2017-01-19T14:54:00-08:00
What will the Internet look like in the next seven to 10 years? How will things like marketplace consolidation, changes to regulation, increases in cybercrime or the widespread deployment of the Internet of Things impact the Internet, its users and society? At the Internet Society, we are always thinking about what's next for the Internet. And now we want your help! The Internet is an incredibly dynamic medium, shaped by a multitude of pressures — be they social, political, technological, or cultural. From the rise of mobile to the emergence of widespread cyber threats, the Internet of today is different from the Internet of 10 years ago. The Internet Society and our community care deeply about the future of the Internet because we want it to remain a tool of progress and hope. Last year, we started a collaborative initiative — the Future Internet project — to identify factors that could change the Internet as we know it. We asked for your views and heard from more than 1,500 members across the world — thank you! That feedback provided a strong foundation for the development of our Future Internet work. We have consolidated that input into nine driving forces for the Internet. The list is posted on our Future Internet webpage, along with the challenges and uncertainties raised by our community. Our community identified these forces as the things that will influence how the Internet will evolve in the future. They include:
— Convergence of the Internet and the Physical World
— Artificial Intelligence and Machine Learning
— New and Evolving Digital Divides
— Increasing Role of Government
— Future of the Marketplace and Competition
— Impact of Cyberattacks and Cybercrime
— Evolution of Networks and Standards
— Impact on Media, Culture, and Human Interaction
— Future of Personal Freedoms and Rights
Now, we need your help again. Please review this work and let us know what you think by sending your answers to the following questions to firstname.lastname@example.org:
— Which of the nine drivers do you think will have the biggest impact on the future of the Internet in the next seven to 10 years?
— Are there major issues that are missing from this list?
— What 2-3 issues would you prioritize in our Future Internet project?
2017 is the Internet Society's 25th anniversary. It is an opportunity to look back and see how the Internet has grown and evolved since our earliest days. It is also a chance to look ahead and imagine the future. Will the Internet continue to be a tool to build community, drive innovation, and create opportunity? With this Future Internet project, we can imagine some different futures and then think together about what steps we need to take today to bring about the future that we want. More updates will be coming soon, with a final report in September. Thanks in advance for your participation and input! Note: an earlier version of this post appeared on the Internet Society blog.
Written by Sally Shipman Wentworth, VP of Global Policy Development, Internet Society
2017-01-18T12:25:01-08:00
Despite widespread concern about the security of mobile and Internet of Things (IoT) applications, organizations are ill-prepared for the risks they pose, according to a research report issued today from Ponemon Institute, IBM Security, and Arxan Technologies. "Mobile and IoT applications continue to be released at a rapid pace to meet user demand. If security isn't designed into these apps there could be significant negative impacts," says Diana Kelley, Global Executive Security Advisor, IBM Security. Some of the key findings from the report are below:
— Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace. Organizations are having a more difficult time securing IoT apps. Respondents are slightly more concerned about getting hacked through an IoT app (fifty-eight percent) than a mobile app (fifty-three percent). However, despite their concern, organizations are not mobilizing against this threat.
— Material data breaches or cyber attacks have occurred and are reasons for concern. Sixty percent of respondents know with certainty (eleven percent), most likely (fifteen percent) or likely (thirty-four percent) that their organization had a security incident because of an insecure mobile app. Respondents are less certain whether their organization has experienced a material data breach or cyber attack due to an insecure IoT app.
— The risk of unsecured IoT apps is growing. Respondents report IoT apps are harder to secure (eighty-four percent) versus mobile apps (sixty-nine percent). Additionally, fifty-five percent of respondents say there is a lack of quality assurance and testing procedures for IoT apps.
— Despite the risk, there is a lack of urgency to address the threat. Only thirty-two percent of respondents say their organization urgently wants to secure mobile apps and forty-two percent of respondents say it is urgent to secure IoT apps.
— Not enough resources are being allocated...yet. Only thirty percent of respondents say their organization allocates sufficient budget to protect mobile apps and IoT devices. If they had a serious hacking incident, their organizations would consider increasing the budget (fifty-four percent of respondents). Other reasons to increase the budget are if new regulations were issued (forty-six percent of respondents) or media coverage of a serious hacking incident affecting another company occurred (twenty-five percent of respondents).
The Canadian Security Intelligence Service (CSIS) is reported to have warned companies about an increasing risk of cyber espionage and attacks on pipelines, oil storage and shipment facilities. In an exclusive report published by Reuters today based on classified documents, CSIS issued warnings last May in which it highlighted an additional risk for the energy sector, where opposition to pipelines has ramped up in both Canada, home to the world's third-largest oil reserves, and the United States. "You should expect your networks to be hit if you are involved in any significant financial interactions with certain foreign states," the official said in the document, seen by Reuters under access-to-information laws.
A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack, according to Ukraine's national power company, Ukrenergo, which hired investigators to help it determine the cause. Reuters reporting today: "A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers and establish the source of the breach, utility Ukrenergo told Reuters on Wednesday. ... Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilowatt sub-station "North", were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters."
2017-01-14T20:02:00-08:00
Why does the broadband industry, supposedly a "high technology" one, lag behind old and largely defunct industries that now have reached the "museum piece" stage?
Last week I was at the National Slate Museum in Wales watching slate being split apart. On the wall were sample pieces of all the standard sizes. These have cute names like "princess". For each size, there were three standard qualities: the thinnest are the highest quality (at 5mm in thickness), and the thickest have the lowest quality (those of 13mm or more). Obviously, a lighter slate costs less to transport and lets you roof a wider span with less supporting wood, hence is worth more. These slates were sold around the world, driven by the industrial revolution and the need to build factories and other large structures for which "traditional" methods were unsuitable. Today we are building data centers instead of factories, and the key input is broadband access rather than building materials. Thankfully telecoms is a far less dangerous industry and doesn't give us lung disease that kills us off in our late 30s. (The eye strain and backache from hunching over iDevices is our deserved punishment for refusing to talk to each other!) What struck me was how this "primitive" industry had managed to create standard products in terms of quantity and quality, that were clearly fit-for-purpose for different uses such as main roofs versus drainage versus ornamental uses. This is in contrast to broadband where there is high variability in the service, even with the same product from the same operator being delivered to different end users. With broadband, we don't have any kind of standard units for buyers to be able to evaluate a product or know if it offers better or worse utility and value than another. The only promise we make is not to over-deliver, by setting an "up to" maximum burst data throughput! Even this says nothing about the quality on offer.
