2017-01-22T11:47:00-08:00
The FAKE45 sign in the photo lower right corner appearing on the front page of today's Washington Post — ironically in front of the Department of Justice headquarters — captures a result of yesterday's events that may have far-reaching consequences. About 4.5 million people — including a million in Washington DC alone — spontaneously came together from every corner of the nation and world to question the legitimacy of a Trump Administration, express disdain for its actions, and assert the repugnancy of its positions. I was there. Later that afternoon, Trump at CIA Headquarters "in a despicable display" per the former Agency Director, refuted the very existence of such large protests and eschewed any implications — denouncing the press for reporting it. It is also abundantly clear from Trump's stated public positions that he rejects the most fundamental concepts of public international law, intends to abrogate many significant international agreements, and retreat back to the 19th century before the existence of the international system of laws and multilateral cooperation. In short, the pronounced policy of his Administration is one of Bully Bilateralism, deceptions, and propagation of mistruth. Lastly, and quite significantly, Trump was installed in his position by documented deceptions and manipulation — losing the democratic vote by a very sizeable margin. While Trump may be able to hold on to his position and authority within the U.S. for the immediate future, however tenuous within its domestic legal system, his legitimacy and that of his Administration under the international legal system seems open to significant challenges. The U.S. itself for far less has questioned the legitimacy of foreign Administrations who were not democratically elected and clearly do not represent the patent interests of its people. The Trump Administration on its present course does not deserve to be accepted as part of the international community.
As someone who was trained, taught and has practiced international law for many decades in multiple capacities, the pursuit of this subject seems worthy of colleagues at my alma mater — the Washington College of Law — and in the profession worldwide. Furthermore, those who purport to be part of the Internet Community need to stop living in a state of denial and doing little or nothing to speak out, much less substantively resist what is occurring. There are many avenues to do so. Responsive actions in international cooperation and organizations are some of them. The Trump Administration as evidenced by the installation speech and hand salute before the Capitol two days ago, and its immediate profound changes to the White House website, is plainly taking the Internet and international cooperation to a dark place.
Written by Anthony Rutkowski, Principal, Netmagic Associates LLC
Follow CircleID on Twitter
More under: Internet Governance, Law, Policy & Regulation [...]
FCC senior Republican Ajit Pai has been named President Donald Trump's pick as chairman of the FCC. "Pai, a Barack Obama nominee who has served as the senior FCC Republican for more than three years, could take the new role immediately and wouldn't require approval by the Senate because he was already confirmed to serve at the agency." Alex Byers and Tony Romm reporting in Politico: "President Donald Trump will tap Ajit Pai as his pick to lead the FCC in the new administration… Pai is already a familiar name in tech and telecom policy debates. He's a fierce and vocal critic of many regulations passed by the commission's Democratic majority, including the 2015 net neutrality rules… As chairman, Pai will be able to start the process of undoing the net neutrality order and pursuing other deregulatory efforts."
"Outgoing U.S. Federal Communications Commission Chairman Tom Wheeler warned Republicans against dismantling the Obama administration's landmark 'net neutrality' protections." David Shepardson reporting in Reuters: "These are serious things," said Wheeler, who steps down Friday as Republican Donald Trump replaces Democrat Barack Obama as president. "People have made business decisions based on the expectation of an open internet and to take that away in order to favor half a dozen companies just seems to be a shocking decision. ... "Republican FCC Commissioner Ajit Pai, who is expected to be named acting chairman by Trump as early as Friday, said in December he thought net neutrality's days were numbered."
