There's "protecting your trademark from genuine copyright infringement" [nods], and "trying to silence legal parody via weak trademark arguments" [shakes head].
CSCs whole deal is securing domain names for huge brands, they probably have people whose job involves thinking of derogatory domains like that so they can grab them pre-emptively. The people behind the .sucks TLD turned that into an incredible grift, they charge an exorbitant amount (about $300 a year) because they know every big brand will buy brand.sucks no matter what.
I worked for a company where MarkMonitor proactively registered domains for us which were likely typos of our brand (e.g. example.com -> examlpe.com, exmaple.com, etc), and would hunt down registrations of new domains which appeared likely to be phishing sites. They didn't catch everything, but they were pretty good.
I worked at company_name when the .xxx top level domain became available, and my boss was sure that we should buy company_name.xxx. I talked them out of it. Luckily no one has maliciously registered company_name.xxx all these years later. I guess it could happen any day now.
This is true [0]! But even more surprisingly clownstrike.com redirects to crowdstrike.com. I am surprised why they may have thought this is a good idea, but it means that we can actually use clownstrike.com instead to reference it in the web.
I wonder to what extent companies consider the reputational damage these kinds of enforcement actions cause. I recently came across this when googling for information on a small Biotech startup:
Oh wow, they sued someone who used his last name as a domain name because they feel like their trademark should allow them to prohibit him from using his family name ... And obviously they registered their trademark after he started using his name.
Prince Rogers Nelson's given name was a registered trademark of Warner Music. It took that whole stunt with him changing his name to Love Symbol #2 to get them to relent.
i didn't know that prince was the same as prince rogers nelson (only vaguely remembered the name prince as a musician from dances at high school), so googled his name:
Remindes me of someone I met a long time ago that had the Zeppelin last name, and could not use on Facebook because and agreement between Facebook and the band Led Zeppelin blocked it.
UDRP is meant to address obvious, intentional, malicious domain squatting, where someone registers a domain with your trademark and then extorts you for it.
I believe it serves that purpose reasonably well.
There are three criteria that ALL have to be met (1. identical or confusingly similar to your trademark, 2. registrant doesn't have a legitimate reason, 3. registered/used in bad faith). In cases where these are met, it's pretty clear that the owner should be losing the domain.
I think it would make sense to add a rule that someone who issues a spurious UDRP request should be required to pay the domain holder some default amount of compensation for the hassle, but overall, I think this is a process that makes the Internet better, not worse.
What would have happened if Scipio refused to provide his marriage papers? Would he have lost the domain? How could he know beforehand?
If I was in his position, I would definitely feel the implicit threat of "if you're not willing to provide all the info we're requesting, you lose your domain".
> 2. registrant doesn't have a legitimate reason, 3. registered/used in bad faith
I've read arbitration cases where "The Expert" says (simplifying): "the site is being used for illegal activities, so there's no legitimate use", when no actual court or official institution has declared that the site's content is illegal*. So, you're at the whims of some "Expert's" opinion of what's legitimate, even if it may eventually contradict the actual justice system of your country.
I have very little trust on the competence and fairness of UDRP arbitration.
* And it's not a case where the things are evidently illegal, it's very debatable if they are.
In my experience, businesses which are the most vigorous about pursuing frivolous IP claims and lawsuits are usually dishonest entities which themselves trample and steal the IP of others.
I have twice found myself defending my IP rights when a business in one case, a government ministry in another, attempted to dispute my right to use the work that they had themselves stolen, wholesale.
Kinda wish the company got more than a slap on the wrist for such nonsense.
> While the Complainant may have 'sailed very close to the wind' in this case [...] the Complainant's conduct in this case does not appear to fall squarely into the realm of any of the above mentioned [Reverse Domain Name Highjacking] circumstances. Therefore, the Panel has decided not to make a finding of RDNH on this occasion. The Panel however cautions the Complainant to only invoke the [Uniform Domain-Name Dispute-Resolution Policy] Policy in the future in circumstances under which the Complainant is able to identify the bases and adduce evidence in respect of all three UDRP Policy grounds.
So yeah, name-n-shame on their leadership such as *checks* CEO Pierre Chaumat and friends. [0]
He was even willing to sell it for €5,000. If they had just paid that relatively small sum instead of getting all triggered that someone might ask money they would have had the domain. Hilarious. Good on this Christian fella for winning. What a bunch of idiots.