In this sense, broadband is an immature craft industry which has yet to even reach the most basic level of sophistication in how it defines its products. To a degree, this is understandable, as the medium is a statistically multiplexed one, so naturally is variable in its properties. We haven't yet standardized the metrics in which quantity and quality are expressed for such a thing. The desire is for something simple like a scalar average, but there is no quality in averages. Hence we need to engage with the probabilistic nature of broadband, and express its properties as odds, ideally using a suitable metric space that captures the likelihood of the desired outcome happening. This is by its nature something that is an internal measure for industry use, rather than something that end consumers might be exposed to. Without standard metrics and measures, and transparent labeling, a proper functioning market with substitutable suppliers is not possible. The question that sits with me is: whose job is it to standardize the product? The regulator? Equipment vendors? Standards bodies? Network operators? Industry trade groups? Or someone else? At the moment we seem to lack both awareness of the issue, as well as incentives to tackle it. My hunch is that the switch-over to software-defined networks will be a key driver for change. When resources are brought under software control then they have to be given units of measure. Network operators will have a low tolerance for control systems that have vendor lock-in at this elementary level. Hence the process of standardizing the metrics for quantity and quality will rise in visibility and importance in the next few years.
Written by Martin Geddes, Founder, Martin Geddes Consulting Ltd
2017-01-13T09:54:00-08:00
A Global Paradigm Change is Threatening us All
While conventional cyber attacks are evolving at breakneck speed, the world is witnessing the rise of a new generation of political, ideological, religious, terror and destruction motivated "Poli-Cyber™" threats. These are attacks perpetrated or inspired by extremists' groups such as ISIS/Daesh, rogue states, national intelligence services and their proxies. They are breaching organizations and governments daily, and no one is immune. This is a global paradigm change in the cyber and non-cyber threat landscape. The world has moved from resisting the attack, to surviving the inevitable.
Traditional Cyber-Security Strategies are Struggling at Best, and Failing Daily
With traditional cyber-security strategies failing, how can Decision Makers defend and protect national and corporate interests against existing serious conventional attacks and the new generation of Poli-Cyber terrorism? This is not just a threat to profitability, this is a threat to "Survivability". New & innovative solutions are most urgently needed. The MLi Group is organizing Decision Maker Symposiums & Briefings aimed at Chairmen, CEOs, Board members and senior government officials, as well as Summits around the world to address these new threats, and offer innovative solutions that address them. On March 22-23, 2017, an MLi summit is taking place in London aimed at: "Securing Survivability in Cyber Threatened World". This Summit is a new format created by MLi based on its proprietary and holistic Survivability Solution™ to address these grave new threats posed by conventional and destruction motivated Poli-Cyber attacks threatening businesses and governments globally. The Summit Draft Program illustrates the innovative MLi developed model as well as some of their partners' mechanisms and processes to help stakeholders first come to terms with the severity of the new threat landscape and to be able to operate in it. Only then are they in a position to start their journey to better ensuring "Survivability". Decision Makers who are keen on making their organizations become better protected against these new threats would significantly benefit from attending. But those who also see the value of turning a threat into a unique competitive edge and opportunity for years to come would find Joining, Witnessing & Engaging in the New Mind-Set, Approach, & Solutions Needed to Address this Critical New Challenge very Compelling.
Written by Khaled Fattal, Group Chairman, The Multilingual Internet Group
Transition spokesman Sean Spicer told reporters today that former New York City Mayor Rudy Giuliani will "chair" the cyber task force that Trump announced last Friday. The task force is given three months from Trump's inauguration to deliver a cybersecurity plan.
— Giuliani from the Trump Tower in Manhattan on Thursday: "Over the course of the last 20 years, our ability to use modern technology has evolved in ways we couldn't possibly imagine — really fast, very quick, we can do things we never could do before. Our ability to defend that has lagged behind."
— "Giuliani, who has done private cybersecurity work since he left government, will be convening groups of private sector experts and executives who will meet with Trump on the issue," Rebecca Savransky and Ben Kamisar reporting in The Hill.
— Giuliani on Fox & Friends: "It's his [Trump's] belief, which I share, that a lot of the solutions are out there, we're just not sharing them. It's like cancer. You know, there's cancer research going on all over the place — you'd almost wish they'd get together in one room and maybe we'd find a cure." Watch video clip via Twitter
2017-01-12T12:37:00-08:00
A company that registers a domain name containing someone else's trademark may be engaging in the acceptable practice of "defensive registration" if (among other things) the domain name is a typographical variation of the registrant's own trademark. That's the outcome of a recent decision under the Uniform Domain Name Dispute Resolution Policy (UDRP), a case in which the domain name in dispute, idocler.com, contained the complainant's DOCLER trademark — but also contained a typo of the respondent's DOLCER trademark. The UDRP complaint was filed by Docler IP S.à r.l. and related companies, all in Europe, that own the DOCLER trademark. According to the UDRP decision, Docler IP apparently uses the DOCLER trademark in connection with "a web platform with music, storytelling, and similar entertainment services." The disputed domain name was registered by a Chinese company that "sells speakers and similar products under the name DOLCER," which is protected by an EU trademark registration. Note the slight difference: The complainant's trademark is DOCLER, while the respondent's trademark is DOLCER. And, importantly, the respondent's domain name contains the complainant's trademark. The UDRP panel had no trouble finding the domain name
The Department of Commerce issues a green paper outlining guiding principles and ways to support the advancement of the Internet of Things (IoT). "The report, developed by the Department's Internet Policy Task Force and Digital Economy Leadership Team, finds that the increased scale, scope and stakes of the Internet of Things will lead to opportunities and challenges that are qualitatively different than prior technological advances."
