Ask HN: Microsoft SmartScreen is destroying our business
We understand false flags can happen. So we took to the official SmartScreen feedback site to report the false flag (as the website owner). Received an email that stated it would take up to 24hrs to analyse: 'If the status of your site has not changed after 24 hours, please contact us with a reply to this message'.
Sep 8 - first ticket sent. Sep 9 (24h later) - nothing. So we replied to the message as instructed. Sep 12 - still nothing. One more reply sent. Asked some of our customers to report our site as safe. Sep 15 - crickets. Tried calling phone support, impossible to get through; they just hang up on us. Reached out to MS support on Twitter, said they would look into the case. Sep 22 - no changes - MS twitter support has been unable to find the correct person internally. We replied to the SmartScreen ticket once more. Opened two new tickets. Asked more customers to report the site as safe. Sep 30 (Today) - now the warning has started to spread from our login page to our entire dashboard. Still no word from Microsoft.
We are totally baffed that MS allows a false flag to stay up this long, totally ignoring us for almost a full month, meanwhile destroying a business that did nothing wrong...
We suspect one of our competitors is responsible for falsely reported us. Is 'weaponized SmartScreen' a thing?
Does anyone have a similar experience? Any advince on resolving this matter is greatly appreciated!
205 comments
[ 2.1 ms ] story [ 247 ms ] threadBesides that possibility, if your business is truly being "destroyed," have you contemplated retaining counsel to escalate things with Microsoft?
And yes, that is a major defamation campaign led by Microsoft against the OP. And since MS even refuses to clarify their claim about the OP's wrongdoing, I imagine he would have an easy time in a court.
Ye, it tells bad actors how the detection system works.
They just don't want to because that costs more money than being a huge piece of shit does.
In fact, I'll go further. MS owns we an explanation why they are warning on any random site. Not only the site's owner.
[EDIT] My point is simply that somehow we manage in basically every other space to let those accused of wrongdoing know what we think they did that looked like wrongdoing, but somehow when it's an Internet giant calling the shots that's just impossible and waaaaah too hard and the sky would fall if they ever treated anyone with any amount of humanity and respect. I think it's grade-A bullshit and they've just figured out they can get away with being assholes at scale and no-one will make them stop.
It’s not just the internet. No company disclosed their fraud detection techniques.
But it doesn't matter. MS is the one telling to the entire world that his software is not reliable. They don't get to tell it all over the world without bringing some evidence.
"We're using our enormous market power to wreck your company and won't even tell you roughly the kind of thing we think is wrong" is so unacceptable it ought to draw an application of some kind of corporate death-penalty, if it's a pattern of behavior and not just a rare accident that goes against official policy. Certainly it's, all on its own, a strong argument that there shouldn't be companies this powerful in the first place.
Microsoft has no idea that you own the domain when you contact them, you are just a concerned party reaching out to them.. you could be the site owner, you could be the criminal that planted the payload.
Until it gets to the point where it is determined that you are the owner, they are correct to not give out sensitive information to random people that decide to e-mail them.
OTOH it might not be. LinkedIn flagged a domain I own as malware and pointed fingers at Spamhaus. Spamhaus had it flagged, but removed the flag when I objected. Their management claimed sites which they flag did something to deserve it on LinkedIn, but never said what. (There is no malware. It's just cranky, especially to bots.) I doubt that Spamhaus' intent was that someone should publicly mark it as malware for other parties though.
What sort of business is it? If it's something particularly scammy, it might be being screened for that reason.
Wow, hello marginalization! I wonder where their training data set came from.
Which actually should be a desirable characteristic as it is an unique identifier, but it kinda makes sense with so many 'lulzhackers' out there (not that I think this is the reason - I do attribute these issues mostly to incompetence)
Unfortunately, the medical procedure it covered thumbnailed down (in the generated preview) to a fairly graphic photo of a woman's private parts being operated on... and that resulted in an uncontestable instaban. No humans can be reached about it, of course.
