Hacker News new | past | comments | ask | show | jobs | submit login
Microsoft takes down No-IP.com domains (technet.com)
315 points by anExcitedBeast on June 30, 2014 | hide | past | favorite | 251 comments

> On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

Something about this bothers me. So the courts granted MS the rights to essentially take over No-IP's DNS in order to "identify" ... "bad traffic?"

The implications of this are... chilling. As much as I want to reserve judgement, this makes me uneasy (malware aside).

Agreed. Arguably the net effect in this particular case was positive, but I can easily imagine reading this press release in a parallel universe:

"Today, Sony Pictures has upped the ante against global cybercrime, taking legal action to clean up piracy... We're taking YouTube to task as the owner of infrastructure frequently exploited by cybercriminals to infringe copyrights by uploading unauthorized movie clips... On June 26, the court granted our request and made Sony the DNS authority for youtube.com, allowing us to identify and route all known infringing traffic to the Sony sinkhole and identify users who posted unauthorized content."

Isn't that close to what happened to Mega Upload and domain handed over to the government?

Of course a court can seize domains. But if an investigation follows, it should be carried out by the police, not by private companies (and especially not by the plaintiff).

At least that's what I'd expect from a constitutional state ;-)

Police have failed to take any action on this.

If people gave the money they can (at least in England) mount a private criminal prosecution. That's very rare, but it does happen.

I'm pleased that MS is doing this. So long as it stays open, scrutinised by the courts, and restricted to massive malware botnets the results are good for almost everyone.

The Police DO NOT have the necessary hardware and software to take on such a task Andor. The Private Sector does because that is what they do.

Exactly. Here is another one:

Microsoft failed to secure Windows XP against malware and botnets, so all Windows XP users will now be redirected to Ubuntu.com when they try to access the internet through Internet Explorer.

That's quite a stretched analogy. A fully updated Windows XP computer will still be vulnerable to malware and botnets.

That is because Windows, OS X, Android and Linux allow their users to install third party programs without whitelisting them. There is nothing stopping users from installing malware. OS X and Linux have less malware because they're not as popular as Windows and Android.

That's opposite to iOS, Windows Phone/RT, XBox and Playstation which are pretty much free from malware because everything has to go through an app store.

A fully updated Windows XP computer will still be vulnerable to malware and botnets.

That is because Windows, OS X, Android and Linux allow their users to install third party programs without whitelisting them.

<Devil's advocate>Then clearly Microsoft aren't doing enough to look after their own back yards, and their domains should be seized and potential Microsoft customers rerouted to information about the dangers of using Microsoft products and safer alternatives.</Devil's advocate>

This is a highly impractical response to the problem of malware, of course, but I don't find the analogy stretched at all. The action Microsoft have reportedly taken -- and the support they appear to have been given by the courts -- are just about as absurd as my tongue-in-cheek response above.

We seem to have grown up and stopped assuming everyone using P2P protocols obviously wants to pirate films, and we don't assume everyone using Windows XP obviously wants to be part of a botnet, so why would we assume everyone using Dynamic DNS obviously wants to distribute malware?

[Edit: There are now quite a few HN posters in multiple discussions about this action who are saying their innocent use of No-IP is being undermined because Microsoft's sinkhole is getting in the way.]

Because you're a fucking expert, huh?

On OSX you actually have to whitelist software as a user. If something doesn't come from an approved developer, user has to say "Yup, I really do actually want this to be able to run"

(unless we're talking things installed through homebrew, pip, gems and whatnot, but those aren't likely to be used by inexperienced users)

Yeah but what fraction of home users are going to consider that prompt as opposed to just clicking on the OK button? I've noticed a lot of software will include that in its install steps.

You now actually need to specifically open the application with a right click to even have the option to open it, simply double clicking just says it's unsafe and closes. I think that safeguard probably has saved significant numbers of people from unsavory malware.

That's the very first option everyone turns off because it gets in the way.

It's the first option everyone you know turns off, but don't mistake anyone who even knows that Hacker News exists with a typical computer user.

Good point.

It seems highly irregular: did the court misunderstand, or were they misrepresented to, that No-IP themselves were playing a witting part in botnet C&C coordination?

I doubt No-IP will settle out of court. They'll probably countersue - they have nothing to lose, and that sounds like a company lawyering up and getting ready to kick ass - and I'd expect they'd ask for very big, even punitive damages. The $200k bond isn't even two orders of magnitude enough to hedge against MS literally destroying their business, in what may have been an ultimately well-intentioned, but spectacularly reckless, action.

How long until MS reverse the DNS changes, I wonder, especially given they can't keep up and they're all effectively down? 12 hours? 24?

It's no surprise, btw, that domains in US jurisdiction are under US jurisdiction.

We could use some more TLDs that aren't, I think, and I've held for some time that the root DNS should be held by some kind of international treaty entity acting as IANA.

https://en.wikipedia.org/wiki/Namecoin Distributed DNS is the only solution

And meshnets. DNS is just a layer on top of an already vulnerable IP stack.

IP can work between broad and anonymous mesh nets, but when an IP address can be resolved to a business or person it provides an exploit vector.

Like MaidSafe? Are there other alternatives?

It doesn't serve No-IP's market, because No-IP is for frequently changing IP addresses. Namecoin charges for each record change, to my knowledge.

How often are updates necessary? It costs 0.8 cents to update a namecoin domain.

It depends on how often a router may disconnect; they typically receive a new IP address every time they connect. It's also a matter of the ISP's policy, some ISP's force a disconnection once per day while others don't.

One of the main reasons to use a dynamic DNS service is because your IP address changes frequently. A service that requires you to pay for each record update is a non-starter for that use case.

> It costs 0.8 cents to update a namecoin domain That's not fair to say.

It costs like this because the namecoin price is so low. However, if it was used more, the price would skyrocket.

So malware authors will be able to operate with impunity? As in all things, the solution is somewhere in the middle.

And they say America is a democracy... this is one step away from the courts granting Microsoft the power to take over no-ip's business and domains permanently.

Reminds me of the old days of communism when you could have your "property" sized since legally speaking everything belonged to the state.

And no you can't say this is different because the courts ordered it since no-ip was not given a chance to defend itself.

How much would like to bet Microsoft presented the case as some rogue Arab sounding names(terrorists?) running shady bot-nets in cooperation with no-ip a company obviously involved in that criminal activity.

Not the largest and well known freed DNS provider in the world that happens to be used by a large number of bot-nets as well.

If this is ok I'm sure you could find millions of reasons to seize goggles domains like indexing warez sites or websites like the pirate bay.

This is the singlemost monstrously misrepresentational and dubious thing I have seen any tech company do in my 20 years experience as a tech. It also profoundly concerns us all that this type of judgment can be made by our government without any of warning or consent by the people. Millions of users lost their home security and surveillance systems instantly due to this ill-advised decision. We should hold the federal government and Microsoft directly responsible for any losses that happened today, and any that happen in the future as a result of any such action. We might as well go ahead with emotional damages for causing the concern in the first place.

This decision is very disturbing indeed.

Don't use .com, .net, .org, .edu; use domain names in your own sovereignty! Microsoft would have it much harder to get no-ip.ru or no-ip.zh (granted, a little easier grabbing no-ip.fr).

Microsoft was able to demonstrate that they were actually involved in committing the crimes. The court didn't give them the domains so that they could then come up with evidence. They already had the evidence.

Oh nevermind...NSA...M$ is teh suxor...oh mer gurd!!!!

Really... so the hundreds of thousands innocent users that was not doing any crimes? What about them?

This just proves that the current authorized domain system is not working, and its the beginning of the end.

"On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats. "

How can this be legal? Does this mean that if I get malware from a hotmail.com address, I can file for a TRO against Microsoft and control their domains?

I honestly don't understand why Microsoft should be given this ability.

It's an ex parte order, so presumably Vitalwerks didn't show up in court despite the summons? If you filed for a TRO against Microsoft and their lawyers ignored it, something bad might happen to them too.

Ex parte means "from (by or for) one party", the judge acts upon the moving party's request without hearing from the other party. They are supposed to be rare and meet a high bar -- generally involving emergencies (and occasionally involving actions that need to remain secret).

Given that the allegations span many months, it's hard to see how it was an appropriate form of action here. I'd be very interested to see if there was a written decision granting the TRO.

Edit: This appears to be it http://www.noticeoflawsuit.com/docs/Second%20Amended%20Order...

I mean, it's not like nuclear warheads are going off, so why should Microsoft get so much power over this situation? Plus NOIP's reply seems to point that they all along had a way to communicate openly with one another.

