Public participation site

This post was co-authored by Sarah McKune, a senior researcher at the Citizen Lab.

Public attention to the secretive world of cyber espionage has risen to a new level in the wake of the APT1: Exposing One of China's Cyber Espionage Units report by security company Mandiant. By specifically naming China as the culprit and linking cyber espionage efforts to the People's Liberation Army, Mandiant has taken steps that few policymakers have been willing to take publicly, given the significant diplomatic implications. The report has brought to the forefront US-China disagreements over cyberspace, igniting a furious response from the Chinese government.

Also cast in stark relief by this incident, however, are the priorities of the United States in securing the cyber domain: threats to critical infrastructure, and the theft of intellectual property, trade secrets and confidential strategy documents from key industry players and Fortune 500 companies. General Keith Alexander, the head of US Cyber Command and the National Security Agency, raised the profile of the theft issue last year in asserting that widescale cyber espionage had resulted in "the greatest transfer of wealth in history." The issue was highlighted again in the newly-released Administration Strategy on Mitigating the Theft of U.S. Trade Secrets.

Certainly, threats against critical infrastructure and theft of intellectual property and trade secrets are important. However, they are not the only targets of cyber intrusion and espionage that should merit public attention and government concern.

An often-overlooked dimension of cyber espionage is the targeting of civil society actors. NGOs, exile organizations, political movements, and other public interest coalitions have for many years encountered serious and persistent cyber assaults. Such threats — politically motivated and often with strong links to authoritarian regimes — include website defacements, denial-of-service attacks, targeted malware attacks, and cyber espionage. For every Fortune 500 company that's breached, for every blueprint or confidential trade secret stolen, it's a safe bet that at least one NGO or activist has been compromised in a similar fashion, with highly sensitive information such as networks of contacts exfiltrated. Yet civil society entities typically lack the resources of large industry players to defend against or mitigate such threats; you won't see them hiring information security companies like Mandiant to conduct expensive investigations. Nor will you likely see Mandiant paying much attention to their concerns, either: if antivirus companies do encounter attacks related to civil society groups, they may simply discard that information as there is no revenue in it.

While cyber espionage against a company may result in the loss of a blueprint, an attack on an NGO could result in a loss of individual life or liberty. Yet civil society is largely on its own as it goes about its work to advance human rights and other public policy goals while struggling to stay ahead of debilitating cyber threats.

In Citizen Lab's research on cyber espionage against civil society, going back to the Tracking GhostNet and Shadows in the Cloud reports, we've routinely encountered the very same malware families, social engineering tactics, and advanced persistent threats experienced by the private sector, governments, and international organizations. Our research indicates that the important details uncovered by Mandiant are just one slice of a much bigger picture of cyber espionage linked to China. For example, Citizen Lab's Seth Hardy has found that certain malware targeting a Tibetan organization incorporates much of the same code and uses one of the same command-and-control servers as the APT1 attacks documented by Mandiant. This suggests that APT1 is also targeting civil society groups alongside the "higher profile" companies and organizations on its roster.

Our findings confirm there's more to China's motivations than just industrial and government espionage. The Chinese government appears to view cyber espionage as a component of much broader efforts to defend against and control the influence of a variety of "foreign hostile forces" — considered to include not only Western government entities, but also foreign media and civil society — that could undermine the grip of the Communist Party of China.

The solutions presented by US policymakers, however, have left civil society out of the equation altogether, focusing on industry and government only, as if these are all that matter. Notably, a February 12, 2013 executive order on improving cybersecurity provides that US policy is to "increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats." No similar initiative exists for outreach and information sharing with civil society. Without these considerations, we leave civil society hung out to dry and lose sight of that which we are aiming to protect in the first place — a vibrant democratic society.

As we consider what to do about mitigating cyber attacks, and the bleeding of our industrial base from unabashed cyber espionage, we would do well to remind ourselves of a fact that may be easily overlooked: China's domestic problems in the human rights arena are a major factor driving cyber insecurity abroad. China's aggressive targeting of "foreign hostile forces" in cyberspace includes groups simply exercising their basic human rights. We may well soften China's malfeasance around corporate and diplomatic espionage, but without dealing with the often-overlooked civil society dimension, we will not eradicate it entirely.

Written by Ron Deibert, Director, The Citizen Lab, Munk School of Global Affairs, University of Toronto

Follow CircleID on Twitter

More under: Cyberattack, Internet Governance, Malware, Security

As noted in the first part of this series, Security and Reliability encompasses holistic network assessments, vulnerability assessments, and penetration testing. In this post I'd like to go deeper into network assessments. I stated last time that the phrase "network assessment" is broad. Assessments may be categorized as "internal" (behind the firewall, corporate infrastructure) or "external" (outside the firewall, Internet infrastructure). Regardless of the scope and areas of technology assessed, the goals are to assess the current state of your infrastructure with respect to industry best practices, to provide a gap analysis that shows where best practices are not met, and finally to provide remediation steps to fill those gaps.

