Tired of Playing Cyber Cop, Microsoft Looks For Partners In Crime Fighting

chicksdaddy writes: When it comes to fighting cybercrime, few companies can claim to have done as much as Redmond, Washington-based Microsoft, which spent the last five years as the Internet's Dirty Harry: using its size, legal muscle and wealth to single-handedly take down cyber criminal networks from Citadel, to Zeus to the recent seizure of servers belonging to the (shady) managed DNS provider NO-IP. The company's aggressive posture towards cyber crime outfits and the companies that enable them has earned it praise, but also criticism. That was the case last week after legitimate customers of NO-IP alleged that Microsoft's unilateral action had disrupted their business. There's evidence that those criticisms are hitting home – and that Microsoft may be growing weary of its role as judge, jury and executioner of online scams. Microsoft Senior Program Manager Holly Stewart gave a sober assessment of the software industry's fight against cyber criminal groups and other malicious actors. Speaking to a gathering of cyber security experts and investigators at the 26th annual FIRST Conference in Boston, she said that the company has doubts about the long term effectiveness of its botnet and malware takedowns.

need to crack down on the russian government and o

[Joe_Dragon]

need to crack down on the Russian government and others who just about look the other way.

Re:

[Anonymous Coward]

what about the NSA? How much of this "cyber crime" is related to government monitoring. I like how the focus shifts to Russia and China at a time when the US is being criticized/ignored for leading an international spying ring! How much malware has hit the internet lead by governments working together, until its caught in the wild then they all blame each other or some group as the cause?

That's the real problem anymore, no one knows who is responsible for half the shit going on. Even better you can set-up f

Re:

[Anonymous Coward]

need to crack down on the Russian government

The Russian government? How about assigning responsibility where it belongs?

TFA is pure revisionist propaganda on the scale of editing Trotsky out of of pictures with Stalin. In reality, TFA should start:

When it comes to enabling cybercrime, few companies can claim to have done as much as Redmond, Washington-based Microsoft,

Plenty of us remember how fragile and colander-like most Microsoft OSs have been until VERY recently.

Re: Enabling software

[Anonymous Coward]

Apparently it's forbidden Here to say anything bad about MS, but still. It is cause of monopoly that we have these problems. In healthy market it would BE difficult to take control of many machines when there would be many platforms.
Now media only mentions when MS uses it's Monopoly to take down those bots it has enabled.

It's Microsoft's fault

[Animats]

If Microsoft hadn't built such insecure operating systems, the problem wouldn't be so big. This is the company that brought you Active-X, autorun, and the ability to invoke programs from spreadsheets and documents.

Re:

[Anonymous Coward]

If the operating system is secure, criminals exploit the users instead. And if Microsoft had built a secure operating system in 2001 instead of spending the decade of the 2000s patching their vulnerabilities, there would have been fewer viruses and worms and more phishing and social engineering, exactly like the situation is now. Go back to the 1990s and take your irrational hatred of Microsoft with you, troll.

Re:It's Microsoft's fault

[ShanghaiBill]

If the operating system is secure, criminals exploit the users instead.

Nonsense. There is not a fixed quota of crime in the world. Criminals exploit profitable opportunities, and more opportunities mean more crime, while fewer opportunities mean less crime. A secure operating system does not "push" people into phishing. Writing a virus and social engineering don't even use the same skill sets.

Re:

[strikethree]

Nonsense. There is not a fixed quota of crime in the world. Criminals exploit profitable opportunities, and more opportunities mean more crime, while fewer opportunities mean less crime. A secure operating system does not "push" people into phishing. Writing a virus and social engineering don't even use the same skill sets.

At first blush, I thought that I agreed with you. A moment of thought brought some nagging doubts to my mind...

Crime does not occur simply because there is opportunity. There are plenty of opportunities for crime that are never taken. Yes, opportunity does play a, significant I believe, role, but it is not a determining factor except that if there is no opportunity, there is no crime.

Whatever drives the need or desire for crime is the thing that makes criminals look for opportunities. Increasing the need or

Re:

[Bert64]

If there was more diversity among the systems being used, then even social engineering attacks would be harder... Whats the point trying to trick someone into running a program, if the system theyre using isnt capable of running it?

