It's not one-sided. There is an incentive on both sides to come to a reasonable agreement.
It's not like O'Connor can do anything (legally) with the sensitive data that's hitting his domain. If he could, I could understand why he might be reluctant to sell, even if given a strong offer.
But the fact is, if Microsoft walks away from the negotiations, he gets nothing, and there are likely few other buyers he could ethically sell to, and those buyers are unlikely to offer as much as Microsoft can.
> and there are likely few other buyers he could ethically sell to
Anyone that wanted to develop a real business based on a tremendous four letter .com address, which is a vast selection of potential buyers he could ethically sell to.
The name itself, independent of the inbound sensitive stream of data, is worth a lot. Any major enterprise company in the US could trivially develop policies to deal with the inbound sensitive data while using the name for a legitimate business. This one guy has been dealing with it just fine for two decades.
I think it'd be a lot of fun to set up a responder of sorts, that would handle the incoming traffic, discard the sensitive bits, and feed back something like "Your administrator needs to apply KBxxxxxx patch" in any fields of whatever sort of traffic may apply.
I'm sure someone would get their undies in a twist and sue me, which is why I've never done anything of the sort with the juicy traffic that's come my way (in a similar, though long in the past, situation that shall remain unspecified).
But 1 packet out of 100,000 gets upsidedownternet.
> anyone that wanted to develop a real business based on a tremendous four letter .com address
I genuinely wonder how much that matters these days. You've got app stores, Google searches, etc... I think having a memorable, short .com URL was a huge thing in the mid-2000s, but I'm less sure that it is today.
> It's not one-sided. There is an incentive on both sides to come to a reasonable agreement.
I believe that there was no agreement to be made. O'Connor put the domain up for auction, so MS was bidding against other buyers, not O'Connor.
> But the fact is, if Microsoft walks away from the negotiations, he gets nothing
I expect that the domain still would have sold, although not for the price that MS has now paid.
Regardless of who O'Connor would have sold to, it would have been a nice payday and he knew that. It was just a matter of waiting for the right moment to put the domain up for auction.
But they would be under the same constraints as him. And it would be easy to see if they tried anything (are those ports accepting connections or not?) at which point it would have been quickly seized. Plus, wouldn't knowingly selling it to a bad actor be a violation of his due diligence?
But this site would not be running a botnet. It would only be accepting data that others willfully send its way. If this is illegal, then I can shut down any site by sending my private data to it.
Of course actually doing anything with the received private data might be illegal, but that would be harder to track. How would the owner of a misconfigured network ever figure out how their data got "hacked"; whether the owner of corp.com did something or nothing with it?
Hence ancestor's use of "ethically" rather than "legally".
> It would only be accepting data that others willfully send its way.
Human knowledge and intent matter in legal matters. If a technology is accidentally misconfigured to send sensitive data to a third party, and that third party knows that the data they are receiving was not intended for them, then they are still responsible for not willfully misusing that data. That's clearly the case with corp.com.
> If this is illegal, then I can shut down any site by sending my private data to it.
No, if you knowingly choose to send your data somewhere, then you can't turn around and blame the people receiving your data. Again: human knowledge and intent matter for the law.
As an example, a charge of trespassing depends on permission (human knowledge and intent), not whether you leave your gate open (how a system is configured).
You seem to be trying to contradict that it is legal to own corp.com, but actually you are saying that misusing collected data is illegal, which I never denied.
The point is that it would be hard-to-impossible to go after someone who owns corp.com even if they use it for nefarious purposes because the actual nefarious action would be so hard to discover or prove.
Besides which, the bad actor here could easily live somewhere without an extradition treaty to the US or simply remain pseudo-anonymous (via shell companies, bitcoin, etc). So, it would be possible for an unethical owner of corp.com to find a buyer who intends to use it for ill.
As shawnz hinted at, there is a protocol dance that happens before the data is sent over. I don't know exactly what it consists of, but I suspect it's more than just TCP-level responses saying the port is open and ready to receive.
Playing along in that dance is arguably unethical and shows intent.
There are circumstances where I would consider it ethical. For example, publishing the logs after a month (or whatever) delay and after notifying the relevant parties to fix their configs and change any secure information exposed.
In that case, it's similar to security researchers releasing the information, and I imagine it also protects him from liability in some ways. Firstly, he treats all traffic the same and has a public policy of exposing it; I think that more clearly puts the problem on the people sending the data to a public location. Secondly, people at a company that are looking at a security problem won't notice some info went out to him and, grasping at straws, look to cover their own asses by trying to say that's where the problem must have come from.