Internal network assessments may be highly customized and should evaluate a wide range of network infrastructure or specific areas of technology, including but not limited to:

• Network switching/routing
• Firewall and IDS/IPS
• Wireless (Wi-Fi, microwave, satellite, etc.)
• VoIP
• DNS/DHCP/IPAM
• Server infrastructure
  
  • Application
• Client/desktop
  
  • System builds
  • Anti-virus/anti-malware
• Physical security

External network assessments may also be customized and should examine areas including but not limited to:

• IP address registration and routing policy
• DNS and domain name registration
• Electronic Mail
• Internet gateways (border router, access controls, filtering, firewalls, etc)
• VPN access to corporate network
• Site-Site interconnections

You may also wish to assess information security policies and procedures, access controls (logical or physical), readiness for SSAE16, ISO 27000 series, or PCI compliance, and disaster recovery procedures, or business continuity plans for both internal and external assessments.

The benefits of a network assessment include documentation to help you understand your current security and reliability posture in terms of best practices, and steps to remediate gaps in best practices. This type of assessment can form the basis for system-wide documentation and further policy development if needed. In addition, once you remediate any gaps in the assessment, you can begin to document best practices with respect to network/system architecture, security, change management, disaster recovery and business continuity.

The next logical steps to enhancing your security and reliability posture are to execute periodic vulnerability assessments and penetration testing, which I will delve into in the following posts.

Written by Brett Watson, Senior Manager, Professional Services at Neustar

Follow CircleID on Twitter

More under: Security

Recently, I sent my submissions on the current call for public comments on the Closed Generic TLDs which closes on the 7th March, 2013. I thought I would share it here as well as encourage people to post their comments on the public forum.

A "Closed Generic" is a TLD that is a generic term, but domains within that TLD will not be sold to the public.

Today, there are 22 generic TLDs. These include .COM, .BIZ, .INFO and .NET. Domain names within today's generic TLDs are available for purchase by the general public. Generic TLDs that are available for purchase by the general public are NOT closed generic TLDs.

When ICANN held its open application process in June 2012, there were many applicants for Top Level Domains for both branded and generic terms. For example, there were applications filed to create the .BMW Top Level Domain, the .DOT, Top Level Domain, the .SEARCH Top Level Domain, and the .SHOP Top Level Domain. Some of the applicants intend to sell domain names within their proposed new Top Level Domains to the public, while others do not intend to sell domain names within their proposed new TLDs to the public.

The litmus test in my mind is what is the impact on global public interest? The Affirmation of Commitments (AoC) by the United States Department of Commerce (DOC) and ICANN clearly specify the promotion of competition, consumer trust and consumer choice. There are two ways of examining the situation, one is by looking at the closed generic applications and the other is to look at it from the standpoint of ICANN which is beholden under the AoC.

The issues that arise are as follows:-

1. Would the endorsement of "Closed Generic" Applications create a situation or a series of situations whether now or in the future that will restrict competition?
2. Would the endorsement of "Closed Generic" Applications create a situation where there is a dominant position within the market?
3. Would the endorsement of the "Closed Generic" Applications create a restraint in trade of a particular market?
4. Would ICANN be immune from anti-trust liability?

Traditionally, the prohibition and control provisions laid out in competition rules basically aims to prevent cartelization and monopolization in markets for goods and services. Such developments in markets inevitably harm consumer welfare which competition rules aim to protect. On the same token, there are instances where some agreement may limit competition to allow for social and economic benefits to pass to the other. In order to ensure that such agreements with a net effect of increasing competition can be made, an exemption regime is regulated in competition law and agreements between undertakings in the same level (horizontal) and different levels (vertical) of the market may be left exempt from the prohibition of the competition rules under an exemption system, provided they are not cartel agreements which are, by nature, out of the scope of exemption.

The Sherman Antitrust Act also referred to as the Sherman Act prohibits certain business activities that federal government regulators deem to be anticompetitive, and requires the federal government to investigate and pursue trusts, companies, and organizations suspected of being in violation.

On 4 August 2012, the Honorable Philip S. Gutierrez, United States District Judge ruled in Manwin Licensing International S.A.R.L., et al. v. ICM Registry, LLC, et al, that "anti-trust" claims could be filed over controversial .xxx. See: a. ICANN's Involvement in Trade or Commerce By its terms, the Sherman Act applies to monopolies or restraints of "trade or commerce." 15 U.S.C. §§ 1, 2. The identity of a defendant as a nonprofit or charitable organization does not immunize that organization from antitrust liability. NCAA v. Bd. of Regents of Univ. of Okla., 468 U.S. 85, 101 n.22 (1984) ("There is no doubt that the sweeping language of § 1 [of the Sherman Act] applies to nonprofit entities."). On the contrary, nonprofit organizations that act in trade or commerce may be subject to the Sherman Act. Big Bear Lodging Ass'n v. Snow Summit, Inc., 182 F.3d 1096, 1103 n.5 (9th Cir. 1999) ("A nonprofit organization that engages in commercial activity . . . is subject to federal antitrust laws."). Rather than focusing on the legal character of an organization, an antitrust inquiry focuses on whether the transactions at issue are commercial in nature. Virginia Vermiculite, Ltd. v. W.R. Grace & Co. — Conn., 156 F.3d 535, 541 (4th Cir. 1998) ("We emphasize that the dispositive inquiry is whether the transaction is commercial, not whether the entity engaging in the transaction is commercial."). "Courts classify a transaction as commercial or noncommercial based on the nature of the conduct in light of the totality of surrounding circumstances." United States v. Brown Univ. in Providence in State of R.I., 5 F.3d 658, 666 (3rd Cir. 1993). In any circumstance, "[t]he exchange of money for services . . . is a quintessential commercial transaction." Id.