The paper offers feedback on the April 2016 Request for Comment as well as a workshop that was hosted by the Department in September 2016. Included in the paper are four principles for guiding the Department's future IoT activities:
— The Department will lead efforts to ensure the IoT environment is inclusive and widely accessible to consumers, workers, and businesses;
— The Department will recommend policy and take action to support a stable, secure and trustworthy IoT environment;
— The Department will advocate for and defend a globally connected, open and interoperable IoT environment built upon industry-driven, consensus-based standards; and
— The Department will encourage IoT growth and innovation by expanding markets and reducing barriers to entry, and by convening stakeholders to address public policy challenges.
2017-01-12T11:37:00-08:00
Zero-touch provisioning (ZTP) — whatever does that mean? Of course, it is another marketing term. I think the term "closer to zero touch provisioning" is probably better, but CTZTP — as opposed to ZTP — is a bit more of a mouthful. Whenever I hear language like this that I'm not familiar with, I get struck by a bolt of curiosity. What is this new and shiny phrase that has just appeared as if from nowhere? Zero means zero, right? So by zero-touch provisioning, I was expecting to be dazzled. Services could be delivered to the customer without anyone having to put their hands near anything. How was this going to be done? Had someone invented a system run by robots and mind-control? Did we just need to think about what we wanted and it would get done? Unfortunately, this was not the case. Some touches were required. Whole networks needed to be in place and this was going to require some physical touches. Already we are way above zero. Okay, so ZTP is probably based on the assumption that the infrastructure is in place. Is there a case to be made for zero touches? I'm still not seeing it. Someone still needs to take the customer order. If it is a new customer, then usually someone needs to go onsite. The service still needs to be checked to ensure it meets the standards required; at a minimum, the customer needs to access the internet, see a TV channel, or get a dial-tone. For the sake of getting to our goal of zero touches, we can make that process better. How about we just ship the required devices to the customer? That makes it so the customer just needs to plug in, turn on, and connect to the network. Okay, so this is still not quite zero-touch as the customer needs to do something, but it is zero touches for us. Now we don't need to send someone onsite. That helps a lot. Not only do we save on labor costs but the customer becomes a shade more technical. But what if there's a problem?
Now the customer has plugged everything in and they're not getting service. So much for the great plan of just shipping the device out! Well, actually, this is where we can get really creative. Nowadays, we can generally determine if and when a device is connected. Once we know the device is connected, we can then ensure that the service is good quality, e.g. using TR-069, SNMP, IPDR, and so on. Before we can do this though, we need to map a device to a customer order. In other words, even if a device comes online, how do I know that this device is sitting in the right customer's premise? There are ways to deal with this, for example:
— Log the device that is sent to the customer address prior to delivery.
— Once the device is plugged in, use a walled garden to discover the device information and map that back to the customer. Once the customer tries to access the Internet, they will be redirected to a walled garden. This redirection captures the device information, thereby registering the device.
In both cases above, once the device is properly associated with the customer and is online, services will be set up and the service assurance workflows will be triggered. Decreasing the touches generally means increasing the automation. As we get closer and closer to zero touches, the automation increases and gets more complex. I'm sure you're also seeing other options here. NFV and SDN can contribute greatly to this. In my mind's eye, "zero touch" is a bit like that exponential decay curve that will forever go towards zero but never quite reach it. So even though it will probably never be literally "zero touch", I get the idea. The more we can remove "touches" from the process, the easier it will be to deploy new devices and make the whole provisioning cycle so much easier. We offer a white paper with more information about getting as close as possible to zero-touch pro[...]
"Alphabet cuts former Titan drone program from X division, employees dispersing to other units," reports Seth Weintraub today in 9TO5Google: "In 2014, Google bought Titan Aerospace, maker of high-altitude, solar-powered drone aircraft. ... The Titan division was absorbed into X in late 2015 from the Access and Energy division during the Alphabet re-shuffle. ... We’ve now heard and Alphabet has confirmed, that the Titan group was recently shut down and engineers were told to look for other jobs within Alphabet/Google in the coming months. Over 50 employees were involved in the process."
2017-01-11T11:45:00-08:00
Kremvax during the Soviet coup attempt (Top), Mumbai terrorist attack (Middle), The Arab Spring (Bottom)
I was naively optimistic in the early days of the Internet, assuming that it would enhance democracy while providing "big data" for historians. My first taste of that came during the Soviet coup attempt of 1991 when I worked with colleagues to create an archive of the network traffic in, out and within the Soviet Union. That traffic flowed through a computer called "Kremvax," operated by RELCOM, a Russian software company. The content of that archive was not generated by the government or the establishment media — it was citizen journalism, the collective work of independent observers and participants stored on a server at a university. What could go wrong with that? The advent of the Web and Wikipedia fed my optimism. For example, when terrorists attacked various locations in Mumbai, India in 2008, citizen journalists inside and outside the hotels that were under attack began posting accounts. The Wikipedia topic began with two sentences: "The 28 November 2008 Mumbai terrorist attacks were a series of attacks by terrorists in Mumbai, India. 25 are injured and 2 killed." In less than 22 hours, 242 people had edited the page 942 times expanding it to 4,780 words organized into six major headings with five subheadings. (Today it is over 130,000 bytes, revisions continue and it is still viewed over 2,000 times per month). What could go wrong with that? The 2011 Arab Spring was also seen as a demonstration of the power of the Internet as a democratic tool and repository of history. What could go wrong with that?
What went wrong
The problem is that the Internet turned out to be a tool of governments and terrorists as well as citizens. Furthermore, historical archives can disappear or, worse yet, be changed to reflect the view of the "winner." Our Soviet Coup archive was set up on a server at the State University of New York, Oswego, by professor Dave Bozack. What will happen to it when he retires? If someone tried to delete or significantly alter the Wikipedia page on the Mumbai attack, they might be thwarted by one of the volunteers who has signed up to be "page watchers" — people who are notified whenever the page they are watching is edited. We saw a reassuring demonstration of the rapid correction of vandalism in a podcast by Jon Udell. That was cool, but does it scale? Volunteers burn out. The page on the Mumbai attacks has 358 page watchers, but only 32 have visited the page after recent edits. Even if a Wikipedia page remains intact, links to references and supporting material will eventually break — "link rot." If our Soviet Coup archive disappears after Dave's retirement, all the links to it will break. By the time of the Arab Spring, we were well aware of our earlier naivete — the Internet was already being used for terrorism and government cyberwar and the dream of providing raw data for future historians and political scientists was fading.