I hate automated flagging. Not only can I now not help that person on the platform in question, but I am now discouraged from even using that product further (probably not a bad thing in FB's case!)
Common argument. Not a great one, because some things are only available through Facebook, and not being there can complicate your in-person life significantly. But, since I'm not on Facebook, I have to admit that it's good enough for me.
> One needs neither of these services to live a normal life.
A step too far. Normal people have Facebook and use Google. One needs both of these services to live a normal life.
Is this because normal peoples' utility curves maximize convenience?
Also, politicians never go after companies for biased reasons and we can count on the government with more power not to abuse it.
Just because there was no AT&T style divestiture at the end, doesn't mean there were no positive externalities.
http://moglen.law.columbia.edu/publications/lu-18.pdf
I don't know about the specifics of what is legally required vs what the Microsoft legal team decided to do to avoid further scrutiny. But the fact is that there's a lot of docs that were published in the aftermath of that ruling:
https://learn.microsoft.com/en-us/openspecs/protocols/ms-pro...
https://learn.microsoft.com/en-us/openspecs/data_portability...
The actual rendering engine was left to Windows (and to anyone who was using it, like AOL), the shell was left to IE to continue wrapping around it, and a few more things.
They weren't broken up but they were anti-competitive asswipes.
Keep in mind that the reason this happens isn't because of "faulty AI automated systems": the reason this happens is because these companies choose to save pennies by not offering proper support channels and recourse. Those saved pennies make the difference between a 2-hour outage and literally bankrupting you for no reason at all.
I say this because I have been involved in this exact situation multiple times: website flagged by some or other security service, website operator has no idea why and insists it is fine, website turns out to be serving the landing page of a major pharma scam campaign unnoticed by the website operator due to anti-detection measures.
If I put malware at xyz.com/mybadpage and MS starts flagging xyz.com, how on earth do I "maximize campaign life" by being told xyz.com/mybadpage has malware?
You can capitalise on this multiple ways. You can remove the first two and hope they remove the flag. You can design your next attack better so it is more like mybadpage3. Etc
(Not that I think MS should enumerate malicious URL's, unless $Site_Owner is paying for scanning service. A "we noticed malware at $URL" is generally 95% of the possible value of such disclosures.)
Mybadpage1.com
Mybadpage2.com
Mybadpage3.com
msscanninghoneypot1.com
msscanninghoneypot2.com
msscanninghoneypot3.com
You're pigeonholing a bad actor's actions into good actor behavior, it doesn't work like that...
edit: missed that multiple replies cover this
1. It's detected (because Microsoft told everyone)
2. What was detected and where it was (because they put it there)
Good Actors only know 1.
So by telling someone 2 they are giving bad actors no new information, and good actors valuable information.
2, MS only knows some information that shows the site is malicious, it cannot tell if it is a compromise or just a malicious site unless it perhaps looks at reputation but even then the site owner should be able to tell new or malicious files on their webserver withour MS telling them, if they can't even do that they have bigger problems and threat actors do abuse anti-abuse systems like this all the time and they do deploy multiple things on your site as well as use it to attack other sites and monitor the reputation of their infrastructure.
How does keeping secret (from the bad guys) where the malware is thwart the bad guys?
Or the bad guys themselves do that pretending to be the site owner. MS analysts can only inspect the normal site and the malicious URL that has now been removed in order to unblock it.
This is how abuse and IR works, I am surprised at the naivette of the responses here.
What happens is a website is blocked and the site operator has no idea why. The defense of "we can't share any information as to why you got punished as it might help bad actors avoid punishment" should not be an acceptable stance. It's the equivalent of being thrown to prison without due process and just ignoring false positives. It's a very "natural" way of acting, but that does not make it the right one.
