The Coronavirus Outbreak

notadoctor
20 hours ago
Capitalism: the market is always right
Oakland, CA

Compaq and Coronavirus


To live in a moment that will be in history books is not a particularly pleasant experience; history, though, has another cruelty: those that are not remembered at all.

Compaq’s Impact

Consider Compaq: it was one of the most important companies in tech history, and today it is all-but forgotten. For example, look at this brief history of the IBM PC I wrote in 2013:

You’ve heard the phrase, “No one ever got fired for buying IBM.” That axiom in fact predates Microsoft or Apple, having originated during IBM’s System/360 heyday. But it had a powerful effect on the PC market.

In the late 1970s and very early 1980s, a new breed of personal computers was appearing on the scene, including the Commodore, MITS Altair, Apple II, and more. Some employees were bringing them into the workplace, which major corporations found unacceptable, so IT departments asked IBM for something similar. After all, “No one ever got fired…”

IBM spun up a separate team in Florida to put together something they could sell IT departments. Pressed for time, the Florida team put together a minicomputer using mostly off-the-shelf components; IBM’s RISC processors and the OS they had under development were technically superior, but Intel had a CISC processor for sale immediately, and a new company called Microsoft said their OS – DOS – could be ready in six months. For the sake of expediency, IBM decided to go with Intel and Microsoft.

The rest, as they say, is history.

But wait, there was one critical part of this story that I excluded! IBM wasn’t completely stupid: while much of the IBM PC was outsourced, the BIOS — Basic Input/Output System, the firmware that actually turned on the PC hardware and loaded the operating system — was copyrighted, and, IBM presumed, defensible in court. Compaq, though, figured out how to reverse-engineer the BIOS anyway. Rod Canion, who co-founded Compaq, explained on the Internet History Podcast:

What our lawyers told us was that, not only can you not use it [the copyrighted code] anybody that’s even looked at it — glanced at it — could taint the whole project. (…) We had two software people. One guy read the code and generated the functional specifications. So, it was like, reading hieroglyphics. Figuring out what it does, then writing the specification for what it does. Then, once he’s got that specification completed, he sort of hands it through a doorway or a window to another person who’s never seen IBM’s code, and he takes that spec and starts from scratch and writes our own code to be able to do the exact same function…

[We had] just a bull-headed commitment to making all the software run. We were shocked when we found out none of our competitors had done it to the same degree. We could speculate on why they had stopped short of complete compatibility: It was hard. It took a long time. And there was a natural rush to get to market. People wanted to be first. There was only one thing for us: we didn’t have a product if we couldn’t run the IBM-PC software. And if you didn’t run all of it, how would anyone be confident enough to buy your computer, if they didn’t know they were always going to be able to run new software? We took it very, very seriously.

The result was a company that came to dominate the market; in fact, Compaq was the fastest startup to hit $100 million in revenue, then the youngest firm to break into the Fortune 500, then the fastest company to hit $1 billion in revenue. By 1994 Compaq was the largest PC maker in the world.

Compaq’s Virtualization

Canion was, by that point, long gone; the board had ousted him in 1991 when the company was struggling to compete with direct-to-consumer PC makers selling “good enough” computers that were not nearly as well-engineered as Compaqs, but were faster to market and much cheaper. New CEO Eckhard Pfeiffer introduced the low-cost Presario line, which leveraged cheaper parts to break the sub-$1,000 price point, leading to Compaq achieving that first place position. By 1996, though, growth was again slowing, and Pfeiffer needed a new plan. Part 1 was expanding into more markets; Bloomberg explains part 2:

The second part of the formula — for producing profits along with growth — will involve wider use of outsourcing and partnership deals. That’s because the new financial yardstick — return on assets — will force the divisions to slash investment in assets such as plant, inventory, and overhead wherever possible. If the $3 billion home-PC business can cut its asset base, for instance, it can still deliver a 20% annual return to the company — even though price competition in home PCs will likely keep operating margins at around 2%.

To get there, Compaq has already started “virtualizing” parts of its business. After cutting $57 off the cost of each home PC last year by building the chassis at its plant in Shenzhen, China, the company went a step further in cutting the cost of business desktop PCs: Instead of investing millions to expand the Shenzhen plant, Gregory E. Petsch, senior vice-president for operations, persuaded a Taiwanese supplier to build a new factory adjacent to Compaq’s to build the mechanicals for the business models. The best part of the deal: The Taiwanese supplier owns the inventory until it arrives at Compaq’s door in Houston. “This is the right way to do it,” says Sanford C. Bernstein & Co. computer analyst Vadim D. Zlotnikov.

It worked for a time: Compaq’s stock price surged over the next two years as the company rode the Internet wave and outsourced not only the building of PCs and eventually their design, but also their new businesses:

To compete in the big-iron business profitably, Compaq is counting on a series of relationships with other companies that can supply the kind of handholding that companies such as IBM are famous for. Instead of investing in legions of field technicians and programmers — and building up costly assets — the computer maker will use the resources of systems integrator Andersen Consulting and software maker SAP, among others. These companies have the personnel to install and maintain systems the way IBM or HP do. So Compaq gets to play in the big-iron market without incurring the costs of running its own services or software businesses. Using these partners, Compaq is already delivering packages of networks, servers, and services to big customers including General Motors, British Telecommunications, First Interstate Bancorp, and Deutsche Bundespost.

Compaq, however, may not be able to play through their intermediaries forever. “The real solution is to create your own capability. It takes longer and is more painful, but ultimately, it is more successful,” says Graham Kemp, president of G2 Research Inc.

Compaq never did bother; the engineering determination exemplified by Canion was long gone, and soon Compaq was as well: the company merged with HP in 2002 (resulting in a huge destruction in shareholder value), served as the badge for HP’s cheapest computers for a decade, and in 2012 was written down completely for $1.2 billion.

And no one even noticed.

Coronavirus Action

Compaq’s demise was, to be fair, first and foremost about the value chain within which it competed. The entire reason why Compaq could build the business it did was because as long as you had an IBM-compatible BIOS, an x86 processor, and a license for Windows, you could sell a PC that was compatible with all of the software out there. That, though, meant commoditization in the long run, which is exactly what happened to Compaq and, it should be noted, basically all of its competitors.

Still, while I could not ascertain exactly which Taiwanese manufacturer it was that Compaq persuaded to build its PCs and hold them on its balance sheet, I suspect there is a good chance it is still in business: companies like Quanta and Compal took over PC manufacturing in the 1990s, and PC design entirely in the 2000s. Brand names were simply that: names, and not much more. This, of course, made for a fantastic return on assets; it was not so great for long-term sustainable revenue and profits.

It is at this point, 1400+ words in, that I must make what is probably an obvious analogy to the historical moment we are in. While there may have been an opportunity to stop SARS-CoV-2 late last year, by January (when the W.H.O. parroted China’s insistence that there was no human-to-human transmission), worldwide spread was probably inevitable; the New York Times brilliantly illustrated the travel patterns that explain why.

Since then, though, there has been divergence between countries that acted and countries that talked. Taiwan, where I live, is perhaps the best example of the former; Dr. Jason Wang wrote an overview of Taiwan’s actions (and published a list of 124 action items), including:

  • Passengers on flights from Wuhan were screened for fever starting in December, and banned from entry in January; the rest of Hubei Province, and then China as a whole — including non-Chinese who had recently visited China — soon followed.
  • Data from the National Immigration Agency was integrated into the National Health Insurance Administration, allowing officials to quickly match up COVID-19 symptoms with recent travel history; full access was given to hospitals in late February.
  • People designated for home quarantine are tracked via their smartphones, and fined heavily for any violations.

What stood out to me was mask production; on January 23, the day that China locked down Wuhan, Taiwan had the capability of producing 2.44 million masks a day; this week Taiwan is expected to exceed 13 million masks a day, a sufficient number for not only medical workers but also the general public. The mobilization bridged government, industry, and workers, and is ongoing — the plan is for Taiwan to be able to export masks soon.

The public has done its part as well: most restaurants and buildings check the temperature of anyone who enters, and far more people than usual are wearing said masks, which worked to stop the spread of SARS in 2003, and which are likely particularly effective in the case of asymptomatic carriers of SARS-CoV-2.

The Great Resignation

The contrast with Western countries is stark: to the extent government officials across the Western world were discussing the coronavirus a month ago, it was to express support for China or insist that life carry on as before; I already praised the role Twitter played in sounding the alarm — often in the face of downplaying from the media — but even that was, by definition, talk. What does not appear to have happened anywhere across the West is any sort of meaningful action until it was far too late.

This has resulted in two problems: first, by the time Western governments acted, the only available option has been widespread lockdowns. Second, the talk itself is missing even the possibility of action. For example, over the last 48 hours there has been increasing discussion about trade-offs, specifically the trade-off between limiting the spread of the coronavirus and the halt in economic activity that is required to do so. Given how much I write about tradeoffs, I must surely consider this a good thing, no?

In fact, I think it is incredibly tragic, but not for the reasons you might think. The fact of the matter is that we do make tradeoffs between human lives and economic activity all the time — speed limits are perhaps the most banal example. What is truly tragic is the utter lack of resolve and lack of a bias for action in this so-called tradeoff. The only options are to give up the economy or give into the virus: the possibility of actually beating the damn thing is completely missing from the conversation. To put it another way, the West feels like Compaq in the 1990s, relying on its brand name and partnerships with other entities to do the actual work, forgetting that it was hard work and determination that made it great in the first place.

The best overview of how actual hard work could make a difference was written by Tomas Pueyo in this article entitled The Hammer and the Dance; to briefly summarize, the idea is to lock down now to stop the uncontrolled spread of SARS-CoV-2, and then leverage the same sort of epidemiological tools that countries like Taiwan have, including aggressive quarantining of known infections and extensive contact tracing.

This gets to the second reason why the current discussion of tradeoffs is so disappointing: not only is it debating a tradeoff that we don’t necessarily need to make, at least in the long run, it is also foreclosing discussions on tradeoffs we absolutely need to consider. Consider this picture:

Police scooters checking on a quarantined citizen

That was taken by me, outside of my apartment building; apparently one of my neighbors just returned from America and the police were checking on his home quarantine. In fact, look more closely at what Taiwan has done to contain SARS-CoV-2 to-date — you can reframe everything in a far more problematic way:

  • Restrict international movement and close borders (including banning all non-resident foreigners this week)
  • Integrate and share private data across government agencies and with hospitals.
  • Track private individual movements via their smartphones.

Even the mask production I praised required requisitioning private property by the government, and the refusal of local businesses to serve customers without masks or insist on taking their temperature is probably surprising to many in the West.

And yet, life here is normal. Kids are in school, restaurants are open, the grocery stores are well-stocked. I would be lying if I didn’t admit that the rather shocking assertions of government authority and surveillance that make this possible, all of which I would have decried a few months ago, feel pretty liberating even as they are troubling. We need to talk about this!

Policing Talk

The first problem of being a society of talk, not action, is the inability to even consider hard work as a solution; the second is a blindness to the real trade-offs at play. The third, though, is the most sinister of all: if talk is all that matters, then policing talk becomes an end to itself.

I know, for example, that I am going to get pushback on this Article, telling me to stay in my lane, and leave discussions of the coronavirus to the experts or government officials. Never mind that so many of those experts and officials have made mistake after mistake — it’s all in the memory hole now!

This is not at all to say that non-experts have the answers either; as I wrote last week the amount of misinformation is exploding. Rather, the point is that this is a situation with an unmatched-in-my-lifetime combination of massive uncertainty with unfathomable stakes. It follows, then, that the likelihood of any one person or entity having the correct answer is low, while the imperative to allow the right answer to bubble up — or, more accurately, be discovered step-by-step, idea-after-discarded-idea — is high. There is more value than ever in verifying or disproving ideas and information, and far more danger than ever in policing them.

Moreover, if the real tradeoffs to consider are about trading away civil liberties — which is exactly what has happened in Taiwan, at least to some extent — then the imperative to preserve debate about these matters is even more important. The most precious civil liberty of all is the ability to talk. Indeed, that is the terrible irony of losing the capability and will for action: it ultimately endangers the only thing we seem to be good at, and in this case, the potential writedown is too terrible to consider.

notadoctor
5 days ago
Oakland, CA

karambir
5 days ago
Good one
New Delhi, India

Who Do You Learn From?


When a city or country decides how to go about solving some problem, it will usually learn from somewhere else – either consciously as a set of best practices, or unconsciously as a sanity check. The “who do you learn from?” question is then what that somewhere else is. This is true of the ongoing corona pandemic, but also of infrastructure, which is why I want to draw this analogy.

Covid-19

In the Covid-19 outbreak, it has become obvious that Western countries do not learn from non-Western ones. I’ve heard people say that high-income Asia has responded better to the crisis because it was used to it from the SARS outbreak of 2003. But SARS affected primarily China and Hong Kong, and secondarily Taiwan, Canada, and Singapore. Korea and Japan barely had any cases. And yet, Korea’s response to the crisis has drawn praise for reducing the daily infection rate through aggressive monitoring and testing. Daily growth in Korea is maybe 1%, slower than the rate of recoveries.

There is a clean split between rich Asian countries’ response to the virus and Western countries’. It’s not SARS, and it’s not whatever racist mythology Westerners tell themselves about Asian collectivism (in what way is the Hong Kong democracy protest movement collectivist?). What it is, is that Asians are happy to learn from other Asians. SARS normalized mask wearing in high-income Asia as a solution to poor air quality or to a contagious disease, and Koreans and Japanese picked it up from nearby countries.

Europeans and Americans, in contrast, wouldn’t stoop to learn from a civilization they look down on. My American Twitter feed talked about the virus somewhat when it was raging mostly in China and then in Korea, but as soon as it hit Italy, most of it transitioned to talking about Italy. The rest of Europe didn’t think it would affect it, and even the strategies for how to deal with it are entirely European. Masks are nowhere to be found, tricks like Korea’s use of disposable chopsticks at elevators to avoid finger-pressing are nowhere to be found, testing capacity is low even in countries with strong civil service and good health care, metro stations and public buildings have no hand sanitizer. If it wasn’t invented here, it isn’t worth implementing, never mind how many thousands, tens of thousands, hundreds of thousands of Europeans will die for their civilization’s pride.

Public transportation

I went over a few national or supranational traditions of metro construction around a year to a year and a half ago, covering the United States, the Soviet bloc, and Britain. There are a few more traditions I could go over by popular request – Japanese (with influence across Asia, especially Korea), French, German, Chinese, increasingly Indian. These traditions do not neatly divide the world into spheres of influence – rather, there are places with multiple influences, like a combination of British and Japanese influence in Singapore and Hong Kong, and the Chinese system synthesizing some Soviet principles in addition to engaging in extensive domestic innovation.

I bring this complication up because when it comes to high costs, the Anglosphere seems mainly to learn from the rest of the Anglosphere, and the US almost exclusively from the US (very rarely from Canada and Britain, never from other English-speaking countries).

The Anglosphere shares certain institutions like common law, but Israel uses common law as well, and yet the Israeli rail electrification project’s communications and media coverage constantly emphasized “like Europe,” not like the English-speaking world; when it comes to how to build trains, Israel’s notion of the ideal functioning country is a pan-European medley.

Rather, the shared characteristics in the Anglosphere seem to be that these countries mostly learn from each other. The idea of road pricing was introduced to the world by the Smeed Report in 1962-4, then actually implemented in Singapore in 1975, then failed to make it to Hong Kong, then got back to London in 2003, and only then became a well-known idea in the American discourse. Moreover, in the Bloomberg-era discourse, London figured heavily, and few people mentioned Singapore and Stockholm; subsequently Milan adopted congestion pricing as well, and the American discourse has ignored it just as it has Stockholm.

Certain governance features that seem relevant to construction costs, like the privatization of state planning, are endemic to the Anglosphere. The use of public-private partnerships is widespread, more so than in other developed countries. Planning is routinely outsourced to consultants. What’s more, my vague understanding of Singapore is that for all its supposed state capacity, it’s headed in that direction too, no doubt thinking that if the US and UK are doing something then it must be good.

Obviously the importation of British and American ideas to Singapore has its limits, as we’re seeing now with the outbreak, but this importation remains widespread. In contrast, importation of Continental ideas is limited. One possible explanation is that Singaporeans view the entire West as a single culture, much as Westerners can’t tell Chinese people apart and often group the entirety of Asia together; if you don’t think there’s much of a difference between different European countries, then you will import ideas from the one that speaks English.

Why are they like this?

The West is a solipsistic civilization, and a lot of Europeans and Americans are going to die in the next few months as a result. But within the West, the United States is especially solipsistic. This does not mean it will necessarily fare worse in the outbreak than Europe – the virus reached it later, so it does have more time, measured in perhaps two weeks, to implement social distancing, ramp up testing capacity, and build emergency hospitals to reduce the death rate from infection. More fundamentally, when it comes to learning from Korea and Taiwan, the US isn’t any worse than Europe.

However, the virus is just my motivating example; my actual work is about public transportation, and there, the US is worse, because Europe has good test cases to learn from that other European countries look at and the US does not. I have seen multiple examples of this even among reformers, like the RPA report on construction costs or the GAO one, let alone among state governments (Massachusetts will simply not learn from anything outside North America).

The explanation, I think, has to do with who the process is empowering. Senior management in big American cities does not understand anything about how things work in other countries, nor do the managers have any social relationships with their peers abroad. Domestically, and sometimes even across the northern border, it’s different – a senior manager in New York has gone to national conferences and met peers from Los Angeles and Chicago and Boston and Seattle and probably also Toronto. A best practices effort that’s restricted to North America empowers such managers.

In contrast, a best practices effort that goes global disempowers the most powerful people in politics and the bureaucracy. They are monolingual, so they can’t easily contradict what people say in a report that talks about how things work in Paris or Tokyo or Madrid or Stockholm. They are unlikely to have lived abroad, or if they did, it was so long ago their knowledge is no longer relevant. They have no established relationships with their peers. They are useless in such a process, and they know it.

I was on a diversity panel at Intercon called Gaming as the Other, I believe in 2015. There were me as the immigrant (just about the only 1st-and-not-1.5th-generation immigrant in a community numbering in the low hundreds), a second-generation Chinese-American, and two black Americans. We discussed different issues relevant to this 95% white community, and at some point, someone from the audience asked me a very good question: “Alon, do you feel excluded when we talk about American pop culture references?” I thought about it a little and said no, I can usually fill in the gaps – I don’t feel excluded when the Americans know something I don’t but when I know something they don’t, because I know they will not respect my knowledge. The two black Americans did not connect to this; the Chinese-American did, bringing up a school in Chinatown in Manhattan that split over traditional vs. simplified characters, a distinction few non-Chinese people would understand.

It’s likely that the single biggest institutional barrier to improving public transportation in the United States is not exactly bureaucratic inertia, but rather that the improvements do not tap into the agreed-upon skillset of the most powerful people. The political appointees are of no use. Some managers are, but not many, especially not at the top levels. At planning agencies it’s often the junior people who are most useful. Why should a manager listen to an underling?

notadoctor
12 days ago
Oakland, CA

Devil's Dictionary of Programming — programming is terrible


With apologies to Ambrose Bierce

simple — It solves my use case.

opinionated — I don’t believe that your use case exists.

elegant — The only use case is making me feel smart.

lightweight — I don’t understand the use-cases the alternatives solve.

configurable — It’s your job to make it usable.

minimal — You’re going to have to write more code than I did to make it useful.

util — A collection of wrappers around the standard library, battle worn, and copy-pasted from last week’s project into next week’s.

dsl — A domain specific language, where code is written in one language and errors are given in another.

framework — A product with the business logic removed, but all of the assumptions left in.

documented — There are podcasts, screencasts and answers on stack overflow.

startup — A business without a business plan.

hackday — A competition where the entry fee is sleep deprivation and the prize is vendor lock-in.

entrepreneur — One who sets out to provide a return on investment.

serial entrepreneur — One who has yet to provide a return on investment.

disrupt — To overcome any legal, social, or moral barrier to profit.

notadoctor
38 days ago
Oakland, CA

digdoug
38 days ago
"disrupt — To overcome any legal, social, or moral barrier to profit."
Louisville, KY

odinsblog: Mike Bloomberg is a racist, paternalistic, Islamophobic, oligarch. And that’s without...


odinsblog:

Mike Bloomberg is a racist, paternalistic, Islamophobic, oligarch. And that’s without mentioning that Bloomberg has even more sexual harassment allegations against him than Trump does.

Don’t anybody dare @ me or tell me to “vote blue no matter who,” not when this billionaire racist isn’t even a Democrat. As a BLACK man, I shouldn’t have to pick between the racist Republican who wants to use the police to racially profile me, or the other racist Republican who also wants to use the police to racially profile me. That’s not even a false choice - it’s no choice at all.

My Bloomberg story isn’t nearly as horrific as those in the tweets above. My relatives living under Bloomberg’s racist regime simply instructed me to stay out of NYC if I didn’t want to risk being arrested and harassed and possibly inserted into the criminal justice system. And I listened to them.

Mike Bloomberg is an authoritarian who wants to use big government to crack down on poor people and black people, but wants less taxes on the wealthy, and deregulation for billionaires. It is not hyperbole to say that Bloomberg is an existential threat to democracy.

Please don’t let him buy the White House.

notadoctor
41 days ago
Oakland, CA

shanel
42 days ago
THIS
New York, New York

Dangerous Domain Corp.com Goes Up for Sale


As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe.

Now, facing 70 and seeking to simplify his estate, O’Connor is finally selling corp.com. The asking price — $1.7 million — is hardly outlandish for a 4-letter domain with such strong commercial appeal. O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.

One reason O’Connor hopes Microsoft will buy it is that by virtue of the unique way Windows handles resolving domain names on a local network, virtually all of the computers trying to share sensitive data with corp.com are somewhat confused Windows PCs. More importantly, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com.

At issue is a problem known as “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” which is a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

For instance, if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “\\drive1\” alone will suffice, and Windows takes care of the rest.

But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory — Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.

Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.
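The single-label lookup and devolution described above can be modelled, and the resulting candidate names audited against the zones an organization actually owns. The following Python is an added example, not code from the KrebsOnSecurity article, JAS Global Advisors or Microsoft. The devolution rule it models (append the full primary DNS suffix, then drop the leftmost label until the second level is reached) is the classic Windows behaviour and is treated as an assumption here; the zone names, the "drive1" share and the reserved-suffix set are constructed for illustration.

```python
"""Model of how a Windows resolver expands a single-label name with its
primary DNS suffix and then devolves it, plus an audit that checks whether
every candidate FQDN lands under a zone the organization owns.

Added example, not code from the KrebsOnSecurity article, JAS Global Advisors
or Microsoft. The devolution rule modelled (append the full primary suffix,
then drop the leftmost label until the second level is reached) is the
classic Windows behaviour and is an assumption here; zone names and the
reserved-suffix set are constructed for illustration."""

from typing import Iterable, List, Tuple

# Labels that are not delegated public TLDs but are commonly used as private
# Active Directory suffixes. Constructed set; adjust for your environment.
RESERVED_SUFFIXES = {"corp", "home", "mail", "local"}


def devolution_candidates(name: str, primary_suffix: str, level: int = 2) -> List[str]:
    """Return the FQDNs a resolver would try, in order, for `name`.

    Only a single-label name is devolved; a dotted name is tried as given.
    `level` is the devolution level: the minimum number of suffix labels kept
    (2 means stop at the second-level domain, the classic default).
    """
    name = name.strip(".").lower()
    suffix = primary_suffix.strip(".").lower()
    if "." in name or not suffix:
        return [name]
    labels = suffix.split(".")
    candidates = []
    # name.<full suffix> first, then progressively shorter suffixes.
    while len(labels) >= level:
        candidates.append(name + "." + ".".join(labels))
        labels = labels[1:]
    # A suffix already shorter than the devolution level (a single-label "corp")
    # is still appended once; there is nothing shorter for the resolver to try.
    if not candidates:
        candidates.append(name + "." + suffix)
    return candidates


def is_under_owned_zone(fqdn: str, owned_zones: Iterable[str]) -> bool:
    """True if fqdn equals or is a subdomain of a zone the organization owns."""
    fqdn = fqdn.strip(".").lower()
    for zone in owned_zones:
        zone = zone.strip(".").lower()
        if fqdn == zone or fqdn.endswith("." + zone):
            return True
    return False


def audit_suffix(name: str, primary_suffix: str, owned_zones: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify each candidate FQDN as 'owned', 'reserved-unowned' or 'collision-risk'.

    'reserved-unowned': the suffix is not a delegated TLD (for example a bare
    "corp"), so the name cannot be answered on the public Internet, but it also
    maps to no zone the organization controls, which is the configuration the
    article warns about.
    'collision-risk': the candidate sits under a public registrable domain the
    organization does not own, so a query that escapes the internal network is
    answered by whoever holds that domain.
    """
    owned = list(owned_zones)
    results = []
    for fqdn in devolution_candidates(name, primary_suffix):
        tld = fqdn.rsplit(".", 1)[-1]
        if is_under_owned_zone(fqdn, owned):
            verdict = "owned"
        elif tld in RESERVED_SUFFIXES:
            verdict = "reserved-unowned"
        else:
            verdict = "collision-risk"
        results.append((fqdn, verdict))
    return results


if __name__ == "__main__":
    owned = ["example.com"]  # constructed: the zones this organization controls
    for suffix in ("corp.internalnetwork.example.com", "corp", "corp.contoso.com"):
        print(f"primary DNS suffix = {suffix!r}")
        for fqdn, verdict in audit_suffix("drive1", suffix, owned):
            print(f"  {fqdn:45s} {verdict}")
```

Run against the three constructed suffixes, the audit shows the three situations the article contrasts: a suffix under a domain the organization owns yields only "owned" candidates; a bare "corp" yields a name that maps to nothing the organization controls; and a suffix under someone else's public domain yields candidates that a stranger's DNS server would answer. `is_under_owned_zone` deliberately uses plain suffix matching rather than a public-suffix library so the block runs offline.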

INSTANT CORPORATE BOTNET, ANYONE?

That’s according to Jeff Schmidt, a security expert who conducted a lengthy study on DNS namespace collisions funded in part by grants from the U.S. Department of Homeland Security. As part of that analysis, Schmidt convinced O’Connor to hold off selling corp.com so he and others could better understand and document the volume and types of traffic flowing to it each day.

During an eight-month analysis of wayward internal corporate traffic destined for corp.com in 2019, Schmidt found that more than 375,000 Windows PCs were trying to send the domain information it had no business receiving — including attempts to log in to internal corporate networks and access specific file shares on those networks.
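A defender who wants to know whether their own fleet is leaking in this way can look for the pattern in resolver logs rather than wait for the domain's owner to report it. The following Python is an added example, not code or data from the article or from Schmidt's study: it scans constructed DNS query log lines (the timestamp/client/qname/qtype format is an assumed one) for queries where the internal label "corp" sits directly under a public domain the organization does not own, groups them by client, and classifies them as domain-controller-locator lookups, proxy autodiscovery or plain host lookups.

```python
"""Scan DNS resolver logs for internal names that have escaped to a public
domain the organization does not own: the 'corp' -> corp.com pattern.

Added example, not code or data from the KrebsOnSecurity article or from
JAS Global Advisors. The log format (timestamp, client=, qname=, qtype=) is an
assumed one; the sample lines, client addresses and owned-zone list are
constructed."""

import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample log: two laptops on an outside network asking the public
# resolver for names that only make sense inside an AD forest called "corp".
SAMPLE_LOG = """\
2019-06-01T08:00:01Z client=10.20.30.41 qname=drive1.corp.com qtype=A
2019-06-01T08:00:02Z client=10.20.30.41 qname=_ldap._tcp.dc._msdcs.corp.com qtype=SRV
2019-06-01T08:00:03Z client=10.20.30.42 qname=wpad.corp.com qtype=A
2019-06-01T08:00:04Z client=10.20.30.43 qname=www.example.com qtype=A
2019-06-01T08:00:05Z client=10.20.30.44 qname=fileserver.corp.example.com qtype=A
2019-06-01T08:00:06Z client=10.20.30.41 qname=drive1.corp.com. qtype=AAAA
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)")

OWNED_ZONES = {"example.com"}  # constructed: zones this organization controls
INTERNAL_LABEL = "corp"        # the AD domain label whose leakage we hunt


def is_under_owned_zone(qname: str, owned_zones: Iterable[str]) -> bool:
    """True if qname equals or is a subdomain of an owned zone."""
    return any(qname == z or qname.endswith("." + z) for z in owned_zones)


def classify(qname: str, qtype: str) -> str:
    """Rough intent of a leaked query, from well-known AD naming conventions."""
    if qtype.upper() == "SRV" and (qname.startswith("_ldap._tcp.") or qname.startswith("_kerberos._tcp.")):
        return "domain-controller-locator"   # the client is trying to log on
    if qname.startswith("wpad."):
        return "proxy-autodiscovery"         # proxy config fetched from a stranger
    return "host-lookup"                     # file shares, printers, intranet hosts


def find_leaks(log_text: str, owned_zones=OWNED_ZONES, internal_label=INTERNAL_LABEL) -> Dict[str, Dict[str, List[str]]]:
    """Return {client: {qtype: [qname, ...]}} for queries whose name places the
    internal label directly under a public domain the organization does not own
    (<anything>.corp.<tld>)."""
    leaks: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line; a real scanner would count these
        qname = m["qname"].rstrip(".").lower()  # tolerate a trailing root dot
        if is_under_owned_zone(qname, owned_zones):
            continue
        labels = qname.split(".")
        if len(labels) >= 2 and labels[-2] == internal_label:
            leaks[m["client"]][m["qtype"].upper()].append(qname)
    return {client: dict(by_type) for client, by_type in leaks.items()}


def summarize(log_text: str) -> Dict[str, int]:
    """Count leaked queries by intent; useful as a dashboard metric."""
    counts: Dict[str, int] = defaultdict(int)
    for by_type in find_leaks(log_text).values():
        for qtype, names in by_type.items():
            for qname in names:
                counts[classify(qname, qtype)] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, by_type in find_leaks(SAMPLE_LOG).items():
        print(client)
        for qtype, names in by_type.items():
            for qname in names:
                print(f"  {qtype:5s} {qname:40s} {classify(qname, qtype)}")
    print(summarize(SAMPLE_LOG))
```

On the constructed sample the scanner flags two of the four clients: the one asking for `drive1.corp.com` and the domain-controller locator record (a logon attempt leaving the building), and the one asking for `wpad.corp.com` (a proxy configuration it would accept from whoever answers). Queries under the owned `example.com` zone are left alone, which is the point of Microsoft's advice to anchor the AD namespace under a domain you control.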

For a brief period during that testing, Schmidt’s company JAS Global Advisors accepted connections at corp.com that mimicked the way local Windows networks handle logins and file-sharing attempts.

“It was terrifying,” Schmidt said. “We discontinued the experiment after 15 minutes and destroyed the data. A well-known offensive tester that consulted with JAS on this remarked that during the experiment it was ‘raining credentials’ and that he’d never seen anything like it.”

Likewise, JAS temporarily configured corp.com to accept incoming email.

“After about an hour we received in excess of 12 million emails and discontinued the experiment,” Schmidt said. “While the vast majority of the emails were of an automated nature, we found some of the emails to be sensitive and thus destroyed the entire corpus without further analysis.”

Schmidt said he and others concluded that whoever ends up controlling corp.com could have an instant botnet of well-connected enterprise machines.

“Hundreds of thousands of machines directly exploitable and countless more exploitable via lateral movement once in the enterprise,” he said. “Want an instant foothold into about 30 of the world’s largest companies according to the Forbes Global 2000? Control corp.com.”

THE EARLY ADVENTURES OF CORP.COM

Schmidt’s findings closely mirror what O’Connor discovered in the few years corp.com was live on the Internet after he initially registered it back in 1994. O’Connor said early versions of a now-defunct Web site building tool called Microsoft FrontPage suggested corporation.com (another domain registered early on by O’Connor) as an example domain in its setup wizard.

That experience, portions of which are still indexed by the indispensable Internet Archive, saw O’Connor briefly redirecting queries for the domain to the Web site of a local adult sex toy shop as a joke. He soon got angry emails from confused people who’d also CC’d Microsoft co-founder Bill Gates.

Archive.org’s index of corp.com from 1997, when its owner Mike O’Connor briefly enabled a Web site mainly to shame Microsoft for the default settings of its software.

O’Connor said he also briefly enabled an email server on corp.com, mainly out of morbid curiosity to see what would happen next.

“Right away I started getting sensitive emails, including pre-releases of corporate financial filings with The U.S. Securities and Exchange Commission, human resources reports and all kinds of scary things,” O’Connor recalled in an interview with KrebsOnSecurity. “For a while, I would try to correspond back to corporations that were making these mistakes, but most of them didn’t know what to do with that. So I finally just turned it off.”

TOXIC WASTE CLEANUP IS HARD

Microsoft declined to answer specific questions in response to Schmidt’s findings on the wayward corp.com traffic. But a spokesperson for the company shared a written statement acknowledging that “we sometimes reference ‘corp’ as a label in our naming documentation.”

“We recommend customers own second level domains to prevent being routed to the internet,” the statement reads, linking to this Microsoft Technet article on best practices for setting up domains in Active Directory.

Over the years, Microsoft has shipped several software updates to help decrease the likelihood of namespace collisions that could create a security problem for companies that still rely on Active Directory domains that do not map to a domain they control.

But both O’Connor and Schmidt say hardly any vulnerable organizations have deployed these fixes, for two reasons. First, doing so requires the organization to take down its entire Active Directory network simultaneously for some period of time. Second, according to Microsoft, applying the patch(es) will likely break or at least slow down a number of applications that the affected organization relies upon for day-to-day operations.

Faced with either or both of these scenarios, most affected companies probably decided the actual risk of not applying these updates was comparatively low, O’Connor said.

“The problem is that when you read the instructions for doing the repair, you realize that what they’re saying is, ‘Okay Megacorp, in order to apply this patch and for everything to work right, you have to take down all of your Active Directory services network-wide, and when you bring them back up after you applied the patch, a lot of your servers may not work properly’,” O’Connor said.

Curiously, Schmidt shared slides from a report submitted to a working group on namespace collisions suggesting that at least some of the queries corp.com received while he was monitoring it may have come from Microsoft’s own internal networks.

Image: JAS Global Advisors

“The reason I believe this is Microsoft’s issue to solve is that someone that followed Microsoft’s recommendations when establishing an active directory several years back now has a problem,” Schmidt said.

“Even if all patches are applied and updated to Windows 10,” he continued. “And the problem will persist while there are active directories named ‘corp’ – which is forever. More practically, if corp.com falls into bad hands, the impact will be on Microsoft enterprise clients – and at large scale – paying, Microsoft clients they should protect.”

Asked why he didn’t just give corp.com to Microsoft as an altruistic gesture, O’Connor said Microsoft actually offered to buy the domain several years back for $20,000. He turned them down, saying that at the time he thought it was too low and didn’t reflect the market value of the domain.

O’Connor said he believes the software giant ought to be accountable for its products and mistakes.

“It seems to me that Microsoft should stand up and shoulder the burden of the mistake they made,” he said. “But they’ve shown no real interest in doing that, and so I’ve shown no interest in giving it to them. I don’t really need the money. I’m basically auctioning off a chemical waste dump because I don’t want to pass it on to my kids and burden them with it. My frustration here is the good guys don’t care and the bad guys probably don’t know about it. But I expect the bad guys would like it.”

Further reading:

Mitigating the Risk of DNS Namespace Collisions (PDF)

DEFCON 21 – DNS May Be Hazardous to your Health (Robert Stucke)

Mitigating the Risk of Name Collision-Based Man-in-the-Middle Attacks (PDF)

Update, 6:22 p.m. ET: Added the bit at the end about the $20,000 offer a few years back from Microsoft, a detail that I somehow omitted from the original story.

1 public comment
JayM
50 days ago
Will they buy it now...
Atlanta, GA