How Microsoft Appointed Itself Sheriff of the Internet (wired.com)
193 points by ghosh on Oct 16, 2014 | 74 comments


"Microsoft had a plan in place to keep legitimate customers online, while stopping the malware, but it didn’t work."

Presumably Microsoft were able to convince a judge that their plan was acceptable on the basis that they had a plan and it would work.

IMHO, that should be enough in itself to hold Microsoft culpable for all damages as a consequence of their plan failing.

Nothing against Microsoft in particular here; anyone can screw up. It should just be a general rule that applies equally to everyone in this sort of case. Doing this "ex parte temporary restraining order" without any opportunity for the targeted party to respond presents enough of a risk to the target that it should only be permitted if the party requesting it is prepared to take the financial hit should they screw up.

Perhaps the funds should even be required to be held in escrow. Enough to cover the target's financial collapse.


Seems reasonable. It's the equivalent of being liable for any damages caused during a wrongful citizen's arrest.


>Nothing against Microsoft in particular here; anyone can screw up.

Well, except for the bit where they appointed themselves Sheriff without any legal authority. Sure, what they did may have been legal, but anointing themselves doesn't sound legal to me.

It's the moral equivalent of someone appointing themself the President because he or she has the biggest and most guns.


> Well, except for the bit where they appointed themselves Sheriff without any legal authority.

AFAICT, this is factually incorrect. They acquired a court order, did they not? They didn't appoint themselves as anything. They asked a court, and a court agreed.

This is how the legal system should work.

If you have a problem with it, then you can petition for laws that bind a court to do something else instead. This is what I am saying: a court should be bound by law to ensure the target is adequately protected financially in this sort of case.


> This is how the legal system should work.

Nonsense. The legal system is a two party system where both sides get to make an argument and an independent arbitrator makes a judgement.

The way Microsoft are using the law, effectively the other party never gets to argue and the first they hear about the lawsuit is when Microsoft has already won.

That isn't how the legal system is meant to work. The Lanham Act is broken.


> The legal system is a two party system where both sides get to make an argument and an independent arbitrator makes a judgement.

And in exceptional cases, an independent arbitrator can agree to something different where justice would be better served by doing so.

Search warrants are an example.

I don't have any problem with judges having this sort of power, because somebody has to be able to intervene when justice requires it. A judge whose job is to remain impartial is the best we can do. Provided that judgements are able to receive public scrutiny as soon as is possible, and that the public can (through their elected representatives) write laws for what they want done in specific situations.

This case is receiving public scrutiny, so the system is working well up to now. What happens next remains to be seen.

If your country has a problem with getting what the public wants written into laws, then you have a political problem, not a legal one.


Eh, typically, a private company shouldn't get the privilege the NSA enjoys regarding one-party secret warrants.


I think Microsoft is liable for all the damage they did (which could be in the 10s of millions of dollars), but there was nothing secret about this - the process server handed over everything, nobody was bound by law to not talk about this. This is nothing like the NSLs.


>Microsoft’s court maneuvering had played out in secret. Durrer’s company didn’t have the chance to argue its case in court. By the time Durrer was served with court papers on that June day, Microsoft had seized control of the company’s services and ejected the hackers using them, while also locking out all the legitimate users. Durrer eventually regained control of his company, but only after it had been offline for days.

The owner of a legitimate company was notified of the confiscation by MS of his business as and after it happened...

EDIT: Actually, read the entire paragraph under ‘As the hours creeped by, more and more people were falling offline.’ header.


I understand what happened in the Microsoft case - but it's important not to confuse this with an NSL. In the case of a search warrant, and Microsoft's court maneuverings, everything is done in secret, until it's executed (otherwise the parties could simply take action to avoid the warrant) - at which point everything comes out into the open.

In the case of an NSL, when it is served - the person who it's served upon is bound by law not to discuss it, and must keep it secret.

Totally different.


I invite you to Google the NSA's origin (especially its special "birth certificate") and then think about your statement about the privilege a private company can enjoy.


In Canada (though the US is similar), you can file a petition under the mental health act, and have a court order a psychiatric evaluation. This means cops come to the person's house, and (forcefully if he/she refuses) escort them to a hospital of your choosing. The person doesn't get to do anything but act as seized property for almost a month before they get their first date in front of a judge. This is how the legal system is meant to work.