Re:

[Anonymous Coward]

This is the company that brought you Active-X, autorun, and the ability to invoke programs from spreadsheets and documents.

This can't be emphasised enough. Before Outlook, there was a scam/joke which claimed that there were emails spreading viruses. Nobody could be stupid enough to execute the contents of an email. Microsoft realised that, at the cost of the security of their users, they could make something easier. They looked at a choice that everybody else had knowingly and clearly made the other way for the good of their own users and were the only company unethical enough to make the choice in the other direction.

The s

Re:

[rtb61]

The problem is policing agencies have been left way behind and are still just barely catching up. This creates a problem private corporations have the computer skill but lack the legal propriety to conduct the policing role and shouldn't really be trusted with it as competitive pressure will not allow the impartial application of the policing role. Police agencies are woefully lacking in the skills, going so far as to actively avoid hiring the people that would be most useful in that role. It's likely that

Re: It's Microsoft's fault

[hackwrench]

There are still flaws in Windows that allow programs to trick the OS into loading code that Microsoft has made difficult for the end-user to detect be it driver or service. What's with all the services hiding under svchost.exe anyways?

Re:

[Curunir_wolf]

What's with all the services hiding under svchost.exe anyways?

They're not hiding.

tasklist /svc

Sorry to dispel your ignorance.

If I didn't know better, I might ask what's with all those daemons hiding behind xinetd? But I do know better.

Hmm...

C:\Windows\system32>tasklist /svc | grep svchost

'grep' is not recognized as an internal or external command, operable program or batch file.

DAMMIT!!

Re:

[davester666]

Perhaps we could all get together and form some kind of group, call it something like Software Protection For Kittens and Children, and then this group could be responsible for doing stupid things like taking domain names from companies and then botching handling it before handing it back.

This way, the blame for stupidity won't be squarely placed one specifically stupid company, instead, it will be spread on the entire software industry. Of course, it'll still be the one company doing the stupidity.

Re:

[Anonymous Coward]

Metonymy as a rhetorical device has been used since ancient times. Get used to it.

Partners in crime fighting

[rossdee]

dinner, dinner, dinner, dinner, dinner, dinner, dinner, dinner,
Batman

re:cautiously pessimistic

[ed.han]

i for one welcome our botnet overlord masters?

ed

Re:

[lister king of smeg]

sounds to me like we need develop more user friendly distributed anonamous internet tools. while the tools we have work when used they are not user freindly and often have horrible documentation. We need a suit of tools to fix the internet to stop corporate/government control over the web. include tor freenet i2p namecoin & bitcoin, retroshare and pgp. encrypt everything end to end and make domain hijacking impossible.

Summary should say ...

[fnj]

Few companies can claim to have done as much fighting - or feeding - cybercrime.

There, fixed that for you.

no-ip is shady?

[Anonymous Coward]

recent seizure of servers belonging to the (shady) managed DNS provider NO-IP

That's blatantly libelous journalism right there.

Re:

[raydobbs]

Slashdot.... journalists? Hehe... re... Hahahaha....really? Did you *laughs uncontrollably* really call Slashdot.... journalists?

Hold on, I might just pass out from laughing so hard, rolling on the floor...

Re:

[Anonymous Coward]

TFA calls NO-IP shady. ITworld aren't journalists either, apparently.

Re:

[Curunir_wolf]

TFA calls NO-IP shady. ITworld aren't journalists either, apparently.

The whole summary reads like propaganda.

"fighting cybercrime ... the Internet's Dirty Harry ... single-handedly take down cyber criminal networks ... the (shady) NO-IP ... "

And, of course, along with being the big, bad, good-guy cop, some "alleged" that their business was disrupted. Poor old Microsoft is "weary" of its role.

Re:

[Enfixed]

In all the years I've used NO-IP for personal and business DNS management, NOT ONCE have they done anything I'd even remotely consider shady. Their service was rock solid until Micro$oft came in with a hostile takeover, hell they didn't even bother to so much as talk with NO-IP beforehand.