This does bring up a question though; I've had arp242.net for a long time, and obviously that's not my actual name. Can some company register "arp242" as a trademark and hijack my domain?
They can try through the UDRP, but your easy defense is to point that the date registered exceeds their TM by years. The UDRP would be highly likely to end in your favor should you dispute.
I think they generally give a lot of weight to someone who registered the domain well ahead of the said company registering their mark. Though you might run into trouble if you started using the domain in bad-faith against that company (ex. impersonating them).
In your example, you had that domain well in advance, it's your self-identified pseudonym that predates said mark, and it's actively being used to host your personal website. That seems like a pretty strong defense.
It sounds like they intended to use it as the primary e-mail domain for himself and family. They claimed that they had already switched to using it.
However, the total window of time here is small. They registered the domain in late November 2023 and this UDRP was filed in late February 2024. It also sounds like initial contact to try to acquire the domain occurred in early December 2023... so only a couple days after it was registered.
For the record, common law generally doesn't have a solid concept of actual/legal/"real" name, if you're known by a name then it's your name.
My birth cert, bank accounts, passports etc. are issued in various jurisdictions with various names. I'm not an international man of mystery or tax cheat, but I'm known by various equally legitimate names. It is a bit of a bother when someone around they must all be identical, but there's no crime or deception.
That is perhaps true in some Common Law jurisdictions (US?), but not for much of the world, including some Common Law jurisdiction such as the UK and Ireland. The first name I use daily is different from what's on my passport and I've gotten into trouble with this in both the UK and Ireland.
I'm not sure on what we disagree. It is my understanding that what I said applies to the UK and Ireland, there are formal ways to register a name change, but it is not necessary and it is possible to "change" your name simply by having people refer to you using the new name.
As I mentioned, this will cause some difficulty with people and organisations who assume names are unique and immutable(c.f. [0]), but that's not a legal issue and is no different to someone not coping with any other unusual but allowable circumstance.
> there are formal ways to register a name change, but it is not necessary and it is possible to "change" your name simply by having people refer to you using the new name.
Try opening a bank account like that. I can guarantee you it's not going to work; they will want to see a passport and proof of address with exactly the same name. I've been rejected by banks just because the utility bill shortened my second middle name to just "P".
This seems true for pretty anything of substance: government, tax, banks, insurance, health care, things like that. I'm not a lawyer and don't know how it works according to the letter of the law, but de-facto, you will have a "legal name".
I'm sorry you had trouble from your bank, I know the requirements are annoying. I have indeed opened bank accounts including in the UK and Ireland in names other than my passport name. It's easier once you have some piece of paper with a new name on it to get another.
This is why you want to remove as many intermediaries between your content and your audience as possible. Ideal scenario is your own ASN and a pipe with a commit and your own physical box. The only takedown target is your upstream bandwidth provider. From there you’re adding takedown targets: hosting provider, edge cache/firewall provider, commercial CMS, etc. So pick your middle ground carefully.
I’d suggest that choosing a commercial CMS makes you an easy target. Apparently so does choosing Cloudflare.
In this case Cloudflare, in a spasm of comprehension failure, soiled themselves further by proving unable to distinguish between a trademark complaint and a copyright complaint, and erroneously labelled the former as the latter. Irrespective of the fair use merits on display, the DMCA simply does not apply to trademark disputes.
Since this is "their core business" it's hard to believe that this material misrepresentation wasn't knowing or willful. I believe they've partially opened themselves to a counter suit on this point.
Except... in the 26 years the DMCA has been around and all the millions (billions?) of claims that have been made via it, want to guess how many people or organizations have been faced perjury repercussions?
Ironically the site takes me back in time to the Attrition era, where sites like these were used as defacement to point out similar clownishness. Well done.
> I’m most definitely not trying to put CloudFlare in the middle on this… so I told CloudFlare that I will take the site off of CloudFlare; however, it is staying on the internet…
I mean that’s kind, but the whole point of DMCA safe harbor provisions is that they aren’t in the middle of this. They send along the notice, you file a counter notice, and that’s it for their involvement, yeah? If CrowdStrike wants to press the issue, they go after you, not CloudFlare.
I think he's attempting to point out that CloudFront's basic value proposition is meaningless if a random third party company can automatically destroy your websites with a single letter.