Each of the generic TLDs presents a market and there are generic brands like .blog which if were closed could pose serious threats to freedom of expression for those who wish to register .blog. Article 19 of the International Covenant on Civil and Political Rights (ICCPR) clearly provides for freedom of expression. The threat of limiting or restricting the ability of persons wishing to acquire .blog poses serious harm to the global blogging community and individuals.

For the purposes of assessing whether closed generic TLDs should be permitted, it is essential to engage in identifying the market for the TLD and whether there is likelihood that a monopoly or oligopoly would be created that could distort the market and prejudice public interest.

Under the Sherman Act § 2, 15 U.S.C. § 2 monopolizing trade is a felony. Under the circumstances where this trade involves foreign nations such as generic TLD applications that have been made by countries outside the US, then Sherman Act § 7 (Foreign Trade Antitrust Improvements Act of 1982), 15 U.S.C. § 6a will apply in relation to conduct involving trade or commerce with foreign nations.

There is the possibility that something which is declared open can be later declared closed, depending on market dynamics and how competition is controlled. The other issue is who regulates the competition of the gTLD market? Is this supposed to be self regulatory where market forces are left to determine how the pendulum swings or does ICANN or the Applicant of the gTLD given discretionary rights to control its respective gTLD market?

However complex these questions, the litmus test for advocates of an open and free internet is the impact on global public interest and I would propose that the considerations would be:-

• Is there a visible threat to the global public interest?
• What is the nature of the threat/challenge?
• Is there need to "seal off a market" to preserve competition?
• Are there generic terms where it is in the public interest to be closed?

There are no easy answers to the debate on closed generic TLDs. There is room however for discussion, dialogue and sharing perspectives to help policy makers in the decision making process. It is critical that people have their say and respond to the call for public comments on Closed Generic gTLD applications at http://www.icann.org/en/news/public-comment/closed-generic-05feb13-en.htm before it closes on March 7th, 2013. Have your say today!!!

Disclaimer: These are some reflections on closed generic TLDs. The views expressed are solely my own and is not the view of the At Large Advisory Committee (ALAC) nor the Civil Society Internet Governance Caucus (IGC). The views are made in my personal capacity as an individual.

Written by Salanieta Tamanikaiwaimaro, Director of Pasifika Nexus

Follow CircleID on Twitter

More under: ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

ICANN is currently seeking public comment on the subject of "closed generic" Top Level Domain (TLD) applications. A "Closed Generic" is a TLD that is a generic term, but domains within that TLD will not be sold to the public.

There are those who object to generic terms such as .book being operated as closed registries, which means that domain names within the .book Top Level Domain as proposed by Amazon would not be sold to the public, but instead, Amazon.com would own and operate all domain names within the .Book Top Level Domain. (e.g. You might soon be able to navigate to Amazon.book.) For example, Google, Inc., has applied to create the .Search TLD to allow it to improve its search functionality, and Amazon.com has applied for the .book TLD to allow it to segregate its book product offerings onto a separate TLD. Many oppose these projects because, it is said, that these TLDs offer companies like Google, Inc. and Amazon.com an "unfair competitive advantage".

On the other hand, there are those who believe that Closed Generics should be permitted because they do not represent an unfair competitive advantage. By way of comparison, the leading bookseller online is Amazon.com, not Book.com. Those who support Closed Generics are in favor of innovation and competitive freedom, with no restrictions on the types of services that can be provided through a Top Level Domain.

To date, there have been 42 comments submited to ICANN's public comments section:

2 Commenters Support Allowing Closed Generic Top Level Domains
39 Commenters are Opposed to Closed Generic Top Level Domains
1 Commenter is Opposed to the current gTLD Application Process all together

View a comment summaries at:
http://www.getnewtlds.com/news/UpdateOnClosedGenericsDebate.aspx

Written by Mary Iqbal, Founder of Get New TLDs Inc.

Follow CircleID on Twitter

More under: ICANN, Internet Governance, Top-Level Domains

There is a very interesting video posted on YouTube.com from Matt Cutts of Google who answered the question about how ccTLD's are viewed by Google especially when they are being used as domain hacks.

Here is the question:

"We have a vanity domain (http://ran.ge) that unfortunately isn't one of the generic TLDs, which means we can't set our geographic target in Webmaster Tools. Is there any way to still target our proper location?"

In the 2:30 minute video, Matt Cutts makes it clear that not all ccTLD's are going to be treated the same by Google:

As the domain space gets more exhaustive in .com, people are getting more creative using domain names like Ma.tt which is owned by Matt Mullenweg of WordPress.com, which is a very cool domain, but is the country code for Trinidad and Tobago.