Solutions

[Anonymous Coward]

1. Make email White-list based (with a choice to opt out), That will kill spam
2. Allow people to "lock" their machines so they will only download from curated sites., That will severely hurt malware sites.
3. Allow web browsers to 'block' sites/IPs on a per country basis, e.g. all of Ukraine, Russia,China,Brazil, etc, that will kill the redirect bots
4. Allow countries to place Tariffs on imported goods from countries that do not take positive action against cybercrime, nothing inspires politicians like a los

Re:

[currently_awake]

In 4 you mistake the UN for a world government. A world government requires a military to enforce its laws. I think turning the UN into a world government has merit, but given how that would undermine the major world powers I don't expect that plan to be implemented.

Police

[Anonymous Coward]

So in America, Microsoft polices the internet. Who polices in real life? McDonalds? Disney?

Re:

[Anonymous Coward]

Dunkin Donuts.

No-ip isn't shady

[sobachatina]

I've used No-ip for non-mission-critical dynamic IP services and for domain registration for over 10 years. There's nothing "shady" about them.

They offer a free service that is sometimes exploited by criminals and are very responsive to reports of abuse.

Microsoft not only didn't report these criminals to no-ip- they actually sealed the court order so they could seize the domains before no-ip found out about it.

It boggles my mind that a vigilante corporation can get a court order to simply seize another companies assets.

Re:

[whoever57]

Microsoft not only didn't report these criminals to no-ip- they actually sealed the court order so they could seize the domains before no-ip found out about it.

Microsoft compounded the problem by having a DNS infrastructure that completely failed to resolve the subdomains that were not implicated in any botnet use.

Perhaps the core problem was rate limiting by No-IP, but Microsoft should have anticipated this.

Re:

[transporter_ii]

It boggles my mind that a vigilante corporation can get a court order to simply seize another companies assets.

Yeah, it will go down a little smoother when it is Microsoft, Sun, Google, and Facebook working together. I mean, it's easy to bash MS, but when it is team of industry titans, everything will run much, much smoother. Yeah.

Re:

[Anonymous Coward]

I've used No-ip for non-mission-critical dynamic IP services and for domain registration for over 10 years. There's nothing "shady" about them.

They offer a free service that is sometimes exploited by criminals and are very responsive to reports of abuse.

Microsoft not only didn't report these criminals to no-ip- they actually sealed the court order so they could seize the domains before no-ip found out about it.

It boggles my mind that a vigilante corporation can get a court order to simply seize another companies assets.

Apparently 6,000 to 8,000 sub-domains were being created each month on domains controlled by no-ip, just to support botnets.

no-ip insisted that the only way to report these sub-domains was through a manual reporting system on their website. This meant that the botnets could operate with impunity. Contrary to your statement, a number of organizations such as Microsoft, Cisco and the EFF had contacted no-ip and suggested methods to automate the process. no-ip did publicly acknowledge the issue but they did

Re:

[Anonymous Coward]

So in both things you link they state they rely on people informing them. So instead of informing them microsoft got a court order, without even talking to no-ip. And no-ip is supposed to look bad, how? It's obvious you are a shill for microsoft, you didn't have to actually admit it in the post.

Re:No-ip isn't shady

[ThatsMyNick]

hotmail has been known to send a lot of spam. I hope someone takes control of hotmail domain, since microsoft is unable to police it. (Note that it has recently been brought down, by someone should have taken control of their domain when it was a serious problem).

The point is a free service being abused is expected. It is not as if noip encouraged abuse and were paid by abusers.

Re:

[ljw1004]

The point is a free service being abused is expected. It is not as if noip encouraged abuse and were paid by abusers.

Expected: That the owners of no-ip should continue to make their own profits from advertising revenue, and a bunch of legitimate users should continue to get free dyndns service, and the benefit to these two groups comes at the expense of a wider pool of internet users who suffer from malware (and at the expense of unpaid volunteers to police no-ip since they're not spending enough resources to do it effectively themselves).

Does that sound like a fair trade to you? Not to me. Count me out.

