Yes, the question was along the lines of, why is Microsoft seizing other company's property, even with a court order... sounds to me like Law Enforcement should have done the actual seizure, even if Microsoft is consulting for them.
And there was no prior warning to noip.com -- they woke up one day and their domains were seized. They only found out why after the fact -- and, given the nature of free Dynamic DNS services, it's very unlikely noip.com was even aware that a botnet was using their services (the justification for the seizure).
And, I can't help but feel Microsoft could have obtained the same data by politely asking noip.com -- nobody likes to harbor botnets (and we have no reason to suspect noip.com of trying to do so). Seems domain seizure was heavy-handed at best.
> And there was no prior warning to noip.com -- they woke up one day and their domains were seized. They only found out why after the fact -- and, given the nature of free Dynamic DNS services, it's very unlikely noip.com was even aware that a botnet was using their services (the justification for the seizure).
No-ip was DEFINITELY aware of it. OpenDNS published an article in April 2013 identifying no-ip as the top used provider for malicious use [1] and a representative from no-ip posted a comment on that article which proves that no-ip was aware of it.
Cisco published a similar article on February 11, 2014 [2]. We know that no-ip was aware of this because they posted a comment in response, and posted a blog entry about it at their site [3].
"The report noted many domains that the Cisco Security Team thought were abusive. We have not received any report from Cisco about any domains, or any supporting information. If Cisco wished to report abuse, they could have easily contacted our Abuse Team at abuse@no-ip.com."
It seems odd that people aren't reporting this there, or if they are reporting it there, are not documenting that.
They (noip.com) had zero pre-warning of a domain seizure. Regardless of any literature you dig up from years ago that states some botnets use Dynamic DNS services such as noip.com, it does not mean they had warning they were about to be seized. Others have commented that the court order forbid anyone, including Microsoft, from informing noip.com prior to the seizure.
It should be noted, that most/all "cloud" services likely have some sort of illicit behavior being conducted through them... Ec2, Azure even, etc. Botnet's use the same services me and you do... that does not for even a second make noip.com responsible for the botnet's actions.
"We would like to be on the record to state that at No-IP, we have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity...We provide a valuable service for free, but because of this, it is common for users to abuse our service. Our abuse team is amazing and they are usually pretty quick to shut them down, but sometimes a few can slip through the cracks".
No-ip was aware of the potential and had an abuse team to deal with such cases. They were also aware of other experts finding their abuse team wanting. But that doesn't seem to be enough evidence to suggest they were partly culpable in any particular case. Perhaps there were examples of particularly galling incompetence in their abuse team, or the abuse team tipping off fraudsters but otherwise informing them seems to be the most reasonable and responsible action.
Every domain provider must have an abuse team or at least an address to send abuse notices too [http://who.is/whois/cloudapp.net/], that PR statement from No-IP states no facts or figures of many abuse notices they combat - which I would cite if my abuse team actually did stuff "look how amazing our team is - we had x,000's requests and took down x00 of malicious hosts just last month."
The big question is how the court could rule in a dispute between two US companies, by seizing the defendants domains without even hearing the defendant.
How is that possible in a state of justice? How anyone dares to run a company in a state where you are not allowed to defend yourself in court escapes me.
I can not believe this is the normal legal process. There must have been some extraordinary circumstances that I am not aware of. I would be very interested to hear what they are.
(Given that Microsoft probably hasn't got more legal rights than anyone else, could No-IP do the same to Microsoft? Surely Azure is the host of a few of them C&C servers.)
> I can not believe this is the normal legal process.
It's not.
> There must have been some extraordinary circumstances that I am not aware of.
Possible, but so far, the case is mostly sealed (refer to the above statement). From what we know, Microsoft identified some botnet(s) using noip's service as part of their infrastructure. Nothing points to noip knowing about the botnet, so we must assume until we know otherwise that they had no knowledge. This leaves us with a US company waking up one day to find their property seized by another US company, supposedly with the backing of a US court.
> Given that Microsoft probably hasn't got more legal rights than anyone else, could No-IP do the same to Microsoft?
Probably not -- Microsoft has a history of helping Law Enforcement track down botnets -- in the past they have literally marched into data centers and seized all the servers from a company without their knowledge (they even did this overseas outside of the US once). It's unlikely if noip were to bring suit against Microsoft, that it would go anywhere.
(It's as scary as it sounds when a private company is leading Law Enforcement, instead of the other way around).
Considering how little the public knows about this case, I wouldn't be surprised to find out that no-IP refused to respond to the court process, so the court simply ruled against them. Just as with lavabit, a petulant refusal to respond to legal process does not result in good outcomes. Instead it results in the forfeiture of your rights within the process.