Ex parte order can be given even if Vitalwerks does show up (source: divorce court). Ex-parte simply means that it was an emergency and couldn't wait.

However, it also means that a new full hearing has been setup (likely in 2 weeks or so) where both parties can argue their case. The full decision will be taken then.

According to Reuters, Microsoft is only sending traffic from computers that are infected with malware to Microsoft instead of No-IP.


That may still make people uncomfortable, but it seems much less egregious than Microsoft taking control of No-IP's domains, which is what this press release implies.

Edit: the reuters article is in error here, not the Microsoft Blog. See below. Turns out this really is as egregious as it sounds.

> Microsoft is only sending traffic from computers that are infected to Microsoft instead of No-IP.

Unfortunately that's false. See below:

dig -t ns no-ip.biz

; <<>> DiG 9.9.2-P2 <<>> -t ns no-ip.biz ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7020 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4000 ;; QUESTION SECTION: ;no-ip.biz. IN NS

;; ANSWER SECTION: no-ip.biz. 7154 IN NS ns8.microsoftinternetsafety.net. no-ip.biz. 7154 IN NS ns7.microsoftinternetsafety.net.

;; ADDITIONAL SECTION: ns8.microsoftinternetsafety.net. 3560 IN A

;; Query time: 3 msec ;; SERVER: ;; WHEN: Mon Jun 30 14:14:47 2014 ;; MSG SIZE rcvd: 117

The funny thing is that "microsoftinternetsafety.net" sounds just like a domain that a fake antivirus software would use.

so true, I would not trust that domain at all.

What DNS are you using?

On Google ( or Comcast DNS I'm not seeing this for their top domains (no-ip.org, no-ip.biz, no-ip.info).

I wonder if your ISP is working with Microsoft.

This is simply a side-effect of how DNS updates. The data is propagating right now, as the root nameservers for the .biz tld are already returning the Microsoft DNS servers as the correct response. The TTL for the root appears to be a day, so you should see this everywhere in 14 hours from this post.

Source: 'whois' and 'dig +trace'

Ha. Good point. This was done at work, where we use MS Server's DNS.

<strike>I'm not sure if this is an artifact of our longer TTL, if MS is updating MS server DNS entries, or something else. Either way, at some point in time or in certain places, traffic resolved by no-ip was/is under Microsoft control.</strike>

EDIT: Looks like it may actually be a result of our shorter TTL, since google DNS appears to have 5.7 hours left on their records for no-ip.

Confirmed by a couple queries to the {a..k}.gtld.biz nameservers.

It's strange, I've yet to see it too, in Canada. Must be within a limited area for the ISP, or thanks to the collaboration with A10 Networks.

E.g. https://www.whatsmydns.net/#NS/no-ip.com

Microsoft has been doing more and more of this stuff lately, and it does start to worry me quite a bit. The last time they worried me was when "Microsoft shut down a million-strong Tor botnet, by uninstalling Tor from the computers".

I don't want Microsoft to have that kind of power, let alone use it. Worse yet, they make it sound like it's some kind of PR win for them. "Microsoft the hero, takes down evil network". But they usually try to hide how they did it. Very few articles mentioned they were uninstalling Tor from the computers the last time around. Most were just churning Microsoft's press release and the hero narrative.

> The last time they worried me was when "Microsoft shut down a million-strong Tor botnet, by uninstalling Tor from the computers"

They did not uninstall Tor. They disabled it. More importantly, this Tor was NOT installed by the user of the computer. It was installed by the malware for its own use, without the knowledge of the computer user [1].

> I don't want Microsoft to have that kind of power, let alone use it

Actually, if you are running anti-malware software, you DO want them to have this power, as finding and disabling things that malware has installed on your computer is the whole point of anti-malware software.

[1] http://www.tripwire.com/state-of-security/top-security-stori...

It is almost like giving one company monopoly control of the personal computer industry through a proprietary OS nobody can audit might not be the best plan.

Not necessarily "nobody". They do have a shared source program:


Which incidentally doesn't let you access all of the source...

Not saying that it's right but Amazon, Google and Apple also have admin rights on their devices... (for example: http://www.nytimes.com/2009/07/18/technology/companies/18ama... , also http://www.computerworld.com/s/article/9213641/Google_throws... )

>The last time they worried me was when "Microsoft shut down a million-strong Tor botnet, by uninstalling Tor from the computers".

>Very few articles mentioned they were uninstalling Tor from the computers the last time around. Most were just churning Microsoft's press release and the hero narrative.

Microsoft's security software did that, that too only stopped it from automatically starting if it was installed by a known virus. So if you install and run a virus scanner, why wouldn't you expect it to block such attacks?

If you didn't want it to do that, I am sure there are ways to opt out from using Microsoft's security tools. Were there any reports of legitimate Tor users getting affected by the action?

To opt out uninstall Microsoft's malicious software removal tool.

An awesome free tool imo.

Ironic name. Software removal tool is malicious.

Debatable. When you install it and agree to the Terms and EULA you agree to allow Microsoft to uninstall software that it deems as malicious. I don't know if that means the tool is malicious.

Most people don't read EULAs. Caveat installing users.

My home VPN is unable to connect right now. I use a noip.me domain. The actions of both the courts and Microsoft are extremely concerning to me.

Same here, I was confused this afternoon when my home vpn hosted on a servebeer.com subdomain wouldn't connect. Now it makes a lot more sense, but I'm left with a very bad taste in my mouth.

Buy your own domain, preferably with a company outside the US. I use gandi.net and http://code.google.com/p/gandi-automatic-dns/

It's more expensive, but you control it.

>you control it.

Hardly. Any domain in the existing domain name system can be seized.

I'd like to see that on a global TLD. If you mean that any arbitrary country can seize a TLD belonging to that country, then yeah I guess you are right. You can always get a distributed TLD but then you have the problem of them not being resolvable unless the PC you are at is correctly configured.

What's a global TLD?

Sorry, I should say international non-US tld, or in other words, a TLD not under the control of the US.

US controls root/'.' via ICANN and can theoretically seize anything under the DNS system

Only reason they don't for gTLDs is because of the political fallout

Has I understood this correctly? Microsoft, a private company, has been granted the right to filter all dns traffic, and choose what will bee forward to this other company, No-IP. No-IP will so bee allowed to run there service for the remaining customers Microsoft approves?

Is this common practices in the us legal system? Would it work like this in the offline world also? If my neighbor sometimes had loud parties that bothered me, could I be granted the right to stand in front of his door and turn any potential troublemakers away.

>If my neighbor sometimes had loud parties that bothered me, could I be granted the right to stand in front of his door

What if they were bothering 7.4 million people and inconveniencing many more?

And then didn't show up in court in spite of summons? The police or courts will take that far more seriously.

Hotmail.com and outlook.com are regularly used to send out malware. I know this because I have received some personally every couple of months for the last 4-5 years.

It's highly likely that over the years, more that 7.4 million spam emails have been sent through Microsoft's systems.

Under the bar set by this judge, I should be able to apply for, and receive, ownership of outlook.com based on the fact that Microsoft doesn't always rush to comply with emails that I send them.

It won't happen, of course, because Microsoft has more money than I do (and because it's a fucking stupid idea).

This is an appalling remedy and I hope Microsoft and the Judge in question face serious repercussions for it.

Microsoft is not the police or courts.

It was the court that allowed Microsoft to do this.

the court deciding that a company (Microsoft) should act as the police (or in this analogy, a bouncer) is still terribly short-sighted, especially when that company has been historically accused by the DOJ of attempting to form varying monopolies.

a capable government should not be in the habit of contracting valuable state-needed cyber-defense to private companys, as the 'keys to the kingdom', in this case domain records, should not be in the hands of a company that can benefit privately but rather a state-ran agency which employs proper check and balances.

A court appointed a private corporation to act as a police agency.

It's a temporary restraining order. It obviously affects Microsoft's products and its customers. It would be equivalent to say, blocking a phone switch that was misbehaving and calling you continuously causing a denial of service attack. That Microsoft customers are suffering more than Microsoft itself and that No-IP appeared to be in denial seems to support the temporary restraining order -- No-IP, aware of such reports via blog posts, chooses to do nothing by asking for reports rather than investigating and stopping the behaviour themselves.

Is this common practices in the us legal system?

Courts not understanding the social effects of technological law and making an order in favour of the more "respectable" looking party? Happens all the time.

It's just plain outrageous that this court order was granted. It essentially puts no-ip out of business when they were not complicit in anything illegal.

It took me 5 minutes to switch my completely legitimate hosts over to ddns.net. I'm sure the evil botnet owners have backup hostnames and will do the same, or more likely switch to another provider entirely.