You should secure your site better and have someone who knows what they are doing (there are paid WAF and web security vendors) monitor and respond to security incidents. You are not being punished, MS is protecting its customers. You should blame the hacker not MS for the impact of the hack. It's like someone messed with your car tank and tires and the police stop you from driving it because it is unsafe to other drivers, they are not punishing you but protecting other people from being hurt by your property.
The police says why they stopped you though! Which implies what you have to change in order to be able to drive again. They will not say "you have to figure it out on your own or the guys who messed with your car would have it more easy."
This is a pretty weak position to fall back to.
MS is disparaging their business and is trying to make themselves unaccountable. And they aren't customers so they have nothing to walk away from.
A non-malicious actor doesn't know, so telling them the exact URL at least tells them where the compromised asset might be.
A non-malicious actor who needs the URL isn't monitoring or responding to the incident properly. Threat actors do take advantage of this and simulate a fake cleanup. Actually they exclude certain ips and asns on phishing kits so that visiting the url gives you a 404 or a webhosts "cleanup" page.
With that said, there is an epidemic of muppet thinking right now. It's not just the intertubes. Suppose a credit card company pulls your credit report because they say you applied for credit with them. No funds are stolen. You demand they show proof. They say nope, because TTPs. So: how do I know it's a one-off, and not data theft by fraud at scale? Off goes a letter to the FTC...
Do you think like a muppet? Here is satirical example (http://athena.m3047.net/temporizing.html):
Imagine if I just suddenly started spreading around rumors of your malfeasance and shadyness, and untrustworthyness.
It's a big deal.
Leave it to HN to get me to defend even MS lol.
Alex Pinto's classic research into the (lack of) overlap among threat indicator feeds should be a shot across the bow; I worked with threat indicators for a decade. To fend off muppet thinking I would like to remind everybody that they're selling threat indicator feeds; nobody that I know of sells not-a-threat feeds. A false positive means a site was falsely reported as a threat [sp]; a false negative does not mean that it is good, it simply means it is omitted from the list of threats.
In my experience vendors are a lot more worred about false positives than dropping something which is a threat on the floor (false negatives in context). However, moral hazard pushes them to publish things which turn out to be false positives anyway, because at the end of the day they're selling FUD.
My network, my rules. Something doesn't have to be a threat for it to be blocked from a private network in my opinion; there are lots of reasons for that, including minimizing potential threats. Something could be hosted on stinky infrastructure, but it's unknown or hasn't been demonstrated to be a threat. Profiles for operational security vary, and so does the appetite for proactively blocking (and whitelisting necessary resources): just because it's legal doesn't mean it doesn't put me at a competitive disadvantage if people know what I'm doing. I have no problem with people sharing and discussing such indicators, but there has to be attribution to the sharer: they have a reputation to be considered with equal concern as that of the indicators they publish.
If you're going to do something public with such information, you can't point fingers at "AI" and indicators you found in a paper bag on the bus: you do that, then you own it. Saying the victim deserves it is something you'd better be prepared to defend in court.
Example: Viral video shows police pulling unarmed (and allegedly innocent) suspect out of a parked car that sparks outrage. It's later found out that the victim was previously evading police pursuit just minutes before, and was trying to blend in with the other cars in a lot.
Not saying that isn't shit or frustrating.
Being slightly more specific shouldn't be a problem.
Saying "we know you are compromised and know exactly where, but we're not going to tell" is very childish. Now, if they said for a nomial fee, we'd be happy to share the results of our work, would be another thing totally.
Are you saying that if you have this info correctly set up, these companies can verify your email domain is the same to provide assistance? What does law enforcement do with this info?
Email domains aren't always match with domains running the web-site (don't forget only ten years ago www. was still expected and people redirected you there from non-www. name).
But having access to DNS zone you can prove 'ownership' (at least technical) of the domain (even if it doesn't have the associated MX records for e-mail), precisely why LE is doing it.
> by copying&pasting whatever the original certbot
> I have no idea what they do, who can read them, when, where, why, etc
Oh my...
> Are you saying that if you have this info correctly set up, these companies can verify your email domain is the same to provide assistance?
