by rmrfrmrf 4367 days ago
I get really irritated with companies that put absolutely no effort into cleaning up their services on their own. When nearly 20,000 of No-IP's accounts are being used for malicious purposes, crying about how Microsoft didn't give them any warning just makes them seem incompetent. There was another article recently on HN about some free tunneling service whose creator tried to automate account shutdowns whenever his ISP sent a complaint letter, which I found to be similarly annoying -- these services are essentially forcing other companies to spend money to do the work that they themselves should be doing.

IMO No-IP is responsible for its legitimate customers' outages. Waiting around for other companies to do your job for you will result in ham-handed solutions like this one.


Let's be honest about the problem, and this isn't some Slashdot-esque rant:

a) Windows is a piece of crap when it comes to staying clean. If it wasn't, Microsoft wouldn't have to go after people like this. Not joking but I clean out a fair number of PCs every year and they are crawling with malware.

b) Users are dumb and install any old crap on kit if prompted to. Microsoft's SmartScreen did very little to prevent this.

In the fallout from this, people are getting hurt. End users are getting their PCs and data stuffed, and companies like this lose their reputation and business because they are a convenient mule (as are the end users) for malware pushers whose job has been made easy.

And don't give me the crap about probability based on the sheer number of Windows machines or the plain bullshit security statistics. They're a pretty easy target as the architecture of Windows is incredibly complicated and they're playing plug-the-holes rather than designing it properly to start with. For ref, I know the NT kernel, Win32 and CLR inside out and no longer would I poke it with a stick.

So, there's nothing here that's unique to no-ip.com's case. The problem is that Microsoft spewed out crap for years and people are suffering because the only way they can contain it is to scorch the earth.

>They're a pretty easy target as the architecture of Windows is incredibly complicated and they're playing plug the holes rather than designing it properly to start with. For ref, I know the NT kernel, win32 and CLR inside out and no longer would I poke it with a stick.

Not sure what you mean by that. Does Linux have any protections beyond Windows to stop malware? Why does Android have a malware problem?

This is the text of a post I made yesterday in reply to a similar comment:

How can they patch it in their product without turning desktop Windows into something like iOS or Windows Phone/RT? Even Android has a ton of malware so the notion that Windows is somehow more hole ridden than other platforms stopped being true starting about 10 years ago with their Secure computing initiative. If the user can install Firefox, they can install malware.

If Firefox doesn't need to get permission from MS for their next version, Windows cannot distinguish between Firefox.exe and Codec_Flash_Shady.exe. Sandboxing will disable system level utilities.

MS is capable of making secure OSes. How many viruses and trojans do the 3 Xboxes, Windows Phone and RT have? Even Windows Server is pretty secure (at least as secure as Linux) unless the admins start browsing on it. Malware is a real threat to any popular OS unless third party apps are entirely blocked or restricted by the use of an approval-based App Store. Windows gives much more control to the user, which is why many users are able to stay away from infections.

And it's ironic that you're blaming MS here instead of the folks that propagate it (including a YC company https://www.techdirt.com/articles/20130115/17343321692/why-a...) and people who install it (users).

Remember the shitstorm that was raised against MS on here and elsewhere when they tried to secure users by preventing undetectable rootkits by enabling Secure Boot?

1) Linux and other unixes were created with the idea of privilege separation and permission baked in. Windows had to add it later, while keeping compatibility

2) Linux has a variety of kernels and libraries versions across its base, making it difficult to exploit it uniformly

3) MS is indeed capable of making secure OSes, I don't deny it, but you should not use Xbox, Windows Phone and RT as examples, since all three of them can ONLY install approved software (less for RT, but it's not used by end users in the same way)

4) MS could have used the same approach used by Linux and Android (and partially OSX): have a central approved and monitored repository of software, but giving the possibility to add external software by jumping a few hoops, i.e. inserting a password, or checking a couple of checkboxes before allowing untrusted installations.

5) To prove the point, Android has malware almost exclusively outside of the Google Play store. Never heard of someone getting malware by using Android, while I know a handful of people getting malware on Windows (this is anecdotal experience, but I don't have any other data)

6) The shitstorm was raised because on some Secure Boot implementations it was impossible to disable it

1) IIRC, the Windows NT family had more granular permissions than Linux. Granted, before XP Windows was quite insecure, as I said in my original comment

2) Still we do see a lot of bugs and exploits that affect large swathes of Linux machines.

3) My entire point is that popular OSes that are used by nontechnical users that allow third party installs

4) Even OS X got a lot of burn for sandboxing apps and making third party apps difficult to install. They tried difficult UAC with Vista and it didn't go so well.

There isn't much stopping Linux malware in repos if the Linux desktop gets more popular. http://www.zdnet.com/blog/hardware/how-much-more-malware-is-...

Heck, even kernel.org was rooted and they still haven't revealed what happened. Not to mention other distros which were also compromised at some point.

5) http://www.pcworld.com/article/2099421/report-malwareinfecte...

6) Which ones? (apart from RT ARM machines that were a total flop in the marketplace and are like iPads)

I agree in general with all your points, apart from 4 and 5.

Malware in Linux repositories is "practically" impossible. Software is most of the time peer reviewed and patched in different ways by different distros. And if a particular piece of software becomes more popular it also comes under scrutiny by more people that want to change the source to add their own features. All the packages are checksummed and repositories have cryptographic keys to establish authenticity.

Of course bugs and security vulnerabilities exist, but the same applies to other OSes as well. And I do understand that UAC is obnoxious for users, but they didn't care about creating problems for legitimate users with the no-ip case since it was posing danger.

That Android report makes two assumptions: a very wide definition of malware (also installing Java should be considered malware because of the toolbar), and the fact that a malware doesn't usually last more than a day before being removed automatically.

> Not sure what you mean by that. Does Linux have any protections beyond Windows to stop malware? Why does Android have a malware problem?

This is the key question that I'd like to hear the answer to.

People often claim Linux/OS X/et al are more secure but they struggle to explain WHY. What technical mechanism is in place in those systems that is not in place in [current] Windows? A few years ago you could definitely name a few things (i.e. before UAC, and a few other things) but now?

I'm certain something like SELinux or AppArmor makes for a more secure system, but last time I installed a consumer distro (namely Mint and Ubuntu) they weren't shipped as standard and often broke quite a lot of default packages upon their installation.

As an aside: In my experience Windows has become less "malware ridden" since XP. Vista, 7, and 8 often survive much longer without anything bad happening. It does still happen, it just isn't as common as it used to be (e.g. 1/5 consumer PCs now instead of 3/5 or more).

Ubuntu ships with AppArmor enabled. Fedora ships with SELinux. It's been that way for a long time. Other distributions like Arch come with packages for other frameworks, including grsecurity.

But I think the primary "technical mechanism" that makes Linux more secure is the fact that users install software from distribution repositories, rather than from the web. The repos are basically impenetrable since packages are signed and contributor identities confirmed with WoT (I've never heard of there being malware in a major distribution) and security updates are deployed to everybody very quickly.
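The two claims made above and in the earlier reply about checksummed packages and repository keys describe one mechanism: the client trusts a repository public key, the repository signs an index of package checksums, and every package is checked against that signed index before it is installed. The following is an added example that is not from the thread or from any distribution's package manager; it assumes an Ed25519 repository key, a constructed index format ("name sha256hex" per line), and constructed package contents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Package is a constructed stand-in for a distribution package: a name and its bytes.
type Package struct {
	Name string
	Data []byte
}

// buildIndex produces the repository index: one "name sha256hex" line per package,
// sorted so the bytes that get signed are deterministic.
func buildIndex(pkgs []Package) []byte {
	lines := make([]string, 0, len(pkgs))
	for _, p := range pkgs {
		sum := sha256.Sum256(p.Data)
		lines = append(lines, p.Name+" "+hex.EncodeToString(sum[:]))
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// signIndex is the maintainer side: the index is signed with the repository's private key.
func signIndex(priv ed25519.PrivateKey, index []byte) []byte {
	return ed25519.Sign(priv, index)
}

// verifyAndInstall is the client side. It trusts only the repository public key
// (shipped with the OS keyring), checks the index signature, then checks the
// package checksum against the signed index. Any mismatch is rejected.
func verifyAndInstall(pub ed25519.PublicKey, index, sig []byte, pkg Package) error {
	if !ed25519.Verify(pub, index, sig) {
		return errors.New("index signature invalid: repository index not trusted")
	}
	want := ""
	for _, line := range strings.Split(strings.TrimSpace(string(index)), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[0] == pkg.Name {
			want = fields[1]
		}
	}
	if want == "" {
		return fmt.Errorf("package %q not listed in signed index", pkg.Name)
	}
	sum := sha256.Sum256(pkg.Data)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("package %q checksum mismatch: refusing to install", pkg.Name)
	}
	return nil
}

// Scenario runs both sides on constructed data and returns three outcomes:
// a genuine package, a package modified on a mirror, and an index re-signed
// by someone who does not hold the repository key.
func Scenario() (genuine, tampered, forged error) {
	// Constructed fixed seed so the example is reproducible; a real repository
	// key is generated once and kept offline.
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	pkgs := []Package{
		{Name: "editor-1.0.deb", Data: []byte("constructed package contents: editor")},
		{Name: "shell-2.1.deb", Data: []byte("constructed package contents: shell")},
	}
	index := buildIndex(pkgs)
	sig := signIndex(priv, index)

	genuine = verifyAndInstall(pub, index, sig, pkgs[0])

	// A mirror serves a modified package: its checksum no longer matches the signed index.
	modified := Package{Name: "editor-1.0.deb", Data: []byte("constructed package contents: editor (modified)")}
	tampered = verifyAndInstall(pub, index, sig, modified)

	// A rebuilt index would cover the modified package, but it cannot be signed with the repository key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedIndex := buildIndex([]Package{modified, pkgs[1]})
	forged = verifyAndInstall(pub, forgedIndex, signIndex(otherPriv, forgedIndex), modified)
	return
}

func main() {
	g, t, f := Scenario()
	fmt.Println("genuine:", g)
	fmt.Println("tampered:", t)
	fmt.Println("forged index:", f)
}
```

The design point is that the client never has to trust the mirror or the network: the only long-lived trust anchor is the repository public key, and both the checksum list and the packages it covers are checked offline against it. Note that this protects against substitution in transit, not against a malicious package that was legitimately signed into the repository.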

>I've never heard of there being malware in a major distribution

Not much to stop malware if desktop linux becomes more popular.

http://www.zdnet.com/blog/hardware/how-much-more-malware-is-...

I'll give it a try:

privilege separation and permission since the beginning

only super user was allowed to install new software

(simplifying) different distros and different versions created diversity making it difficult for an attack area to be widespread across all installations

typing a password for additional privileges requires more attention than clicking a button

AppArmor has been enabled by default for a couple of years; it used to break some stuff but not anymore

(simplifying) new files are not executable, and they don't rely on extensions to determine the associated program

since Linux is not the default it requires a learning curve that people using Windows don't have, so users are more tech savvy

since the source code is available, more people COULD have a look at security vulnerabilities, and in case of emergency they don't have to wait for someone else to provide a patched binary

That said, I don't consider security on windows to be a disaster. It certainly is improving and in general they also pay a lot more attention to security.
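Two of the mechanisms in the list above (new files are not executable, and the associated program is not chosen by file extension) can be shown concretely. The following is an added example, not code from the thread: it saves a "download" the way a browser or mail client would (mode 0644, so no execute bit for anyone, even with a .sh name) and classifies the file from its leading bytes rather than its name. The file names and contents are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
)

// Kind is what the content says a file is, regardless of its name.
type Kind string

const (
	KindELF    Kind = "elf-executable"
	KindScript Kind = "script (shebang)"
	KindPE     Kind = "windows-pe"
	KindData   Kind = "data"
)

// Classify looks only at the leading bytes. A file called "report.txt" that starts
// with an ELF header is an ELF binary; a file called "cute.jpg" that starts with
// "#!" is a script. The extension is never consulted.
func Classify(content []byte) Kind {
	switch {
	case bytes.HasPrefix(content, []byte{0x7f, 'E', 'L', 'F'}):
		return KindELF
	case bytes.HasPrefix(content, []byte("#!")):
		return KindScript
	case bytes.HasPrefix(content, []byte("MZ")):
		return KindPE
	default:
		return KindData
	}
}

// WriteDownload simulates saving a downloaded file with the usual non-executable
// mode. It returns the permission bits the file actually ended up with.
func WriteDownload(dir, name string, content []byte) (os.FileMode, error) {
	path := filepath.Join(dir, name)
	if err := os.WriteFile(path, content, 0o644); err != nil {
		return 0, err
	}
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// IsExecutable reports whether any execute bit (owner, group, other) is set.
// With none set, the kernel refuses to exec the file until the user chmods it,
// whatever the name suggests.
func IsExecutable(mode os.FileMode) bool {
	return mode&0o111 != 0
}

func main() {
	dir, err := os.MkdirTemp("", "dl")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)

	// Constructed sample: a shell script with a misleading double extension.
	content := []byte("#!/bin/sh\necho constructed sample\n")
	mode, err := WriteDownload(dir, "LOVE-LETTER-FOR-YOU.txt.sh", content)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("mode %o executable=%v kind=%s\n", mode, IsExecutable(mode), Classify(content))
}
```

Running it prints a mode of 644, executable=false, and kind "script (shebang)": the script is identified by its content, but nothing on the system will run it until someone deliberately sets an execute bit (the `sudo sh file` case in a later comment is exactly the user bypassing that step).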

>Windows is a piece of crap when it comes to staying clean. If it wasn't, Microsoft wouldn't have to go after people like this.

It doesn't help that Google is making money from infecting their users with malware. It's basically impossible for people to find popular Windows software through Google without being directed to malware.

For example, if you do a Google search for 'firefox', usually the top result (actually an ad) will be a link to a site that downloads a copy of Firefox bundled with malware. This is from a search I did a few moments ago: http://i.imgur.com/lzKU3FO.png

It would be trivial for Google to block these malware sites and Adwords accounts - a lot of the ads that show up look to be pointing to the same sites as they were 6 months ago. Adwords has manual review of ads and the sites they link to. There is just no way that they don't know about these heavily profitable Adwords accounts that are running on hugely popular keywords.

This isn't a new problem, I've mentioned it time and time again: https://news.ycombinator.com/item?id=7101939 , https://news.ycombinator.com/item?id=7335401 , https://news.ycombinator.com/item?id=7089727

That's a pretty scary thing really when you think about it. Thanks for outlining it. Good job I stick adblock on every machine I ship so these things don't even get seen.

> Windows is a piece of crap when it comes to staying clean.

All operating systems on the face of the earth are a piece of crap when the users have admin rights and install every piece of sXXt they can put their hands on.

There isn't a single one that does it better.

This reminds me of a friend of mine:

"But mom! Why did you 'sudo sh LOVE-LETTER-FOR-YOU.txt.sh' in the first place? Didn't I tell you not to trust email?". Security's no. 1 problem is the user.

It is a very dangerous notion that the federal courts can seize the domains of one company and just hand them over to another company...

It was bad enough when ICE was doing it; this takes that bad practice to a whole other level.

What is even worse is they got the order ex parte, meaning No IP did not have a chance to defend or explain themselves to the judge before their business was irreparably harmed by the actions of their competitor.

Even if the malware claim is true (which I doubt because I trust MS about as much as the NSA) No IP should have been given basic Due Process to explain their side to the Judge before their business was harmed.

Question of fact: did the court attempt to contact No-IP.com? Or did they attempt contact, and No-IP.com failed to show up?

Courts never contact anyone. It is normally up to the Plaintiff to "serve" the defendant, except when the Plaintiff seeks an ex parte motion, order, etc., which allows the court to act without contacting the defendant.

Further, if this had been a situation where contact was attempted and failed, it would have been a "default" judgment/order, not ex parte.

Fine, did any party before the court attempt to serve No-IP.com?

If No-IP.com avoided service like Charles Carreon, I have little sympathy. If there was no attempt at service, that's a different story.

Perhaps one should read my full post, as I answer this question in my "Further" second paragraph

I think you are just grasping to find any justification for what MS and the courts have done here... There are none.

HN has an international audience. Many people here do not speak English as a first language and you could help those people by being a bit clearer with your communication.

Read the order, it's floating around on the other thread. The justification is laughable at best, perjury at worst.
They claim it was 2k out of 4M.

Goguen said while Microsoft claimed that there were more than 18,000 malicious hostnames involved, no-ip.com could only find a little more than 2,000 from that list that were still active as of Monday morning.

http://krebsonsecurity.com/2014/07/microsoft-darkens-4mm-sit...

And how is No-IP supposed to find these malware hosts? Seems to me like they'd have less capability to do so than an antivirus company that collects thousands if not millions of malware samples each day.

How many of Microsoft's customers are being used for malicious purposes? Am I as an ISP allowed to summarily disconnect all Microsoft customers from my network?

I don't think I could possibly disagree with you more.

It is in no way No-IP's job to protect Microsoft from malware yet by all accounts they employed both automated detection as well as a (very timely) manual reporting option. How can you possibly sit back and claim they're "incompetent" when you have absolutely zero knowledge of what happened within the company to address this issue? Microsoft wants to complain No-IP wasn't doing their job to their standards as if how they feel about it matters in the slightest.

Oh, and from the numbers I saw, 12,000 accounts were deemed to be complicit in malware distribution by a 3rd party security firm. Another user posted they have ~4 million accounts total. If those numbers are accurate that means only .003% of total accounts had anything to do with malware; sounds like a damn good job from the No-IP guys to me.

Even if you manage to delude yourself into thinking Microsoft is in the right in their domain seizure then you still can't justify the sneaky way they approached this with no forewarning to No-IP customers or even No-IP themselves. Had they actually established a dialogue maybe I wouldn't be experiencing any outages since they could have actually set up sufficient infrastructure in advance to handle the No-IP server load.

And yes, I actually used No-IP domains myself for completely legitimate purposes and am still unable to make use of any of the seized domains. No-IP is absolutely not responsible for this, that blame falls 100% on Microsoft and I honestly think you'd need to be misinformed or a Microsoft employee to feel otherwise.