CircleID posts

Syndicate content CircleID
Latest posts on CircleID
Updated: 17 weeks 4 days ago

Fourth Round of Initial Evaluation Results for New TLDs

Mon, 2013-04-15 17:58

Mary Iqbal writes to report that ICANN has released the fourth round of Initial Evaluation results, bringing the total number of applications that have passed the Initial Evaluation phase to 131. ICANN is targeting completing Initial Evaluation for all applicants by August 2013. To learn more, see http://www.getnewtlds.com/news/Third-Round-of-Initial-Evaluations.aspx.

Follow CircleID on Twitter

More under: ICANN, Top-Level Domains

Categories: Net coverage

SPECIAL: Updates from the ICANN Meetings in Beijing

Fri, 2013-04-12 19:43

CircleID, once again, in collaboration with the team from Dyn Inc. and ICANN Wiki, brings you video blogs and updates from the 46th ICANN meeting in Beijing, China (7-11 April 2013).

Stay tuned as we keep this page updated through out the meetings.

Comments and questions? Please post them below in the comment section of the page or send us an email.

* * *

Update / Apr 12, 2013 — Ray King of ICANNWiki talked with Ben Crawford, CEO of CentralNic.



Update / Apr 12, 2013 — Dyn's Rich Peterson talked with UNH School of Law's Mary Wong.



Update / Apr 12, 2013 — As part of our ICANN 46 coverage, Ray King of ICANNWiki chats with Chuck Gomes, a member of the Registries Stakeholder Group.



Brought to you in partnership with Dyn Inc and ICANN Wiki. Please add your feedback and suggestions using the comment form provided on this page or contact us directly.

Video Coverage of past ICANN meetings:
ICANN 44 Meetings in Toronto
ICANN 44 Meetings in Prague
ICANN 43 Meetings in Costa Rica
ICANN 42 Meetings in Dakar
ICANN 41 Meetings in Singapore
ICANN 38 Meetings in Brussels
ICANN 37 in Nairobi, Kenya
ICANN 36 in Seoul, South Korea
ICANN 35 in Sydney, Australia
ICANN 34 in Mexico City

Follow CircleID on Twitter

More under: Domain Names, ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

Categories: Net coverage

DNS Bug Disclosure: ICANN Releases New Guidelines

Fri, 2013-04-12 01:01

The Internet Corporation for Assigned Names and Numbers (ICANN) has released new guidance concerning the reporting and disclosure of bugs that affect the Domain Name System, including information of how ICANN itself will behave in response to vulnerabilities.

Until recently, ICANN, which is responsible for maintaining the root domain servers at the heart of the DNS system, had no specific guidelines for the reporting of vulnerabilities, leaving responsible disclosure protocols up to the researchers who discovered the bugs. With the release of the Coordinated Vulnerability Disclosure Reporting [PDF] document they hope to instigate a more unified and consistent process for disclosure.

The guidelines are intended to:

"define the role ICANN will perform in circumstances where vulnerabilities are reported and ICANN determines that the security, stability or resiliency of the DNS is exploited or threatened. The guidelines also explain how a party, described as a reporter, should disclose information on a vulnerability discovered in a system or network operated by ICANN."

The document outlines procedures that ICANN will follow in various roles, including as an affected party, where the vulnerability directly impacts ICANN's operations; as a reporter, when ICANN researchers discover vulnerabilities; and as a coordinating party.

Security vulnerability reporting is a controversial topic, with some researchers advocating immediate full disclosure, and others opting for responsible disclosure where vendors and stakeholders are notified privately before a full release is made only following the patching of relevant software. There is also a thriving black market for security vulnerabilities, where the information is disclosed only to the highest bidder for use in hacking attacks.

As an essential and ubiquitous part of Internet's infrastructure, the security of the Domain Name System is of particular interest to hackers and those engaged in industrial or state-sponsored espionage. ICANN is advocating a system of responsible disclosure with ICANN itself acting as a coordinator in some cases. Bugs that impact DNS can be reported directly to ICANN, who will then inform affected vendors or service providers.

Public disclosure is strongly discouraged until vendors have been informed of the vulnerability and have fixes in place. However, the methodology recommended by ICANN makes it clear that in the case of vendors who fail to respond to attempts at coordination, researchers may choose to disclose vulnerabilities.

None of these recommendations is binding, and researchers are still free to choose how to react to discovered vulnerabilities. However, the creation of these guidelines is a positive move towards a unified and coordinated system for handling security vulnerabilities in the DNS.

Written by Evan Daniels

Follow CircleID on Twitter

More under: DNS, ICANN, Security

Categories: Net coverage

New TLDs: Time For a Do-Over on Plural Similarity

Thu, 2013-04-11 18:13

Mandarin is a tricky language, but ICANN may want to learn the expression chóngfù before leaving the Beijing meeting. Chóngfù means "do-over" and that's what ICANN needs to forestall an entirely preventable disaster in the delegation of new top-level domains (TLDs).

The issue of "string similarity" seems straightforward. Nobody inside ICANN or out there in the real world wants Internet users to be confused by new TLDs that are confusingly similar. Imagine hearing an ad offering low rates at car.loans but you encounter something completely different at car.loan instead? And what would stop somebody from launching a new TLD by just tacking an "s" onto popular domains like .com or .org?

The Government Advisory Committee (GAC) is catching a lot of flack for it's Beijing Communiqué, but one thing the GAC got right was its advice that singular/plural strings are confusingly similar.

So how did we get to a point where ICANN inexplicably failed to find confusing similarity for 24 pairs of singular and plural forms of the same words, including .web /.webs, .game/.games, and .hotel/.hotels? More important, how do we fix this?

Chóngfù is hard for westerners to say and will be even harder for ICANN to do.

For starters, a little transparency is probably in order. The string-similarity review process was opaque by design. But many in the community want to know how ICANN's experts either failed to recognize the plurality issue — which would be troubling — or decided that single and plural gTLD strings can successfully coexist — which would be ludicrous.

Thankfully, the World Intellectual Property Organization (WIPO) has basic guidance on similarity: "words used in the singular include the plural and vice versa, as the context may require." That's the kind of common sense ICANN could use to correct the Guidebook and do a quick do-over on those 24 pairs of singular/plural TLDs.

ICANN may get a convenient backdoor out of this dilemma from the International Centre for Dispute Resolution, which is reviewing string confusion objections on seven of the single/plural pairs. If ICDR makes the right ruling, ICANN should apply that rule to all 24 single/plural pairs.

And if all else fails, there's always ICANN's "reconsideration" process for a formal chóngfù.

ICANN's critics at the United Nations and within many governments are waiting for a highly visible misstep in the ambitious expansion of top-level domains. That could be used to justify having governments displace the private sector in its leadership role on growing and governing the Internet.

Better that ICANN find a way to do-over on singular/plurals, than to risk having governments impose a bigger do-over on ICANN itself.

Written by Steve DelBianco, Executive Director at NetChoice

Follow CircleID on Twitter

More under: Domain Names, ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

Categories: Net coverage

Google Does the Right Thing Opening Several Closed Generic TLD Applications

Wed, 2013-04-10 21:03

Over the last few months one of the areas of attention in the new TLD project has been "closed generics". I've written about this several times in the past and I've also raised the issue in as many fora as possible.

Yesterday ICANN published a letter they'd received from Google with respect to several of their new TLD applications.

Whereas Google had made it clear previously that they intended to operate domain extensions such as .blog, .cloud, .search and .app in a closed fashion or "walled garden" this is no longer the case, as outlined in their submissions on the topic of closed generics last month.

The letter, which runs to 41 pages, includes a fairly concise explanation of Google's planned changes as well as the full text of the requested changes to their applications.

So what are they planning to do? Bearing in mind that they've got competition with several of these applications, so there is no guarantee that they'll be even granted to Google.

.search is planned to be a "dotless" domain:

Our goal for .search is to provide an easily-identifiable namespace for firms that provide search functionality and to allow Internet users a unique and simple mechanism to access the search functionality of their choice. Google intends to operate a redirect service on the "dotless" .search domain (http://search/) that, combined with a simple technical standard will allow a consistent query interface across firms that provide search functionality, and will enable users to easily conduct searches with firms that provide the search functionality that they designate as their preference.

I'm not sure how that will look, but it sounds kind of funky.

.app will be for developers of apps

We intend for .app to be a TLD dedicated to application developers. The term "app" is used in a variety of contexts, including mobile applications, browser-based applications and even desktop applications. We intend for the .app TLD to be restricted for use by relevant developer communities, but to be inclusive of the full range of application development communities and not to restrict registration to developers on a particular platform

So "app" will have the widest meaning possible, though how they'll actually "police" that isn't clear. Intent? Use?

.blog is one of the "closed generics" that bugged me the most. I blog. The string describes the content you are expecting to find on the domain. Being forced to use a specific blogging platform in order to access a .blog domain name was not how I'd like to see that extension used.

So Google's latest proposal for .blog is a lot more palatable to me:

We have two principal goals for the .blog TLD. First, users navigating to domains within the TLD should reasonably expect to reach a blog when they access a .blog domain name. Second, it should be simple and easy for .blog registrants to associate their second­level domain with their blog on the blogging platform of their choice. To this end, we are working with others in the blogging community to develop a simple set of technical standards that will allow users to automatically link their domain name to their blog at the time of registration. Registrations within the TLD will be limited to those with blogs adhering to these technical standard.

I'm not sure how this "standard" is going to look or how registrars and hosting providers are going to be able to implement it, but I like the concept.

The .cloud application is the fourth one that Google is planning to tweak:

As with .blog, our goal for .cloud is to create a clear association between .cloud names and projects hosted in cloud platforms, while simultaneously allowing registrants to more easily link domain names with the cloud offering of their choice. We are in the earlier stages of discussions with others in the cloud community, but intend to develop similar technical standards as with .blog

So with Google changing at least some of their applications to be more open and inclusive, will other new TLD applicants see the light and tweak theirs? What about Amazon? Symantec? L'Oreal?

And what about ICANN's board? Will they be able to find a way of dealing with the issue in a fair, transparent and equitable manner?

Written by Michele Neylon, MD of Blacknight Solutions

Follow CircleID on Twitter

More under: Domain Names, ICANN, Top-Level Domains

Categories: Net coverage

Information and Communication Technologies (ICT) Industry Soon to Be Largest Source of Co2 Emissions

Tue, 2013-04-09 22:49

There has been a lot of discussion lately on the environmental impact of the proposed Keystone-XL pipeline that is intended to carry heavy oil from the tar sands in Alberta to refineries on the US Gulf Coast.

I suspect at the end of the day the US government will approve the pipeline as GDP growth and potential job losses will always trump concerns over the environment.

However, the US government has been putting on a lot pressure on Alberta to improve its environmental standards as a quid pro quo for approving the pipeline. In response Alberta is exploring expanding their current CO2 emissions program to a $40/tonne carbon levy. In the past, all of the funds raised by Alberta's carbon emissions program was returned to industry to invest in dubious energy efficiency programs. But Alberta could really have a much more meaningful impact in terms of reducing CO2 emissions, that would more than compensate the emissions from the oil carried in the Keystone XL pipeline, if it invested some of this money into its local universities and R&E network — Cybera.

Although on the production side the tar sands are one of the biggest sources of CO2 emissions, the Information and Communication Technologies (ICT) industry, globally is the fastest growing and soon will be the largest source of CO2 emissions on the consumption side of the equation. ICT emissions are produced indirectly from the coal generated electricity that is used to power all of our devices. Currently it is estimated that ICT consumes around 10% all electrical power growing at about 6-10% per year. According to the OECD and other studies ICT equipment in our home now consumes more energy than traditional appliances.

New studies suggest that the growth in wireless networks could be the single largest component of that growth in CO2 emissions from the ICT sector. In a recent report by the Centre for Energy-Efficient Communications, at the University of Melbourne-based research centre claimed that by 2015, the energy used to run data centres will be a "drop in the ocean", compared to the wireless networks used to access cloud services. The report predicts that by 2015 energy consumption associated with 'wireless cloud' will reach 43 terawatt-hours, compared to 9.2 terawatt-hours in 2012. This is an increase in carbon footprint from 6 megatonnes of CO2 in 2012, up to 30 megatonnes of CO2 in 2015, which is the equivalent of an additional 4.9 million cars on the road, the report states.

More worrisome is another report from Sweden KTH that predicts will need to increase the density of wireless base stations by 1000 times to meet the insatiable demand for the "wireless cloud". If this came to fruition, it would be incredibly huge jump in the demand of electricity by the ICT sector.

The wireless industry in particular is an ideal sector to be powered by local renewable energy sources such as solar panels and windmills. Already many wireless towers in the developing world are powered by renewable energy (but unfortunately often with diesel backup). Because of it is inherently distributed, lower power architecture the wireless industry is ideally suited to be powered by local renewable energy.

I have long advocated that universities and R&E networks are the ideal environment for deploying wireless networks that are powered solely by local renewable power sources. By integrating WIfI and 4G networks with multiple over lapping cells it would be possible to provide seamless service zero carbon wireless services.

For more details see:

High Level Architecture for Building Zero Carbon Internet Networks , ICT products and services

Alberta could be a world leader in deploying such zero carbon networks starting first at universities in partnership with Cybera. The global CO2 impact of developing such technology in terms of removing additional 4.9 million cars from the road would be much greater than expected emissions from the oil to be carried in the proposed Keystone XL pipeline

Additional pointers:

Cloud's real ecological timebomb: Wireless, not data centres

Thousand times greater density of base stations
J. Zander, P. Mähönen, "Riding the Data Tsunami in the Cloud – Myths and Challenges in Future Wireless Access", IEEE Communications Magazine, Vol 51, Issue: 3 (March 2013), pages 145-151 http://theunwiredpeople.com/author/jenz/

Solar powered WiFi allows control of bugs instead of using pesticides

ICT industry on track to be largest sector for CO 2 emissions

Solar Powered DIY Portable HotSpot

More on revenue opportunities for R&E and open access networks – building next generation "5G" wireless network

Written by Bill St. Arnaud , Green IT Networking Consultant

Follow CircleID on Twitter

More under: Access Providers, Broadband, Cloud Computing, Data Center, Wireless

Categories: Net coverage

An Amazing Number - China Now Has 564 Million Internet Users: 75% Are Mobile

Tue, 2013-04-09 18:00

One of the staggering numbers introduced during the opening remarks at ICANN 46 here in Beijing by multiple speakers, including ICANN CEO Fadi Chehade and speakers from the Chinese government, was this:

China now has over 564 million Internet users!

Think about that for a minute.

Most estimates these days are that there are around 2 billion people around the world using the Internet. We have no real way of knowing exactly how many people are online, but the estimate most of us use is "2 billion".

So if we go with that estimate, these latest numbers out of China would mean that China represents around 25% of all Internet users. A rather amazing growth given that the ICANN 46 welcoming remarks also indicated that in 2002 China only had 59 million Internet users.

Less surprising to me was the stated fact that 75% of Chinese users are mobile Internet users. I think most of us can clearly see both in industry trends and in our own personal usage that Internet usage is increasingly moving to a mobile-centric world.

Still, let's think about the scale of that percentage: 75% of 564 million represents 423 million mobile Internet users — about the size of the entire population of the USA and Mexico combined.

A rather huge number of people.

I sat there thinking about those numbers and my mind immediately turned to all of those of us who are publishing content on the Internet. This is yet another sign that mobile consumption of content is increasingly dominant — how well does your website work for mobile users? And while English may be the primary language many of us may use for our websites, how well do those sites work for viewers for whom English is not their main language? And what multi-lingual capabilities does your website have? Or what are you planning to add?

Truly an amazing number of users… and it will only continue to grow!

Written by Dan York, Author and Speaker on Internet technologies

Follow CircleID on Twitter

More under: ICANN, Mobile, Web

Categories: Net coverage

ICANN's NomCom 2-Stage (R)evolution

Tue, 2013-04-09 11:15

ICANN's Nominating Committee (NomCom) is both a strange animal and a precious resource. Having a committee charged with first recruiting, then selecting suitable candidates to hold key positions within ICANN is something that is often little, or even mis, understood. Within the ICANN community itself.

By the very nature of its recruitment role, the NomCom has to remain secretive. About who the candidates are, at any rate. But that doesn't mean the rest of the NomCom's processes must remain so.

The feeling that the NomCom has at times lacked transparency became very evident last year, when the 2012 NomCom Chair Elect — the person chosen by the ICANN Board to be the NomCom Chair for the following year — refused to take up that position.

The ensuing debate, and sometimes stinging criticism, has clearly energised this year's NomCom to execute significant changes. Under the auspices of the 2013 NomCom Chair Yrjö Länsipuro, blessed with both information sharing and people skills (he was a journalist and a diplomat), the NomCom has significantly changed its approach.

A general 2-stage transition has been initiated. Stage 1 is becoming more transparent. Stage 2 should be looking at the actual recruitment processes used by the NomCom to ensure that high-level candidates do not baulk at the complexities of filling in online application forms and dealing with the application system.

Since the start of the 2013 NomCom's tenure, the committee has been putting out a Report Card after each of its official meetings. This is the first time ICANN's NomCom has produced written accounts of its meetings.

History was also made at the ICANN Beijing meeting this week, where the NomCom has scheduled several open meetings, including its main planning meeting. This is the first time that the NomCom's deliberations have ever been held in public to such an extent.

These are important steps towards for what is a crucial committee for ICANN because it is designed to help bring new blood into the ICANN universe, which otherwise might be in serious danger of sclerosis.

Written by Stéphane Van Gelder, Chairman, STEPHANE VAN GELDER CONSULTING

Follow CircleID on Twitter

More under: ICANN, Internet Governance, Policy & Regulation

Categories: Net coverage

Evolving ICANN Carries Great Promise for Internet Users

Mon, 2013-04-08 22:30

The headlines out of ICANN's meeting in Beijing may be all about new domains, but it is the quiet, systemic evolution of ICANN itself that holds the greatest promise for Internet users globally.

ICANN President Fadi Chehadé opened the meeting by announcing that it was ICANN's "season to evolve," and setting forth a series of programs, restructuring efforts and policy initiatives intended to make ICANN more responsive to the needs of its stakeholders, and by extension, to the needs of all Internet users, everywhere in the world.

Mr. Chehadé's ambitious agenda provides a unique opportunity for ICANN to holistically review and strengthen its role in upholding the safety of Internet users.

Historically, ICANN's focus has been on Internet security almost to the exclusion of Internet safety. During the early stages of ICANN's evolution this narrow focus on security was both natural and likely necessary, given the organization's resources and scope.

The threats against the Internet's core technical infrastructure are significant, and ICANN's work in mitigating them is critical. But as ICANN's scope and resources expand, so to does its obligation to address the more granular threats to Internet users that arise from systemic abuse and exploitation of the Domain Name System.

Global cybercrime is at an all-time high, and shows no signs of abating. An independent study conducted by eight researchers for the U.S., UK, Germany, and the Netherlands presented at the Workshop on the Economics of Information Security (WEIS) 2012 placed the global cost of cybercrime at just over $225 Billion per year. And it could get much worse — a 2012 survey by the National Cyber Security Alliance (NCSA) and digital security firm Symantec showed the 83 percent of U.S.-based small businesses have no formal cybersecurity plan, even though the 2011 NCSA/Symantec survey showed that cyberattacks cost small and medium-sized business an average of $188,242. Almost two-thirds of the victims were shut down within six months after the attack.

The vast majority of the fraud and scams conducted by international cyber-syndicates shares a common characteristic of gaming the openness and accessibility of the Internet's addressing system to exploit the most vulnerable users.

Within its existing technical scope, ICANN has a tremendous platform to address these significant safety challenges. Simply enforcing existing contract terms with registrars and registries could have a dramatic global impact on cybercrime. Strengthening those contracts, and their enforcement mechanisms, would only magnify that effect.

ICANN is already making significant strides in the right direction. The new registrar accreditation agreement seems to hold great promise for Internet users globally, as does the registrants "bill of rights and responsibilities" that Chehadé discussed in his speech.

But part of ICANN's evolution should be systematizing these efforts so that Internet safety is not addressed piecemeal, but as part of a broader effort to address the safety needs of Internet users, including the millions who lack the wherewithal to participate in ICANN's policymaking process.

When the ICANN community sets its will to something, history demonstrates that it can be remarkably effective at accomplishing it. We've seen that in its strides on Internet security, and will likely have another demonstration soon in the form of new gTLDs.

If the community can embrace the Internet safety challenge with the same vigor with which they approached new gTLDs, we will look back years from now and mark the critical importance of ICANN's "season to evolve."

Written by Tom Galvin, Executive Director at Digital Citizens Alliance

Follow CircleID on Twitter

More under: ICANN, Internet Governance, Security

Categories: Net coverage

Total Domain Names Pass 252 Million Worldwide

Mon, 2013-04-08 20:15

More than six million domain names were registered in the fourth quarter of 2012, bringing the total number to more than 252 million domain names worldwide across all top-level domains (TLDs) as of Dec. 31, 2012, according to the latest Domain Name Industry Brief from Verisign. The increase of 6.1 million domain names globally equates to a growth rate of 2.5 percent over the third quarter of 2012, and marks the eighth straight quarter with greater than 2 percent growth. Worldwide registrations have grown by 26.6 million, or 11.8 percent, year over year.

Follow CircleID on Twitter

More under: Domain Names

Categories: Net coverage

How Will Banks Ensure the Safety of Our Money? DDoS Attacks on NL Banks

Mon, 2013-04-08 16:37

This week bank costumers of The Netherlands were shocked when they realised that online banking may not be as safe as they thought. Perhaps some were surprised to hear that what they think is money, is nothing but digits, something that does not exist. Their money only exist because we all act as if it exists and accept transactions between each other aided by software run by banks, if they haven't outsourced that function. The good people found out the hard way that by, in this case involuntarily, changing a few digits, their money just disappeared (and some became millionaires without being able to access this money).

The next day new malfunction of banks' websites were reported. For the first time it was openly admitted that all our banks' and payment intermediary iDeal's website were down, due to an attack in the form of a DDoS attack, making the website of the respective banks unreachable for regular traffic. The assailants tried to log in also.

This resulted in headlines, Tweets, blogs and opening news items, the one at the 8 o'clock news on the public channel ending with: "in the USA this happens nearly every day". In the following I'd like to take a look at a few related comments, a tweet by a politician, before coming to some questions. The main one reflects the title most: "Who's responsible for cyber security?"

Public outcry

If anything the chaos or perceived chaos in banking transitions led to angry or confused people, famous short fuses and loads of attention from the media. The cyber security world is waiting for years for a major cyber incident. One causing great damages, in the hope governments and companies start moving in the right direction. Some experts are even totally resigned to this way of thinking. This is not that incident. Sure, it shocked end users, led to some reactions from politicians, but in the end nobody seems to have lost money and there are so many other issues calling out for attention.

The news

Tax evasion
In the past week high level tax evasion by multi nationals, top-executives, politicians, etc., let's say the top of societies, was prominent in the news. A conclusion in a column in NRC Handelsblad stated, to this problem decisions at world level are needed. (If I'm cynical, look at the list at the start of this section and ask yourself the following question: Who decides on worldwide solutions?) What struck me, also, is that this is the exact same conclusion that is derived at when talking about Internet governance, international cooperation against cyber crime, spam and malware enforcement, etc., etc. In short, what I recently heard someone call "the glass ceiling of Internet governance". Most discussions stop here. Another variant to this discussion is: "we need to break own silos!". Okay, but who is "we"? Is someone made responsible for this breaking down, silos or ceilings? What are the right questions to ask here? Questions that lead to answers that could take the discussion forward and actually change the outcome? A topic for the upcoming IGF in Bali I'd say.

The near future
The comment in the 8 o'clock news cited above, caught my attention most. "This happens nearly every day in the US". I read somewhere that 267 out 365 days there were problems accessing major banks' websites. In other words this is something we are to expect also? Are there contingency plans? Do governments allow that payments can't be made (parts of) 267 days in the year? The economic impact is gigantic. Does it matter then whether the attacks stem from criminals, free speech advocates, "fun hackers" or state-to-state activities? I'd say not.

How can banks ever guaranty the safety of our money?
...is the question Dutch parliamentarian Kees Verhoeven (D66) asked on Twitter. (This is the Tweet: "Heftig. De storing blijkt nu een #DDoS aanval! De vraag is hoe banken de veiligheid van ons geld kunnen blijven garanderen. #cybersecurity"). I responded to him that this was totally the wrong question to ask. There is nothing banks can do against DDoS attacks, beyond preventive measures. The attackers, the tools they use, the infected PCs and other devices used, the command and control servers hosted anywhere in the world, are all far beyond the control of banks. As long as banks run state of the art security measures (even if they don't), they are victims and not attackers. Perhaps the banks need support from other entities on and around the Internet to solve this problem.

The tools used are infected PCs of end users, companies, governments, industry, etc. and other devices like smart phones, smart TVs, up to a hacked chip in your cat's collar (and this is no joke). There are a million reasons why these devices are infected. From irresponsible use by end users, flawed software, a lack of security by design in anything with "i" in front if it, negative incentives to deal with botnet mitigation or notice and take down requests, a lack of understanding in general, right up to a lack of government regulation, enforcement or incentives. All measures or better a lack of measures, banks have no influence over at all. They have an influence over the quality of the products they buy themselves in the future, over internal policy and security measures and perhaps they can reach out more to discuss Internet governance actively, which I advice them to do, but it stops there.

So, taking this all in, can banks guarantee the safety of our money? Answer this question yourself and continue to ask yourself the question who is responsible for cyber security? A virtual plethora of parties involved and where to start? What I have to conclude is that almost every single decision is to be made in the private sphere. In a competitive world. Where does that leave governments? Where does this leave decisions consciously made with the common good in mind?

So, who's responsible?

I'm not going to answer this question here. Those who follow me on my blog, here on CircleID or read my articles in Virus Bulletin know my points of view. What I'd like to ask you is to think about this question for one minute and share your thoughts with me here on within an(y) other context. It may just get a discussion going.

Written by Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement

Follow CircleID on Twitter

More under: Cyberattack, Cybercrime, DDoS, Internet Governance, Security

Categories: Net coverage

Third Round of Evaluation Results for New TLDs

Sun, 2013-04-07 18:50

Mary Iqbal writes to report that ICANN has released the third round of initial evaluation results, bringing the total number of applicants to pass Initial Evaluation to 93. ICANN has now completed the initial evaluation of all but 13 IDN Top Level Domains. To learn more, see http://www.getnewtlds.com/news/Third-Round-of-Initial-Evaluations.aspx.

Follow CircleID on Twitter

More under: ICANN, Top-Level Domains

Categories: Net coverage

Much Ado About Nothing

Sat, 2013-04-06 19:42

Much ado about nothing; why the Uniregistry request for antitrust immunity is meaningless and its conclusions misleading

With much fanfare last month, Uniregistry announced that proposals for dispute resolution between New TLD applicants in lieu of ICANN's so-called "Auction of Last Resort" posed significant antitrust risks. Their claim of concern was not based on any critical antitrust analysis, but rather on the fact that they had sought a "Business Review" letter from the Antitrust Division of the U.S. Department of Justice (DOJ), and, according to Uniregistry, the DOJ failed to provide them a positive response and discussed the issue with them.

I am a former trial attorney in the DOJ Antitrust Division and the former Policy Director of the Federal Trade Commission (FTC). At the FTC, I was in charge of the business review letter process and authored several of these letters. The specter of concern raised by Uniregistry is based on a misinterpretation of the business review process and not sound antitrust analysis.

Uniregistry suggests that simply the fact that they failed to receive a positive response from the DOJ suggests that enforcement action is likely. That is hardly the case. The DOJ has very high standards for issuing business review letters. Review letters are typically only issued where the facts and the law are fairly clear cut and demonstrate that there are no potential competitive concerns raised by the proposed conduct. Because of these very high standards, the DOJ typically receives numerous review letter requests, but issues only two or three business review letters a year. The fact they did not grant Uniregistry's request did not mean the conduct raised substantial competitive concerns. In my experience, it simply means that the DOJ lacked the unambiguous compelling facts to say that there were no competitive issues.

If the DOJ saw some potential competitive problems it would have responded with a letter articulating those concerns. In fact, one week after the Uniregistry announcement, the DOJ did exactly that, turning down a business review request on a patent exchange system because of potential competitive concerns. See http://www.justice.gov/atr/public/press_releases/2013/295147.htm. The DOJ's failure to respond formally to Uniregistry certainly does not support the allegation that they have competitive concerns over the dispute resolution system.

Contrary to Uniregistry's suggestion, the DOJ's refusal to issue a positive letter does not suggest the conduct at issue is likely to lead to antitrust enforcement. If the DOJ thought there were competitive concerns sufficient to bring enforcement action, its procedures instruct that they would respond clearly in that fashion. Rather, according to Uniregistry, they simply responded that the conduct is not wholly immune from scrutiny. Stated another way, the failure to secure a business review letter does not mean the DOJ is likely to bring a law enforcement action. Indeed, in over 40 years there has never been a case where a rejected business review letter request led to an enforcement action, even when the DOJ has suggested that the conduct at issue could potentially present antitrust issues.

Moreover, the key to any analysis of proposed conduct from the perspective of the antitrust laws is whether consumers or other parties may be harmed by the conduct at issue. In this case, it seems fairly unambiguous that ICANN will not be harmed by the dispute resolution system. In fact, they designed the dispute resolution system pursuant to which they encourage applicants to engage in dispute resolution in order to avoid the ICANN auctions. Indeed, there never has been a successful antitrust case brought where the alleged plaintiff was the party that actually designed the restraints at issue.

Uniregistry's request was unusual in another important respect. Typically business review letters are requested by the parties proposing the conduct or those that have created the arrangement, but in this case ICANN did not go to the DOJ. A critical part of any analysis of a proposed arrangement is the "purpose and intent," but Uniregistry was in no position to answer those critical questions.

In any case, regardless of how Uniregistry might want to interpret DOJ's non-action, there's little antitrust risk posed by anticipated private auctions or the registry dispute resolution system as a whole. First, as suggested earlier, the only entity that could be harmed by the system is ICANN, which designed the system. ICANN effectively cannot be harmed by this system, and this is key, as it is deliberately avoiding any type of revenue from the auctions of these new registries. Second, the dispute resolution system cannot harm consumers. There is no fashion in which the method of dispute resolution ultimately would lead to higher prices or less innovation or output. Without some clear-cut harm to consumers, it is difficult to fathom any antitrust violation. Third, the dispute resolution system is akin to many types of joint ventures that have been approved by the DOJ in which competitors have collaborated in order to improve how the market works. The ultimate question asked by the DOJ is whether a system helps to make markets function more effectively and certainly the ICANN dispute resolution system, including private auctions, would meet that requirement.

Finally, although Uniregistry or others might be able to envision some other form of dispute resolution system, it is not the DOJ's role to engage in economic policy engineering and suggest how ICANN should restructure those rules. They simply are obligated to stop conduct that will harm consumers through higher prices or less innovation. The current ICANN dispute resolution system does not pose these risks; that is why antitrust enforcement would be highly unlikely. Any suggestion otherwise is most likely just in Uniregistry's business interests.

Written by David Balto, Antitrust Lawyer

Follow CircleID on Twitter

More under: ICANN, Law, Top-Level Domains

Categories: Net coverage

ICANN 46 Starts This Week In Beijing - Remote Participation Is Possible

Sat, 2013-04-06 18:27

The 46th meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) takes place this week in Beijing, China, and will bring together leaders from all over the world to discuss and debate a wide range of issues related to domain names and the surrounding industry. One can expect that the new gTLDs, a topic frequently discussed here on CircleID, will naturally consume a great amount of the discussion at ICANN 46. The main site for the event can be found at:

http://beijing46.icann.org/

and the full schedule of events can be found at:

http://beijing46.icann.org/full-schedule

A great aspect of ICANN meetings is that most of the meetings have some mechanism for you to view the meeting remotely. If you go into any of the sessions on the schedule, you will see remote participation links — often for both high and low bandwidth connections. In my experience, many sessions are also recorded for later viewing.

Do keep in mind that all times are local to Beijing which is UTC+8 and may not work with your viewing schedule. For instance, there is a 12-hour difference from the eastern US where I live and as a result a session that starts Monday at 9am will be starting Sunday night at 9pm for people in the eastern US..

In the midst of all the more business-focused discussions around domain names and governance questions, there are also some excellent technical tracks. I will be in Beijing specifically for the excellent DNSSEC Workshop and related sessions, as well as attending the IPv6 workshop.

I'm looking forward to the ICANN 46 event — if you will be there, too, please do feel free to say hello. You can pretty much expect to find me in any sessions related to DNS security.

P.S. If you are interested in the views of my employer, the Internet Society, on the events happening at ICANN 46, a few of my colleagues prepared the "Internet Society's Rough Guide to ICANN 46's Hot Topics” that outlines what the organization will be watching and participating in over the next week.