Many others are using words that end in .es, and we see a lot of startups that have been using .io (Indian Ocean).

When using these ccTLD as either domain hacks or just because they make a cool domain name or brand, Matt Cutts is saying you have to be VERY careful otherwise the domain is going to be treated as a ccTLD and thought by Google to be only targeting residents the country the ccTLD represents.

"You have to think hard, if its going to be thought of as an international domain or a country code."

Matt calls out .co specifically as one which is treated as generic by Google and not as the ccTLD of Colombia.

"In some sense it comes down to a little bit of a call when a domain becomes truly generic, appropriate to the entire world."

"So like .Co, which I think used to be for Colombia. has become a generic like another .com"

"But if you're using an .es for a word that ends in .es or .li domain, which I understand is being used by a lot of businesses located in Long Island, because it's really a cool address, you have to be careful because in the case of .es we are going to think its related to Spain and in the case of .li we are going to associate it as targeting residents of Lichtenstein because 99% of the domain in use are related to those countries".

"Otherwise everyone starts to use crazy random domain names and they lose the sense of what they were originally intended for and that could be a bad experience for everyone".

A MUST see Video for anyone using or considering using ccTLD especially as a domain hacks.

Written by Michael Berkens, President of Worldwide Media, Inc.

Follow CircleID on Twitter

More under: Domain Names, Top-Level Domains, Web

A colleague sent me a story by Cecilia Kang in the Washington Post: Survey finds gap in Internet access between rich, poor students. With my interest in programs to get connected computers into low income households, my friend knew I would be interested in the article which talks about a survey released Thursday by the Pew Research Center.

Indeed, I would commend the Washington Post article and the survey itself to you for reading.

I want to highlight the problem representing the survey results in the Washington Post. The fifth paragraph says:

Half of all students in higher income families have access to the Internet at home through a computer or mobile device. The figure drops to 20 percent for middle income children and just 3 percent of students from poor homes, according to the survey of 2,462 teachers by the Pew Internet & American Life Project in cooperation with the College Board and National Writing Project.

Something seemed off with those figures.

After all, I recalled that two weeks ago, I wrote about digital literacy programs trying to deal with the one-third of American households that aren't on-line. How could it be that half of wealthy households with kids were without internet, if the national figures show two-thirds of households have internet access.

Something wasn't right.

In going to the actual Pew report, I found the likely source of the Washington Post numbers. But Pew didn't actually report on the availability of home internet by income. It was a different question.

The survey reported "% of teachers who say ALL or ALMOST ALL of their students have sufficient access to the digital tools they need [at home / at school] to effectively complete school assignments, by student socioeconomic status".

This question may point to whether teachers have to adapt homework assignments; can the teachers assume that digital tools will be available?

The Washington Post appears to have treated these numbers as though the question ask "percentage of students who have home internet, by income."

The Washington Post question is important to understand and address, but it was not addressed in the survey. And as a result, the numbers were just plain wrong.

Written by Mark Goldberg, Telecommunications Consultant

Follow CircleID on Twitter

More under: Access Providers, Broadband

Now that ICANN has stuck to its guns and only placed 4 new gTLD's strings that look confusingly similar into contention sets, rather than those that sound identical, such as .inc and .ink or those that have the same meaning like .Law and .Lawyer or those that are singular and plurals of the same word, like .deal and .deals, we now that many new gTLD's are going to have a very a tough marketing road and face a lot of consumer confusion.

Not only will the new gTLD strings have to sell themselves to the public as alternatives to incumbent TLD's and ccTLD's but they will have to separate themselves from other new gTLD's that will be fighting in the same vertical for seemly the same customers with almost the same String.

Here are some new gTLD strings that will not only have to compete for the same vertical but possibly a real problem is separating themselves away a very close alternative:

.Law/.Lawyers.Game/.Games.New/.News.Hotel/.Hotels.Gift/.Gifts.Realestate/.Realty/.Realtor.Car/.Cars.Host/.Hosting.Secure/.Security.Coupon/.Coupons.Insure/.Insurance.Sport/.Sports.Deal/.Deals.Kid/.Kids.Shop/.Shopping.Fish/.Fishing.Loan/.Loans.Tech/.Technology.Film/.Movies.Photo/.Photography.Web/.Webs.Site/.Website

The question is can two or more gTLD's in many cases separated just by being singular or plural of the same a generic word both be successful in the marketplace.

Beyond the challenges of selling say a .deal from a .deals, what will be end users reactions? How much confusion has ICANN allowed to be created down the line. Will consumers really be able to get it right when they see or hear an ad for sale.deal without confusing it with sale.deals or deal.sales?

Of course there is still the objection period which doesn't close until March 13th under which applicants can object to other applications; the Initial Evaluation of applications which should start to be released this month and there are still the GAC objections.

ICANN certainly followed its own guidelines for setting contention strings as laid out in the Guidebook, ICANN should have defined contension sets differently in a way to place such really similar strings into the same contention set so that there would only be one surviving string that are many times simply separated by a "s".

Written by Michael Berkens, President of Worldwide Media, Inc.