Worse still, the letter is obviously incorrect for a trademark dispute, possibly illegal as a result, and should have never made it to the customer before being reviewed or followed up on by internal staff.
My read was "sorry you guys don't want to do your job so I'll just take my business elsewhere. goodbye."
I certainly don't want to claim everyone on Hacker News is a high powered CISO making EDR purchasing decisions for their Fortune 500 company or whatever, but I feel like there are enough people with actual influence who read this site that if I was a security company (or any tech company) I wouldn't want front page stories that make me look petty about getting rightly clowned on after a fuck-up of galactic proportions.
There is the difference that this mistake is much simpler. A lot of business people will understand that having a litigation team without even the most basic Streisand filter is a newbie mistake. How they should have/could have protected themselves against the big breakdown is a lot more complicated, even for tech people.
Does it matter? If they authorized a brand reputation company to harass random third parties without runnit it by them firs then it's still their fault.
If years from now CrowdStrike is known as "that company that sends bogus DMCA claims over parodys" then this is a huge success. Even a negative distraction might be good for them right now
Falcon sensor has been causing kernel panics / memory stacktraces / and insanely high load for years on Linux boxes (RHEL 7/8 mostly where I was at), not just in April.
FWIW: CSC is a company that other companies hire to act on its behalf.
It's very likely that the company you work for uses CSC as it's registered agent in the State of Delaware for administrative purposes (CSC doesn't really do anything other than exist on paper and file annual forms to satisfy legal and compliance requirements necessary for companies to exist in the US).
I wasn't aware they file DMCA requests on behalf of companies... that seems off brand for them.
2) Crowdstrike files a claim on their cyber insurance policy which includes coverage for brand protection
3) Crowdstrike (or their insurance company) buys some brand protection service, like the one offered by CSC
4) This guy receives a takedown
When I started writing this comment I was intending to defend CSC. But after googling I think CSC's brand protection services are to blame. Seems to be having the opposite effect for Crowdstrike considering they paid to have their brand "protected" and now this guy's site is getting lots of traffic!
Reminds me of that time when Mike Bloomberg's lawyers preemptively registered 400 .nyc domains for him, apparently without his knowledge, many of which are hilariously negative (MikeIsTooShort.nyc, MikeBloombergIsADweeb.nyc, GetALifeMike.nyc etc.):
> Seems to be having the opposite effect for Crowdstrike considering they paid to have their brand "protected" and now this guy's site is getting lots of traffic!
> I wasn't aware they file DMCA requests on behalf of companies... that seems off brand for them.
CSC is a well know high value domain registrar. Similar to MarkMonitor. I'm not surprised CSC does brand protection, also similar to MarkMonitor.
When I was at an employer that became a MarkMonitor customer, we didn't have enough domain business to meet the minimum spend, so we started using the Brand Protection "for free". Sometimes they have a hair trigger, we had our own accessory apps taken down occasionally. ¯\_(ツ)_/¯
Previous registrar was NetworkSolutions, lol; they had a customer service agent get phished, and the phishermen set new NS records for several domains, including ours. Major PITA.
Have used CSC for domain / brand protection. They offer a reputable service in this space, but i must admit, i developed the view that CSC much be a surreal place to work - i just couldn't figure out what/how/why motivates people to their mission. [obv, employee compensation]
Where they may have messed up is with the use of crowdstrike's branding. I've worked for a company that had a near 100% success rate with taking over domains that used their branding. Not just taking down the site, but taking ownership of the whole domain.
Were any of those success for violation of copyright or trademark when used in parody? I don't know if it would hold up, or how long it would even be between a domain registrar handing it over and having a day in court, but there does seem to be a good case for this being a protected use of CrowdStrike's protected branding.
That ruling is only relevant if the operator of clownstrike.lol is in Canada. The US in particular has much better protections for parody than most countries.
I actually thought CSC was a parody website ... it just seems a bunch of buzzword fluff and no products. Just "solutions" which at other companies is usually code for "we don't actually have anything to sell".
It’s ironic that Crowdstrike could be suffering reputational damage due to a failure mode they didn’t realize existed in the services provided by a vendor they hired to protect them from reputational damage.
Maybe this will give them some empathy for their users who bought their services to protect their infrastructure.
You don't need empathy when you have a captive market. I'm afraid we're about to enter the "lol fuck you, what're you gonna do, leave?" stage of this organization.