The Internet Archive
I was slow to understand the fragility of the Internet, but others saw it early — most importantly, Brewster Kahle, who, in 1996, established the Internet Archive to cache Web pages and preserve them against deletion or modification. They have been at it for 20 years now and have a massive online repository of books, music, software, educational material, and, of course, Web sites, including our Soviet Coup archive. As shown here, it has been archived 50 times since October 3, 2002 and it will be online long after Dave retires — as long as the Internet Archive is online.
Soviet coup archive from Internet Archive
Kahle understands that saving static Web[...]
2017-01-10T13:49:00-08:00
The Updated Supplementary Procedures for Independent Review Process ("IRP Supplementary Procedures") are now up for review and Public Comment. Frankly, there is a lot of work to be done. If you have ever been in a String Objection, Community Objection, or negotiated a Consensus Policy, your rights are being limited by the current way the IRP Supplementary Procedures proposal is structured. With timely edits, we can ensure that all directly-impacted and materially-affected parties have actual notice of the IRP proceeding, a right to intervene, a right to be heard on emergency requests, and a right to be part of the discussion of remedies and responses.
History
The IRP is based on commercial arbitration. Arising centuries ago, commercial arbitration was used when two merchants chose to bring their disputes to a wise and trusted private party rather than await the decision of the courts. Arbitration, as we can all recite, is faster and cheaper. But is it fairer? Currently, the IRP Supplementary Procedures proposal is optimized for the traditional IRP/arbitration scenario: a registration industry member has a dispute with ICANN. The first IRP filer was ICM Registry when Stuart Lawley felt that he had completed all of the requirements for a .XXX and the ICANN Board refused to delegate it to him (under a lot of pressure from the GAC). The ICM Registry wanted the .XXX Registry Agreement with ICANN and through the brilliant representation of Becky Burr and her then-law firm, it won. That's the classic IRP — a one-on-one arbitration between a single party and ICANN.
Problem
But we have decided to use the IRP in different ways — including as the forum for a range of challenges to the decisions of other arbitration forums and to our Multistakeholder Consensus Policies. For these purposes, the IRP is functioning more as an appellate court than an arbitration forum. Yet, we have not updated the IRP Supplementary Procedures to allow all involved parties to participate. Fair is fair; an IRP proceeding should not be a dance between the disgruntled Claimant and ICANN. It should include all parties to the underlying arbitration (should they choose to participate) and all parties to the underlying Consensus Policy (ditto). ICANN Counsel is brilliant, but they were not directly engaged in the underlying arbitration nor did they (or the ICANN Board) research, negotiate and write the Consensus Policy (the Community did!). Fundamental rules of due process in all developed country legal systems require that all directly impacted, materially affected parties have a legal right to be heard when there is a challenge to their rights and property. How in good faith, and in our new world of openness and transparency, can we exclude them from the IRP Proceeding?
1. IRPs Need to Include All Parties to a Previous Arbitration Decision — Especially the Winners!!
ICANN's Bylaws expressly throw the IRP doors open to challenge decisions of other arbitration forums. This includes decisions of the World Intellectual Property Organization's Legal Rights Objections and the International Chamber of Commerce's Community Objections, and even the International Center for Dispute Resolution (the ICDR, which hosts the IRP) also decided String Objections in Round 1 of the New gTLD process. All of these proceedings are legitimate arbitrations in their own right by well-respected international arbitration forums. Yet, when it comes to the IRP, only the challenger (specifically, the losing party) is heard as a matter of right. How can that be? This must be an oversight in the IRP Supplementary Rules. Clearly, any challenge to another arbitration decision MUST include Actual Notice to All of the Parties to the Underlying[...]
2017-01-10T09:13:01-08:00
In 2016, ransomware became an increasingly serious problem for small and medium businesses. Ransomware has proven a successful revenue generator for criminals, which means the risk to businesses will grow as ransomware becomes more sophisticated and increasing numbers of ethically challenged criminals jump on the bandwagon. Every business must take steps to protect itself from ransomware, but talking about prevention doesn't help ransomware victims decide whether to pay to get their data back. It's an unpleasant position in which to find oneself. No-one wants to pay criminals for access to their own data, but nor do they want to permanently lose access to information vital to their business. To pay, or not to pay? As you might expect, there's no definitive answer, but we can think through some of the factors that should influence your decision. The FBI's position on ransomware payments is straightforward: don't pay. The FBI believes paying doesn't guarantee access to the encrypted data, that it "emboldens" criminals to target more organizations, and that it encourages more criminals to join the ransomware industry. All of that is true, but business owners are understandably more interested in getting their data back now than whether paying encourages future attacks. Nevertheless, before paying, business owners should consider that by paying, they paint a target on their back. Criminals will bleed a victim dry if they're able. If you make a payment, you show the attacker that you're the sort of person who pays, and that can only encourage the attacker to find out how much more they can extort. If you choose to pay, you may or may not receive the keys to unlock your data. There is no guarantee that the keys will ever be delivered. But, counter-intuitive as it may sound, the ransomware model is based on trust. Victims have to trust that attackers will release their data — otherwise there's no incentive to pay.
In most cases, people who pay get their data back. In fact, the largest ransomware operations provide excellent customer service. They will help you pay and decrypt the data. Ultimately, your decision to pay should be predicated on a simple calculation: is the data I stand to lose and any future risk caused by paying worth the price being asked? The best way to avoid paying is to make sure that you never become the victim of a ransomware attack in the first place. That might seem like a truism, but it's surprising how many business owners don't take the simplest steps to keep their data safe. Educating employees about ransomware and phishing should be a high priority, but the single most important action a business owner can take is the creation of regularly updated offsite backups. Ransomware is only effective if it deprives the business of data; if that data is duplicated in a place the attackers can't reach, they have no leverage and you won't have to pay them a cent.
Written by Rachel Gillevet, Technical Writer
2017-01-09T13:49:00-08:00