Follow CircleID on Twitter

More under: ICANN, Policy & Regulation, Top-Level Domains

As much as we talk here about the inner workings of the Internet's infrastructure, there are times when you have to just sit back and look at how incredibly cool some of the things are that are enabled by the Internet. For example, last week I was delighted to stumble across (via Google+) this excellent music video collaboration between the International Space Station's Canadian commander Chris Hadfield, the Canadian band Barenaked Ladies along with a Canadian student choir — all coordinated by the Canadian Space Agency, the Canadian Broadcasting Corporation and The Coalition for Music Education.

While I was sitting there very much enjoying the music, I was also thinking about the technology that enabled a space station to participate as they did — and the role the Internet infrastructure played in enabling the creation — and subsequent sharing of this music video. Naturally several of us were immediately wondering about latency and how much post-production was done… but regardless, it was great to see and enjoy! Listen yourself:

Not to be outdone by the Canadians, of course, NASA had their own Google+ Hangout with the I.S.S. last week, too, and if you watch the replay the connection with the station occurs about 30 minutes into the hangout. (Prior to that questions are being handled by astronauts on the ground.) The I.S.S. crew take questions from the moderator and from videos submitted through YouTube. One of the questions was about social media and the crew spoke about how the technology enabled them to collaborate with people all around the world.

On one level this is all mundane, "normal" collaboration that perhaps doesn't warrant being called out… I mean, it's just an IP network, right? But it's an IP network that includes a space station and, at least to me, that's very cool and something to celebrate!

P.S. And as an added bonus, the music video and Google+ Hangout are both available to me over IPv6, as it should be.

Written by Dan York, Author and Speaker on Internet technologies

Follow CircleID on Twitter

More under: Internet Protocol

Some pretty big companies are beginning to show an active interest in ICANN's new TLD project. The most recent of them is bookseller Barnes & Noble.

The letter, which is available both on the ICANN website, is quite narrow and pointed in its scope and focusses on the perceived competition issues with Amazon's bids for several "closed generics".

Excerpt from the letter:

Barnes & Noble, Inc. submits this letter to urge ICANN to deny Amazon.com's application to purchase several top level domains (TLDs), most notably .book, .read and .author (collectively the "Book TLDs").1 Amazon, the dominant player in the book industry, should not be allowed to control the Book TLDs, which would enable them to control generic industry terms in a closed fashion with disastrous consequences not only for bookselling but for the American public. If Amazon, which controls approximately 60% of the market for eBooks and 25% of the physical book market2, were granted the exclusive use of .book, .read and .author, Amazon would use the control of these TLDs to stifle competition in the bookselling and publishing industries, which are critical to the future of copyrighted expression in the United States.

Amazon's ownership would also threaten the openness and freedom of the intenet and would have harmful consequences for intenet users worldwide. When ICANN announced its plan to increase the number of TLDs available on the Domain Name System, one of its stated goals was to enhance competition and consumer choice. However, if the Book TLDs applications are granted to Amazon, no bookseller or publisher other than Amazon will be able to register second-level domain names in .book, .read and .author without Amazon's approval, leaving Amazon free to exclude competitors and exploit the generic Book TLDs for its sole benefit.

The Booksellers Association of Switzerland is also opposing Amazon:

The Booksellers Association of Switzerland is of the strong opinion that closed generic gTLD applications have to be invalidated when submitted by commercial entities operating in a sector of activity related to the closed generic gTLD .

In the case of a closed generic TLD like .books, the exclusivity granted to the winning applicant would de facto strengthen the position of a single big operator in the book industry and would be detrimental to the industry as a whole.

Think I see a trend!

Written by Michele Neylon, MD of Blacknight Solutions

Follow CircleID on Twitter

More under: ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

I co-authored a book in 2005, titled "Extreme Exploits: Advanced Defenses Against Hardcore Hacks." My chapters focused on securing routing protocols such as BGP, and securing systems related to DMZs, firewalls, and network connectivity.

As I look back over those chapters, I realize that the basic fundamentals of network security really haven't changed much even though technology has advanced at an incredible pace. "Defense in depth" was a hot catch phrase seven years ago, and it still applies today. I believe there are three broad steps any organization can take with respect to security and reliability to get a handle on their current security posture, whether internal (corporate, inside the firewall) or external (Internet, outside the firewall).

Network Assessment

Begin with a "network assessment." This is a broad term that might encompass a holistic view of an organization's Internet security posture, including Internet gateways, firewalls, DNS and email services, and B2B partner connectivity. In addition or alternatively, a network assessment may focus on an organization's internal network, including employee intranets, VPN, electronic mail, DNS, VoIP, vulnerability management and anti-virus services, change management, and business continuity planning and disaster recovery. A network assessment can be tailored to specific security requirements for any organization, but ultimately the assessment will provide a baseline gap analysis and remediation steps to fill those gaps.

Vulnerability Assessments

Once a baseline network assessment is completed, an organization may wish to perform periodic vulnerability assessments. Traditional vulnerability assessments tend to cover applications services and nothing more. However, an organization's security posture must include Internet gateway switches/routers, firewalls, DNS servers, mail servers, and other network infrastructure not directly related to providing service for a specific application. Whether internal or external, vulnerability assessments can uncover critical gaps in security that may lead to credential leaks, intellectual property theft, or denial of service to employees or customers. A well planned and executed vulnerability assessment should eliminate false positives, but can never give an organization 100% confidence that a specific vulnerability can be exploited. Vulnerability assessments should be executed on at least a quarterly basis, but it's not uncommon for larger organizations to execute them on a monthly basis.

