Comments on Sinkholed
Automated legal actions and takedowns like this introduce a lot of risk of collateral damage, but I wonder what the alternatives are.
The investigators would likely argue that notifying domain holders would reduce the chance that they can take down a botnet's infrastructure successfully, which seems likely.
Could there be some maximum time after which the 'rule set' for the auto-takedown code needs to be made open source/public? It must presumably be implemented as software and/or configuration files.
That would at least allow for inspection, confirmation and disputes about how it's implemented, and if this was 30 days or so, it shouldn't risk the takedown effort.
While top-tier network engineers are developing takedowns like this, presumably they'll do a good job of minimizing false positives - but as this case shows, it's not always going to be perfect - and I worry that if it becomes more common, we'll see sloppier implementations.
That could lead to connectivity and access issues for more users (again in an international context). It's great that the situation was resolved in this case but I imagine not all users would be able to raise a complaint at a similar level of technical detail and respectful tone and for it to receive the same amount of attention.
Maybe that's untrue. Maybe injustices really do get amplified by social media and relying on companies to notice this 'works'. It doesn't sit particularly well with me as a remediation process though, and I'm not sure it scales.
Andy Beaumont said:
This was a really good write up, thank you. And congratulations on getting your domain back.
Tim Nolet said:
Props to you for reacting suitably: worried, but calm and measured, and not jumping on some Twitter outrage bandwagon.
Yves Dorfsman said:
The scariest part is that it looks like this got resolved quickly only because your tweet got noticed and retweeted. I wonder how long it would have taken otherwise.
Someone less technical would likely have no idea what happened to their domain. An individual relying on their web presence for income could be massively impacted by something like this. There really does not seem to be a clear way for someone to a) know what the problem is, and b) get it resolved quickly.
As a small business owner, this terrifies me. Since the TTL for NS records is 48 hours, a domain takeover like this could easily bankrupt a lot of SaaS companies.
What options are there to prevent this? Would a registrar such as MarkMonitor provide at least some notice or protection?
Dylan Pyle said:
A couple of years ago we lost our domain (see The Duct Tape Holding the Internet Together) due to a registrar (that we were not a customer of) erroneously issuing a suspension. The amount of honor system involved in the whole process, particularly in ccTLDs without as much oversight, was really surprising.
Samuel Klein said:
Thank you for this. We are definitely seeing the declining use of centralized domain-resolution. It has advantages only when it is not itself being gamed, and increasingly companies and governmental orgs have found ways to do just that. At the very least every domain should have dual central + decentral resolutions, and browsers should give you options when the resolutions conflict.
I'm glad that this particular instance was resolved reasonably gracefully, but all it would have taken is a less informed or connected victim and it would have been so much worse.
Richard Kirkendall said:
Susam, I'm glad we were able to get this resolved for you and I apologize for the inconvenience and the scare this caused you.