Did you know that over 50% of .CZ domains are now signed with DNS Security Extensions (DNSSEC)? Or that over 2.5 million .NL domains and almost 1 million .BR domains are now DNSSEC-signed? Were you aware that around 80% of DNS clients are now requesting DNSSEC signatures in their DNS queries? And did you know that over 100,000 email domains are using DNSSEC and DANE to enable secure email between servers?

These facts and many more are available in a new report published by the Internet Society: State of DNSSEC Deployment 2016.

While many separate sites provide DNSSEC statistics, this report collects the information into a series of tables and charts that paint an overall picture of the state of DNSSEC deployment as of December 2016. As the report indicates, there has been steady and strong growth in both the statistics around DNSSEC signing and validation — and also in the number of tools and libraries available to support DNSSEC. It also discusses the growth of DANE (DNS-based Authentication of Named Entities) usage, particularly for securing email communication.

That growth, though, is not evenly distributed. In some parts of the world, particularly in Europe, there is solid growth in both DNSSEC signing and validation. In other parts of the world, the numbers are significantly lower. Similarly, while some country-code top-level domains (ccTLDs) such as .CZ, .SE, .NL and .BR are seeing high levels of DNSSEC signing of second-level domains, other ccTLDs are just beginning to see DNSSEC-signed domains. And among the other TLDs, some such as .GOV have almost 90% of their second-level domains signed, while .COM has under 1% signed.

The report dives into all this and more. Beyond statistics, the document explores some of the current challenges to deployment of DNSSEC and provides a case study. It also includes many links to further resources for more exploration.