In tax cases (according to Meads vs. Meads), the defendant is considered a tax evader if they argue before payment is made. You must first honor the contract before you're allowed to make the plaintiff prove you owed money in the first place. If they can't prove you actually owed, you get the money back. Not only is this how the legal system is supposed to work, but it's based on UNCITRAL (international trade law) conventions, meaning it's how this works in every jurisdiction (including sharia law jurisdictions).

Both sides eventually get to make an argument, but the arbitrator expects the defendant's performance (to restore the honor of the parties) before any arguments are made.

Judge Judy and The People's Court are valid ex aequo et bono courts, but one shouldn't take their conduct as the only way court proceeds.


> They acquired a court order, did they not?

This is what I don't understand. How can a private company get a court order to simply assume the operations of another private company?


By invoking obscure laws very cleverly I guess.


If Microsoft can do it, so can you. You have as much authority as Microsoft does. The only difference is that Microsoft flexed those muscles, while the remaining 7 billion of us did not.


> If Microsoft can do it, so can you. You have as much authority as Microsoft does. The only difference is that Microsoft flexed those muscles, while the remaining 7billion of us did not.

Well, that and a legal department. I don't know many solo entrepreneurs that could deal with the drawing of '3 inches' of legal documentation to serve someone with while maintaining any level of profitability.


I am my legal department, and am a solo entrepreneur. :-)


"The irony is that No-IP had worked with Microsoft in the past. The company had collaborated with Microsoft’s anti-piracy group, and it also worked on the takedown of the Mariposa botnet, which was dismantled in 2010. Especially given their prior relationship, No-IP’s Zigenis wishes Microsoft had reached out for help with the takedown instead of going to the courts. “All this action, all the work that Microsoft did,” he says. “Whatever they spent on their lawsuit could have been saved by a phone call.”"

"His point is that, with the No-IP takedown, Microsoft didn’t work with others. It didn’t even work with No-IP. It served the company papers without asking No-IP to shut down bad actors or even telling the company what it planned to do."

Fuck. Microsoft.


Yeah, there's really no excuse for not talking to the people at the company first. The only reason I can fathom would be that if Microsoft suspected the owner of No-IP to be actually involved with the botnet operators. (Especially given that they had a previous relationship, this is inexcusable, but it shouldn't have mattered anyway.) If Microsoft had contacted them first, and No-IP had given them some reason to suspect that they were culpable, then, by all means, work through the legal system. The whole notion of sealed legal proceedings, as with the FISA court, gives me the willies. It's almost like the exact opposite of what the Bill of Rights was supposed to ensure for protections of the populace against their government. How much more offensive is it that this type of action was used against an individual running a commercial company, not involved in any way with "national defense" issues?


> Yeah, there's really no excuse for not talking to the people at the company first. The only reason I can fathom would be that if Microsoft suspected the owner of No-IP to be actually involved with the botnet operators.

Or they knew that No-IP had long been aware of the abusive domains and had not done anything about them.

OpenDNS published a report on malware support domains in April 2013, identifying No-IP as the top provider of them [1]. No-IP posted a comment responding to that so we know they saw it.

Cisco published a report in February 2014 on dynamic DNS abuse [2], naming No-IP as a major provider for malware domains. No-IP posted a comment linking to a formal response on their blog [3].

The gist of their response is that they don't tolerate abuse, they actively work to find it and stomp it out, and they respond quickly to reports sent to their abuse address, and they invite Cisco to send a report to their abuse address.

Ignoring well documented reports of abuse because they do not arrive via the right bureaucratic channel does not project the right image if you want to be seen as a white hat company.

[1] http://labs.opendns.com/2013/04/15/on-the-trail-of-malicious...

[2] http://blogs.cisco.com/security/dynamic-detection-of-malicio...

[3] http://www.noip.com/blog/2014/02/12/cisco-malware-report/


This was an international case. The Bill of Rights of the United States of America does not apply. To impose the BoR on a non party would be a violation of their human rights, guaranteed by the Universal Declaration of Human Rights.


The US Constitution's Bill of Rights DO NOT IMPOSE ANYTHING ON PEOPLE. They are expressly written to IMPOSE ON THE GOVERNMENT. They DO NOT CONFER RIGHTS. They state certain unalienable rights of men, and RESTRICT WHAT CAN BE PASSED AS LAWS in relation to those rights. Or, they're supposed to, anyway. I don't blame you for getting it wrong. Most of the citizens of the US miss this as well. They're not a bargaining chip for "more rights." They were supposed to set hard limits against government abuse. Oh well. The NSA has made a laughingstock of the 4th Amendment in particular, and that's just an easy example.