Penetration Testing

The next step in assessing your organization's security and reliability is penetration testing. While I typically say that vulnerability assessments give you a "95% confidence level" that a vulnerability exists, penetration testing can give you 100% confidence that a specific vulnerability can be exploited and show you how it can be exploited by attackers. Alternatively, a penetration test may show you that you have proper compensating controls in place to prevent a vulnerability from being exploited. That is to say, the vulnerability exists, but a compensating control is in place that prevents attackers from succeeding.

One only needs to read the news to know that every organization, whether large or small, is susceptible to intrusions across their networks or exploits in their applications and services. It's prudent to execute a network assessment in order to understand your current security posture, and then follow up with periodic vulnerability assessments and penetration tests. These will give you a higher level of confidence that your architecture is sound, and that your staff is adhering to security policies and procedures. Ultimately, your customers trust you to secure your resources and their information, and your brand and market identity are at stake if you don't.

Written by Brett Watson, Senior Manager, Professional Services at Neustar

Follow CircleID on Twitter

More under: DNS, Security, VoIP

Really ICANN? The Trademark Clearinghouse provides unprecedented protection. According to your recent announcement it does.

Do tell, ICANN — in what way does the Trademark Clearinghouse protect anything?

• Does it block others from registering trademarks for which they have no legitimate right?
• Does it notify trademark owners in advance of a pending registration?
• Does it provide warnings of infringing names beyond exact match?
• Does it even provide notifications of exact-match registrations beyond the first 60/90 days of the general registration period?

Of course, the answers to all of these questions is a resounding NO.

Now, I am not saying that the Trademark Clearinghouse is not without value. It will undoubtedly streamline the validation process for trademarks so that they can qualify for Sunrise Registrations. Having to validate trademarks with each individual new gTLD registry would have been extremely time-consuming, and possibly much more expensive.

That said, the Trademark Clearinghouse is not, and has never been a Rights Protection Mechanism, and trying to classify it as one only makes trademark owners even more frustrated.

Written by Elisa Cooper, Director of Product Marketing at MarkMonitor

Follow CircleID on Twitter

More under: Cybersquatting, Domain Names, ICANN

PIR released the results of the bi-annual domain name report, "The Dashboard," which outlines the growth of .ORG in the second half of 2012. Overall, we had a remarkable year. Most notably, we hit a major milestone in June with the registration of the 10 millionth .ORG domain!

Our team compiles this report every six months and each time I'm impressed by the results. It's encouraging to see that year after year individuals and organizations continue to turn to .ORG to promote their cause and educate their audiences.

Some of the key findings of "The Dashboard" include the following:

• New .ORG registrations increased by 11.9 percent in the second half of 2012.
• The number of .ORG domains under management (DUM) grew by 4.3 percent in 2012.
• .ORG experienced a net gain of 416,301 registrations in 2012.
• .ORG DUM have more than doubled during the past seven years, increasing from 3.9 million in 2005 to more than 10.1 million in 2012.

We are particularly proud of our international growth in the past two years. From 2010 to 2012, new .ORG domain names created abroad increased in the following regions:

• Asia, Australia and the Pacific region grew by 47 percent.
• Africa grew by 23 percent.
• Latin America grew by 25 percent.

This increased demand for .ORG in international markets only further solidifies our commitment to non-profits and non-governmental organizations (NGO) worldwide. To that end, our applications with the Internet Corporation for Assigned Names and Numbers (ICANN) to be the operator of .NGO and .ONG domains are currently under evaluation, and ICANN expects to delegate new top-level domains later this year. These proposed domain extensions would be specifically aimed at meeting the needs of the global NGO community, providing them with a secure and trusted venue that enables them to increase engagement, awareness and funding opportunities. For more than a decade, Public Interest Registry has served non-profit organizations and we look forward to growing our mission and global capabilities in 2013.

To see the full results of The Dashboard, download a PDF of report here.

Written by Brian Cute, Chief Executive Officer, .ORG, The Public Interest Registry

Follow CircleID on Twitter

More under: Domain Names, Registry Services, ICANN, Top-Level Domains

There has been an upsurge in brands withdrawing their applications. The timing undoubtedly is due to the deadline of 70% refund of the $185k application fee. But why are so many of the withdrawals .brand/closed generics?

Having been involved in drafting of financial projections for over 50 applications and having answered a number of financial Clarification Questions, I believe that the major reason why there is an acceleration in .brands, especially closed ones, is that they are receiving a large number of financial Clarifying Questions (CQs) and are deciding to cut their losses. In my opinion there are two main reasons for these types of gTLDs receiving an inordinate proportion of financial CQs.

In general, .brand applications were defensive in nature, hastily prepared and involved a lot more "cut and paste" in answering the questions of the application.