Not really. We've got the text of the actual restraining order under which the domains were seized, and it's quite clear on the fact that No-IP wouldn't get advance notice of the fact that Microsoft were trying to seize their domains or a chance to challenge it:
"Microsoft’s request for this emergency ex parte
relief is not the result of any lack of diligence on Microsoft’s part, but instead based upon the nature of Defendants’ unlawful conduct. Therefore, in accordance with Federal Rule of Civil Procedure 65(b) and Civil Local Rule 7-5, good cause and the interest of justice require that this Order be Granted without prior notice to Defendants, and accordingly, Microsoft is relieved of the duty to provide Defendants with prior notice of Microsoft’s motion." (Microsoft's motion in question being their attempt to seize the domains.)
The basis for this was "unlawful and/or negligent conduct". Basically, Microsoft managed to convince the courts that because in their eyes No-IP weren't policing their services well enough, Microsoft had the right to seize all their domains and shut them down without giving them the opportunity to challenge this in court first.
I seem to remember the massive DDoS Microsoft enacted against the blackhole servers of the RFC1918 in-addr.arpa zones for example, that was borderline criminal. I could probably think of a dozen other occasions, including the contant stream of spam that was Hotmail for quite some time after the takeover. Could I have had windowsupdate.com or hotmail.com seized then? I strongly doubt it.
However, given the tone of noip's public statement regarding this issue -- there seems to be no indication they had any forewarning, be it refused court order or not.
Since we know very little at the moment -- it has to remain a possibility that the other happened -- we are left in the dark on purpose due to the nature of the event... and possibly some favorism from the court (citing Microsoft's past aid to law enforcement)
According to No-IP's previous official statement, the order was served without prior notice: http://www.noip.com/blog/2014/06/30/ips-formal-statement-mic.... Courts do not have carte blanche - they have laws that govern the bounds of their authority. The implication of the parent comment is that even if Microsoft was given a court order, it wasn't necessarily legal for the court to do so.
(Obviously not legal advice. Not a lawyer qualified in that jurisdiction. General discussion.)
Ex parte literally means "without notice". It's what you use when it's an emergency - there's no time to explain! - or if you served the other party they'd cover something up or do something nasty (say, a domestic violence case, or child abduction).
It is, shall we say, not a good match for a dispute like this. This round is over now (judge is already declaring it moot, although I don't know why, did they just let a temporary order expire? There's not a lot readable on the docket yet).
Importantly, No-IP now may have a clear shot at a pretty vicious countersuit, because what MS requested in their TRO (which has not been continued ahead of the hearing on... Thursday? I can't read US dates well...) caused them, and their customers and the internet at large, damages - serious, huge, actual reputational damages with people moving away from their service which thrives on high uptime and reliability. They had no opportunity to answer the case against them - the action MS requested the court make against them was unilateral, which is... unusual.
MS will probably try to climb down in the most graceful manner they can, and settle out of court. However, No-IP will not want to accept a token settlement for MS destroying their business: on the face of it, they have a very strong case and I doubt MS will be able to offer enough to compensate their ire, so we'll probably see a countersuit instead, and - speculation - it'll probably not go well for MS at all, unless they have hard evidence that No-IP were actively complicit in abusive activity, which seems to have been what they (mis?)represented to the court in their TRO application (but we're missing that particular piece of the jigsaw, because it was sealed; and again, it shouldn't have been sealed). If MS had that, however, I speculate they wouldn't have dropped the TRO ahead of the hearing, and that prospect, shall we say, seems unlikely overall compared to the prospect of them making a huge mistake.
Huge company attacking small business - that's a powerful angle. They might even be competitors of No-IP, thanks to Azure (and the gimped version they used to host these domains clearly couldn't hold a candle to No-IP, because all the domains were down). If I ate popcorn, I'd be getting a bag, but don't expect Thursday to be fireworks. I actually expect it to be de-listed as moot and the action dropped until No-IP countersue, and they could take their time on that - in fact, they might want statistics of how many of their customers jumped ship on having their domains down for several days at MS's whim. And they might want another jurisdiction, 'cause I gather jurisdiction shopping is a thing over there?
MS might've got lucky with the judge. They're not necessarily going to keep being lucky.
I don't understand why everyone thinks MS should have given the notice, then noIP would have sent emails to all their customers "MS is about to take all our domains down" and the C&C's would have had time to reconfigure or transfer domains etc.
Speed and silence were key to the botnets being taken down.
Also it is very naive to think noIP doesn't know that it makes a lot of it's money from botnet hosters - according to previous discussions the abuse@ address does not respond and they don't take action against malicious hosts.