> It’s ironic that Crowdstrike could be suffering reputational damage due to a failure mode they didn’t realize existed in the services provided by a vendor they hired to protect them from reputational damage.
If you spend enough time around VC's it becomes difficult to imagine how this doesn't happen more often. Many times companies grow too quickly for a clearly seasoned veteran of the market to get a chance to take the wheel. Combine this with "nobody ever got fired for purchasing IBM" and you get a perfect storm for taking out the IT infrastructure for an entire culture—all you need is a majoritarian marketshare and you can take out an entire people.
I think it's going to shift. Airlines in particular are probably going to decide that they can't afford to take another hit like this, and come up with a way to limit the damage if a software update (even from Microsoft) is broken, and come up with a way to test updates before pushing them to all devices.
Ah, got it. So instead they'll just keep doing what they were already doing for half their systems: Keeping them without updates for decades. Those terminals survived, afterall.
I think the leaders of Crowdstrike should be considered clearly seasoned veterans. George Kurtz was high up at McAfee. But maybe Cathleen Anderson is a little new to the chief of legal role.
and what is shown on the page is Cloudflare boilerplate about DMCA, not Crowdstrike.
if Crowdstrike did use the DMCA form as a way of getting attention, that still serves as "notice" of the trademark infringement which Clownstrike has graciously acknowledged receipt of
I am quite certain that CSC won't proactively send Cease and Desist/takedown notices without first confirming with the customer that they want it done.
Someone at CrowdStike had to say "Yes, send the takedown for this".
I base this on prior experience working at places which used CSC brand protection (among other services)
They also apparently own the clownstrike.com domain [0] and this is since 2012, crowdstrike itself exists since 2011, so they must have hired them since close to the beginning. But could be that now they are probed to do damage control after the incident (though as always this tactic tends to disperse more damage than control it).
What I don't understand is why companies and brands like this just don't use NameBlock or a similar domain blocking service like GlobalBlock.
They literally can block domain names that have their company name or brand in them from being registered (up to 500 variations of their domain).
It's literally like $99/year to place a block. Saves a lot of the hassle of having to deal with parody and phishing sites and trying to take them down.
Just block the domain(s) from being registered in the first place.
You'd be surprised. I recently parked some big name domains ending in various common TLDs in the world of government contracting. They did utilize some sort of parking or service to do it for them, but certainly not enough.
If you place a block on a brand/companyname (a string of characters), then no one can register a domain name that contains those strings of characters. They also block up to 500 variations (placing a block on 'paypal' would get 'paypa1' blocked as well.
Those domains that are blocked won't be 'parked', someone trying to register the domain that's blocked, it will just say it's not available for registration.
I doubt it. They are protecting against variations of "crowdstrike"...Not every variation of domains with the word "strike" in it. That would go beyond reasonable.
This reads kind of like an advertisement. Plus it's subtly wrong.
My experience with the NameBlock API is that for those $99/year, they'll allow you to automate purchasing all similar domains. But then you have to pay registration fees on all of those domains, too. It's only $10/month per typo domain that you buy, but it sums up really quickly.
You're thinking of some other service, not NameBlock or GlobalBlock. There's no automated purchasing of all similar domain names. You don't pay registration fees, as the domains that end up being blocked will never be registered by anyone (not even you).
There literally is a block on the variations, it works at the Registry level not the registrar level.
I didn't grab the pricing info for NameBlock because it requires you to sign an NDA to even see the pricing. I also don't see a list of TLDs they support.
242 comments
[ 4.7 ms ] story [ 264 ms ] threadIt was how most people at M$ were referring to them last week.
edit: OMG, I thought it would be obvious I'm kidding. I guess garbage HN comments win garbage HN prizes.
Maybe there will be a supreme court ruling that George Kurtz has to wear a clown nose due to the Krusty precedent?
You mean "genuine trademark infringement".
I wonder what other parody names and altered versions they own…
http://microsoft.sucks redirect to Microsoft.com and they pay for it.
[0] https://www.whois.com/whois/clownstrike.com
For example: https://www.microsoft.sucks/en-au/microsoft-365
They did! They issued $10 Uber Eats Gift Certificates that were revoked minutes later[1]. What, you didn't get to use yours in time?
[1] https://news.ycombinator.com/item?id=41058261
https://udrp.adr.eu/decisions/detail?id=65fab3e46fc02956a010...