Many of the financial Clarification Questions received by brands seem to be geared towards open rather than closed systems. The applicants did not effectively consider how to write their answers to comply with the ICANN evaluation criteria.

It is very likely that .brand/closed generics are receiving a relative large amount of financial CQs and are deciding to opt out because:

• They may be defensive registrations from the legal department with little or no business/financial or marketing participation
• They have failed to identify a real and tangible business value
• Risk they were mitigating against, just was not worth the trouble
• They cannot figure out sufficient answers to CQs or do not have the confidence that they can put forward a reasonable business use case to answer the financial CQ.

The number of applicant withdraws reached 22 during the week and I think it's a shame to see such global brands depart the gTLD round, especially if the reason is due to the difficulty of answering CQs. ICANN was always clear, either answer the questions per the AGB criteria in your initial application, or you will get clarifying questions. Pay me now, or pay me later.

One concern is that for several brand applicants, the awareness of the new gTLD application never got out of the legal/trademark protection department. If the legal departments are making the call to abandon without fully exploring the future opportunities with the marketing department, they have done their brands a disservice. The .brand applications can provide clear financial answers that meet guidebook criteria. It will require additional speculative investment to secure undeveloped internet real estate, as well as urgent engagement with the marketing and branding functions to fully realize the risks and or potential benefits of your own TLD.

I hope that other brand applicants fully consider the long-game before pushing the trigger on a hasty "withdraw" button.

Written by Norbert Grey, CFO of Architelos

Follow CircleID on Twitter

More under: ICANN, Top-Level Domains

ICANN CEO Fadi Chehadé was already 2 hours into his flight from Singapore to Paris when the pilot's voice interrupted the in-flight entertainment.

A tech problem meant turning back, landing in Singapore, waiting for another plane and starting the long haul again!

Half a day later, Chehadé landed in Paris.

He'd already missed a lunch appointment but was still in time to make a reception organised at French ICANN board member Sébastien Bachollet's initiative. Chehadé gave a speech there to help spread the word about ICANN to the local community, before speeding off to the Unesco building in the center of Paris.

This was the venue for the WSIS+10 meeting, held from Monday to Wednesday this week.

Now you and I would have been straight off to the hotel to sleep off that nightmare flight. But not Chehadé! He kept to his commitments and looked none the worse for wear when the next day, addressing a packed room II (one of the largest) at the Unesco building, he delivered one of his trademark impassioned speeches to the WSIS+10 delegates.

"Multi Stakeholderism is the only way. But it has to be equal Multi Stakeholderism, where every stakeholder has an equal place. Academia, civil society, industry, users and yes… even governments… they all have a part to play," he said in a humorous nod to his government-heavy audience.

As soon as the speech was over, Chehadé sped off to another Bachollet-inspired meeting. This time at the office of the French Prime Minister.

All this only a day after he'd walked the walk in Asia by announcing the creation of two regional ICANN hubs, one in Singapore and the other in Istanbul. And that he'd be leading by example and relocating to Singapore for a third of the year!

Four months after officially starting as CEO, Chehadé obviously eats, drinks and breathes ICANN all day long. His enthusiasm and energy seem as infectious as they are limitless, whilst his people skills are second-to-none.

And perhaps most importantly, he speaks to people in their own language rather than imposing ICANN's. Literally. In Singapore, Chehadé highlighted his Asian origins (well Beirut is technically in Asia, isn't it?). In Paris, he spoke French at his off-the-plane reception. In Africa, he will remind people of his links with the continent (his parents were Egyptian).

In short, Chehadé is open, engaged and engaging. He is also truly international and respectful of differences in culture, ideology and opinions.

If the ICANN CEO is like that, chances are ICANN itself will benefit. Now I know us ICANN community members are not used to optimism, but perhaps it's time to put aside our cynicism and recognise that if the guy at the top can push those values, then maybe in time ICANN itself can adopt them…

Written by Stéphane Van Gelder, Chairman, STEPHANE VAN GELDER CONSULTING

Follow CircleID on Twitter

More under: ICANN, Internet Governance

If you are a new gTLD applicant, or if you follow ICANN, or if you just like being in a constant state of confusion, then the recent barrage of ICANN activity has probably been enough to make your head spin. Let's take a look at what we have hurtling towards us, like an out-of-control asteroid, in the next month:

March 5 – Public Interest Commitment (PICs) Due

If you are a new gTLD applicant, then you have been asked to indicate which parts of your application you will incorporate into the registry agreement as binding commitments, or to identify additional commitments that are not part of your application but which you intend to incorporate as a binding commitment into the registry agreement. To muddy the waters, ICANN has clearly stated that you are not required to submit a Public Interest Specification, if you do not wish to incorporate a binding commitment into the registry agreement. But in a recent letter from the NTIA, ALL applicants are encouraged to participate.

March 13 – New gTLD Formal Objection Period Closes

Of course we don't have important information from the Governmental Advisory Committee (GAC), or even know whether the applications have passed Initial Evaluation, but let's not let that stop us from being forced to file Formal Objections.

March 14 – Reply Period on Policy v. Implementation Closes

Undoubtedly, it is a little concerning that ICANN cannot delineate between what is "Policy" and what is "Implementation" — but at least they are asking for feedback from the Community to help drive discussions scheduled to occur at the ICANN meeting in Beijing.