2017-01-20T14:58:00-08:00
"Past performance does not necessarily predict future results." That's what the U.S. Securities and Exchange Commission requires mutual funds tell investors. But it's also true about domain name disputes. Cases in point: In four recent proceedings under the Uniform Domain Name Dispute Resolution Policy (UDRP), the operator of a large bank won two decisions but lost two others, despite a track record of having won more than 30 previous UDRP disputes. The complainant was Webster Financial Corporation, and all four of the cases involved the same trademark (HSA BANK) and the same type of activity by the domain name registrant (pay-per-click sites with links for competing services). The differing decisions were all issued within a two-week period of time. Here are the decisions: Webster Financial Corporation v. SATOSHI SHIMOSHITA, Forum Claim No. FA1611001704955 (January 3, 2017): Panel denied transfer of
2017-01-19T14:54:00-08:00
What will the Internet look like in the next seven to 10 years? How will things like marketplace consolidation, changes to regulation, increases in cybercrime or the widespread deployment of the Internet of Things impact the Internet, its users and society? At the Internet Society, we are always thinking about what's next for the Internet. And now we want your help! The Internet is an incredibly dynamic medium, shaped by a multitude of pressures — be they social, political, technological, or cultural. From the rise of mobile to the emergence of widespread cyber threats, the Internet of today is different than the Internet of 10 years ago. The Internet Society and our community care deeply about the future of the Internet because we want it to remain a tool of progress and hope. Last year, we started a collaborative initiative — the Future Internet project — to identify factors that could change the Internet as we know it. We asked for your views and heard from more than 1,500 members across the world — thank you! That feedback provided a strong foundation for the development of our Future Internet work. We have consolidated that input into nine driving forces for the Internet. The list is posted on our future Internet webpage, along with the challenges and uncertainties raised by our community. Our community identified these forces as the things that will influence how the Internet will evolve in the future. They include:
— Convergence of the Internet and the Physical World
— Artificial Intelligence and Machine Learning
— New and Evolving Digital Divides
— Increasing Role of Government
— Future of the Marketplace and Competition
— Impact of Cyberattacks and Cybercrime
— Evolution of Networks and Standards
— Impact on Media, Culture, and Human Interaction
— Future of Personal Freedoms and Rights
Now, we need your help again.
Please review this work and let us know what you think by sending your answers to the following questions to email@example.com:
— Which of the nine drivers do you think will have the biggest impact on the future of the Internet in the next seven to 10 years?
— Are there major issues that are missing from this list?
— What 2-3 issues would you prioritize in our Future Internet project?
2017 is the Internet Society's 25th anniversary. It is an opportunity to look back and see how the Internet has grown and evolved since our earliest days. It is also a chance to look ahead and imagine the future. Will the Internet continue to be a tool to build community, drive innovation, and create opportunity? With this Future Internet project, we can imagine some different futures and then think together about what steps we need to take today to bring about the future that we want. More updates will be coming soon, with a final report in September. Thanks in advance for your participation and input! Note: an earlier version of this post appeared on the Internet Society blog.
Written by Sally Shipman Wentworth, VP of Global Policy Development, Internet Society
More under: Broadband, Internet Governance, Internet of Things, Law, Policy & Regulation, Privacy, Security, Telecom, Web [...]
2017-01-18T12:25:01-08:00
Despite widespread concern about the security of mobile and Internet of Things (IoT) applications, organizations are ill-prepared for the risks they pose, according to a research report issued today from Ponemon Institute, IBM Security, and Arxan Technologies. "Mobile and IoT applications continue to be released at a rapid pace to meet user demand. If security isn't designed into these apps there could be significant negative impacts," says Diana Kelley, Global Executive Security Advisor, IBM Security. Some of the key findings from the report below:
— Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace. Organizations are having a more difficult time securing IoT apps. Respondents are slightly more concerned about getting hacked through an IoT app (fifty-eight percent) than a mobile app (fifty-three percent). However, despite their concern, organizations are not mobilizing against this threat.
— Material data breach or cyber attacks have occurred and are reasons for concern. Sixty percent of respondents know with certainty (eleven percent), most likely (fifteen percent) or likely (thirty-four percent) that their organization had a security incident because of an insecure mobile app. Respondents are less certain whether their organization has experienced a material data breach or cyber attack due to an insecure IoT app.
— The risk of unsecured IoT apps is growing. Respondents report IoT apps are harder to secure (eighty-four percent) versus mobile apps (sixty-nine percent). Additionally, fifty-five percent of respondents say there is a lack of quality assurance and testing procedures for IoT apps.
— Despite the risk, there is a lack of urgency to address the threat. Only thirty-two percent of respondents say their organization urgently wants to secure mobile apps and forty-two percent of respondents say it is urgent to secure IoT apps.
— Not enough resources are being allocated...yet.
Only thirty percent of respondents say their organization allocates sufficient budget to protect mobile apps and IoT devices. If they had a serious hacking incident, their organizations would consider increasing the budget (fifty-four percent of respondents). Other reasons to increase the budget are if new regulations were issued (forty-six percent of respondents) or media coverage of a serious hacking incident affecting another company occurred (twenty-five percent of respondents).
