2016-09-27T16:02:00-08:00

Search engines drive traffic to a site that is well ranked for the right keyword. According to a recent study carried out by Custora in the USA, search engines — paid and organic — represent close to 50% of e-commerce orders, compared to 20% for direct entry. A dot brand domain has the potential to boost direct entry, as it can be more memorable than traditional domains. Can dot brand domains also be part of a consistent search engine strategy?

In order to have traffic coming in from search engines, it is necessary to achieve a good ranking: the link in the first position of a search engine result page gets 6 times more clicks than the link in the fifth position. It is also important that the site is optimised for the right keyword, with enough search volume. For instance, "domain name" is searched 33,100 times per month on google.com, while "gTLD" is searched 1600 times. Being first on a search for "domain name" would generate approximately 20 times more traffic than being first on "gTLD".

How important are domain names in search?

The Google algorithm is kept secret, and its artificial intelligence enables it to learn from past behaviours and trends. This artificial intelligence enables Google to show a different result page to every user, based on their profile and search history. It is therefore very difficult to have an exact list of the criteria that play a role in search rankings. Many specialists try to decrypt and anticipate the algorithm. Moz.com animates a community of more than 2 million specialists, and every year publishes a list of 90 factors influencing search engine rankings. Every factor is weighted from 1 (meaning the factor has no direct influence) to 10 (meaning that the factor has a strong influence on ranking). Some of these factors do not depend on the keyword. For instance, the number and the quality of inbound links show that a domain is more authoritative, and that it should therefore be ranked better. Some factors depend on the keyword — such as the number of keyword matches in body text. The global study is available here on Moz.

The domain name related factors fall into three main categories:

Factors related to the domain characteristics: These factors include the age of the domain, the time until expiration, the length of the domain, etc. The corresponding influence score varies from 2.45 to 5.37, which means that they have a relatively low influence.

Factors related to the execution of the strategy: These factors are much more important, and they depend on how well the domain name is marketed and operated by the brand. The raw popularity of the domain, i.e. the number of links pointing to the domain, has a weight of 7.15, while the quantity of citations of the domain name across the web is weighted 6.26.

Factors related to the presence of keywords: There are five factors that are directly linked to the presence of the keyword in the domain name, depending on whether it is in the root domain name, in the extension, or an exact match. These factors have a relatively low impact, with a score varying between 2.55 and 5.83, the highest being when the search corresponds to the exact-match root domain name.

Dot brand performance review

In order to check the actual performance of dot brand domains, we performed searches on the brand name and on the second level domain used by the brand. The analysis was performed on the 60 brands that are significantly ranked in the search engine, corresponding to around 250 websites. The full study is available to our members, but here are some of our findings:

Presence of dot brand domains when searching for the brand name: 13% of the searches resulted in a "dot brand" domain name in the first position. Home.cern, group.pictet or engineeringandconstruction.sener are among these domains. 65% of the first result pages included at least one dot brand domain.

Local and global optimization: The Barclays TLD is targeting international customers more than local UK ones: dot barclays is bette[...]
"A group of Democratic U.S. senators on Tuesday demanded that Yahoo Inc (YHOO.O) explain why hackers' theft of user information for half a billion accounts two years ago only came to light last week and lambasted its handling of the breach as 'unacceptable,'" reports Dustin Volz from Washington in Reuters. "The lawmakers said they were 'disturbed' the 2014 intrusion, disclosed by the company on Thursday, was detected so long after the hack occurred. 'This is unacceptable.' The senators have asked Yahoo Chief Executive Officer Marissa Mayer for a timeline of the hack, its discovery and how such a large breach went undetected for so long."
2016-09-27T11:36:00-08:00

Donald Trump vs Hillary Clinton – First Presidential Debate 2016 / Hofstra University NY

The Internet and tech got very little mention last night during the first of three presidential debates. The only notable exception was cybersecurity, where moderator Lester Holt asked: "Our institutions are under cyber attack, and our secrets are being stolen. So my question is, who's behind it? And how do we fight it?" Following are the responses provided to the question by the two candidates:

* * *

Hillary Clinton – Well, I think cyber security, cyber warfare will be one of the biggest challenges facing the next president, because clearly we're facing at this point two different kinds of adversaries. There are the independent hacking groups that do it mostly for commercial reasons to try to steal information that they can use to make money. But increasingly, we are seeing cyber attacks coming from states, organs of states. The most recent and troubling of these has been Russia. There's no doubt now that Russia has used cyber attacks against all kinds of organizations in our country, and I am deeply concerned about this. I know Donald's very praiseworthy of Vladimir Putin, but Putin is playing a really tough, long game here. And one of the things he's done is to let loose cyber attackers to hack into government files, to hack into personal files, hack into the Democratic National Committee. And we recently have learned that, you know, that this is one of their preferred methods of trying to wreak havoc and collect information. We need to make it very clear — whether it's Russia, China, Iran or anybody else — the United States has much greater capacity. And we are not going to sit idly by and permit state actors to go after our information, our private-sector information or our public-sector information. And we're going to have to make it clear that we don't want to use the kinds of tools that we have. We don't want to engage in a different kind of warfare. But we will defend the citizens of this country. And the Russians need to understand that. I think they've been treating it as almost a probing, how far would we go, how much would we do. And that's why I was so — I was so shocked when Donald publicly invited Putin to hack into Americans. That is just unacceptable. It's one of the reasons why 50 national security officials who served in Republican information — in administrations — have said that Donald is unfit to be the commander-in-chief. It's comments like that really worry people who understand the threats that we face.

* * *

Donald Trump – As far as the cyber, I agree to parts of what Secretary Clinton said. We should be better than anybody else, and perhaps we're not. I don't think anybody knows it was Russia that broke into the DNC. She's saying Russia, Russia, Russia, but I don't — maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK? You don't know who broke in to DNC. But what did we learn with DNC? We learned that Bernie Sanders was taken advantage of by your people, by Debbie Wasserman Schultz. Look what happened to her. But Bernie Sanders was taken advantage of. That's what we learned. Now, whether that was Russia, whether that was China, whether it was another country, we don't know, because the truth is, under President Obama we've lost control of things that we used to have control over. We came in with the Internet, we came up with the Internet, and I think Secretary Clinton and myself would agree very much, when you look at what ISIS is doing with the Internet, they're beating us at our own game. ISIS. So we have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He's 10 years old. He has computers. He is so good with these computers, it's unbelievable. The security aspect of cyber is very, very tough. An[...]
"Preserving a Free and Open Internet," is the title of a post published today by Kent Walker, Google's SVP and General Counsel. He writes in part: "Why the IANA Transition Must Move Forward ... Although this is a change in how one technical function of the Internet is governed, it will give innovators and users a greater role in managing the global Internet. And that's a very good thing. The Internet has been built by — and has thrived because of — the companies, civil society activists, technologists, and selfless users around the world who recognized the Internet's power to transform communities and economies. If we want the Internet to have this life-changing impact on everyone in the world, then we need to make sure that the right people are in a position to drive its future growth. This proposal does just that."
2016-09-26T08:01:00-08:00

I noted in last week's essay three kinds of cybersquatting complaints typically filed under ICANN's Uniform Domain Name Dispute Resolution Policy (UDRP). The third (utterly meritless) kind is also filed in federal court under the Anticybersquatting Consumer Protection Act (ACPA). While sanctions for reverse domain name hijacking (RDNH) are available in both regimes, the UDRP's is toothless and the ACPA's is a potent remedy. As a result, claimants who would not dare to file complaints in federal court (or who, if they do dare, lack appreciation of the risk) have no hesitation in maintaining UDRP proceedings.

There is a steady stream of UDRP complaints alleging cybersquatting against registrants whose registrations predate the complainants' trademark rights. While these complainants have standing, they have no actionable claims. If the only risk in filing these complaints is a mild slap on the wrist, then complainants have no disincentive to try their luck in the hope that providers will appoint panelists who either subscribe to the retrospective bad faith theory of liability or find bad faith on renewal of domain registrations. While the retrospective bad faith theory of liability appears to have retreated from panelists' repertory of awards, it emerges in a less toxic form when panelists reject requests for reverse domain name hijacking even where trademarks postdate domain registrations and complaints could not possibly state any actionable claim.

There is a split of view about sanctioning complainants under the UDRP who overreach their rights. This is very different from the view taken by federal judges under the ACPA. The better reasoning for RDNH under the UDRP, where complainants knew or should have known their complaints could not succeed, is to sanction the complainant for abusive use of the proceedings; not appropriate for weak cases, but certainly warranted for meritless ones. This precisely describes trademark owners whose rights postdate domain name registrations. Two decisions from veteran panelists stand out: Nucell, LLC v. Guillaume Pousaz, CAC 101013 (ADR.eu July 7, 2015) and Cyberbit Ltd. v. Mr. Kieran Ambrose, Cyberbit A/S, D2016-0126 (WIPO February 26, 2016). Majority panels that have declined to award RDNH for abuse of process have elicited strong opinions from the concurring/dissenting members on RDNH.

When we move to statutory claims of cybersquatting, we are in a totally different environment. Federal courts have no hesitation in awarding damages for reverse domain name hijacking under the ACPA. Commencing meritless actions is always risky, but the risk is intensified under the ACPA because it expressly grants damages of up to $100,000 per domain name under 15 U.S.C. §1117(d) and attorney's fees where the court finds the case exceptional under 15 U.S.C. §1117(a). Whether plaintiffs can extricate themselves after commencing the action depends in part on the defendant's aggressiveness in objecting to voluntary dismissal. In a Southern District of New York case in 2015, Office Space Solutions, Inc v. Jason Kneen, 15-cv-04941, dismissed with prejudice, the defendant (surprisingly) did not seek damages or attorney's fees. That is unusual and not typical; other complainants have not been so lucky.

The degree of risk is illustrated in Heidi Powell v. Kent Powell and Heidi Powell, 16-cv-02386 (D. AZ) (a direct filing in federal court, not a de novo action following a UDRP award). Plaintiff alleged she is a well-known guru in the health area. When she "attempted to register the domain name www.heidipowell.com" she discovered it was already taken by the defendant, a grandmother whose name happens to be Heidi Powell. The plaintiff "Heidi Powell" was not baptised with that name. It is evident from reading the complaint that plaintiff had no understanding of the risk in filing the complaint. She alleges that "in 2012, well after Heidi Powell had become a public figure, and as part of the logical zone of expansion of her media empire[...]
2016-09-25T11:04:00-08:00

This article was co-authored by GUO Feng, Senior Research Fellow of the China Academy of Information and Communication Technology (CAICT), and JI Yenan, Research Fellow of CAICT.

On August 16, 2016, the US Government announced, in a formal letter to Mr. Göran Marby, President and CEO of the Internet Corporation for Assigned Names and Numbers (ICANN), its intention to transition the stewardship of the Internet Assigned Numbers Authority (IANA) functions to the multistakeholder community upon the expiration of the IANA functions contract on October 1, 2016, barring any significant impediment. This announcement attracted the close attention of the Internet community around the world, including in China.

On August 30, 2016, CAICT, which serves as a China ICT think tank and has long been concerned with and involved in global Internet governance, held a Seminar on IANA Functions Stewardship Transition (referred to as the "IANA transition"), inviting representatives from the China Internet community to discuss topics such as the progress of the IANA transition, its influence on the China Internet community, post-transition developments, and issues of concern for future Internet governance. 16 representatives from government agencies, registries, registrars, industrial organizations, research institutes and universities participated in the seminar.

The participants generally welcomed the progress of the IANA transition. They considered that the IANA transition process had entered a relatively steady stage and estimated that a smooth transition was highly probable at the time of the expiration of the IANA functions contract on September 30. However, some participants expressed concerns about possible problems and risks in the operation of the IANA functions after the transition. They noted that, although the rules and mechanisms for the operation of the IANA functions after the transition have been established, ICANN's newly established Post-Transition IANA (PTI), the new community supervision mechanisms such as the Customer Standing Committee (CSC) and the Root Zone Evolution Review Committee (RZERC), and other mechanisms and organizations related to the IANA functions may go through a long adaptation period after the transition, during which it will be tested and verified whether these mechanisms and organizations can operate with one another stably and effectively.

The participants of the seminar also looked into future developments after the transition. The representative from registries and registrars clearly expressed that ICANN should focus on its main business after the transition in order to provide better services. The business community in China tended to have high expectations of Mr. Göran Marby, the new President and CEO of ICANN, for his practical work style and attitude since taking his post, and hoped that ICANN could initiate the next round of the new generic Top-Level Domain (gTLD) program as soon as possible. Some participants pointed out that some topics, such as human rights, discussed by the CCWG-Accountability Work Stream 2 (WS2) were, to a certain extent, outside the working scope of ICANN as a "technical coordinator" of the DNS, and that their influence on the future operation of ICANN needed to be further observed. Some participants also discussed and expressed their concerns about future issues of Internet governance such as Internet fragmentation, governance of domain name registration data, and development of the new gTLD market.

The participants unanimously expected that, with enhanced capacity building and industrial development, the China Internet community would participate more actively in ICANN processes and play a more important role in ICANN and the global Internet governance arena after the transition. They viewed the recent attempts of some volunteers from the China Internet community taking part in the election as council members of the Generic Names Supporti[...]
"Law Enforcement, Courts Need to Better Understand IP Addresses, Stop Misuse," says EFF in a whitepaper released on Thursday. Legal Fellow Aaron Mackey writes: "[U]se of the IP address alone, without more, can too often result in dangerous, frightening, and resource-wasting police raids based on warrants issued without proper investigation… This paper explains how law enforcement and courts can use IP addresses responsibly in criminal investigations and provides specific suggestions to assist each of them."
— "IP address information isn't the same as physical addresses or license plates that can pinpoint an exact location or identify a particular person. Put simply: there is no uniform way to systematically map physical locations based on IP addresses or create a phone book to look up users of particular IP addresses."
— "The Constitution requires further investigation and corroboration of rumors and anonymous tips before police can rely upon them to establish probable cause authorizing warrants to search homes or arrest individuals. The same should be true of IP address information."
2016-09-23T12:19:00-08:00

As business computing demand explodes and web apps rule the market, moving to the cloud seems unavoidable. But even as cloud services mature, many organizations make costly mistakes — and not all of them are technical in nature. According to Cloud Tech, CIOs are on the front lines: in 72 percent of companies surveyed, chief information officers lead the cloud computing charge. However, adoption without the right information is doomed to fail — here are 10 key questions CIOs should ask before moving operations to the cloud.

INFOGRAPHIC – 10 Questions CIOs Should Ask Before Moving Operations to the Cloud, by SingleHop

What's the Business Benefit?
First, it's critical to identify business benefits. Here the key to success lies in specifics rather than generalities — how will your company leverage cloud resources to benefit existing customers, open new markets or get ahead of competitors?

How Will You Use Cloud Tech?
Cloud solutions are quickly becoming ubiquitous; almost 50 percent of companies store more than half their data in the cloud, 94 percent run at least one cloud app, and 55 percent have some portion of their ERP in the cloud. With so many processes now running off site, it's critical to identify specific use cases or risk cloud sprawl driving up total costs.

Which Solution Is Your Best Fit?
Public, private or hybrid? All three are viable options. Companies are split on the use of public versus private resources, but 75 percent plan to implement a hybrid strategy. Before investing, determine: are you looking for easy resource scaling and lower costs, on-site servers with the benefit of greater control, or a mix of both?

Storage: How Much Is Enough?
Is it better to buy more than you need or purchase "just enough" storage to meet your data needs? Current market trends suggest the latter: while many companies experience 40 to 60 percent growth in storage requirements year over year, datacenters typically see price drops of over 20 percent in the same period. The result? Data provisioning may be your best bet.

Is Your Provider Industry Compliant?
Cloud technology doesn't exist in a vacuum, and leveraging new solutions means partnering with a reliable cloud provider — but not all vendors are created equal. As a result, it's worth asking if your vendor is up to the task of meeting industry-standard compliance regulations — can it handle health data, credit card information or insurance information?

Where Are Your Hidden Costs?
CIOs often pitch cloud computing as a cost-effective alternative to in-house IT. With any cloud service, however — and public clouds especially — you may be on the hook for line items such as data uploads and downloads, disaster recovery or customer support. Make sure your SLA spells out all costs in detail before you sign.

Can Staff Spare Time and Effort?
While going cloud takes much of the burden off in-house IT pros, you still need a way to administer and provision these services. With 32 percent of companies citing lack of resources as their top cloud migration challenge, it's worth asking if your staff can spare the time and effort to handle new tech deployments — for many companies, managed cloud services can help support new cloud initiatives by letting IT pros focus on local tech issues.

What's Your Plan?
The cloud can't guarantee success in isolation; 50 percent of companies moving to the cloud experience business-impacting performance issues because of poor network design. For CIOs this means crafting a plan for success that accounts for existing infrastructure, cloud scale-up and eventual phase-out of legacy solutions.

Do You Need a Pilot Program?
With so many companies shifting to the cloud, it's tempting to dive right in — but ask yourself: could your business benefit from a sandbox pil[...]
2016-09-23T07:07:00-08:00

How many domain names can be included in a single complaint under the Uniform Domain Name Dispute Resolution Policy (UDRP)? Neither the UDRP policy nor its corresponding rules directly address this issue, although the rules state that a "complaint may relate to more than one domain name, provided that the domain names are registered by the same domain-name holder." As I have written before (see "The Efficiency of Large UDRP Complaints"), there are obvious incentives for a trademark owner to include multiple domain names in a complaint. Chief among them: the filing fee per domain name can drop significantly when more than one is included in a complaint.

Cost-Effectiveness

Chart: Average Number of Domain Names per Case

For example, under WIPO's fee schedule, the base filing fee of $1,500 doesn't change even if the complaint includes up to five domain names. Said another way, for a UDRP complaint with one domain name, the filing fee is $1,500 per domain name; but if five domain names are included, the effective filing fee drops to only $300 per domain name. Although the total filing fee increases if a UDRP complaint includes more than five domain names, the effective fee per domain name can be reduced tremendously with large complaints. (WIPO's published fee schedule only addresses complaints with up to 10 domain names, with larger filings incurring a fee "[t]o be decided in consultation with the WIPO Center.")

Filing Trends

As the chart above makes clear, the average number of domain names per complaint (at WIPO) has varied through the years — from one (in 1999, when the first and only UDRP complaint was filed) to 2.39 (in 2013). The largest UDRP complaint ever filed included more than 1,500 domain names. (Disclosure: I represented the complainant in that massive case.) So far in 2016, the average number of domain names per complaint is slightly higher than in 2015 (1.79 v. 1.58), thanks in part to some particularly large filings this year, such as a complaint filed by Jaguar Land Rover Limited for 101 domain names; a complaint filed by Bank of America Corporation for 59 domain names; a complaint filed (and terminated before decision) by Calvin Klein Trademark Trust & Calvin Klein, Inc. for 72 domain names; and a complaint filed by Facebook, Inc. and Instagram, LLC for 46 domain names.

'Same Domain-Name Holder' Confusion

While the UDRP rules' reference to "the same domain-name holder" may at first glance seem to make it clear when it is appropriate to include multiple domain names in a single complaint, in practice the issue can become quite complicated. As Gerald M. Levine has succinctly put it in his book on domain name disputes, "The phrase 'same domain name holder' has been construed liberally to include registrants who are not the same person but circumstances suggest the domain names are controlled by a single entity." Just what these "circumstances" are can sometimes be difficult to decipher, especially when one person or entity provides multiple registrant names for multiple domain names. For example, one UDRP panel wrote (in a case brought by General Electric Company for 17 domain names): "[T]he mere fact of registrants being differently named has, in various previous cases, not prevented a finding that there is one proper Respondent, in circumstances which indicate that the registrants may be regarded as the same entity in effect." The issue of whether multiple domain names are registered by a single "domain-name holder" is especially complicated when privacy or proxy services mask the registrant's true identity.

* * *

In any event, a trademark owner contemplating whether to file a UDRP complaint may find the process more compelling if it can pursue numerous (or even just two) domain names at once and can be well-served by researching connecti[...]
2016-09-22T16:38:00-08:00

"A radical review of cybersecurity in space is needed to avoid potentially catastrophic attacks," warn researchers at the International Security Department of the UK-based think tank Chatham House. The report, titled "Space, the Final Frontier for Cybersecurity?" and released today, is based on a multi-year study led by David Livingstone and Dr. Patricia Lewis. From the report: "The vulnerability of satellites and other space assets to cyberattack is often overlooked in wider discussions of cyberthreats to critical national infrastructure. This is a significant failing, given society's substantial and ever increasing reliance on satellite technologies for navigation, communications, remote sensing, monitoring and the myriad associated applications. Vulnerabilities at the junction of space-based or space-derived capability with cybersecurity cause major national, regional and international security concerns, yet are going unaddressed, apart from in some 'high end' space-based systems. Analysing the intersection between cyber and space security is essential to understanding this non-traditional, evolving security threat."

Further notes include:

— Satellite services are potential targets for a range of cyberthreats, as space supports a growing and increasingly critical level of functionality within national infrastructure across the world, stimulating economic growth. One attack on a key node in the space sector could have the leveraged potential to affect critical national and international capabilities. This dependency on space is not unique to developed states; most countries will have similar vulnerabilities.

— Cyberattacks on satellites can include jamming, spoofing and hacking attacks on communication networks; targeting control systems or mission packages; and attacks on the ground infrastructure such as satellite control centres. Possible cyberthreats against space-based systems include state-to-state and military actions; well-resourced organized criminal elements seeking financial gain; terrorist groups wishing to promote their causes, even up to the catastrophic level of cascading satellite collisions; and individual hackers who want to fanfare their skills.

— There is currently no coherent global organization with regard to cybersecurity in space. Development of a flexible, multilateral space and cybersecurity regime is urgently required.
2016-09-22T15:13:00-08:00

I recently sent a letter to congressional leaders, including Speaker of the House Paul Ryan, House Minority Leader Nancy Pelosi, Senate Majority Leader Mitch McConnell and Senate Minority Leader Harry Reid, expressing the Domain Name Association's support of the U.S. Administration's planned transition of the Internet Assigned Numbers Authority (IANA) to the global multi-stakeholder community under the stewardship of the Internet Corporation for Assigned Names and Numbers (ICANN).

The Domain Name Association is a non-profit association that represents the interests of the domain name industry. There is no industry more impacted by the work of ICANN than ours. Each of our companies relies on ICANN's efficient management of the IANA functions and fair administration of the domain name system's contractual regime. I believe these community-developed proposals will ensure the ability of our industry to thrive, and I encourage you to join us in supporting this necessary and overdue transition.

As the domain name industry's leading business association, we have sought to ensure that:

— ICANN remains independent, free from capture by any entity or group;
— Governments may participate as stakeholders but may not assert undue authority;
— Permission-less innovation remains a prevailing force; and
— ICANN becomes truly accountable to the global Internet community.

Bill Empowers Businesses and Technical Experts; Reinforces Advisory Role of Governments

Our members have devoted countless hours to the lengthy process of preparing for this transition, and we can state with confidence that the IANA transition plan meets our requirements on all counts. Some are raising concerns, particularly stating that by relinquishing the IANA contract, the U.S. will be handing the Internet over to authoritarian regimes. That, simply, will not be the case. In fact, we believe the exact opposite will occur with this transition. The community-developed proposals contain a number of specific provisions that will make government interference at ICANN far less likely and will empower stakeholders to step in should ICANN waver under the outside influence of governments. Our member companies, those in the U.S. and those located elsewhere around the globe, have too much at stake to submit to a change that could empower governments over the policies and arrangements that guide our business. This transition plan empowers businesses and technical experts and properly reinforces the advisory nature of governments.

The Domain Name Association Applauds Congress

The Domain Name Association applauds the oversight role Congress has played throughout the transition. I believe the close attention paid by members and staff has directly led to a sharper product, helping ensure greater stability and accountability at ICANN. Given the success of that oversight, I now ask that Congress acknowledge the will of those impacted the most and allow the transition to occur in a timely manner.

Written by Roy Arbeit, Executive Director at Domain Name Association
2016-09-22T09:16:01-08:00"Yahoo is expected to confirm a massive data breach, impacting hundreds of millions of users," reports Kara Swisher today in Recode: "Yahoo is poised to confirm a massive data breach of its service, according to several sources close to the situation, hacking that has exposed several hundred million user accounts. ... The announcement, which is expected to come this week, also has possible larger implications for the $4.8 billion sale of Yahoo's core business — which is at the core of this hack — to Verizon." — UPDATE: Yahoo has confirmed the massive data breach affecting 500 million accounts. Reported by AP / 22 Sep 2016 — Verizon releases statement this afternoon regarding Yahoo security incident: "Within the last two days, we were notified of Yahoo's security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in a position to further comment." — Yahoo releases official statement: "A recent investigation by Yahoo! Inc. (NASDAQ:YHOO) has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. 
Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network. Yahoo is working closely with law enforcement on this matter." More under: Cyberattack, Cybercrime, Security [...]
2016-09-21T14:33:00-08:00Of all the patently false and ridiculous articles written this month about the obscure IANA transition which has become an issue of leverage in the partisan debate over funding the USG via a Continuing Resolution, this nonsense by Theresa Payton is the most egregiously false and outlandish. As such, it demands a critical, nearly line by line response. * * * Changing who controls the Internet Corporation for Assigned Names and Numbers (ICANN) so close to our presidential election will jeopardize the results of how you vote on Nov. 8 unless Congress stops this changeover. So the first sentence is fairly loaded with nuance. We aren't "changing who controls" ICANN, as much as letting them continue to do what they have been doing for the last 2 decades. The "change" is that they will run the Internet Assigned Numbers Authority (IANA) as a subsidiary instead of as a zero dollar contractor of the US. The Board of Directors of ICANN will continue to "control" ICANN and the ICANN policy community will have greater accountability measures in place to "control" the ICANN Board after the contract expires at midnight September 30th, 2016. But this contract expiration WILL IN NO WAY have anything to do with the US election voting. Nothing, nada, zilch. Pure FUD, totally made up out of thin air. * * * When the calendar hits Sept. 30, a mere 6 weeks before our election, the United States cannot be assured that if any web site is hacked, the responsible party will be held accountable. At the moment, the United States cannot be sure that responsible parties will be held to account for hacking today. ICANN has NOTHING to do with this aspect of cybersecurity, not a damn thing. This is what I call "Beyond the Palin" on Ms. Payton's part, a complete fabrication. * * * We cannot be sure if a web site is valid. Not sure what she means here, but there is nothing that ICANN does or doesn't do in terms of website "validity" that will change after September 30th. 
* * * We cannot be sure if one country is being favored over another. In terms of nation states participating AS nation states inside ICANN's Government Advisory Committee, there is no change that will or will not favor one nation over another. The reality is that the ICANN policy making community is dominated in many ways by American Registries, Registrars and activists. This won't change after Sept 30th. * * * These are all the things ICANN is responsible for and has worked perfectly since the Internet was created. NONE of the things listed above by the author are things that ICANN is responsible for. Not one thing. It is a sheer fabrication! ICANN has patently not worked "perfectly" since the Internet was created. ICANN has been in existence for half of the life of the Internet and has acted in flawed ways over the last 17 years (some due to the existence of the contract about to expire). The reforms that are scheduled to go into effect on October 1 are attempts to fix some of these flaws. * * * Why change it now and so close to the election? Why does that matter to you as a voter? The Internet Naming, Numbering and Standards communities have been working diligently for years on these reforms so this contract CAN expire on Sept 30th. It only matters to voters who consume the fact free rhetoric of certain GOP politicians who SHOULD (if true to small government principles) be in favor of this privatization/contract expiration. * * * Take a look at recent cyber activity as it relates to the election. The Democratic National Convention was breached, compromising the entire party's strategy, donor base, and indeed, national convention. Everything the DNC had done to prepare for a moment four years in the making (if not longer) w[...]
2016-09-21T11:18:00-08:00Harvard Professor Karl Deutsch, the late Nestor of political science, described world history as the "history of side effects". Political actions, according to his theory, always have side effects which go out of control and constitute new history. The history of the Internet is full of side effects. But this time, we could have especially unproductive side effects. A failure of the IANA transition could trigger a process towards a re-nationalization of the borderless cyberspace and Ted Cruz would go into the Internet history books as the "Father of the Internet Fragmentation". The IANA History The battle around the IANA transition meanwhile has a history of its own going back more than 30 years. IANA emerged as a one-man institution of Jon Postel in the 1980s. IANA was never the "controller" of the Internet. It was an "enabler". The IANA database is just like a "phone book" which enables users to find addresses. Postel operated IANA with the help of one assistant under a contract of his Information Sciences Institute (ISI) at the University of Southern California (USC) with DARPA, the advanced research agency of the US Department of Defense. Under this contract the US government authorized the publication of zone files for top level domains in the Internet root server system. This contract expired in 1997 and was extended until 2000. In the early 1990s, after the invention of the world wide web, it became clear that the six gTLDs (.com, .net, .org, .gov, .edu and .mil), which were established in the 1980s, would not be enough. In the middle of the 1990s Postel had his own ideas about how to extend the gTLD namespace. He flirted with the ITU and WIPO, two intergovernmental organizations of the UN system, to launch seven additional new gTLDs via an International Ad Hoc Committee (IAHC). The Clinton administration was not amused; it saw the risk of a fragmentation of the Internet and proposed an alternative route. 
A private not-for-profit corporation with an international board, incorporated under Californian law, was seen as the better alternative. In this model the decision making power would remain in the hands of the non-governmental providers and users of Internet services from the private sector, the technical community and civil society. Governments were put into a "Governmental Advisory Committee" (GAC). ICANN was established in 1998. This model — today known as the multistakeholder model — was a political innovation. The plan to put the management of a critical global virtual resource into the hands of qualified non-governmental stakeholders rocked the traditional mechanisms of international relations. But not everybody was excited. Skeptical voices raised issues of legitimacy and accountability for the new ICANN. And many governments were not happy with the "advisory role" in the GAC. Indeed, when ICANN was established, it was unclear whether this innovation would work. To reduce the risk of a failure, the US government entered into a Memorandum of Understanding with the new ICANN which included the duty for ICANN to report on a regular basis to the National Telecommunications and Information Administration (NTIA) of the US Department of Commerce. Furthermore, the US government transferred the contract with the USC into a contract with ICANN to continue its stewardship role with regard to the IANA service. ICANN was still untested. The original plan was to give ICANN full independence after two years. But even in the high speed Internet world, this was an unrealistic plan. To establish a multistakeholder mechanism is an extremely complex challenge. ICANN made progress from its very first day. But it was progress based on trial and error. And it took much [...]
2016-09-21T10:03:00-08:00Connected devices need a free-to-use infrastructure that allows for innovation beyond the needs of a provider or other intermediary. An interface is best when it disappears and the user can focus on the problem at hand. In the same way, infrastructure is best when it can simply be assumed and becomes invisible. With an invisible infrastructure, as with an invisible interface, a user can concentrate on their tasks and not think about the computer. Dan Bricklin and I chose to implement VisiCalc on personal computers that people could just purchase. This made VisiCalc free to use. The reason the Internet has been so transformative is that it gives us the ability to ignore the "between" and focus on the task at hand or problem we are trying to solve. To use a website all you need to do is open the browser and type the URL (or, often, use an app), and it "just works". We take this for granted now. But when the web first burst onto the scene it seemed like magic. And, amazingly, the web is effectively free-to-use because you pay for the connectivity totally apart from each website or connection. If we are to extend this magic to connected things, aka the Internet of Things, we need to look behind the screen and understand the "why" of this magic. In order to use the web, we just need connectivity. This worked well in local networks such as Ethernets where you can just plug in your computer and connect to any other such computer locally, and thanks to interworking (AKA The Internet) this simplicity was extended to any other connected computer around the world. Today I can connect to the web as I travel by having a cellular account and cadging connectivity here and there after manually signing up to websites (or lying by saying I read through an agree screen) and working past WiFi security perimeters. And we accept that oftentimes we're blocked. 
If we are to truly support an "Internet of Things" we need to assure free-to-use connectivity between any two end points. Achieving this is a matter of technology and economics. To take a simple example: if I'm wearing a heart monitor it needs to be able to send a message to my doctor's monitoring system without having to negotiate for passage. No agree screens or sign-up routines. For this to occur we need what I call Ambient Connectivity — the ability to just assume that we can get connected. This assumption is the same as assuming that we have access to sidewalks, drinkable water and other similar basics all around us. The principal challenge to achieving Ambient Connectivity today is economic. At present we fund the infrastructure we use to communicate in much the same way we paid for railroad trips by paying the rail companies for rides, just as we pay a phone company to carry our speech. For a railroad operator, owning tracks is a necessary expense it bears so that it can sell the rides. It wouldn't make sense to offer rides to places that aren't profitable to the railroad. It doesn't allow you to explore beyond the business needs of the railroad's business model. In this same way the telecommunications company owns wires (or frequencies) so that it can sell (provide) services such as phone calls and "cable". It can't make money on value created outside the network. This is why there is so much emphasis on being in the middle of "M2M" or a machine-to-machine view of connected things and treating them like dumb end points like telephones. With the Internet we create solutions in our computers and devices without depending on the provider to assure the messages reach their correct destination in order. In this sense they are more like automobiles than railroad cars and we need policies mo[...]
2016-09-20T11:07:01-08:00A few days ago I was startled to get an anti-spam challenge from an Earthlink user, to whom I had not written. Challenges are a WKBA (well known bad idea) which I thought had been stamped out, but apparently not. The plan of challenges seems simple enough; they demand that the sender does something to prove he's human that a spammer is unlikely to do. The simplest ones just ask you to respond to the challenge, the worse ones like this one have a variety of complicated hoops they expect you to jump through. What this does, of course, is to outsource the management of your mailbox to people who probably do not share your interests. In this case, I sent a message to a discussion list about church financial management, and the guy sending the challenges is a subscriber. Needless to say, an anti-spam system that challenges messages from mailing lists to which the recipient has subscribed is pretty badly broken, but it's worse than that. On the rare occasions that I get challenges, my goal is to make the challenges go away, so I have two possible responses: If it's in response to mail I didn't send, i.e., they're responding to spam that happens to have a forged From: address in one of my domains, I immediately confirm it. That way, when the guy gets more spam from the forged address, it'll go straight to his inbox without bothering me. Since the vast majority of spam uses forged addresses, this handles the vast majority of the challenges. If it's in response to mail I did send, I don't confirm it, since I generally feel that if it's not important enough for them to read my mail, it's not important enough for me to send any more. In this particular case, I wrote to the manager of the mailing list and encouraged him to suspend the offending subscriber, since if he's sending me challenges, he's sending them to everyone else who posts to the list, too. 
You may have noticed that neither of these is likely to be what the person sending the challenges hoped I would do. But you know, if you give random strangers control over what gets into your inbox, you get what you get. So don't do that. There are plenty of other reasons not to send challenges, notably that many mail systems treat them as "blowback" spam with consequent bad results when the system sending the challenges tries to send other mail, but I'd hope the fundamental foolishness of handing your inbox to strangers would be enough to make it stop. Written by John Levine, Author, Consultant & Speaker. More under: Email, Spam [...]
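The sorting the post describes, a challenge for mail you actually sent versus one provoked by spam with a forged From: in your domain, can be done mechanically by comparing the Message-ID the challenge refers to against your own outbound log. This is an added example, not John Levine's code nor any real challenge/response product; the Auto-Submitted header is standard (RFC 3834), but the subject heuristic, the outbound log and the sample messages are constructed for illustration.

```python
"""Triage incoming challenge/response (C/R) mail against an outbound log."""
import re
from email import message_from_string
from email.message import Message

# Constructed outbound log: Message-IDs this mailbox really sent, and to whom.
SENT_LOG = {
    "<20160920.1234@example.org>": "church-finance@lists.example.net",
}

# Constructed heuristic for C/R subjects ("Please confirm your message...").
CHALLENGE_SUBJECT = re.compile(
    r"(confirm|verify|prove).{0,40}(human|message|sender|you)", re.I)


def referenced_ids(msg: Message) -> set:
    """Collect every Message-ID named in In-Reply-To and References."""
    ids = set()
    for hdr in ("In-Reply-To", "References"):
        for val in msg.get_all(hdr, []):
            ids.update(re.findall(r"<[^>]+>", val))
    return ids


def is_challenge(msg: Message) -> bool:
    """Auto-generated mail (RFC 3834) whose subject asks for confirmation."""
    auto = msg.get("Auto-Submitted", "no").strip().lower() != "no"
    return auto and bool(CHALLENGE_SUBJECT.search(msg.get("Subject", "")))


def classify(raw: str, sent_log=SENT_LOG) -> str:
    """Return 'not_challenge', 'challenge_for_our_mail' or 'backscatter'."""
    msg = message_from_string(raw)
    if not is_challenge(msg):
        return "not_challenge"
    if referenced_ids(msg) & set(sent_log):
        return "challenge_for_our_mail"
    # The challenge cites a Message-ID we never generated (or none at all):
    # the mail it is holding was almost certainly spam with a forged From:.
    return "backscatter"


# Constructed samples.
LEGIT = """\
From: cr-bot@mail.example.com
To: me@example.org
Subject: Please confirm your message to subscriber
Auto-Submitted: auto-replied
In-Reply-To: <20160920.1234@example.org>

Reply to this message to prove you are human.
"""

FORGED = """\
From: cr-bot@mail.example.com
To: me@example.org
Subject: Verify you are a human sender
Auto-Submitted: auto-replied
In-Reply-To: <spam-9f3e@botnet.invalid>

Your message to bob was held pending confirmation.
"""

LIST_POST = """\
From: someone@lists.example.net
To: me@example.org
Subject: Re: budget question

Thanks for the numbers.
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("FORGED", FORGED),
                      ("LIST_POST", LIST_POST)):
        print(f"{name}: {classify(raw)}")
```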
"Sen. Ted Cruz wants to engineer a United States takeover of a key Internet organization, ICANN, in the name of protecting freedom of expression," said Tim Berners-Lee and Daniel Weitzner in an op-ed piece today in the Washington Post: "[T]he misguided call for the United States to exert unilateral control over ICANN does nothing to advance free speech because ICANN, in fact, has no power whatsoever over individual speech online. ... There is no international law or treaty that calls the Internet into existence or forces everyone to use the same standards and technology. Rather, it is a voluntary effort of people around the world. ... ICANN is no 'mini-United Nations.'"
2016-09-19T20:53:00-08:00Bruce Schneier's recent blog post, "Someone is Learning How to Take Down the Internet", reported that the incidence of DDOS attacks is on the rise. And by this he means that these attacks are on the rise both in the number of attacks and the intensity of each attack. A similar observation was made in the Verisign DDOS Trends report for the second quarter of 2015, reporting that DDOS attacks are becoming more sophisticated and persistent in the second quarter of 2016. The Verisign report notes that the average attack size is 17Gbps, with a number of persistent attacks of the order of 100Gbps or greater. The number reported is 75% larger than the comparable period of a year ago. To quote from the report: "Verisign's analysis shows that the attack was launched from a well-distributed botnet of more than 30,000 bots from across the globe with almost half of the attack traffic originating in the United States." The State of the Internet report from Akamai for the second quarter of 2016 paints a disturbingly similar picture: they observed a 129% increase in DDOS attacks over the same period in 2015, with increases in NTP reflection attacks and associated UDP flooding attacks. The obvious question I have when reading these reports is, who is behind these attacks, and why are they doing it? There has been a visible evolution of malice and hostility on the Internet. The earliest recorded event that I can recall is the Morris Worm of November 1988. This was a piece of self-replicating software that operated in a manner similar to many biological viruses — once a host was infected, the host tried to infect other hosts with an exact copy of its own code. The author, Robert Morris, was evidently a curious graduate school student. This was perhaps the first public Internet example of the 'heroic hacker' form of attack, typified by apparently pointless exploits that have no obvious ulterior motive other than flag planting, or other forms of discovery. 
A public declaration that "I was here" appeared to be the motivation that was the primary objective of many of these hacker exploits. However, this situation did not remain so for long. While the task of finding new attack vectors was a challenging task that involved some considerable expertise, it was quickly observed that the level of remediation of previously discovered vulnerabilities was woefully small. As long as the vulnerabilities remained unfixed, the attacks could simply be repeated, and pretty quickly much of this work was packaged into scripts. This resulted in a new wave of attacks typified by so-called 'script kiddies' who ran these attack scripts without detailed knowledge of precisely how they exploited vulnerabilities in host systems. While it's debatable, it appears in retrospect that the motive of the script kiddies was still predominantly flag planting. The next step in this unfortunate story was the introduction of money, and predictably where money flows, crime follows soon after. Script authors rapidly discovered that they could sell their attack scripts, so that what was once a hobby turned into a profession. Equally, potential attackers found that they could turn the threat of an attack into a monetary opportunity: launch a small attack and threaten a larger and more prolonged attack unless the victim paid up. There is no doubt that this criminal component of attack activity persists on the Internet today, but it is increasingly difficult to reconcile the level of expertise and capability that lies behind some of these large scale attacks with criminal activity alone. There is now some [...]
2016-09-19T08:17:00-08:00There are three kinds of UDRP disputes, those that are out-and-out cybersquatting, those that are truly contested, and those that are flat-out overreaching by trademark owners. In the first group are the plain vanilla disputes; sometimes identical with new TLD extensions ( and ; sometimes typosquatting ( and ); other times registering dominant terms of trademarks plus a qualifier ( and ). Respondents in this group have no defensible positions and invariably default in appearance; in essence the registrations are opportunistic and mischievous and clearly in breach of respondents' warranties and representations. This group comprises by far the largest number of defaults, between 85% and 90%. The second group consists of complainants whose trademarks have priority of use in commerce (they have to have priority otherwise there can be no bad faith registration) but either 1) had no reputation in the marketplace when the domain name was registered, 2) parties are located in different markets or countries, so respondents can plausibly deny knowledge of the marks, or 3) the terms are generic or descriptive, thus capable of being independent of any reference to trademark values. Examples are in Circus Belgium v. Domain Administrator, Online Guru Inc., D2016-1208 (WIPO September 5, 2016) (
2016-09-17T11:24:00-08:00As the time ticks away on Senator Cruz's ersatz Doomsday clock, possibly accompanied by the fat sound of Mic Michaeli's analog synthesiser riff, it is easy to dismiss all his arguments as the ravings of a disappointed Cecil Underwood. Some in the ICANN community have described Cruz as a skilled orator. This isn't precisely accurate. He is certainly a competent orator but his outstanding skill is that he is a brilliant courtroom advocate. That is to say, once armed with a brief, he excels at using every barristerial tactic to advance his cause. And you need only look at his professional career outside of politics to realise that he has a razor-sharp analytical mind (in relief and stark contrast to the man who outplayed him to take the Republican Presidential nomination). And, as was demonstrated at the Senate Hearings he called into the transition last week, Senator Cruz is devilishly effective at surgical cross-examination, although, being both centre-forward and referee in this football (soccer) game, it did seem more than a little like he was fishing for trout in a barrel with a twelve bore. Like all honourable witnesses, faced with cross-examination, Göran Marby was open and honest, and when asked if ICANN is bound by the First Amendment answered directly and apothegmatically. Unfortunately Senator Coons, the ranking Democrat didn't really shine in his role as opposing counsel, so we are left with the one-sided abiding view that Senator Cruz wanted to produce, and which is now being retweeted ad nauseam. 
Never mind the fact that ICANN, as a private sector organisation, has never been subject to the First Amendment, and has never had any obligation to respect any of the fundamental rights such as free expression, fair hearing, right to property (including intellectual property) among others; Senator Cruz, as stage-manager of this particular piece of theatre the other day, easily managed to highlight this in a way to suit his own agenda. Many in ICANN have, in the past, been worried that adopting a written commitment to fundamental rights such as free expression may lead ICANN to be obliged to interfere in how domain names are managed by registries (and by ccTLD managers in particular). Such a fear would appear to be completely unfounded, and displays a lack of awareness of the relationship between ccTLDs and ICANN, as well as recent work by the ccTLD community, the GAC and the ICANN Board on interpretation of pre-ICANN policy. Further work is afoot within the ICANN community to produce a future direction for ICANN on fundamental rights. But ICANN's lack of a binding, public commitment to fundamental rights — such as are embodied in the First Amendment, for example — at the time the transition was scheduled for does seem to be an omission; which omission, it appears, might have significantly damaged the chances of the transition succeeding on Oct 1 by giving further ammunition to the opponents of the transition. We have not long to wait to find out how significantly! Nigel Roberts FRSA is Director (Technical & Legal) at CI Domain Registry and one of the co-rapporteurs of the CCWG Human Rights sub-group. This article is a personal view only. Written by Nigel Roberts, CEO at CHANNELISLES.NET. More under: ICANN, Internet Governance, Policy & Regulation [...]