The end result will be a short-lived dip in criminal activity over the next 72 hours or so, inconveniencing many thousands of legit users, and putting a completely innocent company out of business. Nice move, MS.

The argument seemed to be no-ip wouldn't stop people who were reported for malware/abuse. If other DDNS providers are less complicit with malware/abuse then it should be harder for them to continually operate. Sure, it won't stop it. But if the most friendly DDNS host is gone, it seems like a marginal victory for everyone else.

> It took me 5 minutes to switch my completely legitimate hosts over to ddns.net.

Unfortunately .net is also under the jurisdiction of US courts so it's not any 'safer' from seizure

The registry for .info and .mobi is in Ireland, .me is Serbia and Montenegro. Might be worth looking for dynamic DNS options in those TLDs if you seek future-proofing.

How did you do? what was so simple to do in 5 min? Did you redirected your no-ip.org DNS to the ddns.net? How did you do it? thanks

No-ip was complicit in the illegal activity.

If you use a car wash that is also laundering money, your legitimate need for a clean car is not a defense against shutting the business down.

But that's an awful analogy and frankly you should be ashamed for even trying to paint it in that light. NOIP did nothing illegal whatsoever, their only "crime" was that they didn't do enough about malware distribution to keep Microsoft happy- which last I heard wasn't illegal.

To use your car wash analogy, it's more like the car wash unknowingly washed the car of a drug trafficker and then was essentially put out of business the next day for being "complicit in the illegal activity".

I am uneasy about this situation, but the car wash in question is more like the car painting shop in Grand Theft Auto. Even if painting cars is a legitimate activity, when 75% of your customers are trying to mask illegal activity you should be doing some due diligence to ensure that you're not enabling illegal activity.

I'm not totally okay with what happened here, but I'm confident that it was not a "oops, sorry, we'll ban that botnet" situation. no-ip's primary use case is botnets, and they do have a responsibility to minimize botnet use. They can't claim ignorance given the widespread use.

no-ip primary use case is certainly not botnets. It's used by dsl users to connect to their home network, or to get an easy to remember address for a vps, or maybe while developing something before getting a proper domain.

75% is a HUGE overstatement, No-IP allegedly has ~4 million active accounts. Of those 4 million, 3rd party security firms claimed ~12k of them were involved in the distribution of these two bits of malware, No-IP said the number was more like 2k. If those numbers are correct then you're talking thousandths of a percentile being the reason for this domain seizure.

So if some number of people use cars for illegal activities should we shut down the gas stations that they use to fuel them?

So let me get this straight. Microsoft got a court order to route all of another entity's DNS traffic to their servers. Giving them the ability to route a metric crap-ton of private traffic through their data centers. For "security". I call shenanigans.

I'm also assuming this is why my no-ip domain disappeared this morning, leaving me with no access to my home servers.

Perhaps the linux on my servers is considered malware. It sure is malicious to Microsoft's bottom line. I kid, but only a little.

Not exactly.

> allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

According to MSFT, they are only looking at known "bad" traffic. You can take their word for it... or not.

If that last line were true then surely the GP's noip domain would still work and traffic would be routing without any interference. Ergo, they are telling lies as they are not simply routing "bad traffic" elsewhere but also "good traffic".

How do they know that some data is "bad" before looking at it?

And I'm asking only because I know the answer - that it's impossible, they are looking at the entire traffic and (officially) deciding if it's "bad" afterwards.

That's what they said, but that is not what happened. They couldn't handle the load and every noip hostname stopped working. Every one.

FWIW, in my experience, No-IP is very, very responsive and helpful to abuse complaints. Though that is the extent of my experience with them, I've never thought them to be actively harboring malicious activity (unlike, say, CloudFlare).

At CloudFlare, we have a Trust & Safety team dedicated to dealing with the abuse of our network. We sit in front of more than 2 million sites. The vast majority of them are not controversial (the site you're reading this on, for instance), but some are not.

The majority of the abuse requests we receive are DMCA requests, but we get other reports as well. Dealing with these requests is a hard problem because a large number of the abuse requests we receive turn out to be attackers trying to get the origin IP in order to circumvent our protection. As I've blogged about before (http://blog.cloudflare.com/thoughts-on-abuse), we've designed an abuse system that attempts to act as a proxy: passing abuse requests to the customer and their host without exposing the customer's origin to attack.

Malware is one of the situations where we'll actually take content down because it is, per se, harmful. However, we also don't think terminating the customer who has malware hosted on their site is a good solution. Since we're a proxy, terminating the customer doesn't remove the malware from the Internet but instead just kicks the problem down the road to the host. Instead, we developed a system that replaces the infected URLs with a warning page to protect users. This has the ancillary benefit when a site is being used for botnet command and control of allowing us to gather data on machines that make up the botnet. This data is fed back into our system in order to better protect our customers and we're talking other organizations about a way of responsibly sharing this data.

Our Trust & Safety team works with trusted malware reporters regularly, including the team at Microsoft that handled the no-ip.com takedown. We will continue to adjust our process to walk the careful line between ensuring our network isn't causing per se harm while, at the same time, avoiding the risk of becoming a censor.

Matthew Prince / Co-founder & CEO, CloudFlare

My own comments about your company are based on what I described in https://news.ycombinator.com/item?id=7880514. Would you care to respond to my statements in that post?

And without your usual comment of "the attack traffic is not from our network, so it's not our problem".

Sure. Pardon the copy-and-paste reply, but it's a perfect opportunity for me to publish up a draft blog post I wrote half a year ago in anticipation of a Brian Krebs post on the topic of Booter sites. Brian's article didn't turn out nasty enough to warrant a response, but I've had the post sitting around in by drafts folder for a while and it addresses your points as well.


Why a Hunger Games-Like Vision for the Internet is Wrong

Earlier this afternoon Brian Krebs, a well-respected security writer, published a story which, in part, calls for CloudFlare to censor the websites of a handful of our users [http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...]. These websites are known as "booter" sites. The sites claim to offer point-and-click DDoS services. The thrust of Brian's argument is that CloudFlare is a hypocrite for allowing these sites that advertise DDoS services to be protected by our network while, at the same time, offering as a core feature the ability to stop DDoS attacks.

Brian acknowledges that there's a bit more nuance to the argument. He understands that CloudFlare is not a hosting provider and that terminating any customer wouldn't make the content of the booter sites go away, it would just make them slower and more vulnerable to attack. He also acknowledges that no attack traffic actually originates from CloudFlare's network. His assumption, which we discussed at length before he published the article, is that if CloudFlare weren't in the equation then the booter sites would simply DDoS each other into oblivion.

Stop for a second and think about that: Brian is arguing for a Hunger Games-like vision of the Internet. It's the functional equivalent of if the police stopped prosecuting crimes committed against people they suspected to be criminals.

Brian is not the first person to make this argument and he won't be the last. A few weeks ago Kayne West's attorneys contacted CloudFlare insisting that we terminate protection for a customer they said was causing irreparable harm to their client: the parody crypto currency called Coinye. Ken Carter, our legal counsel, explained to Mr. West's lawyers that terminating the Coinye CloudFlare account wouldn't make it go away, it would just make it more vulnerable to attack. They thought that would be terrific. Ken respectfully disagreed.

CloudFlare's mission is to build a better Internet. Inherently there is content on our network that I find distasteful or even harmful. In the past, we've been called to task by other journalists [http://blog.cloudflare.com/cloudflare-and-free-speech] for allowing controversial websites to use our network. There is currently a campaign that has gathered over 22,000 signatures [http://www.change.org/petitions/matthew-prince-remove-chimpm...] for us to terminate the account of what I consider a horribly racist and distasteful website.

While I, personally, agree that the site the petition was started over is truly awful, I don't believe my personal opinion of what is good or bad content should be what governs what is allowed online. If CloudFlare succeeds, even in small part, at building a better Internet, inherently we must honor and respect one of the Internet's greatest qualities: that it is a network open to anyone.

Note that this isn't everyone's policy. Amazon, for instance, terminated Wikileak's account after political pressure [http://www.theguardian.com/technology/2010/dec/11/wikileaks-...]. More recently an article circulated that they were censoring books where people fantasized about having sex with dinosaurs [http://observationdeck.io9.com/amazon-now-at-war-with-dinosa...]. Other CDN providers are notorious for taking content offline at the first hint of pressure. We don't do that, even when the pressure comes from someone we truly respect like Brian. Fundamentally, we won't play the role of the Internet's morality cops. It's above our pay grade.

Booter sites, you may argue, are different. But the key question is where do you draw the line. If a site says you can push a button and launch an attack should we take that down? What about one that has a phone number you can call? Or gives you instructions on launching the attack yourself? CloudFlare is many things, but one thing we are not is the Internet cops.