Will probably be the first thing I remember when I hear their name.
Actually, the company’s trademarks are from 2017 and he got his name via marriage in 2020.
Still a stupid suit
i didn't know that prince was the same as prince rogers nelson (only vaguely remembered the name prince as a musician from dances at high school), so googled his name:
https://en.m.wikipedia.org/wiki/Prince_(musician)
https://en.wikipedia.org/wiki/Scipio_Africanus
Shame on SCIPIO.
That is enough proof to conclude that this UDRP thing is deeply unfair and should not exist.
"First come, first served" is much more fair than this "burden of proof falls on the defendant" nonsense.
We'll have to replace ICANN with something better at some point.
I believe it serves that purpose reasonably well.
There are three criteria that ALL have to be met (1. identical or confusingly similar to your trademark, 2. registrant doesn't have a legitimate reason, 3. registered/used in bad faith). In cases where these are met, it's pretty clear that the owner should be losing the domain.
I think it would make sense to add a rule that someone who issues a spurious UDRP request should be required to pay the domain holder some default amount of compensation for the hassle, but overall, I think this is a process that makes the Internet better, not worse.
If I was in his position, I would definitely feel the implicit threat of "if you're not willing to provide all the info we're requesting, you lose your domain".
> 2. registrant doesn't have a legitimate reason, 3. registered/used in bad faith
I've read arbitration cases where "The Expert" says (simplifying): "the site is being used for illegal activities, so there's no legitimate use", when no actual court or official institution has declared that the site's content is illegal*. So, you're at the whims of some "Expert's" opinion of what's legitimate, even if it may eventually contradict the actual justice system of your country.
I have very little trust on the competence and fairness of UDRP arbitration.
* And it's not a case where the things are evidently illegal, it's very debatable if they are.
As I understand it, either side can escalate to the justice system in the end.
I have twice found myself defending my IP rights when a business in one case, a government ministry in another, attempted to dispute my right to use the work that they had themselves stolen, wholesale.
https://en.m.wikipedia.org/wiki/Streisand_effect
> While the Complainant may have 'sailed very close to the wind' in this case [...] the Complainant's conduct in this case does not appear to fall squarely into the realm of any of the above mentioned [Reverse Domain Name Highjacking] circumstances. Therefore, the Panel has decided not to make a finding of RDNH on this occasion. The Panel however cautions the Complainant to only invoke the [Uniform Domain-Name Dispute-Resolution Policy] Policy in the future in circumstances under which the Complainant is able to identify the bases and adduce evidence in respect of all three UDRP Policy grounds.
So yeah, name-n-shame on their leadership such as *checks* CEO Pierre Chaumat and friends. [0]
[0] https://scipio.bio/news/scipio-bioscience-appoints-new-ceo-t...
This does bring up a question though; I've had arp242.net for a long time, and obviously that's not my actual name. Can some company register "arp242" as a trademark and hijack my domain?
In your example, you had that domain well in advance, it's your self-identified pseudonym that predates said mark, and it's actively being used to host your personal website. That seems like a pretty strong defense.
so he didn't much care about it as his email address as he generally used his other domain christian-scipio.de? https://www.christian-scipio.de/contact
However, the total window of time here is small. They registered the domain in late November 2023 and this UDRP was filed in late February 2024. It also sounds like initial contact to try to acquire the domain occurred in early December 2023... so only a couple days after it was registered.
My birth cert, bank accounts, passports etc. are issued in various jurisdictions with various names. I'm not an international man of mystery or tax cheat, but I'm known by various equally legitimate names. It is a bit of a bother when someone around they must all be identical, but there's no crime or deception.
As I mentioned, this will cause some difficulty with people and organisations who assume names are unique and immutable(c.f. [0]), but that's not a legal issue and is no different to someone not coping with any other unusual but allowable circumstance.
[0] https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-...
Try opening a bank account like that. I can guarantee you it's not going to work; they will want to see a passport and proof of address with exactly the same name. I've been rejected by banks just because the utility bill shortened my second middle name to just "P".
This seems true for pretty anything of substance: government, tax, banks, insurance, health care, things like that. I'm not a lawyer and don't know how it works according to the letter of the law, but de-facto, you will have a "legal name".
I’d suggest that choosing a commercial CMS makes you an easy target. Apparently so does choosing Cloudflare.
https://news.ycombinator.com/item?id=41132328#41133504
Starts with "Z". Ends in "ero".
