Susam, I'm glad we were able to get this resolved for you and I
apologize for the inconvenience and the scare this caused you.
Automated legal actions and takedowns like this introduce a lot of risk
of collateral damage, but I wonder what the alternatives are?
The investigators would likely argue that notifying domain holders would
reduce the chance that they can take down a botnet's infrastructure
successfully, which seems likely.
Could there be some maximum time after which the 'rule set' for the
auto-takedown code needs to be made open source/public? It must
presumably be implemented as software and/or configuration files.
That would at least allow for inspection, confirmation and disputes
about how it's implemented, and if this were 30 days or so, it shouldn't
risk the takedown effort.
While top-tier network engineers are developing takedowns like this,
presumably they'll do a good job of minimizing false positives - but as
this case shows, it's not always going to be perfect - and I worry that
if it becomes more common, we'll see sloppier implementations.
That could lead to connectivity and access issues for more users (again
in an international context). It's great that the situation was resolved
in this case but I imagine not all users would be able to raise a
complaint at a similar level of technical detail and respectful tone and
for it to receive the same amount of attention.
Maybe that's untrue. Maybe injustices really do get amplified by social
media and relying on companies to notice this 'works'. It doesn't sit
particularly well with me as a remediation process though, and I'm not
sure it scales.
This was a really good write up, thank you. And congratulations on
getting your domain back.
Props to you for reacting suitably: worried, but calm and measured and
not jumping on some Twitter outrage bandwagon.
The scariest part is that it looks like this got resolved quickly only
because your tweet got noticed and retweeted. I wonder how long it would
have taken otherwise.
Someone less technical would likely have no idea what happened to their
domain. An individual relying on their web presence for income could be
massively impacted by something like this. There really does not seem to
be a clear way for someone to a) know what the problem is, and b) get it
As a small business owner, this terrifies me. Since the TTL for NS
records is 48 hours, a domain takeover like this could easily bankrupt a
lot of SaaS companies.
What options are there to prevent this? Would a registrar such as
MarkMonitor provide at least some notice or protection?
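One concrete thing a domain holder can do about the "how would I even know" problem raised above is to audit the domain's registry record on a schedule: check that the registrar locks are set and that the delegated nameservers are still the ones you configured. The script below is an added example, not code from any commenter or from the post being discussed. It parses an RDAP domain object (the JSON format registries publish; the status strings follow RFC 8056's mapping of EPP lock codes), reports missing locks, nameserver drift and hold statuses, and ships with two constructed sample records so it runs offline. The `fetch_rdap` helper and the `rdap.org` bootstrap URL are assumptions about how you would obtain a live record; the sample nameserver names are placeholders.

```python
"""Audit a domain's RDAP record for registrar locks and nameserver drift.

Added example (not from the original thread). RDAP status names follow
RFC 8056; sample records below are constructed for illustration.
"""
import json
import urllib.request

# RDAP status values (RFC 8056) that correspond to the EPP registrar locks
# clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited.
EXPECTED_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}

# Hold statuses mean the registry has pulled the delegation: the domain
# stops resolving even though you still "own" it.
HOLD_STATUSES = {"client hold", "server hold"}


def normalize(name: str) -> str:
    """Lower-case a hostname and strip the trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def audit_domain(rdap_obj: dict, expected_ns: list[str]) -> list[str]:
    """Return a list of findings; an empty list means the record looks as expected."""
    findings = []
    status = {s.lower() for s in rdap_obj.get("status", [])}

    # 1. Registrar locks: each missing lock is a separate finding.
    for lock in sorted(EXPECTED_LOCKS - status):
        findings.append(f"lock not set: {lock}")

    # 2. Nameserver drift: anything added or removed relative to what we expect.
    observed = {normalize(ns.get("ldhName", ""))
                for ns in rdap_obj.get("nameservers", [])}
    expected = {normalize(n) for n in expected_ns}
    for ns in sorted(observed - expected):
        findings.append(f"unexpected nameserver: {ns}")
    for ns in sorted(expected - observed):
        findings.append(f"missing nameserver: {ns}")

    # 3. Hold flags: the domain is suspended at the registry.
    if status & HOLD_STATUSES:
        findings.append("domain on hold: will not resolve")
    return findings


def fetch_rdap(domain: str) -> dict:
    """Fetch a live RDAP object. Assumption: the rdap.org bootstrap redirector
    resolves the authoritative RDAP server for the TLD. Not used offline."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}") as resp:
        return json.load(resp)


# Constructed sample: a healthy record with all three locks and the expected NS set.
HEALTHY_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client update prohibited",
               "client delete prohibited", "active"],
    "nameservers": [{"ldhName": "NS1.EXAMPLE.NET."}, {"ldhName": "ns2.example.net"}],
}

# Constructed sample: what a seized or suspended domain can look like,
# with the delegation replaced and a server hold applied (placeholder names).
SUSPENDED_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["server hold", "server transfer prohibited"],
    "nameservers": [{"ldhName": "ns1.sinkhole-placeholder.invalid"}],
}

EXPECTED_NS = ["ns1.example.net", "ns2.example.net"]


if __name__ == "__main__":
    for label, record in (("healthy", HEALTHY_RDAP), ("suspended", SUSPENDED_RDAP)):
        print(f"{label}:")
        for finding in audit_domain(record, EXPECTED_NS) or ["ok"]:
            print(f"  {finding}")
```

Run it from cron against `fetch_rdap("yourdomain.example")` and page yourself on any non-empty result; the three lock statuses are the ones a registrar's "registrar lock" or "transfer lock" option typically sets, and a hold flag or an unexpected nameserver is exactly the signal the commenters above had no way to receive.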
A couple of years ago we lost our domain (see The
Duct Tape Holding the Internet Together) due to a registrar
(that we were not a customer of) erroneously issuing a suspension. The
amount of honor system involved in the whole process, particularly in
ccTLDs without as much oversight, was really surprising.
Thank you for this. We are definitely seeing the declining use of
centralized domain-resolution. It has advantages only when it is not
itself being gamed, and increasingly companies and governmental
orgs have found ways to do just that. At the very least every domain
should have dual central + decentral resolutions, and browsers should
give you options when the resolutions conflict.
I'm glad that this particular instance was resolved reasonably gracefully, but
all it would have taken is a less informed or connected victim and it would
have been so much worse.