Internet and other organizations

ARF is Now an IETF Standard

CircleID - Wed, 2010-09-01 18:57

When a user of a large mail system such as AOL, Yahoo, or Hotmail reports a message as junk or spam, one of the things the system does is to look at the source of the message and see if the source is one that has a feedback loop (FBL) agreement with the mail system. If so, it sends a copy of the message back to the source, so they can take appropriate action, for some version of appropriate. For several years, ARF, Abuse Reporting Format, has been the de-facto standard form that large mail systems use to exchange FBL reports about user mail complaints.

Until now, the only documentation for ARF was a draft spec originally written by Yakov Shafranovich (CircleID) in 2005 and occasionally updated, first by him and later by other people including myself. Earlier this year, the IETF chartered a working group called MARF which took that draft, brought the references up to date, stripped out a lot of options that seemed useful five years ago but that in practice nobody ever used, and this week it was finally published as RFC 5965.

ARF (or now MARF) is quite simple: a version of the existing Multipart/Report message format that includes information about the report, such as the address of the recipient, descriptive text for a human reader, and a copy of the offending message. Having a standard format for reports, simple though it is, makes them much easier to process. For my tiny system, for example, nearly all of the trickle of reports are about mailing list messages. When an FBL report arrives, an automated script looks at the report and the message, and in the usual case that it's from a mailing list, it creates an unsubscribe request to remove the person from the list. Otherwise, it passes the message along to the human manager so I can decide what, if anything, to do about it. Larger mail systems also use them to collect statistics about their mail-sending customers.
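As an added example (not code from the post or from the RFC), here is the kind of automated FBL handler described above, written against Python's standard email library: it parses an RFC 5965 report, and if the copied message came from one of our own lists and carries a mailto: List-Unsubscribe header, it turns the complaint into an unsubscribe request; anything else is escalated to a human. The sample report, every address, domain and IP in it, and the OUR_DOMAINS set are constructed placeholders.

```python
"""Parse an ARF (RFC 5965) feedback-loop report and decide what to do with it."""
import email
from email.message import Message
from email.utils import parseaddr
from urllib.parse import parse_qs, urlsplit

# Constructed sample report; every address, domain and IP is a placeholder.
# RFC 5965 structure: human-readable text, message/feedback-report, message/rfc822.
SAMPLE_ARF = """\
From: <abuse-feedback@isp.example>
To: <fbl@lists.example>
Subject: FW: Weekly digest
Date: Wed, 01 Sep 2010 12:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report;
    boundary="part-boundary"

--part-boundary
Content-Type: text/plain; charset="US-ASCII"

This is an email abuse report for a message received from IP 192.0.2.10.

--part-boundary
Content-Type: message/feedback-report

Feedback-Type: abuse
Version: 1
Original-Mail-From: <bounces@lists.example>
Original-Rcpt-To: <subscriber@isp.example>
Source-IP: 192.0.2.10

--part-boundary
Content-Type: message/rfc822

From: Digest Bot <digest@lists.example>
To: <subscriber@isp.example>
Subject: Weekly digest
List-Id: Example list <list.lists.example>
List-Unsubscribe: <mailto:list-request@lists.example?subject=unsubscribe>
Date: Wed, 01 Sep 2010 11:58:00 +0000

Digest contents go here.

--part-boundary--
"""

OUR_DOMAINS = {"lists.example"}  # placeholder: domains whose list mail we send


def _as_message(payload) -> Message:
    """message/* parts carry a nested Message; tolerate an unparsed string."""
    if isinstance(payload, list):
        payload = payload[0]
    return payload if isinstance(payload, Message) else email.message_from_string(payload)


def parse_arf(raw: str) -> tuple:
    """Return (feedback-report fields as a lower-cased dict, embedded original message)."""
    report = email.message_from_string(raw)
    if (report.get_content_type() != "multipart/report"
            or report.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF report: " + report.get_content_type())
    fields, original = {}, None
    for part in report.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = {k.lower(): v.strip() for k, v in _as_message(part.get_payload()).items()}
        elif ctype == "message/rfc822":
            original = _as_message(part.get_payload())
    if not fields or original is None:
        raise ValueError("ARF report lacks a feedback-report or rfc822 part")
    return fields, original


def unsubscribe_target(original: Message):
    """First mailto: URI in List-Unsubscribe (RFC 2369) as (address, subject), or None."""
    for uri in original.get("List-Unsubscribe", "").replace("<", "").split(">"):
        uri = uri.strip(" ,\r\n\t")
        if uri.lower().startswith("mailto:"):
            parts = urlsplit(uri)
            return parts.path, parse_qs(parts.query).get("subject", ["unsubscribe"])[0]
    return None


def decide(raw: str) -> dict:
    """Unsubscribe on an abuse complaint about our own list mail; otherwise escalate."""
    fields, original = parse_arf(raw)
    complainant = parseaddr(fields.get("original-rcpt-to") or original.get("To", ""))[1]
    sender_domain = parseaddr(original.get("From", ""))[1].rpartition("@")[2].lower()
    target = unsubscribe_target(original)
    # Act automatically only for a plain "abuse" complaint (not fraud, virus or
    # not-spam) about a message that really came from one of our domains and
    # carries a mailto: unsubscribe link; everything else goes to a human.
    if fields.get("feedback-type") == "abuse" and target and sender_domain in OUR_DOMAINS:
        return {"action": "unsubscribe", "to": target[0], "subject": target[1],
                "remove": complainant, "list": original.get("List-Id", "")}
    return {"action": "escalate", "feedback_type": fields.get("feedback-type"),
            "source_ip": fields.get("source-ip"), "remove": complainant}
```

The sender-domain check matters because a report can be forged or mis-routed: a complaint about mail we never sent should reach a person, not silently remove a subscriber.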

The IETF process works particularly well when it standardizes existing practice, and ARF/MARF is an excellent example of that. The differences between the earlier drafts and the final version make it clearer and more precise, and it's now a proper standard we can cite:

Abuse Reporting Format! Ask for it by name: RFC 5965!

Written by John Levine, Author, Consultant & Speaker

Follow CircleID on Twitter

More under: Email, Spam

Google Voice: Race to the Bottom for Telephony - or Something Else?

CircleID - Tue, 2010-08-31 21:26

Just when you thought making phone calls couldn't get any cheaper, along comes last week's news from Google about their latest iteration of Google Voice. There have been several steps along the way for Google to get to this point, and there are a host of reasons why this news is of interest to service providers of all stripes. I often write about how certain technologies and disruptive forces change the business of being a service provider, and this is but the latest example.

Ever since Vonage came to market, residential carriers have been faced with declining revenues for landline service, which itself is quickly losing ground to wireless substitution. Then Skype came along and brought desktop VoIP to a whole new level of adoption. Along with that came a new value proposition for voice. Whereas Vonage was offering a lower cost monthly plan, Skype was offering free or near free voice, driving the price down to levels that no conventional service provider could sustain.

Google has its own take on voice, which is why this story should be of interest to service providers. Vonage is marketed primarily as a replacement service for POTS, making it a direct competitor to telcos. Nothing complicated there—it's really just a price game, but telcos do have more options to bundle telephony with other things—and of course, even more so for cable operators.

Skype is primarily a Web-based IM/chat service, on top of which they do voice very well, and at low cost to subscribers. As popular as Skype is, their proprietary technology keeps them a bit inside their own sphere. They are still a major threat to telcos, but when positioned a bit differently, they can be a very good complement.

The latest news with Google, though, is something entirely different. Their calling service—Google Voice—is mainly an add-on to Gmail, and works a lot like Skype. As such, it's not a pure telephony service like Vonage, and it's not really built off IM/chat like Skype; it's built around email. Of course, Google has all these other tools, but email is ubiquitous, and Google has been successful building a strong user base here. Gmail binds the user more deeply than IM/chat, making it a great platform for both business and personal usage. I'm not alone in noticing these days that when you get a personal email address as a backup for someone you're working with, more often than not it's a Gmail address.

Google already has GTalk, which supports free online calls between Google users—and is comparable to the free calling Skype users have among themselves. Google Voice is much bolder and is their answer to Skype Out/In, and gives Gmail users a PSTN interface to make calls to the rest of the world. In the short term, this may take a bite out of Skype in that Google Voice calls within the U.S. and Canada will be free until year end (but maybe longer). Longer term - along with Skype - Google Voice is more of a threat to telcos as they accelerate the race to the bottom, bringing the value of a voice call pretty much down to where email is.

Why are they doing this?

In my view, it's not to put the telcos out of business. They're offering domestic PSTN calls for free, in the hopes of subsidizing them by charging two cents a minute for international calls. Fair enough, but I don't see that happening, and Google really doesn't need to make money with this service. Of course, free beats paid any day—so long as the quality is comparable—and I see them making the voice pie bigger, much the way Skype has. The key for me is more about how Google Voice interacts with Gmail. By escalating an email message to a free phone call, users will stay longer in the Google environment, and the ability to transcribe voicemail will certainly appeal to some.

However, I think there's more to the story. As mentioned, Google is coming from a different place than Skype, who depends almost solely on those Skype In/Out minutes for revenues. VoIP service is not expensive to provide, and Google has spent relatively little to get in the game. I would contend that the vast majority of their Google Voice capability comes from three small acquisitions that cost them maybe $150 million. When you think about the annual Capex budget of any incumbent, this really is pocket change. Going back to 2007, they acquired GrandCentral; last year they acquired Gizmo5, and a few months ago, they added Global IP Solutions. Collectively these companies have given them the pieces to offer a very appealing VoIP-to-PSTN service globally, and if they never make a penny from it, so be it.

As mentioned, free beats paid, and there's no better incentive to get people to use your service. Look how long Vonage has been around, and they barely have two million subscribers. Unlike Skype, Google doesn't have to build its user base from scratch, and it won't take long for them to start logging millions of calls. Just consider what happens when school resumes next month, and students will be falling over each other to make free calls home from those super-retro red UK phone booths that will be popping up on college campuses (and solar powered to boot).

As such, Google Voice will be one more reason to cut the cord, and the race to zero just picked up some speed. Thanks to Gizmo5, Google Voice is SIP-based and works nicely on both softphones and hand-held endpoints. Short term, there will be some cannibalization with Android by competing with voice from data plans, but Google will figure out how to make all these pieces fit. This is actually where the GIPS acquisition comes in, with their ability to support both voice and video over mobile devices, which in turn can make Google Voice a great add-on for businesses.

While Google Voice is primarily an outbound telephony service, I think they'll be able to take free calling beyond the desktop, and that's really what service providers need to be thinking about. Free on the desktop is one thing, but when you push out to mobile devices, things get more complicated. If this isn't enough, I think there's a separate agenda at work here, and it's something I've commented about elsewhere for quite some time.

Google is really interested in the voice business, not to make life difficult to telcos, but as a source of raw material—snippets from voicemail and live calls, if you will—that can be harvested for search. I'm not sure about the regulatory issues around this—and apparently Google has been vague here—but certainly for voicemail, free calls will generate a huge cache of "content" that they can apply speech recognition algorithms to and build an archive of audio-based search prompts. Once those audio cues are transcribed into text, they can become hugely valuable for the next frontier—mobile search. This sounds a bit on the dark side ("do no evil" as we're told), but it's a far better way to monetize voice than charging a few cents a minute or a few dollars a month. When viewed from this lens, Google Voice is a very different business than Skype, Vonage, or any telco for that matter. Disruption comes in many forms, and we're seeing a new one with Google Voice. Don't let the race to zero fool you; I think it's just a side-show compared to what Google really has in mind.

This article of mine originally ran today on my Service Provider Views column on TMCnet.

Written by Jon Arnold, Principal, J Arnold & Associates


More under: Email, Telecom, VoIP, Web

Stopping the Flow of Online Illegal Pharmaceuticals

CircleID - Tue, 2010-08-31 18:24

Reading through Brian Krebs's blog last week, I found an interesting post on the White House's call on the industry to help formulate a plan to stem the flow of illegal pharmaceuticals:

The Obama administration is inviting leaders of the top Internet domain name registrars and registries to attend a three-hour meeting at the White House next month about voluntary ways to crack down on Web sites that are selling counterfeit prescription medications.

The invitation, sent via e-mail on Aug 13 by White House Senior Adviser for Intellectual Property Enforcement Andrew J. Klein, urges select recipients to attend a meeting on Sept. 29 with senior White House and cabinet officials, including Victoria Espinel, the Obama administration's intellectual property enforcement coordinator.

"The purpose of this meeting is to discuss illegal activity taking place over the internet generally, and more specifically, voluntary protocols to address the illegal sale of counterfeit non-controlled prescription medications on-line," the invitation states.

Klein did not return calls seeking more information. A spokeswoman for the White House Office of Management and Budget confirmed the event, but declined to offer further details. The meeting appears to be a continuation of the administration's Joint Strategic Plan on Intellectual Property Enforcement, an initiative unveiled in June that promised to "address unlawful activity on the internet, such as illegal downloading and illegal internet pharmacies."

According to the World Health Organization, approximately 8 percent of the bulk drugs imported into the United States are counterfeit, unapproved, or substandard, and 10 percent of global pharmaceutical commerce—or $21 billion—involves counterfeit drugs. LegitScript.com, a verification service for online pharmacies, is currently tracking more than 45,000 rogue Internet pharmacies.

It is unclear to me whether or not the goal of this initiative is to stem the flow of online crime in general or to reduce the flow of illegal pharmaceuticals flowing into the United States (since presumably this cuts into the profits of large pharmaceutical companies… who would naturally want to see their profit margins increased in return for pledging their support for health care reform that was passed earlier this year). Assuming that the target of this are the online pharmaceuticals, there are a few things I can think of. Unfortunately, a three hour meeting really isn't enough to get this off the ground because it is a series of interconnected events that would need to take place. Anyhow, here's a list of things I'd do:

  1. Stopping illegal pharmaceuticals piggy-backs onto stopping illegal <anything> on the 'net. Spammers who advertise illegal software, or fake degrees, or fake enlargement pills, or fake mortgages are all basically doing the same thing. So, any strategy that is aimed at stopping those other things will extend to stopping fake pharmas as well. My point here is that concentrating only on fake pharmaceuticals may exclude strategies that scale to others.
  2. Registrars need to get their act in gear. When a website advertising cheap Viagra goes up, somebody somewhere needs to register that site. Whoever registers it needs to do a better job of verifying the identity of the person who registered it. The problem here is that so many of these sites are registered by registrars in foreign countries, outside the jurisdiction of the US. However, just like in the Wizard of Oz, there's no place like home, and the government can pressure domestic registrars to do better proactive abuse mitigation.
  3. WHOIS protection services are questionable. I don't deny the need for WHOIS-protected registrations in some cases. However, any time I am looking up a suspicious site and the WHOIS registration is protected, that's pretty much all I need to make the determination that the site is abusive. It doesn't cost much to shield your WHOIS information. If you want to do it, that's fine, but there should probably be a stricter set of criteria for shielding your information like this, requiring you to jump through a couple more manual hoops.
  4. Crackdowns on spammers will go a long way. One of the chief mechanisms for advertising illegal pharmaceuticals is spam. We all get it in our inboxes. Of course, there are other avenues of advertisement, such as black-hat search engine optimization. However, because it is not particularly difficult to send out a lot of spam and make money off of it, and because there is little chance of repercussion, spammers continue to do it. If law enforcement had more resources dedicated to prosecuting spammers, so that spamming became less attractive, then the supply part of the equation would start to dry up. In other words, putting spammers in prison will help in this regard, and this requires a prioritization of law enforcement resources. Whether or not they are willing to divert resources from one area of law enforcement to another is an open question.
  5. Perhaps walled gardens are a good idea. In Australia, some ISPs kick infected computers off of their network if the ISP can detect that the machine connecting to it is infected with malware. Or, they redirect them to a sandbox and alert the user that they cannot continue until they clean their system. If more ISPs made this a policy, then maybe we'd have less malware abuse flowing back and forth in cyber space. I don't think I'd want government to enforce this, but perhaps ISPs might be willing to voluntarily comply with this.

This is a small list of things that could be done, but by no means is it exhaustive. Running up-to-date software is a good idea, and so is running the latest patched version of one's software. What other ideas do you have to cut down on the flow of illegal online pharmaceuticals?

Written by Terry Zink, Program Manager


More under: Cybercrime, Domain Names, Domain Registries, ICANN, Internet Governance, Spam, Whois

Reading, Writing, and RFID Chips: A Scary Back-to-School Future in California

the Electronic Frontier Foundation - Mon, 2010-08-30 21:27

Scary news from California's Contra Costa County — school officials there have reportedly decided to track some preschoolers with RFID chips, thanks to a federal grant supplying the funding.

According to a story from the Associated Press, the students will wear a jersey at school that has the RFID tag attached. The tag will track the children's movements and collect other data, like if the child has eaten or not. According to a Contra Costa County official, this is a cost-savings move, as teachers used to have to manually keep track of a child's attendance and meal schedule.

But of course, an RFID chip allows for far more than that minimal record-keeping. Instead, it provides the potential for nearly constant monitoring of a child's physical location. If readings are taken often enough, you could create an extraordinarily detailed portrait of a child's school day — one that's easy to imagine being misused, particularly as the chips substitute for direct adult monitoring and judgment. If RFID records show a child moving around a lot, could she be tagged as hyper-active? If he doesn't move around a lot, could he get a reputation for laziness? How long will this data and the conclusions rightly or wrongly drawn from it be stored in these children's school records? Can parents opt-out of this invasive tracking? How many other federal grants are underwriting programs like these?

These are questions that desperately need answers. California is in the middle of a terrible budget crunch, but the solution is not federally funded surveillance of children who are too young to understand the implications.

Good News: Security Researcher Released on Bail

the Electronic Frontier Foundation - Sun, 2010-08-29 03:00

Hari Prasad, the Indian security researcher arrested for allegedly stealing an electronic voting machine, has been released on bail.

Earlier this year, an anonymous source gave the machine to Prasad and a team of researchers, who discovered critical security flaws. Under questioning by authorities last weekend, Prasad refused to divulge the identity of the source who gave them the machine. He was then arrested and reportedly charged with theft and trespass on the theory that he stole the machine himself.

According to the Indian news agency PTI, the magistrate who released Prasad on bail noted that "no offence was disclosed with Hari Prasad's arrest and even if it was assumed that [the electronic voting machine] was stolen it appears that there was no dishonest intention on his part...he was trying to show how [electronic voting] machines can be tampered with."

The court reportedly also asked the Election Commission of India to confirm or disprove Prasad's claim that the country's electronic voting machines can be compromised. If Prasad's claims are false, action could be taken against him, the magistrate said.

House of Cards

CircleID - Sat, 2010-08-28 03:38

Time flies. Although it was over 18 months ago, it seems just like yesterday that a small Czech provider, SuproNet, caused global Internet mayhem by making a perfectly valid (but extremely long) routing announcement. Since Internet routing is trust-based, within seconds every router in the world saw this announcement and tried to pass it on. Unfortunately, due to the size of this single message, quite a few routers choked—resulting in widespread Internet instability. Today, over a year later, we were treated to a somewhat different version of the exact same story.

First, let's review the Czech incident from February 2009. There were many positives to take away.

  • It was precipitated by an honest mistake.
  • It was an extremely unlikely event, as many stars had to be in exact alignment.
  • Most of the Internet's core survived.
  • The response from operators was fast and efficient, with the damage largely contained within an hour.

The complete technical details can be found here.

Deja vu all over again

Fast forward to today: Friday, 27 August 2010. What do you think would happen if another large and unusual routing announcement was made on the Internet? Do you think all the router vendors have perfected their code in the past 18 months? Do you think the entire planet has upgraded to this new, improved and perfect code base? Do you think it makes sense to use the Internet as your testbed? I doubt you answered "yes" to any of these questions.

We'll begin to describe what happened today with a snippet from a private mailing list. We'll purposely leave out the technical details so that we don't inadvertently contribute to the building of a Cybernuke.

On Friday 27 August, from 08:41 to 09:08 UTC, the RIPE NCC Routing Information Service (RIS) announced a route with an experimental BGP attribute. During this announcement, some Internet Service Providers reported problems with their networking infrastructure.

Immediately after discovering this, we stopped the announcement and started investigating the problem. Our investigation has shown that the problem was likely to have been caused by certain router types incorrectly modifying the experimental attribute and then further announcing the malformed route to their peers. The announcements sent out by the RIS were correct and complied to all standards.

Um, while standards compliance is nice, it is foolhardy to assume that all BGP implementations are perfectly compliant, especially given recent history. Over 3,500 prefixes (announced blocks of IP addresses) became unstable at the exact moment this "experiment" started. Not surprisingly, they were located all over the world: 832 in the US, 336 in Russia, 277 in Argentina, 256 in Romania and so forth. We saw over 60 countries impacted by a "correct" announcement that "complied with all standards". The following graph shows the timeline of the event, followed by a map of the impacted countries by prefix count. Notice that it takes a bit for the Internet to stabilize after RIPE claims to have withdrawn the announcement at 09:08 UTC.


Conclusions

On the positive side, the incident was very brief, the damage was limited to under 2% of the Internet and the responsible parties quickly fessed up, aborting their "experiment". On the negative side, the Internet remains a very fragile place, even if that fragility is highly localized and different in different places. Standards aren't followed, code isn't tested and people make mistakes. That's life with any complex system and, while we can certainly do a better job, we will continue to see these types of events no matter what safeguards we might take. What puzzles me is how anyone thought it might be a good idea to test fate in this way. The end result was completely predictable.

Written by Earl Zmijewski, VP and General Manager, Internet Data Services


More under: Internet Protocol, Security

White House Calls for a Meeting with Domain Registrars, Registries, and ICANN

CircleID - Fri, 2010-08-27 21:21

Brian Krebs reporting in Krebs on Security: "The Obama administration is inviting leaders of the top Internet domain name registrars and registries to attend a three-hour meeting at the White House next month about voluntary ways to crack down on Web sites that are selling counterfeit prescription medications..."


More under: Cybercrime, Domain Names, Domain Registries, ICANN, Internet Governance

ICANN's Tokyo Meeting Provides a Little More Clarity on the New gTLD Program

CircleID - Fri, 2010-08-27 17:44

New gTLDs continue to be a major topic of discussion within ICANN circles, and the regional meeting currently underway in Tokyo has revealed some interesting updates for potential applicants.

ICANN's Chief gTLD Registry Liaison, Craig Schwartz, delivered a great presentation on the progress being made behind closed doors at ICANN and provided the attendees with an insight into a couple of key changes that are likely to be seen in the Final Applicant Guidebook. As many of our readers would be aware, we have been waiting in anticipation for the new gTLD Final Applicant Guidebook to be approved at a previously unconfirmed meeting of the ICANN Board. The date for this meeting was today announced as September 10th.

Like many others in the industry, we'll be actively watching for the outcomes of this Board retreat where the focus will be on the new gTLD program's remaining unresolved issues. In particular, the Board's willingness to address the complicated Vertical Integration topic (given the inability of the VI Working Group to reach consensus) will be of interest to the many applicants likely to be affected by the outcome.

On another interesting note, one very important topic that has been flying under the radar is Registry Transition, namely the current requirement for new gTLD applicants to provide both a backup Registry Services organisation and a financial instrument sufficient to guarantee a minimum of three years of Registry operations in the event of the TLD owner being unable to operate it.

Obtaining a backup Registry Services provider is not particularly difficult. However, for many potential applicants (in particular smaller community-based applicants) the requirement to obtain a letter of credit from a financial organisation is an enormous burden and a significant additional cost.

Acknowledging this today and noting that the protection of the Registrant is paramount to this process, Schwartz said that ICANN had invested significant time and will further expand the recent concept of Emergency Backend Registry Operator (and yet another acronym, EBERO) whereby qualified applicants (i.e. Existing Registry Operators) could tender to ICANN to provide 'temporary' Registry Services in the event of critical failure of the Registry Operator to operate the gTLD.

This is a great initiative and should be welcomed by the community for two key reasons:

a) It has the potential to remove the requirement to name a pre-organised backup Registry Service.

b) It has the potential to reduce the level of financial guarantee to ICANN from applicants.

Other interesting points worthy of note from yesterday's session:

  • Communications Plan – This is being worked on by ICANN currently but won't be rolled out until the Final Applicant Guidebook is approved, almost guaranteeing that the earliest date for applications will be March or April 2011
  • DAGv4 Summary of Analysis – This won't be released to the public until after the Board's retreat, which is a surprise given that the public comment finished quite some time ago
  • IDN ccTLD Fast Track – ICANN have 33 applicants, representing 22 languages, currently under review as this program continues to drive the expansion of the internet across the globe

All in all, these small yet important pieces of information represent yet another positive step forward in the new gTLD process. I for one can't wait to see what the next few months will bring.

Click here if you want to see the presentations from the Tokyo meeting as provided by ICANN.

Written by Tony Kirsch, Senior Manager - International Business Development, AusRegistry International


More under: Domain Names, Domain Registries, ICANN, Multilinguism, Top-Level Domains

Colbert's Word: Control-Self-Delete

the Electronic Frontier Foundation - Fri, 2010-08-27 02:47

Just a few weeks after his interview with EFF Legal Director Cindy Cohn, American hero Stephen Colbert has returned to the subject of digital rights. And in his show on Tuesday, he came up with a great solution to the problem of privacy and online social networks: Control-Self-Delete.


As Colbert suggests, the CEOs of Google and Facebook can be astonishingly tone deaf when it comes to the question of the privacy of their customers. As these experts in social media ought to know, the fact that a person chooses to share some information about themselves online is no indication that they prefer to share everything — nor does it indicate that control of personal data is not something they care deeply about. Study after study has shown the opposite to be true: users care about privacy, and demand control of their own data.

We like Colbert's basic point, saved for the end of this clip: if anyone should change their behavior to address the problem of online privacy, it isn't young people who have uploaded some racy pics — it's the companies that have made themselves the guardians of our personal data.

Facebook Should Stop Censoring Marijuana Legalization Campaign Ads

the Electronic Frontier Foundation - Fri, 2010-08-27 01:08

Facebook is facing down another embarrassing episode of censorship this week after refusing to show ads submitted by the Just Say Now marijuana legalization campaign. The gag is an important reminder that social networks like Facebook — while useful, interesting, and pretty — are "walled gardens" with overseers whose interests can overwrite free speech, open communication, and in this case, essential political debate. (In this they have something in common with Apple.)

Most recently, Facebook was caught censoring mentions of Power.com, an online tool designed to help users collect their information from Facebook to facilitate migration to other social networks. To this day, users are still blocked from sending messages or posting status updates containing the word "Power.com," preventing users from spreading the word about a convenient way to "make the move" to Orkut, or LinkedIn, or any other social networking service that may crop up to compete. The block even stopped law professor Eric Goldman from commenting on Facebook’s lawsuit against Power.com (Disclosure: EFF filed an amicus brief in support of Power in that case).

Facebook's censorship for anticompetitive reasons is petty and lame to be sure, but silencing Just Say Now's marijuana legalization ad campaign is even worse. Voters in various districts nationwide will have to make important political decisions about marijuana this year (California's Proposition 19 is one example). Facebook's decision, reportedly an attempt to be consistent with its ad policies restricting smoking and/or marijuana-related content, is instead primarily silencing an important, motivated voice in a politically significant debate.

Facebook should lift the ban and show Just Say Now's political ads. For better or worse, Facebook has become an important means of communication and organization for candidates and political campaigns. In this role, Facebook functions best as a neutral platform, hosting the debate without entering it. Whether or not Facebook wants to restrict depictions of smoking in commercial ads, it should not prohibit the open and robust political debate central to the value and promise of the Internet.

IPv6 Deployed But in Unexpected Places

CircleID - Fri, 2010-08-27 00:21

Eric Vyncke reporting in the NetworkWorld: "IPv6 exists for more than 15 years and it is rumored to be deployed extensively in Asia and especially in Japan and China with Africa being the last continent to deploy IPv6. Another place where there should be a lot of deployments is of course in the USA with the US Government IPv6 mandates. But, when it comes to measure where web sites are actually deployed over IPv6, the rumor proves to be just a myth..."


More under: IPv6

Ensuring Maximum Resilience to the DNS?

CircleID - Thu, 2010-08-26 20:34

Yesterday CommunityDNS noticed a sudden, heavy spike in traffic through its Anycast node in Hong Kong. Although the node comfortably processed 863,000 queries per second for close to 2 hours, the spike was undeniable. While we can't say the increase in traffic was specifically due to DDoS, its sudden onset is suspicious and reminds us that DDoS is still a popular tool used by the malicious community.

DoS and DDoS attacks are happening throughout each day. UltraDNS was twice regionally impacted in 2009 by DDoS traffic, Register.com suffered close to a 3-day outage in 2009, and DNS Made Easy, the most recent target, saw close to a 1.5-hour outage for its users earlier this month; none of us (enterprises, ISPs, hosting firms, registrars and DNS providers) is immune to such malicious antics. While all queries in yesterday's spike appeared legitimate, there is no reason to believe CommunityDNS was the intended target of the sudden increase in traffic. However, it still raises the issue of the impact such malicious activity can have on the general user base as well as on the online economy.

Last year and earlier this year CommunityDNS worked on a study developed for the EU Commission's Directorate-General for Justice, Freedom and Security regarding the resilience of the DNS for the EU and its member states. The study pointed out the effect such malicious activity has on the confidence of legitimate Internet users: it erodes confidence, and so the EU's online economy cannot reach its full potential. The same concept would apply to any online economy. The study also noted how "suspicious" traffic appeared more elevated in some European cities than in others. A recent Forrester survey indicated that organizations experienced more than 350,000 DDoS attacks in 2009. Another study, from Arbor Networks, estimated that approximately 3% of the Internet's traffic is tied to DDoS, or roughly 1,300 attacks each day.

So as the Internet marches on with the needed ramp-up of DNSSEC, the rollout of IDNs and eventually the addition of new gTLDs, the malicious community continues its global activity. Such activity should make us all ask, "Are we doing the best we can to ensure maximum resilience for Internet users and online economies?" The best way to ensure maximum resilience for users, businesses and the general online economy is through platform diversity. Where one DNS platform is open source-based, a non-open source-based platform should be used alongside it. A mix of hardware platforms, upon which the open source and non-open source DNS software operates, is also necessary, as the hacker community has more tricks up its sleeve than DDoS attacks. Adding hardware and software diversity to an infrastructure with strong security, ample capacity and scalability is the strongest method for ensuring maximum resilience of the DNS.

Written by Chuck Kisselburg, Director, Strategic Partnerships

More under: Cybercrime, DNS, DNSSEC, Security

The Window of Opportunity for ccTLDs

CircleID - Thu, 2010-08-26 05:27

The announcement that .co has already achieved over 450,000 new registrations since the opening up of the second level a month ago demonstrates that there is strong demand in the global domain name marketplace for quality new domain spaces.

Though .co is the country code Top Level Domain (ccTLD) for Colombia, the second-level registrations (i.e. company.co) are available on a global basis and it is being pitched as a direct competitor to the dominant .com gTLD. Google has altered its algorithm to increase the relevance of search results in the .co domain by treating .co as a gTLD and allowing .co website owners to specify the geographic regions they are targeting. Though .CO Internet has the freedom enjoyed by all ccTLDs of not having to operate under ICANN's policy framework, they have elected to adopt policies that very closely match that framework, including the Uniform Domain Name Dispute Resolution Policy (UDRP).

The launch of second-level registrations under .co therefore represents, to all intents and purposes, a new gTLD launch, and appears to be a popular alternative to .com for both large corporations and small businesses, at least at this early stage. Overstock's purchase of o.co for US$350,000 shows a high degree of confidence in the new .co brand, and Twitter has also joined their list of high-profile anchor tenants, launching t.co as a secure URL shortening service. Anecdotal evidence also suggests that small businesses are taking the opportunity to secure names within this new space that they had been unable to register in .com or other spaces.

The .co launch is just the latest in a long line of examples of the opportunistic repositioning of ccTLDs to compete in the global market against the 'official' gTLDs. Colombia, like Montenegro (.me), Tuvalu (.tv) and a number of others, is simply leveraging its luck in the two-character assignment lottery by opening up its ccTLD to the world. Both Colombia and Montenegro have however tried to maintain the best of both worlds by reserving third-level registrations (such as .com.co and .com.me) for local entities, thereby providing trusted and dedicated domain spaces for the domestic market, while reaping the benefits of having a desirable ccTLD extension by opening up the second level to the world.

Despite the fact that they are globally-focused and effectively gTLDs, the success of .co and .me highlights the market opportunity that currently exists for other ccTLDs that are yet to establish a clear market position.

Of course, the vast majority of countries do not have the opportunity to reposition themselves as gTLDs to chase the global market, and in most cases there will be a clear preference to focus on the needs of the local market.

A report [PDF] released by Eurid (the .eu Registry) in June highlights the power that well-established and effectively managed ccTLDs can exert in their local markets. In Sweden, for example, the local .se ccTLD scored nearly 100% in terms of awareness and 49% for preference, compared with only 34% for .com. Similar rankings are likely to be enjoyed by other well-established ccTLDs, and we've seen similar numbers in relation to the position of .au in Australia.

Many ccTLDs however face a raft of challenges that are preventing them from achieving anything like this sort of local market position. These challenges can include the absence of local control, legacy systems, inefficient registration processes and restrictive policies, as well as a general lack of local capacity.

When ICANN's new gTLD program finally comes to fruition (likely towards the latter part of 2011), there will be a dramatic increase in choice for prospective domain name registrants across all regions and language groups. Those ccTLDs that are yet to position themselves as the pre-eminent domain space and default choice in their local markets therefore have a finite window of opportunity in which to do so, to ensure that they are not consigned to relative obscurity in the face of dozens of new Top Level Domains.

Written by Jon Lawrence, Business Development Consultant, AusRegistry International

More under: DNS, Domain Names, Domain Registries, Top-Level Domains

Omnibus Cybersecurity Bill May Not Go Where Original Authors Intended

CircleID - Thu, 2010-08-26 05:17

In an interview with GovInfoSecurity, Sen. Thomas Carper said that the U.S. Senate is considering attaching cybersecurity legislation to a defense authorizations bill. Though clearly a ploy to be able to say "we did something about those evil hackers" before the elections, CAUCE applauds the attempt. There can be no doubt that the United States (and many other countries) sorely needs better laws to deal with these threats.

Further, Senate Majority Leader Harry Reid has asked that the cybersecurity bills currently in front of various committees be combined into one single, omnibus bill, which would presumably then be attached to the defense authorizations bill. Here's where we start to get worried.

Each of the bills we've seen (and we surely haven't seen them all yet) has some good points, and some...let's just call them unintended consequences. In every case it's obvious that the authors' intentions were good, but they needed some expert advice from people who understand the technical and legal realities of the internet today.

One such expert, a long-time CAUCE supporter who asked to remain anonymous, shares his review of one of those bills: S. 3742, the "Data Security and Breach Notification Act of 2010." You can read the original and check its current status here.

Please note that this is not legal advice. Our expert is not a lawyer, I'm not a lawyer, and CAUCE did not consult with any lawyers before publishing this article.

Our expert says it's going to be difficult to construct a single good omnibus cybersecurity bill. The bigger and more complicated it gets, the less likely it is that anyone will actually read the bill before voting on it—particularly when they're in a hurry to go home and win an election.

He highlights a few specific items which could be troublesome for just about anyone running a mail server, a web site, or other online services which collect or transit any information:

  • Page 2, Section 2 (a)(2)(A): More or less everyone's going to need to have personally identifiable information (PII) security policies
  • Page 3, Section 2 (a)(2)(B): ... and an information security officer
  • Page 3, Section 2 (a)(2)(C): ... and a process for monitoring for PII breaches
  • Page 3, Section 2 (a)(2)(D): ... and a process for mitigating PII vulnerabilities
  • Page 3, Section 2 (a)(2)(E): ... and a process for securely deleting electronic records containing PII
  • Page 4, Section 2 (a)(2)(F): ... and a process for securely destroying paper and other non-electronic records containing PII
  • Page 4, Section 2 (b): If you're an "information broker" (which would include nearly anyone who collects information and shares it with anyone else), you have additional obligations, including needing to submit policies to the FTC, needing to provide consumer access to information, tracking access to information maintained by the broker, etc.
  • Page 13, Section 3 (a)(1): Requires notification solely to US citizens and residents in the event of a breach. Of course, that presumes you know the nationality/immigration status of those whose PII data you hold (hmm, I don't think *anyone* I know does, except for HR departments with regard to their own employees). If I were a covered entity, I'd be strongly inclined to begin soliciting that information from everyone I get PII data from, although of course that may trigger a whole different set of issues, particularly in areas where immigration related issues are a hot button topic.
  • Page 14, Section 3 (b)(2): Notification by a service provider triggers reporting requirements. This is going to make LOTS of friends for service providers, given the affirmative notification and credit protection obligations that customers accrue after being notified.
  • Page 19, Section 3 (d)(2)(A): Alternative notification is available for incidents involving LESS than 1,000 individuals. This is goofy.
    Normally alternative notification is allowed as an option when the number of covered individuals is very LARGE not very small. For example, some state laws permit alternative notification in cases where costs of providing notice would exceed a quarter million dollars, the affected class of consumers to be notified exceeds 350,000, or the notifying party doesn't have sufficient contact information to provide notice.
    There's language on page 22 of the draft bill that may allow regulatory additions to expand when substitute notification is permissible, but the basics for when substitute notification should be permissible should be part of the core statute, not an after-the-fact, maybe-yes, maybe-no regulatory add on by the agency.
  • Page 25, Section 3 (d)(2)(B): imposes compliance burdens on entities for a year before technical compliance guidance is available. Enforcement of the act should be held until the guidance envisioned by 3(d)(2)(B) is available, and realistically it will take probably an additional period after that for sites to deploy the recommended technology (new projects don't happen overnight).
  • Page 26, Section 3 (h): Potentially requires notification in polyglot languages. This can be a huge administrative PITA—consider the "simple" case of the EU, where there are "only" 23 official languages (Bulgarian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portuguese, Romanian, Slovak, Slovene, Spanish and Swedish, plus (semi-official) Catalan, Galician, and Basque).
    This section could be potentially exceptionally burdensome if the FCC suddenly mandates that sites provide notification in multiple foreign languages (I could see an argument for requiring Spanish as well as English, but there are some communities in the United States where other languages are also very common).
  • Page 28, Section 4 (b)(1): It seems unnecessarily combative to define all data security incidents as "unfair or deceptive acts or practices." Data security incidents are not typically something which a covered entity intentionally does, neither are such breaches typically "unfair" or "deceptive" in the same way that some TV or Internet huckster's "miracle" product or pyramid sales scheme might be.

The most persuasive argument in the other direction is probably that currently most states already have their own PII breach notification laws, and it can be a pain to try to stay in compliance with 46 different PII information security and breach notification statutes. So again, the intention is clearly good, but in practice...it needs some careful review.

So there are the results from one bill, examined by one expert. He's one of the best minds in the cybersecurity community, yet he may still have missed something. With legislation as important as this, smushing it all together and rushing to attach it to something unrelated is simply a bad idea. This is a topic which requires careful thought, from multiple people who really do know what they're doing—and who can explain it to the Congressional staffers who will write the resulting bill, and then to the Senators and Representatives who will collectively make the decision.

Once that education has occurred, it should quickly become evident that while some of these bills do overlap, others do not. Some will disagree. Some simply contain bad ideas. All of this has to be worked out. Then, finally, it might make sense to combine them—not now, and not just because they all have the prefix "cyber" in the title somewhere.

This article was originally published by CAUCE.

Written by J.D. Falk, Director of Product Strategy at Return Path

More under: Cybercrime, Law, Policy & Regulation, Security

Network Neutrality in the Wireless Space

CircleID - Thu, 2010-08-26 00:49

There's been a tremendous amount written about the Google-Verizon joint proposal for network neutrality regulation. Our commentary at the EFF offers some legal analysis of the good and bad in this proposal. A lot of commentary has put a big focus on the exemption for wireless networks, since many feel wireless is the real "where it's gonna be," if not the "where it's at" for the internet.

Previously I wrote about my support for the principles of a neutral network alongside my fear of FCC regulation, and decided that the real issue here is monopoly regulation, not network regulation. My feelings remain the same. In wireless we don't have the broadband duopoly, but it is a space with huge barriers to entry, the biggest one being the need to purchase a monopoly on spectrum from the government. I don't believe anybody should get a monopoly on spectrum (either at auction or as a gift), and each spectrum auction is another monopoly bound to hurt the free network.

Most defenders of the exemption for wireless think it's obvious. Bandwidth in wireless is much more limited, so you need to manage it a lot more. Today, that's arguably true. I have certainly been on wireless networks that were saturated, and I would like on those networks to have the big heavy users discouraged so that I can get better service.

[Photo caption: With Martin Cooper (left), former Motorola vice president and division manager who in the 1970s led the team that developed the handheld mobile phone (as distinct from the car phone). Source: Wikipedia]

As I said, on those networks. Those networks were designed, inherently, with older, more expensive technology. But we know that each year technology gets cheaper, and wireless technology is getting cheaper really fast, with spectrum monopolies being the main barrier to innovation. We would be fools to design and regulate our networks based on the assumptions of the year 2000 or even on the rules of 2010. We need to plan a regime for what we expect in 2015, and one which adapts and changes as wireless technology improves and gets cheaper. Planning for linear improvement is sure to be an error, even if nobody can tell you exactly what will be for sale in 2015. I just know it won't be only marginally better or cheaper than what we have now.

The reality is, there is tons of wireless bandwidth—in fact, it's effectively limitless. Last week I got to have dinner with Marty Cooper, who built the first mobile phone, and he has noticed that the total bandwidth we put into the ether has been on an exponential doubling curve for some time, with no signs of stopping. We were in violent agreement that the FCC's policies are way out of date and really should not exist. (You'll notice that he's holding a Droid X while I have the replica Dyna-Tac. He found it refreshing to not be the one holding the Dyna-Tac.)

Bandwidth is limitless both because we keep improving it, and because we can build picocells anywhere there is demand. The picocells use very high frequencies and won't go through walls. You may think that's a bug, but actually it's a feature, because you can have two picocells in different rooms that don't interfere much with each other, and get gigabits in each individual room. While wireless use is growing quickly, much of that is coming inside buildings.

In the past, having so many cells would be too expensive. But today the electronics for the cells cost a pittance compared to what old thinking predicted. And that's going to continue. This is just one way we know to get more bandwidth for everybody.

The original question was whether it was good for somebody to be soaking up the wireless bandwidth in your area downloading a movie, and whether networks needed to throttle such users. We scream out that they should, but our thinking is short-term. It is the congestion caused by these heavy users, after all, that drives the innovation and network expansion. If we can "solve" our problem with network management rather than putting in more bandwidth, then we don't create as much incentive to make the bandwidth technology cheap. If the only way we can solve the problem is to boost the network capacity to match the wired one, that's how we will solve it.

Some have argued, in fact, that it's cheaper to solve these problems with more bandwidth than it is to solve them with network management. Network management turns out to be pretty hard, and requires lots of work by human beings, and thus it's quite expensive. And it's not getting cheaper, for it is not a problem that Moore's law (or Cooper's law) helps you as much with. Boosting the network is such a problem. And if you solve congestion this way, and drive the creation of better and cheaper products, not only do you get reduced congestion but you also get a nice fast network when it's not congested. It's a huge win for the network and for the world, since everybody gets to buy the new technology, while not everybody needs the network management.

It's been popular to tell Google they are being evil by getting together with Verizon on this deal. I suspect it's more a case of not thinking about the future. Once the FCC encodes rules into law, we'll have them for decades, and even if we're lucky enough to get the right rules today, they won't be the right rules for the future. Alas, they will probably be the rules the lobbyists want.

If the FCC or FTC want to make rules, they should be monopoly busting rules. Let's have better roaming, for example, so our devices can readily and rapidly make use of the small cells. Most new phones have 802.11, so what about a system where any operator of a short-range access point can easily make it a picocell and sell service to the wireless company (now a wireless aggregator) at negotiated or auctioned rates. Most wifi hotspots would be happy to do this at very low rates (they often do it free right now) that can easily be bundled with any plan. A hotspot that wants to charge extra might only get premium customers.

A good roaming system helps enable the ethic I think is right for spectrum sharing—"don't be selfish." Under this regime you are required to use only as much power and spectrum as you need, and if you're inside a building and there is a nice 100 Mbit in-room 5 GHz wireless, you should not be broadcasting to everybody for a mile around at 850 MHz. Doing so is wasteful and doesn't make sense. If the FCC needs to do anything, it should slightly tweak things to encourage such good behaviour.

Written by Brad Templeton, Electronic Frontier Foundation (EFF) Boardmember, Entrepreneur and Technologist

More under: Broadband, Mobile, Net Neutrality, Policy & Regulation, Telecom, Wireless

Musopen Wants to Give Classical Music to the Public Domain

the Electronic Frontier Foundation - Wed, 2010-08-25 22:33

Music lovers take note: the classical music archive Musopen needs your help to liberate some classic symphonies from copyright entanglement. Musopen is looking to solve a difficult problem: while symphonies written by Beethoven, Brahms, Sibelius, and Tchaikovsky are in the public domain, many modern arrangements and sound recordings of those works are copyrighted. That means that even after purchasing a CD or collection of MP3s of this music, you may not be able to freely exercise all the rights you'd associate with works in the public domain, like sharing the music using a peer-to-peer network or using the music in a film project.

To fix this, Musopen is asking backers to join an effort to hire a world-class orchestra to record sublime digital performances of the symphonies by the composers mentioned above. Musopen will then relinquish all rights to the recordings, giving the public the freedom to experience these works in full: to download, share, derive, and remix without limit. The fundraising campaign is taking place on Kickstarter, a site where users can pledge money to various creative projects. (Users pledge an amount towards a project, but the money doesn't actually go to the project unless the specified funding goal is reached. Kickstarter has a great explanation for their "all-or-nothing funding" design on their FAQ.)

It’s too bad such seminal, cultural works have been effectively buried by copyright interests — despite their age, ubiquity, and importance. (Note that problems like this are exacerbated by discrepancies in international laws that create different "public domains" that copyright owners can exploit to stop online archives.) The Musopen campaign presents a creative solution that could help ensure that such essential music is preserved and shared for generations to come. Music lovers and copyfighters — vote with your wallet and support Musopen's work!

EFF's Cindy Cohn Wins IP Vanguard Award from State Bar of California

the Electronic Frontier Foundation - Wed, 2010-08-25 22:33

We're pleased to announce that EFF's Legal Director, Cindy Cohn, has won a 2010 Intellectual Property Institute Vanguard Award from the State Bar of California.

Cindy was one of four legal professionals honored for spearheading new developments in the world of intellectual property. We're proud to see the work that we do to preserve balance in copyright, trademark, and patent law recognized, and we'll continue to fight for the fans, the tinkerers, independent journalists and bloggers, and consumers.

The 2nd Annual IP Vanguard Award will be presented to Cindy during an awards Luncheon on Friday, October 29, at the 2010 Annual IP Institute meeting in Napa, California.

Verizon: Advent of 4G LTE, WiMAX-Based Devices Will Only Increase the Need for IPv6

CircleID - Wed, 2010-08-25 20:30

Verizon Business has a message to companies still reluctant to migrate their networks to IPv6: You're better off doing it now than later. William Schmidlapp, Verizon Business's product manager for Internet dedicated access services, says that the advent of 4G LTE and WiMAX-based devices will only increase the need to switch over to IPv6, since each of those devices will require its own IP address…

Read full story: Network World

More under: Broadband, IP Addressing, IPv6, Mobile, Wireless

Russian Cybercrime is Organized / Russian Cybercrime is Not Organized

CircleID - Wed, 2010-08-25 20:23

I like to read other people's stories when it comes to spam, and I like Box of Meat. It's always alerting me to interesting stories around the web that deal with cyber security. But the more I read, the more I see conflicting views on the state of the criminal cybercrime world. On the one hand, the Russian criminal cybercrime underworld is a scary, organized place where people are actively trying to do the rest of us harm. On the other hand, there is the position that this view is an exaggeration of what it is actually like, and that it's a bunch of ragtag folks who have some advanced computer skills but are not formally organized. They trade amongst each other for the highest prices and exchange goods and services like an open market, but they are not colluding with each other. I see this very similarly to how I see cyber warfare—on the one hand there are the hawks who believe national cyber threats are behind every corner, and on the other hand there are the doves (for lack of a better word) who claim there is no national cyber threat, it's all about crime that has moved online.

Consider excerpts from this article from the New York Times:

MOSCOW—On the Internet, he was known as BadB, a disembodied criminal flitting from one server to another selling stolen credit card numbers despite being pursued by the United States Secret Service. And in real life, he was nearly as untouchable—because he lived in Russia. BadB's real name is Vladislav A. Horohorin, according to a statement released last week by the United States Justice Department, and he was a resident of Moscow before his arrest by the police in France during a trip to that country earlier this month.

...

The seizing of BadB provides a lens onto the shadowy world of Russian hackers, the often well-educated and sometimes darkly ingenious programmers who pose a recognized security threat to online commerce—besides being global spam nuisances—who often seem to operate with relative impunity.

Law enforcement groups in Russia have been reluctant to pursue these talented authors of Internet fraud, for reasons, security experts say, of incompetence, corruption or national pride. In this environment, BadB's network arose as "one of the most sophisticated organizations of online financial criminals in the world," according to a statement issued by Michael P. Merritt, the assistant director of investigations for the Secret Service, which pursues counterfeiting and some electronic financial fraud.

...

According to the Secret Service statement, Mr. Horohorin managed Web sites for hackers who were able to steal large numbers of credit card numbers that were sold online anonymously around the globe. Those buyers would do the more dangerous work of running up fraudulent bills. The numbers were exchanged on Web sites called CarderPlanet—carder.su and badb.biz—according to the Secret Service, and payment was made indirectly through accounts at a Russian online settlement system known as Webmoney, an analogue to PayPal.

...

Computer security researchers have raised a more sinister prospect: that criminal spamming gangs have been co-opted by the intelligence agencies in Russia, which provide cover for their activities in exchange for the criminals' expertise or for allowing their networks of virus-infected computers to be used for political purposes—to crash dissident Web sites, perhaps.

Reading this article, you would come away with the impression that these guys are very good at what they do—they have extensive computer hacking and social engineering skills, are well educated not to mention being good at money laundering (or being affiliated with people who are good at it). We see terms such as 'sophisticated' being used to describe these people. They are a definitive threat and the odds of actually arresting them are small; when they are arrested, it is seen as the exception and not the norm. In any case, they are not a ragtag bunch of people but instead are well organized and intentional about their behavior.

Worse yet, there are possible collusions between themselves and national intelligence agencies. This makes the general public even more concerned because the not-so-subtle implication is that not only do these people have extensive hacking skills, they could potentially use this to cripple national infrastructure if a hostile government, directed by an intelligence agency, instructed them to do so. The general public isn't entirely clear on what spy agencies do anyway, but in our cultures we are ingrained with the belief that they do some nasty stuff. Just imagine what they could do with a small army of hackers.

However, contrast that article with excerpts from this one in eWeek:

When people think of cyber-crime, the typical image being pushed today is that of highly organized criminal operations. New research, however, suggests the underbelly of cyber-space may be less mafia-like than some think. In an effort to improve the level of understanding of today's black hats, security researchers Fyodor Yarochkin and "The Grugq" have spent several months looking at Russian hacker forums.

"It is an ongoing project that we started about 18 months ago," Grugq told eWEEK. "Originally it started when Fyodor investigated some service offerings from Russian hacker forums for a specific project that I was working on. It turned out to be extremely interesting and amusing, so we discussed doing more long-term monitoring on the forums. It grew from there into what is now a continuous monitoring program."

Their research was presented last month at the Hack in the Box 2010 conference in Amsterdam. What the two found was that the image of a highly organized cyber-underworld run by hardcore criminals is not the order of the day. Instead, the dozen or so hacker forums they analyzed illustrated that many of the users are "geeks, not gangsters," the researchers said.

"Basically, from what we've seen on the forums much of what goes on with the sales of services is much more petty criminal activity, or crimes of opportunity," Grugq said. "Often poor students who like to hack for fun will sell access to a server they've owned. Many don't even realize that this is an illegal activity. This sale will be for $20 or $30, which is a lot of money for a poor student in Russia, but for a hardened criminal mastermind bent on destroying Western civilization—not so much."

...

"In terms of percentage, there'd be two to three guys working on stuff professionally, versus 10 to 20 hobbyists," he continued. "Most of the activity is essentially petty criminal activity where guys are trying to make a little extra cash on the side. You can think of it as a self-organizing hierarchical system with needs and people able to provide goods and services to satisfy the needs."

...

"From what we can guess," Grugq said, "any [mob] involvement is more along the lines of some people at the very top of the stack have to pay off the real gangsters. ... So, for example, if you are organizing a massive credit card cash-out scam which nets millions of dollars, you'll have to pay protection money to the mob to not get robbed. It doesn't look like the mob itself is organizing these cash-outs though.

"We're not disputing that organized crime is involved with cyber-crime, but the popular conception of leather jacketed thugs running around with firearms and laptops is not in line with what we have observed from the actual communities," he said. "It seems like it is very useful for some companies to popularize the scary idea of Russian cyber-gangsters, but honestly the involvement seems to be much more hands off."

This is quite a bit different from the perspective offered by the first article. Here, we still have perpetrators who are advanced hackers with strong computer skills. However, they are not organized amongst each other and treat their craft like a bunch of frat boys. They boast amongst themselves. They argue amongst themselves. They don't even seem to realize that what they are doing is illegal. What makes the problem so widespread is that the cost of technology has dropped so much, and Internet access has become so ubiquitous, that they can do a lot of damage with limited human resources.

A few weeks ago I wrote about how many hackers who get arrested are arrested because of their own hubris. They do not have their egos in check and therefore end up leading a cyber paper trail straight to their lairs. Their lack of life experience leads to carelessness, and when that occurs they get caught. It is more of a bunch of individual actors doing stuff, trading stuff, trying to make some money. This is hardly the portrait painted by the New York Times.

So which portrait is correct?

Well, to be sure, there are many hackers out there who are hobbyists, and they are the ones who get caught. But it certainly seems like there are plenty of organized criminal groups out there as well (such as Avalanche). A conspiracy is often a "nice" way to explain all that's wrong in the world, but conspiracies rarely hold up to close examination (never attribute to malfeasance what you can simply attribute to incompetence).

My theory is that this is a variant of the Pareto principle. The Pareto principle, also called the 80/20 rule, states that 80% of the effects come from 20% of the causes. In a business, 80% of the revenue comes from 20% of the sales. 80% of system crashes are caused by 20% of the bugs. 80% of the movement on the stock market comes on 20% of the days (not sure if this one is true… it sure feels like it).

In the same way, 80% of the cybercrime is caused by 20% of the cyber criminals. The other 80% of the cyber criminals do some damage and are not so difficult to trace back. They are nuisances and commit online fraud but will always remain small potatoes. By contrast, the good ones, the 20%, are very good at what they do. They are fewer and better, cause more damage, and get paid more. The reason they get paid more is that they are more skilled and have the full repertoire—good computer skills and good people management skills, that is, the ability to stay anonymous.

People who are good at their craft usually make more money, and in order to stay alive in the criminal underworld (that is, without getting arrested), you need to be good. Not everyone is good at what they do (like the players on my favorite football team, which explains their current 2-6 record). The ones who aren't that good browse forums and chat openly about stuff. They don't make too much money. The ones who are good are busy honing their craft, coming up with new ways to separate people from their money, and they don't browse forums. They are spending their time getting better at what they do, not raising their profile.

That's why the second article paints a picture of a disorganized structure of hackers: the hackers that they can examine fall into the 80% who just aren't the kingpins of the industry. And that's why the first article paints a picture of doom and gloom: they are studying the elite group of hackers who are difficult to catch and more difficult still to profile.

That's my theory.

Written by Terry Zink, Program Manager