More under: Cyberattack, Cybercrime, Internet of Things, Security [...]
The Canadian Security Intelligence Service (CSIS) is reported to have warned companies about an increasing risk of cyber espionage and attacks on pipelines, oil storage and shipment facilities. In an exclusive report published by Reuters today based on classified documents, CSIS issued warnings last May in which it highlighted an additional risk for the energy sector, where opposition to pipelines has ramped up in Canada, home to the world's third-largest oil reserves, and the United States. "You should expect your networks to be hit if you are involved in any significant financial interactions with certain foreign states," the official said in the document, seen by Reuters under access-to-information laws.
A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack, according to Ukraine's national power company, Ukrenergo, which hired investigators to help it determine the cause. Reuters reporting today: "A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers and establish the source of the breach, utility Ukrenergo told Reuters on Wednesday. ... Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilowatt sub-station "North", were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters."
2017-01-14T20:02:00-08:00
Why does the broadband industry, supposedly a "high technology" one, lag behind old and largely defunct industries that now have reached the "museum piece" stage? Last week I was at the National Slate Museum in Wales watching slate being split apart. On the wall were sample pieces of all the standard sizes. These have cute names like "princess". For each size, there were three standard qualities: the thinnest are the highest quality (at 5mm in thickness), and the thickest have the lowest quality (those of 13mm or more). Obviously, a lighter slate costs less to transport and lets you roof a wider span and with less supporting wood, hence is worth more. These slates were sold around the world, driven by the industrial revolution and need to build factories and other large structures for which "traditional" methods were unsuitable. Today we are building data centers instead of factories, and the key input is broadband access rather than building materials. Thankfully telecoms is a far less dangerous industry and doesn't give us lung disease that kills us off in our late 30s. (The eye strain and backache from hunching over iDevices is our deserved punishment for refusing to talk to each other!) What struck me was how this "primitive" industry had managed to create standard products in terms of quantity and quality, that were clearly fit-for-purpose for different uses such as main roofs versus drainage versus ornamental uses. This is in contrast to broadband where there is high variability in the service, even with the same product from the same operator being delivered to different end users. With broadband, we don't have any kind of standard units for buyers to be able to evaluate a product or know if it offers better or worse utility and value than another. The only promise we make is not to over-deliver, by setting an "up to" maximum burst data throughput! Even this says nothing about the quality on offer.
In this sense, broadband is an immature craft industry which has yet to even reach the most basic level of sophistication in how it defines its products. To a degree, this is understandable, as the medium is a statistically multiplexed one, so naturally is variable in its properties. We haven't yet standardized the metrics in which quantity and quality are expressed for such a thing. The desire is for something simple like a scalar average, but there is no quality in averages. Hence we need to engage with the probabilistic nature of broadband, and express its properties as odds, ideally using a suitable metric space that captures the likelihood of the desired outcome happening. This is by its nature something that is an internal measure for industry use, rather than something that end consumers might be exposed to. Without standard metrics and measures, and transparent labeling, a proper functioning market with substitutable suppliers is not possible. The question that sits with me is: whose job is it to standardize the product? The regulator? Equipment vendors? Standards bodies? Network operators? Industry trade groups? Or someone else? At the moment we seem to lack both awareness of the issue, as well as incentives to tackle it. My hunch is that the switch-over to software-defined networks will be a key driver for change. When resources are brought under software control then they have to be given units of measure. Network operators will have a low tolerance for control systems that have vendor lock-in at this elementary level. Hence the process of standardizing the metrics for quantity and quality will rise in visibility and importance in the next few years.
Written by Martin Geddes, Founder, Martin Geddes Consulting Ltd
More under: Access Providers, Broadband, Policy & Regulation, Telecom [...]
2017-01-13T09:54:00-08:00
A Global Paradigm Change is Threatening us All
While conventional cyber attacks are evolving at breakneck speed, the world is witnessing the rise of a new generation of political, ideological, religious, terror and destruction motivated "Poli-Cyber™" threats. These are attacks perpetrated or inspired by extremists' groups such as ISIS/Daesh, rogue states, national intelligence services and their proxies. They are breaching organizations and governments daily, and no one is immune. This is a global paradigm change in the cyber and non-cyber threat landscape. The world has moved from resisting the attack, to surviving the inevitable.
