IMO No-IP is responsible for its legitimate customers' outages. Waiting around for other companies to do your job for you will result in ham-handed solutions like this one.
a) Windows is a piece of crap when it comes to staying clean. If it wasn't, Microsoft wouldn't have to go after people like this. Not joking but I clean out a fair number of PCs every year and they are crawling with malware.
b) Users are dumb and install any old crap on kit if prompted to. Microsoft's SmartScreen did very little to prevent this.
In the fallout from this, people are getting hurt. End users are getting their PCs and data stuffed and companies like this lose their reputation and business because they are a convenient mule (as are the end users) for malware pushers whose job has been made easy.
And don't give me the crap about probability based on the sheer number of Windows machines or the plain bullshit security statistics. They're a pretty easy target as the architecture of Windows is incredibly complicated and they're playing plug the holes rather than designing it properly to start with. For ref, I know the NT kernel, win32 and CLR inside out and no longer would I poke it with a stick.
So, there's nothing here that's unique to no-ip.com's case. The problem is that Microsoft spewed out crap for years and people are suffering because the only way they can contain it is to scorch the earth.
Not sure what you mean by that. Does Linux have any protections beyond Windows to stop malware? Why does Android have a malware problem?
This is the text of a post I made yesterday in reply to a similar comment:
How can they patch it in their product without turning desktop Windows into something like iOS or Windows Phone/RT? Even Android has a ton of malware, so the notion that Windows is somehow more hole-ridden than other platforms stopped being true starting about 10 years ago with their Secure computing initiative. If the user can install Firefox, they can install malware.
If Firefox doesn't need to get permission from MS for their next version, Windows cannot distinguish between Firefox.exe and Codec_Flash_Shady.exe. Sandboxing will disable system level utilities.
MS is capable of making secure OSes. How many viruses and trojans do the 3 Xboxes, Windows Phone and RT have? Even Windows Server is pretty secure (at least as secure as Linux) unless the admins start browsing on it. Malware is a real threat to any popular OS unless third party apps are entirely blocked or restricted by the use of an approval-based App Store. Windows gives much more control to the user, which is why many users are able to stay away from infections.
And it's ironic that you're blaming MS here instead of the folks that propagate it (including a YC company https://www.techdirt.com/articles/20130115/17343321692/why-a...) and the people who install it (users).
Remember the shitstorm that was raised against MS on here and elsewhere when they tried to secure users by preventing undetectable rootkits by enabling Secure Boot?
It doesn't help that Google is making money from infecting their users with malware. It's basically impossible for people to find popular Windows software through Google without being directed to malware.
For example, if you do a Google search for 'firefox', usually the top result (actually an ad) will be a link to a site that downloads a copy of Firefox bundled with malware. This is from a search I did a few moments ago: http://i.imgur.com/lzKU3FO.png
It would be trivial for Google to block these malware sites and Adwords accounts - a lot of the ads that show up look to be pointing to the same sites as they were 6 months ago. Adwords has manual review of ads and the sites they link to. There is just no way that they don't know about these heavily profitable Adwords accounts that are running on hugely popular keywords.
This isn't a new problem, I've mentioned it time and time again: https://news.ycombinator.com/item?id=7101939 , https://news.ycombinator.com/item?id=7335401 , https://news.ycombinator.com/item?id=7089727
All operating systems on the face of the earth are a piece of crap when the users have admin rights and install every piece of sXXt they can put their hands on.
There isn't a single one that does it better.
"But mom! Why did you 'sudo sh LOVE-LETTER-FOR-YOU.txt.sh' in the first place? Didn't I tell you not to trust email?". Security's no. 1 problem is the user.
It was bad enough when ICE was doing it; this takes that bad practice to a whole other level...
What is even worse is they got the order ex parte, meaning No IP did not have a chance to defend or explain themselves to the judge before their business was irreparably harmed by the actions of their competitor.
Even if the malware claim is true (which I doubt because I trust MS about as much as the NSA) No IP should have been given basic Due Process to explain their side to the Judge before their business was harmed.
Goguen said while Microsoft claimed that there were more than 18,000 malicious hostnames involved, no-ip.com could only find a little more than 2,000 from that list that were still active as of Monday morning.
http://krebsonsecurity.com/2014/07/microsoft-darkens-4mm-sit...
It is in no way No-IP's job to protect Microsoft from malware yet by all accounts they employed both automated detection as well as a (very timely) manual reporting option. How can you possibly sit back and claim they're "incompetent" when you have absolutely zero knowledge of what happened within the company to address this issue? Microsoft wants to complain No-IP wasn't doing their job to their standards as if how they feel about it matters in the slightest.
Oh, and from the numbers I saw, 12,000 accounts were deemed to be complicit in malware distribution by a 3rd party security firm. Another user posted they have ~4 million accounts total. If those numbers are accurate, that means only .003% of total accounts had anything to do with malware; sounds like a damn good job from the No-IP guys to me.
Even if you manage to delude yourself into thinking Microsoft is in the right in their domain seizure then you still can't justify the sneaky way they approached this with no forewarning to No-IP customers or even No-IP themselves. Had they actually established a dialogue maybe I wouldn't be experiencing any outages since they could have actually set up sufficient infrastructure in advance to handle the No-IP server load.
And yes, I actually used No-IP domains myself for completely legitimate purposes and am still unable to make use of any of the seized domains. No-IP is absolutely not responsible for this, that blame falls 100% on Microsoft and I honestly think you'd need to be misinformed or a Microsoft employee to feel otherwise.
[1] - http://blogs.technet.com/cfs-file.ashx/__key/communityserver...
To quote myself from the other thread, the approach they did take is more than slightly bizarre:
"There are serious problems with this, firstly that it's technically impossible to implement effectively, and beyond that it's extremely impractical. Any benefit will be so transient as to render the entire exercise pointless.
For the moment, let us ignore the scary implications of the court's part in this and consider this from a technical perspective in a logical manner:
The hypothetical sub-domain abc.no-ip.org resolves to 1.2.3.4, a host somewhere that contains malicious payloads, is botnet C&C or is a member of a botnet. In any case, he's the bad guy - one of the people Microsoft are looking to exclude from the Internet.
So how can this be accomplished? Let's ignore for the moment that the bad guys are free to use any other dyndns service they please and assume that no-ip is the only one.
Approach 1
----------
Every time a host connects to no-ip to update its IP, Microsoft scans tcp & udp ports of the host looking for known C&C services, scans hosted data (public web or ftp). This will simply result in the bad guys hiding all of this in an undetectable manner, many bot-nets already use either Tor or SSH for C&C - without authentication it will be impossible to differentiate Joe Average with an SSH or Tor exit from the "targets".
As for scanning for content, this is possible assuming the content has to be public (i.e. malicious payload) but even then, it's not practical - payloads can be hidden in anything and obfuscated beyond detection. Essentially all that's accomplished is another arms race based around signature detection for malicious content, with the disadvantage that unlike AV solutions this scanning is conducted remotely and the scan source is known. So the malicious guy with two or three lines just uses a stateful firewall to point Microsoft's "scanning service" to good content, everyone else to the bad.
So what other options are there? A blacklist of IPs? Well, they're dynamic IPs, sooner or later you'll end up with every dynamic IP in the entire ipv4 range blacklisted as the bad dudes just release/renew.
Then there's banning the sub-domains/users! Also impractical because for each user and domain you ban, another will emerge.
Approach 2
----------
Microsoft resolves every request for abc.no-ip.org to their own service, all the time, this service performs stateful packet analysis before forwarding it on to the destination host. Impractical because you're essentially routing all no-ip traffic via Microsoft and once again you can only filter what you can detect -- and once the requests themselves are encrypted, that becomes impossible. This is effectively a MITM attack.
All the while we've assumed no-ip is the only alternative; it's not - and many others are beyond Microsoft's and the court's jurisdiction. So ultimately the only way this "approach" could be temporarily feasible is if all Internet traffic were routed through Microsoft's service. So effectively you need to give control of every domain, TLD, ipv4 and ipv6 range to Microsoft. Not workable.
Someone is bound to point out that Microsoft's approach in this may be distributed, agents running on installs of their operating system which does address some aspects of my points above, but once again -- if Microsoft is capable of implementing effective detection on the workstation, remind me again why any of this is needed?
I must be missing something fundamental."
>Microsoft could have just asked them to change the IP associated with the relevant accounts, disable update for them and/or hand over access to those accounts.
The botnet operators are using this service because of how transient it is. They likely have hundreds of accounts, each with thousands of domains, and can make more accounts and more domains on the fly.
What Microsoft should've done is worked with no-ip's team to implement some code in the account and domain registration process to catch these kinds of patterns, in a way where the botnet operator thinks he's configured them correctly, but Microsoft is actually using no-ip's nameservers to point those domains to their sinkholes. After setting this up, they could've then generalized this checking process to catch and automatically ban (or shadowban) other registrants who appear to be using no-ip for botnet command & control or malware distribution. They also could implement evercookies and browser fingerprinting to track threat actors who keep making new accounts in combination with the heuristic detection.
They could've achieved a lot of good by doing this; but now every miscreant out there knows all about this due to the publicity, so they're not going to touch no-ip with a 50 foot pole.
If no-ip refused to implement something like this, then maybe Microsoft could've gotten a temporary court order so that they could basically force them to. But instead they forced them to give up control of their entire DNS space, all to take down 1 botnet.
Besides, knocking out no-ip still doesn't "fix" anything - there're a billion and one easy ways around it - C&C lists in alternate dyndns providers, 3rd party namespaces, Tor based C&C, pastebins, public/anonymous forums, hidden in bit-torrent blockchain etc etc etc
Heck, pushing an update to every Windows machine that simply resolved *.no-ip.org to 127.0.0.1 would be better than this. At least then folks that wanted to use it would have an easy recourse.
[1] http://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-febr...
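An added example, written for this thread and not taken from any commenter, contrasting the two DNS response policies argued over above: seizing a whole dyndns zone (as in the order, or the "resolve *.no-ip.org to 127.0.0.1" idea in the last comment) versus sinkholing only the names tied to flagged accounts, measured by how many legitimate names get knocked out and how many flagged names stay reachable. The zone records, account ids and addresses are constructed, and the sinkhole IP is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

SINKHOLE_IP = "192.0.2.1"  # constructed sinkhole address (RFC 5737 range)
@dataclass(frozen=True)
class Record:
    hostname: str  # dynamic-DNS name, e.g. "abc.no-ip.org"
    account: str   # account that owns the name
    ip: str        # address the account last pushed for it

def in_zone(hostname: str, zone: str) -> bool:
    """Label-aware suffix match: 'abc.no-ip.org' is under 'no-ip.org',
    'evilno-ip.org' is not (a plain endswith() check would say it is)."""
    h, z = hostname.lower().rstrip("."), zone.lower().rstrip(".")
    return h == z or h.endswith("." + z)
def resolve_zone_seizure(rec: Record, seized_zones: set[str]) -> str:
    """Blunt policy: every name under a seized zone answers with the sinkhole."""
    hit = any(in_zone(rec.hostname, z) for z in seized_zones)
    return SINKHOLE_IP if hit else rec.ip
def resolve_account_sinkhole(rec: Record, flagged: set[str]) -> str:
    """Targeted policy: only names owned by flagged accounts are sinkholed."""
    return SINKHOLE_IP if rec.account in flagged else rec.ip
def collateral(records: list[Record], ans: dict[str, str], flagged: set[str]) -> list[str]:
    """Names of unflagged (legitimate) accounts that the policy sinkholed anyway."""
    return [r.hostname for r in records
            if r.account not in flagged and ans[r.hostname] == SINKHOLE_IP]
def missed(records: list[Record], ans: dict[str, str], flagged: set[str]) -> list[str]:
    """Names of flagged accounts the policy still answered with the real address."""
    return [r.hostname for r in records
            if r.account in flagged and ans[r.hostname] != SINKHOLE_IP]

# Constructed sample zone data; accounts and addresses are invented.
RECORDS = [
    Record("abc.no-ip.org", "acct-bad-1", "203.0.113.10"),
    Record("cnc.no-ip.org", "acct-bad-1", "203.0.113.11"),
    Record("drop.no-ip.biz", "acct-bad-2", "203.0.113.12"),
    Record("home.no-ip.org", "acct-good-1", "198.51.100.5"),
    Record("evilno-ip.org", "acct-good-2", "198.51.100.7"),
]
FLAGGED = {"acct-bad-1", "acct-bad-2"}

def compare(seized_zones: set[str]) -> dict[str, tuple[list[str], list[str]]]:
    """Per policy: (legitimate names knocked out, flagged names left reachable)."""
    seized = {r.hostname: resolve_zone_seizure(r, seized_zones) for r in RECORDS}
    targeted = {r.hostname: resolve_account_sinkhole(r, FLAGGED) for r in RECORDS}
    return {"zone_seizure": (collateral(RECORDS, seized, FLAGGED),
                             missed(RECORDS, seized, FLAGGED)),
            "account_sinkhole": (collateral(RECORDS, targeted, FLAGGED),
                                 missed(RECORDS, targeted, FLAGGED))}
```

Calling `compare({"no-ip.org"})` on the sample data shows the zone seizure taking out the legitimate `home.no-ip.org` while leaving the flagged name in the other zone reachable, whereas the account-level policy has neither problem.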