A 32-year-old Russian man was sentenced on Friday to 27 years in prison for computer hacking crimes that are reported to have caused over $169 million in damages to small businesses and financial institutions. Roman Valeryevich Seleznev, going by the name Track2, was convicted in August 2016 of 38 counts related to his scheme to hack into point-of-sale computers to steal credit card numbers and sell them on dark market websites. From the official release: "According to evidence presented at trial, between October 2009 and October 2013, Seleznev hacked into retail point-of-sale systems and installed malicious software (malware) that allowed him to steal millions of credit card numbers from more than 500 U.S. businesses and send the data to servers that he controlled in Russia, the Ukraine and McLean, Virginia. Seleznev then bundled the credit card information into groups called "bases" and sold the information on various criminal "carding" websites to buyers who used them for fraudulent purchases, according to evidence introduced during the trial of this case. Many of the businesses targeted by Seleznev were small businesses, and included restaurants and pizza parlors in Western Washington, including Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault. Testimony at trial revealed that Seleznev's scheme caused approximately 3,700 financial institutions more than $169 million in losses."
Follow CircleID on Twitter
Classified ad site craigslist is famously protective of its contents. While they are happy for search engines like Google to index the listings, they really, really do not like third parties to scrape and republish their content in other forms. In 2013 craigslist sued a company called 3taps, which had created an API for craigslist data. They also sued real estate site Padmapper, which showed craigslist and other apartment listings on a map, something craigslist didn't do at the time. After extensive legal wrangling, 3taps eventually gave up and in 2015 paid craigslist $1 million and shut down. Craigslist donated the money to the EFF, which was a little odd since the EFF had generally supported 3taps.
One of 3taps' other customers was another real estate site Radpad, which kept showing craigslist listings after 3taps shut down.
Radpad has since gone bankrupt, and last week the court accepted, and the bankruptcy administrator did not contest, an impressive settlement with craigslist.
It lists all of the bad stuff that craigslist alleged Radpad did, including copyright infringement of about 130 craigslist listings, scraping 80,000 people's contact information from craigslist, and sending them 400,000 e-mail messages through craigslist's system in violation of CAN-SPAM. (The particular violations alleged were fake return addresses and fake subject lines to make it appear that the messages were from a live person.) A detailed injunction forbids Radpad to do any of the things craigslist objected to.
The interesting piece is the damages: $60.5 million, of which $40 million is CAN-SPAM damages for the 400,000 messages at $100 each. I think that's the largest CAN-SPAM judgment ever.
It's worth noting that Radpad initially denied all of craigslist's allegations, but stopped defending the case when they went bankrupt. The bankruptcy administrator was not a target of the suit. They just added the judgment to the pile of claims against Radpad that are unlikely ever to be paid.
The judgment does allow craigslist to keep pursuing the people who did the scraping, so it's possible we haven't yet heard the last of this case.
Written by John Levine, Author, Consultant & Speaker
California was recently reminded that rain can be very dangerous. In February, the nation's tallest dam, the Oroville dam in northern California, became so overloaded with rain that over 100,000 people had to evacuate their homes. Many of them ended up at the fairgrounds, a common place for rural communities to gather in times of disaster. Many rural fairgrounds remain unconnected to broadband Internet services, which can make a dangerous situation worse. Especially during critical times, the public must be able to access resources and communicate with their loved ones through the Internet. Now imagine: what if fairgrounds did have high-speed Internet access? It could be an untapped place for opportunity, acting as a job and economic generator for rural communities and serving as a connection to a 21st-century Internet-based economy. Making this shift and bridging the rural-urban divide in this way is just one projected benefit of the Internet for All Now Act (AB 1665).

A Legislative Solution

Even though the California Legislature pledged to help connect 98% of Californians to the Internet by 2017, the state has not been successful in rural communities. According to the 2016 Survey on Broadband Adoption in California, 16% of Californians lack access and 14% connect only through smartphones, which means that a staggering 30% lack home broadband and a computing device. Cost is reported as the biggest deterrent to access. See a map of each district's broadband access in California: many rural areas remain underserved or unserved. These maps provide further evidence that, as the California Public Utilities Commission (CPUC) reported in April 2017, only 47% of rural households have access to reliable broadband service.

In 2008, the CPUC and Legislature established the California Advanced Services Fund (CASF) to correct this digital divide. It provided grants and loans for the deployment of broadband infrastructure in unserved and underserved areas, as well as grants to public housing and regional associations to advance broadband deployment, access, and adoption. Funded through cent-level increases to the public's phone bills, the fund supported 58 projects over the last nine years. However, this is the only source of government support for broadband, and the CASF is out of money, with 6 pending projects and more in the pipeline. The Legislature is the only entity that can replenish the CASF, which is why the Internet for All Now Act is so critical. Otherwise, we will continue having a digital divide that reinforces economic insecurity amongst rural, disabled, and low-income communities.

Nuts and Bolts of the Bill

Proposed legislation, AB 1665 or the Internet For All Now Act, would expand the capacity of the government to bridge this divide. The SF-Bay Area Chapter supports this legislation's multi-faceted strategy, which would:

Fund infrastructure projects that provide broadband access to no less than 98% of California households by December 31, 2023.
Establish a new Broadband Adoption Account to assist low-income Californian households in getting online.
Require the CPUC to biennially report on CASF to the Legislature.
Require the CPUC to identify priority unserved and underserved areas and delineate the priority areas in the biennial reports.
Require the CPUC to consult regional consortia, stakeholders, and consumers regarding priority areas and cost-effective strategies to achieve the broadband access goal through public workshops conducted at least annually.

To learn more about the legislation, visit InternetForAllNow.org.

What You Can Do

If you're a California resident, call your legislator today and tell them you support AB 1665. A sample script: "Hi, I'm a resident of [county] calling to support AB 1665, the Internet for All Now Act. I urge you to support this legislation in order to bridge California's digital divide and ensure digital access and literacy for all." As the CEO and [...]
The UK government has released the results of a national cybersecurity survey revealing that nearly seven in ten large companies in the country identified a breach or attack in the past 12 months. The report also says that businesses holding electronic personal data on customers were much more likely to suffer cyber breaches than those that did not (51 per cent compared to 37 per cent). "The most common breaches or attacks were via fraudulent emails — for example coaxing staff into revealing passwords or financial information, or opening dangerous attachments — followed by viruses and malware, such as people impersonating the organization online and ransomware. ... Of the businesses which identified a breach or attack, almost a quarter had a temporary loss of files, a fifth had software or systems corrupted, one in ten lost access to third party systems they rely on, and one in ten had their website taken down or slowed."
The Canadian Radio-television and Telecommunications Commission (CRTC) today announced that it is strengthening its commitment to net neutrality: "Internet service providers should treat data traffic equally to foster consumer choice, innovation and the free exchange of ideas." The CRTC is also publishing a new framework regarding differential pricing practices. The framework, the agency says, "supports a fair marketplace for services, cultural expression and ideas in which Internet service providers compete on price, quality of service, speeds, data allowance and better service offerings, rather than by treating the data usage of certain content differently."
— "The CRTC is of the view that differential pricing generally gives an unfair advantage or disadvantage to certain content providers and consumers."
— "After assessing Videotron’s Unlimited Music Service under the new framework, the CRTC found that the company is giving an undue preference to certain consumers and music streaming services, while subjecting other consumers and content providers to an unreasonable disadvantage. Videotron must ensure its Unlimited Music Service comes into compliance within 90 days."
In The Limits of Filtering, Evan Engstrom and Nick Feamster argue eloquently that the costs of a "takedown-staydown" system to defend against copyright infringement would be prohibitive for online service providers (OSPs) and would therefore deprive OSPs of otherwise interested investors. I agree that Engstrom and Feamster raise some valid points, particularly that content recognition technologies are not perfect (Feamster cites a 1-2% error rate on the specific technology he had tested) and may have costs to the OSP. However, we must also remember that the current DMCA regime imposes significant costs on content creators, particularly on small or individual artists who cannot afford the time or resources to engage in the endless whack-a-mole of notice and takedown. Moreover, the law fails to strike a reasonable balance between the legitimate needs of platforms to innovate and the needs of content creators to protect their works.

The Current Notice-and-Takedown Regime

As Engstrom and Feamster note, the DMCA today grants an OSP a safe harbor with regard to the storage or indexing of, or linking to, copyright-infringing material if they have no actual or constructive knowledge that the material is infringing, and if, once advised of the fact of infringement, they act expeditiously to remove or disable access to the infringing material. In other words, "takedown" is a remedy under law available to OSPs who wish to allow their users to share material with others online. This provision has been problematic for rights holders because identical, or substantially identical, material can simply be uploaded again after each "takedown". This creates an asymmetric, burdensome cat-and-mouse game between a holder of copyright and hundreds or thousands of deliberate infringers of that copyright, since content, once "taken" down, does not "stay" down. Most troublingly, this creates a massive imbalance between the interests of online service providers and the interests of small or individual artists.

The difference between "takedown" and "staydown" turns on the definition of "actual or constructive knowledge", in that a service provider is presumed by courts to be unaware of the infringement status of materials until after they receive a complaint from a rights holder. This presumption is rendered invalid by today's availability of commercially reasonable technology and tools which are capable of accurately comparing and matching many types of digitized artworks — for example, older material which a service provider has taken down as a result of a complaint by a rights holder, and newer, substantially identical material which is in the process of being uploaded. Such content recognition technologies are not perfect (as noted, the Echoprint technology tested by Prof. Feamster at Princeton found an error rate of 1-2%), but the question is whether they are effective. To my mind, an effectiveness rate of 98-99% (the converse of Prof. Feamster's error rate) is clearly effective and certainly a vast improvement over today's flailing notice and takedown regime. Simple procedures can be readily adopted to address the relatively small number of false positives — such as a system by which uploaders can dispute the validity of a particular block (much as the DMCA currently provides for counter-notices). Engstrom and Feamster also point out that most piracy websites are overseas and therefore assert that amending the DMCA to implement takedown-staydown would be pointless. I believe that the United States of America should set an example for rights protection that we want the rest of the world to follow. Also, while the site's operator may be overseas, the content itself may often be found hosted on U.S. servers.

There's no question that running a content sharing OSP is more expensive if the cost of intellectual property protection is not externalized onto rights holders via the flawed "notice an[...]
While the most common results of a UDRP proceeding are either transfer of a disputed domain name to a complainant or denial (that is, allowing the respondent to retain it), there is another possible outcome: cancellation. I'm always surprised to see a UDRP decision in which a domain name is cancelled. True, many trademark owners don't really want to obtain control of a disputed domain name (and, instead, they simply want to get it taken away from a cybersquatter). Plus, maintaining a domain name incurs an ongoing expense as the result of renewal fees, and many trademark owners already have large (and, therefore, costly) domain name portfolios. But, the cancellation remedy means that a UDRP victory may be short-lived because cancelled domain names become available for registration by anyone, including another (or even the same) cybersquatter. A trademark owner that files a UDRP complaint incurs real expense (through filing fees and legal fees) — payments that rightly could be seen as an investment. Allowing a domain name to be cancelled instead of transferred seems like a wasted investment. Here's one way of looking at the math: The least amount of money that a trademark owner could expend on a UDRP complaint is about $500 — if it files at the Czech Arbitration Court (the least expensive UDRP service provider) and prepares the complaint itself, without outside counsel. (In reality, most UDRP complaints incur total expenses of thousands of dollars.) A popular registrar such as GoDaddy charges about $15 per year to renew a .com domain name. Therefore, a trademark owner could maintain a transferred domain name for more than 30 years for less than the cost of filing the cheapest possible UDRP complaint. Under this scenario, why would a trademark owner risk having a domain name fall into the hands of another cybersquatter if it could keep the domain name for itself and avoid having to file a second UDRP complaint?
The risk is real, as domain names cancelled in UDRP proceedings don't necessarily remain cancelled for long. For example, although the pharmaceutical company Sanofi won a UDRP complaint last year for 21 domain names, 20 were quickly re-registered (by multiple registrants) after they were cancelled and are being used in connection with websites that most trademark owners would consider problematic. True, not many trademark owners request the cancellation remedy. At WIPO (the most popular UDRP service provider), only 1.69% of all cases have resulted in cancellations. But, the number of cancellations is on the rise, reaching 2.16% in 2015 and 2.09% in 2016. What explains this (slight) increase in cancellations? One reason could be the arrival of cybersquatting in the "new" gTLDs. For example, some recent UDRP decisions that resulted in cancellations involved the top-level domains .support, .xin, .engineer, .istanbul, .host, .accountant and .bid. Perhaps the prevailing trademark owners felt that these domain names would not be attractive to other cybersquatters after they were cancelled. Whatever the reason, trademark owners should think long and hard about whether to request the cancellation, rather than transfer, of a disputed domain name in a UDRP proceeding. It would seem that a domain name worth pursuing is worth keeping.
Written by Doug Isenberg, Attorney & Founder of The GigaLaw Firm
We recently wrote in response to how LegitScript is painting inaccuracies about the Canadian International Pharmacy Association ("CIPA"). With our members' 100% perfect safety record selling life-saving medications to millions of Americans for over 15 years, we are proud to participate in a regulated industry. We are also confident in the affordable solution we provide for consumers struggling with outrageous medication prices in the U.S. Given this affordable solution to predatory pricing, it is evident that LegitScript's dissemination of inaccuracies is part of a broader pattern of actions undertaken by the U.S. pharmaceutical sector to extend an outmoded and dysfunctional pricing system to cyberspace. This includes misrepresenting CIPA's role in the Healthy Domains Initiative ("HDI") and operation of the .Pharmacy gTLD in a manner that is not only contrary to the Internet Corporation for Assigned Names and Numbers' ("ICANN's") Bylaws and mission statement, but elevates the protection of profits over consumer interests. (See an earlier piece here on CircleID by Jeremy Malcolm, Senior Global Policy Analyst, Electronic Frontier Foundation and Mitch Stoltz, Senior Staff Attorney, Electronic Frontier Foundation.)

The Truth About HDI

For the record, CIPA advised the Domain Name Association ("DNA") after it invited non-member input in 2016 that we would be happy to participate in HDI and to contribute to its online pharmacy initiative. Like many other non-members, we were ultimately disappointed to learn that DNA unveiled the HDI without asking for our input. To date, we have taken no position regarding the HDI's Rogue Pharmacy Abuse Report Proposal (the "Proposal") because the information released by DNA has failed to provide sufficient details regarding the actual operation of its envisioned system for verifying the legitimacy of online pharmacies. We remain ready to work with DNA to refine the Proposal in a manner that both protects and benefits consumers seeking safe, authentic, and affordable medications via the Internet. In fact, CIPA recognizes the mischief of what are truly "rogue" online pharmacies, which prompted us to track misuse of our respected Certification trademark. For many years, we have worked directly with the Canadian Anti-Fraud Centre, a collaboration of the Ontario Provincial Police and the Royal Canadian Mounted Police, in order to take down those websites using our Certification trademark without authorization. In addition, we aggressively monitor use of our Certification trademark and pursue legal action against its unauthorized use. Contrary to LegitScript's view that we do not like private companies developing and implementing reasonable policies that remove the incentive for governments to regulate, we actually support and enforce self-regulation, and voluntarily coordinate with law enforcement to protect consumers.

.Pharmacy: Misuse of a Global Internet Resource

CIPA and the Electronic Frontier Foundation ("EFF"), an internationally recognized digital rights group based in San Francisco, are jointly concerned about private interests promulgating standards for key Internet intermediaries that are designed to serve their own financial interests. LegitScript's ongoing efforts to tarnish the reputation of CIPA and its members fit into a broader pattern of actions by U.S. pharmaceutical interests to suppress competition under a false narrative of consumer protection. The most blatant example of this is the operation of the .Pharmacy gTLD by the National Association of Boards of Pharmacy ("NABP"), the trade association primarily promoting the interests of U.S. retail druggists. The application for .Pharmacy was supported by such Big Pharma interests as The National Association of Chain Drug Stores, Eli Lilly and Company, and — no surprise — [...]
The Registration Operations Workshop (ROW) was conceived as an informal industry conference that would provide a forum for discussion of the technical aspects of registration operations in the domain name system.
The 6th ROW will be held in Madrid on the afternoon of Friday, May 12th 2017, immediately after the GDD Industry Summit and prior to the ICANN DNS Symposium and OARC 26, using the same venue as all the above-mentioned events: Hotel NH Collection Madrid Eurobuilding, Madrid, Spain. A whole set of topics and speakers are confirmed. Here is the current list:
The speakers are from CentralNic, CloudFlare, ICANN, IIT-CNR/Registro.it, Verisign and Viagénie. The attendance is free but registration is required. The ROW Series workshops are sponsored by Verisign and ICANN.
Written by Marc Blanchet, Internet Network Engineer and Consultant
A team of Internet activists including co-founder and ex-spokesperson of the Pirate Bay, Peter Sunde, today announced the launch of a unique domain name service, called Njalla, designed to act as a "privacy shield" for registrants. "Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions," says the group. "As long as you keep within the boundaries of reasonable law and you're not a right-wing extremist, we're for promoting your freedom of speech, your political weird thinking, your kinky forums and whatever." The group points out that Njalla is not a domain name registration service, but sits between the domain name registration service and the registrant. "When you purchase a domain name through Njalla, we own it for you. However, the agreement between us grants you full usage rights to the domain. Whenever you want to, you can transfer the ownership to yourself or some other party."
There are no gatekeepers to prevent registrants from acquiring domain names incorporating marks that potentially violate third-party rights. Anyone anywhere can acquire domain names composed of words and letters in languages not its own through a registrar whose registration agreement is in the language of the registrant. For example, a Chinese registrant of a domain name incorporating a Norwegian mark as in
The president of LegitScript recently authored an inaccurate and misleading critique of the Canadian International Pharmacy Association (CIPA) that was clearly intended to smear our reputation with a broad brush dipped in inaccuracies and scare tactics. This response paints the true picture of who we are and the benefits CIPA Members offer U.S. consumers.

CIPA Members Have A 100% Perfect Safety Record

Since its founding in 2002, the members of CIPA have maintained a 100% perfect safety record. Yes, you read that correctly — a 100% perfect safety record. Serving millions of Americans. For 15 years. So, given our perfect safety record for well over a decade, we rhetorically ask: "where is the problem, LegitScript?!" CIPA customers can obtain a personal supply of pharmaceuticals and maintenance medications made by the leading brand-name manufacturers, at prices 50% – 80% less than U.S. pharmacies. (Ahhh...there's the problem: Our prices allow profit for the manufacturer, but don't gouge the consumer to the point of absurdity, as in the U.S.!) Top prescription drugs purchased through CIPA members include: daily medications prescribed to prevent blood clots after a heart attack; to reduce cholesterol; to treat depression; and for the treatment of diabetes. CIPA members do not sell controlled substances, narcotics or pseudoephedrine products. Any issues or concerns raised about the sale of controlled substances to customers in the U.S. — such as Google's non-prosecution settlement a few years ago — do not pertain to CIPA and do not involve any of our members, despite LegitScript's best efforts to suggest otherwise. In addition to dispensing medications from licenced pharmacies in Canada, CIPA members have relationships with regulated international pharmacies and inspected fulfillment centers that directly deliver medications to patients. A look at the FAQ section on our website shows that — despite what LegitScript says — CIPA members are fully transparent about the international component of their businesses. In short, customers are clearly informed where their medication comes from — on the CIPA website, and during ordering and with follow-up communication from the CIPA member. (A former CIPA member wasn't transparent — cause for expulsion from our organization. But he's actually been gone for a decade, and we've had zero contact with him in 10 years.)

Our 100% safety record is the result of the stringent standards observed by all CIPA members to ensure patient safety, including:

Requiring a valid prescription before dispensing medications;
Obtaining demographic and medical information from the patient and maintaining a health profile with medication history to avoid adverse drug interactions;
Having a licensed pharmacist on staff to supervise dispensing of medications and to be available for consultation upon patient request; and
Maintaining procedures to ensure patient privacy and confidentiality of personal records and contact information.

LegitScript's False and Misleading Accusations

There are many unlicensed and illegitimate "rogue" pharmacies on the Internet, yet despite CIPA's strict safety procedures and 100% perfect safety record, LegitScript is trying to falsely paint us into the "rogues" corner of the web. It is readily apparent that LegitScript does not like how CIPA and the Electronic Frontier Foundation ("EFF") are collectively shining a spotlight on the U.S. pharmaceutical industry's coordinated campaign to eliminate threats to their predatory pricing model. This is what appears to have motivated LegitScript to campaign to suppress consumer choice and competition under the false pretense of protecting consumers. The truth is that CIPA and[...]
Do consumers still get confused when they see a URL without a .com (or other traditional extension)? Probably — but I don't think anyone really knows the answer to that from a global perspective. What I do know, however, is that it's important for those of us in the new TLD industry to help our brand customers ensure that we're providing audiences with the best possible chance to identify new domains as legitimate web addresses. One question that frequently arises in our conversations with .brands is about just how to represent .brand URLs to maximize audience understanding, recall, and action when used in advertising or promotional material. The short answer is that there are a number of ways to represent .brand domains, each with its own advantages and challenges — and the best fit is based upon the media in which it will be displayed and the action you want your audience to take. So let's have a look at a few of the options that we've seen to date and see if we can uncover what the best option is for you.

* * *

www

Traditionally, use of the 'www' was seen as the preferred method to ensure that the audience identified the text as a domain name. Many will also recall the 'http://' being used interchangeably in days gone by. As browsers have improved over time, the requirement for users to type the 'www' and/or the 'http://' has been eliminated and thus, many advertisers simply use the simplified domain in their creative these days. When it comes to advertising new .brand URLs however, many have reverted back to the use of the 'www' to help train audiences that this is, in fact, a legitimate web address. This avoids confusion in situations where 'dots' are used as creative devices rather than functional elements of a domain name. For example, Neustar has opted to include the 'www' wherever possible when using its .brand.

The plus side
Helps the address to look like a domain name, conveys immediately that this is a web address, and works well in spoken form
Globally acknowledged standard

The down side
Can extend the length of the web address, potentially making it less appealing for visual or text-based ads
Not required in browsers any longer, so potentially seen as outdated by some audience segments

* * *

http://

As discussed above, using 'http://' is a slightly more outdated version of the 'www' option but does establish well-understood URL elements to illustrate that, despite the unfamiliar extension, this is a real domain name.

The plus side
Looks like a domain name and conveys immediately that this is a web address

The down side
Looks overly technical, not as attractive in written form, and clunky when spoken aloud
Again, not required in browsers any longer, and potentially seen as a little more outdated than the 'www'

* * *

Domain only labels
On the afternoon of March 29, the CAICT held the ICANN 58 China Internet Community Readout Session at the CAICT together with the ICANN Beijing Engagement Center. Mr. Li Xiangning, Deputy Director General of the Information and Communication Administration under the Ministry of Industry and Information Technology (MIIT), attended the event and gave a speech at the meeting. Over 60 representatives from related governmental agencies, including the Office of the Central Leading Group for Cyberspace Affairs, the Ministry of Foreign Affairs and the Beijing Communications Administration, as well as domain name registries and registrars, industrial organizations, institutes and universities, participated in the seminar. The attendants reviewed the developments of the ICANN 58 Copenhagen Meeting held from March 10 to 16 and further discussed ICANN affairs and the hot topics of the meeting. At the meeting, Li Xiangning gave a speech which fully affirmed the important role of the community exchange and cooperation platform set up by the CAICT and the ICANN Beijing Engagement Center in enhancing common understanding and promoting cooperation within the China Internet community, and presented his opinions on the ICANN jurisdiction issue and the open registration of country names and country codes in second-level domains. Li said that the MIIT would always support the development of the China Internet community and regard it as an important approach to implementing the Internet power strategy, so as to further strengthen China's discourse in international affairs and rule-making processes.
Jia-Rong LOW, Vice President of ICANN and General Manager of Asia-Pacific Operations, introduced several important topics from the ICANN Copenhagen meeting, expressed his appreciation for the growth of the China Internet community, and fully affirmed the contribution of Song Zheng, Director of the ICANN Beijing Engagement Center, to ICANN affairs and the China Internet community. He also announced that Song would leave his position and that Zhang Jianchuan, Senior Researcher at KNET, would take over. The attendants expressed their appreciation for Song's efforts over the last three years and congratulated Zhang Jianchuan on his new role. Guo Feng, Vice Chair of the Governmental Advisory Committee (GAC) and Researcher at the CAICT, introduced the general conditions of ICANN 58 Copenhagen and the progress of the GAC's key topics. Attendants such as Shen Zhi and Chu Nan from CNNIC, Liu Limei from CONAC, Professor Kan Kaili from Beijing University of Posts and Telecommunications, Cai Xiongshan from Tencent Research Institute, Wang Wei and Zhang Jianchuan from KNET, Pam Little from Alibaba Cloud, Wu Yangyi from the ".商标" Domain Name Registry and Tan Yaling from Teleinfo reported on the progress of meeting-related topics at ICANN, APNIC and APTLD and shared their experience of ICANN 58. The seminar was moderated by Liu Yue of the CAICT. The attendants discussed issues such as ICANN jurisdiction and the compliant operation of domain name practitioners, and unanimously considered that the China Internet community should further strengthen communication and coordination, enhance the quality and voluntary engagement of its participants, pay closer attention to the progress of the second phase of the ICANN accountability work, and actively participate in the domain name rule-making process, so as to promote the development of China's Internet domain name industry and strengthen the discourse and influence of the China Internet community.
On the morning of March 29, the CAICT held a lecture for domain name registrie[...]
A study conducted by PhD candidates at Stony Brook University identified malvertising as a major culprit in exposing users to technical support scams, which allowed them to build an automated system capable of discovering, on a weekly basis, hundreds of phone numbers and domains operated by scammers. They wrote: "By allowing our system to run for more than 8 months we collect a large corpus of technical support scams and use it to provide insights on their prevalence, the abused infrastructure, the illicit profits, and the current evasion attempts of scammers. ... [I]n a period of 250 days, we discover 8,698 unique domain names involved in technical support scams, claiming that users are infected and urging them to call one of the 1,581 collected phone numbers. To the best of our knowledge, our system is the first one that can automatically discover hundreds of domains and numbers belonging to technical support scammers every week, without relying on manual labor or crowdsourcing, which appear to be the main methods of collecting instances of technical support scams used by the industry. ... From a financial perspective, we take advantage of publicly exposed webserver analytics and estimate that, just for a small fraction of the monitored domains, scammers are likely to have made more than 9 million dollars."
2017-04-17T06:49:00-08:00
M3AAWG is a trade association that brings together ISPs, hosting providers, bulk mailers, and a lot of infrastructure vendors to discuss messaging abuse, malware, and mobile abuse. (Those comprise the M3.) One of the things they do is publish best practice documents for network and mail operators, including two recently published ones: Password Recommendations for Account Providers and Password Managers Usage Recommendations. Since I'm one of M3's senior technical advisers, I helped write them, but I think they're pretty good anyway. Rather than just regurgitate the usual unworkable advice (make each password 14 different random characters, change them every week, and never write them down), we tried to look at the real threats on the current Internet and offer advice that makes sense today. The password advice does recommend strong passwords or pass phrases, but then mostly talks about operational issues: do encrypt the channels over which passwords are sent, via HTTPS or the like; do use multiple factors where possible; do use federated authentication to minimize the number of passwords people have to use; do make users change default passwords before using a new account; and don't do hard account lockouts after password failures (an easy way to harass your enemies). While it does say to make it easy for users to change passwords when they want, it doesn't recommend required password changes, since that is counterproductive: people use a pattern like password1, password2, password3, write them down, or most likely both. The whole document is 8 pages long, so it's worth downloading to read the whole thing. The password recommendations also encourage people to use password managers, the topic of the second document. A good password manager makes good password discipline much easier, since it can remember different, totally random passwords for every account, and won't forget them.
Many of them can keep the list of passwords in sync between a laptop, phones and tablets, a boon for those of us with aging memories. This paper is only three pages, short enough to download, print out and send around to people who don't understand why password managers are a good idea. There are lots more best practice documents on the M3AAWG web site. I'll blog about some of the others in the future. Written by John Levine, Author, Consultant & Speaker
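The lockout point above, as an added example that is not from the M3AAWG documents or this post: a constructed Python comparison of a hard per-account lockout with progressive throttling keyed on (account, source), showing why the former lets a stranger lock the real user out. The account name, addresses and timings are made up.

```python
from collections import defaultdict


class HardLockout:
    """Lock the account after N failures, no matter where they came from."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)       # user -> consecutive failures

    def attempt(self, user, source, password_ok):
        if self.failures[user] >= self.max_failures:
            return "locked"                    # the real owner is refused too
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "failed"


class SoftThrottle:
    """Slow repeated failures per (account, source) with capped exponential
    backoff. A correct password from a different source is never blocked,
    so a stranger cannot lock the legitimate user out."""

    def __init__(self, base_delay=1.0, max_delay=60.0, window=900.0):
        self.base_delay, self.max_delay, self.window = base_delay, max_delay, window
        self.failures = defaultdict(list)      # (user, source) -> failure times

    def _recent(self, key, now):
        fails = self.failures[key]
        fails[:] = [t for t in fails if now - t < self.window]   # prune in place
        return fails

    def delay_for(self, user, source, now):
        n = len(self._recent((user, source), now))
        return 0.0 if n == 0 else min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def attempt(self, user, source, password_ok, now):
        fails = self._recent((user, source), now)
        if fails and now < fails[-1] + self.delay_for(user, source, now):
            return "throttled"                 # must wait; nothing is recorded
        if password_ok:
            fails.clear()
            return "ok"
        fails.append(now)
        return "failed"


def harassment_scenario():
    """Constructed scenario: a stranger sends 5 wrong passwords for 'alice'
    from 198.51.100.7 (20 s apart); alice then logs in from 192.0.2.5."""
    hard, soft = HardLockout(), SoftThrottle()
    for i in range(5):
        hard.attempt("alice", "198.51.100.7", False)
        soft.attempt("alice", "198.51.100.7", False, now=20.0 * i)
    return (hard.attempt("alice", "192.0.2.5", True),             # "locked"
            soft.attempt("alice", "192.0.2.5", True, now=90.0),   # "ok"
            soft.attempt("alice", "198.51.100.7", False, now=90.0))  # "throttled"
```

The backoff still slows a guessing source down, while the legitimate owner on another connection is unaffected; a real deployment would also count failures per network block and alert on the volume.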
2017-04-16T08:49:00-08:00
Our latest research shows that dot brand domains continue their qualitative and quantitative growth. We carried out a complete cycle of analysis in April 2017 and found that brands had registered 6,505 domains in their Top Level Domains, a progression of 3% compared to February 2017. 761 actual websites are published on these domains, an increase of 6% from February 2017. Most of these domain names are actually being used as shortcuts to existing content. The total number of brands publishing at least one website is 122, compared to 112 in February.
Recent launches:
Amazon Web Services and Product Launch. Amazon Web Services, or AWS, launched chime.aws in February 2017. Chime is unified communication software designed to make meetings easier and more efficient. The Chime product uses the new AWS dot brand gTLD, .aws. (see Dot Brand Observatory for more data) This is the second launch of an Amazon product on a dot brand domain by AWS, after QuickSight, a fast business analytics service for everyone, launched on the quicksight.aws domain.
Sener and Language. Sener, a Spanish engineering company, has launched its new digital platform using keyword-rich domains written in the language of the content of each domain: Spanish, English or Polish. Sener launched a French site in March 2017 following the same pattern: ingenierieetconstruction is the French domain corresponding to engineeringandconstruction.sener (English version) and ingenieriayconstruccion.sener (Spanish version). (see Dot Brand Observatory for more data)
Honda and Local Website. March 2017 also saw another notable brand launch: Honda, the Japanese conglomerate that manufactures automobiles, aircraft, motorcycles and power equipment, launched its first new gTLD website, ke.honda. "ke" is the two-character abbreviation for the country Kenya.
Honda sells motorcycles directly in Kenya, while importers distribute the two other Honda business lines, automobiles and power products. The site promotes Honda motorcycles on the Kenyan market and provides directions to the importers of automotive and power products. Honda also uses the ke.honda domain name in its social media campaigns and promotions. (see Dot Brand Observatory for more data) About the Dot Brand Observatory: the Dot Brand Observatory is the research program on dot brand domains sponsored by Verisign. We have recently published our April research, featuring an improved interactive dashboard and TLD and SLD profile pages, which provide a clearer and more user-friendly interface. Visit the Dot Brand Observatory at https://dotbrandobservatory.com Written by Guillaume Pahud, CEO
2017-04-14T14:26:00-08:00
Co-authored by Constance Bommelaer, Senior Director of Global Internet Policy at the Internet Society, and Wolfgang Kleinwächter, Professor Emeritus at the University of Aarhus. Last week, the G20 ministers responsible for the digital economy met in Düsseldorf to prepare this year's G20 summit, scheduled for Hamburg in July 2017. Building on important strides initiated two years ago during the G20 summit in Antalya, and based on the G20 Digital Economy Development and Cooperation Initiative (DEDCI) adopted last year under the Chinese G20 presidency, the Düsseldorf meeting adopted a "G20 Digital Economy Ministerial Declaration", which also includes a "Roadmap for Digitalisation". One day before the ministerial meeting, non-state actors were invited to discuss "Policies for a Digital Future" within a so-called Multistakeholder Conference. The ministerial outcome document reflects a deepened understanding of the Internet's role in the future. It reiterates the importance of the digital economy for the overall economy, for growth, job creation and sustainable development. And it reaffirms the commitment to the goals and principles laid down in the documents of the UN World Summit on the Information Society (WSIS), the 2030 Agenda on Sustainable Development and the OECD Ministerial Declaration of Cancun (June 2016). Despite the diversity of the "Group of Twenty", which includes both the G7 countries (US, UK, France, Germany, Canada, Japan, Italy) and the BRICS countries (China, Russia, India, Brazil, South Africa) as well as countries like Turkey, Saudi Arabia, Mexico, Indonesia, South Korea and Argentina, the document recognizes "that freedom of expression and the free flow of information, ideas and knowledge across border are essential for the digital economy and beneficial to development".
Furthermore, it "reaffirms support for ICT policies that preserve the global nature of the Internet" and "allow Internet users to lawfully access online information, knowledge and services of their choice". It is also remarkable that Paragraph 3 of the Düsseldorf Declaration reaffirms the G20 commitment "to a multistakeholder approach to Internet Governance, which includes full and active participation by governments, private sector, civil society, the technical community and international organisations, in their respective roles and responsibilities". The ministers of the G20 countries also support "multistakeholder processes and initiatives which are inclusive, transparent and accountable to all stakeholders." This is good news and will help to deepen and broaden the still controversial discussions around "enhanced cooperation", "Internet fragmentation" and "multistakeholder models" in the global Internet Governance ecosystem. But the meeting also showed increasing concerns around trust, and new challenges offsetting the Internet's benefits. In many regards, it reflected a view that the Internet is no longer a naïve space that offers more and more opportunities, but a technology with risks and threats and with a significant impact on human lives and diplomatic relations. Indeed, despite the world's increasing dependency on this global network, the Internet has become a centerpiece of a political context in which globalization is being put into question. New reflexes of fear are emerging, and not only from governments, who may sense they are losing control of their national boundaries and see new risks of cyberattacks against their critical national infrastructure. Workers fear that digitalization will dest[...]
2017-04-13T09:54:00-08:00
The Uniform Rapid Suspension System (URS) is designed to get a domain name suspended, but in some cases this dispute policy can be used to help get a domain name transferred. It's an uncommon result, but one that trademark owners may want to keep in mind. The suspension remedy is often viewed as the greatest limitation of the URS. Trademark owners that want to have a domain name transferred typically file a complaint under the Uniform Domain Name Dispute Resolution Policy (UDRP) instead of the URS, but the UDRP is more expensive and time-consuming. Still, in some cases, trademark owners have been able to obtain the transfer of a domain name as the result of a URS proceeding. While the URS itself doesn't provide for a transfer remedy, the issue can arise if a trademark owner and domain name registrant agree to a transfer after a URS complaint has been filed but before a determination has been issued. In other words, a settlement under the URS can result in the transfer of a disputed domain name. Settlements under the UDRP are not uncommon, but settling under the URS is much more unusual and challenging, largely because of the expedited nature of URS proceedings. While URS case files are not made public, it's interesting to note that a number of URS complaints have been withdrawn and the disputed domain names are now registered to obvious trademark owners, a likely indication that the parties settled their disputes. Indeed, at the Forum (the largest provider of URS services), 37 of 685 complaints, about 5.4%, have been withdrawn. In two cases withdrawn earlier this year, for
2017-04-13T09:29:00-08:00
While non-state actors are making efforts to approach cybersecurity issues in a different and creative way, state actors have given clear signs that they have exhausted their patience and insist on doing things alone, bringing traditional old tricks back into cyberspace. This is exemplified by the bilateral meeting of two cyber sovereigntists, the Chinese and U.S. presidents, on April 6-7, and by the multilateral G7 Declaration on Responsible States Behavior in Cyberspace on April 11. Particularly disturbing in the wording of the G7 Declaration is its call on "states to publicly explain their views on how existing international law applies to states' activities in cyberspace to the greatest extent possible". If we associate that with the words of Ms. Heli Tiirmaa-Klaar, Head of Cyber Policy Coordination at the European External Action Service, at an event on March 29, where she promoted the application of "the Law of Armed Conflict based on the interpretations in the two Tallinn Manuals", then it is clear that the G7 nation-states are eager to introduce the traditional logic of conflict resolution into the cyber domain. This has given rise to a trend in which the whole set of industrial-age narratives, such as allies, threats and deterrence, is being replicated in cyber rule-making. Once this lid is opened, global Internet governance will be dominated by those whose way of thinking divides people rather than unites them. Nevertheless, at the approaching UN GGE conference in June it will become clearer how far the states can go. The real dilemma goes beyond the warring rhetoric of states and rests on the very legitimacy the states have to strike a deal on cybersecurity. As early as 1996, Barlow had good reason to call states like "China, Germany, France, Russia, Singapore, Italy and the United States" "weary giants of flesh and steel".
By 2017, their legitimacy and credibility in cyber policy-making had suffered numerous fatal blows. It is in this context of a crisis of traditional models that the multistakeholder approach represented by ICANN has been widely celebrated, and the industry initiative on a Digital Geneva Convention by Microsoft is highly appreciated. Professor Milton Mueller has compared the Microsoft initiative to a "2017 version" of the Declaration of the Independence of Cyberspace. When industry and civil society find ways to join hands, there is a chance that they can make a difference. Take the China-U.S. case, for example: now that the two presidents have agreed to carry on the cybersecurity dialogue, the two countries' IT industry leaders, such as GAFA and BAT, and civil society groups should reach out to each other to make sure this dialogue happens in a multistakeholder framework and is not dominated by those who approach the issue through a national security lens. After all, state actors are often willing to compromise on cyber issues for other geopolitical gains. The IT sector and the civil society groups active in the field, however, have the interest and motivation to treat cyberspace as a different domain that nurtures new values, gives birth to creative mechanisms of global governance, and, in turn, enlightens the physical world and traditional mentalities. Written by Peixi (Patrick) Xu, Associate Professor, Communication University of China