Traditional Cyber-Security Strategies are Struggling at Best, and Failing Daily
With traditional cyber-security strategies failing, how can Decision Makers defend and protect national and corporate interests against existing serious conventional attacks and the new generation of Poli-Cyber terrorism? This is not just a threat to profitability, this is a threat to "Survivability". New & innovative solutions are most urgently needed. The MLi Group is organizing Decision Maker Symposiums & Briefings aimed at Chairmen, CEOs, Board members and senior government officials, as well as Summits around the world to address these new threats, and offer innovative solutions that address them. On March 22-23, 2017, an MLi summit is taking place in London aimed at: "Securing Survivability in Cyber Threatened World". This Summit is a new format created by MLi based on its proprietary and holistic Survivability Solution™ to address these grave new threats posed by conventional and destruction motivated Poli-Cyber attacks threatening businesses and governments globally. The Summit Draft Program illustrates the innovative MLi developed model as well as some of their partners' mechanisms and processes to help stakeholders first come to terms with the severity of the new threat landscape and to be able to operate in it.
Only then are they in a position to start their journey to better ensuring "Survivability". Decision Makers who are keen on making their organizations become better protected against these new threats would significantly benefit from attending. But those who also see the value of turning a threat into a unique competitive edge and opportunity for years to come would find Joining, Witnessing & Engaging in the New Mind-Set, Approach, & Solutions Needed to Address this Critical New Challenge very Compelling.
Written by Khaled Fattal, Group Chairman, The Multilingual Internet Group
More under: Cloud Computing, Cyberattack, Cybercrime, DDoS, DNS Security, Internet Governance, Internet of Things, Internet Protocol, Law, Malware, Policy & Regulation, Security, Spam [...]
Transition spokesman Sean Spicer told reporters today that former New York City Mayor Rudy Giuliani will "chair" the cyber task force that Trump announced last Friday. The task force is given three months from Trump's inauguration to deliver a cybersecurity plan.
— Giuliani from the Trump Tower in Manhattan on Thursday: "Over the course of the last 20 years, our ability to use modern technology has evolved in ways we couldn't possibly imagine — really fast, very quick, we can do things we never could do before. Our ability to defend that has lagged behind."
— "Giuliani, who has done private cybersecurity work since he left government, will be convening groups of private sector experts and executives who will meet with Trump on the issue," Rebecca Savransky and ben Kamisar reporting in The Hill
— Giuliani on Fox & Friends: "It's his [Trump's] belief, which I share, that a lot of the solutions are out there, we're just not sharing them. It's like cancer. You know, there's cancer research going on all over the place — you'd almost wish they'd get together in one room and maybe we'd find a cure."
2017-01-12T12:37:00-08:00
A company that registers a domain name containing someone else's trademark may be engaging in the acceptable practice of "defensive registration" if (among other things) the domain name is a typographical variation of the registrant's own trademark. That's the outcome of a recent decision under the Uniform Domain Name Dispute Resolution Policy (UDRP), a case in which the domain name in dispute, idocler.com, contained the complainant's DOCLER trademark — but also contained a typo of the respondent's DOLCER trademark. The UDRP complaint was filed by Docler IP S.à r.l. and related companies, all in Europe, that own the DOCLER trademark. According to the UDRP decision, Docler IP apparently uses the DOCLER trademark in connection with "a web platform with music, storytelling, and similar entertainment services." The disputed domain name was registered by a Chinese company that "sells speakers and similar products under the name DOLCER," which is protected by an EU trademark registration. Note the slight difference: The complainant's trademark is DOCLER, while the respondent's trademark is DOLCER. And, importantly, the respondent's domain name contains the complainant's trademark. The UDRP panel had no trouble finding the domain name
The Department of Commerce issues a green paper outlining guiding principles and ways to support the advancement of the Internet of Things (IoT). "The report, developed by the Department's Internet Policy Task Force and Digital Economy Leadership Team, finds that the increased scale, scope and stakes of the Internet of Things will lead to opportunities and challenges that are qualitatively different than prior technological advances."
