
For those not familiar with the corp.com situation:

Corp.com was (is?) the default example domain in many applications from Microsoft. As a result many badly configured networks are attempting to connect to this domain, often sharing credentials in the process.

He who owns corp.com will have access to tens of thousands of corporate networks. So the only move that MS had was to buy the domain, regardless of the price.

I guess Mr O’Connor (who sold the domain) made a nice retirement today.




It's more that `CORP` was the default short name for the AD domain, and also Windows ticks the "try superdomains" box in search domains by default.

So if you have your fully-qualified AD domain set to `ad.example.com`, that's the default search domain too, and a DNS lookup for `corp` will first check `corp.ad.example.com` then `corp.example.com` then `corp.com`.

Now, if you're using the AD server as your DNS server then it shouldn't get that far -- `corp.ad.example.com` should resolve. But if for whatever reason a device connected to AD doesn't use the AD server as its DNS server, for example if it's a laptop and not connected to the corporate network, then you'll be offered a _different_ search domain like `myisp.com`. Which probably _won't_ resolve `corp.myisp.com`. So the built-in resolver will after all walk its way up the search domain and check `corp.com` QED.
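The suffix walk the comment above describes, as an added illustration that is not code from the thread or from Windows itself. The suffixes `ad.example.com` and `myisp.com` are the comment's; the two resolver tables are constructed sample data. The walk order used here (primary suffix, then the connection-specific suffix, then the primary suffix with its leading labels stripped) is the documented default for the Windows DNS client when no explicit suffix search list is configured; the `stop_at_labels` parameter models a devolution level that caps how far the walk goes.

```python
"""Model of DNS suffix search and devolution for an unqualified name.

Added example, not part of the original thread. Resolver tables below are
constructed; 203.0.113.10 is a documentation (TEST-NET-3) address.
"""

from typing import Optional


def candidate_fqdns(short_name: str, primary_suffix: str,
                    connection_suffix: Optional[str] = None,
                    stop_at_labels: int = 1) -> list:
    """Return, in order, the FQDNs a client tries for `short_name`.

    stop_at_labels=1 devolves all the way down to the top-level domain, so a
    primary suffix of ad.example.com yields corp.ad.example.com,
    corp.example.com, corp.com.  stop_at_labels=2 stops at the second-level
    domain and never reaches corp.com.
    """
    short_name = short_name.strip(".").lower()
    labels = primary_suffix.strip(".").lower().split(".")
    order = [f"{short_name}.{'.'.join(labels)}"]
    if connection_suffix:
        order.append(f"{short_name}.{connection_suffix.strip('.').lower()}")
    # Devolution: drop the leftmost label of the primary suffix each step.
    parent = labels[1:]
    while len(parent) >= stop_at_labels:
        order.append(f"{short_name}.{'.'.join(parent)}")
        parent = parent[1:]
    # Keep first occurrence only (the connection suffix may equal a parent).
    seen, unique = set(), []
    for fqdn in order:
        if fqdn not in seen:
            seen.add(fqdn)
            unique.append(fqdn)
    return unique


def resolve(short_name: str, primary_suffix: str, resolver: dict,
            connection_suffix: Optional[str] = None,
            stop_at_labels: int = 1):
    """Walk the candidates against `resolver` (a dict standing in for the
    answers a DNS server would give) and return (fqdn, address) for the
    first hit, or None if nothing resolves."""
    for fqdn in candidate_fqdns(short_name, primary_suffix,
                                connection_suffix, stop_at_labels):
        if fqdn in resolver:
            return fqdn, resolver[fqdn]
    return None


def leaves_org(short_name: str, primary_suffix: str, owned_zones: list,
               connection_suffix: Optional[str] = None,
               stop_at_labels: int = 1) -> list:
    """Candidates that fall outside every zone the organisation controls.

    Each name returned is a query (and whatever follows it, such as an SMB
    or HTTP authentication attempt) that can end up at a third party."""
    owned = [z.strip(".").lower() for z in owned_zones]
    return [
        fqdn
        for fqdn in candidate_fqdns(short_name, primary_suffix,
                                    connection_suffix, stop_at_labels)
        if not any(fqdn == z or fqdn.endswith("." + z) for z in owned)
    ]


# Constructed sample answers: the AD-integrated server on the corporate
# network knows the internal name; the ISP resolver only knows public names.
CORPORATE_DNS = {"corp.ad.example.com": "10.0.0.5"}
ISP_DNS = {"corp.com": "203.0.113.10"}

if __name__ == "__main__":
    print(candidate_fqdns("corp", "ad.example.com"))
    # On the corporate network the walk stops at the first candidate.
    print(resolve("corp", "ad.example.com", CORPORATE_DNS))
    # At the coffee shop the internal name fails and the walk reaches corp.com.
    print(resolve("corp", "ad.example.com", ISP_DNS,
                  connection_suffix="myisp.com"))
    # Names that would leave the organisation's own zones.
    print(leaves_org("corp", "ad.example.com", ["example.com"],
                     connection_suffix="myisp.com"))
```

The `stop_at_labels=2` case shows what capping devolution at the second-level domain buys you: the walk stops at `corp.example.com` and never queries `corp.com`. On a real Windows host, `Get-DnsClientGlobalSetting` shows the configured suffix search list and devolution settings, which is the first thing to check before assuming this model matches a given client.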


This is not an accurate explanation of the problem.

> Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

While it's true that access used "corp.com" as a sample domain, the problem is what Krebs calls "domain DNS devolution".

> Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

Krebs has written two articles about this that explain the problem.


Always wish I could be a fly on the wall for these kinds of negotiations.

If O'Connor demanded something ridiculous like 10 billion dollars... how do you talk him down when the situation is this one-sided?


It's not one-sided. There is an incentive on both sides to come to a reasonable agreement.

It's not like O'Connor can do anything (legally) with the sensitive data that's hitting his domain. If he could, I could understand why he might be reluctant to sell, even if given a strong offer.

But the fact is, if Microsoft walks away from the negotiations, he gets nothing, and there are likely few other buyers he could ethically sell to, and those buyers are unlikely to offer as much as Microsoft can.


> and there are likely few other buyers he could ethically sell to

Anyone that wanted to develop a real business based on a tremendous four letter .com address, which is a vast selection of potential buyers he could ethically sell to.

The name itself, independent of the inbound sensitive stream of data, is worth a lot. Any major enterprise company in the US could trivially develop policies to deal with the inbound sensitive data while using the name for a legitimate business. This one guy has been dealing with it just fine for two decades.


I think it'd be a lot of fun to set up a responder of sorts, that would handle the incoming traffic, discard the sensitive bits, and feed back something like "Your administrator needs to apply KBxxxxxx patch" in any fields of whatever sort of traffic may apply.

I'm sure someone would get their undies in a twist and sue me, which is why I've never done anything of the sort with the juicy traffic that's come my way (in a similar, though long in the past, situation that shall remain unspecified).

But 1 packet out of 100,000 gets upsidedownternet.


> anyone that wanted to develop a real business based on a tremendous four letter .com address

I genuinely wonder how much that matters these days. You've got app stores, Google searches, etc... I think having a memorable, short .com URL was a huge thing in the mid-2000s, but I'm less sure that it is today.


> It's not one-sided. There is an incentive on both sides to come to a reasonable agreement.

I believe that there was no agreement to be made. O'Connor put the domain up for auction, so MS was bidding against other buyers, not O'Connor.

> But the fact is, if Microsoft walks away from the negotiations, he gets nothing

I expect that the domain still would have sold, although not for the price that MS has now paid.

Regardless of who O'Connor would have sold to it would have been a nice payday and he knew that. It was just a matter of waiting for the right moment to put the domain up for auction.


> It's not like O'Connor can do anything (legally) with the sensitive data that's hitting his domain.

He could have sold the domain to someone not concerned with the "legally" part.


But they would be under the same constraints as him. And it would be easy to see if they tried anything (are those ports accepting connections or not?) at which point it would have been quickly seized. Plus, wouldn't knowingly selling it to a bad actor be a violation of his due diligence?


> And it would be easy to see if they tried anything (are those ports accepting connections or not?) at which point it would have been quickly seized.

They can't seize a domain because you were running some service on it, can they?


They frequently seize domain names used for malware or controlling botnets.

Just one example: https://www.cyberscoop.com/vpnfilter-botnet-fbi-seizure-apt-...


But this site would not be running a botnet. It would only be accepting data that others willfully send its way. If this is illegal, then I can shut down any site by sending my private data to it.

Of course actually doing anything with the received private data might be illegal, but that would be harder to track. How would the owner of a misconfigured network ever figure out how their data got "hacked"; whether the owner of corp.com did something or nothing with it?

Hence ancestor's use of "ethically" rather than "legally".


> It would only be accepting data that others willfully send its way.

Human knowledge and intent matters in legal matters. If a technology is accidentally misconfigured to send sensitive data to a third party, and that third party knows that the data they are receiving was not intended for them, then they are still responsible for not willfully misusing that data. That's clearly the case with corp.com.

> If this is illegal, then I can shut down any site by sending my private data to it.

No, if you knowingly choose to send your data somewhere, then you can't turn around and blame the people receiving your data. Again: human knowledge and intent matter for the law.

As an example, a charge of trespassing depends on permission (human knowledge and intent), not whether you leave your gate open (how a system is configured).


You seem to be trying to contradict that it is legal to own corp.com, but actually you are saying that misusing collected data is illegal, which I never denied.

The point is that it would be hard-to-impossible to go after someone who owns corp.com even if they use it for nefarious purposes because the actual nefarious action would be so hard to discover or prove.

Besides which, the bad actor here could easily live somewhere without an extradition treaty with the US or simply remain pseudo-anonymous (via shell companies, bitcoin, etc). So, it would be possible for an unethical owner of corp.com to find a buyer who intends to use it for ill.


Don't the issues of intent only come up after some legal kerfuffle? What law-breaking event would cause an investigation here?


As shawnz hinted at there is a protocol dance that happens before the data is sent over. I don't know exactly what it consists of, but I suspect it's more than just tcp-level responses saying the port is open and ready to receive.

Playing along in that dance is arguably unethical and shows intent.



Lol...tens of thousands are taken down every single day. Facebook sues the providers that don't take them down "fast enough" https://news.ycombinator.com/item?id=22497391


I'm surprised NSA/CIA/China weren't looking to purchase. Would be a list of free backdoors at a very cheap price.


Would it be legal for O'Connor to simply make his logs public? It certainly wouldn't be ethical, but it would show the value of what he has.


> It certainly wouldn't be ethical

There are circumstances where I would consider it ethical. For example, publishing the logs after a month (or whatever) delay and after notifying the relevant parties to fix their configs and change any secure information exposed.

In that case, it's similar to security researchers releasing the information, and I imagine it also protects him from liability in some ways. Firstly, he treats all traffic the same and has a public policy of exposing it; I think that more clearly puts the problem on the people sending the data to a public location. Secondly, people at a company that are looking at a security problem won't notice that some info went out to him and, grasping at straws, look to cover their own asses by trying to say that's where the problem must have come from.


Corp.com is a great name. Incorporate, get website, logos, web hosting, marketing, taxes, all in one. IMO, $1.7M is cheap.


Check out the February article linked in the body of this article about when it went up for sale. It provides a little more context. Sounds like Mr. O'Connor was pretty reasonable about it.

https://krebsonsecurity.com/2020/02/dangerous-domain-corp-co...


This is the relevant part:

"O’Connor said Microsoft actually offered to buy the domain several years back for $20,000. He turned them down, saying that at the time he thought it was too low and didn’t reflect the market value of the domain."


We need Georgian land value tax for domain names.


I can't even imagine how an appraisal system would work. How do you even do price discovery? Ask people how much they'd spend on it without actually having to put their money where their mouth is?

Land is nothing but objective and quantifiable qualities like its distance from the city, natural resources, size, fertility.

Domain names are arbitrary. If people want to swap $millions for vanity, I say let them.


Price discovery is easy. Every domain is available once a year. Anyone can bid. If you want to keep the domain, you pay 1% of the highest bid, otherwise the bidder gets it (they have to put in the money to secure the bid).

The only downside is that well capitalized bidders could harass small owners with outsized bids, if they were willing to possibly end up with ownership.


Agree, but economists do have a solution for this problem. Self-assess the value and pay taxes based on that value. If someone/the government makes an offer that is some percentage greater than that value, you must sell.


Sounds like a solution only an econ could think up, which doesn't take into consideration other external factors that would apply specifically to the person holding the property, such as:

- human psychology (loss aversion, endowment effect, mental anxiety due to risk of being forced to sell your property)
- switching costs (monetary, mental, time spent searching for alternatives, costs of moving to something else)
- replacement costs (transaction costs, etc)


Logged in just to upvote your comment.

An actual land value tax would be even better!


I believe it was not a negotiation, but an auction. So all MS had to do was outbid the highest bid, which would not have been 10 billion.


> On Monday evening, he wrote to say that Microsoft had agreed to purchase it. O’Connor said he could not discuss the terms of the deal, nor could he offer further comment beyond acknowledging the sale of corp.com to Microsoft.

Not an auction. There's no indication the owner did anything beyond mentioning the desire to auction it.


I imagine homeland security can step in at some point if he was being totally unreasonable.


> I guess mr O’Connor (who sold the domain) made a nice retirement today.

The original article said he was trying to auction it starting at $1.7M. There's no indication that an auction ever took place, however. It also sounds like the owner wanted Microsoft to buy it and was willing to work with them, and ultimately this is what happened. My guess is that it went for well under $1.7M.


Although that's peanuts to MS - they've probably spent multiples of that over the years to plug the holes this creates. I'd personally be happy to hear Mr O'Connor got a windfall in this case.


I was listening to a podcast about this, apparently he registered a ton of domains (including Corp.com) for free a long time ago and has been squatting and slowly selling them back at extortion prices. He's done this many times before and already retired because of these payouts. I'm not happy to hear he got a single cent


Eh, he identified something of value early on before anyone else did. This is literally how the stock market works. Let's re-phrase:

"Ugh, I can't believe he made money by acquiring a large pile of Apple stock for $1 each back in the 90's, squatting on it, then slowly selling it at extortionate (read: market) prices a few decades later. He's done this many times before and already retired because of these payouts. I'm not happy to hear he got a single cent."


This is a great example of why argument from analogy is a fallacy. The fact that you can buy domains and they might go up in value is almost the only similarity they have to stocks, and certainly isn't a justification for letting people trade them like stocks.

When you purchase stock at an IPO, you're providing value because you're giving a company funds which they can use to build their business. Later buyers of the stock are providing value because they're incentivizing the buyer at IPO. All further purchases of the stock flow out of that.

When you purchase a domain, you're taking a valuable, limited resource, and paying, typically, a pittance for it. You're not providing value, period, at all. Ostensibly the reason we let people do this is that they will use the domain to provide value in the form of a website that people use.

So stock buyers are providing value to the market, while domain squatters are actively removing value from the market.


> When you purchase a domain, you're taking a valuable, limited resource, and paying, typically, a pittance for it.

They're not limited, the short ones are. I'm not sure why people think they're entitled to short domain names.

> You're not providing value, period, at all.

I mean, you pay an annual maintenance fee do you not? That funds the registrar, which funds ICANN.

> So stock buyers are providing value to the market, while domain squatters are actively removing value from the market.

Maybe squatting on a domain provides them some satisfaction, who are you to judge how people choose to use their domains? If I choose to host pics of cats on "cats.com" (as the current squatter is doing) am I any less entitled to the domain than PetSmart? Just because you don't approve of what I choose to do with it?

Yes domains aren't specifically fungible, they're slightly different with regards to how memorable they are. You can still do exactly the same with each of them: host a website.

Sounds like there's more market oriented ways to resolve this issue. If you feel like short domains provide the world outsized value, why charge the same $10 annual maintenance fee as a 15-letter domain? The shorter, the higher the registration fee. Problem solved?


> Maybe squatting on a domain provides them some satisfaction, who are you to judge how people choose to use their domains? If I choose to host pics of cats on "cats.com" (as the current squatter is doing) am I any less entitled to the domain than PetSmart?

Yes.

It's not as obvious with something like cats.com how this harms society, but I've worked with nonprofits numerous times who had to pay tens of thousands of dollars for their domain names because someone squatted them.

Let's not pretend there aren't widely-agreed-upon values being trampled here. Your argument is moral relativism.

> Sounds like there's more market oriented ways to resolve this issue. If you feel like short domains provide the world outsized value, why charge the same $10 annual maintenance fee as a 15-letter domain? The shorter, the higher the registration fee. Problem solved?

Given you haven't even agreed that there is a problem, it's pretty clear you just want to propose a market-oriented solution regardless of what the problem is, or whether the market can even solve it. This is not how problems get solved.


That just ensures that over time the shorter domain names go to those with deeper pockets.

An often overlooked complication as well comes in the form of programming language package management reliant on reversed domain names. Fail to renew your domain claim, and you may find yourself having to repackage healthy chunks of code.


I agree, and that could either be what the parent wants (i.e. let Apple have apple.com) or it could be the opposite, but if you want domain names to remain in the hands of the "little guy" providing "no value" then squatting is something you have to live with right? I've got 4 or 5 personal domain names I'm squatting on because I haven't got around to doing anything fun with them yet.


> if you want domain names to remain in the hands of the "little guy" providing "no value" then squatting is something you have to live with right?

The vast majority of squatted domains aren't squatted by "the little guy", so nothing you say starting from that incorrect assumption has any validity.


I'd say this is an apples/aircrafts type comparison here.

I'd argue that domain names are limited: there is exactly one of each domain name, the fact that there is a practically infinite number of other different domain names isn't necessarily relevant.


Stocks function as a medium of exchange for the vast majority of cases. Squatting on a dollar to make interest isn't abusing the dollar.

Web domains function in a thousand different ways, and in some cases a medium of exchange metaphor may work (e.g. people want the domain to make more money). In this case, it's more akin to hoarding hand sanitizer and toilet paper until people have to pay scalper's rates out of fear of repercussion. The only reason this is a story is because of the security risks it presents, and holding that risk hostage is pretty obviously unsociable behavior (even if it is Microsoft's dime).


> The only reason this is a story is because of the security risks it presents, and holding that risk hostage is pretty obviously unsociable behavior (even if it is Microsoft's dime).

Not really, right, Microsoft could go back and fix this another way. They could release patches to all the major OS versions that had this bug, and push their customers to upgrade or face security issues at their own peril. I'd have to imagine all the customers with this problem have long-term support contracts, and if they don't, well, I don't know what to tell you.

What he's providing Microsoft is a dramatically cheaper, easier way out of a problem they made for themselves with poor/buggy domain resolution. He didn't create the bug. He's selling them a patch that costs a fraction of a fraction of what they'd have to pay to get themselves out of their own mess.

Think of it more as someone who acquired a tow truck as an inheritance, and sees an armored car in the ditch. The armored car could get themselves out, they could remove their gold bricks one piece at a time, then pull the car out and load the bricks back on. Or, they could give a brick to this guy and call it a day.

He didn't push them in, he's offering them a much more cost effective way out.

You may not like it, but this is capitalism.


The issue is that squatters like him hold onto domains for years, even decades, with prohibitively expensive prices where they only need a small portion of the domains to sell to be profitable, meaning that the rest of the unsold domains remain unused and wasted for no reason other than to have a very small chance of being profitable to the squatter in the future. He is not generating value, but instead hindering the use of most domains for selfish reasons.


No it's not. Buying a bunch of Apple stock for $1 apiece doesn't prevent anyone else from buying Apple stock too. Buying and squatting on domains prevents people from using the domains. It's strictly rent-seeking behavior and is not productive in the least.


It does prevent other people from buying the stock. Stock is issued in finite amounts.


Apple has ~4B shares outstanding, and enough of the holders are willing to sell that for a buyer, it’s not a practical issue at all.


How many domain names are outstanding?


Stock is fungible. Domain names aren't. If I buy stock, as long as there continues to be sellers (and there will be for any functioning stock) you can buy stock too and the only effect my purchase can possibly have is, if I bought enough, it might affect the price you pay. If I buy a domain name, you cannot buy that same domain name too.


Domains are really more like land than stock. And while you can do something similar with land - buy undeveloped land in places where you expect development in the future, then sell for a lot more - you have to pay property taxes while you hold it.


And you have to pay domain registration fees too, yeah?


Domain renewal fees are a small fixed amount, and not periodically revalued.


The difference is that in your example, they helped the company raise capital that they went on to use to build something valuable. Squatting domain names at best helps companies raise capital to go sell some more domain names.


I don't really see how this is related to stocks. First, he got these all for free, while you have to buy stocks. There's a risk that they might be worthless down the line and you lose all the money you spent.

Second, when you invest you are offering financial value. He just contacted someone, said "hey can I have these domains please?" and did nothing with them for 25+ years, until he was finally able to demand a payout. Again.

Are all the people who tried to sell their hoarded toilet paper people who "identified something of value early on before anyone else did"?


It's disingenuous to say the domains were free. There was no purchase price prior to the mid 90s, but from then on, there were annual fees starting at $50 and later dropping to $35. They didn't drop below that for a while, and bottomed out around $10-15. Sitting on a domain for 25 years cost nearly $1000. That's great if you can sell the domain later for 5-6 figures, but if you have a large squatting portfolio, there are substantial costs. You might not like domain squatting, but there's no denying that it was an investment, and there were risks. This guy just saw the market early and it paid off.


The key difference is that almost all the value of the domain comes from the fact that you have a monopoly over it, whereas that is not the case with stock: I can buy an equivalent Apple stock from someone else if I don't like your price.

The other aspect is thinking about which activity is actually economically productive. In the case of investing in Apple, you're producing value, since Apple wouldn't otherwise have been able to exist without the capital. In the case of domains, me buying a domain in 1990 is completely unproductive (the domain is still "there" regardless of whether I buy it or not). I don't see the value to society in rewarding people for rent-seeking on monopoly goods, while the value in encouraging capital investment is clear.

Capitalism doesn't require this sort of rent-seeking, and Adam Smith (as well as other thinkers) identified this problem (and formulated solutions to it) in the case of land, which is similar.


Microsoft didn't NEED to buy the domain, they could have patched their code to handle the issue. Clearly, they did a cost benefit and decided it was worth it to buy the domain to plug a hole they created.

Another poster used the stocks analogy but I think the real estate one is more appropriate. Someone who bought land a long time ago that is now desirable to another party has no obligation to sell at all (let's not bring eminent domain into this). Let's say instead of corp.com this was land next to the Microsoft campus in Redmond. Why shouldn't someone ask for as much as they can get for their land?


If they patch their code, they still have to get people to update. I know companies still running Windows XP. If you think people outside of the tech industry update their systems regularly, you're in for a rude awakening. My uncle's company still runs a DOS app written in 1984.


The OP discusses patches.


Corp.com for example, belonged to whom exactly, 26 years ago? It's not squatting, it's smart. Who did he extort? Can you buy a Manhattan lot at 1860 prices? Nope. If you want it, pay the price or go build in NJ or PA.


This is why I support higher annual fees for domains. If you owned unused land in Manhattan, you'd still be paying a fortune in property taxes that would motivate you to put it to use. For squatters it's the exact opposite, they can let domains remain unused for decades at almost no cost, which benefits no one.


You want all domains including something like thisgeekyishwebsiteisminethanks.com? I haven’t thought it through. But just to make something like thecar.com to cost high $XX per year (not sure if you meant that price pt or $100+), that random useless to anyone else domain above should also have to cost that much?


The shortsightedness of not making the default domain something Microsoft already owned is, to put it mildly, breathtaking.


This is not the first highly popular domain he's squatted, so I doubt this made a significant impact on his wealth.


It's weird - I don't think I remember ever seeing corp.com as an example from Microsoft - they usually used contoso.com or microsoft.com. I do remember reading books that used corp.com however, but they weren't printed by Microsoft.


There seems to be a bunch of references if you look for it on their site: "corp.com" site:microsoft.com

Example: https://docs.microsoft.com/en-us/windows/win32/api/wsmandisp...


That's nuts. MS has known about this bug for 20 years!

Example.com exists for a reason.

How could anyone trust MS for security anything?


How about people "stackoverflowing" solutions? Yea, blame the examples, not the implementers...


This may be an issue where only networks that have been around for a very long time have this issue due to preserving configurations through many years/cycles of upgrades. Unfortunately, there are many, many such networks.


Ok, naive question: Why the <expletive> did they do that in the first place?


I think that it was basically that Microsoft was very slow to adapt to the existence of the Internet.


> Corp.com was (is?) the default example domain in many applications from Microsoft.

This seems like Microsoft in a nutshell, when example.com has been the official standard example since at least 1999.


This is not the problem.

> Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”