Don't get me wrong, we don't believe in a lawless frontier. While we believe deeply in principles of due process and will push back against what we deem abusive legal requests [http://blog.cloudflare.com/fighting-back-responsibly], ultimately if ordered by a court through valid legal process we will comply. While booter sites may be successful at using us to protect their content from being knocked offline by a DDoS attack, they will not be successful at using us to hide from law enforcement if they are breaking the law.

Brian and I have known each other for almost a decade. He left the Washington Post and started Krebs On Security around the same time as we were launching CloudFlare. I actually tried to hire him back then. Thankfully he didn't accept the offer because he has become one of the leading security journalists writing anywhere today. He breaks important stories, which is something we need in the security space.

On this issue, I respect Brian's opinion but think he's ultimately wrong, That said, I have no problem with him fostering the debate. I think the discussion is hard, but it is healthy and important. To that end, if there are any large security or technology conferences that would like to host such a debate between me and Brian on stage, just let me know when and where and I'm in.

First off, thankyou for a detailed and well laid out post.

I do however think that there is a material difference between hosting unpleasant speech (to which the counter is speech pointing out that the speaker is wrong/idiotic/etc) and hosting malware/botnet sites (to which the counter is... what? what IS the counter to a sufficiently large botnet? ultimately we all have a limit at which point we can receive no more traffic. You might not have hit it - yet - but you will).

The internet - as you are aware - is based on protocols not designed with any significant security in mind. No-one in their right mind would today sit down and design something like BGP, for example. With that in mind, any large provider (or large consumer with capability to cause harm) has the responsibility to be a good citizen of the internet, and not to (by action or inaction) advance the agendas of those who would see its demise. As much as it might be convenient from an operational POV, and justifiable from a moral POV, washing your hands of responsibility and saying "It's not up to us, it's up to the courts" just doesn't work when the infrastrucure we're all building on is so very fragile. I'd also like to note that there's a semi-hidden US bias here - what if the target of a botnet, who's admin interface is hosted by CF - is based in a country where there is no reasonable ability to recourse to the US courts? Iran, for example?

It's admirable that you do not censor content in response to political pressure, but there IS a difference between protecting freedom of speech and protecting malware, and saying that censoring the malware is a slippery slope is at least partly disingenuous - any vaguely controversial decision can be described as a slippery slope to something else. Please at least consider making it easier for those of us who are trying to fight malware, botnets, etc, etc to get the original source of the content. I know this will involve some human judgement, and invetiably some mistakes and poor descions - but that would still in my view be far prefferable to what we have now. Thanks.

Agree, which is why we do take malware and phishing sites, which we can judge as per se harmful, offline. Read more here:


Malware and sites advertising so-called "booter" services are different discussions.

(Sorry I'm just responding to all this now, 15 hours later)

> Malware and sites advertising so-called "booter" services are different discussions.

There's an important distinction here. You refer to "sites advertising so-called "booter" services." However, with the kind of sites I speak of, "sites providing so-called "booter" services" would be a better description. They aren't just advertising it; enter a valid username and password, enter an IP, click the "attack" button and an attack is launched, all from that single site.

Malware, phishing, and booters have two things in common: they have far-reaching effects (that is, they affect other, unrelated/unwilling people) and they are not in any way good for the target of the effort. Malware is only good for the operator who benefits from the keylogger, showing ads, or whatever; phishing is only good for the operator who benefits from the stolen information; booters are only good for the booter operator (who profits from selling it) and for the user who paid for it to attack a target. Based on that, it's difficult for me to see the difference between the harmfulness of any of these.

In your post, the standard you applied to malware and phishing was "harmfulness" (in your opinion). I agree with that standard, and I think you'll be hard-pressed to find a single person who agrees that any of these three issues are not harmful. So, in your opinion, what makes booters less harmful than malware and phishing sites, which you are willing to take offline?

Censorship is a slippery slope, indeed. But I think it is generally accepted that _some_ basic level of what is effectively censorship, is a necessary evil for the health of the Internet. For example, malware and phishing sites, as you mentioned; spam; DDoS attacks. That's why laws exist in so many jurisdictions to prohibit all of these, and why the AUP of every single reputable ISP in existence prohibits them. This isn't uncharted territory, this isn't something new CloudFlare is just getting into - the industry standard (and legal standard) is to prohibit all of these.

I find it interesting he never responded to this. He was on the site the next day, so he must have seen your comment.

His refusal to remove booter sites from CloudFlare is completely indefensible. Any attempt on his part to suggest otherwise can only be interpreted as evidence of guilt. There is no possible arrangement of words which can make it okay.

What makes a site hosting malware per se harmful, and how can you consider malware per se harmful while booters avoid being classified identically? Malware is illegal and obviously a detriment to the internet, as are booter services. Perhaps you're just willing to deal with malware so you don't end up in the same boat as No-IP did here.

Booter services are so incredibly common that the police aren't going waste their time on them, especially since once the cops get the real IP from your convenient obfuscation service, it's likely hosted in China, Russia, or some other country where no action will be taken.

> Booter sites, you may argue, are different. But the key question is where do you draw the line. If a site says you can push a button and launch an attack should we take that down? What about one that has a phone number you can call? Or gives you instructions on launching the attack yourself? CloudFlare is many things, but one thing we are not is the Internet cops.

That is incredibly disingenuous. It's simple: if you knowingly facilitate an illegal service on your site, your service gets terminated. Every other reputable CDN and hosting provider can figure this out but somehow you can't? Give me a break.

He appears to choose to let the decision as to whether they 'knowingly facilitate an illegal service' be taken by law enforcement rather than by Cloudflare.

So I don't see anything disingenuous whether you disagree or not.

Trust & Safety maybe, but it's still impossible to use CloudFlare in Russia, due to harboring some drug-selling websites at your services. ISPs ban them by IP, and taking whole subnetworks of websites that reside on the same IP down with them too.

As much as I love your services, it's not possible to use them here, and ministry of communication even issued a recomendation not to use your services due to your unresponsiveness about takedown requests.


While I'm not familiar with the exact situation here, I suspect the real problem is that the malware domains are being automatically created en masse, and No-IP have been slow or reluctant to do anything to slow that down. Being responsive to complaints is good for small-scale problems involving individual domains, but basically useless for large-scale abuse.

what if a company like microsoft approach you and say "look, i make billions while you make a few thousands, but please, go ahead and change your service because it is impacting my billion dollar windows sales and i can't be bothered to patching it on my product"

granted, i'm not familiar with the matter. but I know what I would answer. also, removing noip or noip enabling whatever microsoft was bullying them to implement, would just delay it a few days until the worm creators rolled out their own service. heck that can even motivate them to get creative and encode IPs in a obfuscated pastebin, or stenographed in cat pictures in reddit, or noise mp3 in soundcloud... maybe having them rely on noip was good....

but again, i have no knowledge of the matter. maybe noip was being paid even after knowing it was for worms. who knows?

> "look, i make billions while you make a few thousands, but please, go ahead and change your service because it is impacting my billion dollar windows sales and i can't be bothered to patching it on my product"

How can they patch it in their product without turning desktop Windows into something like iOS or Windows Phone/RT?

Even Android has a ton of malware so the notion that Windows is somehow more hole ridden than other platforms stopped being true starting about 10 years ago with their Secure computing initiative. If the user can install Firefox, they can install malware. If Firefox doesn't need to get permission from MS for their next version, Windows cannot distinguish between Firefox.exe and Codec_Flash_Shady.exe. Sandboxing will disable system level utilities.

MS is capable of making secure OSes. How many viruses and trojans do the 3 Xboxes, Windows Phone and RT have? Even Windows Server is pretty secure(atleast as secure as Linux) unless the admins start browsing on it. Malware is a real threat to any popular OS unless third party apps are entirely blocked or restricted by the use of a approval based App Store. Windows gives much more control to the user, which is why many users are able to stay away from infections. And it's ironic that you're blaming MS here instead of the folks that propagate it(including a YC company https://www.techdirt.com/articles/20130115/17343321692/why-a...) and people who install it(users).

Remember the shitstorm that was raised against MS on here and elsewhere when they tried to secure users by preventing undetectable rootkits by enabling Secure Boot?

Linux solved this problem almost twenty years ago. You have a package manager that does not contain malware and does contain 95% of the software any user would install on a regular basis, and you make the process of installing software outside of the package manager possible but not trivial. You download a binary and it doesn't have the execute bit set, and you don't get any kind of friendly thing that pops up to ask you if you want to set it. So the sort of person who can't distinguish between legitimate software and malware also can't figure out how to install the malware, but you don't prevent people who know what they're doing from doing what they want.