Creating a report of this level involves a great number of people. I'd like to thank all the members of the DNS / DNSSEC community who provided data, reviews, proofreading and other support.

Our intent is that this will be an annual report where we can look back and see what has changed year-over-year. Our target now is for the 2017 report to be delivered at the DNSSEC Workshop at ICANN 60 in November. To that end, I would definitely welcome any comments people have about what is in the report and what people find useful and helpful. I'd also welcome comments about anything we may have missed.

Please do read and share this report widely. We'd like people to understand the current state of DNSSEC deployment — and how we can work together to accelerate that progress. On that note, if you want to get started with DNSSEC for your own network or domains, many resources are available to help.

P.S. An audio commentary is also available for those interested in listening to me talk about this topic.

Written by Dan York, Author and Speaker on Internet technologies - and on staff of Internet Society
More under: DNS, DNS Security, Domain Names, ICANN, Security, Top-Level Domains [...]
2017-01-09T10:14:00-08:00

Back in 2003, there was a race to pass spam legislation. California was on the verge of passing legislation that marketers disdained. Thus marketers pressed for federal spam legislation which would preempt state spam legislation. The Can Spam Act of 2003 did just that… mostly. "Mostly" is where litigation lives. According to the Can Spam Act preemption-exception:

This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto. 15 U.S.C. § 7707(b)(1).

The preemption-exception is big because California affords a private right of action, where the Can Spam Act does not. The Can Spam Act is enforced by state and federal authorities only. This is where today's plaintiff, in Silverstein v. Keynetics, Inc., Dist. Court, ND California 2016, attempted to hang his coat.

According to the court, "Plaintiff is a member of the group 'C, Linux and Networking Group' on LinkedIn, a professional networking website. Through his membership in that group, he received unlawful commercial emails that came from fictitiously named senders through the LinkedIn group email system. The emails originated from the domain 'linkedin.com,' even though non-party LinkedIn did not authorize the use of its domain and was not the actual initiator of the emails." The emails themselves contained marketing links that led, allegedly, to defendants' businesses.

Plaintiff alleged that the names in the 'from' field of the emails were false or deceptive. According to Plaintiff, "the 'from' names include 'Liana Christian,' 'Whitney Spence,' 'Ariella Rosales,' and 'Nona Paine,' none of which identify any real person associated with any defendant. Further, Plaintiff alleges that the emails 'claim to be from actual people' and that all of the false 'from' names deceive the emails' recipients 'into believing that personal connection could be made instead of a pitch for Defendants' products.'"

A reading of the Can Spam Act would appear to be clear. The Can Spam Act preempts state causes of action "except to the extent that any such statute prohibits [either] falsity or deception." If the email is either false or deceptive, it would seem, Plaintiff could proceed. In the case at hand, the information in the 'from' field would appear to be false.

The Judge in the Silverstein decision, however, hangs her hat on a previous 9th Circuit decision in Gordon v. Virtumundo, 575 F.3d 1040 (9th Cir. 2009). In Gordon, defendant sent out marketing emails from domain names that it had registered, such as "CriminalJustice@vm-mail.com," "PublicSafetyDegrees@vmadmin.com," and "TradeIn@vm-mail.com." These were, in fact, defendant's domain names. While the 'from' field may not have clearly identified who the defendant was, the information was not false, nor was it deceptive. Furthermore, according to the court, the WHOIS database accurately reflected to whom the domain names were registered. Therefore, at best, the 'from' field information was incomplete, but not false or deceptive. As a result, the Can Spam Act preempted litigation under state law.

The Gordon court elaborated that it is insufficient for the information in the spam to be merely problematic. It had to be materially problematic. The Gordon court looked at the words "false" and "deceptive," and other language of the Can Spam Act, and said, "we know those words. Those words refer to 'traditionally tortious or wr[...]
2017-01-06T12:51:01-08:00

The new year is upon us and it's time for our annual look at CircleID's most popular posts of the past year, highlighting those that received the most attention. Congratulations to all the 2016 participants and best wishes to all in the new year. Additionally, you can also visit the leaderboards for CircleID's overall top 100 community and industry participants.

Top 10 Featured Blogs from the community in 2016:
#1 How .MUSIC Will Go Mainstream and Benefit ICANN's New gTLD Program | Constantine Roussos | Jan 06, 2016 | Viewed 39,642 times
#2 Examining IPv6 Performance - Revisited | Geoff Huston | Aug 19, 2016 | Viewed 18,134 times
#3 Cybersquatting & Banking: How Financial Services Industry Can Protect Itself Online (Free Webinar) | Doug Isenberg | May 02, 2016 | Viewed 15,333 times
#4 We Need You: Industry Collaboration to Improve Registration Data Services | Scott Hollenbeck | May 24, 2016 | Viewed 14,751 times
#5 Usage Trumps Registrations: Why Past TLDs Failed and Why Many Will Follow in Their Path | Colin Campbell | Apr 09, 2016 | Viewed 14,529 times
#6 ICANN Fails Consumers (Again) | Garth Bruen | Apr 15, 2016 | Viewed 14,390 times
#7 Canon Takes Its .brand to the World, Moves Its Global Site to .CANON | Tony Kirsch | May 18, 2016 | Viewed 14,248 times
#8 Internet Governance Outlook 2016: Cooperation & Confrontation | Wolfgang Kleinwächter | Jan 11, 2016 | Viewed 14,222 times
#9 Internet Stewardship Transition Critical to Internet's Future | Daniel A. Sepulveda | Sep 16, 2016 | Viewed 13,347 times
#10 The Future of Domain Name Dispute Policies: The Journey Begins | Doug Isenberg | Apr 27, 2016 | Viewed 12,859 times

