by goblin89 2320 days ago
The whole affair seems to be bordering on blackmail: “pay me, MS, or your customers will get hacked”.

If you were truly concerned about security, you’d have just transferred the domain over. If you want to make a good profit off of that, though, please—don’t make a theater.

If you are both genuinely concerned about security but also desperately need money, what you would effectively end up doing is a reverse auction—start high and go lower until the one buyer you want agrees.

1 comments

> please—don’t make a theater

Why not? If Microsoft is unwilling to pay a reasonable amount for the domain, the logical action to take is to publicize the flaw in their system.

Giving security flaws the publicity they deserve: I’m most unreservedly in favor.

Using publicity to hold someone hostage in order to extract money while hiding behind security concern claims: not a good image.

If I were in a situation where I have nothing to eat and urgently need to liquidate such a domain, I would raise awareness publicly but negotiate in private. If I were relatively well-off, I would arrange a pro-bono handover, publicly or privately, and of course try to raise awareness anyway.

To make matters worse, the sale appears to be handled via an auction. The wide publicity given to the event via Brian Krebs’s website must have attracted the attention of a wide range of players, motives unknown. For a reputable corporation to find itself bidding against a theoretical Bitcoin millionaire blackhat is far from desirable on a couple levels (I doubt the auction’s KYC can really prevent that, but if it is strict enough then I take back this particular concern).

Thus, the situation as it is just seems to smell to me, though I’m not entirely ruling out good faith with unfortunate execution.