The problem with Windows is that it has no package manager, so the default method of installing legitimate software is identical to the method of installing malware. The problem with Android is that the malware is in the app store. All you need is a known-good repository where you can get almost everything safely and people can spend most of their time. You don't then need to build a prison around it and trap everyone inside because most people will want to stay in the safe place. The people who want to (and can figure out how to) wander outside are the people who know what they're doing, and know to be suspicious of the things that conspicuously haven't been vetted by anyone else.

Package manager and repositories are not completely foolproof.


If Linux were to get as popular as Windows, the problem is going to way worse.

Also, there's lot of Android malware that's installed from outside the app store, typically for piracy reasons which is another big malware vector on Windows.

> Package manager and repositories are not completely foolproof.

Nothing is completely foolproof.


> If Linux were to get as popular as Windows, the problem is going to way worse.

Everybody says this but it doesn't make any sense. Are the repositories going to get more malware when there are more people and funding available to notice and report it?

> Also, there's lot of Android malware that's installed from outside the app store, typically for piracy reasons which is another big malware vector on Windows.

All the more reason why it wouldn't happen on Linux. Nobody really pirates LibreOffice or gcc.

Hey pktgen: I'm new at CloudFlare, but I'd be really interested in chatting with you (or grabbing a beer) to hear if there's something we could do better. Contact info in my profile. I'll be at Defcon and HOPE too if that's easier.

(Free speech vs. keeping the overall network safe is a hard decision. I think all pro-privacy and pro-liberty services have had to answer this question -- same thing happened with cypherpunks list, HavenCo, Freenet, various payment systems, etc.)

Thanks, I'm also interested in having a chat with you about it, so I'll take you up on that offer in a bit. :)

(Offer is open to anyone who ever has security/privacy/etc. issues w.r.t. CloudFlare. I like talking to people about security and "Internet politics", either at conferences or at home.)

I use their service and am a bit concerned that I've not heard about this until now and taking a look at their blog/website I see no information about this.

Why would you expect them to be talking about this?

i believe everything I see in uncited hacker news comment threads too.

Which part of this is un-cited? The article linked is fairly conclusive evidence that this is in fact a real thing.

> unlike, say, CloudFlare

Care to elaborate?

I have multiple horror stories from my days at Malwarebytes about CloudFlare. They absolutely refuse to take down people who abuse their network- at best they'll block a single file from being distributed, but then the malware authors simply change the name of the file (or, more commonly, dynamically name the file something completely random). Their network is fantastic for malicious activity, not only because of the technology but because of their policies around it.

They will do everything to keep bad sites up, even flat out lying. Here's Matt Prince, their CEO, claiming that Malwarebytes was blocking their CDN because of "political" reasons, even though we had emailed him actual PCAP files showing that their network was distributing malware-


Despite the fact that Malwarebytes actively engages with communities and groups that teach people who to manage malware removal, and have always stood for free speech and only removes harmful software, Matt Prince tried to deflect front the truth of the situation by claiming this was about censorship. Really all it was about was that multiple clients of theirs were hosting pages that were actively infecting thousands of computers.

To make matters worse they put these customers who are hosting active exploits and malware right next to their small business customers, so any time someone threatens to block them they hide behind the innocent victims who are caught in the cross fire.

I should point out that I no longer work at Malwarebytes, and this all took place several years ago. I am only speaking about the portions of this that were public, and you can find all of that in the Malwarebytes forums and other places online.

Where exactly does Matt accuse Malwarebytes of blocking their CDN because of "political" reasons? Your whole post looks like blatant lies.

As a security analyst, Cloudflare is a great friend and a terrible enemy. I've had numerous scenarios where I request information or takedowns of websites hosting blatantly malicious content, and not only do they refuse to cancel service, but they won't even give you the real IP address of the domain even if you have considerable evidence that abusive content is hosted there.

The most they'll do is give you the name of the hosting company, and even then getting that is like pulling a tooth. And of course, once you contact the hosting company, it can become like a chicken-and-egg problem "you'll need to contact the DNS provider so I know what server this is being hosted on." A hosting provider that issues thousands of VPSs and has a big IP space may not be able to find the offending user just given a domain name.

On the plus side, I use Cloudflare on many of my sites for the free DDoS protection, IP anonymizing, and anti-bot features. So far it's been great.

In all 3 links this is the only relevant part I've been able to find regarding them being malicious:

> Heck, if the DDoS for hire services protect themselves against DDoS attacks by using CloudFlare then CloudFlare must be damn good!

So they protect their customers from DDoS attacks. All of them. I see nothing bad in this. Saying they shouldn't is like saying a government should put all criminals together in a village and then have them perform criminal activity on each other.

The link to Kreb's is basically the same: people protecting themselves. Should CloudFlare play for judge and ban people that do not violate their terms? Because I'm sure they boot people that perform illegal activities on their network or otherwise harm their network from within, but I can see why they don't proactively take down any website mentioning "we offer DDoS attacks". Like I said before, that person A kills another person doesn't mean that another person may kill person A, at least not within our current laws. Even if it did, is CloudFlare the one who should be calling the shots?

Finally your first link is someone complaining to CloudFlare about LOIC (or related perl scripts launched from VPSes) and cloudflare responds that they see no harmful traffic and that logs or other details should be attached. Merely saying "hey I'm having trouble" has never gotten anyone further in resolving issues. That's why we have logs so that CloudFlare can check their own logs to see what happened. Perfectly reasonable.

So yeah elaboration is necessary. I do not see why CloudFlare is harmful.

The point being made above is that Cloudflare charges users to protect them from attacks, but they're also providing protection (from attacks and identification) to the people performing the attacks. To many, it appears that they're helping to allow malicious activity because it benefits the sale of their services.

This sounds like the same argument would apply to selling bullet proof jackets to people who also own guns.

> Should CloudFlare play for judge and ban people that do not violate their terms? Because I'm sure they boot people that perform illegal activities on their network or otherwise harm their network from within, but I can see why they don't proactively take down any website mentioning "we offer DDoS attacks".

DDoS attacks are illegal in most countries, including the US where CloudFlare operates. It would be reasonable for them to include something in their terms about not allowing illegal activities. Then, if it's brought to their attention via a verifiable abuse complaint, yes, they should cease providing service to that user. They are a private company and do not have the obligation to provide service to any particular person; there is no "rights" issue here.

Proactively, as in proactively monitoring and reviewing each site they provide service to, would no doubt be a huge burden and difficult or impossible, but I don't think anyone has suggested that. The only thing they need to be doing is the same as any responsible ISP, have an abuse@ mailbox (which they do), review and take the appropriate action on complaints.

As far as I understand it the problem is as follows:

1. Bad guys get a site behind cloudflare, and host illegal content

2. You want to report said bad guys to their host, for whatever reason.

3. You discover they use cloudflare. You now do not know where they are hosted.

4. Cloudflare will not tell you their actual IP addresses.

If it's illegal and you're harmed I'm sure you can sue the people who did it and CloudFlare will have to hand over IP addresses. But is it CloudFlare's duty to police the Internet? Like ISPs, I think they should be content neutral unless illegal content like child porn is being hosted. Merely talking about services is not illegal as far as I know; only performing the DDoS attacks is.

1. Websites hosting services that have no other purpose but to DDoS other computers are absolutely illegal. Many such sites have been taken down by the FBI before, and both users and owners of the sites have been arrested. The problem is that there are many hundreds of such sites and tens of thousands of users, and law enforcement simply can't take down each and every one. Cloudflare is relying on the fact that most people won't be able to get a subpoena or file a lawsuit.

2. You could apply that same argument to any hosting provider. They're just letting people see content that you yourself have uploaded; why should they act as Internet police? And yet every hosting provider has a legal responsibility to take action if someone is using their services to spread malware, launch DDoS attacks, or hack other websites.

Cloudflare is able to weasel itself out of it because it is not actually a hosting provider. However, they won't even let you discover the real hosting provider after showing proof of extremely blatant criminal activity. This is why many criminals flock to them: they know they will be harbored and their botnet command & control / DDoS service / malware distribution network can stay up for longer than it would normally.

I work in the information security field and we're definitely seeing more and more malicious network operators moving to Cloudflare and staying there for a long time.

Is requiring legal due process such a bad thing?

In some cases? Yes.

The legal system simply cannot process every single civil or criminal complaint everyone in the US may have. If a security researcher had to go through a court, and/or law enforcement, every single time they wanted a malicious domain taken down then their work would be nigh impossible.