The paper offers feedback on the April 2016 Request for Comment as well as a workshop that was hosted by the Department in September 2016. Included in the paper are four principles for guiding the Department's future IoT activities:
— The Department will lead efforts to ensure the IoT environment is inclusive and widely accessible to consumers, workers, and businesses;
— The Department will recommend policy and take action to support a stable, secure and trustworthy IoT environment;
— The Department will advocate for and defend a globally connected, open and interoperable IoT environment built upon industry-driven, consensus-based standards; and
— The Department will encourage IoT growth and innovation by expanding markets and reducing barriers to entry, and by convening stakeholders to address public policy challenges.
2017-01-12T11:37:00-08:00
Zero-touch provisioning (ZTP) — whatever does that mean? Of course, it is another marketing term. I think the term "closer to zero touch provisioning" is probably better, but CTZTP — as opposed to ZTP — is a bit more of a mouthful. Whenever I hear language like this that I'm not familiar with, I get struck by a bolt of curiosity. What is this new and shiny phrase that has just appeared as if from nowhere? Zero means zero, right? So by zero-touch provisioning, I was expecting to be dazzled. Services could be delivered to the customer without anyone having to put their hands near anything. How was this going to be done? Had someone invented a system run by robots and mind-control? Did we just need to think about what we wanted and it would get done? Unfortunately, this was not the case. Some touches were required. Whole networks needed to be in place and this was going to require some physical touches. Already we are way above zero. Okay, so ZTP is probably based on the assumption that the infrastructure is in place. Is there a case to be made for zero touches? I'm still not seeing it. Someone still needs to take the customer order. If it is a new customer, then usually someone needs to go onsite. The service still needs to be checked to ensure it meets the standards required; at a minimum, the customer needs to access the internet, see a TV channel, or get a dial-tone. For the sake of getting to our goal of zero touches, we can make that process better. How about we just ship the required devices to the customer? That makes it so the customer just needs to plug in, turn on, and connect to the network. Okay, so this is still not quite zero-touch as the customer needs to do something, but it is zero touches for us. Now we don't need to send someone onsite. That helps a lot. Not only do we save on labor costs but the customer becomes a shade more technical. But what if there's a problem?
Now the customer has plugged everything in and they're not getting service. So much for the great plan of just shipping the device out! Well, actually, this is where we can get really creative. Nowadays, we can generally determine if and when a device is connected. Once we know the device is connected, we can then ensure that the service is good quality, e.g. using TR-069, SNMP, IPDR, and so on. Before we can do this though, we need to map a device to a customer order. In other words, even if a device comes online, how do I know that this device is sitting in the right customer's premise? There are ways to deal with this, for example:
— Log the device that is sent to the customer address prior to delivery.
— Once the device is plugged in, use a walled garden to discover the device information and map that back to the customer. Once the customer tries to access the Internet, they will be redirected to a walled garden. This redirection captures the device information, thereby registering the device.
In both cases above, once the device is properly associated with the customer and is online, services will be set up and the service assurance workflows will be triggered. Decreasing the touches generally means increasing the automation. As we get closer and closer to zero touches, the automation increases and gets more complex. I'm sure you're also seeing other options here. NFV and SDN can contribute greatly to this. In my mind's eye, "zero touch" is a bit like that exponential decay curve that will forever go towards zero but never quite reach it. So even though it will probably never be literally "zero touch", I get the idea. The more we can remove "touches" from the process, the easier it will be to deploy new devices and make the whole provisioning cycle so muc[...]
"Alphabet cuts former Titan drone program from X division, employees dispersing to other units," reports Seth Weintraub today in 9TO5Google: "In 2014, Google bought Titan Aerospace, maker of high-altitude, solar-powered drone aircraft. ... The Titan division was absorbed into X in late 2015 from the Access and Energy division during the Alphabet re-shuffle. ... We’ve now heard and Alphabet has confirmed, that the Titan group was recently shut down and engineers were told to look for other jobs within Alphabet/Google in the coming months. Over 50 employees were involved in the process."