The court was in Las Vegas, and Microsoft, No-IP and the company that was ordered to redirect the domains are all based in the US. In what sense is this an international case?


The documents were served to no-ip in Nevada, but the other parties were in an Arabic-speaking country. The case was filed in multiple jurisdictions if you read the court documents. I invite you to read noticeoflawsuit.com and see what actually happened.


I don't see anything on that site that gives evidence of cases filed in other jurisdictions. Which documents are you referring to?


Microsoft was willing to hand over No-IP’s domains, but only if the company met certain terms.

Unbelievable. Microsoft was willing to hand over someone else's domains to their owner only if they play the ball. I hope they get targeted by malware even more after that.

On a side note, I wonder what's to stop theoretical malicious code from switching to bare IPs instead of domains? Were those exposed to the user somehow (to make it more user-friendly?)? Or is it because using domains grants the ability to actually switch remote IPs without altering malicious code?


It was an unfriendly conversation. Microsoft was willing to hand over No-IP’s domains, but only if the company met certain terms. Microsoft’s specific demands are protected by a confidentiality agreement, so we can’t say exactly what they were, but Durrer says that, if he had complied, they would have put No-IP out of business.

This should make anyone scared to death. The fact a company with little or no oversight can simply lock down a company's servers and then hold them for ransom is quite frightening.

Add in the fact No-IP had no say in the issue and this was all done in secret is rather unnerving.


The exact same legal precedent could be used to seize hotmail.com for all the spam, scams, and viruses floating through it. I am willing to bet the judge was handed a 2 foot tall stack of papers with technical gibberish which she of course, didn't read, but had complete assurance from these slimy Microsoft lawyers that they knew what they were doing. If any other company tried the same move, the judge would dismiss it instantly. But of course, the law can't operate the same way for a 16 person company vs. a 100,000+ person company.

I think this clip fairly accurately summarizes the ordeal: https://www.youtube.com/watch?v=8vxEimC3HME


I'm sorry that people are hacking Microsoft's OSs, but this is "legal" piracy. The US courts should not and cannot condone one-sided private legal decisions. Sure the Federal government can vaguely justify doing this themselves but allowing a private corporation this right is beyond even a random reading of the constitution.


Well, Microsoft only acted after they got a court order.

So, it seems to me that your "real" objection, if I may presume to say, is that the Courts are giving Microsoft a lot of say as to which entities on the internet are bad actors.

But do you really want FBI agents or other federal executive-branch employees to have that say instead? Isn't it better for decisions like that to be made by organizations with greater technical competency than the executive branch of the US government?

Of course, if Microsoft starts using these court orders to hobble their competitors, then that is bad, but no one is asserting that they have started doing that; are they?

Also, if other computer companies, e.g., Google and Apple, started doing what Microsoft is, the Courts would give their expertise approximately the same amount of deference that they currently give Microsoft -- or more precisely, I have seen no signs that that is not the case.

An analogy: would you not prefer for the laws and executive-branch policies related to software patents to be decided by computer companies and software professionals rather than elected officials, their legislative aides and lobbyists? (According to Eben Moglen, current US laws and policy around software patents are largely influenced by lobbyists for the pharmaceutical companies who feel the need to oppose any weakening of patent "rights" in any industry.)

More precisely: if individuals and organizations without deep technical knowledge were prohibited from influencing policy on software patents, would not that be an improvement over the current situation?


> But do you really want FBI agents or other federal executive-branch employees to have that say instead?

Dear god yes. Law enforcement may need these enforcements from time to time, but you can not let a private company slap around their competitors at will using the same methods.


What competitor did Microsoft slap around?

Do you consider No-IP a competitor to Microsoft?


With Azure they are more or less in the same business.


Really? That's like saying a guy on the corner selling tourist maps is more or less in the same business as Delta Air Lines, because Delta has a brochure stand in the airport lobby. No-IP offers domain/DDNS service, Microsoft Azure is a full stack cloud service similar to Amazon's AWS, and is a small part of a much larger company. There is no competition there.


No-IP sells managed DNS, which you can get with Azure as well, so in that particular service they are direct competitors. But with an as large company as Microsoft there will be overlap with pretty much every other company on the planet, so that's not necessarily relevant.

I was speaking in a more general sense. If Microsoft could do this, other companies can. If they could do it against No-IP, they can do the same thing to others.


Oh come off it


You should probably read these legal docs again. The US courts did not approve this, as it was an international court.


