4 July 2014

Hello again Google, all is forgiven... well you are the slightly lesser of two evils... this week anyway.

Yes my move away from Google over removing security options from the Android system on my phone has come to an end. Not because I am pleased with any new implementation of the system they previously removed (in fact I've had some updates recently but not really had a chance to check out the changes yet).

No, this weeks most evil award goes to Microsoft for managing to stuff up the connection to my home network by virtue of their attack on No-IP.com. If you missed it, some judge in Nevada sided with M$ and gave them control of a large chunk of No-IP's business all done in the name of stopping malware from infecting Windows installations (as long as it is possible to make Windows invulnerable without actually patching the faults I presume).

Essentially No-IP works like a telephone directory which fulfills a need for many of their customers. They provide dynamic domain-name-resolution service (Dynamic DNS or DDNS). It works something like this. Your ISP might charge you a kidney or two for a connection to the internet which always has the same IP number (a static IP address). After all IPv4 addresses are getting scarce and since not all of the ISP customers are online at the same time they can share fewer numbers by allocating what they have between many users. So when you connect, the ISP may give you an internet address which was recently used by someone else because it's cheaper than having a dedicated address for everyone.

That was all very well when we only used PC's to connect to the internet but these days people want to rig up cameras, fridges and just about anything else they can think of. But how can you get to it when away from home if your internet address keeps changing and you don't know what it has changed to? That's where DDNS comes in. You typically have a client (a script or app) which updates your DDNS entry from home so you can always put http://mymegafridge.no-ip.org (for example) into your browser and a server at the other end looks up the current IP address for your fridge and forwards your browser to the server running on your home device. These update scripts can even be built into the software running on your home broadband modem or wi-fi router

So why did M$ get control of No-IP.com's web addresses? I can only put it down to ignorance on the part of the judge in Nevada. Imagine if Apple were allowed to shut-down Verizon because some of their subscribers were using the network to place prank calls to Apple employees. There is an obvious conflict of interests here and this decision needs investigating. Microsoft may not provide an alternative DDNS service but it claims to have known about No-IP domains being used to hack Windows machines for at least 12 months. So what have they done to fix these weaknesses in Windows to prevent the malware from spreading? Well M$ release regular updates for Windows on a monthly basis (known in the biz as patch Tuesday). Kind of hard to beleive then that they are still being affected by something they've already had 12 months to fix? That sort of thing can happen in industry though because IT depts will check each patch to see if it screws up their systems before rolling-out the fixes to all the employees (or not if the patch has a more detrimental affect than the malware risk). Even so, there are other DDNS services out there which were still running, still being used for exploits. The only real way to stop them is to build a big off switch which links the whole internet and just turn it all off - I suggest a custom 404 page to go with it with a big game-over logo.

Taking down my ability to link to my home network does only that. If there was a device spreading malware at my home, it would still have been connected, still trying to spread itself - I just wouldn't be able to connect to it while away from home to check or fix it. And the thing that really wound me up the most was the video being posted on twitter about some sweaty Ron character giving away free cupcakes with hair in them. The punchline goes "not everything that's free is good". Yes but Windows certainly isn't free and if it's being affected by 12 month old malware then it certainly isn't good either. The real irony is that Microsoft probably could have had a greater impact on reducing their malware crisis by shutting down their own hotmail service which is a frequent source of phishing and exploit invitations. Anyway, rant over and I'll be Binging no more and back to Google it is. Lovely, imperfect Google with their phone O/S on which I've turned off 90% of the functionality to get a 7-day battery life and who haven't scuppered my home network connection in some botched attempt to stop the spread of malware. And if you're going to attack things which are free then kindly remember that also includes free speech - so your actions could be considered unconstitutional.

What I will take forward from this experience is that reliance on a third-party service can create issues should anything happen to that third-party. I'm sure I could script something (maybe on a pi) to watch my IP address and contact me when it changes. Luckily my home network is purely for a couple of home security devices so the outage didn't have financial consequences for me. M$ should definitely be forced to compensate anyone who did lose money as a result of this action.