Legal due process should be required when there are legal penalties or punishments. In this case, the bot herders and malware distributors are not subject to any criminal or civil penalties in response to abuse complaints: they do not go to jail and are not fined. Some of them will be fined or imprisoned, many years later, but everyone's better off if their botnets are shut down immediately instead of in 2-5 years.

It's a dealing between private entities: private entity X agrees to stop providing server or domain hosting for the bot herder after seeing a good faith report. A provider has every right to stop offering you service.

Without this sort of cooperation between entities, the Internet would be even more of a mess right now.

I agree they should not be policing. Instead they should allow you to contact the people who are hosting the actual content. Which is where DMCA notices have to go to, for example. Since they do not host the content, they claim the DMCA should not be sent to them, but they won't tell you who to contact instead.

So what? It's not their job to help copyright holders, their job is to protect their clients' privacy. Even the cops have to get a court order to find someone's private data from a business, but since it's copyright every man and his dog claiming to be the copyright holder should be handed private information willy nilly?

So, would you consider a site where you can click a button and have a DDOS attack launched for you to be illegal? Because that's exactly what's being referred to here, "DDOS-as-a-service".

Have fun filing lawsuits and sending out subpoenas when you're just trying to host a game server as a hobby and not making money off it. Cross-jurisdictional issues will also make this very difficult, even if you know who the attacker is.

Fair trials are hard, let's go shopping!

Thanks, what I searched for didn't really bring anything up.

Sure. I made a post a few weeks ago at https://news.ycombinator.com/item?id=7880514. There's other relevant posts in the same thread as well, but that's probably the best overview.

So let me get this straight...Microsoft took down a free provider of dynamic DNS services because people have used those services to distribute and control malware?

Where is the due process? Where is the oversight in this? All I'm seeing is vigilanteism.

The due process is that Microsoft sued the malware distributors and the court granted them a restraining order.

"In a civil case filed on June 19, Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software — harming Microsoft, its customers and the public at large. ...

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats."

Ex parte means that only one party is before the court. That means No-IP had only no opportunity to respond to Microsoft's request to seize the names.

Due process, maybe. But not very good due process.

>The due process is that Microsoft sued the malware distributors and the court granted them a restraining order. //

In what way is the court at liberty to grant a plaintiff permission to enforce a restraining order though, sounds ultra vires? Aren't the only ones enabled legally to do so law enforcement officers?

Next time, read the rest of the article?

> Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers. Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.

> On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

No-IP in the past has denied allegations, e.g. the Cisco blog post linked to by Microsoft was denied here: http://www.noip.com/blog/2014/02/12/cisco-malware-report/

This is also a temporary order, it's not permanent.

Sure, it's creepy when courts have control over DNS entries, but ... they do. The Internet isn't lawless, it operates within the legal bounds of each country that participates.

I wonder what No-IP will say next and if figures collected by independent groups verify their "swift action" against security threats. As a company providing DDNS services, I wouldn't expect them to understand and use the latest in packet filtering techniques, but ... abuse is abuse and I'm sure they submitted evidence that this was required, temporarily.

It's not clear who determines what "sufficient steps" would be, however. That could range from 'No-IP did nothing at all' to 'they tried and we weren't impressed'. The MS claim that "free dynamic dns is frequently exploited by cybercriminals" seems like hand-waving, to me. It's also used legitimately by millions of people who have home routers which came with support for No-IP baked into firmware...

> It's not clear who determines what "sufficient steps" would be

its perfectly clear. the courts.

Well, no, it isn't perfectly clear from the article - are the courts in a position to independently evaluate No-IP's efforts, or did they trust Microsoft's legal team regarding their insufficiency?

isn't this how all lawsuits work all the time? there's a finding of fact where each side presents arguments.

Except that only one side presented any arguments on this case.

> Sure, it's creepy when courts have control over DNS entries, but ... they do.

In this case it was a US court and between two US companies, what if no-ip.com was French or UK or...

Would the US court still have authority in this case? Would MS have to go to a French / UK court?

.com is US-owned, so it wouldn't have to. See e.g. megaupload

Which makes it infinitely creepier / problematic for non US companies.

I'll tack on the fact that Microsoft wrote the piece of crap software that the malware installs itself onto as well. Something smells awful about this whole thing.

Court-authorized vigilantism.

By definition, if it's court-authorized, it's not vigilantism.

If a court legalizes Batman then its court authorized, but he's still not a publicly controlled entity and those still a vigilante.

It's called "deputizing", and a deputy is not a vigilante pretty much by definition.

The judiciary has the ability to deputize law enforcement? I thought those were supposed to have independent structure.

Vigilante. N.

A member of a self-appointed group of citizens who undertake law enforcement in their community WITHOUT LEGAL AUTHROITY, typically because the legal agencies are thought to be inadequate.

1 - Court seems to quick to grant Microsoft control of the domains

2 - No-IP statement that they have an open channel with Microsoft executives but never (never?) received a complain from MS about any malicious activity is doubtful (sure MS can produce evidence to the contrary)

3 - What was the urgency and how was this presented to the judge? Personally I don't feel the urgency to use a takeover maneuver in this case, but is there information that shows the impact of not acting was too great?

4 - Our governments are so inept at fighting cyber-crime that instead of sending the request to a govt-regulated cyber-security unit they had to trust Microsoft's with the enforcement? That's sad.

Like others, I am uneasy but thankful to MS. Just wish more details would be shared.

> - Our governments are so inept at fighting cyber-crime that instead of sending the request to a govt-regulated cyber-security unit they had to trust Microsoft's with the enforcement? That's sad.

If this were true, I could sleep easier at night. I doubt it - the judge in question was probably just paid off or otherwise influenced to give MS just insane power, while probably being ignorant of networking in the first place.

I can't think of a software problem that is best served through the violent arm of the state.

> the judge in question was probably just paid off or otherwise influenced

That's a hell of an accusation.

I guess you haven't been reading comments and articles on Slashdot, Groklaw and even HN over the years. Such wild accusations against MS are the norm.

If you want a good chuckle, read this "article" and comments.


I know MS's reputation, and I remember when it was much worse.

I just expect more out of HN than "M$ is is buying judges with l00t."

No evidence, no simple argument, just "I don't like it so they must suck and do evil."

'influenced' could just be fast-talking

True, but that's not really the tone of the post. Accusations of bribery and calling court orders the "violent arm of the state" means he's lost benefit of the doubt.

This is quite outrageous. I've been using no-ip.com for very legitimate purposes and this will surely result with a lot of breakage. Thanks Microsoft. Thanks a lot.

As another completely legitimate user what strikes me the most with this is how they did their best to basically pull off a sneak attack. I mean really? Microsoft just couldn't be bothered to give any forewarning to the millions of customers who's services they were directly interfering with?

Tack on the dubious reasoning and the alleged failure to even contact NOIP at all before having this court order issued and this puts Microsoft in a really bad light. I'm not mad at NOIP about malware (frankly- I don't give a single shit), but I'm absolutely mad at Microsoft for pulling this bullshit and interfering with services I paid for completely out of nowhere.

Indeed. Luckily I have a domain: now I'm going to fix this by setting up a CNAME and an account at another dyndns provider. Now if the other provider goes down, it should be possible to quickly make a switch without changing it in 1000 places*

Should've thought of this earlier. Well, hindsight is 20/20

* includes git remote configuration, configuration files, scripts, bookmarked/saved links, and the worst: other people's links.

Well, for "bulletproof" hosters that really are complicit in their customers' activities, you need to pull a sneak attack, so the bad actors don't have the chance to switch hosts. So I'm fine with that part of it.

I'm not fine with classifying noip as complicit. It's not.

Just when you thought it had been a long time since Microsoft was last evil.

What I don't understand and haven't seen anyone ask is, why Microsoft?

I mean, obviously some shady legal tactics are at work here, but why did Microsoft got to control those domains instead of, Mozilla for example? or Google? even more so, why wasn't control transferred to ICE for example?

Not saying it's a better alternative or even that I agree with it, but it's very VERY unsettling (and I'm not even American) that a corporation can basically say "dibs on this" backed up by a court order!

I would understand if the procedure went some more like, MS cries wolf, a court order is issued and a gov agency takes temporary control. At least it's "the government" doing the policing (even if guided by a corporation or whatever).

What's next now? Comcast and Verizon sending their IP Police to arrest you because they have a log showing piracy was downloaded at an IP owned by you? And they get to seize your stuff and now your house is a Comcast/Verizon store?

Wtf is this? It's so unreal.

Edit: typo

Our government has a pretty long track record of privatizing law enforcement (not to mention prisons, warfare, etc...) so it's not surprising to see this handed off to Microsoft. If anything, a company like MS, Google or Mozilla at least has the expertise to do a good job.