What are you talking about? It was a lawsuit filed in US District Court for the District of Nevada under state and federal laws. There is no international court with jurisdiction over such a suit.

http://www.noticeoflawsuit.com/docs/Second%20Amended%20Order...


So you're stating that the two Pro Hac Vice applications were just pointless pieces of paper?

It was filed in accordance with state and federal law, but you'll pay attention to the fact that the notice was served in three countries, as well as via the website. You should also notice that they had the individual registrars (in other countries) execute their process. Why would those non-state parties even agree to act on the process if there was no obligation for them to do so?


None of that indicates an international court.

Attorneys in the US are licensed to practice per-state. Pro Hac Vice petitions are necessary whenever they seek to appear in a case outside the state(s) they are licensed in. In this case, two California attorneys were appearing in court in Nevada. There is nothing "international" about that.

Parties to a lawsuit, no matter where they are, have an obligation to respond under US law. If they never want to travel to or do business in the US or any other country whose courts will enforce US judgements (there are many that will), they are, of course, free to ignore the summons and/or orders (unless ICANN says otherwise, in case of the registries).

Note also that the orders are signed by Gloria M. Navarro, Chief Judge, United States District Court for the District of Nevada.

This is a US court. I have no idea why you think otherwise. There is nothing to indicate otherwise.


What I don't understand is how a botnet could negatively affect Microsoft other than showing the world through news articles how it infected vulnerable Microsoft software?

Is the bad press basically the reason and justification?


Botnets are responsible for lots of (most?) spam and DDOSs. Those hurt everyone on the internet, not just Windows users.


I understand that, and they should be taken down. But Microsoft is using justification that it's hurting their business in order to take over other businesses and shut them down.


The Conficker worm did cause significant harm for Microsoft's customers and Microsoft's direct or indirect costs associated in fighting the worm will have been considerable.


Good article and timely, because they just did another big response two days ago: http://blogs.technet.com/b/mmpc/archive/2014/10/14/msrt-octo...

While this didn't involve a broad takedown of a public provider (as far as I'm aware), it did involve coordinated release of tools and more-targeted takedown requests through their semi-private "Coordinated Malware Eradication" program. On balance, I think what Microsoft is doing is a good thing, but public scrutiny and discussion of any organization/cartel that operates in secret is equally important.


I've shamelessly copied Microsoft's noticeoflawsuit.com and have used it as a template to recover two domains from people holding them ransom from the rightful owners. It's a fantastic process, and I have to thank Mr. Haimovichi for the cool legal tricks he taught me in his paperwork.

Just make sure you have someone competent in the other jurisdiction that can file/serve the paperwork (Australia/Canada in my case), and it's remarkably straightforward. The defendant can only argue once the domain has been transferred over, so you'll get your domain back asap. In our case, the defendant didn't want to hire a lawyer (we're all self-representing advocates on the plaintiff's side), and we're expecting him to default in 15 days. The last four months of head games and BOFH behavior were quashed in less than 72 hours after the filing was completed in both jurisdictions.

Before Microsoft vs. No-ip.com, I was not a fan of ICANN. This process has certainly changed my tune, however.


> the defendant can only argue once the domain has been transferred over

Sounds like a very scummy thing to do. Any legal system that allows this sort of tactic is ripe for abuse.


Welcome to international contract law. You are guilty (and are expected to make reparations) until proven innocent.

The legal system is more ripe for abuse than anyone really knows. Another reason contract law should be taught in high schools.


Good god, how can you defend against this? All my email goes to my personal domain name-- if someone decides to seize my domain name they have all the keys to the kingdom.


This is a prime example of why critical internet systems (namely domain name resolution) need to be completely and absolutely out of reach of government officials (some of whom are guaranteed to be corrupt) and private corporations (some of which are guaranteed to have interests contrary to the public).


And controlled by... who?


No one. See namecoin.


I can't help but feel that with a judiciary that seems to be largely "out of touch" with technology, that when Microsoft walks into the courtroom and says something is bad...that the enamored judge thinks to herself, "well then it must be bad".


So Microsoft built a product, Windows, that a customer was using to run his business and that he purchased legally.

Then, when the product that they built wasn't working correctly, they seized this guy's business and held it for ransom.

Not exactly what I would call "free market", but this is how Microsoft has done business for years.


It wasn't mentioned in the article but there was also a lot of controversy on how Microsoft handled the Operation B71.

http://blog.fox-it.com/2012/04/12/critical-analysis-of-micro...


