It was 7 o’clock in the morning when the knocking on Dan Durrer’s front door woke him up. His dog started barking, and Durrer thought he was getting an early morning package. But when he opened the door, he wasn’t greeted by the FedEx man. He was face-to-face with a process server, a messenger from the courts, who handed him a stack of legal documents—three inches thick. Somewhere in that stack—buried in all the legalese—was the news that Microsoft had taken control of his company, but Durrer didn’t have time to read it. Almost immediately, his pager lit up with messages saying the company’s internet services had stopped working.
For the past 15 years, Durrer has worked as the CEO of a small internet service provider called No-IP. Based in Reno, Nevada, the 16-person company offers a special kind of Domain Name System service, or DNS, for consumers and small businesses, letting them reliably connect to computers whose IP addresses happen to change from time to time. It’s used by geeks obsessed with online security, fretful parents monitoring nanny cams in their toddlers’ bedrooms, and retailers who want remote access to their cash registers. But it’s also used by criminals as a way of maintaining malicious networks of hacked computers across the internet, even if the cops try to bring them down.
That’s why Microsoft landed those documents on Durrer’s doorstep this past summer—and effectively shut down his operation. No-IP was in the crosshairs of Richard Boscovich, an assistant general counsel with Microsoft’s Digital Crimes Unit. “The amount of malware that was reaching out to domains in No-ip.org was astronomically large,” Boscovich says.
He wanted to disrupt the people behind this malicious software, most of which was running on the company’s Windows operating system. So he used a controversial—but remarkably effective—legal maneuver that he invented himself. It’s based on something called an ex parte temporary restraining order, and in conjunction with other laws such as the 1946 Lanham Act, it gives Microsoft the right to seize private assets—a power that typically lies within the purview of law enforcement, not private companies.
Microsoft’s court maneuvering had played out in secret. Durrer’s company didn’t have the chance to argue its case in court. By the time Durrer was served with court papers on that June day, Microsoft had seized control of the company’s services and ejected the hackers using them, while also locking out all the legitimate users. Durrer eventually regained control of his company, but only after it had been offline for days. Because many of his customers are on annual contracts, he still isn’t sure how much the outage will cost him.
Boscovich and Microsoft have executed the same basic maneuver a dozen times over the past six years. The end-game is always the same: Microsoft wants to stop criminal activity and clean up infected systems. The company has derailed some pretty sleazy operations, but that’s not the case with No-IP, a healthy business with a wide range of customers.
Microsoft says it needs to wield this kind of extreme power to keep the internet safe. It’s part of a determined attitude towards security that has pervaded the software giant since its Windows operating systems were attacked by a series of malicious internet worms more than a decade ago—an attitude that, in some respects, the company should be commended for. It has helped make the internet a better place. But some now worry the company has gone too far, acting as a kind of all-powerful internet sheriff, willing to shut down legitimate companies as well as bad actors in its quest for online security.
Though the No-IP incident is now resolved, Boscovich says that Microsoft still plans to go after malware networks.
A Legal Knockout
When those legal documents arrived at Durrer’s door and then his pager lit up, he didn’t really connect the two. He thought at first that the pager messages were telling him that No-IP had been hacked.
But at his company’s offices later that morning, a clearer picture emerged. There was no online attack. Twenty-three of his company’s domain names—many of them crucial to business operations—had been redirected to computers controlled by Microsoft—the Las Vegas court had ordered the U.S. companies that had registered the domain names for No-IP to hand them over to the software company. Microsoft had a plan in place to keep legitimate customers online, while stopping the malware, but it didn’t work. Millions of addresses used by No-IP customers were knocked offline.
The office support lines were blowing up, and at first, Durrer and company had no idea what to do. “As the hours creeped by, more and more people were falling offline,” remembers Dylan Zigenis, No-IP’s business development manager. “We were getting more calls than we had ever had. We were getting more tickets than we had ever experienced, and it was just the beginning.”
Because Microsoft’s lawsuit had been under seal, Zigenis and Durrer didn’t realize they could even tell their customers what was going on. No-IP had never been sued. “We were so green at this,” says Zigenis. So Durrer called the company’s lawyers and gradually arrived at a plan of action. By the evening, he was talking on the phone with Boscovich.
It was an unfriendly conversation. Microsoft was willing to hand over No-IP’s domains, but only if the company met certain terms. Microsoft’s specific demands are protected by a confidentiality agreement, so we can’t say exactly what they were, but Durrer says that, if he had complied, they would have put No-IP out of business.
Durrer and Boscovich and the lawyers talked late into the night that Monday, but they couldn’t reach an agreement. Meanwhile, Microsoft still had control of the domain names, and No-IP customers were still offline.
It was a heartbreaking situation for Durrer, but there was nothing he could do. On Wednesday, amidst a growing storm of negative press, Microsoft handed back control of the No-IP domains, but it would be Friday—the Fourth of July—before things were back to normal for all customers.
The Worm that Changed Microsoft
When Richard Boscovich left Florida—and a 17-year career with the Department of Justice—for rainy Seattle and life as one of Microsoft’s digital crime-fighters, his new boss told him to be creative. It was Cinco de Mayo, 2008. Engineers were working extra hours to finish up the company’s next operating system, Windows Vista, which was supposed to be its most secure ever. White-hat security consultants who just a few years earlier had made fun of Microsoft as they unearthed bug after bug in Windows were now on the company payroll—being paid to find and help patch bugs before Vista was ever released.
Then the Conficker worm hit. It was a turning point. An expertly written piece of malware, Conficker remains, six years later, the most widespread infection on the internet. Boscovich’s boss, Tim Cranston, wanted the company to strike back against the people who were writing this type of software. “At that point, everybody was really frustrated,” Boscovich says. “Our defensive work had improved dramatically, but we felt that we could do more.”