2017-01-11T11:45:00-08:00
[Figure: Kremvax during the Soviet coup attempt (Top), Mumbai terrorist attack (Middle), The Arab Spring (Bottom)]
I was naively optimistic in the early days of the Internet, assuming that it would enhance democracy while providing "big data" for historians. My first taste of that came during the Soviet coup attempt of 1991 when I worked with colleagues to create an archive of the network traffic in, out and within the Soviet Union. That traffic flowed through a computer called "Kremvax," operated by RELCOM, a Russian software company. The content of that archive was not generated by the government or the establishment media — it was citizen journalism, the collective work of independent observers and participants stored on a server at a university. What could go wrong with that? The advent of the Web and Wikipedia fed my optimism. For example, when terrorists attacked various locations in Mumbai, India in 2008, citizen journalists inside and outside the hotels that were under attack began posting accounts. The Wikipedia topic began with two sentences: "The 28 November 2008 Mumbai terrorist attacks were a series of attacks by terrorists in Mumbai, India. 25 are injured and 2 killed." In less than 22 hours, 242 people had edited the page 942 times expanding it to 4,780 words organized into six major headings with five subheadings. (Today it is over 130,000 bytes, revisions continue and it is still viewed over 2,000 times per month). What could go wrong with that? The 2011 Arab Spring was also seen as a demonstration of the power of the Internet as a democratic tool and repository of history. What could go wrong with that?
What went wrong
The problem is that the Internet turned out to be a tool of governments and terrorists as well as citizens. Furthermore, historical archives can disappear or, worse yet, be changed to reflect the view of the "winner."
Our Soviet Coup archive was set up on a server at the State University of New York, Oswego, by professor Dave Bozack. What will happen to it when he retires? If someone tried to delete or significantly alter the Wikipedia page on the Mumbai attack, they might be thwarted by one of the volunteers who has signed up to be "page watchers" — people who are notified whenever the page they are watching is edited. We saw a reassuring demonstration of the rapid correction of vandalism in a podcast by Jon Udell. That was cool, but does it scale? Volunteers burn out. The page on the Mumbai attacks has 358 page watchers, but only 32 have visited the page after recent edits. Even if a Wikipedia page remains intact, links to references and supporting material will eventually break — "link rot." If our Soviet Coup archive disappears after Dave's retirement, all the links to it will break. By the time of the Arab Spring, we were well aware of our earlier naivete — the Internet was already being used for terrorism and government cyberwar and the dream of providing raw data for future historians and political scientists was fading.
The Internet Archive
I was slow to understand the fragility of the Internet, but others saw it early — most importantly, Brewster Kahle, who, in 1996, established the Internet Archive to cache Web pages and preserve them against deletion or modification. They have been at it for 20 years now and have a massive online repository of books, music, software, educational material, and, of course, Web sites, including our Soviet Coup archive. As shown here, it has been archived 50 times since October 3, 2002 and it will be online long after Dave retires — as long as the Internet Archive is online[...]
2017-01-10T13:49:00-08:00
The Updated Supplementary Procedures for Independent Review Process ("IRP Supplementary Procedures") are now up for review and Public Comment. Frankly, there is a lot of work to be done. If you have ever been in a String Objection, Community Objection, or negotiated a Consensus Policy, your rights are being limited by the current way the IRP Supplementary Procedures proposal is structured. With timely edits, we can ensure that all directly-impacted and materially-affected parties have actual notice of the IRP proceeding, a right to intervene, a right to be heard on emergency requests, and a right to be part of the discussion of remedies and responses.
History
The IRP is based on commercial arbitration. Arising centuries ago, commercial arbitration was used when two merchants chose to bring their disputes to a wise and trusted private party rather than await the decision of the courts. Arbitration, as we can all recite, is faster and cheaper. But is it fairer? Currently, the IRP Supplementary Procedures proposal is optimized for the traditional IRP/arbitration scenario: a registration industry member has a dispute with ICANN. The first IRP filer was ICM Registry when Stuart Lawley felt that he had completed all of the requirements for a .XXX and the ICANN Board refused to delegate it to him (under a lot of pressure from the GAC). The ICM Registry wanted the .XXX Registry Agreement with ICANN and through the brilliant representation of Becky Burr and her then-law firm, it won. That's the classic IRP — a one-on-one arbitration between a single party and ICANN.
Problem
But we have decided to use the IRP in different ways — including as the forum for a range of challenges to the decisions of other arbitration forums and to our Multistakeholder Consensus Policies. For these purposes, the IRP is functioning more as an appellate court than an arbitration forum.