March 20 – Reply Period on Revised New gTLD Registry Agreement Including Additional Public Interest Commitments (PIC) Specification Closes

As the PIC Specifications are to have been submitted well-ahead of this date, not sure what purpose these comments will serve. That said, the proposed new gTLD registry contract has already received harsh criticism from a number of Community members during the initial comment period. It isn't clear how ICANN will move forward in the face of such clear opposition.

March 26 – Trademark Clearinghouse Begins Accepting Submissions

Assuming that the Trademark Clearinghouse is accepting submissions by March 26, ICANN will have delivered on its promise that it would be launched in Q1, 2013 — barely. Will it work as expected? That remains to be seen, as some implementation details are still being ironed-out.

Is That All?

And if all of this isn't enough to track, don't forget to be on the lookout for: guidance from the GAC which has now been delayed according to a recent announcement, updates from the Expert Working Group on gTLD Directory Services and the Accountability and Transparency Review Team, published list of new gTLD contention sets and who knows what else. Oh, and if you're a new gTLD Applicant, don't forget to answer those Clarifying Questions.

Written by Elisa Cooper, Director of Product Marketing at MarkMonitor

Follow CircleID on Twitter

More under: ICANN, Top-Level Domains

ICANN is looking to set up two new hubs in Singapore and Istanbul to serve the Asia-Pacific, and Europe, Middle East and Africa (EMEA) markets. "Asia has not been well-embraced by ICANN in the past. We owe Asia a big apology," Fadi Chehade, CEO of the organization responsible for administrating the world's Web traffic, said in an interview with ZDNet. Prior to his visit in the city-state, Chehade said he had been travelling this week to China, South Korea, and Japan to share how ICANN planned to grow its Asian presence.

Follow CircleID on Twitter

More under: ICANN

ICANN is looking to set up two new hubs in Singapore and Istanbul to serve the Asia-Pacific, and Europe, Middle East and Africa (EMEA) markets. "Asia has not been well-embraced by ICANN in the past. We owe Asia a big apology," Fadi Chehade, CEO of the organization responsible for administrating the world's Web traffic, said in an interview with ZDNet. Prior to his visit in the city-state, Chehade said he had been travelling this week to China, South Korea, and Japan to share how ICANN planned to grow its Asian presence.

Follow CircleID on Twitter

More under: ICANN

Kevin Murphy reporting in Domain Incite: The National Telecommunications and Information Administration said today that all new gTLD applicants, even those that have not already been hit by government warnings, should submit Public Interest Commitments to ICANN.

In a rare comment sent to an ICANN public forum today, the NTIA suggested that applicants should use the process to help combat counterfeiting and piracy. ... NTIA said that applicants should pay special attention in their PICs to helping out the "creative sector".

Follow CircleID on Twitter

More under: ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

Kevin Murphy reporting in Domain Incite: The National Telecommunications and Information Administration said today that all new gTLD applicants, even those that have not already been hit by government warnings, should submit Public Interest Commitments to ICANN.

In a rare comment sent to an ICANN public forum today, the NTIA suggested that applicants should use the process to help combat counterfeiting and piracy. ... NTIA said that applicants should pay special attention in their PICs to helping out the "creative sector".

Follow CircleID on Twitter

More under: ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

Lesotho IXP setup. Photo Credit: ISOC/Michuki MwangiThe Internet Society today announced that it has been awarded a grant by Google.org to extend its Internet exchange point (IXP) activities in emerging markets. The grant will build on the Internet Society's previous efforts and will establish a methodology to assess IXPs, provide training for people to operate the IXPs, and build a more robust local Internet infrastructure in emerging markets.

IXPs play an important role in Internet infrastructure that allows Internet service providers (ISPs) and other network operators to exchange traffic locally and more cost effectively, which can help lower end-user costs, speed-up transmissions, increase Internet performance, and decrease international Internet connectivity costs. The Internet Society and Internet technical experts have been working for several years to bring IXPs to emerging markets. These efforts have resulted in locally trained experts and facilitated the development of local and regional technical infrastructures. An additional benefit of IXP development is the expansion of community governance models as well as building local Internet expertise.

Google.org, a team within Google focused on social impact, develops and supports technology solutions that can address global challenges, such as expanding Internet access to more of the world's seven billion people.

"The Internet Society has proved to be one of the most effective institutions in the Internet community," said Vint Cerf, vice president and Chief Internet Evangelist at Google. "I am confident that they will apply their grant wisely to extend their work to increase Internet access for everyone, including those in emerging markets."

Lynn St. Amour, President and CEO of the Internet Society, stated, "We are very excited to receive this grant from Google.org. With support to extend our IXP development and improvement projects, we can more quickly bring core Internet infrastructure to underserved countries and assist in building key human and governance capabilities. We will also be able to extend the Internet Society's mission to ensure the open development, evolution, and use of the Internet for the benefit of people everywhere. We look forward to working with Google.org, and we are committed to collaborating with Internet community partners around the world on this important project."

Follow CircleID on Twitter

More under: Access Providers