So Microsoft joined in a community-based effort to rein in the worm. It was called the Conficker Working Group, and it included a wide range of internet experts and computer security researchers. But some say that Microsoft’s culture—where public statements are carefully controlled and vetted—was at odds with the more freewheeling nature of the community of internet researchers it worked with on Conficker (Boscovich disputes this).
“They feel a little bit burned by the Conficker Working Group, where there were so many participants and some of them were only in it for the marketing,” says Jeff Williams, a director of security strategy with SecureWorks who was at Microsoft during this time. “There are just so many reasons that that didn’t work out from an operational security perspective.”
The result was that in future operations, Microsoft operated alone or with a much smaller group of partners. There’s simply no other company that takes such a direct approach to taking on scammers. That makes Microsoft rather effective, but also a little bit scary, observers say. “The overall feeling in the industry is that they are playing their own game,” says Mikko Hypponen, chief research officer with F-Secure, a computer security company. “Nobody was asking Microsoft to do this. They could have been like Apple.”
Hypponen, who was himself a member of the Conficker Working Group, says he’s a little unsure what to think of Microsoft. He applauds their success, but worries about collateral damage. “They are on the same mailing lists and they do share some information and they do share some samples,” he says. “But it is more narrow than what we used to see.”
The Legal Hack
Conficker taught Microsoft that internet domain names were a key battlefield in the fight against cyber criminals. Conficker machines received their instructions from computers at a series of pre-set domain names. To neutralize the worm, a Boscovich colleague, TJ Campana, worked with a group of security professionals and they registered the domain names for themselves so that the bad guys could never send out new commands to the infected computers.
But there were other botnets out there, controlled by computers under domain names that Microsoft couldn’t simply register, as it had with Conficker. What if there was a way to seize them? If he could somehow demonstrate that these hackers were harming Microsoft and the public itself, the court might just let Microsoft seize the domains—and that would be a novel blow against botnet masters.
Boscovich took the idea to Cranston, who said “no.” But then he thought about it some more and changed his mind. On February 24, 2010, Microsoft announced that a federal court had ordered Verisign to cut off the 277 top-level domains associated with Waledac. When Microsoft went after the Rustock botnet, the company needed to seize servers that were being used by the scammers. Boscovich remembered a case he’d seen argued back in his Florida days. A maker of designer handbags had been granted the right to seize the bags from the counterfeiters. Because its brand was being harmed by the infringement, the court gave it the ok to seize the bags. A year after Waledac, Boscovich used this argument to seize the Rustock servers.
Some of Microsoft’s arguments to the court in the Waledac case were the same as they were in No-IP’s case. They amount to this: Bad guys are violating our trademarks and harming the public, we need to stop this, give us control of the domains. Microsoft has made the argument successfully about a dozen times now, but there are some big differences between the No-IP case and previous cases. No-IP is a legitimate company whose services are used by thousands of law-abiding citizens. The fact that Microsoft could knock it offline, as if it were another Waledac, has many observers worried.
“The particular legal opinion that they were shopping for in the No-IP case was: if there is a widely used resource on the internet that is not being well-tended to by its owner, then someone should be able to take it over,” says Paul Vixie, one of the creators of the DNS system and the CEO at Farsight Security. “There’s a long list of people who could take better care of Hotmail.com and Outlook.com than Microsoft does. I don’t think they would want to live in the world that had that precedent.”
Lawyers say that the tactic needlessly deprives companies like No-IP of their right to be heard in court. Shortly after the No-IP takedown, the Electronic Frontier Foundation blasted Microsoft’s actions. Eric Goldman, a law professor at Santa Clara University, doesn’t like these ex parte temporary restraining orders either. “Our judicial system is designed to adjudicate disputes when adversarial litigants fight each other before an impartial decider,” he says. “When that impartial decider hears only one side’s story, and has no mechanism to hear anyone else’s version of the story, our adjudicative process irreparably fails.”
Vixie is concerned that Microsoft seems to be fine with harming legitimate users in the process of targeting cyber criminals. He says Microsoft’s 2012 takedown of a Chinese dynamic DNS provider called 3322.org was similarly harmful.
The Collateral Damage
Two weeks after the No-IP takedown, both Boscovich and Vixie spoke at a Senate Judiciary Committee hearing discussing the problem of botnets. They didn’t talk about No-IP, and at one point, Boscovich said: “We do not and cannot work on botnets alone.” The problem, Vixie believes, is that this isn’t true. So, in front of the committee, he took an oblique shot at the company. “We have found that when a single company or a single agency or a nation goes it alone in a takedown action, the result has usually been catastrophe, because the internet is richly interdependent and many of the rules governing its operations are unwritten,” he said.
His point is that, with the No-IP takedown, Microsoft didn’t work with others. It didn’t even work with No-IP. It served the company papers without asking No-IP to shut down bad actors or even telling the company what it planned to do.
According to Boscovich, it wasn’t possible to work with the company—at least not without tipping its hand to the criminals using No-IP’s network. “We were concerned that either knowingly or unknowingly in the process of taking these things down that they might give information that would give the bad guys notice that they would move their infrastructure,” he says. But No-IP doesn’t see it that way.
The irony is that No-IP had worked with Microsoft in the past. The company had collaborated with Microsoft’s anti-piracy group, and it also worked on the takedown of the Mariposa botnet, which was dismantled in 2010. Especially given their prior relationship, No-IP’s Zigenis wishes Microsoft had reached out for help with the takedown instead of going to the courts. “All this action, all the work that Microsoft did,” he says. “Whatever they spent on their lawsuit could have been saved by a phone call.”