More like "to prove you are the one responsible for tailspintoys.com - create a TXT record under that domain with 'dylan604 is admin here'".
> I have no idea what they do
TXT records are just plain text strings (in ASCII), nothing more, nothing less.
> who can read them, when, where, why
Everyone, anytime, anywhere, because it is you who placed it there in a system of Public DNS servers
The sad think is they didn't even tell that, they gave the admins no ways to be able to differentiate between:
- we don't care if we destroy your company with a false positive and
- we are sure we are right, if you didn't do it intentionally you are probably compromised
I've been in the situation where a company kinda 'ghosts' me before. And found out I was indeed the bad player (unintentionally, of course).
Those people don't have a registered business; The people contacting Microsoft do.
There are probably a bunch of excuses we can come up with that would make sense... but I think most people know the real reason, it's the same as with Google and Apple... they don't do customer support, and they don't take responsibility for any negative effects their services might have on others, at least not until someone big enough makes a fuss or lawyers get involved.
I don't think you understand how sophisticated malware distribution can be.
There's absolutely nothing stopping a "legitimate business" from distributing malware.
Likely they already store this info somewhere so that the next time anyone reviews the domain, the reviewer cannot overlook it. In that case, the system could be completely automated, sending the info to the hostmaster or tech-c of the domain or something.
If you launch a product that targets other businesses and has the capability of destroying them, you better take responsibility for that.
You're not sure which one of your virus payloads set off their screen so you open a ticket. And Microsoft is supposed to tell you exactly how to get off their list again?
Just like you shouldn't be beaten by the cops without knowing a reason for it.
Is that really something to worry about so strongly that we screw over legitimate websites?
A malicious actor can already know exactly what's detected if they run one malware at a time per site.
We can not expect companies to give free security advice. Secondly, providing such info without consent might result in legal actions from not so smart companies.
I worked with a very well-known university that unknowingly had been compromised and was being flagged for malware by various protective services.
They, assuming it was just a false positive, put up a banner at the top of their webpages that said they were falsely being flagged and that visitors should ignore any warnings and essentially shut off any protections for their website.
Meanwhile their site was compromised and attempting to dump payloads onto visitors.
Have you ensured you are not compromised?
> It might be wise to engage a security firm to conduct an investigation if you don't have in-house expertise in this area.
Any good security firms you recommend for a small to midsize website?
What about all of the garbage that people pull in from the webs (and into their customer's browsers)? Do you know why fonts.google.com is controversial? Is some ad network participating in a watering hole attack? Got a chatbot on your payment page?
Once you have a handle on that, you can start looking for answers. If that's too much to ask, then the time to start paring down your attack surface is before there are questions.
Use hosting that provides such guarantees. Use an MxP. Don't keep customer information you don't need. What you quote is facile.
I have seen and investigated cases where malware runs for everyone except in certain locations or even excluding only the site operators.
Look for weird scripts, includes, base64 decode and exec calls in your codebase/site.
Can you quote one of the shills? I see people saying that OP should verify that it's a false flag. Are those the shills to whom you're referring?
https://news.ycombinator.com/item?id=33037323
https://news.ycombinator.com/item?id=33037211
And these ones showed up right after they posted:
https://news.ycombinator.com/item?id=33037364
https://news.ycombinator.com/item?id=33037349
Edit: actually that first one was after they posted too? So their comment may not have been accurate the second they made it, but three comments defending microsoft's secrecy showed up in the next five minutes.
Yes/no/yes to the above questions means that is where you should look.
1) Check your DNS registrar and make sure there are no new subdomains. dnsdumpster can also help a bit.
2) Check for any new files in the directory tree of public facing sites.
If you're sure all is good you just have to keep escalating with microsoft and creating new requests to remove your domain multiple times a day from different IPs and emails so you can land in the right queue eventually. Squeaky wheel and all (don't forget social media noise).