Top 10 News in 2016:
#1 IPv6 Now Dominant Protocol for Traffic Among Major US Mobile Providers | Aug 21, 2016 | Viewed 16,228 times
#2 Sweden Makes its TLD Zone File Publicly Available | May 16, 2016 | Viewed 13,006 times
#3 Internet Governance Forum Puts the Spotlight on Trade Agreements | Dec 09, 2016 | Viewed 11,462 times
#4 Hong Kong Billionaire Richard Li Becomes First Person to Own a TLD Matching His Name | May 12, 2016 | Viewed 10,466 times
#5 WordPress Announces New .BLOG TLD, to be Available This Year | May 12, 2016 | Viewed 9,686 times
#6 Next Round of New TLDs May Not Happen Until 2020, Says ICANN | May 05, 2016 | Viewed 8,399 times
#7 PirateBay Domains to Be Handed over to the State, Swedish Court Rules | May 14, 2016 | Viewed 8,052 times
#8 Series of New African TLDs Fail to Go Live, Get Termination Notice from ICANN | May 11, 2016 | Viewed 7,881 times
#9 Google Releases 'Noto', Free Font Covering Every Language and Every Character on the Web | Oct 09, 2016 | Viewed 7,057 times
#10 Cisco Issues High Alert on IPv6 Vulnerability, Says It Affects Both Cisco and Other Products | Jun 03, 2016 | Viewed 6,467 times

Top 10 Industry News in 2016 (sponsored posts):
#1 Move Beyond Defensive Domain Name Registrations, Towards Strategic Thinking | Boston Ivy | May 17, 2016 | Viewed 15,807 times
#2 Verisign Launches New gTLDs for the Korean Market, .닷컴 and .닷넷 | Verisign | May 16, 2016 | Viewed 12,915 times
#3 Meet Boston Ivy, Home to Some of the Most Specialized TLDs in the Financial Services Sector | Boston Ivy | May 24, 2016 | Viewed 12,397 times
#4 Verisign Opens Landrush Program Period for .コム Domain Names | Verisign | May 16, 2016 | Viewed 11,981 times
#5 New .PROMO Domain Sunrise Period Begins Today | Afilias | Apr 14, 2016 | Viewed 11,831 times
#6 Domain Management Handbook from MarkMonitor | MarkMonitor | May 10, 2016 | Viewed 11,810 times
#7 Afilias Announces Relaunch of .GREEN TLD | Afilias | Apr 22, 2016 | Viewed 11,338 times
#8 New TLD .STORE Crosses 500+ Sunrise Applications | Radix | May 31, 2016 | Viewed 10,095 times
#9 Minds + Machines Group Announces Outsourcing Agreements, Web Address Change | Minds + Machines | Apr 08, 2016 | Viewed 9,943 times
#1[...]
2017-01-06T09:50:00-08:00

Two events, which made headlines in the digital world in 2016, will probably frame the Internet Governance Agenda for 2017. On October 1, 2016, the US government confirmed the IANA Stewardship transition to the global multistakeholder community. On November 2, 2016, the Chinese government announced the adoption of a new cybersecurity law which will enter into force on July 1, 2017.

IANA Transition and the Chinese Cybersecurity Law

The IANA transition stands for a multistakeholder, bottom-up policy development process. The Chinese law stands for a top-down governmental approach. The new ICANN Bylaws are probably the most advanced version of a multistakeholder mechanism for a free, open and unfragmented Internet. The Chinese cybersecurity law is probably the most outspoken version of how a country can control the Internet within its territorial borders. Here we have a global multistakeholder network. There we have a national government. And it is not only the Chinese government which introduces strong national Internet legislation. It is Russia, Turkey, Iran, Pakistan, Saudi Arabia, Hungary, Poland, and even the United Kingdom.

Will we see a new type of conflict between multistakeholder networks and national Internet policies? Will the wave of the new nationalism sweep into the borderless cyberspace? Will, with a new president in Washington's Oval Office, pure power politics trample collective wisdom? Will fictions beat facts?

The short answer to these rhetorical questions is, unfortunately, "Yes". Yes, we will see a continuation of a chilly "Cold Cyberwar". Yes, we will see that more governments, in the name of security, will restrict fundamental individual human rights such as privacy and freedom of expression. And yes, we will see that more governments want to re-nationalize the global cyberspace and erect borders around their "national Internet segment" where they can control individuals, private corporations, personal data as well as the flow and the content of communication.