Still not happy to see it, though.

I agree.

But it's pretty strange that control was not given to the corresponding government authority.

They could then have MS work as "consultants". I don't agree either, but at least that would have made some sort of sense. Maybe even better if it wasn't just one company but a panel of several institutions, including IETF for example, or something like that.

Apparently because Microsoft went to court to stop it. Google could have tried this, too.

So that would imply a first-come first-served basis? Meaning, whatever companies gets the court order first gets to control a competitor's assets? That's pretty scary.

I hope this process is sufficiently controlled so as to no provoke a "race to control other's assets" of sorts.

You can read No-IP's formal statement here: Thttps://www.noip.com/blog/2014/06/30/ips-formal-statement-mi...

This is craziness.

People were starting to forget why everyone hates Microsoft. Even on this site, I see a lot of comments about how Microsoft "isn't so bad" anymore. Hopefully this will lay that and similar naive comments to rest.

Wouldn't it make more sense to make Microsoft financially liable for damages caused by their continued [criminal?] negligence?

[1] http://www.zdnet.com/after-seven-months-and-no-microsoft-pat...

[2] http://www.microsoftproductreviews.com/microsoft-news/intern...

Just ran a dig +trace on no-ip.biz. Just... wtf. Who had acted upon that court order?! I thought that the days the US had full control over the internet were LONG past. `

    biz.                    172800  IN      NS      a.gtld.biz.
    biz.                    172800  IN      NS      b.gtld.biz.
    biz.                    172800  IN      NS      c.gtld.biz.
    biz.                    172800  IN      NS      e.gtld.biz.
    biz.                    172800  IN      NS      f.gtld.biz.
    biz.                    172800  IN      NS      k.gtld.biz.
    ;; Received 308 bytes from in 526 ms

    no-ip.biz.              7200    IN      NS      NS7.MICROSOFTINTERNETSAFETY.NET.
    no-ip.biz.              7200    IN      NS      NS8.MICROSOFTINTERNETSAFETY.NET.
    ;; Received 90 bytes from in 150 ms

    no-ip.biz.              76834   IN      NS      nf5.no-ip.com.
    no-ip.biz.              76834   IN      NS      nf2.no-ip.com.
    no-ip.biz.              76834   IN      NS      nf4.no-ip.com.
    no-ip.biz.              76834   IN      NS      nf3.no-ip.com.
    no-ip.biz.              76834   IN      NS      nf1.no-ip.com.
    ;; Received 206 bytes from in 344 ms

"full control over the internet" is distinct from control over US corporations. Dot biz is operated by Neustar and they are based in Virginia and thus subject to US Courts.

For example, they likely would have had less success enforcing a change on a .ir domain as the registry isn't located in US jurisdiction.

I bet that the US were not above to forcing the root DNS server providers to redirect the NS for .ir to some 3-letter-agency.

Their status twitter is interesting, they aren't going into any details as to why their service stopped working, and they haven't made any statements about the accusations against them.


Thanks, I checked their site and they had not posted a response when I commented.

So if I declare that the Bing web crawler is ignoring robots.txt and DDoSing my server then I can take over microsoft.com to "clean" out the bad stuff and redirect all traffic to zombo.com?

So based on Microsoft's ingenious logic someone could get a court order and take over part of their business because they have so many infected Windows XP machines out there. Right?

I'm wondering how Microsoft managed to take down the noip.me base domain, since the court stated (footnote 1 on page 5 of the 2nd amended TRO, 2:14-cv-00987-GMN-GWF-019) that the noip.me domain is controlled by the country of Montenegro and outside US legal system control. While there are noip.me 3rd level domains in Appendix A of the TRO, mine were NOT listed and yet I'm being sinkholed by Microsoft.

So does this mean no-ip.com is no more, or only a subset of their domains?

It means, temporarily, a subset of traffic known to be from these viruses should be blocked, within part of the US, it seems.

Being in the Netherlands I can confirm that I got the same results as https://news.ycombinator.com/item?id=7967853, so not just the US.

it's more than that. i cannot get to my (presumably clean, running linux, carefully maintained) home machine situated in chile, connecting from the uk.

No-ip is operational, but no longer handles the 22 domains Microsoft took over. I use no-ip's DNS for a domain name that's registered somewhere else, and it's unaffected. From what I read somewhere else, the reason legitimate domain names are being affected is because Microsoft's servers can't handle the load.

If the way to prevent malware is by blocking domains (which only prevent a few of them), with the same logic another great solution would be blocking Microsoft's operating systems (which would prevent most of them).

Ubuntu should ask the government the same power and show how little malware Ubuntu users has and how much Windows users has to suffer.

When are a group of no-ip customers going to file a class action suit against Microsoft?

Just because an ignorant judge gave them access to some no-ip domains did not give them the right bite more then they could che and fsck it up.

The whole thing is just bizarre, WTF were they trying to accomplish? ie they took over the business of providing name service to over 4 million hosts, way bigger more than most large service providers with the intention of traffic to and from the C & C servers, or identify which of the computers were infected and inform their owners?

Why didn't they simply set up some monitoring devices and get the judges or the FBI to compel no-ip to allow them to plug it into their network so they could monitor what they wanted without disrupting the service?

If the no-ip owners were directly involved in the scam then why didn't the hand the evidence to the law enforcement authorities and let them carry on from there?

Any alternatives for free dynamic DNS?

Hurricane Electric: https://dns.he.net/

Whoa, he.net is alive and kicking. These guys used to run an efnet server back in the day.

And I heard they do free IPv6 tunnels. Pretty cool.

HE is awesome.

If you own a domain name, a lot of registrars let you query some https endpoint to update DNS, which you can plug into firmware like DD-WRT. Namecheap, for one, does. I know this because I did it this morning after no-ip stopped working for me.

I've been using http://freedns.afraid.org/ ever since DynDNS went paid only.

afraid.org is a good alternative.

Wait what?

If I have a domain with no-ip.com will it continue to work? Does Microsoft effectively own them now?

They domain will work, subdomains on at least no-ip.biz and no-ip.org aren't going to work.

Mine is not working.

Complete BS. They claimed they were just going to stop bad traffic. But they can't handle the overall traffic load and so NO traffic is getting through. I was using the service to provide access to an API server in-house. A very simple server, nothing but JSON requests in-and-out. Absolutely NO malware. But since MS takeover - no traffic has gotten through.

I pay for my noip account, so I'm happy to join any lawsuits against MS for this action. Personally, I see a class action suit being VERY viable.

I also have issue with the courts even allowing this. Did they do ANY research on what is actually going on? I can't see how they could let this happen.

I feel violated!

Do they want a thank you? So sad really because lately they've shown some small steps in what I thought was the right direction. Ignorance is bliss.

microsoft now spying legitimate no-ip trafic based on non applicable us laws?

fuck you microsoft!

I would just add @andor, that the Police DO NOT own enough tools and equipment to do this. The Private sector has to, for better or for worse.

I have domains with NO-IP and I've had no problem with them. It would all have been better had Microsoft made a statement about seizing the DNS but I respect the DON'T TELL THE ENEMY WE'RE COMING AND ON TO THEM !

We are using a no-ip.biz address for the Taipei Hackerspace website (because need DynamicDNS due to stupid settings of our network provider). After the whole day it was still working, I thought we will be not affected. No such luck, microsoftinternetsafety.net took our address as well, and the website + all services associated is inaccessible.

Thanks a lot, M$!

So on a different side topic, if the service was free and I assume the TOS from noip didn't guarantee an SLA, does this mean all the end users are basically out of Luke suing Microsoft for failure to properly resolve their domains?

If the cliche isn't true, then I guess the next/new one is, if its free you're SOL.

I use no-ip in conjunction with my phone. I get within 200m of home and my home computer gets wakeonlan'ed.

Today that didn't happen.

I had originally blamed no-ip for this...

To me, Microsoft seems to be the bully and is now actually guilty of conduct No-IP was only peripherally involved in.

So shouldn't Spamcop.net (or anyone else) be able to seize microsoft.com, outlook.com and hotmail.com. They have been blocking those email servers for years due to spam sent from their domains and email servers.

I guess this is a shortcut to solve some problems. No-IP domains are used only by who hasn't a good infrastructure to support his infected network.

And especially, why don't Microsoft take care of making his OS more secure?

And I was wondering, why did my no-ip.biz subdomain stop working…

So they are not even forwarding legitimate traffic? Did they just take the entire company down?

It looks like it to me - I have personal services running through them as well and my stuff stopped working last week. Of course, I also had multiple concurrent hardware failures, so I was assuming it was just that.