Yet, we have not updated the IRP Supplementary Procedures to allow all involved parties to participate. Fair is fair; an IRP proceeding should not be a dance between the disgruntled Claimant and ICANN. It should include all parties to the underlying arbitration (should they choose to participate) and all parties to the underlying Consensus Policy (ditto). ICANN Counsel is brilliant, but they were not directly engaged in the underlying arbitration nor did they (or the ICANN Board) research, negotiate and write the Consensus Policy (the Community did!). Fundamental rules of due process in all developed country legal systems require that all directly impacted, materially affected parties have a legal right to be heard when there is a challenge to their rights and property. How in good faith, and in our new world of openness and transparency, can we exclude them from the IRP Proceeding?

1. IRPs Need to Include All Parties to a Previous Arbitration Decision — Especially the Winners!!

ICANN's Bylaws expressly throw the IRP doors open to challenge decisions of other arbitration forums. This includes decisions of the World Intellectual Property Organization's Legal Rights Objections, International Chamber of Commerce's Community Objections, and even the International Center for Dispute Resolution (the ICDR which hosts the IRP) also decided String Objections in Round 1 of the New gTLD process. All of these proceedings are legitimate arbitrations in their own right by well-respected International arbitration forums. Yet, when it comes to the IRP, only the challenger (specifically, the losing party) is heard as a matter of right. How can that be? This must be an oversight in the IRP Supplementary Rules. Clearly, any[...]
2017-01-10T09:13:01-08:00

In 2016, ransomware became an increasingly serious problem for small and medium businesses. Ransomware has proven a successful revenue generator for criminals, which means the risk to businesses will grow as ransomware becomes more sophisticated and increasing numbers of ethically challenged criminals jump on the bandwagon. Every business must take steps to protect itself from ransomware, but talking about prevention doesn't help ransomware victims decide whether to pay to get their data back. It's an unpleasant position in which to find oneself. No one wants to pay criminals for access to their own data, but nor do they want to permanently lose access to information vital to their business.

To pay, or not to pay?

As you might expect, there's no definitive answer, but we can think through some of the factors that should influence your decision. The FBI's position on ransomware payments is straightforward: don't pay. The FBI believes paying doesn't guarantee access to the encrypted data, that it "emboldens" criminals to target more organizations, and that it encourages more criminals to join the ransomware industry. All of that is true, but business owners are understandably more interested in getting their data back now than whether paying encourages future attacks. Nevertheless, before paying, business owners should consider that by paying, they paint a target on their back. Criminals will bleed a victim dry if they're able. If you make a payment, you show the attacker that you're the sort of person who pays, and that can only encourage the attacker to find out how much more they can extort. If you choose to pay, you may or may not receive the keys to unlock your data. There is no guarantee that the keys will ever be delivered. But, counter-intuitive as it may sound, the ransomware model is based on trust. Victims have to trust that attackers will release their data — otherwise there's no incentive to pay. 
In most cases, people who pay get their data back. In fact, the largest ransomware operations provide excellent customer service. They will help you pay and decrypt the data. Ultimately, your decision to pay should be predicated on a simple calculation: is the data I stand to lose and any future risk caused by paying worth the price being asked? The best way to avoid paying is to make sure that you never become the victim of a ransomware attack in the first place. That might seem like a truism, but it's surprising how many business owners don't take the simplest steps to keep their data safe. Educating employees about ransomware and phishing should be a high priority, but the single most important action a business owner can take is the creation of regularly updated offsite backups. Ransomware is only effective if it deprives the business of data; if that data is duplicated in a place the attackers can't reach, they have no leverage and you won't have to pay them a cent.

Written by Rachel Gillevet, Technical Writer [...]
2017-01-09T13:49:00-08:00

Did you know that over 50% of .CZ domains are now signed with DNS Security Extensions (DNSSEC)? Or that over 2.5 million .NL domains and almost 1 million .BR domains are now DNSSEC-signed? Were you aware that around 80% of DNS clients are now requesting DNSSEC signatures in their DNS queries? And did you know that over 100,000 email domains are using DNSSEC and DANE to enable secure email between servers? These facts and many more are available in a new report published by the Internet Society: State of DNSSEC Deployment 2016.