However, the short answer tells only half of the truth. The reality is more complex. To describe the basic cyberconflict of our time as "Democracies vs. Dictatorships" would be an oversimplification. Yes, there are conflicts between political structures, value systems, and ideologies. And yes, there are conflicts between borderless spaces (managed by multistakeholder networks) and bordered places (managed by hierarchically organized states). But the truth is that there are hierarchies in networks and networks in hierarchies. And there is no 100 percent democracy on one side and 100 percent dictatorship on the other side. There are western governments which prefer strong Internet regulation, argue that cybersecurity is more important than data protection, and reduce their commitment to the multistakeholder model to the technical management of Internet resources such as domain names, IP addresses or Internet protocols. On the other hand, the Chinese government has recognized that the concept of sovereignty in cyberspace, as it is pushed forward by President Xi, has to take into consideration also the role of non-state actors. Critical observers recognized that during the 3rd high-level Wuzhen Conference in November 2016, Chinese officials introduced the terminology of "multi-party governance", which is the Chinese version of the multistakeholder model. "Multi-party Internet governance" invites the Chinese private sector, technical community, and even civil society to participate in Internet policy making. How far this will go in practice remains to be seen, but it is an interesting move in an ideologica[...]
2017-01-06T08:50:00-08:00

The Respondent's cry of pain in AXA SA v. Whois Privacy Protection Service, Inc. / Ugurcan Bulut, axathemes, D2016-1483 (WIPO December 12, 2016), "[w]hat do you want from me people? I already removed all the files from that domain and it's empty. What else do you want me to do???", raises some interesting questions.

The letters "a," "x," and "a" form an unusual string, but unlike other iconic strings such as "u," "b," and "s" or "i," "b," and "m," for example, which started their lives as the first letters of three-word brands, AXA is not an acronym. Whether invented strings or acronyms, iconic strings are not just random letters. Combining them with dictionary words (whether or not suggesting an association with complainants' businesses) is essentially conclusive of cybersquatting. Adding "themes" to AXA (particularly when AXA also owns AXA THEMA), "money" to UBS (where UBS is in the money business), or "food" to IBM (even though food has no direct connection with IBM's business) undercuts the credibility of these respondents even if they appear and argue ignorance of intention; that they had an entirely different project "in mind" without reference to the trademarks.

Innocence is essentially Respondent's position in AXA. He put on a show of indignation but had no explanation for incorporating the trademark in the domain name: "How can you know [he says] that [the domain name] refers [to] AXA THEMES, maybe it's AXAT HEMES or AXATH EMES." Well, why not? Conceivably, a registrant could use made-up phrases to create a business using either of the two alternative possibilities, but to do that he would have to offer demonstrable proof of such a business existing or in formation. In the absence of proof, Panels will infer cybersquatting. Complainants prevail when Respondents cannot explain what the trademark is doing in the domain name even if the added word has no association with the trademark;
2017-01-05T07:59:01-08:00

A new age of openness is coming upon us. At least that's what we're being told. For instance — "The reign of closed solution suites is over, shifting to the rise of open, heterogeneous software ecosystems." Maybe it's my 30 years in the information technology business (how many people remember Thomas-Conrad ARCnet hardware?), but I'm not convinced. It's worth taking a moment to consider the case.

On the positive side, there is a huge movement towards openness in many areas of the IT world. It is slowly becoming possible, for instance, for mid-scale operators to disaggregate their routers and switches into multiple parts, each purchased and managed to obtain the best bang for the buck. In this regard, the importance of the router (or switch) as an appliance certainly seems to be on the wane. The open source movement, standing on the shoulders of open standards, certainly seems to be making huge strides. There are now a number of open source routing stacks available (including Free Range Routing, forked off of Quagga). Various flavors of *NIX are available through open source that are production grade, and many companies are contributing large and important projects (such as Kafka) to the community. These open source projects form the backbone of the cloud, in fact; cloud providers largely build their services on open source software and white box hardware. Open19 is accelerating the move towards commodity compute and storage, as well, making the white box buy much more compelling for mid-scale operators. The existence of large-scale, widely available development platforms is making a lot of companies ask: Why buy hardware from a name brand vendor when you can rent a cheaper version that someone else maintains?

But all the roads in the world do not lead to open software systems. There are several counter-movements that need to be watched carefully if we are to see the whole picture.

The first to note is the Software-Defined Wide Area Network (SD-WAN) movement. While it might be fairly invisible to hyper- and web-scale operators, it is "in-your-face" for last mile and transit providers. SD-WAN is taking the wide area world by storm, with most transit and last mile providers either scrambling to keep up, or partnering with an existing company in the space. More importantly for the question this post is asking: SD-WAN is based on completely closed, proprietary solutions that do not interoperate with anything else.

The second to note is the serverless movement. At first glance, serverless is just another stage of the cloud. First, you remove the storage, then the compute, then the network, and, finally, the operating system. But there is a more important point in the serverless revolution. To go serverless, you must move your applications into an API controlled by a provider. While these applications might well interoperate with other applications and systems, they must do so through the facilities provided by the operator. Serverless is, to put it in more familiar terms, at least for someone who used to work on mainframes and minis, a pretty mainframe-ish version of the cloud. Again, the very definition of a closed, proprietary system.

So there are several examples of movement towards open software running on commodity hardware. There are, at the same time, several examples of movement towards closed systems running on what is essentially proprietary hardware bundled with software. Neither case is a "pure appliance" play, but both cases rely on strong vertical integration to create a new way of solving [...]