It inspires paranoia I tell you.
And keep all the data you can (from Web, marketing, ads, etc.), to try to figure out and show how much this is costing you. "And here's where the hockey stick snapped in half."
This is when you have a lawyer send a letter. That's cheap. That gets your lawyer talking to Microsoft's lawyers. Most commercial disputes are, in practice, resolved that way.
Not sure if they solved it, but might be helpful asking them.
I know that it is problem of email providers, but still I would like to leave OneDrive, but I cannot find alternative that is in similar price range as OneDrive (about 2 USD/month for 1TB).
Run your page against OWASP top 10. You might find something
Maybe i am too tired and am missing some feature in whois or something.
my_account+site_address@example.org
for regular interactions, or:
my_account+site_address-current_date@example.org
for one-off interactions.
Won't help with historical abuses/data breaches but it'll certainly be invaluable in the future.
If you're willing to share more details about your site such as your tech stack, we can probably give you more specific advice beyond "check your logs for weirdness and hire a consultancy firm that deals with breach detection," though that is good advice.
For what it's worth I went through something similar to this not too long ago, so I know how maddening it is. My client never found any breach (though I did find some PHP library CVE's that could have conceivably been chained together to wreak some havoc), but I ended up rebuilding their prod environment clean and the flag went away on it's own after a couple days, probably because whatever malware was in there had disappeared.
In this case I also expect it's all very carefully worded ("Be careful! This site might be trying to harm your computer") to be legal even in cases when they accidentally (and inevitably) miscategorize a site.
Depends on jurisdiction, although I am presuming OP is from the USA due to their spelling.
In court and parliament, this is relaxed somewhat. But just 'cause you - say - saw a murder by X in broad daylight, doesn't mean you get to say you did anywhere you like, in Canada and Britain.
PS, yes defence is really spelled with a c in Canada. This was deliberately done historically in order to distinguish ourselves from the US long before the internet and spell-checkers.
IANAL - but then a lot of lawyers aren't much good at their game either.
I love Smartscreen…
I would however, probably be willing to DM people individually after doing a small amount of due diligence on their comment history. I guess it depends on sensitivity of the site and how desperate they are.
Yes... "Free security assessment" was a euphemism I'm afraid.
I put my company's website in my HN profile. Go ahead, make my day.
(I'm not the OP and as far as I know don't have any security issues)
Is it a corrupt system? Pay to play? Sure. But this is a guaranteed way to solve the problem. And way cheaper and 1000x faster and less of a headache than contacting an attorney (which a surprising number of people here are recommending!)
It seems like asking to run code on other people's machines is a privilege, too. Unfortunately the World Wide Web has trained consumers to grant that privilege willy-nilly to every web page they visit. I am thankful that code signing and validation is ending the party in that way.
At least to get a driver's license you need to pass a driving test, and return periodically to update the photo and pass an eye exam.
With the driver's license, the police officer can usually easily see if you've been behaving like someone who found their license in a packet of chips or not.
Does the certificate issuer perform any kind of due diligence to determine if the certificate should be given to this program?
Racket protection's determining characteristic is that the outfit can't care less what you do as long as you pay your dues and don't cross them. And if you don't, it doesn't matter how upright a citizen you are or how paranoid about safety you are, your shop will burn.
The certificate authorities are separately run, by the way. I don't know how you could say Microsoft has a protection racket when they accept certificates from disparate authorities.
Code-signing certificates enable users to discern reputation. A certificate confers a reputation and not holding a certificate means an unknown reputation.
If I drive a car without a license, I can probably drive that car for years as long as I'm obeying laws and not causing trouble. A police officer who pulls me over may perhaps not ask for a license after all, but he doesn't know my reputation of obeying traffic laws; he's got to check my privilege. A driver's license in my jurisdiction carries reputation beyond just the driving privilege: infractions will rack up points.
I’m surprised that it apparently had to be delivered physically. Did Comodo generate the private key for you?