This is an incredible action by Microsoft, and the courts.

Which dynamic DNS service will be next?

But I have a better idea. Windows are an easy target for cybercriminals; maybe someone should step up and take Microsoft down.

Funny how I got all this downvoting because I used the exact same phrase as Microsoft did in their blog post to justify why they took down noip domains.

Microsoft wrote “Free Dynamic DNS is an easy target for cybercriminals”. Are my concerns that more free dynamic DNS services will follow unfounded?

What kind of a thug do you have to be to think like this?

A microsoft employee probably.

I suddenly feel a lot better for having set up my own dynamic DNS solution. (Using plain Dynamic DNS and nsupdate(1) on the clients.)

Oh.. That explains the issues we were having today. This seems to be affecting our no-ip even when we have no malware or threat.

I've spent years of efforts on my site, people like it, now it's unreachable, fuck you Microsoft...

what the fuck is wrong with the world this days!!!??? are you all in prison because few morons stole something??? wtf Microsoft is wrong with you and you damn courts!???? i will sue you bastards because i am loosing money due to your stupid actions!!!!

Holy fuck... if this doesn't get solved my company is dead in the water...

I'm sorry man, but if your business is predicated on a free dynamic dns provider?

Do I even have to finish that statement?

There are serious problems with this, firstly that it's technically impossible to implement effectively, beyond that it's extremely impractical. Any benefit will be so so transient as to render the entire exercise pointless.

For the moment, let us ignore the scary implications of the court's part in this and consider this from a technical perspective in a logical manner:

The hypothetical sub-domain abc.no-ip.org resolves to, a host somewhere that contains malicious payloads, is botnet C&C or is a member of a botnet. In any case, he's the bad guy - one of the people Microsoft are looking to exclude from the Internet.

So how can this be accomplished? Let's ignore for the moment that the bad guys are free to use any other dyndns service they please and assume that no-ip is the only one.

Approach 1


Every time a host connects to no-ip to update its IP, Microsoft scans tcp & udp ports of the host looking for known C&C services, scans hosted data (public web or ftp). This will simply result in the bad guys hiding all of this in an undetectable manner, many bot-nets already use either Tor or SSH for C&C - without authentication it will be impossible to differentiate Joe Average with an SSH or Tor exit from the "targets".

As for scanning for content, this is possible assuming the content has to be public (ie. malicious payload) but even then, it's not practical - payloads can be hidden in anything and obfuscated beyond detection. Essentially all that's accomplished is another arms race based around signature detection for malicious content, with the disadvantage that unlike AV solutions this scanning is conducted remotely and the scan source is known. So the malicious guy with 2 or three lines just uses a stateful firewall to point microsoft's "scanning service" to good content, everyone else to the bad.

So what other options are there? A blacklist of IPs? Well, they're dynamic IPs, sooner or later you'll end up with every dynamic IP in the entire ipv4 range blacklisted as the bad dudes just release/renew.

Then there's banning the sub-domains/users! Also impractical because for each user and domain you ban, another will emerge.

Approach 2


Microsoft resolves every request for abc.no-ip.org to their own service, all the time, this service performs stateful packet analysis before forwarding it on to the destination host. Impractical because you're essentially routing all no-ip traffic via Microsoft and once again you can only filter what you can detect -- and once the requests themselves are encrypted, that becomes impossible. This is effectively a MITM attack.

All the while we've assumed no-ip is the only alternative, it's not - and many others are beyond Microsoft and the courts jurisdiction. So ultimately the only way this "approach" could be temporarily feasible is if all Internet traffic were routed through Microsoft's service. So effectively you need to give control of every domain, TLD, ipv4 and ipv6 range to Microsoft. Not workable.

Someone is bound to point out that Microsoft's approach in this may be distributed, agents running on installs of their operating system which does address some aspects of my points above, but once again -- if Microsoft is capable of implementing effective detection on the workstation, remind me again why any of this is needed?

I must be missing something fundamental.

You are missing the late 90s adage: "Where does the 900-pound gorilla sit?" The answer is, of course, "Anywhere it wants to."

Anyone got a link to the TRO? Is this part of the public record?

Appears as though Level 3's dns servers are still pointing where they should.

Loads of self-congratulating tripe. Microsoft why don't you simply provide free OS upgrades or fixes for the millions of XP computers out there? They are not going anywhere soon.

Next thing we know your lawyers and lobbyists are going to come up with some legislative wheeze and you will be running the biggest botnet in the world. You created the problem so fix it yourself.

Probably because Windows XP is well over 10 years old. You can't possibly expect them to support it forever just because some organisations can't be bothered to upgrade.

"Software doesn't wear out or breakdown like a physical good"

Well, uh, then why does Microsoft need to do anything, if it's still as good as they day it was first sold?

> Well, uh, then why does Microsoft need to do anything, if it's still as good as they day it was first sold?

It is, it's just that it was broken the day it was first sold.

They need to fix the bugs that are being exploited by hackers. If major corporate customers are still receiving fixes why can't they be extended to every one else? After all it is the same software everyone is running.

10 years is young in industry. I recently saw a VAX 11/780 in the field still operating doing real work.

To throw the towel in on an OS which has the same subset API as a recent one yet has many minor incompatibilities through shoddy API design (win32) is a shitty business model which people shouldn't have to shovel cash at over and over again.

To hell with them.

What organizations? Do you have an idea about how many small business and home users are still running Windows XP?

As far as they are concerned if it is capable of doing what they bought it for, why should they upgrade? Software doesn't wear out or breakdown like a physical good and a lot of the hardware is still fine. Those systems are going to be around forever until the hardware breaks down.

They are also committed to providing upgrades for their bigger customers, so why can't they extend to everyone else, as though it will cost them extra? The only caveat for the non corporate customers should be that if they are not under a support contract and the upgrades break their systems they are out of luck.

Wholly predictable downvoting by anonymously cowardly Microsoft brown-nosers.

Fine. I downvoted you, and it's no longer anonymous. I downvoted you because both of your comments were filled with passionate garbage rather than any well-reasoned thought. I'd be willing to bet other downvoters were not simply cowardly Microsoft brown-nosers.

Its hard to stay calm if you were relying on no-ip's services for very legitimate purposes. Maybe the action coming from Microsoft is whats garbage - not the resulting emotional outbursts.

Apparently the sheer abuse of power entailed by Microsoft hijacking and disrupting the inbound traffic of a lot of innocent no-ip customers to track the few C&C servers is entirely lost on you.

If something like that is to be done it should be done by a state body, not a private corporation. What gives them the right to spy on innocent peoples traffic?

Did the judges even understand the nature of the power they were granting Microsoft? Couldn't it have been handled differently?

kordless is right - you still don't get the point. People aren't downvoting you because they like what Microsoft did (or Apple, in one of your more recent outburts). People are downvoting you because your comments contained little intelligent thought and were passionate outburts, and people on this forum tend to look down on that. This most recent comment, however, is a good one. Instead of just blaming downvotes on other people's ignorance, look at the way you communicate. You replied to my comment 3 times over the course of several hours when I wasn't even online. Why? You started calling people Microsoft brown-nosers and Apple brown-nosers. Why? It was childish and immature. You got downvoted because people didn't like the way you were acting, not because of your opinion.

In any case have you read the Microsoft blog statement at all?

IT IS smug, self preening, self congratulatory tripe.

I suggest you read it if you haven't.

Which ever way you cut it technically speaking Microsoft runs the biggest botnet because they have control all the computers running Windows upgrade, and if they can't shut them down, they might as well fix them.

Whether you like it or not for better or worse a botnet is an economic resource whose value is not lost on Microsoft and sooner or later they are going to come up with a wheeze to exploit them.

You are missing the point. He said why he downvoted you and you replied with a general rationalization on why he should agree with you, when that's entirely NOT the point. You'll catch more flies with honey than you will with vinegar. We probably all agree with you in some fashion, just not the way you put it.

And, just in case YOU can't figure it out, the blaming statements you are making are due to the use of 'you' in your comment.

I read the statement on the Microsoft blog, before coming to see the comments and that blog statement IS smug, self preening, self-congratulary tripe created by a lawyer and a company who want to ingratiate themselves with government for whatever agenda they have in mind.

That blog entry is not targeted at computer users, it is targeted at the government.

Downvoted you. And Apple should be providing free updates to people still using 10.1 Puma.

- signed, owner of an iMac, two rMBPs, two iPhone 5Ss, two iPad Airs and an Apple TV (no Microsoft brown-nose here).

An Apple brown-noser then. It is hard to tell which of the two are worse.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact