Forum on DNS Abuse
Cartagena, Colombia
9 December 2010

>> For those of you who are here to attend the forum on DNS abuse, we would appreciate it if you could move a little closer to the stage. It makes it a bit difficult for the panelists to know who they're talking to. So if you could move down, it would be greatly appreciated.

>> Hello, everyone. I'd like to introduce our moderator for today's forum on DNS abuse. It's Vanda Scartezini, ICANN board liaison. Vanda?

>>VANDA SCARTEZINI: Hello? Hello? Yeah. Finally. Thank you. Good morning to everybody. Thanks for being in this session with us. What we have today in this session this very day-by-day issue that is in our lives unhappily in this time, you know, causing a lot of problems to the industry, to the users, and that's the idea, to debate a little bit what are the countries facing and some technical issues. We're going to have two small sessions here with three speakers in each one, so we're going to start having some challenges that Colombia has faced, then we're going to have some analysis about phishing cases in Brazil and abuse of DNS. And after that, we have a more technical section about the reputation of DNS. So that's the first part of this session, and the first -- after that, we're going to have some open session for questions and answers, and we'll be glad to take them, and also we have remote participation that personally, as a member of the public participation committee, I'm glad that we can offer this facility to our colleagues that are present today in this session. So to start, we're going to have here Mr. Jeffer, who is a criminal investigator from the criminal investigation department of Interpol in Colombia that will share some challenges that Colombia is facing nowadays in this issue. Mr. Jeffer, the floor is yours.

>>JEFFER RUIZ: Thank you. Buenos dias. Good morning.
Very quickly, we're going to have an overview of the challenges that Colombia is facing today, but you will notice that they are not very different than what we see worldwide. Basically, ICANN as an organization in this case requires from Colombia for being the host country also to say what they face at this moment, and what the strengths are in the research and investigation precisely. So first, we are going to address the challenges. The Colombian police force that is investigating cybercrimes, we have a scale of the top 10 -- or the -- yeah, the top 10 trends that are taking place in Colombia, and you will realize that we are investigating, out of these 10, more than 50% have to do with that report, with that abuse, with that replacement of identities, with that theft of identity in the Web. First, we have theft by e-transfer or e-wire, phishing, pharming, spoofing. I know that our terminology, that you are very well familiar with, and so we are investigating at this moment easy money offer and job offers in the country which are fake or via Internet, through the use of companies' domain names or providers that are not precisely making any requests via Internet but they are doing it to make this replacement on line. We also have the SMS messages, which are short text messages through the telephone companies or providers, and the mobile lines where allegedly great big companies are delivering premiums, prizes, in cash in some occasions, and they also make this replacement of big companies, big corporations in mobile services of large marketplaces, et cetera. This is happening very frequently. The identity replacement or phishing with social networks, profiles in the Internet at the corporate level and at the individual level, on a free level, all of this is taking place, this identity theft. It is also one of the focuses that we are having at this moment. Also, the sale of databases.
Bogota is not alien to pursuing corporate databases through spammers that -- Colombian spammers are gathering all the information of domain names and selling those databases. So we are going to see how is it taking a domain name and stealing it is. Also, spy and data theft is very frequent in the industry for the replacement. Also malware Trojans, Colombian Web sites of critical infrastructure, government, education, that have been hacked, and in their hosting, in their dot com domain in their servers have been -- have had phishing lines hosted which enables Colombian criminals to use them as the phishing platforms. Hacking and sabotage also takes place in Web sites. For example, in the state Web sites. So it is interesting to the coordination and the role that this coordination with the dot com domains plays. And the content crimes have to do with social networks and e-mails that basically have to do with the cyberbullying that is to entrust a bad reputation to individuals, but this is not made in a physical way as it happened in high school or -- but virtually, electronically. And so they are 24 hours a day damaging the good name and the good reputation, et cetera. And also, then, we have grooming which has to do with sexual predators that use Internet and the anonymous names that it offers, pretending they are younger people to obtain sexual encounters with underage people. These are the trends that the national police is currently investigating, and as you can notice, seven or eight of them have to do with this abuse of Internet and with the replacement of the domain as well. Organizations, criminal organizations that have been identified at this moment in Colombia, we can notice that they are organizations with defined roles. Each one of the individuals are -- know how to do their role. 
It's very hard to get to the leaders, to the heads of these organizations because they are anonymous, behind the Internet as a platform, and as investigators, we need to begin with the wikis chain -- with the wikis, because they receive that money from the transfer in some occasions, so we need to begin with the most difficult part. And in some occasions, very, very seldom we get to the leaders of the attacks. The problems and the question that still remains as a problem, because to us it's a problem and for the ordinary citizen we have -- we need more effective communication protocols, fastest connections. Everyone is claiming for that, because -- but we need to make Internet available in a very wide or broadband connection because otherwise -- because this would impede constant attacks. Second problem is storage. People identify three essential components to buy technology: Higher processing, higher speed and higher capacity. One individual with a 500 gigabyte capacity equipment very, very hardly will get to that storage. Very, very hard. And to us, this is a problem because as a national police force, when we seize those elements and we need to analyze those elements in a forensic way, we need to make an exact copy. We can never work on the original. And this entails that we need lots of storage capacity to make those copies and to us this becomes a problem, but to the end user, well, that is the best that can happen. To them, it's a benefit. Also, low prices to access new technologies as from 2007 in Colombia, and anyone interested in purchasing equipment below 1.7 million Colombian pesos will not pay taxes and this opened the market to technology, so for end users this is something good and we find people without studies with good connection have all the tools available to become potential hackers. Because everything is on the Internet. Everything is available on the Internet.
People use the Internet as an information means, but they find other content and they become potential attackers. And the second problems -- or one of the many problems that we face, 980 million illegal files in the networks. This is something very complicated to us to make that legal follow-up, because of crime trends that are a crime in Colombia but not in other countries. So you well know what this means. These are networks that effectively here we have detected that they offer a service, an exchange file service, that are being used to find vulnerable equipment and submit them to botnets and we have plenty of equipment in Colombia that have been submitted to this botnet. DNS attacks. We are not alien to this. At this moment, this is a clear example in the national registry where the elections for the president took place. It was precisely attacked on the very same day of the election. Colombia is not alien to this kind of attack, of hacking. Our Web site was used for phishing in one opportunity, so we need to struggle, we need to fight against this. These are domains, dot gov, dot -- these are the pages that crime or cybercriminals attack most frequently. I could provide over hundreds of examples at this moment of what we are currently doing for this kind of investigation. Phishing and spoofing is a very simple example. I review it at -- because of so many pages available on the Internet. And you can see on the top the e-mail address, Cartagena2010@ICANN, and it doesn't exist. I made it up at the moment of replacing. I sent it to my corporate account, an e-mail with a link that obviously would send me -- or redirect me to another part with a photograph that could have a malicious code. There's nothing we can do against it, so if somebody's trying to identify if this is real -- something real or a replacement, so we should look at the whole heading. And because of the cultural matter, we don't do that.
We only review the headings in order to determine what is real and what is fake. And in this e-mail and the free e-mail, it's not identified if there is malware there, and that NIC is going to take me to a phishing site and the attachment could include malware and we are fighting against this, basically. It's a war that -- an endless war, and what do criminal hackers need? They want information. If we take a look at the picture, if you received this e-mail where it says that if, at this moment, you do not resend this e-mail your 15 main topics are going to be there next to your bed. I will do that. This is what they basically do to obtain that information of your 15 main contacts, because it's very impressive or -- because they personalize this kind of e-mail so people open this kind of e-mail indiscriminately of phishing, spoofing, et cetera. The strength that the Colombian national police force has at this moment was -- became effective two years ago with the I.T. Act for Crimes. We had only two years ago one single article in the criminal code to criminalize this kind of crimes, but now we have 10 different criminal categories: Access abuse, I.T. system, so that you can have an idea of what these articles undertake. 10 articles: illegitimate hindering of I.T. system, interception of I.T. data. I mean, they are very broad in order to fill the technological gap, and so we cannot say that this is obsolete from five years from now. Just informatic or I.T. damage, malicious malware, violation of personal data, replacement of Web sites to capture personal data. There are some aggravating circumstances when that replacement is made on critical infrastructure. This is one of the aggravations for these crimes. And two, connected with the financial, which is to do with theft and non-consented transfers of assets.
We have 10 new criminal categories with a penalty of at least four years in prison meant, and this is a strength that we currently have and it did -- that did not exist two years ago. And they became effective on January 5, 2009. In the same way, we have two articles in the criminal code of procedure to recover Internet information through other technological means to produce equivalent effects. So all electronic devices have the power to make the seizure and the analysis and the -- also anything that could be seized from the transfer of files via the Internet. That is where the dot CO domain plays a significant role, because we need that cooperation, that international cooperation, and we will find places, sites, that will be launched anywhere worldwide. And we have another article that enables e-mails, telex, telefax as evidence. Even though this is intangible, we can use this as evidence for a trial, for example. And a Web site that is -- at this moment works as a platform with an interactive chat so that any citizen, companies, and financial entities, when they are victims of hacking, they can immediately report it to us and we can make the follow-up. Or be the first respondent and tackle in a very fast way. What are the challenges for 2011, 2012? To have the coverage, the technological coverage total, country-wise, with the 44 main cities in the country, with 8 I.T. -- forensic I.T. labs on a national level.
We now have five in place in Medellín, Barranquilla, Cali, Bucaramanga, and Bogota, and centrally, we have the investigation, the criminal investigation left, and internationally we are working with the working group of Latin America for technological crimes and we also participate with the Ibero-American forum of cyberpolice to have an on-line forum to file a complaint, and let the individual use this on line and provide the first response and also the creation of the cold CERT, something that we've been working from 2008 to provide response to cyberattacks and you can also see the address, cybernetica policia. That is a unit. We talk about a national or a domestic address with a platform for everything connected with child pornography. Those are our challenges for 2011, 2012. And also to process digital evidence. We have no problems with physical evidence and we are strongly working to make processing of the evidence on a digital side of cloud computing, which is the information on the Internet and that is where we are addressing nationally now. Anything that may be available physically, if it is intangible, we can make it available as well. Our contact information. We are going to provide them in the presentation, and that is all we wanted to say. Thank you very much.

[ Applause ]

>>VANDA SCARTEZINI: Thank you. As he said, we are going to continue now with the presentation by Cristine Hoepers. Cristine is with the Computer Emergency Response Team from Brazil. And Cristine, please, she is talking about the DNS abuse and phishing cases. Cristine, please, the floor is yours.

>>CRISTINE HOEPERS: Okay. Thank you, Vanda. I will talk a little bit about the phishing cases we handled in Brazil this year. So CERT.br is a national CSIRT for Brazil, so we handle all the incidents and computer security incidents related to Brazilian matters.
The data I'll be talking here is basically from complaints we received about phishing cases hosted in Brazil or hosted abroad affecting Brazilian brands and Brazilian banks or e-commerce sites or other institutions that are being targeted by phishing. And in this year, we received a total of seven- -- a little bit more than 7,000 complaints. This means not e-mails complaining, but exactly about URLs that were new to us that were hosting phishing sites. So this is not -- here I don't have statistics about malware because these were handled as different statistics, so I'm not talking about URLs hosting malware. I'm only talking about URLs hosting fake Web pages and content relating to phishing attacks themselves. Most of the attacks, they were targeting Brazilian brands that were complaining to us and cc'ing us to help take down the content, but we received almost 2,000 complaints about international brands that had some phishing cases hosted in Brazil. And what we see is that there is no one-to-one rule or any connection between IPs and domain names and ccTLDs. We have all the cases basically just spread all over the world. We had more than 68 countries that were hosting those contents, so we get the IP location data from the regional Internet registries data, so we are just getting to each country where those IPs were located. What we see is we have a total of 92 ccTLDs, so there are a lot of domains that are not exactly like being hosted at IPs at the same country where the ccTLD is, so the abuse of a ccTLD is not related directly to where the content is located according to IP addresses. And we had like 10 gTLDs involved this year in phishing attacks. And we still have a pretty significant number of phishing cases -- that's 500, a little bit more -- that are just hosted in IP addresses. There is no domain name at all. One of the things talking about IP allocations, of course people from all over the world, they just complain to us about things hosted in Brazil. 
So most of the people that complain about something hosted in Brazil, we receive that, so this is roughly 35%. But most of the cases affecting Brazilian brands are hosted in the U.S., and if you look at the table on the right, you can see that the AS -- the autonomous systems -- involved in hosting this are basically hosting companies. So when we go to these hosting companies, it's not like the criminals are actually paying for the services. They are most -- most of the times they are just compromising Web sites that are being hosted in big data centers. So what we are seeing is that there are a lot of data centers in U.S. and a lot in Brazil and in some other countries, too, but they are not really the biggest majority. So it's very spread. Mainly where they can find vulnerable Web applications, they just compromise the sites and put the data on line. But getting into the data about DNS abuse, what we were seeing, we had domains used for hosting phishing in 10 gTLDs. The majority was dot com, so it's also the majority of domains that we have in gTLDs, but if you go to -- we dig into how many of those almost 2,000 domains were actually created for phishing, like with the name of a brand or name of a bank, that is just 80. That's not really the biggest majority that we are seeing. We are seeing that most are just like domains that are hosting content that are being compromised, the Web site, and then they host the phishing in a sub-domain or in a URL in the main Web page, so this is mostly what we are seeing. And we saw also created domains just in dot com, dot net, dot org, info, and biz, so this is where it's going. 
But although it is a low number, one of the problems that we have is how to contact the registrar or the reseller and try to explain to them that that is actually a domain that's being used for phishing, and so what we see is that sometimes those domains they last for a few weeks and they change IP addresses, because most of the time it's just that they don't understand. They don't know whether the brand's affecting Brazil, they don't know exactly who we are and what we are talking, so mainly it's a communication problem with people that are actually registering the domains for them to get the domain down and to take some action into that. And if we go to ccTLDs, the numbers are not too different from the ccTLDs -- from the gTLDs. We have a lot of complaints in dot br, but basically they are a lot of complaints of Brazilian sites compromised by people abroad and hosting phishing in Brazil, so we were looking at how many domains were created in dot br that were actually related to brands or campaigns, and those were 53, and they basically were just created and taken down in the same day because our process is very quick from how to do that. I was talking to people there. We saw an interesting thing that Italy, Russia, and France, they had a lot of domains that I will say like they had brands in it but they were all in a free hosting service. So a free hosting service was actually attracting more than actually someone registering the domain. So it was not a domain registered but they were abusing free hosting in those ccTLDs to create pages and names that actually look like names of the brands. And another thing that we are seeing that is really increasing is the abuse of those short URL services for phishing attacks, and basically because the end users don't know exactly where the URL begins and where you start having like directories for them, everything that just starts with bank.com.br is basically their bank.
So they don't understand that if you have -- a dot is not the same as if you have a slash. So it's basically it's how to understand the domain name. So what we are seeing is like the bit.ly, the path.to, tiny.cc -- the migre.me is a word in Portuguese that would say like "migrate me," so put me somewhere else. So those are very popular services. But basically they're just abusing the understanding of the end user. And talking more about the abuse of the DNS infrastructure per se, I would say that we are not receiving reports of DNS cache poisoning. That doesn't exactly mean that they are not happening. Probably they are, of some sort. But what we are seeing is that at least in Brazil, attackers are still very focused on delivering malware that alters the hosts file of the end user machine. So I wouldn't call that a cache poisoning because you're not actually caching -- poisoning the cache. You are just like changing their file and preventing the user from actually going to the Internet infrastructure. And the other thing is that most of the times when we see a recursive DNS server actually serving wrong answers, you had someone actually compromising that server. You can see that response is authoritative, that you actually have someone putting a zone file in there and controlling very well when that zone file is up and when it's not. And usually it goes for, like, weekends or during the night. That's the time that you don't have, like, operators taking care and looking. It's very easy, for example, for investigators to go in there because then they make the queries and know it's responding okay. So then when they investigate fraud of the client the zone is not up anymore. So there is a lot of confusion in the investigation process. So basically this is what's being used for crime.
Something that's not really related, just an end comment for abuse of DNS for crime or phishing or the abuse of DNS, but we are seeing a lot, is this TLD abuse of open recursive DNS servers for DDoS attacks. So this is not related to creating domains, per se, but actually abusing poor configured machines to create DDoS attacks. So basically, this is my -- some data I have on the trends. Thank you.

[ Applause ]

>>VANDA SCARTEZINI: Thank you, Cristine. We come back with some questions later. So now we're going to have João Damas. João is from ISC. João, the floor is yours.

>>JOÃO DAMAS: Thank you very much, Vanda. I am going to spend a few minutes talking about reputational DNS, explain what it is about. Can we get the next slide, please. Silly me. Sorry about that. So everyone is probably familiar with the concept of DNS reputation as applied to e-mail services where you subscribe, or not as you choose, to databases of hosts that you should be accepting, or not, e-mail from, and that is delivered to your mail server by the DNS. This has been around for a while. It's also been applied to recursive DNS in specialized code at some ISPs. What's new with reputational DNS now is the announcement we did in late July about response policy zones, what we call response policy zones, which is basically a common framework for the exchange of DNS reputation information to nameservers. At the bottom there you will see a link, it's a bit gray, hard to read, but the presentation is uploaded to the site. There's a blog entry by Paul Vixie explaining a little bit of what the goal here is and how we are going to go about it. So briefly, what is RPZ, the response policy zones? It's DNS policy information inside the DNS itself. It's an open common mechanism that allows producers of domain reputation data and consumers of that data to cooperate in the application of that as policy in the recursive nameservers that you have access to. And it does this in real time.
So you will be affecting, altering or modifying the stream of recursive DNS lookups at your recursive server in real time. So basically it turns DNS server into one more very powerful policy tool. Examples of what you could use this for. Well, for instance, you can use this to block or redirect malicious sites to wherever you want. Block the ability of bots to find the command & control if that address becomes known. You could quarantine infected clients to make them more aware of the situation that they are and how to possibly fix their problems, help them, instead of propagating the problem further. And of course the DNS is flexible enough to also carry IP for IPv6 information. That was it. It's a very simple mechanism. The idea is not entirely new. It's very parallel to what we are doing these days in SMTP; it's just that it applies to DNS and it applies to recursive servers in real time. It provides an initial tool. We can discuss these later. I think the overview is quite enough for now. If you have any questions, we can take them. Thank you.

>>VANDA SCARTEZINI: Okay. Thank you. So let's open the floor for questions. And I'll start to ask Margie if there is some feedback from the remote participation. No? If not, the floor is open. Is there any question from people? Please identify yourself for the scribes.

>>SCOTT PINZON: Hello, I am Scott Pinzon, part of ICANN staff. I think the idea of reputational DNS is fascinating. I'm curious to find out how the system would handle false positives so that someone who may look shady from a DNS perspective, such as a legitimate mass mailer or something, doesn't wind up getting identified as -- or blocked.

>>JOÃO DAMAS: Well, whenever you use reputational data, the source of the data is very important; right? Just like it is when you apply it through e-mail. So in the case of false positives, if one gets through, for whatever reason, what you'd probably be seeing is a block. And the block would occur at the ISP level.
So if it is, in fact, a false positive, the ISP then has the power within reach of his own tools to alter that behavior without having to wait, necessarily, to get the information amended at the source. There will be mistakes, like with anything. There's no way around it. Here the thing you have to think about, I think, is cost/benefit. What do you get? How much trouble can you avoid versus how much trouble you are potentially going to create. But it does put control into the hands of the ISP, which is usually the organization that's closer to the customer; right? And has a direct relationship with the customer. So I think it's a more effective place to be than if the information is being -- or the action is being controlled by an organization that is (inaudible).

>>SCOTT PINZON: Thank you. And one little follow-up. Is it possible to estimate at this time what level of monitoring it would require from ISPs, for example? It wouldn't be a full-time job for someone, I'm assuming, or would it?

>>JOÃO DAMAS: No. We don't -- I don't think anyone anticipates this to be a full-time job for anyone. It will be one more item that the ISPs will be adding to their regular operations. But again, it depends on how good or not so good the reputation -- the source of reputation information is; right? That's a crucial part. The better it gets, the less trouble it causes, and the happier everyone is.

>>SCOTT PINZON: Thank you very much.

>>ROD RASMUSSEN: Rod Rasmussen with Internet Identity. Two things. I wanted to follow up on the RPZ question there, because actually we're implementing RPZ reputation publishing that kind of data for blocking or sinkholing or what have you. On the question that was just asked, there actually is a start of authority record possibility for showing the source of the list data. So if there's a false positive, you can actually track it back to the organization that published it in the first place.
So there's a way of actually -- if you're an end user that thinks that you have been blocked inappropriately, you can actually figure out who is blocking you and contact them directly. So it's a very powerful thing. I had a question or a comment or what have you on the information that Cristine brought up on the hacking of recursive name servers and hosts file exploits on the user/end-user PC. We had a big session on DNSSEC yesterday. I believe, somebody can correct me if I'm wrong here, DNSSEC would not help in either of those cases because you have control of the hosts file on a computer that would never reach out and check the DNS record, and even on the recursive server, if you control what it's doing, it would not get the DNSSEC record either. So that, unfortunately, DNSSEC doesn't really cover those possibilities. Can I get a comment on that or just a confirmation on that?

>>CRISTINE HOEPERS: I'll just confirm, yeah. That's one of the biggest problems that we have in that. It doesn't matter what you do. You just lose control. So even if you have, like, a reputation service, it doesn't matter because the user is compromised. If you are using DNSSEC, even the intruder could sign with DNSSEC in your own recursive and kind of show that that is signed, because you never reach the bank or the Mastercard or whatever that's being faked. So it's really a big problem, because DNSSEC doesn't cover exactly that. And that's what we are seeing in Brazil, is the major problem is the hosts file and the end user. It's not really -- compromises of the zones happen two times in big providers, so that was a big impact, but then actually most of them, ours, is just like day-to-day for them. It's just go there, put the zone file and the hosts file, and they block everything. AVs. And sometimes they don't even -- they have a look-back for, like, Google DNS or something like that. So you can never reach other things because they actually put hundreds of files in there.
>>ROD RASMUSSEN: Just a follow up on that. Are you seeing any malware that's doing a -- basically replacing the recursive servers with basically criminal recursive servers instead of the ones that the ISP would provide? Because we see that in other locales.

>>CRISTINE HOEPERS: No, we haven't seen that. That could be possible, but we haven't seen. We see that they are even, like, changing the addresses of the big hosting service because they want to get your user name and password to host phishing in the hosting site, so they are really using the hosts file to do all the types of man-in-the-middle, or something like that, with attacks.

>>JOÃO DAMAS: It's certainly possible. It's not too hard to write and embed a lightweight resolver in any piece of software like this. They already do things that are a lot more sophisticated than that. And libraries that allow you to build resolvers are very easy. I haven't seen any that does this yet, but it's just a matter of time, I think. And I just wanted to add something to your question about DNSSEC. DNSSEC does what it does very well, but it's definitely not the cure for world hunger; right? It protects the information in transit between -- from the source to the consumer. And that it does very well. If the information that's injected in the system is not valid, or the consumer is not behaving -- or its behavior has been altered, then you are out of luck. That's outside of what DNSSEC protects.

>>ROD RASMUSSEN: It wasn't a criticism of DNSSEC. I was just trying to point out that it doesn't solve that problem and some people might assume that it does. Thanks.

>>TONY HARRIS: My question is for Mr. Ruiz so I will make it in Spanish. I'm Anthony Harris, I am the executive director of the Argentine Internet Chamber. We operate in the Internet exchange in Argentina connection, and we are also in the process of implementing a CSIRT; that is, a cert for the private sector.
What we have been hearing from the technology providers in cybercrimes is that the key problem, the key issue is that the ignorance, the lack of knowledge in general of the end user with respect to anything that may happen just for being online. For example, they spoke about hundreds of thousands of PCs hacked, infected by the cyber hackers. Nobody is aware of that. And it seems that it would take, according to their explanation, a very intensive awareness and training campaign for users, at comprehensive level. So my question is if you have faced this aspect in Colombia and what your opinion is about it.

>>JEFFER RUIZ: Yes, in fact, as I mentioned before, this is happening worldwide. I think that no country is alien to this. The issue we tackle is for the user to have a PC and a connection, and it seems enough. I mean, learning, training, they need to begin to use it, and the easier the operating system is, the better. And fighting against this is something cultural, social. It's very hard. As national police, we are unable to make it, but companies affected -- for example, the financial sector -- in fact, they are making strong advertising investments to make these trends aware. Like saying do not provide information if somebody asks for your data on the Internet or via e-mail. We would not be able to make it because we could create economic panic in the financial sector. Do not use virtual financial portals. That is not something we can make. We try to provide the statistics that say this is a trend that is taking place in Colombia or in any other place in the world. We could be victims and be involved. And the national administration from this year is strongly working and making a very significant investment in advertising to make all these trends known. And we look forward that with the consolidation of our CERT we will also be able to materialize that information and make that information massive. We are also working in that. We are making it.
Thank you very much. >>JORDI AGUILA: Well, my question is also addressed to you, Mr. Ruiz. I am Jordi Aguila. I am the founder of La Caixa, that is the first saving bank of Spain. On the Board of Directors of FIRST and of the working group. And in Europe, we have seen the need to create intelligent exchange networks between the banking sector and the law enforcement to face the most complicated challenges, not only phishing but hackers that are oriented to attack critical infrastructures that, for example, are very important to the countries of the European Union and to the union itself. So I just was wondering if there are similar initiatives in America, in Latin America in place for the creation of intelligence networks on a pre-routed basis for the exchange of intelligence against the attack that the private sector suffers and the enforcement and the police or the individuals that are devoted to the national defense. >>JEFFER RUIZ: Thank you. Yes. In fact, this is something we're currently working on. We are working with the embassies to sign mutual legal assistance agreements with different government agencies for that approach. We are fully available, and we are also to enforce our law 24/7 for the exchange through the Interpol office and have a very fast exchange and a full cooperation to get that volatile evidence with any ISP or dot CO domain that could otherwise be quickly lost. So we are fully available and we are currently working on that. We are open to any request, and we are pursuing those agreements through the learn working group and through different stages. Thank you very much. >> I also know that Brazil has a strong protection group with the police force. They are strongly connected with the Mercosur, that is the southern common market, with the United States and with Europe. And I think that with the whole Latin American continent. And they are exchanging opinions and information on security. 
And so we held a session short ago, and this was the most important session on international cooperation. Thank you very much. >> If I may take advantage to ask Margie if there is anybody else. So if you let me, I will ask to Mr. Jeffer about the act, the law. Because we are all working. The recent act, law in Brazil that is still a bill in the Congress, but a very significant fact is that we are really struggling if there is anything in your law, bill, for the information about the ISP, how to retrieve that information, how long that is going to take. If you have information, I would be pleased to know about it. >>JEFFER RUIZ: In this moment, as there is information and data protection act and another law that was recently enacted that is the AV data law that defines what information is private and what information is public. And everything regarding the companies that store that information and how to provide that information. As investigators of cybercrime, in order to have access to that information of ISPs, we need a prior consent of guaranteed judge to request that information. So all of this is included in that AVS data law that protects the holders. So this is not public unless a judge allows me access to that information. The Ministry of the LASTIC (phonetic) is working on the amendment of this act, and we have a telecommunication act. But that act is more focused to telephony, and the Internet side is still behind. So the progress we have seen in telecommunications is focused now on the Internet and we are working to regulate and have that information available. Information is available, then, but we have not still accomplished to know for how long this information will be and when it will be provided. We received the information subject to reviews and controls regarding people's or individuals' privacy and the timelines, but we have not still enacted a law to let us know for how long that information should be stored in order to provide it. 
And so we are currently working on that. We don't know the timelines but information is available. >>VANDA SCARTEZINI: Thank you. (dropped audio) part of this meeting. And I would like to thank all the speakers. [ Applause ] >>VANDA SCARTEZINI: And I will call Jacqueline Morris, that's the next moderator of the second part of the session. From my side, thank you very much for your attention, and let's continue. Jacqueline, please. >>JACQUELINE MORRIS: Hi, everyone. My name is Jacqueline Morris. I will be moderating this session. This portion of the panel is about the SSAC's registrants guide to protecting domain registration accounts. We have Richard Wilhelm from Network Solutions and the SSAC who will take us through that guide, and then we have some reactions from Evan Leibovitch from the ALAC and the at-large group, and from Matt Serlin from MarkMonitor. So I guess Rick, will you take it away. >>RICK WILHELM: Thank you very much. Throw the slides up. So the SSAC is the -- is ICANN's Security and Stability Advisory Committee and it's a group of technical experts from all over the globe that advise the board on security matters. And so we undertake various projects. And this was one of the ones we took under, and it's about advising registrants about what they need to do to protect their registration accounts. It's a follow on to an essay paper that was written by the SSAC called SAC040 and that was more targeted for registrars. And it came about after there were a few high-profile account compromises that resulted in various high-profile registrants losing control of their domain names. And those having sort of bad things happen, if you will. So we set about doing this to really kind of point this more at registrants themselves. 
And in this paper, we go over and we spent some time looking at the threat landscape, and then we talk about what registrants should be doing when they're -- as registrant account holders to help them protect their data, and then we provide folks some guidance on how to go about some questions they can ask about choosing a registrar. Because there is a lot of choice in the marketplace, and different registrars fill different areas of that marketplace. So the paper was published within the last month or so, and there's a URL for it up on the ICANN Web site under this section. I mercifully do not have that URL memorized, so I won't try and make the moderator put it into the transcript. So it's about 30 pages or so. And you can read about that at your leisure on the plane ride home. So the first thing that we talk about in this paper is we go over the threat landscape. And it's sort of the biggest and most obvious threat is just losing control of your account credentials; right? You have a password, and someone compromises it, they guess it, or you have it written down somewhere or maybe someone runs a password cracker against it, and your account credentials can just get lost. And sort of if this happens, if you're lucky, the thing that they will do is change your password and try and lock you out, because that's actually -- if they do that, that's actually a good thing because then you will probably find out about it. More sinister things that can happen is they can go and start changing your DNS or change your contact info, move your DNS around on the Internet, and it could keep -- everything could keep working fine, and then one day you could wake up and try to go renew your name, or perhaps you had it set on auto renew, and lo and behold, you find out your name is not renewed and some things have happened that you have lost control of the name. 
And then you sort of are sort of in a world of hurt, I guess would you say, because perhaps your e-mail is not working, perhaps your Web site is down, or perhaps it's, more importantly, depending on your business, might be an e-commerce company, and some other people can do things to damage your online reputation. And these threats are changing and evolving constantly, even actually as we were writing the paper things were changing about. So what can you do as a registrant? Well, the sort of obvious thing is, you know, choose strong passwords and everybody kind of knows about that. But one of the things that we identify in the paper is that, really, folks should be using the communications that they get on a schedule from their registrars as a way to help ascertain that they are still, in fact, control of the name. That the registrar still believes you are in control of the name and that's why they are sending you the e-mail. So consequently, it kind of runs counter to some people's intuition, which is oh, these e-mails from my registrar are just spam so I want to unsubscribe from all their lists. We are encouraging people to look hard at that perhaps knee-jerk reaction and consider maintaining some of those subscriptions such that you can identify important correspondence from your registrar as being a signal that you are still in control of the name. Maintaining ownership proof. Everybody is sort of used to printing out receipts and things like that when they are having paperwork for an important purchase. Like you probably know where the title is for your car. But one of the things that we have identified is that maintaining proof of ownership in the form of receipts from your registrar purchase and things like that is important when you get involved with a dispute. You want to have that in a safe and secure location. But more importantly, a known location that you can access it quickly and without scrambling around. 
Because if you lose control of your name, and someone takes the e-mail, your e-mail away from you, you are likely going to be in a hurry to get it back. And that is probably not the time to go rooting through that stack of paper that's on your credenza. Well, maybe Matt might be more organized, but I certainly have a stack of paper on my credenza. And so maintaining those in an organized fashion just like you do the title of your car is very useful. We also talk about diversifying points of contact and implementing change controls. In larger companies, these are sort of standard things that companies do. They're used to setting up mechanisms whereby when someone leaves the company or by when there's changes being made, that there are processes and controls around these things. We are really encouraging registrants of all sizes to adopt some of these processes. And you may not need -- a lot of bigger companies have big change control systems and very complicated sorts of things. You don't need all those sorts of big systems to do a passable job at doing change control around, for example, when someone leaves your company, you're already pretty good at making sure they don't get paid. That's sort of a typical thing that people do when they leave their company. But you also should be looking at, Does this person have control of any domain names or any registrant accounts and how do we keep those in the hands of the company itself as opposed to in the hands of individuals. I know I have been personally involved in a number of disputes at our company -- not "involved," but sort of helping to resolve -- and probably Matt has, too -- where names are registered by an individual at the company and then that person sort of takes the names away from the company, almost treating them like a personal asset. And this can cause a lot of companies great distress, and it can lead to a fair bit of litigation. 
And then we also talk about encouraging users to be proactive in their monitoring, in other words, not waiting for something bad to happen before you actually go and check. So you can go and monitor the WHOIS and the DNS. And if you are -- a programmer can do this sort of stuff pretty simply. But there are also free services on the Web and also companies that will monitor these things for you for a fee. We encourage people to look at what their contact data looks like, their name servers, how they are configured, see when was the last time that your domain data was changed. Sort of like if you log in an online banking, at least when I log in on my accounts, you see a thing at the top that says, "You last logged in on this date." And it might even give you a geo location of the IP address where you logged in from. That sort of thing can be a good reminder to help people understand when and where they were, to make sure their account wasn't compromised and someone sort of logging in from some bad place at an oh-dark-thirty in the morning. So account protective measures. Oops, red is down. Green is go. There we go. So -- and then, lastly, as you are looking at prospective registrars, we give -- we offer a list of questions that you can ask registrars because there are a wide variety of them. And you can ask them things about their security measures. You can do research about their reputation, talk to some of their other customers because your relationship with a registrar is very important because these domain names that you have in your account are very important assets to your business or to your personal -- to your personal life. So I think that's the last of my slides here. And so I don't know how we're doing this next. So I will just turn it back. >>JACQUELINE MORRIS: Okay, thanks a lot. Let's see. Evan, if you want to talk about the user perspective. >>EVAN LEIBOVITCH: Okay. Good morning. 
I didn't bring any slides with me, so you're going to have to listen to me. Sorry. I'm coming in from At-large, which means I have the perspective supposedly of the Internet end user. And also in my day job, I'm involved with consulting services to small businesses. I also work with a major university in Toronto. And so I'll give some of the perspective I have from them. For friends, family and myself, I manage a portfolio of a whopping 17 domains. That makes me a domainer in their eyes, but probably a speck of dust in the world of domainers. So I'm comfortably in the middle, I guess. What I would just like to do, first of all, is congratulate Richard and the SSAC on the document. I've read it. It is in plain English. I really hope that every single registrar puts it on their Web site along with their Internet 101 that they give to their customers or make available. It really should be required reading. It is a really, really good piece of consumer self-education that I really -- I like the language of it. It's clear. It is understandable, and I would really -- to any registrars in the room, please put this on your Web site. It is going to make your registrants more educated and smarter, and that's going to be good all around. Some of the stuff that -- you know, the obvious things -- I'm not going to repeat what Richard said. I'm just going to offer perhaps a couple of extra tidbits, one of which is to encourage registrants to be very, very familiar with the particular dashboard of the registrar they are using. That's something that will help them manage things like auto renewal. That will help them make sure that they have got good, clean contact information and can also make sure that they are notified if anyone tries to make any kind of modification, you know, along with the geo location that you mentioned and so on. But that dashboard differs, of course, from registrar to registrar. 
And I would just simply want to put out as a piece of best practice, please, to make sure people are very familiar with whatever particular software that a registrar is using or has developed internally. The other thing to keep in mind is that a lot of registrants, when they first go in, especially individuals in small businesses, don't realize that a domain has multiple contact links, not just one. So there's an owner; and depending on the TLD, there will be a technical contact, an admin contact, a billing contact and so on. A lot of people don't take advantage of this and they really should. I'll give the main concrete example, is actually one that was raised yesterday in a session of, I think, a restaurant in Colombia that got a Web designer to do a sort of all-in-one package and the Web design was really good and the Web site was really good. And then they went into the WHOIS and they saw the owner's name was registered to the Web designer. The person making the presentation thought that was a good thing in terms of an all-in-one solution. I was bothered by that because if you have a technical contact, most TLDs have a place for the technical contact. But that is not the same as the owner of the domain. And if there is any kind of a dispute between the owner of the domain and the service provider, be it a Web designer or hosting provider or anything like that, it is really important that the owner of the domain assert that ownership and make sure they're listed as the main owner. Another instance where I have run into this is hosting services that say if you host with us for so long, you get your domain for free. Then they turn around and realize the hosting service has maintained ownership on the domain. So if the company wants to go to a different hosting service, they can't necessarily take the domain with them. 
It is one thing to port your Web site to another site, but if the hosting service won't let you take that domain with you, that ends up being problematic. And so we encourage people to make sure that they know the nature of that sort of bundling that they're getting, that they continue to maintain ownership of the domain regardless of who's doing their hosting. Those are really the main things that I just wanted to draw attention to. The rest of this is simply being a good consumer as a registrant and doing the same kind of consumer research that you would do for buying any kind of goods, whether it's shopping for a car, shopping for an ISP, shopping for a computer supplier or anything like that, being a smart consumer. Just doing basics of research and using the kind of information mapped out in SSAC-44 is really a phenomenal start, I think, in helping people make good decisions. I'll leave it at that. >>JACQUELINE MORRIS: Okay. Thanks a lot. Matt? >>MATT SERLIN: Thanks, Jacqueline. I just want to thank Margie for, again, putting together this forum. Margie, this is the fifth -- >>MARGIE MILAM: Sixth. >>MATT SERLIN: Sixth. We spend a lot of time during ICANN meetings talking about policy issues. And the thing I really appreciate about these sessions is that these are real-world, kind of operational kind of things to discuss and I appreciate that we have the forum to do that. Like Evan, I did not prepare slides as well so Rick has all the slides for us. I wanted to take just a couple minutes and compliment the SSAC on the report. MarkMonitor is an ICANN-accredited registrar, but we work only with large corporations. And so we have a very unique perspective because our clients often are the targets of some of these hijacking attempts. You know, I want to be clear that this isn't just a corporate issue. This is an issue that affects individuals that have domain names registered. 
You know, for those of you that don't think that it is a real-world scenario, there actually was a recent case where a domain portfolio owner actually had his -- excuse me, had his account credentials compromised by some malware that was installed on his machine, similar to what you talk about in the report. So a third-party was able to access the account up to the registrar, update the DNS, transfer the domains away. The SSAC report that was issued really goes to the core of things that we see in real-life scenarios day in and day out. So kudos to the SSAC for, again, putting forth a great report. And, you know, the threat landscape has changed over time. The thing that I sort of rely on is that the measures that we have, the countermeasures to those threats have changed as well. So the SSAC report talks a lot about some of the measures that you can take, things like two-factor authentication, things like registry lock that are now available to guard against the threats that we have that weren't available several years ago. So I think as a community as, you know, registrars and registries, we've really sort of come together to make sure that we're addressing the threats that are out there and we're changing the technology and our processes to allow us to have better safeguards for registrants around the world. And, really, you know, I also want to drive home the fact that this is not just a registrar issue or a registry issue. I think we all have skin in the game here. And it is up to all of us, registrants, registries and registrars, to all make sure that we have best practices, that we're educating, you know, our staffs and our customers about what it means to have good security and the fact that domain names are a target. 
So if you're anyone, whether you are an individual that's running a blog site or a small business site or a large corporation that your whole business is online, you know, it is incumbent upon you to make sure that you're paying attention to your security. And that's really all that I have. We wanted to keep it brief and make sure we left time for questions and opened it up to the audience as well. >>JACQUELINE MORRIS: Great, thanks. So are there any questions from the audience or from our remote participation? >>BRUCE TONKIN: Hi. My name is Bruce Tonkin, and I work for a fairly large registrar, Melbourne I.T. Just a comment, Evan, when you are talking about ownership versus admin contacts and things, that comes to the crux of a lot of the issues that we have around domain names, is a lack of understanding of the different roles and the lack of a consistent use of the WHOIS entries to document what those roles are. In the early days, there was -- particularly I'm talking about dot com, I had an admin, a technical contact, probably the two main contacts that were public. Often there is a billing contact as well which can be a little different. Now, the problem with the admin contact on its own is you typically assume you knew who the organization was and who the owner was. They didn't really document that separately. So if it was a government department or it was M.I.T. University. If you had mit.university, you would have mit.edu and then it had the admin contact. It was pretty clear who the owner of that name was. That was never carefully documented. The main thing was just making sure we knew who was the person you would ring if you had a problem with a computer that was running that particular domain name. That's really the early origins in that academic environment. Now what's transpired is that the ownership of names is often not clear. And the sort of thing you're talking about is a Web developer builds a Web site on a domain. 
Who actually is, in a legal term, the registered name holder, the legal entity that holds that name? Often that's not very well done. And some ccTLDs do that very well. Dot au, for example, has very explicitly you have to identify not just the company that owns the domain name but its legal identifier within Australia has to be included. It is very clear who the owner is. It makes it much easier to deal with disputes. Because when someone rings up and says, "This is my name versus that name," you can fall back on a company structure. There are legal documents they can provide. But for most of dot com that doesn't apply. I think one of the things that ALAC can probably assist with from a user perspective is really being clear, what are the things that need to be properly documented, certainly being clear, who is actually the legal holder of the domain name ultimately. So usually that can be an individual if it is an individual name. But usually it is best to have the actual formal company name in there, whatever it is incorporated, because that then has a legal framework behind it for managing disputes. Then the admin contact obviously can be someone at that company. It could be at their provider if they want to do that. That doesn't really matter. But the key thing is documenting ultimately who's got legal responsibility for that name. By and large, that's very poorly done. I would say there is probably more than 50% of the entries in dot com don't have that right in that the actual proper owner of the name is not actually documented. This goes back to the security problems that we have because we don't put any effort really into identifying who is ultimately accountable for the use of that name. Because WHOIS is actually a contact methodology, it is not a legal documentation for who holds the name. All it is is a method for contacting people. Yet, we are trying to use WHOIS as though it is an identity system and it is not. 
So I think we need to really clearly identify there are two problems here: Who is the identity; and who is accountable for the name and how is that documented; and the WHOIS, how do you contact someone if the domain name is not working today, three different purposes. At the moment, we've got that all crushed into one place which is the WHOIS. And it is not even clear which element is doing what. The law enforcement community thinks the admin contact is the accountable owner. It is actually not. Very rarely is the accountable owner ever identified in the WHOIS. That's the crux of a lot of the problems we see. >>EVAN LEIBOVITCH: Bruce, are you going to help us with the documentation to do this? You're absolutely right. That kind of information does need to go out. And, you know, just as Matt had said, the chain goes all the way in the responsibility for keeping -- for the security. I mean, one of the initiatives for At-large going forward is trying to define issues of, say, registrants' rights and responsibilities. And it is sort of, "Well, you are entitled to a certain level of security but you have to do your part in order to maintain that chain and to build that." So I don't think you will get any argument. >> MARGIE MILAM: I will take this moment to report from the chatroom. Bob Connelly agrees with Bruce Tonkin, that this is an issue, and gave the example regarding the -- a similar situation in that a Web site might be created by a college student. The college student leaves and then the domain name expires and there is no ability really to follow-up and get the information clarified. So Bob is agreeing with the discussion here. >>ROD RASMUSSEN: Rod Rasmussen. Just to follow up on what Bruce was talking about as well, another consideration here is privacy services, a layer of obfuscation telling who the actual owner is. In theory, that privacy service might be able to help and return something that was hijacked but it adds time, complications, et cetera. 
So that might be an interesting aspect that was not really covered in the paper as an issue. I would love to see that issue explored a bit more. That wasn't my main -- My main comment, though, was around -- I wanted to, A, commend the paper. It was excellent work. I was very happy to see that come out. In connection, I believe it was SAC-40 which talked about the registrar side of things. One thing that was mentioned in passing in the paper is use of multifactor authentication as a strong methodology for ensuring that domains can't be hijacked. Two thoughts on that. One is -- it would be really great to get kind of the information about who is providing those kinds of services out in the marketplace so people can actually make decisions on that. It is a fairly well-guarded secret as far as that goes, at least it has been up until recently. Second part on multifactor is that the criminal element has done a very good job in -- at least in the last year or so defeating multifactor authentication. So your standard tokens and things like that that you get no longer protect you for transactional security. You actually need far more advanced things, heuristics and user behavior and things like that, to watch what's going on because the bad guys want to steal money from the banks. Multifactor has been pushed out by the banks. Bad guys get around that by, basically, taking over your computer through malware and running it from your computer, so you are multifactor. You still use it but the bad guy is controlling what happens. So love to hear comments on what the thoughts were on putting the paper together on those issues and, I guess, the availability of information about WHOIS providing different authentication levels. >>MATT SERLIN: Yeah, thanks Rod. A couple things, it is a cat and mouse game, right? Like I talked about earlier, as the threats have changed, we've all kind of adapted. So I think that's going to continue. 
And in terms of information, you know, it is interesting at least speaking from my perspective, you know, we don't -- just speaking for MarkMonitor, we don't do a lot of publicity on our Web site about security measures that we have in place. And that's very intentional. But we're a sort of a niche player, you know? But there are more sort of retail-facing registrars that do publish information about two-factor authentication available and things like that. I don't think there's a sort of centralized place where you can go and see, you know, every registrar that has different security features available or not available. But I know that I've seen several registrars that, I think, have even issued press releases that they have rolled out two-factor in their interface and things like that. So I think the information is out there, but it might not be out there in a sort of aggregate form. >> RICK WILHELM: Yeah, I agree with all of that. The easiest way is to call and ask. There are a number of things you would find out if you called our company and asked about those sort of things. You would find that we do have a two-factor solution available. You don't see it on the front page of our Web site. You find that there are also things that if you are really paranoid about your name that we can do to really help to torque it down, similar with Matt. There's all sorts of things a registrar can do to help you if you really want to be restrictive on that name. Those reduce your operational flexibility and inject very purposeful friction into those kinds of things. So you can't just sort of randomly wake up at 3:00 in the morning and say, "I think I want to update my e-mail address" because, you know, I want to shift it from my Yahoo! account to my Gmail account. You are probably not going to be able to do that. The same reason you have a safe deposit box. 
It is a hassle to go get those birth certificates and stuff like that, but the nice thing is that they won't burn down in your house, right, in a fire? You know, as far as two-factor being broken, my words, not yours, I'm paraphrasing, like Matt said, it is a cat-and-mouse game. And the only completely secure computer is one that's turned off and not connected to a network. And I don't sell two-factor services. The people that sell two-factor services might have an issue with sort of declaring it, you know, vulnerable. But that's sort of a different -- I think that's a different panel. As far as your other question was about the privacy service, we didn't address privacy services here because that's out of -- out of bailiwick for this sort of discussion, right? This is about what registrants are doing to protect their account. And so from that standpoint, one of the things that we could have said if we wanted to step into that, because that's sort of fraught with perilous peril, privacy services are -- and the SSAC is trying to sort of constrain its remit to technical matters. And so consequently -- because if we were going to make a comment about privacy, you might actually say that privacy might actually help those things because it makes the registrant a little more secure hypothetically. You could argue that. But privacy services are different -- a different discussion entirely. >>EVAN LEIBOVITCH: Privacy is a very different discussion than security. I'll leave it at that. >>ROD RASMUSSEN: Just a quick follow-up. I understand it is kind of a third rail. I don't want to go there on the privacy services. On the multifactor authentication issue, your point on the only secure computer is one that's not connected to anything, that reminded me of the current guidance at least in the U.S. is that for doing online transactions of high value, they recommend having a dedicated computer to just doing those transactions. 
Not a bad thing when you have a portfolio of domains that are worth a whole lot or you've got a corporate environment where you have got to protect that, to dedicate a single computer. They are so cheap these days. Not a bad idea. >>RICK WILHELM: I will have to bring that up with my wife to see if I can get some funds appropriated as the fiscal year runs out at our house. >>JACQUELINE MORRIS: Any more questions or comments? >>MARGIE MILAM: I have some more observations from the chat. Bob Connelly makes another case as an example. Californiadelta.com was used as a community marketing Web site, and the admin contact died. And by the time the other members woke up to the problem, the domain had reached the delete pool and had been captured by a speculator in Belize. And, unfortunately, the speculator never responded to e-mail inquiries. So I think his point is that this is a very useful document for situations such as that. I also have a comment from Jaap Akkerhuis who mentions that SAC-023 did mention privacy services. I think that was in response to Richard's comment. >>JACQUELINE MORRIS: Okay. Anyone else? No? I'll say thank you very much. It has been a great experience. The report is fabulous. I actually did read it. And I will go to Vanda to wrap up. >>VANDA SCARTEZINI: Well, so I believe that's the end of our session. Is everybody hungry? And, certainly, we have a very broad spectrum of these issues here. And there is much more to do, and I do believe it could be a very normal session in the future of ICANN meetings because there is a lot of progress, a lot of problems that we are going to face, and more and more nowadays with the people going to cloud computers, we are going to have a lot of challenges to face. So it's my suggestion that we keep this running during the next meeting, you know, more organized and with much broader aspects, part technical, part more social and the impact on society. So thank you very much for your attention. 
And Steve wants to start again. So it is open again. [ Laughter ] >>STEVE CROCKER: Not so much to start again but to participate in the closing. I'm Steve Crocker. I'm chair of SSAC. My ears are burning, my heart is warm. Thank you very much. I'm glad that you enjoy our work so much, and it is a great pleasure to have been helpful to you guys. >>VANDA SCARTEZINI: Thank you, Steve. And so let's close again. Thank you again to all of you for being here with us. Thank you to all the speakers, our colleague over there. And all this material will be available for you on our Web site, even the contacts of the speakers, so you can also ask additional questions if you want to. Thank you. [ Applause ] >>JACQUELINE MORRIS: I just wanted to add one thing: everybody, please take this report and disseminate it to everyone you know, because it is really, really important.
