2017-03-23T08:21:00-08:00
The Uniform Rapid Suspension System (URS) — which allows a trademark owner to suspend certain domain names, especially those in the "new" gTLDs — was designed as a quicker and less-expensive alternative to the Uniform Domain Name Dispute Resolution Policy (UDRP). As I've written frequently before, there are significant differences between the URS and the UDRP. One of those differences is how long a typical proceeding lasts. Like the UDRP, the URS procedure and rules provide strict timelines for various stages of a case. But, unlike the UDRP, URS cases are usually resolved much more quickly — often in less than three weeks (although reviews and appeals may prolong the life of a URS proceeding). Here's how a common URS case proceeds:
Step 1 (Filing of Complaint): As with a UDRP complaint, a trademark owner has discretion in deciding when it wants to file a URS complaint. Nothing in the URS procedure or rules requires that a complaint be filed within a specified period of time, and — to my knowledge as of the date of this writing — no URS decision has addressed the issue of laches, that is, whether a URS complaint would be barred by an undue lapse of time between the trademark owner's discovery of the disputed domain name and the date on which it files a complaint.
Step 2 (Administrative Review): The URS procedure requires that a dispute service provider conduct an "Administrative Review" within two business days of the date on which the complaint was submitted to the provider. (Currently, there are three URS service providers: the Forum, the Asian Domain Name Dispute Resolution Centre and MFSD.) The procedure makes clear that this review is simply "to determine that the Complaint contains all of the necessary information."
Step 3 (Notice and Locking of Domain): The URS service provider must immediately notify the registry operator after the service provider has completed the administrative review, and the registry operator is required to lock the disputed domain name within 24 hours. Then, within another 24 hours, the service provider must notify the registrant of the disputed domain name of the complaint, providing both electronic and hard copy notices.
Step 4 (Response): A registrant has 14 days after notification to submit a response to a URS complaint. The URS provider may grant "a limited extension of time to respond" if there is a good faith basis for doing so. If the registrant does not submit a response, the proceeding is considered to be a "Default," which is relevant for purposes of a later possible "de novo review" or appeal (see below) and does not automatically result in a determination in favor of the complainant.
Step 5 (Determination): Although supplemental filings are not uncommon in UDRP cases, a URS examiner "may not request further statements or documents from either of the Parties," and — to my knowledge as of the date of this writing — no URS examiner has considered a supplemental filing from any party, because doing so would complicate and delay what is supposed to be a simple and rapid process. The examiner appointed to decide a URS case (and all URS cases have only a single examiner) is expected to issue his or her determination "on an expedited basis, with the stated goal that it be rendered within three (3) Business Days from when Examination began." Under "extraordinary circumstances," an examiner may not issue a determination until five days after the response was filed. If the determination was an order to suspend the disputed domain name, the registry operator is required to do so "[i]mmediately upon receipt of the Determination" from the URS service provider.
Complications: The process outlined above may seem very straightforward and quick — and, in most cases, it is — but the URS provides multiple opportunities to extend the course of a URS proceeding. For example, among other things, a losing domain name registrant that did not submit a response during the 14-day period may "seek relief[...]
Under a draft legislation approved by the Internal Market and Consumer Protection Committee on Tuesday, national enforcement authorities would be required to have a set of powers to detect and halt online breaches of consumers' rights across the European Union.
— "The draft rules aim to close legal loopholes created by the fact that enforcement powers differ from one EU country to the next. Today, some enforcement authorities in the EU cannot prosecute traders for past infringements, such as misleading advertisements that were live for only a few hours or days. Nor are they able to track financial flows to identify those behind such breaches. Also, some authorities cannot take measures to take down websites containing scams pending the end of the investigation."
— "The draft rules would require EU member states' authorities to have a number of investigation and enforcement powers, e.g. to request information from domain registrars and banks to help them detect rogue traders, purchase, inspect and 'reverse engineer' goods or services as test purchases, including under a cover identity, and to order a hosting service provider to remove content, suspend or close down websites that host scams."
2017-03-23T06:40:00-08:00
I recently ran a workshop in Asia and, to guide attendees through the content, I put together an overview slide which you might also find of interest and use. It is a description of the quality attenuation framework, originally developed and defined by Predictable Network Solutions Ltd, and documented and extended by myself and colleagues at Just Right Networks Ltd. You can read more at qualityattenuation.science.
* * *
The telecoms industry is, I believe, overdue for a 'lean' revolution. This will change its working model from 'purpose-for-fitness' to 'fitness-for-purpose'. For networks, that means switching from 'build then reason about performance' to 'reason about performance and then build'. The benefit of this business transformation is a radical lowering of risk and cost, predictable experiences, and the ability to rapidly adapt to changing patterns of demand. In order to deliver this benefit, there needs to be a management that executes on the new intent of 'going lean'. What to change, what to change to, and how to effect that change? Answering these means applying a system of scientific management that helps us focus on what is relevant, and ignore what is not. These ideas of scientific management are well established in other industries (Six sigma, theory of constraints, Vanguard method, statistical process control), but appear to be a novelty in telecommunications. In order for these lean concepts to be applied, we need to overcome a series of technical constraints that we presently face. The technology innovations that will achieve this include high-fidelity measurements, new packet scheduling mechanisms, and new architectures to embed these into. Turning those technologies into a working system for a particular product, customer or deployment is an act of engineering. True engineers have an ethos of taking responsibility for fitness-for-purpose, and any shortfall in fulfilling the promises made.
This means turning a high-level customer intent into a technical requirement. To understand whether there is a risk of under-delivery against the requirement you need to be able to model and quantify the 'performance hazards' via 'breach metrics'. This means reasoning about the performance of supply chains before they are assembled, and decomposing a 'performance budget' into a requirement for each element or supplier. Turning that specific engineering requirement into an operational system, in turn, draws upon a general science of performance. This considers what resource supply will meet the resource demand. The nature of the resource constraint is timeliness (as if you can be made to wait forever, the tiniest capacity will suffice). The contract between supply and demand is formed as a 'timeliness agreement', which can be enforced by observing how 'untimeliness' (packet loss and delay) accrues along the supply chain. This 'untimeliness' is a reframing of the nature of quality: from an attribute of a 'positive' thing (quantity), to the absence of a negative thing (quality attenuation). There are three basic laws of networking (that don't appear in the textbooks) that describe this 'quality attenuation' phenomenon: it exists; is conserved; and can (partly) be traded between flows. The amount of quality attenuation that is tolerable for any application to deliver an acceptable rate of performance failure defines its 'predictable region of operation'. This is the requirement of demand that is then expressed in a 'timeliness agreement' that contracts the required supply. Underpinning this is a need to quantify the idea of quality attenuation. This involves extending the mathematics of randomness from 'events' (like rolling a dice) to include 'non-events' (the dice never lands). This allows packet loss to be included in a single resource model as delay.
This is akin to how imaginary numbers extend real numbers, and how complex analysis underpins the physics of electromagnetism. Without expressions like '3i + 4' you can't model radio wave[...]
The collective North American IPv6 Task Forces announced the 2017 North American IPv6 Summit will be held at LinkedIn headquarters in Sunnyvale, CA. The two-day event (April 25-26), designed to educate network professionals on the current state of IPv6 adoption, will feature a variety of speakers from leading organizations, including LinkedIn, ARIN, Google Fiber, Microsoft, Cisco, Comcast, and others. The IPv6 North American Summit, first held in 2007, will cover such topics as exemplary IPv6 adoption, best practices in IPv6 deployment, methods for driving increased usage of IPv6, current IPv6 adoption trends, and future IPv6 growth projections. Awards will be presented to the top 10 North American service providers who achieved connecting over 20% of their subscribers with IPv6.
The Internet Corporation for Assigned Names and Numbers (ICANN) has ruled that .feedback owner Top Level Spectrum (TLS) is in breach of its registry agreement. Barney Dixon reporting in IPPro The Internet: "In an unprecedented review by a standing panel of the public interest commitments dispute resolution policy, ICANN found that TLS engaged in conduct that 'violated its commitments to operate .feedback in a clear and transparent manner'… They argued that the registry had perpetrated 'deceptive practices in the .feedback top level domain in violation of its public interest commitments'. The brands accused TLS of self allocating numerous domain names corresponding to brands, many of which were withheld during the TLD's sunrise period."
2017-03-21T16:34:00-08:00
The last few years have been challenging ones for members of the Canadian International Pharmacy Association. First, in 2010, they lost their ability to advertise in the US search space after the US Department of Justice noted that many seemingly "Canadian" pharmacy websites "sell drugs obtained from countries other than Canada" when shipping medicines into the US, and major search advertising programs tightened their policies, effectively excluding CIPA's members from advertising in the US. Then, one of the organization's founding Canadian pharmacists was convicted of selling counterfeit drugs to US residents that weren't really from a pharmacy in Canada. Then, they began losing their ability to process credit card payments, after we and others helped reveal that the drugs sold by CIPA's so-called "international Canadian internet pharmacies" often aren't really from Canadian pharmacies. Then, one of their flagship members, CanadaDrugs.com, got indicted for selling counterfeit cancer medicines to US clinics through the pharmacy's wholesale chain. Then, a director of an internet pharmacy certifier widely used by CIPA members, PharmacyChecker, got indicted for hiding counterfeit drugs supplied by CanadaDrugs in his garage. (The charges were dismissed, reportedly after the guy cut a deal with DOJ.) There's more, but you get the point: it's been a bad few years for internet pharmacies that, even if able to produce a Canadian pharmacy license, don't necessarily send US residents drugs from real Canadian pharmacies. These developments have been a threat to the commercial interests of CIPA's members. In response, CIPA appears to have aligned with the Electronic Freedom Frontier (EFF) to attack the Healthy Domains Initiative (HDI), a collaboration designed to identify best practices for registrars related to child pornography, rogue online pharmacies, copyright violations and online abuse.
A key rationale for the HDI is to stave off intrusive government regulation: if private companies can develop and implement reasonable anti-abuse policies, it removes the incentive for governments to come in and regulate the internet. The EFF calls these initiatives "shadow regulation." (Cue up the spooky music and Guy Fawkes masks.) Unfortunately, the EFF supports its argument by misrepresenting numerous facts that seem to be taken straight from CIPA's playbook. So what's really going on here — what's EFF's ax to grind? Well, let's look at the facts, at the EFF's arguments, and then who stands to lose money from the HDI initiative. First of all, EFF's Jeremy Malcolm, the EFF's point person on this issue, discloses in his blog that he was visiting the Canadian International Pharmacy Association the day of his article, and he advocates for the CIPA and PharmacyChecker certification programs as credible. (Lest you think I consider these companies our competitors: I don't, because we don't certify online pharmacies that operate illegally, and they do.) After all, CIPA's members market themselves as "Canadian" but source many of their drugs from cheaper, offshore (non-Canadian) locations in order to improve their profit margins. PharmacyChecker, meanwhile, has over the years certified multiple online pharmacies selling prescription drugs without a valid prescription, not to mention some engaged in counterfeit drug sales. In any case, EFF out of one side of its metaphorical mouth (inaccurately) attacks the HDI as promoting the commercial interests of "Big Pharma," but from the other side of its mouth in essence advocates for the commercial interests of "faux-Canadian" internet pharmacies. Second, the EFF apparently doesn't know how registrars actually deal with rogue online pharmacies. 
In nearly all cases I'm aware of where a domain name has been suspended (as in, somewhere between 99.99% and 100%), registrars voluntarily take action against rogue online pharmacy domain names because [...]
2017-03-21T11:32:00-08:00
Co-authored by Dr. Augustine Fou, Independent Cybersecurity and Ad Fraud Researcher and David Mitnick, President of DomainSkate
The breach of the Democratic National Committee email system and a massive digital advertising fraud believed to be run by alleged actors in Russia share a common thread beyond their ability to capture the news cycle. Although each event targeted a different weakness in brand/online security platforms, the common denominator is the use of fraudulent domain names. In the case of the DNC hack, an email linked to a look-alike Google domain was a critical component that allowed hackers entry into the DNC computer system. On the ad fraud side, alphanumeric and gibberish domains were used to bilk advertisers of millions of dollars a day via a complex system that showed real ads to fake people.
With respect to ad fraud, the use of alphanumeric and gibberish domains is particularly attractive because they are cheap (no premiums like for those domains that are normally associated with popular terms) and anonymous. Whereas prior schemes relied on some form of human intervention — whether it was fake clicks from confused users or hired clicks — the new schemes require none. In fact the entire purpose of registering a domain name like www.000chat000.com is that it will remain anonymous and not attract attention. We did research on some recent alpha-numeric domains registered in the .COM registry and found that there were obvious patterns in the registrations.
For example, see the below registrations that were made just last month: 000000.com, 0000000.com, 00000000.com, 000000000.com, 0000000000.com, 00000000000.com, 000000000000.com, 0000000000000.com, 00000000000000.com, 000000000000000.com, 0000000000000000.com, 00000000000000000.com, 000000000000000000.com, 0000000000000000000.com, 00000000000000000000.com, 000000000000000000000.com
Many of these domains were registered within minutes of each other which means that the registration was likely automated as part of a targeted scam. Specifically, bulk registrations can be performed by bots by simply adding slight variations to the domain names (as in the list above, and the examples below). And all are unique domains that will have a different payment ID in the ad exchange. Here are a few examples:
0-bip-s01-0.com Creation Date: 2013-02-04T21:01:29Z
0-bip-s02-0.com Creation Date: 2013-02-04T21:01:42Z
0-bip-s03-0.com Creation Date: 2013-02-04T21:01:48Z
We also visited these sites and it became clear that the sites had no (human) traffic and were simply created for fraudulent purposes. The front pages of most of the sites were exactly the same — that means they used the same site template. There was also no real or useful content on the pages. Though there was no legitimate purpose for the sites, the large numbers of them could be useful if used to commit ad fraud — where scammers would add them into ad exchanges in order to carry ads (e.g. display ads, video ads, search ads, etc.) just like in the recent Russian advertising scam.
The bottom line is that it is important for every company, large or small, to monitor their brand names online and to pay close attention to the details in their media/digital advertising reports. On the brand side, a failure to monitor means that users or customers can be harmed by phishing scams that might otherwise be preventable.
With respect to digital advertising and media, it is important to always insist on line-item details when buying digital media. With these details you will be able to see domain names (i.e. those on which your ads and media ran). When you see domains like the ones discussed in this article, be very suspicious and do further investigation, because they are more likely to be used for fraudulent purposes than for legitimate ones.
Written by David Mitnick, President DomainSkate LLC
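The registration pattern the article describes (names that differ only in their digits, created seconds apart) can be checked for mechanically in registration data or in the line-item domain list of an ad report. The sketch below is an added example, not code from the article or its authors: the function names, the 10-minute window and the minimum cluster size are assumptions, and every sample record except the three quoted in the article is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The first three records are the examples quoted in the article; the others
# are constructed for this illustration.
SAMPLE_RECORDS = [
    ("0-bip-s01-0.com", "2013-02-04T21:01:29Z"),
    ("0-bip-s02-0.com", "2013-02-04T21:01:42Z"),
    ("0-bip-s03-0.com", "2013-02-04T21:01:48Z"),
    ("example-shop.com", "2013-02-04T21:01:50Z"),  # constructed: unrelated name
    ("shop24.com", "2013-02-04T09:00:00Z"),        # constructed: same shape as the
    ("shop7.com", "2013-02-20T11:15:00Z"),         # two below, but registered
    ("shop365.com", "2013-03-17T14:30:00Z"),       # weeks apart
]


def parse_ts(value):
    """Parse a WHOIS-style UTC timestamp such as 2013-02-04T21:01:29Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def name_template(domain):
    """Collapse each run of digits to '#' so near-identical names share one key."""
    return re.sub(r"\d+", "#", domain.lower().rstrip("."))


def find_registration_bursts(records, window=timedelta(minutes=10), min_size=3):
    """Return clusters of same-template domains created in quick succession.

    A cluster is a chain of registrations in which each one follows the
    previous one by no more than `window`. Chains shorter than `min_size`
    are ignored, which keeps a single matching pair from raising a flag.
    """
    by_template = defaultdict(list)
    for domain, created in records:
        by_template[name_template(domain)].append((parse_ts(created), domain))

    bursts = []

    def close_run(template, run):
        if len(run) >= min_size:
            bursts.append({
                "template": template,
                "domains": [domain for _, domain in run],
                "span_seconds": int((run[-1][0] - run[0][0]).total_seconds()),
            })

    for template, entries in by_template.items():
        entries.sort()
        run = [entries[0]]
        for entry in entries[1:]:
            if entry[0] - run[-1][0] <= window:
                run.append(entry)
            else:
                close_run(template, run)
                run = [entry]
        close_run(template, run)
    return bursts


if __name__ == "__main__":
    for burst in find_registration_bursts(SAMPLE_RECORDS):
        print(burst["template"], burst["span_seconds"], "s", burst["domains"])
```

The three constructed `shop` names share a template but are spread over weeks, so they are not reported; only names that match on both shape and timing are.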
"Hundreds of Cisco switches vulnerable to flaw found in WikiLeaks files" Zack Whittaker reporting in ZDNet: "Cisco is warning that the software used in hundreds of its products are vulnerable to a 'critical'-rated security flaw, which can be easily and remotely exploited with a simple command. The vulnerability can allow an attacker to remotely gain access and take over an affected device. ... The security flaw was discovered by the company's own security researchers in WikiLeaks' most recent disclosure of classified information, released last week."
2017-03-21T08:14:00-08:00
Ever since I published an essay exploring the relationship between climate change and the Internet, I have endeavored to bring this subject to the fore as often as possible (and in relevant fora and discussions) since the responsibility of creating a more sustainable world falls on all communities and stakeholder groups. It is particularly pressing now — at a time when international interest in curbing climate change is strengthening, while it is juxtaposed with the receding commitments of the United States government vis-à-vis climate change and the environment under the Trump administration, which was reflected in his first official budget proposal. Such instances where I have highlighted this topic included advocating for more environmentally friendly practices, such as reducing energy use and/or transitioning to renewable energy sources like solar and wind, at the global Internet Governance Forum (IGF), which was held in Guadalajara, Mexico, in December 2016. The Dynamic Coalition on the Internet and Climate Change (DCICC), which was a focus of the aforementioned essay, submitted its annual report leading up to the IGF, and was represented at the Dynamic Coalition (DC) main session where we updated the IGF community about our work and progress made in 2016. I was able to facilitate two breakout sessions at the Internet Society (ISOC)-sponsored Collaborative Leadership Exchange (CLX) as well — one where we discussed the Sustainable Development Goals (SDGs), and another that focused solely on the Internet, information and communications technologies (ICTs), and the environment. The work has only just begun, however, and is continuing in earnest.
For instance, I was appointed as the focal point for a European Dialogue on Internet Governance (EuroDIG) workshop examining digital pollution and the effects on the environment (such as electronic waste (e-waste) and energy consumption), and I am co-organizing the DCICC annual session at the 2017 WSIS Forum. So far, most of the feedback I have received from individuals across the Internet governance community about raising this issue has been positive. I greatly appreciate the support that has been shown, and the relevance of maintaining this discussion was further reinforced by a World Health Organization (WHO) publication that was released earlier this month (March) regarding technology, e-waste, and the environment: "The WHO also noted [in their Inheriting a Sustainable World: Atlas on Children's Health and the Environment report] the importance of properly managing emerging environmental hazards like electronic and electrical waste. Without proper recycling, this can lead to children being exposed to dangerous toxins known to harm intellectual development and cause attention deficits, as well as more serious conditions like lung disease and cancer." With the proliferation of the Internet of Things (IoT), the dangers raised by the WHO's report are even more pressing. Yet, e-waste is only one part of the problem. As more and more people come online, more devices are going to come online as well, which is going to further add to the need for power consumption by the Internet and ICTs. This point was explicitly raised in a personal email exchange between Vint Cerf — one of the "fathers of the Internet" who co-invented TCP/IP — and me. We were discussing Google's transition to fully renewable energy use for its data centers, and he posed two questions. After Vint gave me his consent to share the information from our exchange, I decided to publish it here as a follow-up to my October 2016 essay.
The following was my substantial answer to his questions (which are listed below in bold). Also, for full disclosure, note that I often refer to Google as a case study because (1) Vint is vice president and chief Internet evangelist at Goog[...]
2017-03-21T08:06:00-08:00
Last week the Alliance for Safe Online Pharmacies (ASOP Global; www.BuySafeRx.pharmacy) presented its inaugural Internet Pharmacy Safety E-Commerce Leadership Award to two organizations during the Generic Names Supporting Organization (GNSO) Joint Meeting of the Registries and Registrars Stakeholder Groups at ICANN58 in Copenhagen, Denmark, it was announced on Tuesday. ASOP Global selected the award recipients, Rightside and Realtime Register, based on their corporate policies and practices; responsiveness to illegal online drug sellers; prevention of illegal use of domain names for illegal online drug sales; cross-industry collaboration; and public and consumer awareness efforts, explained ASOP Global's Executive Director, Libby Baney.
"Both organizations have shown exceptional and consistent efforts to improve patient safety online by actively addressing concerns regarding illegal online drug sellers and promptly responding to reports of potential domain abuse, often within 24 hours," Baney said. "Likewise, while both Realtime Register and Rightside have registries amassing hundreds of thousands of domains each, our award winners have a near zero count of illegal internet pharmacies utilizing their services," she added.
"Rightside is pleased to be recognized for its ongoing efforts to shut down illegal pharmacies on both its registrar and registry platforms. The access to, and distribution of, unsafe medications to consumers without a license is a serious global public health risk and Rightside is glad to participate with other companies to address this problem," said Rightside Vice President for Business and Legal Affairs, Statton Hammock.
"It was really great to accept this award from ASOP Global in front of all of the delegates attending the Joint Registries and Registrars Stakeholder Session as we were able to show our colleagues the other side of the issue in which many of our registries and registrars are working responsibly to ensure patient safety online," said Realtime Register's Compliance and Policy Officer, Theo Geurts.
Nominations for ASOP Global's second Internet Pharmacy E-Commerce Safety Award are now open. All questions and nominations may be sent to "Nominations@BuySafeRx.pharmacy". Award recipients will be announced during ICANN63 in October 2018 in Barcelona, Spain.
About the Alliance for Safe Online Pharmacies – Headquartered in Washington, D.C., the Alliance for Safe Online Pharmacies (ASOP Global) is an international 501(c)(4) social welfare organization dedicated to combating illegal online pharmacies and ensuring the safety of consumers worldwide.
Written by Libby Baney, Digital Health Policy Consultant; Executive Director, ASOP Global
2017-03-21T07:47:00-08:00
Time to brush the dust off your Computer II notebooks. Are voicemail, electronic fax, and call forwarding enhanced services or telecom services? Today's case: FTC v. American eVoice, Ltd, et al, CV-13-03-M-DLC (DC Montana Mar. 14, 2017). See also Stipulated Permanent Injunction. The FTC brought an action against Defendants claiming that they were engaged in cramming, adding unwanted voicemail, electronic fax, and call forwarding services to consumers' bills to the tune of $70 million. Slip at 3. The FTC concluded that this was a violation of Sec. 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." Slip at 3. Defendants filed a motion to dismiss, arguing that they are common carriers and therefore exempt from FTC jurisdiction. This argument had been successful recently. In FTC v. ATT Mobility (9th Cir. Aug. 2016), the FTC had brought an action against ATT Mobility for data throttling (before the FCC's Open Internet order declaring Internet access service a telecommunications service). The 9th Circuit found that ATT Mobility had the status of a common carrier, therefore the FTC lacked jurisdiction over ATT Mobility. Specifically, Sec. 5 states that the FTC lacks jurisdiction over "common carriers subject to the Acts to regulate commerce." The term "common carrier" is not defined in Sec. 5. The 9th Circuit conducted an extensive review, concluding that the language applied generally to firms that have the status of being a common carrier, and not specifically only to actions that constitute the provision of common carriage. In other words, according to the holding of the 9th Circuit, the FTC lacks jurisdiction over ATT Mobility even if ATT Mobility is selling hot dogs out of a push cart because ATT Mobility has the status of common carriage for some other part of its business. So are Defendants in the case at hand "common carriers" or not?
The Court cites to Computer II authority, for which it gets my thumbs up. But of course Computer II has been superseded by the Telecommunications Act of 1996 which codified definitions for an "information service" (a.k.a. "enhanced services") and a "telecom service."
An "Information Service" is the offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications, and includes electronic publishing... 47 U.S.C. § 153(20)
By contrast, a "telecom service" means the offering of telecommunications for a fee directly to the public 47 U.S.C. § 153 (53)
And of course, "telecommunications" means the transmission, between or among points specified by the user, of information of the user's choosing, without change in the form or content of the information as sent and received. 47 U.S.C. § 153(50)
As the court states, telecom service is essentially a pipeline. It is the transmission layer of the communications service. It pretty much is someone saying "hi grandma" into a telephone network and "hi grandma" comes out the other end. Anything more than that is an "information service." This is a bright line test. If "hi grandma" is spoken into the network and "Bonjour Grand-mère" comes out the other end of the network, you gots yourself "a change in the form or content of the information" sent. The FCC and the courts have been deciphering the distinction between "information services" and "telecommunications services" for more than half a century. There is a bit of precedent here. What we know, according to the court, is that defendants offered "voicemail, electronic fax, and call forwarding." Have previous courts and the FCC passed on whether these are "information services"? Yes they have.
Service | Classification | Authority
Voicemail | Information Servi[...]
2017-03-17T04:16:00-08:00
The Uniform Domain Name Dispute Resolution Policy (UDRP) was designed as a quicker and less-expensive alternative to litigation. Although the UDRP policy and rules provide strict timelines for various stages of a UDRP case, how quickly a dispute is actually resolved can vary based on numerous factors. A typical UDRP case results in a decision in about two months, but the facts of each case — including actions both within and outside the control of the parties — may shorten or extend that timing. Here's how a common UDRP case proceeds:
Step 1 (Filing of Complaint): A trademark owner has discretion to file a UDRP complaint at any time. While some panels have considered a "doctrine of laches," the WIPO Overview notes that "delay (by reference to the time of the relevant registration of the disputed domain name) in bringing a complaint does not of itself prevent a complainant from filing under the UDRP, or from being able to succeed under the UDRP, where a complainant can establish a case on the merits under the requisite three elements."
Step 2 (Compliance check): The UDRP service provider (WIPO, the Forum, the Czech Arbitration Court and the Asian Domain Name Dispute Resolution Centre) acknowledges receipt of a complaint within about one day of filing; submits a "verification request" to the registrar to confirm the accuracy of information about the domain name and the registrant; and reviews the complaint for "administrative compliance" with the UDRP policy and rules. Rules, paragraph 4(b). If the provider finds the complaint "administratively deficient," it "shall promptly notify the Complainant and the Respondent of the nature of the deficiencies identified." Rules, paragraph 4(d). The complainant will then have five calendar days to correct any deficiencies. If the disputed domain name was protected by a privacy service and the underlying registrant's identity disclosed after filing, the provider may invite the complainant to amend the complaint within the same five-day time period allowed for curing deficiencies.
Step 3 (Commencement): Within three calendar days of the provider's receipt of the filing fee from the complainant, the provider "shall forward the complaint, including any annexes, electronically to the Respondent and Registrar and shall send Written Notice of the complaint (together with the explanatory cover sheet prescribed by the Provider's Supplemental Rules) to the Respondent." Rules, paragraph 4(c). This is commonly referred to as "commencement."
Step 4 (Filing of Response): A respondent is required to submit its response within 20 days of commencement. Rules, paragraph 5(a). (Many respondents choose not to submit a response — but, failure to do so does not automatically result in a decision in favor of the complainant, because there is no default judgment available under the UDRP.) A respondent is automatically entitled to a four-day extension upon request. Rules, paragraph 5(b). And, "in exceptional cases," the service provider may grant additional extensions. Rules, paragraph 5(e).
Step 5 (Panel appointment): The service provider is required to appoint a panel within five calendar days of receiving a response (if one is filed) or the deadline for a response (if one is not filed), if neither party has requested a three-member panel. Rules, paragraph 6(b). If a three-member panel is required, then the deadline for appointment may take 10 calendar days. Rules, paragraphs 6(c)-(e).
Step 6 (Decision): The panel is required to ensure that a UDRP proceeding "takes place with due expedition," Rules, paragraph 10(c), and, unless there are "exceptional circumstances," it "shall forward its decision on the complaint to the Provider within fourteen (14) days of its appo[...]
2017-03-17T03:38:00-08:00
Two of the hottest trends in networking today are network dis-aggregation and SDN. This is great for many reasons. It's also confusing. The marketing hype makes it hard to understand either topic. SDN has become so vague that if you ask 10 experts what it means, you are likely to get 12 different answers. Network dis-aggregation seems straightforward enough until it gets confused with SDN. We need to take a step back. In a recent Packet Pushers blog post, I start with a simple explanation of each of these trends and then map how they interact.

Software Defined Networking (SDN)

I try not to use the term "SDN." As Ethan recently pointed out, it's been so badly abused that it has, essentially, lost all meaning. The flip side is that the term isn't going anywhere. Companies are selling SDN and executives are asking for SDN. Just like "cloud," we seem to be stuck with "SDN." The best we can do is work to agree on a common, if general, definition — and be more specific whenever possible. For now, we're left to define the term every time we use it. At its core, I believe that SDN has two components: network automation and network analytics. Automation encompasses concepts such as logically centralized management, network programmability, and network abstraction. Analytics provides the information you need to make informed decisions when planning, building, and operating your network. Analytics also provide the feedback needed for advanced automation (i.e. autonomous networks). Whether you use OpenFlow or overlays, whether you write your own Ansible playbooks or leverage complex orchestration systems, the fundamentals of SDN are always the same: putting information into the network, and getting information out of the network. Using this definition, I don't see SDN as an option as much as an inevitable progression of network management. Networks are becoming more and more vital to our society while the ratio of devices to engineer continues to climb.
We must find ways to simplify network operations and increase network efficiency. Today, those solutions fall under the umbrella of SDN. Network Dis-aggregation Here's another imperfect term. Taken literally, "network dis-aggregation" means to separate the network into its component parts. Wouldn't that just mean looking at individual routers, switches, and firewalls? More specifically, we probably should say 'network device dis-aggregation' or 'hardware and software dis-aggregation in network devices.' Too bad those phrases are so unwieldy. What we're talking about here is the ability to source switching hardware and network operating systems separately. This is like buying a server from almost any manufacturer and then loading an OS of your choice. This is where I'm supposed to say, "thank the heavens that networking is finally catching up to systems." And it IS great that this is an option now. The proliferation of "whitebox" and "britebox" switching platforms, combined with the explosion of available network operating systems (NOS'), are together putting pricing and innovation pressure on the legacy "aggregated" networking vendors. Don't forget however why so many people love their Apple products; sometimes it still makes sense to engineer hardware and software together. Note: This trend is going to get even more exciting as we start to see commodity hardware built on programmable merchant silicon, like Barefoot's Tofino, Cavium's XPliant, and Innovium's Teralynx. Combining Network Dis-aggregation and SDN Deploying dis-aggregated network devices and deploying SDN are not the same thing. There is an obvious relationship between the two though. To dig into how network dis-aggregation and SDN interact, and how they may guide your j[...]
"San Francisco Supervisor Mark Farrell has assembled a group of business, privacy and academic experts to discuss crucial, early-stage questions surrounding Farrell’s plan to wire the city with high-speed Internet service." Dominic Fracassa reporting in San Francisco Chronicle: "If it becomes reality, San Francisco would be the largest city in the country to implement citywide high-speed Internet. City officials are currently targeting speeds of 1 gigabit per second. The average Internet speed in the U.S. is 31 megabits per second according to the most recent data published by the Federal Communications Commission, so this could be about 30 times faster."
2017-03-14T19:56:00-08:00To claim a superior right to a string of characters mark owners must (first) have priority (unregistered or registered) in using the mark in commerce; and secondly, have a mark strong enough to rebut any counter argument of registrant's right or legitimate interest in the string. A steady (albeit small) number of owners continue to believe it's outrageous for registrants to hold domain names earlier registered than their trademarks and be permitted to extort amounts far "in excess of [their] documented out-of-pocket costs directly related to the domain name." However, the only absolute when it comes to names is that ownership belongs to the first to acquire (for domain names) and use in commerce (for trademarks). To have an actionable claim under U.S. trademark law, a mark has to be "distinctive at the time of the registration of the domain name." Anticybersquatting Consumer Protection Act (ACPA), Sec.1125(d)(1)(ii)(I). The ACPA states the proposition directly: no priority, no standing. The Uniform Domain Name Dispute Resolution Policy (UDRP) reaches the same result indirectly by requiring complainants to prove holders registered the domain names in bad faith, which (leaving out an exception to this rule) they cannot possibly do if a particular mark is not "distinctive at the time of the registration of the domain name." While there is no monetary penalty for initiating a UDRP proceeding (as there is under federal law) Panels are empowered to issue sanctions for reverse domain name hijacking, but this empowerment is discretionary. As a result, the parameters of sanctionable conduct largely depend on the panelist appointed to hear the matter. Conduct that one panelist believes sanctionable to another (for reasons not always clear) is excusable. For Panels at one end of the spectrum, a complainant's failure to respond to a sanction request can be fatal because it supports a negative inference that there is no defense. 
I'll return to this in a moment. At the other end of the spectrum, a Panel in a recent case declined to find reverse domain name hijacking because Complainant "at least [presented] a colorable argument" (albeit relying on a principle of bad faith that has essentially been rejected by other panelists). The Panel found this reliance (that renewal of registration with knowledge of a mark is bad faith) "was reasonable." Dividex Management, LLC v. Rory Blake, D2016-2574 (WIPO February 17, 2017) (
2017-03-14T14:21:01-08:00ICANN's WDPRS system has been defeated. The system is intended to remove or correct fraudulently registered domains, but it does not work anymore. Yesterday I submitted a memo to the leadership of the ICANN At-Large Advisory Committee (ALAC) and the greater At-Large community. The memo concerns the details of a 214-day saga of complaints about a single domain used for trafficking opioids. For those who are familiar with the cycle of WDPRS complaints, the time frame is supposed to be 45 days at a maximum. The 45-day window was defeated by the domain owner who constantly transferred the domain and changed the data which took it out of the hard-structured view of complaints processing. This is part of an ongoing series of articles and research into online opioids traffic and effectiveness of different enforcement procedures. The first complaint was submitted 4 August 2016 and the most recent response from ICANN on 6 March stated in part: ICANN considers this matter now closed. Wonderful. We should all feel so much safer. Unfortunately, this is just the continuation of a very long process failure. The domain in question, DRUGS-ORDER.NET (which I refer to in my handwritten notes as "DONT") is still online and used for selling opioids without a prescription and without displaying a pharmacy license. The memo I submitted in response to these events is an analysis of the ICANN complaint system (WDPRS). The analysis uses this domain with false WHOIS as an example to better understand the issues with ICANN policy and procedure. In short, the ICANN WDPRS has been effectively circumvented. The domain has had 3 different sets of false WHOIS and simply transferred their domain each time a complaint was filed. The domain has been transferred to 4 different registrars and is currently operating selling narcotics. With nearly 3000 registrars there is no practical limit. In each case, the registrar largely followed the process and complied with ICANN. 
So ultimately it's not a registrar issue, it's an ICANN issue. The failure of the organization to understand how the process can be manipulated makes the process useless. ICANN compliance will likely respond by stating they are constrained by the contract. However, they are also apparently constrained by process innovation as well as real-world context. This is an extremely urgent issue. Yesterday, here in Copenhagen at the CC session towards effective DNS abuse mitigation prevention mitigation some very smart and passionate experts (including APWG and global LE) discussed various threats on the Internet. One fact is clear from this discussion: the ability of criminals to obtain domains far outpaces the current ability to contain them. Even concerned and proactive registrars at the session complained that their compliance and cooperation with abuse mitigation is hampered by other factors out of their control. The various issues can be summed up in one word: complexity. The data is complex, but the process cannot accept that complexity. All criminal and abusive operations should follow this cycle to stay in business: Obfuscate, Wait, Transfer, Repeat. I will be presenting on these issues at the joint session of the Public Safety Working Group (PSWG) and the Verified TLD (vTLD) constituency. This meeting is scheduled for Tuesday 14 March from 18:30 to 19:30 (CET) in Hall B4.1 at ICANN58. Written by Garth Bruen, Internet Fraud Analyst and Policy Developer
2017-03-14T14:08:00-08:00WikiLeaks shook the internet again on March 7, 2017, by posting several thousand documents containing information about the tools the CIA allegedly used to hack, among others, Android and iOS devices. These classified files were obtained from the CIA's Center for Cyber Intelligence, although they haven't yet been verified and a CIA official declined to comment on this incident. This isn't the first time that the U.S. government agencies were accused of crossing the line and undermining online security and civil liberties, as it's been only a year since the infamous FBI-Apple encryption dispute. It's like "1984" all over again. March 2017 According to these documents, the alleged exploits took place between 2013 and 2016, while at least 24 Android vulnerabilities were identified. Among them were hacking tools capable of turning Android and iPhone devices, smart TVs, and computers into "covert microphones". Chrome was targeted by the EggsMayhem attack, the Sulfur exploit caused Android to leak critical OS information, while the RoidRage bundle was used to obtain remote control over Android devices. At first, all the tech companies from Silicon Valley maintained their silence, but two days later, Google's Manager of Information Security, Heather Adkins, said that many of the vulnerabilities referred to in the report were fixed. However, security specialists say that those government intrusions on privacy, although undeniably severe and illegal, haven't been reported to affect versions of Android after 4.4. Google is currently busy analyzing their security issues, and working on implementing further protections. Apple also issued a statement saying that their users were protected as the latest iOS version contained security patches for the mentioned exploits. Security protocols of many chat apps such as Facebook's WhatsApp, Signal, or Weibo, were broken, too. 
All this obviously puts not only many individual users, but also numerous companies at risk, as their privacy can be easily violated and their trade secrets exposed. That's why it's wise to think about alternative methods of communication and constant security software testing.

February 2016

On December 2, 2015, 14 people were killed, while 22 were injured in a terrorist attack at the Inland Regional Centre in San Bernardino, California. The perpetrators were subsequently killed in a shoot-out with the police. During the investigation, the FBI found an Apple iPhone 5C, issued to one of the terrorists by the San Bernardino County, as he was its employee. However, the phone had a password and couldn't be unlocked due to its advanced security features. The FBI asked Apple to help them and disable certain security features, which the company declined on the grounds of its policy of never undermining the security features of their products. This case sparked a heated debate regarding the importance of security and encryption both in court and among the general public. A poll conducted by the Pew Research Center on a sample of 1,022 adults showed that 51% of the U.S. citizens supported the FBI, while 38% agreed with Apple, although the company warned that creating a backdoor to the iPhone could pose a threat to data security, as the government or hackers could potentially unlock any iPhone. Finally, the FBI used a tool purchased from a third party to unlock the device and withdrew the request. This incident is still a controversial matter in the U.S.

December 2013

In December 2013, it was revealed that the NSA and the UK's GCHQ entered the realm of online gaming and started collecting data from the likes of WoW and Second [...]
2017-03-14T13:40:00-08:00
One challenge for all new top-level domains (TLDs) is the so-called Universal Acceptance. Universal Acceptance is a phenomenon as old as TLDs themselves and may strike on many occasions, e.g.:

• Using a very short email address like email@example.com
• Using an IDN email address like λ@ελ.ελ
• Using an email address or domain name based on a new gTLD
• Filling out an online form or using a software application either using email addresses or domain names as described before
• Other events

The effect when universal acceptance hits you is that you cannot send or receive email, you get error messages, or, even worse, everything looks like it works but it does not, and you do not even get a notification. New gTLD registry operators, among others, face this problem, and registrants are the people who are hurt by it. The cause is software and hardware that does not take into account that since 2014 more than a thousand new gTLDs have been added as valid TLDs. As this software and hardware will still be used for many years, the problems may not be fixed completely anytime soon. ICANN has identified this problem and is working with the Internet community, especially the technical community, to palliate the problem.

Reloaded – The medal has two sides

Throughout the last three years, Universal Acceptance has merely been seen as a technical problem. But as Registry Operator for .berlin, we are not only running all the technical stuff, we also market domain names to Berliners. Through this, we have experienced that Universal Acceptance has two sides, like a medal. There is not only the obvious technical side that contributes to Universal Acceptance but also the people's side of the medal, which seems to us equally important.
We brought this to a simple formula which we would like to propose:

Universal Acceptance = Technical Acceptance + People's Acceptance

Please see our definitions below for which we adopted the existing wording done by ICANN with some new definitions we would like to suggest.

* * *

The technology side of Universal Acceptance

Technical Acceptance – is the concept that all domain names should be treated equally by technical systems. Domain names and email addresses should be accepted, stored, processed and displayed in a consistent and effective manner.

Linkification – is the action when a software application uses algorithms and rules to determine whether a string should create a hyperlink to a valid Internet location (URL) or an email address (mailto:) and executes the linkification.

+ The people's/consumer's side of Universal Acceptance

Universal Awareness – is when those people who are domain name owners or want to become domain name owners are aware of the large choice and benefits of the new top-level domains that complement the legacy TLDs.

Universal Recognition – is when people, especially Internet users, identify a combination of two or more labels separated by dots as a potential domain name and type it into a browser or search bar or forward that information.

= The full picture of Universal Acceptance

Universal Acceptance – is the state when both, technology and people, identify a label.label combination as a potential or real Internet address (= domain name) and perform appropriate action on it.

* * *

Our Suggestion

In order to overcome the Universal Acceptance issues, we would like to make the following suggestion: With enormous existing funds of over US$ 230 million from the new gTLD auction proceeds, ICANN could spend a serious amoun[...]
2017-03-12T23:31:00-08:00
On 6 March 2017, ICANN's GDD finally responded to an applicant letter written on 14 August 2016 to the ICANN Board. This was not a response from the ICANN Board to the letter from 2016 but a response from ICANN staff. The content of this letter can best be described as a Null Response. It reminded the applicants that the Board had put the names on hold and was still thinking about what to do. After 6 months of silence from the ICANN Board, the GDD staff reminds the applicants that they have not yet gotten a response and that "the topic of name collision continues to be considered by the ICANN Board," and tells them where they can go to continue waiting for a response. This sad episode reminds one of some of the worst stories one hears about bureaucratic dithering. The applicants continue waiting for a timely response from ICANN. 24 applicants, with over $4 million in applicant fees that sit in ICANN's coffers, continue to sit in ICANN's waiting rooms. Five years after the gTLD round of 2012, applicants still wait for a response without hope. ICANN is now in the midst of discussing subsequent applications for new gTLDs. In this process, the ICANN Board asks the community when they will be ready to open applications for more gTLDs, yet cannot find time to get moving on solving this problem from previous rounds. I have discussed this problem in several blog posts in the past and find it amazing that after all this time the issue remains untouched by the ICANN Board. The next step in solving this problem is actually rather easy. The applicants remain ready to work with ICANN on finding ways to solve this situation. There have been previous recommendations that a group of experts, from among the applicants, from ICANN staff, and from the technical community work together to discover a solution. Various mitigation strategies and technical solutions remain possible but unexplored and are begging to be discussed and worked on.
It is unbelievable that 5 years after the submission, ICANN has not put together a task force to resolve this embarrassing lack of progress. Does ICANN hope the applicants tuck their tails behind them and walk away without a resolution? The 3 domain names are often referred to by some in the technical community as toxic names because of the complexities that come from having been usurped for unapproved and dangerous private usage. The fact that these names are used improperly remains a risk for the Internet and constitutes a possible vector for attack. These so-called toxic domain names should be treated as any toxic threat to the environment, with a cleanup. The best way to cleanup the names remains to mitigate the risks, educate the public, and put the names into delegated service. The domain names .corp, .home, and .mail should be designated as an Internet 'super site' and plans should be immediately developed for cleaning up the situation. Some claim that the names should just be put on a toxic reserved list and abandoned. Not only would this perpetuate the possible risks they pose to the Internet, it would encourage others to just grab any name they want and to use them until they become toxic. While ICANN takes its time to create deliberate well-formed programs for safe domain name delegation, it also continues its implicit invitation to just grab any name someone wants, knowing that there will be no response other than to allow the miscreants to continue using undelegated names with impunity. ICANN allows families and businesses to continue using names like .corp, .home, and .mail without any attempt to in[...]
2017-03-12T20:56:00-08:00
One of the most striking and enduring dichotomies in the conceptualization of electronic communication networks is summed up in the phrase "the Internet as weapon." With each passing day, it seems that the strident divergence plays in the press — the latest being Tim's lament about his "web" vision being somehow perverted. The irony is that the three challenges he identified would have been better met if he had instead pursued a career at the Little Theatre of Geneva and let SGML proceed to be implemented on OSI internets rather than refactoring it as HTML to run on DARPA internets. So this gets back to the central premise of this article — the existence of any electronic communication capability that is "an open platform that enables anyone, everywhere, to share information, access opportunities and collaborate across geographic and cultural boundaries" globally is fundamentally a weapon. Apart from Tim equating "web" with internets, the existence of such an infrastructure has inherent economic, operational, and political self-destructive properties that are playing out exponentially every day. Tim's three observations border on the absurd. "We have lost control of our personal data." Guess what, if you convey it across a globally open electronic communications infrastructure, it is no longer your personal data and you have lost control. Count on it; and there are about 167 years of treaty instruments that ensure that will be the case. Indeed, Tim's web vision rests on a treaty signed in 1988 that allowed internet capacity for the first time to be made publicly available globally. Internet weaponization in the form of the Morris Worm played out in the press during the treaty conference and led to all nations, as a quid pro quo, assuming obligations that included "as necessary, those financial, technical, or operating conditions to be observed." Those obligations remain in force today.
Within ten years, the scaling of the Internet as weapon began with three major components that sent everyone scrambling to do something: cyber crime, cyber terrorism, and cyber war. By 2001, the consequences began manifesting themselves big time. All of this occurred as many nations began to openly use internet platforms as instruments of political change in other nations. Even new hyper-competitive commercial entrants leveraging obligation-less regulatory devices such as NetNeutrality and OTT services furthered the weaponization, touting it as a "disruptive" paradigm. Never mind the collateral damage. The mainstream legacy telecommunications industry, as well as cognizant government security and law enforcement agencies, scrambled to cope with these developments in the face of rapidly changing political-economic conditions. The notion that anyone can do anything globally on open communication networks and not be observed is just not going to occur. The U.K. got it right with the Investigatory Powers Act that serves as a global model. "It's too easy for misinformation to spread." You don't say! Doesn't that come with pursuing a cyber-utopian "open platform and the resources for anyone, everywhere, to share information?" The reality of human existence is that the disaffected peoples and crazies of the world are more energized to convey their views — including all that misinformation. The pursuit of power and money provides significant incentives as well. You can't have it both ways, and the appropriate term is getting "hoisted on your own petard." And, yes, it can "spread like wildfire" courtesy of the very[...]