Written by Dan York, Author and Speaker on Internet technologies

Follow CircleID on Twitter

More under: DNS, DNS Security, ICANN, Internet Governance, Top-Level Domains

Categories: Net coverage

Networks Announcing IPv6 Over Time: A Short Update

Fri, 2013-04-05 13:29

We regularly check the status of IPv6 deployment in the RIPE NCC service region, and in other service regions as well. One way to measure IPv6 deployment is to look at the percentage of networks announcing IPv6 prefixes and follow the developments over time.

The RIPE NCC's IPv6-ASN graph shows the percentage of networks that announce one or more IPv6 prefixes in the global routing system. Having an IPv6 prefix visible in the global routing system is a required step for a network to actually start exchanging IPv6 traffic with other networks. The interactive graph allows you to specify the countries or service regions you are interested in, which can make for some interesting comparisons.

The graph below shows the percentage of networks announcing IPv6 prefixes in each Regional Internet Registry's (RIR) service region over the last few years.

It is interesting to see that the percentage of networks announcing IPv6 address space in the APNIC and the RIPE NCC service regions continues to increase steadily. Both of these RIRs have reached IPv4 exhaustion (in 2011 and 2012 respectively) and are currently allocating from their last /8 block of addresses.

It is also encouraging to see that the percentage of IPv6-enabled networks in the ARIN service region, which is projected to be the third RIR to reach its last /8 of IPv4 addresses, is also increasing. On the other hand, the percentage of IPv6-enabled networks in the Lacnic and the AFRINIC service regions appears to have stopped growing. For the Lacnic service region this number even fell a little over the last few months. Despite the absolute number of IPv6 announcing networks growing from 388 to 399 since the beginning of 2013, this growth was outpaced by the total growth of networks in the service region that are visible in the global routing system, which resulted in a total percentage decrease from 15.5% to 15.0% for this period. Even though this might not be a surprise, it's reassuring to see that in regions where IPv4 exhaustion has occurred, there is a steady growth in the percentage of networks announcing IPv6 address space.

If you find other interesting comparisons between countries or regions, please comment below! You can find more information and statistics on RIPE Labs.

Note that this article is based on work done by Emile Aben, System Architect at the RIPE NCC.

Written by Mirjam Kuehne

Follow CircleID on Twitter

More under: IP Addressing, IPv6

Categories: Net coverage

Ignore The Chicken Littles: Let's Give New Web Domains a Try

Fri, 2013-04-05 13:07

As part of the new domain initiative launched by the Internet Corporation for Assigned Names and Numbers, established businesses and speculators have filed applications for a wide range of top-level domains — from .amazon to .garden. While some applications would make new web domains open to any qualified applicants, others propose a "single registrant" model that would allow only one company to use the new top-level domain.

Before the experiment has gotten off the ground, some critics have expressed concern about applications to operate domains referring to a "generic" product or service, like .car, .book, or .app. News reports indicate that Microsoft and other Google competitors have filed complaints about Google's applications, while authors' organizations have raised questions about some of Amazon's applications. These complaints assert that giving these applicants the right to operate these new domains would provide an unfair competitive advantage.

ICANN shouldn't worry, however. The sky isn't falling.

Granting Google, Amazon or any other company "single registrant" gTLDs does not threaten the competitive online ecosystem.

First, the "competitive advantage" (or value) any company can achieve from these gTLDs is uncertain. Previous TLD offerings like ".biz," ".mobi," or ".info" failed to draw large numbers of websites despite extensive promotional efforts. In fact, repurposed country code TLDs — including .ly (Libya), .me (Montenegro) and .co (Colombia) — earned their popularity unexpectedly.

To put a finer point on it — most alternative domains have flopped. Because of the highly uncertain value of new gTLDs, many of the concerns levied against bidding companies like Google and Amazon, which have applied to manage dozens of gTLDs, are completely speculative. Companies are bidding because they think there might be opportunities in new domains — but history suggests they will have an uphill battle. There is no evidence to suggest a genuine likelihood of harm to Internet users or the online ecosystem.

Second, the existence of alternative web domains will not disturb the fundamental openness of the Internet. Amazon's use of the .book domain to market the latest bestsellers would in no way block any other bookseller from using a different domain to do the same. In fact, the use of .book does not seem to provide a company any kind of competitive advantage against its business rivals.

Despite linguistic confusion, there is no relation between an exclusive right to a domain and a "monopoly" over a specific economic market. Users can easily navigate to any site based on its quality, whatever its domain name. Sites that grow popular do so because of how well they meet their users' needs, not because of their domain name.

Moreover, users today often rely on search engines to get where they want to go, rather than typing URLs out. There is even a term for such searches: "navigational searches." Terms relating to Facebook including "Facebook.com" or "Facebook login," for example, represented 5.62% of all searches conducted online in the United States, according to the information analytics firm Experian. If Facebook is on .com, .facebook, or .socialnetwork, people will be able to find it.

Finally, many of the worries about Google's control over certain gTLDs have already been addressed. Google changed its applications for the .search, .app, .blog, and .cloud gTLDs so that the domains would be open to qualified sites, not just Google products. Others of its applications, including .map and .fly, were already drafted to be open for qualified sites. This means that if MapQuest wants to use mapquest.map, Wordpress wants to use wordpress.blog, or Yahoo! wants to operate yahoo.search, all will be free to do so.

Google's competitors also contend that Google has the incentive to tweak its search algorithm to favor any site on a Google domain. Google has already pledged not to do this. Further, Google has little financial incentive to make its results less relevant to users, because some users would switch to other search engines.

If ICANN's experiment is successful, it has the potential to generate tremendous value for companies and offer users a better online experience. Existing companies will be able develop domains centered on their brands to draw more customers and enhance their business performance. Operators crafting new business models for these domains may also improve how users interact on the web. As ICANN's At Large Advisory Committee observed, "there may be innovative business models that might allow a closed TLD to be in the public interest."

