CircleID: Featured Blogs

Latest blogs postings on CircleID

Updated: 2017-03-29T15:04:00-08:00


Networks - The Next Challenge in Digital Transformation


As digital transformation has been picking up momentum, leading analysts such as 451 Research have suggested that hybrid multi-clouds and automated DevOps will become key constituents powering enterprises in the new era. At the heart of these enabling technologies lies Lifecycle Service Orchestration (LSO), designed for near-autonomous application deployment across hybrid infrastructures consisting of traditional on-premise data centers and public clouds.

The business case for LSO is straightforward. To accommodate the peak loads that any digital service may experience, enterprises running their own data centers have been forced to invest in excess capacity to absorb the 2-3x load peaks that occur from time to time. Since this excess capacity idles most of the time, buying the peak capacity from cloud service providers considerably reduces the CAPEX investments an enterprise would otherwise have to make. With the promise of slashing CAPEX spending in half, it is no surprise that hybrid IT has been gaining in popularity of late. This has led to something of a gold rush into the market space, with industry bellwethers such as Cisco Systems, Hewlett-Packard Enterprise and Microsoft all making significant investments in the area. The open source community has also taken note of the potential, with DevOps communities and key commercial players such as Red Hat making their way to the hybrid world.

Hybrid IT Runs on Networks

The curious thing about hybrid IT innovation is that practically all the focus has gone into the application realm. I find this somewhat troubling from an operational point of view because, for applications to be moved around automatically using technologies like LSO, both the application release parameters and the underlying networks should be managed within a single unified system.

By fusing unified network management and LSO together, enterprises will be able to develop streamlined processes that allow private Wide Area Network (WAN) segments to be activated automatically in Virtual Private Clouds (VPC). This enables seamless connectivity between private enterprise data centers and public clouds such as Amazon Web Services or Microsoft Azure, making the free movement of application workloads a reality. In contrast, without a unified network management process in place, IT departments can easily end up with delivery times measured in months. This is the typical time it takes to manually assign and activate new network segments, to requisition new virtual appliances, and to install and configure all of this by hand. In situations where the business user urgently needs additional application capacity to meet business needs, delivery times this long are simply not acceptable.

Conclusion

To solve the network part of the digital transformation, Lifecycle Service Orchestration (LSO) should be paired with a unified network management system that is responsible for the underlying networks in the same way that the LSO is responsible for the business applications that run on them. You can call me an idealist, but I have a strong feeling that solutions like this are just around the corner. Otherwise, the ICT industry will have a hard time unleashing the true power of Hybrid IT.

Written by Juha Holkkola, CEO of FusionLayer, Inc.

More under: Cloud Computing, Data Center, Internet of Things [...]

Studying .BRAND New gTLDs


Many participants in the latest ICANN meeting in Copenhagen asked the same question: "when is the next round of the ICANN new gTLD program?". When the question came from new gTLD service providers, I noticed that it differed from "the first round": now the question focuses more on .BRANDs than on Generic TLDs dedicated to selling domain names. The question also comes more often from representatives of Trademarks who want to acquire a .BRAND domain name extension.

When is the next round?

There have been dozens of publications with that same title and no answer inside. I recently read a publication saying that it could be between 2020 and 2025. I also asked the question publicly at the latest ICANN meeting in Copenhagen and was told that the answer would remain the same as when previously asked in other ICANN forum sessions: no one knows, and the reason is simple: a few things like "singular and plural domain name extensions" must be fixed before the next round.

A "date" is not the only question anymore

More Trademarks have now started to use their domain name extension. The Dot Brand Observatory has published a number of case studies which answer the second most important question for Trademarks willing to apply for their personalized TLD: what to do with a .BRAND new gTLD? Trademarks such as SEAT, FAGE, LECLERC, BNPPARIBAS, SENER, JCB, CITIC GROUP, BRADESCO, DNP and BARCLAYS feature in the published case studies, and more will be added. "Leclerc", for example, is a French supermarket and hypermarket chain. The 26-page study says that it is developing its .brand TLD in a progressive and consistent approach: second level domains correspond to product categories, keywords or specialized stores. Another example of a live website is "Bradesco", a financial company from Brazil, which has 114 domain names registered.

Note that this is a lot for a .BRAND applicant, since none of these domain names are sold: they belong to the registry (Bradesco here), which pays to renew them, unlike a generic registry, which has registrants buying them from registrars. Bradesco uses its personalized domains but also uses a "redirect" strategy. 45 domain names are redirected: 9 of them to the main welcome page and the 36 others point to relevant corresponding pages ( redirects to

Usage is key

If the initial talk about .BRAND new gTLDs was long negative due to the incredibly high cost of submitting an application to ICANN, ".brand" new gTLD registration volumes now clearly show that applicants want to activate the full potential of their domain name extension. While registration volumes are a nebulous indicator for generic gTLDs dedicated to selling domain names, they are a good indicator that .BRAND new gTLDs are deploying, since a .BRAND applicant has no reason to activate domain names just to say: "hey: my registry has thousands of live domains registered". A .BRAND applicant does not need to attract customers to buy its domain names since it does not sell them. Digging into the Dot Brand Observatory websites, there is a page dedicated to "Volume of domains": MMA, Audi, NRA and Abbott are applicants using more than 100 ".brand" domain names. This is not what we call a defensive strategy, which consists in acquiring a .BRAND domain name extension for the sole purpose of securing the Trademark's assets. This is real usage.

Written by Jean Guillon, New generic Top-Level Domains' specialist

More under: Top-Level Domains [...]

Trademarks and Domain Names Composed of Common Terms


The lexical material from which trademarks are formed is drawn from the same social and cultural resources available to everyone else, which includes domain name registrants. Since trademarks are essentially a form of communication, it is unsurprising that a good number of them are composed of common terms (dictionary words, descriptive phrases, and shared expressions) that others may lawfully use for their own purposes. Equally unsurprisingly, domain names can be identical or confusingly similar to these common-term trademarks. But whether domain name registrants infringe owners' rights to exclusive use of their terms on the Internet depends on when the domain names were registered (and if they postdated the trademark, why?) and how the domain names are being used (important only if they postdate the trademark).

One of the differences between applications for trademarks and registrations for domain names is that applied-for marks are examined by a gatekeeper and domain names are not. In the trademark world, rights to particular terms are circumscribed by statutory rules that prevent owners from acquiring a monopoly over all but made-up words ("google"). This is done by subdividing goods and services into different classes. Apple Inc., the iconic maker of electronic goods in Class 37, for example, doesn't have a monopoly on the word "Apple". It shares the mark with an Apple Bank (Class 36), an Apple Market (Class 35), and many other APPLE businesses in a variety of different classes, none of which overlap with the goods offered by Apple Inc. In the cyber world, domain names (when not identical to marks) can be composed in countless variations by simply adding, omitting, and reversing letters or combining words. Terms that function as trademarks in the actual marketplace can just as easily be used in cyberspace for their semantic value (the facts not demonstrating otherwise) () or be equally as distinctive as trademarks (, discussed below).

In the "gabs" case, Gabs S.r.l. v. DOMAIN ADMINISTRATOR – NAME ADMINISTRATION INC. (BVI), CAC 101331 (ADReu February 26, 2017), the Panel noted that Respondent has "used the Disputed domain name only within its ordinary meaning." "Gabs" transformed into a trademark informs consumers of the nature of the good or service. "Gabs", the Panel continued, is a common English word based on "gab", meaning "talk, prattle, twaddle" (Concise Oxford Dictionary), and it is used to invoke notions such as "the gift of the gab" and in colloquial words such as "gabfest" and "gabble". It does not strain the language at all to accept that it is used interchangeably as a verb, as in "talks" or "prattles." Ergo, the GABS Complainant has nothing to complain about because Respondent is not exploiting the trademark value of the common term.

In ZB, N.A., dba Zions First National Bank v. Oneandone Private Registration, 1&1 Internet Inc / John Mike, D2017-0137 (WIPO February 26, 2017), the dispute turns on the dictionary word "zion" in the second level string. But Complainant doesn't own "zion"; it owns several marks with the variant "Zions", as in Zions Direct and Zions Bank. Zion in the singular is a geographic term with historic/cultural and religious connotations but has no meaning in a plural form. There's only one Zion. While Complainant's mark is undoubtedly well-known in the territory in which it operates and for the banking and financial services it provides, ZB, N.A. has no monopoly on "Zion." This is clear from the USPTO database: there's a ZION in Class 12, a ZION REAL ESTATE in 35 and many other "Zion" businesses in a variety of noncompeting classes. A better argument for cybersquatting could have been made if the added letters "vpn" were banking or finance terms, a point amply illustrated in other Zions Bank UDRPs, but "vpn" is an acronym for "Virtual Private Network." The Panel notes that Co[...]

A Case to Further DNS Registrar Industry Self-Regulation


In most industries, businesses that blatantly act against the interests of their customers to favor their own internal profit centers would either not be allowed to do so or else be subject to controls and oversight by the government. It is universally regarded as an unfair and deceptive business practice. In the domain name registrar business, however, the normal practices of legitimate business dealings and customer protection seem woefully wanting. Kelly's Case, described here, illustrates the point, and it provides the opportunity for ICANN to demonstrate it can be responsive to egregious registrar behavior without government agencies or juridical bodies becoming engaged.

A young woman starting up a business recently conveyed a disturbing set of facts. I'll call her Kelly. Kelly started up a web-based business five years ago, as part of an MBA enterprise development initiative. She created an LLC, registered a related domain name, and over the subsequent years built a business with innovative services and a trademarked brand name with intellectual property — all associated with the domain name. She regularly ensured the domain registration fee was paid. Suddenly she found the domain was not functional, and on contacting the registrar was told that without her notice, knowledge, or approval, the domain had been hijacked — sold to what appeared to be a domain name collector. She was instantly out of business. Upon further inquiry, to her amazement, she found out that the "hijacker" was the registrar itself — the auction unit within the registrar. After pursuing the matter within the registrar's own processes, she was informed that the registrar regarded its obligations as being to its own auction business unit, not to her as a customer. The basis for the registrar's action was that five years previously, when she had registered the domain name, she had been enticed by the auction business unit to see what the domain name was worth.

No further communication occurred and the relationship with the registrar auction unit itself was terminated — but apparently not the right to "hijack" the domain to sell it off. To the extent a clickthrough agreement existed, it would certainly be unconscionable. She never imagined that the registrar could years later simply transfer the domain name to its own business unit for sale to a third party without notice to or approval by her. What is all the more appalling here is that the registrar also reviews its own actions and declared its actions final in favor of the business unit. She was told by staff verbally that although this was patently unfair, the registrar regards its obligation as being to its auction business unit rather than to the registrar's domain name customer.

From a legal and public policy standpoint, Kelly's Case raises multiple significant concerns that seem increasingly common. The potential for abuse goes back to the Anti-cybersquatting Consumer Protection Act (ACPA) in 1999, and a considerable body of law has emerged. It is apparent that the U.S. Federal Trade Commission and its counterparts, as well as the courts in many jurisdictions, have instituted multiple actions against domain name registrars for unfair and deceptive practices. Indeed, the FTC itself — concerned about the potential increase in registrar deceptive practices and fraud — has repeatedly asked ICANN "to take additional steps to protect consumers." Other than the pro forma creation of an ICANN Data and Consumer Protection Working Group in 2010, however, it is not apparent that ICANN has actually done much of anything to protect consumers against the kinds of rather egregious activities and actions that Kelly's Case raises. Indeed, until the very recent appointment of a new senior VP for contractual compliance and consumer safeguards, ICANN has been asleep in this area.

As part of the group 20 years ago that helped initiate ICANN as a means to help nurture industry self-regulation, I personally find this situation di[...]

Loudmouths Wanted for ICANN WHOIS Replacement Work


TL;DR? It's worth reading, BUT, if not — ICANN has yet another group looking at WHOIS, and there is a huge push to redact it to nothing. I spend easily half my day in WHOIS data fighting online crime; losing it would not make my job harder, it would make it impossible. PLEASE JOIN THE ICANN GROUP and help us fight back against people who are fighting in favour of crime. M3AAWG has submitted at least three comments in this regard, but that's not how ICANN works; they consider the number of submissions to be more important than who is making a statement. M3, with hundreds of member companies, counts for one vote. Do it now; it is time for the security community to stand up strong to this nonsense. Thanks.

Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email

Rant shared with permission:

-------------------------------
Subject: ICANN WHOIS Replacement Work
Date: March 24, 2017 at 4:05:52 PM GMT-4

We have been trolling them with facts for a month now. I learned a lot about that group in that time. Here's a blood-pressure-boosting wall-of-text rundown:

The group is a bunch of registrars and "right to be forgotten" privacy people. They want to kill DomainTools and all similar services. The "privacy" advocates want domain ownership to be anonymous without a court order. They have no concern about privacy violation caused by criminals. They don't care that anonymous free speech is already available or that the domain system they are trying to create will be tremendously dangerous for dissidents and so forth to trust. They want to create privacy by forcing us to delete data we have collected from public sources. They are extremist fanatics with ideas unburdened by knowledge. People on this mailing list have done far more to protect privacy than these so-called advocates.

And for the registrars, it appears they are intent on saving money as they don't want to deal with the complaints or maintenance of whois. They seem uninterested in the fact that their small savings will cause huge losses for someone else. Some are dismissive of law enforcement, and some have spoken hostile words about Spamhaus, where the only other mouths I have heard such words from belonged to spammers. The arrogance from some of them is palpable. I am not exaggerating. The list archives are public, and you should decide for yourself.

-------------------------------

I don't want this to be an entirely negative reactionary issue. There are opportunities. If enough people *who actually use WHOIS and own domains* participate, we can make WHOIS better. Have you ever been irritated with a bad domain that enjoys the benefits of WHOIS privacy? Have you ever been irritated that a registrar makes you visit their website and answer a CAPTCHA to see the WHOIS record, only to find out their website is broken? Have you ever been irritated with a registrar that gives your search warrants the middle finger and discloses no whois? Have you ever been irritated with registrars that minimize their exposure on DomainTools (and other WHOIS archivers) so they can appeal to abusers?

If we don't participate, the risk is that bad policy hurts the Internet while increasing the profit of a minority. It has happened before. Here are some past ICANN policy issues:

The .ZIP TLD: apparently no one involved saw a potential problem, but they certainly saw profits.
An explosion in general of TLDs that increased profits for registrars, with few controls on price abuse, to the benefit of registries and the expense of everyone else.
Companies spending hundreds of thousands of dollars to get a TLD, and domains on new TLDs, to prevent anyone else from using their name.

Make no mistake, killing our visibility will reduce the money they spend on abuse complaints and subpoenas. It is insane that this minuscule industry dictates policy that increases risk for the global financial system.

---------------------------[...]

The Future of Fully Automated and Robot-Driven Transportation and Supply Chain Management


Today, we are in a way naturally connected to automation and robotics. In the industrial revolution, people realized that many tasks could be performed better and more efficiently by a machine. Our dependence on technology has risen greatly since then, and thanks to scientific and technological advancements, we are on the brink of a new era. Experts are working on creating robot-driven and fully automated transportation to enhance supply chain management and public transportation. Let's see what kind of future awaits us.

Public Transportation and IoT

What is the Internet of Things (IoT)? To put it simply, it is a huge network of connected 'things', including things-things, people-things, and people-people relationships. The concept revolves around the possibility of connecting any device — smartphones, computers, headphones, washing machines, coffee makers, and others — to the Internet. People today are connected to the Internet more often than ever before. However, public transportation (trains, buses, and cars) still represents a notable dead spot in this concept. The Internet of Things is looking to change things such as lapses in coverage on the subway or in underground tunnels. The IoT is there to ensure constant connectivity to the Internet. This will also make transportation much more efficient. The main players in this 'game' are Greyhound, Amtrak, JetBlue, and Delta, who have understood the importance of IoT connectivity. For example, aircraft maintenance workers can make sure that a plane complies with FAA guidelines and secure the aircraft more easily thanks to sensors built into the planes. Also, many bus, train, and airline companies have started equipping their vehicles with Wi-Fi, with the aim of enhancing the customer experience. Thanks to the IoT, many smart cars and connected cars have gained in popularity.

Dangers of Cyberattacks to Transport Systems

Due to the increased risk of cyber attacks, GCC governments are urging improvement in the security of critical national infrastructure. IBM has predicted 30 billion autonomously connected 'things' by the year 2020 in the field of operational technology. However, what is also on the rise is the sophistication, scale, and number of cyber attacks aimed at IoT systems. Cyber criminals can, for example, shut down automated transportation systems, direct construction teams to damage utilities intentionally, create false emergencies, and even shut down street lights by sending fake data to sensors. Omnix International, a company dedicated to providing software solutions to public and private organizations across the energy, hospitality, AEC, and government sectors, is developing new cybersecurity solutions because of the growing organizational demand.

Supply Chain meets AI, IoT and Robotics

We learn things by doing them, tending to improve the processes. But when it comes to building a supply chain system, every time we begin from the ground up — repeating up to 40% of the same activities and going through the same calculation steps each time. The future of mainstream supply chain activities sees the embedding of Artificial Intelligence. The problem is that we can't access algorithms that learn and retain experience and knowledge of the past. How can AI then be implemented and used in supply chain management? Well, robotics and machine vision are already in use, mostly in warehouses and in facial recognition systems used by law enforcement. Machine/computer vision systems can be used, for example, by designers who use peripherals such as mice, keyboards, and drawing boards for interacting with 3D models. By employing gesture recognition apparatus, these systems can bypass all such inefficient mechanisms.

AI can aid in the development of predictive technologies that can make operating the supply chain more efficient. Also, creating fully-aut[...]

Use STIX to Block Robocalls


It is one of those oddities that occurs around Washington from time to time. During the same hour today, the Federal Communications Commission (FCC) was meeting at its downtown headquarters trying to stop robocalls, while a large gathering of government and industry cybersecurity experts was meeting a few miles away at Johns Hopkins Applied Physics Lab advancing the principal means for threat information sharing known as STIX. It turns out that STIX may be a perfect match for meeting FCC robocall mitigation objectives.

Structured Threat Information Sharing (STIX) emerged from industry collaboration with the DHS US-CERT as a best-of-breed platform for observing cyber threats, packaging the sighting information, and distributing the bundle in trusted ways to users to stop the threats. The platform was initially perfected by MITRE working closely with several industry groups — especially the financial industry. It captured such a significant cross-section of security communities in the U.S. and internationally that the entire platform was turned over to the standards body OASIS, where it resides today under the aegis of the Cyber Threat Intelligence (CTI) Technical Committee. STIX is now envisioned as the principal platform for implementing both the U.S. Cybersecurity Act and the EU Network Information Security Directive.

As many of the cyber security experts noted, unwanted calls — often with spoofed caller IDs or disguised origins — are a well-known threat faced constantly in dealing with network traffic. It makes effectively no difference whether the traffic is a voice call, text SPAM, malware, or a DDoS attack. They all represent threats to users and network operators.

Indeed, during the course of years of Federal agency proceedings and workshops, industry innovators (as opposed to legacy incumbents) have urged reliance on the capture and exchange of robocall threat patterns among providers and end users rather than heavy-handed, complicated governance models. Today, the dichotomy in approaches is posed as "deterministic" (i.e., governance schemes, registrations, certificates, and registry database lookups) versus "probabilistic" (i.e., capturing and exchanging threat signatures).

So the FCC Robocall NOI/NPRM released today will doubtless unleash many thousands of irate complaints about the robocall/spoofed call problem. However, the FCC would be best served by eschewing onerous, deterministic platforms like STIR and SHAKEN with their certificate governance schemes, and relying instead on the more lightweight and already proven probabilistic solutions of the cyber security community and agencies, like STIX. For STIX, robo/spoofed calls are simply another threat exchange profile. The latter approach is also more scalable, global and pro-competitive, encourages greater innovation, and leverages the enormous work within the cyber security community. It also comports with the minimalist approaches favored by policy makers today.

Written by Anthony Rutkowski, Principal, Netmagic Associates LLC

More under: Policy & Regulation, Security [...]

How Long Does a URS Case Take?


The Uniform Rapid Suspension System (URS) — which allows a trademark owner to suspend certain domain names, especially those in the "new" gTLDs — was designed as a quicker and less-expensive alternative to the Uniform Domain Name Dispute Resolution Policy (UDRP). As I've written frequently before, there are significant differences between the URS and the UDRP. One of those differences is how long a typical proceeding lasts. Like the UDRP, the URS procedure and rules provide strict timelines for various stages of a case. But, unlike the UDRP, URS cases are usually resolved much more quickly — often in less than three weeks (although reviews and appeals may prolong the life of a URS proceeding). Here's how a common URS case proceeds:

Step 1 (Filing of Complaint): As with a UDRP complaint, a trademark owner has discretion in deciding when it wants to file a URS complaint. Nothing in the URS procedure or rules requires that a complaint be filed within a specified period of time, and — to my knowledge as of the date of this writing — no URS decision has addressed the issue of laches, that is, whether a URS complaint would be barred by an undue lapse of time between the trademark owner's discovery of the disputed domain name and the date on which it files a complaint.

Step 2 (Administrative Review): The URS procedure requires that a dispute service provider conduct an "Administrative Review" within two business days of the date on which the complaint was submitted to the provider. (Currently, there are three URS service providers: the Forum, the Asian Domain Name Dispute Resolution Centre and MFSD.) The procedure makes clear that this review is simply "to determine that the Complaint contains all of the necessary information."

Step 3 (Notice and Locking of Domain): The URS service provider must immediately notify the registry operator after the service provider has completed the administrative review, and the registry operator is required to lock the disputed domain name within 24 hours. Then, within another 24 hours, the service provider must notify the registrant of the disputed domain name of the complaint, providing both electronic and hard copy notices.

Step 4 (Response): A registrant has 14 days after notification to submit a response to a URS complaint. The URS provider may grant "a limited extension of time to respond" if there is a good faith basis for doing so. If the registrant does not submit a response, the proceeding is considered to be a "Default," which is relevant for purposes of a later possible "de novo review" or appeal (see below) and does not automatically result in a determination in favor of the complainant.

Step 5 (Determination): Although supplemental filings are not uncommon in UDRP cases, a URS examiner "may not request further statements or documents from either of the Parties," and — to my knowledge as of the date of this writing — no URS examiner has considered a supplemental filing from any party, because doing so would complicate and delay what is supposed to be a simple and rapid process. The examiner appointed to decide a URS case (and all URS cases have only a single examiner) is expected to issue his or her determination "on an expedited basis, with the stated goal that it be rendered within three (3) Business Days from when Examination began." Under "extraordinary circumstances," an examiner may not issue a determination until five days after the response was filed. If the determination was an order to suspend the disputed domain name, the registry operator is required to do so "[i]mmediately upon receipt of the Determination" from the URS service provider.

Complications: The process outlined above may seem very straightforward and quick — and, in most cases, it is — but the URS provides multiple o[...]

The Future of Networking (In One Slide)


I recently ran a workshop in Asia and, to guide attendees through the content, I put together an overview slide which you might also find of interest and use. It is a description of the quality attenuation framework, originally developed and defined by Predictable Network Solutions Ltd, and documented and extended by myself and colleagues at Just Right Networks Ltd. You can read more at

* * *

The telecoms industry is, I believe, overdue for a 'lean' revolution. This will change its working model from 'purpose-for-fitness' to 'fitness-for-purpose'. For networks, that means switching from 'build, then reason about performance' to 'reason about performance, then build'. The benefit of this business transformation is a radical lowering of cost and cost risk, predictable experiences, and the ability to rapidly adapt to changing patterns of demand.

In order to deliver this benefit, there needs to be a management system that executes on the new intent of 'going lean'. What to change, what to change to, and how to effect that change? Answering these means applying a system of scientific management that helps us focus on what is relevant and ignore what is not. These ideas of scientific management are well established in other industries (Six Sigma, theory of constraints, the Vanguard method, statistical process control), but appear to be a novelty in telecommunications.

In order for these lean concepts to be applied, we need to overcome a series of technical constraints that we presently face. The technology innovations that will achieve this include high-fidelity measurements, new packet scheduling mechanisms, and new architectures to embed these into.

Turning those technologies into a working system for a particular product, customer or deployment is an act of engineering. True engineers have an ethos of taking responsibility for fitness-for-purpose, and for any shortfall in fulfilling the promises made. This means turning a high-level customer intent into a technical requirement.

To understand whether there is a risk of under-delivery against the requirement, you need to be able to model and quantify the 'performance hazards' via 'breach metrics'. This means reasoning about the performance of supply chains before they are assembled, and decomposing a 'performance budget' into a requirement for each element or supplier.

Turning that specific engineering requirement into an operational system, in turn, draws upon a general science of performance. This considers what resource supply will meet the resource demand. The nature of the resource constraint is timeliness (if you can be made to wait forever, the tiniest capacity will suffice). The contract between supply and demand is formed as a 'timeliness agreement', which can be enforced by observing how 'untimeliness' (packet loss and delay) accrues along the supply chain.

This 'untimeliness' is a reframing of the nature of quality: from an attribute of a 'positive' thing (quantity) to the absence of a negative thing (quality attenuation). There are three basic laws of networking (that don't appear in the textbooks) that describe this 'quality attenuation' phenomenon: it exists; it is conserved; and it can (partly) be traded between flows.

The amount of quality attenuation that is tolerable for an application to deliver an acceptable rate of performance failure defines its 'predictable region of operation'. This is the requirement of demand that is then expressed in a 'timeliness agreement' that contracts the required supply.

Underpinning this is a need to quantify the idea of quality attenuation. This involves extending the mathematics of randomness from 'events' (like rolling a die) to include 'non-events' (the die never lands). This allows packet loss to be included in a single resource model together with delay. This is akin to how ima[...]
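The following Python is an added illustration of the 'untimeliness' model described above; it is not code from the original post or from Predictable Network Solutions' or Just Right Networks' published framework. Each hop's quality attenuation is kept as an improper distribution: a tuple of delay samples for packets that arrive plus a probability mass for the 'non-event' of a packet that never lands. Composing two hops in series shows the conservation point (attenuation only ever accumulates), and comparing the composed result against a deadline and a tolerated failure rate is the breach metric that enforces a timeliness agreement. The hop names, delay samples and loss rates are constructed for the example, and independence between hops is assumed.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class DeltaQ:
    """Improper delay distribution for one hop (or one whole path).

    Delivered packets contribute a delay sample; a packet that never arrives
    is kept as a probability mass instead of being dropped from the model,
    so loss and delay are accounted for in one resource model.
    """
    loss: float        # probability that a packet never arrives
    delays_ms: tuple   # delay samples (ms) for the packets that do arrive

    def cdf(self, t_ms: float) -> float:
        """Fraction of ALL offered packets delivered within t_ms.

        Never reaches 1.0 while loss > 0: the lost mass is attenuation that
        no deadline, however generous, can recover.
        """
        if not self.delays_ms:
            return 0.0
        within = sum(1 for d in self.delays_ms if d <= t_ms) / len(self.delays_ms)
        return (1.0 - self.loss) * within

    def compose(self, other: "DeltaQ") -> "DeltaQ":
        """Attenuation of two hops in series: delays add, losses compound.

        Every pairing of samples is taken (a discrete convolution), which
        assumes the hops attenuate independently; that is our assumption for
        the example, not a claim from the article.
        """
        loss = 1.0 - (1.0 - self.loss) * (1.0 - other.loss)
        delays = tuple(a + b for a, b in product(self.delays_ms, other.delays_ms))
        return DeltaQ(loss, delays)


def breach_probability(dq: DeltaQ, deadline_ms: float) -> float:
    """Probability that a packet misses the deadline, counting lost packets as late."""
    return 1.0 - dq.cdf(deadline_ms)


def meets_timeliness_agreement(dq: DeltaQ, deadline_ms: float, max_failure_rate: float) -> bool:
    """Supply (dq) versus demand: 'no more than max_failure_rate of packets later than deadline_ms'."""
    return breach_probability(dq, deadline_ms) <= max_failure_rate + 1e-12


# Constructed measurements for two hypothetical hops (not figures from the article).
ACCESS_HOP = DeltaQ(loss=0.001, delays_ms=(5, 6, 7, 8, 9, 10, 11, 12, 13, 14))
CORE_HOP = DeltaQ(loss=0.002, delays_ms=(20, 22, 24, 26, 28))


def end_to_end() -> DeltaQ:
    """The path a packet actually experiences: both hops composed."""
    return ACCESS_HOP.compose(CORE_HOP)


if __name__ == "__main__":
    path = end_to_end()
    for deadline in (40, 45):
        print(f"deadline {deadline} ms: breach probability {breach_probability(path, deadline):.6f}")
    # At 45 ms every delivered packet is in time, so the breach floor is pure loss.
    print("5% failure budget at 40 ms met:", meets_timeliness_agreement(path, 40, 0.05))
    print("1% failure budget at 40 ms met:", meets_timeliness_agreement(path, 40, 0.01))
```

Run it as a script to see how relaxing the deadline from 40 ms to 45 ms drives the breach probability down to the loss floor but no further; that floor is what a 'performance budget' has to allocate across suppliers before the chain is assembled.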

EFF's Emerging Alignment With Offshore Internet Pharmacies


The last few years have been challenging ones for members of the Canadian International Pharmacy Association (CIPA). First, in 2010, they lost their ability to advertise in the US search space after the US Department of Justice noted that many seemingly "Canadian" pharmacy websites "sell drugs obtained from countries other than Canada" when shipping medicines into the US, and major search advertising programs tightened their policies, effectively excluding CIPA's members from advertising in the US. Then, one of the organization's founding Canadian pharmacists was convicted of selling counterfeit drugs to US residents that weren't really from a pharmacy in Canada. Then, they began losing their ability to process credit card payments, after we and others helped reveal that the drugs sold by CIPA's so-called "international Canadian internet pharmacies" often aren't really from Canadian pharmacies. Then, one of their flagship members got indicted for selling counterfeit cancer medicines to US clinics through the pharmacy's wholesale chain. Then, a director of an internet pharmacy certifier widely used by CIPA members, PharmacyChecker, got indicted for hiding counterfeit drugs supplied by CanadaDrugs in his garage. (The charges were dismissed, reportedly after he cut a deal with DOJ.) There's more, but you get the point: it's been a bad few years for internet pharmacies that, even if able to produce a Canadian pharmacy license, don't necessarily send US residents drugs from real Canadian pharmacies.

These developments have been a threat to the commercial interests of CIPA's members. In response, CIPA appears to have aligned with the Electronic Frontier Foundation (EFF) to attack the Healthy Domains Initiative (HDI), a collaboration designed to identify best practices for registrars related to child pornography, rogue online pharmacies, copyright violations and online abuse.

A key rationale for the HDI is to stave off intrusive government regulation: if private companies can develop and implement reasonable anti-abuse policies, it removes the incentive for governments to come in and regulate the internet. The EFF calls these initiatives "shadow regulation." (Cue the spooky music and Guy Fawkes masks.) Unfortunately, the EFF supports its argument by misrepresenting numerous facts that seem to be taken straight from CIPA's playbook.

So what's really going on here, and what's EFF's ax to grind? Let's look at the facts, at the EFF's arguments, and then at who stands to lose money from the HDI initiative.

First, Jeremy Malcolm, the EFF's point person on this issue, discloses in his blog that he was visiting the Canadian International Pharmacy Association the day of his article, and he advocates for the CIPA and PharmacyChecker certification programs as credible. (Lest you think I consider these companies our competitors: I don't, because we don't certify online pharmacies that operate illegally, and they do.) After all, CIPA's members market themselves as "Canadian" but source many of their drugs from cheaper, offshore (non-Canadian) locations in order to improve their profit margins. PharmacyChecker, meanwhile, has over the years certified multiple online pharmacies selling prescription drugs without a valid prescription, not to mention some engaged in counterfeit drug sales. In any case, EFF out of one side of its metaphorical mouth (inaccurately) attacks the HDI as promoting the commercial interests of "Big Pharma," but from the other side of its mouth in essence advocates for the commercial interests of "faux-Canadian" internet pharmacies.

Second, the EFF apparently doesn't know how registrars actually deal with rogue online pharmacies. In nearly all cases I'm aware of where a domain name has been suspended (as in, somewhere bet[...]

New Ad Fraud Schemes Utilize Alpha-Numeric Domains


Co-authored by Dr. Augustine Fou, Independent Cybersecurity and Ad Fraud Researcher, and David Mitnick, President of DomainSkate

The breach of the Democratic National Committee email system and a massive digital advertising fraud believed to be run by alleged actors in Russia share a common thread beyond their ability to capture the news cycle. Although each event targeted a different weakness in brand/online security platforms, the common denominator is the use of fraudulent domain names. In the case of the DNC hack, an email linked to a look-alike Google domain was a critical component that allowed hackers entry into the DNC computer system. On the ad fraud side, alphanumeric and gibberish domains were used to bilk advertisers of millions of dollars a day via a complex system that showed real ads to fake people.

With respect to ad fraud, the use of alphanumeric and gibberish domains is particularly attractive because they are cheap (no premiums, unlike domains associated with popular terms) and anonymous. Whereas prior schemes relied on some form of human intervention, whether fake clicks from confused users or hired clicks, the new schemes require none. In fact, the entire purpose of registering a domain name of this kind is that it will remain anonymous and not attract attention.

We did research on some recent alphanumeric domains registered in the .COM registry and found that there were obvious patterns in the registrations. For example, see the registrations below that were made just last month. Many of these domains were registered within minutes of each other, which means that the registration was likely automated as part of a targeted scam. Specifically, bulk registrations can be performed by bots simply by adding slight variations to the domain names (as in the list above, and the examples below). And all are unique domains that will have a different payment ID in the ad exchange.

Here are a few examples:

Creation Date: 2013-02-04T21:01:29Z
Creation Date: 2013-02-04T21:01:42Z
Creation Date: 2013-02-04T21:01:48Z

We also visited these sites and it became clear that the sites had no (human) traffic and were simply created for fraudulent purposes. The front pages of most of the sites were exactly the same, which means they used the same site template. There was also no real or useful content on the pages. Though there was no legitimate purpose for the sites, the large number of them could be useful for committing ad fraud, where scammers add them into ad exchanges in order to carry ads (display ads, video ads, search ads, etc.), just as in the recent Russian advertising scam.

The bottom line is that it is important for every company, large or small, to monitor its brand names online and to pay close attention to the details in its media/digital advertising reports. On the brand side, a failure to monitor means that users or customers can be harmed by phishing scams that might otherwise be preventable. With respect to digital advertising and media, it is important to always insist on line-item details when buying digital media. With these details you will be able to see the domain names on which your ads and media ran. When you see domains like the ones discussed in this article, be very suspicious and do further investigation, because they are more likely to be used for fra[...]
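The two signals the authors describe, labels that look machine-generated and registrations landing within seconds of each other with only slight variations, can be turned into a line-item screen. The Python below is an added example written for this page, not DomainSkate's or the authors' tooling. The WHOIS extract it runs over is constructed: the three timestamps repeat the creation dates quoted above, but every domain label is a placeholder invented for the example, and the thresholds (60-second window, three or more registrations, edit distance of at most 2) are assumptions a practitioner would tune against their own data.

```python
from datetime import datetime

# Constructed WHOIS extract (domain, creation date). Labels are placeholders,
# not domains from the article; timestamps repeat the three quoted above.
SAMPLE_WHOIS = [
    ("x7k2q9h.com", "2013-02-04T21:01:29Z"),
    ("x7k2q8h.com", "2013-02-04T21:01:42Z"),
    ("x7k2q7h.com", "2013-02-04T21:01:48Z"),
    ("blue-mountain-coffee.com", "2013-02-04T09:15:03Z"),
    ("mp3z4x.com", "2013-02-06T11:02:10Z"),
]

VOWELS = set("aeiou")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def label_of(domain: str) -> str:
    """Second-level label with hyphens removed (assumes a two-label name like example.com)."""
    return domain.lower().split(".")[0].replace("-", "")


def looks_gibberish(domain: str) -> bool:
    """Heuristic for bulk-generated labels: letters mixed with digits, or too few
    vowels to be pronounceable. Thresholds are assumptions for this example."""
    label = label_of(domain)
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    vowel_ratio = sum(c in VOWELS for c in label) / max(len(label), 1)
    return (has_digit and has_alpha) or (len(label) >= 5 and vowel_ratio < 0.2)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; labels one or two edits apart, registered together,
    are the 'slight variations' a registration bot produces."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registration_bursts(records, window_seconds=60, min_size=3):
    """Group registrations whose creation time is within window_seconds of the
    previous one; only groups of at least min_size are reported."""
    timeline = sorted((datetime.strptime(ts, TS_FORMAT), d) for d, ts in records)
    bursts, current = [], []
    for ts, domain in timeline:
        if current and (ts - current[-1][0]).total_seconds() > window_seconds:
            if len(current) >= min_size:
                bursts.append([d for _, d in current])
            current = []
        current.append((ts, domain))
    if len(current) >= min_size:
        bursts.append([d for _, d in current])
    return bursts


def suspicious_clusters(records, max_distance=2):
    """Bursts in which every member is gibberish and a near-variant of the first member:
    the registration pattern the article describes for ad-fraud domain farms."""
    flagged = []
    for burst in registration_bursts(records):
        first = label_of(burst[0])
        if all(looks_gibberish(d) and edit_distance(first, label_of(d)) <= max_distance
               for d in burst):
            flagged.append(burst)
    return flagged


if __name__ == "__main__":
    for cluster in suspicious_clusters(SAMPLE_WHOIS):
        print("likely automated registration run:", ", ".join(cluster))
```

Feeding it the domains from a line-item media report (with creation dates pulled from WHOIS) gives a shortlist to investigate; a single gibberish domain is weak evidence, but a burst of near-identical ones created seconds apart is the signature the authors found.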

Shedding Light on How Much Energy the Internet and ICTs Consume


Ever since I published an essay exploring the relationship between climate change and the Internet, I have endeavored to bring this subject to the fore as often as possible (and in relevant fora and discussions), since the responsibility of creating a more sustainable world falls on all communities and stakeholder groups. It is particularly pressing now, at a time when international interest in curbing climate change is strengthening while the commitments of the United States government vis-à-vis climate change and the environment recede under the Trump administration, as reflected in its first official budget proposal.

Instances where I have highlighted this topic include advocating for more environmentally friendly practices, such as reducing energy use and/or transitioning to renewable energy sources like solar and wind, at the global Internet Governance Forum (IGF), which was held in Guadalajara, Mexico, in December 2016. The Dynamic Coalition on the Internet and Climate Change (DCICC), which was a focus of the aforementioned essay, submitted its annual report leading up to the IGF, and was represented at the Dynamic Coalition (DC) main session, where we updated the IGF community about our work and progress made in 2016. I was also able to facilitate two breakout sessions at the Internet Society (ISOC)-sponsored Collaborative Leadership Exchange (CLX): one where we discussed the Sustainable Development Goals (SDGs), and another that focused solely on the Internet, information and communications technologies (ICTs), and the environment.

The work has only just begun, however, and is continuing in earnest. For instance, I was appointed as the focal point for a European Dialogue on Internet Governance (EuroDIG) workshop examining digital pollution and its effects on the environment (such as electronic waste (e-waste) and energy consumption), and I am co-organizing the DCICC annual session at the 2017 WSIS Forum.

So far, most of the feedback I have received from individuals across the Internet governance community about raising this issue has been positive. I greatly appreciate the support that has been shown, and the relevance of maintaining this discussion was further reinforced by a World Health Organization (WHO) publication released earlier this month (March) regarding technology, e-waste, and the environment:

"The WHO also noted [in their Inheriting a Sustainable World: Atlas on Children's Health and the Environment report [PDF]] the importance of properly managing emerging environmental hazards like electronic and electrical waste. Without proper recycling, this can lead to children being exposed to dangerous toxins known to harm intellectual development and cause attention deficits, as well as more serious conditions like lung disease and cancer."

With the proliferation of the Internet of Things (IoT), the dangers raised by the WHO's report are even more pressing. Yet e-waste is only one part of the problem. As more and more people come online, more devices are going to come online as well, which will further add to the power consumption of the Internet and ICTs.

This point was explicitly raised in a personal email exchange between Vint Cerf, one of the "fathers of the Internet" who co-invented TCP/IP, and me. We were discussing Google's transition to fully renewable energy use for its data centers, and he posed two questions. After Vint gave me his consent to share the information from our exchange, I decided to publish it here as a follow-up to my October 2016 essay. The following was my substantial answer to his questions (which are listed below in bold). Also, for full disclosure, note that I often refer to Google as a c[...]

Alliance for Safe Online Pharmacies Honors Leading Companies at ICANN


Last week the Alliance for Safe Online Pharmacies (ASOP Global) presented its inaugural Internet Pharmacy Safety E-Commerce Leadership Award to two organizations during the Generic Names Supporting Organization (GNSO) Joint Meeting of the Registries and Registrars Stakeholder Groups at ICANN58 in Copenhagen, Denmark, it was announced on Tuesday.

ASOP Global selected the award recipients, Rightside and Realtime Register, based on their corporate policies and practices; responsiveness to illegal online drug sellers; prevention of illegal use of domain names for illegal online drug sales; cross-industry collaboration; and public and consumer awareness efforts, explained ASOP Global's Executive Director, Libby Baney.

"Both organizations have shown exceptional and consistent efforts to improve patient safety online by actively addressing concerns regarding illegal online drug sellers and promptly responding to reports of potential domain abuse, often within 24 hours," Baney said. "Likewise, while both Realtime Register and Rightside have registries amassing hundreds of thousands of domains each, our award winners have a near zero count of illegal internet pharmacies utilizing their services," she added.

"Rightside is pleased to be recognized for its ongoing efforts to shut down illegal pharmacies on both its registrar and registry platforms. The access to, and distribution of, unsafe medications to consumers without a license is a serious global public health risk and Rightside is glad to participate with other companies to address this problem," said Rightside Vice President for Business and Legal Affairs, Statton Hammock.

"It was really great to accept this award from ASOP Global in front of all of the delegates attending the Joint Registries and Registrars Stakeholder Session as we were able to show our colleagues the other side of the issue in which many of our registries and registrars are working responsibly to ensure patient safety online," said Realtime Register's Compliance and Policy Officer, Theo Geurts.

Nominations for ASOP Global's second Internet Pharmacy E-Commerce Safety Award are now open. All questions and nominations may be sent to ASOP Global. Award recipients will be announced during ICANN63 in October 2018 in Barcelona, Spain.

About the Alliance for Safe Online Pharmacies: Headquartered in Washington, D.C., the Alliance for Safe Online Pharmacies (ASOP Global) is an international 501(c)(4) social welfare organization dedicated to combating illegal online pharmacies and ensuring the safety of consumers worldwide.

Written by Libby Baney, Digital Health Policy Consultant; Executive Director, ASOP Global. More under: Cybercrime, Domain Names, ICANN, Internet Governance, Policy & Regulation [...]

Is Call Forwarding an "Information Service" and Why It Matters for FTC Jurisdiction


Time to brush the dust off your Computer II notebooks. Are voicemail, electronic fax, and call forwarding enhanced services or telecom services?

Today's case: FTC v. American eVoice, Ltd, et al., CV-13-03-M-DLC (D. Mont. Mar. 14, 2017). See also the Stipulated Permanent Injunction.

The FTC brought an action against Defendants claiming that they were engaged in cramming, adding unwanted voicemail, electronic fax, and call forwarding services to consumers' bills to the tune of $70 million. Slip at 3. The FTC concluded that this was a violation of Sec. 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." Slip at 3.

Defendants filed a motion to dismiss, arguing that they are common carriers and therefore exempt from FTC jurisdiction. This argument had been successful recently. In FTC v. AT&T Mobility (9th Cir. Aug. 2016), the FTC had brought an action against AT&T Mobility for data throttling (before the FCC's Open Internet order declaring Internet access service a telecommunications service). The 9th Circuit found that AT&T Mobility had the status of a common carrier, and therefore the FTC lacked jurisdiction over AT&T Mobility. Specifically, Sec. 5 states that the FTC lacks jurisdiction over "common carriers subject to the Acts to regulate commerce." The term "common carrier" is not defined in Sec. 5. The 9th Circuit conducted an extensive review, concluding that the language applied generally to firms that have the status of being a common carrier, and not specifically only to actions that constitute the provision of common carriage. In other words, according to the holding of the 9th Circuit, the FTC lacks jurisdiction over AT&T Mobility even if AT&T Mobility is selling hot dogs out of a push cart, because AT&T Mobility has the status of a common carrier for some other part of its business.

So are Defendants in the case at hand "common carriers" or not? The Court cites Computer II authority, for which it gets my thumbs up. But of course Computer II has been superseded by the Telecommunications Act of 1996, which codified definitions for an "information service" (a.k.a. "enhanced services") and a "telecom service."

An "information service" is "the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications, and includes electronic publishing..." 47 U.S.C. § 153(24).

By contrast, a "telecommunications service" means "the offering of telecommunications for a fee directly to the public." 47 U.S.C. § 153(53).

And "telecommunications" means "the transmission, between or among points specified by the user, of information of the user's choosing, without change in the form or content of the information as sent and received." 47 U.S.C. § 153(50).

As the court states, telecom service is essentially a pipeline. It is the transmission layer of the communications service. It pretty much is someone saying "hi grandma" into a telephone network and "hi grandma" coming out the other end. Anything more than that is an "information service." This is a bright line test. If "hi grandma" is spoken into the network and "Bonjour Grand-mère" comes out the other end of the network, you gots yourself "a change in the form or content of the information" sent.

The FCC and the courts have been deciphering the distinction between "information services" and "telecommunications services" for roughly half a century. There is a bit of precedent here. What we know, according to the court, is that defendants offered "voicemail, electronic fax, and call forwarding." Have previous courts and the FCC passed on whether these are "information services"? Yes[...]

How Long Does a UDRP Case Take?


The Uniform Domain Name Dispute Resolution Policy (UDRP) was designed as a quicker and less expensive alternative to litigation. Although the UDRP policy and rules provide strict timelines for the various stages of a UDRP case, how quickly a dispute is actually resolved can vary based on numerous factors. A typical UDRP case results in a decision in about two months, but the facts of each case, including actions both within and outside the control of the parties, may shorten or extend that timing.

Here's how a common UDRP case proceeds:

Step 1 (Filing of Complaint): A trademark owner has discretion to file a UDRP complaint at any time. While some panels have considered a "doctrine of laches," the WIPO Overview notes that "delay (by reference to the time of the relevant registration of the disputed domain name) in bringing a complaint does not of itself prevent a complainant from filing under the UDRP, or from being able to succeed under the UDRP, where a complainant can establish a case on the merits under the requisite three elements."

Step 2 (Compliance check): The UDRP service provider (WIPO, the Forum, the Czech Arbitration Court and the Asian Domain Name Dispute Resolution Centre) acknowledges receipt of a complaint within about one day of filing; submits a "verification request" to the registrar to confirm the accuracy of information about the domain name and the registrant; and reviews the complaint for "administrative compliance" with the UDRP policy and rules. Rules, paragraph 4(b). If the provider finds the complaint "administratively deficient," it "shall promptly notify the Complainant and the Respondent of the nature of the deficiencies identified." Rules, paragraph 4(d). The complainant will then have five calendar days to correct any deficiencies. If the disputed domain name was protected by a privacy service and the underlying registrant's identity is disclosed after filing, the provider may invite the complainant to amend the complaint within the same five-day period allowed for curing deficiencies.

Step 3 (Commencement): Within three calendar days of the provider's receipt of the filing fee from the complainant, the provider "shall forward the complaint, including any annexes, electronically to the Respondent and Registrar and shall send Written Notice of the complaint (together with the explanatory cover sheet prescribed by the Provider's Supplemental Rules) to the Respondent." Rules, paragraph 4(c). This is commonly referred to as "commencement."

Step 4 (Filing of Response): A respondent is required to submit its response within 20 days of commencement. Rules, paragraph 5(a). (Many respondents choose not to submit a response, but failure to do so does not automatically result in a decision in favor of the complainant, because there is no default judgment available under the UDRP.) A respondent is automatically entitled to a four-day extension upon request. Rules, paragraph 5(b). And, "in exceptional cases," the service provider may grant additional extensions. Rules, paragraph 5(e).

Step 5 (Panel appointment): The service provider is required to appoint a panel within five calendar days of receiving a response (if one is filed) or of the deadline for a response (if one is not filed), if neither party has requested a three-member panel. Rules, paragraph 6(b). If a three-member panel is required, then the appointment may take 10 calendar days. Rules, paragraphs 6(c)-(e).

Step 6 (Decision): The panel is required to ensure that a UDRP proceeding "takes place with due expedition," Rules, paragraph 10(c), and, unless there are "exceptional circumstances," it "shall forward i[...]

Network Dis-Aggregation and SDN: Different, But Related


Two of the hottest trends in networking today are network dis-aggregation and SDN. This is great for many reasons. It's also confusing. The marketing hype makes it hard to understand either topic. SDN has become so vague that if you ask 10 experts what it means, you are likely to get 12 different answers. Network dis-aggregation seems straightforward enough until it gets confused with SDN. We need to take a step back. In a recent Packet Pushers blog post, I start with a simple explanation of each of these trends and then map how they interact.

Software Defined Networking (SDN)

I try not to use the term "SDN." As Ethan recently pointed out, it's been so badly abused that it has, essentially, lost all meaning. The flip side is that the term isn't going anywhere. Companies are selling SDN and executives are asking for SDN. Just like "cloud," we seem to be stuck with "SDN." The best we can do is work to agree on a common, if general, definition, and be more specific whenever possible. For now, we're left to define the term every time we use it.

At its core, I believe that SDN has two components: network automation and network analytics. Automation encompasses concepts such as logically centralized management, network programmability, and network abstraction. Analytics provides the information you need to make informed decisions when planning, building, and operating your network. Analytics also provides the feedback needed for advanced automation (i.e. autonomous networks). Whether you use OpenFlow or overlays, whether you write your own Ansible playbooks or leverage complex orchestration systems, the fundamentals of SDN are always the same: putting information into the network, and getting information out of the network.

Using this definition, I don't see SDN as an option so much as an inevitable progression of network management. Networks are becoming more and more vital to our society while the ratio of devices to engineers continues to climb. We must find ways to simplify network operations and increase network efficiency. Today, those solutions fall under the umbrella of SDN.

Network Dis-aggregation

Here's another imperfect term. Taken literally, "network dis-aggregation" means to separate the network into its component parts. Wouldn't that just mean looking at individual routers, switches, and firewalls? More precisely, we probably should say "network device dis-aggregation" or "hardware and software dis-aggregation in network devices." Too bad those phrases are so unwieldy. What we're talking about here is the ability to source switching hardware and network operating systems separately. This is like buying a server from almost any manufacturer and then loading an OS of your choice.

This is where I'm supposed to say, "thank the heavens that networking is finally catching up to systems." And it IS great that this is an option now. The proliferation of "whitebox" and "britebox" switching platforms, combined with the explosion of available network operating systems (NOSs), are together putting pricing and innovation pressure on the legacy "aggregated" networking vendors. Don't forget, however, why so many people love their Apple products; sometimes it still makes sense to engineer hardware and software together.

Note: This trend is going to get even more exciting as we start to see commodity hardware built on programmable merchant silicon, like Barefoot's Tofino, Cavium's XPliant, and Innovium's Teralynx.

Combining Network Dis-aggregation and SDN

Deploying dis-aggregated network devices and deploying SDN are not the same thing. There is an obvious relationship between the two, though. To di[...]

Sanctionable Conduct for Abusing the UDRP Process


To claim a superior right to a string of characters, mark owners must (first) have priority (unregistered or registered) in using the mark in commerce; and secondly, have a mark strong enough to rebut any counter-argument of the registrant's right or legitimate interest in the string. A steady (albeit small) number of owners continue to believe it's outrageous for registrants to hold domain names registered earlier than their trademarks and be permitted to extort amounts far "in excess of [their] documented out-of-pocket costs directly related to the domain name." However, the only absolute when it comes to names is that ownership belongs to the first to acquire (for domain names) and the first to use in commerce (for trademarks).

To have an actionable claim under U.S. trademark law, a mark has to be "distinctive at the time of the registration of the domain name." Anticybersquatting Consumer Protection Act (ACPA), Sec. 1125(d)(1)(ii)(I). The ACPA states the proposition directly: no priority, no standing. The Uniform Domain Name Dispute Resolution Policy (UDRP) reaches the same result indirectly by requiring complainants to prove that holders registered the domain names in bad faith, which (leaving out an exception to this rule) they cannot possibly do if a particular mark is not "distinctive at the time of the registration of the domain name."

While there is no monetary penalty for initiating a UDRP proceeding (as there is under federal law), Panels are empowered to issue sanctions for reverse domain name hijacking, but this empowerment is discretionary. As a result, the parameters of sanctionable conduct largely depend on the panelist appointed to hear the matter. Conduct that one panelist believes sanctionable is, to another (for reasons not always clear), excusable. For Panels at one end of the spectrum, a complainant's failure to respond to a sanction request can be fatal because it supports a negative inference that there is no defense. I'll return to this in a moment.

At the other end of the spectrum, a Panel in a recent case declined to find reverse domain name hijacking because Complainant "at least [presented] a colorable argument" (albeit relying on a principle of bad faith that has essentially been rejected by other panelists). The Panel found this reliance (that renewal of registration with knowledge of a mark is bad faith) "was reasonable." Dividex Management, LLC v. Rory Blake, D2016-2574 (WIPO February 17, 2017). Some commentators would find that relying on a rejected proposition of bad faith is "not reasonable" at all, in fact dubious, and particularly so where the mark was "not distinctive" and postdated the registration of the domain name by more than a decade, since in that factual context there could not have been bad faith registration.

Responding to the Panel's decision in Clasen Quality Chocolate, Inc. v. Earthlink, Inc., D2017-0129 (WIPO March 1, 2017), Andrew Allemann (of Domain Name Wire) exclaimed: "Wow: WIPO panelist lets 'misconceived' complainant off the hook." The conduct found excusable in Clasen Quality that elicited Mr. Allemann's intake of breath was the Panel's explanation that this "Complaint appears, on balance, to be more misconceived than malicious in nature" (emphasis added). The head-scratcher here is that the Panel also stated that the "Complaint should not have been brought," which is the formulaic language used by panelists at the other end of the spectrum for expressing abuse of the proceeding.

RDNH rests on two factual certainties. First, complainant knew or should have known that the complaint could not have succeeded; and s[...]

ICANN Complaint System Easily Gamed


ICANN's WDPRS system has been defeated. The system is intended to remove or correct fraudulently registered domains, but it does not work anymore. Yesterday I submitted a memo to the leadership of the ICANN At-Large Advisory Committee (ALAC) and the greater At-Large community. The memo concerns the details of a 214-day saga of complaints about a single domain used for trafficking opioids. For those who are familiar with the cycle of WDPRS complaints, the time frame is supposed to be 45 days at a maximum. The 45-day window was defeated by the domain owner, who constantly transferred the domain and changed the data, which took it out of the hard-structured view of complaints processing. This is part of an ongoing series of articles and research into online opioids traffic and the effectiveness of different enforcement procedures.

The first complaint was submitted 4 August 2016, and the most recent response from ICANN, on 6 March, stated in part: "ICANN considers this matter now closed." Wonderful. We should all feel so much safer. Unfortunately, this is just the continuation of a very long process failure. The domain in question, DRUGS-ORDER.NET (which I refer to in my handwritten notes as "DONT"), is still online and used for selling opioids without a prescription and without displaying a pharmacy license.

The memo I submitted in response to these events is an analysis of the ICANN complaint system (WDPRS). The analysis uses this domain with false WHOIS as an example to better understand the issues with ICANN policy and procedure. In short, the ICANN WDPRS has been effectively circumvented. The domain has had 3 different sets of false WHOIS, and the owner simply transferred the domain each time a complaint was filed. The domain has been transferred to 4 different registrars and is currently operating, selling narcotics. With nearly 3000 registrars there is no practical limit. In each case, the registrar largely followed the process and complied with ICANN.

So ultimately it's not a registrar issue, it's an ICANN issue. The failure of the organization to understand how the process can be manipulated makes the process useless. ICANN compliance will likely respond by stating they are constrained by the contract. However, they are also apparently constrained by process innovation as well as real-world context. This is an extremely urgent issue.

Yesterday, here in Copenhagen, at the CC session on effective DNS abuse prevention and mitigation, some very smart and passionate experts (including APWG and global LE) discussed various threats on the Internet. One fact is clear from this discussion: the ability of criminals to obtain domains far outpaces the current ability to contain them. Even concerned and proactive registrars at the session complained that their compliance and cooperation with abuse mitigation is hampered by other factors out of their control. The various issues can be summed up in one word: complexity. The data is complex, but the process cannot accept that complexity. All criminal and abusive operations should follow this cycle to stay in business: Obfuscate, Wait, Transfer, Repeat.

I will be presenting on these issues at the joint session of the Public Safety Working Group (PSWG) and the Verified TLD (vTLD) constituency. This meeting is scheduled for Tuesday 14 March from 18:30 to 19:30 (CET) in Hall B4.1 at ICANN58.

Written by Garth Bruen, Internet Fraud Analyst and Policy Developer
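The Obfuscate, Wait, Transfer, Repeat cycle described above can be made visible from a domain's own complaint history: a WDPRS cycle that is closed only after the domain has moved registrar, several times in a row, with the whole affair running far past the 45-day window. The following is an added example (not the author's memo or any ICANN tooling); only the first-complaint date (4 August 2016) and the closure date (6 March 2017) are taken from the post, every intermediate date, registrar name and WHOIS label is constructed.

```python
"""Detect the 'Obfuscate, Wait, Transfer, Repeat' cycle in a WDPRS complaint history.
Added example; only the 4 Aug 2016 / 6 Mar 2017 dates come from the post."""
from dataclasses import dataclass
from datetime import date

WDPRS_MAX_DAYS = 45  # per-complaint maximum the post cites

@dataclass(frozen=True)
class Event:
    when: date
    kind: str         # "complaint" | "transfer" | "closed"
    registrar: str    # registrar of record after the event
    detail: str = ""  # label of a new WHOIS data set, if the data changed here

def analyse(events):
    """Summarise a domain's complaint history and flag the evasion pattern."""
    events = sorted(events, key=lambda e: e.when)
    complaints = [e for e in events if e.kind == "complaint"]
    if not complaints:
        return {"evasion": False, "elapsed_days": 0}
    closed = [e for e in events if e.kind == "closed"]
    end = closed[-1].when if closed else events[-1].when
    elapsed = (end - complaints[0].when).days
    # A cycle runs from one complaint to the next (or to closure) and counts
    # as reset when the domain changed registrar inside that span.
    reset = 0
    for i, c in enumerate(complaints):
        span_end = complaints[i + 1].when if i + 1 < len(complaints) else end
        if any(e.kind == "transfer" and c.when < e.when <= span_end for e in events):
            reset += 1
    return {
        "elapsed_days": elapsed,
        "over_window": elapsed > WDPRS_MAX_DAYS,
        "cycles_reset_by_transfer": reset,
        "registrars": len({e.registrar for e in events}),
        "whois_sets": len({e.detail for e in events if e.detail}),
        # Repeated resets plus a blown window is the pattern the post describes.
        "evasion": reset >= 2 and elapsed > WDPRS_MAX_DAYS,
    }

# Constructed history: intermediate dates and registrar names are illustrative.
SAMPLE = [
    Event(date(2016, 8, 4), "complaint", "Registrar-A", "whois-1"),
    Event(date(2016, 9, 10), "transfer", "Registrar-B", "whois-2"),
    Event(date(2016, 10, 1), "complaint", "Registrar-B"),
    Event(date(2016, 11, 5), "transfer", "Registrar-C", "whois-3"),
    Event(date(2016, 12, 15), "complaint", "Registrar-C"),
    Event(date(2017, 1, 20), "transfer", "Registrar-D"),  # same false data kept
    Event(date(2017, 3, 6), "closed", "Registrar-D"),
]
```

On the constructed history, analyse(SAMPLE) reports 214 elapsed days, three cycles reset by a transfer, four registrars and three WHOIS sets, and flags the pattern; a single complaint closed within 45 days with no transfer is not flagged.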

Google Claims It Fixed the Security Holes the CIA Exploited


WikiLeaks shook the internet again on March 7, 2017, by posting several thousand documents containing information about the tools the CIA allegedly used to hack, among others, Android and iOS devices. These classified files were obtained from the CIA's Center for Cyber Intelligence, although they haven't yet been verified, and a CIA official declined to comment on this incident. This isn't the first time that U.S. government agencies have been accused of crossing the line and undermining online security and civil liberties, as it's been only a year since the infamous FBI-Apple encryption dispute. It's like "1984" all over again.

March 2017

According to these documents, the alleged exploits took place between 2013 and 2016, and at least 24 Android vulnerabilities were identified. Among them were hacking tools capable of turning Android and iPhone devices, smart TVs, and computers into "covert microphones". Chrome was targeted by the EggsMayhem attack, the Sulfur exploit caused Android to leak critical OS information, while the RoidRage bundle was used to obtain remote control over Android devices. At first, all the tech companies from Silicon Valley maintained their silence, but two days later, Google's Manager of Information Security, Heather Adkins, said that many of the vulnerabilities referred to in the report had been fixed. However, security specialists say that those government intrusions on privacy, although undeniably severe and illegal, haven't been reported to affect versions of Android after 4.4. Google is currently busy analyzing its security issues and working on implementing further protections. Apple also issued a statement saying that its users were protected, as the latest iOS version contained security patches for the mentioned exploits. Security protocols of many chat apps such as Facebook's WhatsApp, Signal, or Weibo were broken, too.

All this obviously puts not only many individual users but also numerous companies at risk, as their privacy can be easily violated and their trade secrets exposed. That's why it's wise to think about alternative methods of communication and constant security software testing.

February 2016

On December 2, 2015, 14 people were killed and 22 were injured in a terrorist attack at the Inland Regional Centre in San Bernardino, California. The perpetrators were subsequently killed in a shoot-out with the police. During the investigation, the FBI found an Apple iPhone 5C, issued to one of the terrorists by San Bernardino County, his employer. However, the phone had a passcode and couldn't be unlocked due to its advanced security features. The FBI asked Apple to help them and disable certain security features, which the company declined on the grounds of its policy of never undermining the security features of its products. This case sparked a heated debate regarding the importance of security and encryption, both in court and among the general public. A poll conducted by the Pew Research Center on a sample of 1,022 adults showed that 51% of U.S. citizens supported the FBI, while 38% agreed with Apple, although the company warned that creating a backdoor to the iPhone could pose a threat to data security, as the government or hackers could potentially unlock any iPhone. Finally, the FBI used a tool purchased from a third party to unlock the device and withdrew the request. This incident is still a controversial matter in the U.S.

December 2013

In December 2013, it was revealed that the NSA and the UK's GCHQ entered the realm of online gaming and st[...]

Universal Acceptance of New Top-Level Domains Reloaded


One challenge for all new top-level domains (TLDs) is the so-called Universal Acceptance. Universal Acceptance is a phenomenon as old as TLDs exist and may strike on many occasions, e.g.:

• Using a very short email address like
• Using an IDN email address like λ@ελ.ελ
• Using an email address or domain name based on a new gTLD
• Filling out an online form or using a software application with email addresses or domain names as described before
• Other events

The effect when Universal Acceptance hits you is that you cannot send or receive email, you get error messages, or, even worse, everything looks like it works but it does not, and you do not even get a notification. All new gTLD registry operators, but not only them, are facing this problem, and registrants are the people who are hurt by it. The root cause is software and hardware that does not take into account that since 2014 more than a thousand new gTLDs have been added as valid TLDs. As this software and hardware will still be used for many years, the problems may not be fixed completely anytime soon. ICANN has identified this problem and is working with the Internet community, especially the technical community, to alleviate it.

Reloaded – The medal has two sides

Throughout the last three years, Universal Acceptance has merely been seen as a technical problem. But as Registry Operator for .berlin, we are not only running all the technical stuff, we also market domain names to Berliners. By this, we have experienced that Universal Acceptance has two sides, like a medal. There is not only the obvious technical side that contributes to Universal Acceptance but also the people's side of the medal, which seems to us equally important.

We brought this to a simple formula which we would like to propose:

Universal Acceptance = Technical Acceptance + People's Acceptance

Please see our definitions below, for which we adopted the existing wording by ICANN together with some new definitions we would like to suggest.

* * *

The technology side of Universal Acceptance

Technical Acceptance – is the concept that all domain names should be treated equally by technical systems. Domain names and email addresses should be accepted, stored, processed and displayed in a consistent and effective manner.

Linkification – is the action when a software application uses algorithms and rules to determine whether a string should create a hyperlink to a valid Internet location (URL) or an email address (mailto:) and executes the linkification.

+ The people's/consumer's side of Universal Acceptance

Universal Awareness – is when those people who are domain name owners or want to become domain name owners are aware of the large choice and benefits of the new top-level domains that complement the legacy TLDs.

Universal Recognition – is when people, especially Internet users, identify a combination of two or more labels separated by dots as a potential domain name and type it into a browser or search bar or forward that information.

= The full picture of Universal Acceptance

Universal Acceptance – is the state when both technology and people identify a label.label combination as a potential or real Internet address (= domain name) and perform appropriate action on it.

* * *

Our Suggestion

In order to overcome the Universal Acceptance issues, we would like to make the following suggestion: With enormous existing funds of over US$ 230 million from the new gT[...]
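The technical side of Universal Acceptance described above comes down to how software validates a domain name or email address. The following added example (not code from the .berlin registry, ICANN or any UA project) puts a legacy form validator of the kind that causes the failures listed in the post next to a TLD-agnostic, IDN-capable check; the IDN address λ@ελ.ελ is the one quoted in the post, the other inputs are constructed.

```python
"""Universal Acceptance check for email addresses: a legacy validator of the
kind that breaks UA next to a UA-ready one. Added example, not code from the
.berlin registry or ICANN; the rules applied are stated in the comments."""
import re

# Legacy pattern still common in web forms: ASCII only, TLD of 2-4 letters.
# It rejects every new gTLD longer than four letters and every IDN.
LEGACY = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$")
# Letters, digits and hyphen, no leading or trailing hyphen (A-label shape).
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def legacy_accepts(addr):
    return bool(LEGACY.match(addr))


def ua_domain_ok(domain):
    """TLD-agnostic syntactic check: at least two labels, each 1-63 octets as
    an A-label (IDN labels converted via IDNA), whole name at most 253 octets,
    TLD not all digits. No list of 'known' TLDs is consulted."""
    labels = domain.split(".")
    if len(labels) < 2 or labels[-1] == "":
        return False
    try:
        alabels = [lab.encode("idna").decode("ascii") for lab in labels]
    except UnicodeError:  # malformed or over-long IDN label
        return False
    if not all(1 <= len(a) <= 63 and LABEL.fullmatch(a) for a in alabels):
        return False
    if len(".".join(alabels)) > 253 or alabels[-1].isdigit():
        return False
    return True


def ua_accepts(addr):
    """UA-ready email check: exactly one '@', a non-empty local part of at most
    64 octets that may contain UTF-8 (as in EAI), and a UA-valid domain."""
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    if not local or len(local.encode("utf-8")) > 64:
        return False
    if any(ch.isspace() or ch in '()<>,;:"[]\\' for ch in local):
        return False
    return ua_domain_ok(domain)
```

The legacy pattern accepts mail@example.com but rejects both mail@example.berlin and λ@ελ.ελ; the UA-ready check accepts all three while still rejecting malformed input such as a single-label domain, an all-numeric TLD or a label starting with a hyphen.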