bought land a long time ago that is now desirable to another party has no obligation to sell at all (let's not bring eminent domain into this). Let's say instead of corp.com this was land next to the Microsoft campus in Redmond. Why shouldn't someone ask for as much as they can get for their land?
Example.com exists for a reason.
How could anyone trust MS for security anything?
This seems like Microsoft in a nutshell, when example.com has been the official standard example since at least 1999.
In reality, consumers aren't (and can't be) educated enough to avoid products with these types of flaws. So, it's up to government to regulate, but consumers (citizens) still need to care enough to ask the government to regulate with fines and recalls.
EU citizens seem to have that type of government but US citizens would still rather protect corporate bad actors than protect themselves.
If we see any kind of legislative pressure, my bet is it'll be from the EU well before the US.
Choice has a cost, and we're all completely DDoSed by issues in our lives.
So yes, the router turns out to redirect NXDOMAIN to a page full of ads. Also, my back aches, I'm burned out at my job, my spouse has a bad mood today, I should've bought flowers in the morning but I forgot (maybe if I leave work 20 minutes early I'll manage to get them on the way back?), I've just discovered my bank is severely overcharging me for my account relative to the competition, the city council has just passed a bullshit increase in garbage collection rates, also the asshole who owns the apartment above has put it on AirBnB and we can't get a good night's sleep now, and .... and yes, my router is redirecting NXDOMAIN to a page full of ads.
There's this belief that people are too whiny these days. I start to feel it's opposite: we're too saturated with bullshit to have time to be whiny enough - enough to turn it into meaningful purchasing choices.
Naturally people don't want to pay for it, but it costs money to provide it, so what do you want?
The best thing the government could do is provide the same service for free.
It's a stop-gap solution, yes. Unfortunately, AFAIK there's nothing like this in my country, at least not trustworthy. For general electronics, I trust WireCutter and have never been anything but completely happy by just buying one of their top recommendations in a given category.
The question is, is the complexity of our lives all necessary, or is most of it incidental? And regardless, the point is: existence of this complexity makes the market mechanisms of ranking of products and services quite weak.
So this is a separate question entirely. And it's not a bad question -- why is there so little true scarcity of necessities but so much scarcity of time? There is actually quite a lot of artificial scarcity keeping everybody running on a treadmill. Like, how many hours are you working just to pay for the increase in housing costs caused by restrictive zoning rules? How many hours are you working just to pay off student loans from artificially inflated college tuition costs?
It's quite important that we address these things but it's kind of a different problem domain than consumer router security.
> And regardless, the point is: existence of this complexity makes the market mechanisms of ranking of products and services quite weak.
I would think it would be the opposite. If people have lots of free time and resources to read specifications and understand the inner workings of what they're buying then you don't need to pay someone to do it for you because you can do it yourself. It's when everybody is busy that someone trustworthy can make money by selling or identifying products of a given minimum quality, because people find their time more scarce than money and are willing to pay somebody so they don't have to do it themselves.
But in that case you would tend to have more dissatisfaction and buyer's remorse, because general purpose recommendations and minimum quality standards don't yield as good a result as you making an informed choice yourself. "One size fits all" is never really as good as choosing the right size for you. But government regulations can't fix that any better than consumer product ratings because they have the same problem -- a minimum standard still doesn't help you choose between a zillion different products that all meet the minimum standard, even though some of them are significantly better in your specific circumstances. The best product for some people may even be one which is below the so-called minimum standards, because they have atypical requirements.
Which I guess brings us back to your original point. Maybe we should do something about everybody being completely swamped for time.
Check to see if your local library offers Consumer Reports access! Mine does, and since the library is part of the municipal government, I suppose you could say that your statement has already come true (at least for some people).
Any free market purist will tell you that all transactions must be both mutually consenting and informed. If these conditions are not met, it is the governments job to step in.
The best the government can do and should do is reduce power imbalances and market monopolies which give rise to information asymmetry. Reducing wealth inequality should be the government's priority.
Money can buy trust. People are too focused on presentation instead of substance. People these days are incapable of seeing substance where it exists and they are easy to fool into seeing it where there is none.
It's only when the customer doesn't even have the information that the product which is $10 cheaper is also less secure that you run into a problem.
It seems to me the government should be involved in almost every transaction.
What gets done about that? Weights and Measures. I agree to pay you $3 for a spigglywig of asparagus.
Then I worry your spigglywig is deliberately under-size. The market town gets an officer to check you're selling asparagus in correct spigglywigs, and next thing you know you've got a multi-billion dollar metrology (the science of measuring things) research lab and they're defining the fundamental constants of nature so as to be right certain exactly how much a spigglywig is every time.
So yes, "free market" is at best a model that can only be approximated and at worst it's a filthy lie.
Yuck. I'm not a hard free-market-only libertarian (I believe in single payer healthcare for example) but economic transactions between two private parties should never have government involvement. Hell, I dislike the banks and credit card companies having involvement, we tolerate them because we have no choice.
Depending on your definition of "involved", every libertarian I know would agree with you.
Most people's conception of libertarianism is a massive straw man. I promise we are not as insane as you've been led to believe ;)
And the few libertarians who actually know what it means are usually quite cruel and heartless, fighting tooth and nail against universal health care even today, because their ideological principles outweigh their empathy and humanity.
But as a result of your ideological evangelism, you own all the self-described "libertarians" who your philosophy appeals to simply because they want to hurt and punish poor people, but don't understand what it "really means".
Sorry if this annoying inconvenient health crisis has knocked the blocks out from under your religious philosophy (and that the invisible hand of the market saw it necessary to bitch slap Rand Paul into quarantine after he downplayed the severity of Coronavirus, got it himself, tested positive, and continued to selfishly spread it while awaiting the predictably positive results), but we NEED government intervention and universal health care right now to save people's lives, so please spare us the "no true Scotsman" lecture.
> Sorry if this annoying inconvenient health crisis has knocked the blocks out from under your religious philosophy, but we NEED government intervention right now to save people's lives
This is a strawman, and there's no reason for you to be so offensive. I absolutely agree that government action is proper and necessary to protect the population, especially right now. "Provide for the general defense" is one of the government's jobs.
I think you should take a minute to examine your assumptions about what libertarianism is instead of reacting emotionally whenever you hear the word.
I've done nothing anywhere near as offensive and self-centered as what Rand Paul has done, first parroting Trump by downplaying the risk of Coronavirus, then knowingly spreading the highly contagious disease after he was exposed to it, by following Trump's idiotic advice to go about your normal daily life, instead of following sound medical advice to quarantine until he got his test results, which were positive. On top of his medical training and long career of opposing universal health care.
He's a physician: he should have known (and does know) better than to do that, and that makes his policies and behavior perfectly aligned with the stereotype of the heartless libertarian who doesn't care about anyone but himself. He can't fall back to Trump's ignorant "I'm not a doctor, but take this pill from a company I've invested in" defense.
We needed universal healthcare BEFORE the pandemic struck. Why have you and your ideological colleagues fought tooth and nail against it for so long, to the point of lying about and sabotaging Obamacare? Are you finally changing your tune, when it's way too late?
So what was your position on universal health care before, and what is it now, and does that align with the "true libertarian" philosophy, or are you "no true Scotsman" yourself? I'd love to hear your defense of Rand Paul's actions. Is he a true libertarian like you? And how about Eric S Raymond: do you think he knows what he's talking about?
America has more doctors and more hospital beds per capita than Europe does. This is one of the reasons that Europe has seen more coronavirus cases and more deaths per capita than America - their healthcare system is starved for resources.
I am in no way claiming that the American healthcare system is perfect, but I don't see universal healthcare as a panacea, because we are seeing in real time that it is not.
As far as what my stance on healthcare is: I think healthcare is a unique market where there is rarely the ability for you as the patient to make an informed decision about your medical care. In other words, a free market approach is not entirely feasible. I think a system similar to our school system would be ideal: publicly operated hospitals available for little to no charge, with the freedom to start a private hospital that has to compete with the public ones. This would mean high quality care at reasonable prices all around.
This has always been my stance. I've met libertarians who agree and disagree with me, but I can defend my stance using libertarian "first principles". So I think it's fair to call it "true libertarian" philosophy.
A libertarian is not a republican, and a libertarian is not an anarchist. A libertarian simply believes that individual rights should be protected. That should not be such a controversial statement.
Judging from https://en.m.wikipedia.org/wiki/List_of_countries_by_hospita... your assertion is false.
More telling is how reluctant he is to defend Rand Paul's indefensible and stereotypically libertarian antics, how not once has he mentioned his name, and how he pretends he didn't read anything about him I wrote.
Fundamentally there are only two ways in which the activities of a large number of people can be co-ordinated: by central direction, which is the technique of the army and of the totalitarian state and involves some people telling other people what to do; or by voluntary co-operation, which is the technique of the market place and of arrangements involving voluntary exchange. The possibility of voluntary co-operation in its turn rests fundamentally on the proposition that both parties to an exchange can benefit from it. If it is voluntary and reasonably well informed, the exchange will not take place unless both parties do benefit from it.
You will see a similar disclaimer in any bit of free-market libertarian thought, because you can't have voluntary exchange without informed consent.
If transactions without informed consent are taking place, it is easy to argue that someone's property rights are being violated. Any libertarian since John Locke will tell you that protecting your rights is the first and foremost job of government.
I don't think such a person exists outside of some libertarian fantasies.
In practice, the right side of the political spectrum is about preserving the free market insofar as it protects incumbent wealth.
Surely this is only true if the consumer _values_ security? Even assuming every (potential) consumer is educated enough to recognise security flaws, that doesn't necessarily mean the typical consumer will value security enough to purchase an alternative product they deem inferior in some other aspect
I'm not sure if "tragedy of the commons" is the right term for this, but I feel it's in the ballpark. Insecure devices create a form of pollution on the internet, let's say. And perhaps we should think of them like other polluters.
Obviously pollution controls have a cost, just like security, but we all understand that it's in everyone's interest to have air we can breathe, and ultimately lowers health care cost. Likewise, it could be argued that it's in everyone's interest (and perhaps a national security priority, as well) to have devices that don't allow themselves to be taken over by arbitrary attackers.
I think these are the regulatory models we should be considering.
Why is the proposed answer to information problems always bans and fines? Is the government, or anyone else in the market, lacking in the capacity to instead provide people with better information?
If you want the government to do something, why not have them go out and evaluate the products that exist in the market? Then if they find vulnerabilities, they can report them to the manufacturers before they're discovered by attackers, and they can rate the vendors on their security practices and publish the information so that customers do have the information on which vendors make better products.
How is this not vastly superior to the thing where they destroy all small vendors with onerous regulations and then everything costs fifty times as much because the only vendors big enough to comply with the regulations are Oracle and IBM?
What's my recourse as a consumer in this case? return to target? return to dlink or whoever manufactured it?
This is a gravely serious statement. In America you're talking about a fundamental shift in the relationship between the governed and the government. Many states would violently oppose the idea that the government knows what's best for you and should create laws for you backed by lethal force.
>US citizens would still rather protect corporate bad actors than protect themselves.
You missed the point. It's not about protecting corporations, it's about allowing personal freedom, even if that freedom includes suboptimal results. Moreover, it is abjectly false that the government can simply do what's best for everyone.
Uh, consumer protection laws have existed in the US for over a century. The FTC was founded in 1914. The mindset that laws should protect people from things that they don't understand is not an abrupt or fundamental shift. If not for the government, would you know how to find out if an apartment was built and wired in a safe way? Or do you rely on government permits and inspectors for that confidence?
The FTC was founded as an anti-monopoly arm of the government, and is not the same thing as saying "consumers aren't smart enough to know what's good for them".
IMO as a libertarian, trust-busting is one of the fundamental responsibilities of the government because consumers and small businesses usually cannot overturn a monopoly.
But they can somehow fight the abuse and manipulation companies can expertly unleash on them? How is the uninformed consumer better prepared to combat this than a monopoly? Millions of individual consumers speaking with millions of voices have absolutely no chance against companies with a single voice and a single goal. Companies hold far more cards than a regular consumer ever will. How much time can you dedicate towards protecting yourself and not being abused? Because a company can dedicate a lot of time into finding better ways to abuse or manipulate you.
It's a misguided belief that the Government intervening is intrinsically bad, or that any decision taken at individual level is intrinsically good simply because it proves "freedom". And this stems from lack of education and the unwillingness to accept that most individuals are woefully unprepared to fight back a never ending assault. But you can easily see the "converts" angrily shouting at the Government whenever they get trampled by yet another company. One of the clearer examples is when people who got scammed out of their cryptocurrencies went from "boo regulation" to "why didn't the government do anything" without missing a beat.
Does anyone actually believe it’s workable to require every single consumer to be informed about the most minor details of a router’s DHCP configuration in order to stop such shenanigans? And how does this fantasy work when the router is provided by your cable company? There must be thousands of issues of that magnitude you would need to research when deciding among the two options for internet most people have. Although I guess it’s easier once you notice both providers use the same routers and you don’t have a choice after all.
Do you also favor the government leaving food safety to the individual consumer? If yes, do you routinely research the full supply chain of all ingredients that go into your cheeseburger, to be sure nobody is using lead as a convenient sweetener? Do you check every restaurant’s kitchen for hygiene?
You sure about that? The FDA, USDA, CPSC, FCC, FAA etc all exist already.
Isn’t that exactly what a police force is? Doesn’t that exist in every part of the US and act to uphold laws designed to protect the people who live there?
It's also quite possible to turn off walking up the search domain: it's just a checkbox.
None of which makes it a good idea, and the best thing to do is actually to just _not set_ the search domain.
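A small model of the suffix-walking behaviour these two comments are about, written here as an added example (not code from the thread or from Windows): it lists the names a naive resolver would try for an unqualified lookup of `corp`, and shows what the "turn devolution off" checkbox and the "don't set a search domain" advice each change. The suffixes `ad.example.com` and `myisp.com`, and the `min_labels` knob that models a devolution level limit, are constructed assumptions.

```python
"""Simplified model of DNS suffix search-list devolution (constructed example)."""

from typing import Iterable, List, Optional


def devolve(suffix: str, min_labels: int = 1) -> List[str]:
    """Return the suffix and each of its parents that still has >= min_labels labels.

    'ad.example.com' -> ['ad.example.com', 'example.com', 'com'] with min_labels=1,
    and stops at 'example.com' with min_labels=2 (a devolution-level style limit).
    """
    labels = [lab for lab in suffix.strip(".").split(".") if lab]
    parents = []
    while labels and len(labels) >= min_labels:
        parents.append(".".join(labels))
        labels = labels[1:]
    return parents


def candidate_names(name: str, primary_suffix: Optional[str], devolution: bool = True,
                    min_labels: int = 1, search_list: Iterable[str] = ()) -> List[str]:
    """Names tried, in order, for an unqualified single-label lookup.

    A dotted or trailing-dot name is taken as-is.  Otherwise the name is appended to the
    primary suffix, then (if devolution is on) to each parent of that suffix, then to any
    explicit search-list entries such as a DHCP-supplied connection-specific suffix.
    """
    if name.endswith(".") or "." in name:
        return [name.rstrip(".")]
    suffixes: List[str] = []
    if primary_suffix:
        suffixes += devolve(primary_suffix, min_labels) if devolution else [primary_suffix]
    suffixes += list(search_list)
    tried = [f"{name}.{s}" for s in suffixes] or [name]
    return list(dict.fromkeys(tried))  # de-duplicate, keep order


def leaks_outside(candidates: Iterable[str], owned_suffixes: Iterable[str]) -> List[str]:
    """Candidates that fall outside every DNS suffix the organisation controls."""
    owned = [o.strip(".").lower() for o in owned_suffixes]
    return [c for c in candidates
            if not any(c.lower() == o or c.lower().endswith("." + o) for o in owned)]


if __name__ == "__main__":
    on_net = candidate_names("corp", "ad.example.com")
    print(on_net, "->", leaks_outside(on_net, ["example.com"]))   # corp.com leaks
    off = candidate_names("corp", "ad.example.com", devolution=False, search_list=["myisp.com"])
    print(off, "->", leaks_outside(off, ["example.com"]))         # corp.myisp.com leaks
    print(candidate_names("corp", None))                          # no suffix set: just 'corp'
```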
Although I suppose to the recipient of such an email it might sound like an extortion racket.
And also to scan code bases & configs on a regular basis for the inevitable "dummy yet resolvable" addresses that sneak back in out of bad habit.
https://news.ycombinator.com/item?id=22277185 "Dangerous domain corp.com goes up for sale" - Feb 9, 2020.
> Over the years, Microsoft has shipped several software updates to help decrease the likelihood of namespace collisions that could create a security problem for companies that still rely on Active Directory domains that do not map to a domain they control.
> However, experts say hardly any vulnerable organizations have deployed these fixes for two reasons. First, doing so requires the organization to take down its entire Active Directory network simultaneously for some period of time.
> Second, according to Microsoft, applying the patch(es) will likely break or at least slow down a number of applications that the affected organization relies upon for day-to-day operations. Faced with either or both of these scenarios, most affected companies probably decided the actual risk of not applying these updates was comparatively low.
> the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.
Whew boy. What's the right answer here? Out-of-the-box AD and DNS coming with default settings that must be changed prior to use?
As for being activated: my recent experience is mostly with RedHat-derived Linux server distributions (like CentOS), and they do come with the firewall enabled (which more than once made things not work until we noticed it was the firewall again). That didn't use to be the case in the distant past, however.
And for a house, that's kind of overkill for the general network. Sure, set up a restricted wifi for IoT crap, but having to fiddle with it daily is NOT acceptable.
Don't get me wrong, making users be explicit is ideal, but this doesn't feel like it belongs in the same boat.
A default/pre-filled value should be an acceptable value to use. By prepopulating "Corp", they implied that it was an acceptable value their customers could use.
What else would you think a prepopulated value would mean?
Fixing a flaw this big for what we assume is under $2 million seems like a bargain.
> Confusion and conflict can be caused by the use of a current or future top level domain name in experimentation or testing, as an example in documentation, to indicate invalid names, or as a synonym for the loop back address. Test and experimental software can escape and end up being run against the global operational DNS. Even examples used "only" in documentation can end up being coded and released or cause conflicts due to later real use and the possible acquisition of intellectual property rights in such "example" names.
Meaning that in this case the MS customers are not "end customers", they are highly specialized (in theory) and highly paid (in practice) IT specialists setting up (part of) a complex (and security sensible) corporate network backbone such as Active Directory.
This leaves us with only a part of small businesses (the ones where the owner let his daughter's son, or his cousin, who is "good at computers", manage their network).
This allows you to make up a bunch of 2LDs in documentation e.g. https://cat-food.example/ https://dog-food.example/ and https://pet-food.example/ might be three different companies that sell pet foods, or they might all be brands of the same company, whereas if I used names like https://cat-food.example.org/ and https://dog-food.example.org/ that's confusing because we'd say it's very unlikely for rival companies to share a 2LD this way.
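The "scan code bases & configs for dummy yet resolvable addresses" suggestion a few comments up, combined with the reserved names from RFC 2606 quoted above (`.test`, `.example`, `.invalid`, `.localhost`, and `example.com/net/org`), as an added example that is not from the thread: it pulls host names out of a constructed config snippet and flags single-label names (which are subject to suffix search) and placeholders under TLDs that could actually resolve. The key-name heuristics, the `owned` suffix set and the sample config are all constructed assumptions.

```python
"""Flag placeholder host names in config text that could resolve on the public DNS (constructed example)."""

import re
from typing import Dict, List, Set, Tuple

# RFC 2606 reserved names: guaranteed never to resolve on the public DNS, so safe as placeholders.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_2LDS = {"example.com", "example.net", "example.org"}

URL_HOST_RE = re.compile(r"[a-z][a-z0-9+.-]*://([^/\s:@]+)", re.I)
# Heuristic: values of keys whose name hints at a host or domain (assumption, tune per code base).
KV_RE = re.compile(r"^\s*[\w.-]*(?:host|server|domain|realm|ldap|smtp)[\w.-]*\s*[=:]\s*['\"]?([a-z0-9.-]+)",
                   re.I | re.M)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

SAMPLE_CONFIG = """
# constructed sample config, not from any real deployment
ad_domain = corp
ldap_server = dc01.corp
smtp_host: mail.corp.com
api_url = https://api.ad.example.com/v1
docs_url = https://cat-food.example/
fallback_host = db.test
"""


def classify(host: str, owned: Set[str]) -> str:
    """'ip', 'single-label', 'owned', 'reserved' or 'resolvable-placeholder'."""
    h = host.lower().rstrip(".")
    if IPV4_RE.fullmatch(h):
        return "ip"
    labels = h.split(".")
    if len(labels) == 1:
        return "single-label"            # will get search suffixes appended by the resolver
    if any(h == o or h.endswith("." + o) for o in owned):
        return "owned"
    if labels[-1] in RESERVED_TLDS or ".".join(labels[-2:]) in RESERVED_2LDS:
        return "reserved"
    return "resolvable-placeholder"      # not ours, not reserved: someone else can register it


def scan(text: str, owned: Set[str]) -> Dict[str, str]:
    """Map every host name found in the text to its classification."""
    hosts = URL_HOST_RE.findall(text) + KV_RE.findall(text)
    return {h: classify(h, owned) for h in dict.fromkeys(hosts)}


def findings(text: str, owned: Set[str]) -> List[Tuple[str, str]]:
    """Only the entries a reviewer should look at."""
    return [(h, c) for h, c in scan(text, owned).items() if c in ("single-label", "resolvable-placeholder")]


if __name__ == "__main__":
    for host, cls in findings(SAMPLE_CONFIG, {"ad.example.com"}):
        print(f"{cls:22s} {host}")
```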
It'd be devastating to their business if someone were to purchase the expired domain of, say, salesforce.com (e.g. customers wouldn't be able to log into their paid-for SaaS service, potentially corp email would be down, etc).
Obviously being able to renew through an automated process is the best solution (LetsEncrypt, etc).
I remember logging all requests to wpad.ir, there were many from Brazil for some reason.
They used an internal ActiveDirectory domain of "Corp" as an example. An AD domain is not the same as a domain name.
...until it comes time for the Windows name service to try to idiotproof the user, and say "well, this doesn't resolve to an AD server here, maybe they meant it as a domain name, let me try appending .com and attempt a DNS query"
It's a case of the right hand not knowing the left hand's usability tweak would turn into a security issue.
Unquestionably Microsoft's fault, but it wasn't as simple as you make it out to be.
I have even had Wi-Fi networks ask me to go to 126.96.36.199 to load their payment page so I can pay for the internet service.
As Heraclitus said, no man ever steps in the same river twice.
Yet the river is just as eager to sweep you away as it ever was. Unless you intend to be willfully naive, past encounters with the river should inform your future expectations of the river. Who in the 1990s could have predicted that in the 2020s Microsoft would be a distributor of spyware? Every damn Microsoft critic saw that coming.
You're describing the exact methodology that led to this problem.