I mean that’s kind, but the whole point of DMCA safe harbor provisions is that they aren’t in the middle of this. They send along the notice, you file a counter notice, and that’s it for their involvement, yeah? If CrowdStrike wants to press the issue, they go after you, not CloudFlare.
Worse still, the letter is obviously incorrect for a trademark dispute, possibly illegal as a result, and should have never made it to the customer before being reviewed or followed up on by internal staff.
My read was "sorry you guys don't want to do your job so I'll just take my business elsewhere. goodbye."
https://www.techspot.com/news/103899-crowdstrike-also-broke-...
It's very likely that the company you work for uses CSC as it's registered agent in the State of Delaware for administrative purposes (CSC doesn't really do anything other than exist on paper and file annual forms to satisfy legal and compliance requirements necessary for companies to exist in the US).
I wasn't aware they file DMCA requests on behalf of companies... that seems off brand for them.
(After writing the above) turns out CSC has a Online Brand Protection service. https://www.cscdbs.com/en/brand-protection/ I wouldn't be surprised if:
1) Crowdstrike incident takes down internet
2) Crowdstrike files a claim on their cyber insurance policy which includes coverage for brand protection
3) Crowdstrike (or their insurance company) buys some brand protection service, like the one offered by CSC
4) This guy receives a takedown
When I started writing this comment I was intending to defend CSC. But after googling I think CSC's brand protection services are to blame. Seems to be having the opposite effect for Crowdstrike considering they paid to have their brand "protected" and now this guy's site is getting lots of traffic!
https://www.huffpost.com/entry/michael-bloomberg-nyc-domain-...
Streissand Effect.
That was fun.
CSC is a well know high value domain registrar. Similar to MarkMonitor. I'm not surprised CSC does brand protection, also similar to MarkMonitor.
When I was at an employer that became a MarkMonitor customer, we didn't have enough domain business to meet the minimum spend, so we started using the Brand Protection "for free". Sometimes they have a hair trigger, we had our own accessory apps taken down occasionally. ¯\_(ツ)_/¯
Previous registrar was NetworkSolutions, lol; they had a customer service agent get phished, and the phishermen set new NS records for several domains, including ours. Major PITA.
https://en.wikipedia.org/wiki/Untied.com
Maybe this will give them some empathy for their users who bought their services to protect their infrastructure.
Sure, they're all equal shades of shitty, but that's a different issue.
You can choose which digital shotgun is strapped to your organizational forehead.
If you spend enough time around VC's it becomes difficult to imagine how this doesn't happen more often. Many times companies grow too quickly for a clearly seasoned veteran of the market to get a chance to take the wheel. Combine this with "nobody ever got fired for purchasing IBM" and you get a perfect storm for taking out the IT infrastructure for an entire culture—all you need is a majoritarian marketshare and you can take out an entire people.
This is SOP for plenty of purchasers already.
Some orgs just don't have the ability to build processes like that.
and what is shown on the page is Cloudflare boilerplate about DMCA, not Crowdstrike.
if Crowdstrike did use the DMCA form as a way of getting attention, that still serves as "notice" of the trademark infringement which Clownstrike has graciously acknowledged receipt of
Someone at CrowdStike had to say "Yes, send the takedown for this".
I base this on prior experience working at places which used CSC brand protection (among other services)
https://who.is/whois/clownstrike.com
[0] https://www.whois.com/whois/clownstrike.com
They literally can block domain names that have their company name or brand in them from being registered (up to 500 variations of their domain).
It's literally like $99/year to place a block. Saves a lot of the hassle of having to deal with parody and phishing sites and trying to take them down.
Just block the domain(s) from being registered in the first place.
Those domains that are blocked won't be 'parked', someone trying to register the domain that's blocked, it will just say it's not available for registration.
My experience with the NameBlock API is that for those $99/year, they'll allow you to automate purchasing all similar domains. But then you have to pay registration fees on all of those domains, too. It's only $10/month per typo domain that you buy, but it sums up really quickly.
There literally is a block on the variations, it works at the Registry level not the registrar level.
https://globalblock.co/included-extensions/
I'm also seeing much higher pricing:
https://www.101domain.com/global-block.htm
NameBlock is a separate company than GlobalBlock, and covers a different set of TLDs/extensions.