In other news

[whoever57]

April 2013: the OpenDNS blog reported that no-ip was the second most popular dynamic-DNS site for malicious software.

In other news, Google is the most popular site for finding <your choice of illegal material here>.

See what I did there? And how the reports of NO-IP's use for malicious software are meaningless?

Re:

[symbolset]

You might as well call DNS itself shady. 98% of malware networks use it to hide their tracks an keep their networks up.

Re:

[MikeBabcock]

What percentage of their total hosted IPs are illegal or malware?

Sounds to me like the old "Windows has more viruses because its more popular" argument, used against NO-IP.

Re:

[Curunir_wolf]

They can sound hurt all they want that OpenDNS and Cisco and Microsoft wrote public blogs or took action rather than reporting the individual offenders to No-IP first.

Really? What about all their legitimate customers? Just "collateral damage", all worth the cost? Most of their customers use their free services, they only have a staff of *12* people. Of COURSE they want help getting reports of abuse. And the *DO* respond to those quickly and appropriately.

What Microsoft did was unconscionable. It's like some vigilantes wanted to put an end to shootings in South Side Chicago, but instead of reporting all the shooters to police, they just decided to set off a nuke in

Re:

[phorm]

no-ip was the second most popular dynamic-DNS site for malicious software

How popular are they overall as a DDNS provider, and how many legit VS malicious customers do they have? It may sound big if they've got 1,000,000 malicious DDNS sites, but not so much if it turns out that's less than half a percent portion of 10,000,000,000 overall sites and the rest are legit.

"fighting" crime?

[ChipMonk]

As a "fighter" of crime, Microsoft would be in the featherweight category.

Using Microsoft's tools to fight cybercrime is bringing a knife to a gunfight.

Re:

[JabrTheHut]

You give them too much credit - it's more like bringing an egg whisk to a gunfight.

Re:

[raydobbs]

...only if you consider that stubby, broken off plastic thing they are waving around a 'knife'

MS knows about crime

[Anonymous Coward]

After all, it's been found to be a criminal organization more than once in a court of law.

So they're gonna crack down

[future assassin]

all the holes in Windows and commercial software that allow so many criminals to profit from the security holes?

Re:

[Krishnoid]

Microsoft may be growing weary of its role as judge, jury and executioner of online scams.

I personally thought it meant they were getting tired of pushing Windows 8 as an upgrade path.

Re:

[future assassin]

If the software becomes a big part making machines function then yes even OSS should be liable.

Re:

[symbolset]

They promised. [schneier.com]

Re:

[currently_awake]

From a business point of view it's cheaper to chase down bot nets than to secure windows. Clearly someone (at Microsoft) has made a business case for offloading the work of chasing down bot nets to someone else, and everyone agreed that would improve the cost-benefit analysis (for Microsoft).

Bad programming

[jgotts]

Microsoft has been writing poor quality software for my entire life.

The best programmers do not go to work for Microsoft. Maybe that was the case in the early 90's but it hasn't been true for decades.

To make matters worse, Microsoft does a lot of its programming in India. We all know that Indian programming is of poor quality, and the reason is not because Indian programmers are much less competent. It has more to do with the fact that in programming if two parties can't communicate completely unambiguously in one language then they have no hope of writing good software. Programmers have to be more than fluent in the language they speak with each other, they have to be scientifically precise.

People go to work for Microsoft because it's safe. There's no risk of the company going under. Risk minimizers don't write good software, because they're not very creative. They tend to keep patching up the same old crap rather than writing something new that works better.

At mature software companies hundreds of non-programmers are telling the programmers what to do, and it only gums up the works. You wind up not working efficiently, because you need too much sign off to get anything done. And once you get signoff, the hundreds of non-programmers are dictating your schedule, not quality of the code or whether it is completed to your satisfaction.

There is no one to clean up Microsoft's mess but themselves. Probably the best solution would be for the company to split up. The people who make the Xbox are probably weighed down by the rest of the company's ineptitude. I'd like to see those guys go their own way.

Re:

[DaHat]

Microsoft does a lot of its programming in India.

How much is 'a lot'? What %?