"Boscovich remembered a case he’d seen argued back in his Florida days. A maker of designer handbags had been granted the right to seize the bags from the counterfeiters. Because its brand was being harmed by the infringement, the court gave it the ok to seize the bags. A year after Waledac, Boscovich used this argument to seize the Rustock servers."

This is fascinating. This is an actual, tangible case where intellectual property law had more teeth, and more negative side effects, than the existing cyberlaws. It's evidence both that trying to take law that applies to physical goods and apply it digitally is not trivial (if even possible to do fairly), as well as how much cyberlaw has lagged behind the evolution of technology, in a context completely separate from the usual ones (DRM, copying = piracy?, etc).


I'm glad Microsoft is doing what law enforcement seems incapable of doing. Microsoft also has a huge vested interest in cleaning up Windows related malware, and huge cash reserves. I expect they spend more than most countries do on combatting cybercrime.


>I'm glad Microsoft is doing what law enforcement seems incapable of doing.

Yeah! why make our seized domains go to waste redirecting to a landing page like the FBI when we could make them work for us while ruining some company's user experience like Microsoft did!! Yeah!

law enforcement & microsoft are equally capable of feeding judges bullshit in order to put their hands where they don't belong and destroy fragile systems.


Why not aim your anger towards No-IP, given the following?

"Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers. Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity." http://blogs.microsoft.com/blog/2014/06/30/microsoft-takes-o...


Why stop here? Maybe just let Microsoft police whole Internet, after all, 100% of malware operates on it. MS should clean their house first and start taking OS security seriously instead of putting blame on legitimate business.


>"Whatever they spent on their lawsuit could have been saved by a phone call."

Wasn't Microsoft's precise concern that such a call could have been tantamount to giving botnet operators advance notice? I seem to recall when this was discussed previously that some HN commenters had similar experiences with traffic from No-Ip domains and considered them to be in cahoots with the botnet operators.


You've shown the unfortunate side effect of Microsoft's libel. Now, many people think no-ip is a shady organization. It isn't the least bit true, and there was no link between no-ip and the people abusing their service.


Perhaps but beyond vague allusions there haven't been any facts provided that I can see that show that is the case.


But those allegations just don't make sense. Does anyone seriously believe botnet operators to be paying customers of No-IP?

Why else would they give them advance notice? Out of spite? No-IP has absolutely nothing to gain from it and everything to lose.

It just doesn't make sense. Has there ever been any real indication that this was the case?


They would not do it on purpose. The fear was about accidentally somehow letting it slip. No idea how.


This is ethically reprehensible.


Interesting read,

I hate when I see that like the post says about this Attorney... he has no idea about computers yet he is trying to fight something in computers. I get that in real life all the time people that have no knowledge of computing and the internet want to change it... cause they are trying to show other people that they do.


Wired: Stop making cursor keys initiate navigation!

This drives me nuts!


What do you mean?


When reading a Wired article, holding down shift and pressing left or right cursor loads another article.

Often, when reading articles, I highlight the part I am currently reading and then track where I'm reading by extending the highlight with shift and right or down cursor.

This has been fine for me for over 15 years, until reading a few Wired articles over the past while and coming across this new feature of theirs.


TL;DR? http://www.noip.com/blog/2014/07/10/microsoft-takedown-detai...

The "new Microsoft" is worse than the old one.


There's nothing really "new" about this though. Microsoft has been doing this for a while; it didn't start with Nadella taking the reins.

My take: Microsoft dropped the ball while genuinely trying to do a good thing. First, they should have communicated with No-IP as they have in the past instead of seeking a secret court order; they have worked together in the past and there was no reason they couldn't this time as well. Failing that, the court should have required Microsoft to reimburse No-IP for any lost revenue due to the action, given that No-IP was not allowed to even know about the order, much less present their side or make an attempt to work with Microsoft.

I honestly don't think Microsoft set out to destroy No-IP's business, there simply isn't a logical reason for that. They aren't a direct competitor (Microsoft is not in the dynamic DNS business to my knowledge), and if they were, using the court like this to destroy a competitor would end badly for Microsoft. No, I think they just plain goofed. It definitely sucks that they aren't more willing to help No-IP get back on their feet.


> instead of seeking a secret court order

The blame here must reside with the justice system. There will always be companies attacking their competitors by legal means, it must be the responsibility of the system to not let them get away with it.


Indeed, the situation reeks of a rubber-stamp mentality among the court staff involved with this case. Having worked in law enforcement in the past, I've seen first hand how some judges can just blindly approve whatever warrant or order comes across their desk without so much as a cursory glance at the details, consequences be damned.



