Microsoft Buys Corp.com So Bad Guys Can't (krebsonsecurity.com)

Brian Krebs: In February, KrebsOnSecurity told the story of a private citizen auctioning off the dangerous domain corp.com for the starting price of $1.7 million. Domain experts called corp.com dangerous because years of testing showed whoever wields it would have access to an unending stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe. This week, Microsoft agreed to buy the domain in a bid to keep it out of the hands of those who might abuse its awesome power.
  • by pimpsoftcom ( 877143 ) on Tuesday April 07, 2020 @09:52AM (#59917098) Journal

    Wow what will MS do with all this power I wonder?

    • Embrace and extend!

    • by thegarbz ( 1787294 ) on Tuesday April 07, 2020 @10:22AM (#59917230)

      Wow what will MS do with all this power I wonder?

      Nothing. You're talking about a vendor who can push nefarious code out to any computer they wish under the guise of a security update. They don't need some shitty domain to screw the entire world 100 times over.

      So the answer is nothing. They literally bought the domain so nothing at all would happen.

      • Wow what will MS do with all this power I wonder?

        Nothing. You're talking about a vendor who can push nefarious code out to any computer they wish under the guise of a security update. They don't need some shitty domain to screw the entire world 100 times over.

        So the answer is nothing. They literally bought the domain so nothing at all would happen.

        Exactly. They own the software supply chain from end to end. This just makes their lives easier than the alternative.

      • Are you implying that I couldn't do this on Linux?

        • Send my server an automated update that took it over? Or register the default domain that all Linux systems and documentation use? The answer to both is no, because you don't own the trust chain that delivers updates to random computers, and a benevolent admin already registered example.com

          He could do it, but instead he uses his powers to reply to emails telling people they configured their mail forwarder wrong.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        You're talking about a vendor who can push nefarious code out to *any* computer they wish under the guise of a security update.

        I'd like to see them try that in my MS-free household.

    • Their only experience with Power is to make a Point.

    • I wonder how much they paid. The auction started at $1.7 million...
    • Because they don't already have the power to be looking at all those password hashes anyway, what with Windows Telemetry, Office365, ADFS, etc.?

      Take off the tinfoil hat - this is a cost that has been on the balance sheet for 20 years since publishing all that documentation and training material for Active Directory that used whatever.corp.com in every single example.

  • Sinaloa cartel buys North American distribution rights to keep it out of the hands of small timers.

  • Microsoft employs the world's best programmers, right?
    • Re:Not good (Score:5, Informative)

      by Freischutz ( 4776131 ) on Tuesday April 07, 2020 @10:10AM (#59917182)

      Microsoft employs the world's best programmers, right?

      Yes, and quite a few of them too.

    • Re:Not good (Score:5, Informative)

      by AmiMoJo ( 196126 ) on Tuesday April 07, 2020 @10:21AM (#59917224) Homepage Journal

      For once this isn't the programmer's fault. The problem is that the default domain used by old versions of Windows Server was corp.com. Lazy admins sometimes didn't change it.

      So if you had a server like outlook.corp.com to handle mail in your corporate network and whoever owned corp.com created an outlook subdomain computers on your network might accidentally connect to a remote server not under your control. Often this went unnoticed because internal DNS would resolve to the local machine first, but if that machine went down or was retired or a laptop was taken offsite and used without a VPN...

      In later versions they got rid of corp.com as the default.

      • Why not both? (Score:4, Interesting)

        by Thruen ( 753567 ) on Tuesday April 07, 2020 @11:19AM (#59917502)

        For once this isn't the programmer's fault. The problem is that the default domain used by old versions of Windows Server was corp.com.

        But wait, who made the default a domain they don't control? I'm not saying admins neglecting to change it aren't also to blame, but you can't really say it's the fault of one person for not fixing it and not at all the fault of the people who shipped it out with a problem by default to begin with. It's both! And I'd wager MS had more people checking their work than most admins, and setting the default affected many more than any individual admin not fixing it.

        I'm always a little surprised at how many people jump to defend corporations like Microsoft when they make a mistake. Messing up doesn't make them a bad company or you a bad person for supporting them. It just means they made a mistake.

        • I blame the devs. Instead, .internal, .local, or maybe example.com. Don't put a domain in that is out of your control. What if the default was microsoft.com, slashdot.org, or whitehouse.gov? Totally the devs' fault.

        • Re:Why not both? (Score:5, Insightful)

          by quetwo ( 1203948 ) on Tuesday April 07, 2020 @02:21PM (#59918334) Homepage

          It wasn't even a default. It was in their training docs. People used the domain that was in the training guides, didn't understand the big-ass warning that they needed to use their own domains, and most things just pretty much worked. People who had no right doing network administration just used it.

          That's why Microsoft has used contoso.com for the last 15 years in their training guides.... They at least owned that domain.

      • Yes, it is the devs' fault or at least someone around that level. Somebody made the decision to have a default value in place instead of leaving it blank. By having the default value it led to this problem. If a blank value was used they would have forced the admin to enter a proper value for their situation. Then if the admin entered something that saw private information go to an outside party it would have been their fault.

        Yes, some responsibility goes with the admin for not changing the value but the dev

        • by AmiMoJo ( 196126 )

          If the user puts in a domain ending in .com it should probably just uninstall itself and order an Etch-A-Sketch off Amazon for them.

        • Yes, it is the devs fault or at least someone around that level. Somebody made the decision to have a default value in place instead of leaving it blank.

          This is standard practice in all software. Linux uses example.com as a default. That also happens to be a domain owned by someone.

    • There's a bridge down in San Diego with great cash flow. I can let you in, for a price.

      My animosity to anything Microsoft goes clear back to CP/M-80 and their C (sort of) compiler. I was working on some SCSI adapter code for NT 4 and had a weird time trying to understand the logic of adding the adapters to the registry. Turns out that they had totally messed up that code and you had to enter all of the HBA parameters as a string to be parsed by the driver, instead of intelligently having attributes, such

  • Major blunder! (Score:5, Insightful)

    by joseph777 ( 6558174 ) on Tuesday April 07, 2020 @10:05AM (#59917152)
    A major and prolonged blunder on Microsoft's part does not constitute them being heroes. It's clearly a liability mitigation strategy to buy this domain. --And $1.7m is chump change.
    • Re:Major blunder! (Score:5, Insightful)

      by thegarbz ( 1787294 ) on Tuesday April 07, 2020 @10:24AM (#59917244)

      No blunder involved. AD was not meant to pretend to be a domain outside of a company's control. This is like system admin 101 level stuff.
      Microsoft spends money again in an attempt to save stupid users from themselves.

      • Re: (Score:3, Interesting)

        by joseph777 ( 6558174 )
        Agreed, people are dull. As I understand, MS recommended using the corp.com domain (perhaps as an example), which dull people then use. Any sane person would use ".local". I've seen that sort of junk before, when a server inside a FW would declare itself as the organization's public domain for the purpose of sending email internally. Which ends up wrapping that whole network around the axle. Changing the domain is not a cakewalk from what I recall.
        • Re:Major blunder! (Score:4, Insightful)

          by vux984 ( 928602 ) on Tuesday April 07, 2020 @10:58AM (#59917404)

          You can't call people dull and then immediately declare that you should use .local. That's not just bad advice, it actually causes problems.

          The correct thing to do is use a domain you own, and control. If you own mydomain.com, your internal active directory domain should be corp.mydomain.com or ad.mydomain.com or something like that, either that or buy another domain just for internal use. Anything else is asking for trouble.

          Here's an old article on why it was already considered a bad idea to use .local nearly a decade ago.
          http://www.mdmarra.com/2012/11... [mdmarra.com]

          • by Anonymous Coward

            Personally I just use china.com locally. Like no condoms in Haiti, what fun is life if it's not an adventure?

          • The point was the domain should be something that's not publicly resolvable. I was also thinking, and in fact agree with networkzombie below: A subdomain often makes good sense, as well as using .localdomain if you don't have a domain name. I may be wrong, but didn't ".local" come into existence with the Bonjour protocol? We can get into debates on best practices and who can be more pedantic, but clearly "corp.com" is not kosher. Microsoft shouldn't have used/endorsed/cited a valid name in the global domain
            • by vux984 ( 928602 )

              "The point was the domain should be something that's not publicly resolvable."

              And the ONLY way to know that, is to OWN the domain. Anything else may one day in the future become resolvable and is out of your control.

              The trouble with using "fictional" TLDs is that they may no longer be fictional. I know of at least two companies using a fake TLD that now actually exists and fortunately isn't causing too much trouble because of the relatively low adoption of most of the new TLDs, but still; now theircompanyname.ltd is a valid domain name in the global address space; since .ltd was ad

        • No sane person would use .local. You should use split-brain DNS or a sub-domain.
        • Any sane person would use ".local"

          .local wasn't reserved by the IETF until 2013. corp.com long predates this. Also using .local for AD breaks some mDNS setups.

          You should see that sort of junk all the time. It's standard practice not just by Microsoft but by all software. Linux for example (pun intended) uses example.com. Fortunately the owner of example.com is benevolent, but the reality is the same. It's a resolvable FQDN used to make documentation easier and to not break networks.

          • by Shimbo ( 100005 )

            Any sane person would use ".local"

            It's standard practice not just by Microsoft but by all software. Linux for example (pun intended) uses example.com. Fortunately the owner of example.com is benevolent, but the reality is the same. It's a resolvable FQDN used to make documentation easier and to not break networks.

            Yes, but example.com is reserved for documentation in RFC 2606. Maybe a little late for Microsoft to use in W2K though.

    • by alexo ( 9335 )

      And $1.7m is chump change.

      Would you be so kind as to send some chump change to a fellow slashdotter?

  • ...look who's talking.

    Making a gardener out of the goat.

  • So Microsoft OS's have an enormous, longstanding security problem resulting in a massive number of computers sending passwords and other information to the open Internet and, instead of fixing the problem, MS bought a domain name to try and mitigate it.

    Cool....

    • No, planet earth has a long standing issue with morons copy pasting examples verbatim out of the documentation and therefore misconfiguring their domains to point at "ChangeMe.com".

      • by ceoyoyo ( 59147 )

        No way. If you're setting up an *intranet*, no request from that system should default to sending credentials to some random web site on the internet. No matter how badly you configure it. Particularly not if you're using a non-fully qualified address.

        • Yes, but what happens is that people take laptops home, and being ignorant of the way things work, attempt to connect to corp.com resources without VPNs.

          So you have a stack of barely qualified button mashers configuring systems exactly as the training materials said 20 years ago, or ignoring the banners that say "DON'T USE THIS USE SOMETHING YOU OWN" and combine that with a stack of non-IT people who expect it "just works", and you get people attempting to connect to something.corp.com and sending an NTLM h

          • by ceoyoyo ( 59147 )

            By your argument, *all* the vulnerabilities in any piece of software are the user's fault for not using an appropriate VPN and firewall.

            A service that cannot resolve an internal host should not go "whelp, let's try the Internet!"

  • by Nabeel_co ( 1045054 ) on Tuesday April 07, 2020 @10:30AM (#59917274) Homepage
    "Domain experts called corp.com dangerous because years of testing showed whoever wields it would have access to an unending stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe." What? Why? Are people misconfiguring their DNSs? Whoever wrote this needs to elaborate a bit more on the reason owning corp.com is so dangerous.
    • by slazzy ( 864185 )
      I'm guessing a lot of people use corp.com rather than using example.com in documentation and as defaults in software? Personally I don't remember seeing it much in almost 25 years of web development.
    • by AmiMoJo ( 196126 )

      Even if your DNS is configured correctly it won't always save you. If a machine is taken to another site with a different DNS server, or if some app decides it is going to use its own DNS resolution for whatever reason...

    • by dissy ( 172727 ) on Tuesday April 07, 2020 @10:57AM (#59917398)

      "corp" was the example kerberos "DC" given in the documentation for active directory.
      If used this would become "DC=corp,DC=com" after upgrading from a windows 2000 domain.

      If you imagine "example.com" becoming active in the global DNS, you'll have an idea of the consequences of this, although limited to active directory.

      The biggest difference being that example.com is explicitly listed in RFC as safe to use for documentation and examples, stating it will never become active for that reason.

      Of course "corp" as a kerberos top level, and corp.com as a DNS zone, were never specified as safe for documentation let alone safe to be used.

      • If you imagine "example.com" becoming active in the global DNS, you'll have an idea of the consequences of this, although limited to active directory.

        example.com is active in the global DNS.
        QUESTION SECTION:
        example.com. IN A

        ANSWER SECTION:
        example.com. 4731 IN A 93.184.216.34

        Query time: 21 msec
        SERVER: 1.1.1.1#53(1.1.1.1)
        WHEN: Tue Apr 07 20:06:46 CEST 2020
        MSG SIZE rcvd: 56

        • by dissy ( 172727 )

          Sure enough it is.

          But the fact it resolves is violating the RFC. I still couldn't blame anyone else for using example.com for documentation or example, expecting the RFC to be correct.

          This one is completely the fault of IANA, unlike the corp.com example Microsoft used that was never specified as a special domain.

    • by BeerCat ( 685972 )

      "Domain experts called corp.com dangerous because years of testing showed whoever wields it would have access to an unending stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe."

      What? Why? Are people misconfiguring their DNSs?
      Whoever wrote this needs to elaborate a bit more on the reason owning corp.com is so dangerous.

      I wondered that too, so found this article [krebsonsecurity.com] that explains more.

      if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “\\drive1\” alone will suffice, and Windows takes care of the rest.

      But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory — Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

      Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.

      Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

      Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

      In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.

      So Microsoft pretty much allowed a domain intended to be used as an example in documentation to be applied as the definitive value in a live setting.
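The name-devolution behaviour described in the quoted Krebs passage above, and in AmiMoJo's earlier outlook.corp.com comment, can be checked for your own environment. The following is an added example, not code from the thread or from the Krebs article: it models Windows-style DNS suffix devolution (simplified assumption: strip leading labels of the primary DNS suffix, stopping at the second-level domain; a configured suffix search list replaces devolution) and flags every candidate lookup that falls outside domains the organisation actually owns or that lands in a reserved documentation or mDNS name. The domains contoso.com and corp.contoso.com used in the sample run are constructed inputs.

```python
# Added example: audit which FQDNs an unqualified name like "drive1" may turn
# into under DNS suffix devolution, and whether each one stays inside a
# namespace the organisation owns. The devolution rule is a simplified model
# of the Windows default (assumption), not a reimplementation of the resolver.

# Names that will not be delegated to you: RFC 2606 documentation domains and
# the mDNS/Bonjour domain from RFC 6762. "reserved" is still not "owned".
RESERVED_SUFFIXES = ("example.com", "example.net", "example.org",
                     "local", "localdomain")


def devolve(primary_suffix, stop_labels=2):
    """Suffixes tried by devolution, longest first.
    'corp.contoso.com' -> ['corp.contoso.com', 'contoso.com']
    'corp.com'         -> ['corp.com']   (already at the second level)"""
    labels = primary_suffix.strip(".").lower().split(".")
    out = [".".join(labels)]
    while len(labels) > stop_labels:
        labels = labels[1:]
        out.append(".".join(labels))
    return out


def candidate_fqdns(short_name, primary_suffix, search_list=()):
    """FQDNs a client may look up for an unqualified host name. If a suffix
    search list is configured it is used as-is and devolution is skipped."""
    suffixes = list(search_list) if search_list else devolve(primary_suffix)
    return [f"{short_name.lower()}.{s.strip('.').lower()}" for s in suffixes]


def is_within(fqdn, domain):
    return fqdn == domain or fqdn.endswith("." + domain)


def audit(short_name, primary_suffix, owned_domains, search_list=()):
    """Classify each candidate lookup as 'owned', 'reserved' or 'unowned'.
    'unowned' means a public name nobody in the organisation controls, i.e.
    the corp.com situation: a laptop off the corporate network will send the
    query, and whatever it connects to, to a stranger's server."""
    owned = [d.strip(".").lower() for d in owned_domains]
    report = {}
    for fqdn in candidate_fqdns(short_name, primary_suffix, search_list):
        if any(is_within(fqdn, d) for d in owned):
            report[fqdn] = "owned"
        elif any(is_within(fqdn, r) for r in RESERVED_SUFFIXES):
            report[fqdn] = "reserved"
        else:
            report[fqdn] = "unowned"
    return report


if __name__ == "__main__":
    # Constructed sample: the organisation owns contoso.com only.
    owned = ["contoso.com"]
    for ad_domain in ("corp.com", "corp.contoso.com", "corp.local"):
        print(ad_domain, audit("drive1", ad_domain, owned))
```

Any "unowned" entry in the report is a name that should be renamed to a subdomain of a domain you control, exactly as vux984 recommends further up the thread.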

  • So Microsoft made a bed and now they have decided to lie in it. What is the news here?

    Or rather is it merely a warning that one should not make the bed in a fashion that you would not lie in?

  • Clueless kids writing stories again?

    Next up: The "Unn" defeated Charlie Chaplin, riding a T-Rex.

  • I buy my .com for $8
  • Microsoft Buys Corp.com So Bad Guys Can't

    Checks URL... Wait what...?
    Sorry, I'm having trouble parsing the headline, it's like the closest thing you can get to a semantic divide by zero.

    Yeah I know, there's nothing bad they can do with it that they couldn't do without it. I'm still stuck with the div by nil.