We all know that Indian programming is of poor quality, and the reason is not because Indian programmers are much less competent. It has more to do with the fact that in programming if two parties can't communicate completely unambiguously in one language then they have no hope of writing good software.

So that's a problem only with Indians? Not Chinese? Australians? Romanians? Turks? Russians? Nigerians?

If you hire those who can c

Re:

[symbolset]

90's? Nope. Their software has always been utter crap.

Re:

[david_thornley]

The original Microsoft BASIC was quite good.

Re:

[david_thornley]

I was pretty aware of the art of the day. I don't know exactly what Kemeny and Kurtz were thinking when they first made BASIC, but after that it was used a lot for working code. (If they didn't intend it for working code, why the array operators?) Most software for the earliest home computers, such as the Apple II, Commodore Pet, and TRS-80, was written in BASIC. The main alternative was assembly language, and I assure you BASIC was a heck of a lot easier to write and debug than Z80 assembly (I never d

Re:

[tjstork]

"Probably the best solution would be for the company to split up. The people who make the Xbox are probably weighed down by the rest of the company's ineptitude. I'd like to see those guys go their own way"

XBOX is running a version of Windows, which, is in many ways better than Linux. What's up for debate is its openness or lack thereof, but featureswise, Windows has lead Unix in a lot of ways.

Even Windows 3.1 had a better device independent rendering model than did the X terminals it competed against. An

Re:

[smartsheep]

if there are as many generalization and lack of precision in the posters code as there are in this posting it wold be below even Microsoft s level of coding. About equal to mine. David Smartsheep.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mtthwbrnd]

"At mature software companies hundreds of non-programmers are telling the programmers what to do, and it only gums up the works. "

And the other option is.... Linux! Where the programmers design everything with no consideration of what non-programmers want/need. LOL! [fyi Linux is unusable for anybody who is not a programmer].

What's with the scare brackets?

[FuzzNugget]

No-IP isn't shady any more than are steak knife manufacturers.

Re:

[anomaly256]

I have yet to see any proof that No-IP are 'shady', I've been using them myself for legitimate purposes for quite a while (devices that roam physical networks, non-static adsl connections, etc) and have no reason to believe they are doing anything untoward. Also no one 'alleged' their businesses were disrupted - it is a fact that they were. It is unfortunate that some businesses don't see the value and justification of purchasing a domain, static IP and setting up DNS hosting along with other services but

Hey, somebody else fix our products for us!

[FuzzNugget]

Can you imagine how this would sound coming from any other company?

Only a part of the headline is correct...

[Valvar]

Microsoft Looks For Partners In Crime

Re:

[AHuxley]

Thinking back to the old hardware you could have a secure sandpit and memory on Unix like devices.
You could have a secure sandpit and memory on consumer computers at a huge cost in cash and GUI slowness.
Speed to market for 1.0, GUI look and feel, security, costs, speed to market with new features vs security.
Helping the police and security services without slowing down the dev and release cycle.
The hardware was just too costly and slow at the consumer level vs a responsive, secure, feature rich software

When it comes to fighting cybercrime ..

[lippydude]

"When it comes to fighting cybercrime, few companies can claim to have done as much as Redmond, Washington-based Microsoft"

Despite how much effort Microsoft retrospectively put into trying to change the historical facts. When it comes to causing cybercrime, few companies can claim to have done as much damage as Redmond, Washington-based Microsoft.

"Windows NT and its successors .. were not initially designed with Internet security" ref [wikipedia.org]

Partner in Cybercrime (Prevention)

[organgtool]

Microsoft,

Nobody asked you to play cyberpolice - you took that upon yourselves in an attempt to make yourselves look better after being the laughingstock of security experts for several decades. Lately you've been overstepping your bounds and now you're looking for other companies to join you so that you don't have to take all of the heat the next time you overstep your bounds. Good luck with that.

How about an anti-NSA?

[currently_awake]

What we need is a government organization dedicated to keeping our networks safe. I'm thinking the exact opposite of the NSA, where instead of weakening our security and pushing to get back doors installed in everything they actually worked to protect us and promote national security.