While many separate sites provide DNSSEC statistics, this report collects the information into a series of tables and charts that paint an overall picture of the state of DNSSEC deployment as of December 2016. As the report indicates, there has been steady and strong growth in both the statistics around DNSSEC signing and validation — and also in the number of tools and libraries available to support DNSSEC. It also discusses the growth of DANE usage (DNS-based Authentication of Named Entities), particularly for securing email communication. That growth, though, is not evenly distributed. In some parts of the world, particularly in Europe, there is solid growth in both DNSSEC signing and validation. In other parts of the world, the numbers are significantly lower. Similarly, while some country-code top-level domains (ccTLDs) such as .CZ, .SE, .NL and .BR are seeing high levels of DNSSEC signing of second-level domains, other ccTLDs are just beginning to see DNSSEC-signed domains. And among the other TLDs, some such as .GOV have almost 90% of their second-level domains signed, while .COM has under 1% signed. The report dives into all this and more. Beyond statistics, the document explores some of the current challenges to deployment of DNSSEC and provides a case study. It also includes many links to further resources for more exploration. Creating a report of this level involves a great number of people. 
I'd like to thank all the members of the DNS / DNSSEC community who provided data, reviews, proofreading and other support. Our intent is that this will be an annual report where we can look back and see what has changed year-over-year. Our target now is for the 2017 report to be delivered at the DNSSEC Workshop at ICANN 60 in November. To that end, I would definitely welcome any comments people have about what is in the report and what people find useful and helpful. I'd also welcome comments about anything we may have missed. Please do read and share this report widely. We'd like people to understand the current state of DNSSEC deployment — and how we can work together to accelerate that progress. On that note, if you want to get started with DNSSEC for your own network or domains, many resources are available to help. P.S. An audio commentary is also available on this topic for those interested in listening to me talk about this topic.

Written by Dan York, Author and Speaker on Internet technologies - and on staff of Internet Society [...]
2017-01-09T10:14:00-08:00

Back in 2003, there was a race to pass spam legislation. California was on the verge of passing legislation that marketers disdained. Thus marketers pressed for federal spam legislation which would preempt state spam legislation. The Can Spam Act of 2003 did just that… mostly. "Mostly" is where litigation lives. According to the Can Spam Act preemption-exception:

    This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto. 15 U.S.C. § 7707(b)(1).

The preemption-exception is big because California affords a private right of action, where the Can Spam Act does not. The Can Spam Act is enforced by state and federal authorities only. This is where today's plaintiff, in Silverstein v. Keynetics, Inc., Dist. Court, ND California 2016, attempted to hang his coat. According to the court, "Plaintiff is a member of the group 'C, Linux and Networking Group' on LinkedIn, a professional networking website. Through his membership in that group, he received unlawful commercial emails that came from fictitiously named senders through the LinkedIn group email system. The emails originated from the domain "linkedin.com," even though non-party LinkedIn did not authorize the use of its domain and was not the actual initiator of the emails." The emails themselves contained marketing links that led, allegedly, to defendants' businesses. Plaintiff alleged that the names in the 'from' field of the emails were false or deceptive. According to Plaintiff, "the 'from' names include 'Liana Christian,' 'Whitney Spence,' 'Ariella Rosales,' and 'Nona Paine,' none of which identify any real person associated with any defendant. 
Further, Plaintiff alleges that the emails 'claim to be from actual people' and that all of the false 'from' names deceive the emails' recipients 'into believing that personal connection could be made instead of a pitch for Defendants' products.'" A reading of the Can Spam Act would appear to be clear. The Can Spam Act preempts state causes of action "except to the extent that any such statute prohibits [either] falsity or deception." If the email is either false or deceptive, it would seem, Plaintiff could proceed. In the case at hand, the information in the 'from' field would appear to be false. The Judge in the Silverstein decision, however, hangs her hat on a previous 9th Circuit decision in Gordon v. Virtumundo, 575 F.3d 1040 (9th Cir. 2009). In Gordon, defendant sent out marketing emails from domain names that it had registered such as "CriminalJustice@vm-mail.com," "PublicSafetyDegrees@vmadmin.com," and "TradeIn@vm-mail.com." These were, in fact, defendant's domain names. While the 'from' field may not have clearly identified who the defendant was, the information was not false nor was it deceptive. Furthermore, according to the court, the WHOIS database accurately reflected to whom the domain names were registered. Therefore, at best, the 'from' field information was incomplete, but not false or deceptive. As a result, the Can Spam Act preempted litigation under state law. The Gordon court elaborated that it is insufficient for the information in the spam to be merely problematic. It had to be materially problematic. The Gordon court looked at the words "false" and "deceptive," and other lan[...]