While the benefits remain uncertain, the harms are clearly exaggerated and should find a home at a new domain called .premature.

Written by Marvin Ammori, Fellow at the New America Foundation, Lawyer at The Ammori Group

Follow CircleID on Twitter

More under: Domain Names, ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

Categories: Net coverage

Just How Big is China's Cable and TV market?

Fri, 2013-04-05 01:35

The numbers are big. Official figures quoted at the recent 21st annual China Content and Broadcasting Network (CCBN) conference indicate that China has 400 million TV households, of which 210 million subscribe to cable TV (CATV). Of these cable subscribers, 140 million receive digital service while the rest are still on analog systems. This means that the country's CATV network is still largely a one-way network, limiting the growth of on-demand and interactive services. Compared to broadband offered by the dominant telecom operators — China Telecom and China Unicom — the country's CATV high-speed Internet service is tiny at a mere 5.64 million subscribers in total.

Theoretically, China's unique CATV industry is organized in a four-layer hierarchical structure. First, there's the nationwide network. Secondly, each of the country's thirty-odd provinces runs its own CATV network. Then each municipality owns a cable network, and finally, each county below the municipality level runs its own network. In reality, this structure is not always so fixed, as some government levels merely perform administrative functions while others actually own a physical network of services. Even so, there are still thousands of CATV operators in China and almost all of them are owned or partly owned by some level of government.

The country is currently undergoing a major effort to consolidate CATV networks. The first step is to consolidate all networks up to the provincial level, so that each province will run a connected cable network by merging and unifying the networks within its provincial territory. The aim of this is to provide a foundation of operational scale and reach. Leading the effort is the State Administration of Radio, Film, and Television (SARFT), the government regulator that sets state policies and regulations for these industries. Each CATV operator is owned by the respective administrative branch of SARFT, so in essence, the regulator is the operator.

This consolidation is part of China's Next Generation Broadband (NGB) initiative. It involves an upgrade of the country's CATV systems to two-way transmission and the deployment of a distributed conditional access system to deliver high-definition TV, 3D TV, Ultra HDTV, and multimedia. The NGB will enable China to move towards an all-digital, all-IP world. By the end of this year, the aim is to turn 50% of all networks above the municipal level into all digital and IP services, and by 2015, for 80% of all networks to feature two-way services. China's CATV industry is also expected to grow from the current 28 high-definition channels and one 3D channel to at least 100 HD channels and 10 3D channels by 2015.

There is still a proliferation of Ethernet over cable (EoC) but DOCSIS has gained ground recently through what is known as "C-DOCSIS". This localized version of DOCSIS architecture pushes the traditional CMTS further to the edge of a Converged Media Converter (CMC) to deliver bandwidth to some 300 homes more cost-effectively than a CMTS.

All in all, the country is gearing up for delivering the 4As: anywhere, anytime, any device, and any content. Multi-screen access to content is a priority. Although the market is big, it can be confusing for equipment vendors and revenues can be elusive. Layers of bureaucracies, shifting priorities and timelines, and intricate distribution channels have contributed to market inefficiencies that hinder the growth of this industry. Cable in China is caught between the need to provide a commercial service and adhere to its function as a governmental branch that has to carry out state goals and priorities.

Written by Will Yan, Senior VP, Worldwide Sales at Incognito Software

Follow CircleID on Twitter

More under: Broadband, IPTV

Categories: Net coverage

Hints and Solution for the Protection of Wine Geographical Indications in the ICANN New gTLD Program

Wed, 2013-04-03 21:51

This article is a copy of a letter sent today, 3 of April 2013, to the attention of Mr Fadi Chehadé, CEO of ICANN and other members of the ICANN board. Protecting wine Geographical Indications in the new gTLD program is a problem. This letter is also an article providing hints for the protection of Wine Geographical Indications in the ICANN new gTLD program.

* * *

Dear Mr Fadi Chehadé, CEO of ICANN,

As a person involved - since 2008 - in the wine domain names that have just been introduced by the ICANN new gTLD program, I have been very happy to point out that there were 4 new gTLD applications posted on Reveal Day, June the 13th 2012: 3 applications for the .wine Top-Level Domain (in English) and one for .vin (in French).

Even if these applications are standard ones, it shows there is definitely a Wine community on the Internet.

Project dotVinum was set-up to open the discussion, inform about, promote wine domain name extensions to the public in multiple languages (.wine, .vino and .vin) and launch wine Registries. The aim of the project remains what it always has been: offer wine domain names, protect the wine industry and users publishing wine related content on their web site, protect brands and wine Geographical Indications.

A few things the board, the Independent Objector and the ICANN Ombudsman should remember prior to reading more about this article:

  • The OIV (International Organisation of Vine and Wine) posted 4 public comments regarding Geographical indication in the wine sector as well as many other organizations: 38 public comments for .WINE and 9 for .VIN;
  • In November 2013 a GAC early Warning was issued by the French Government on .VIN regarding the implementation of an objection procedure to safeguard the protection of geographical indications;
  • A GAC Early Warning was also issued by The Government of Luxembourg for .VIN; In March the 12, President of the European Federation of Origin Wines sent a letter to the ICANN board with object: "ICANN initiatives for the attribution of new generic top-level Internet domains - PDO and PGI wines' concerns".
  • Today, 3 of April 2013, I send ICANN this letter.

1) Geographical Indications and Appellations of Origin are easy to protect: stick to the official databases

Wine is specific regarding the question of protection because protecting the wine community is not only a matter of protecting brands and Country and Territory Names as specified in "Specification 5" from the Applicant Guidebook. Avoiding a third party to register a "monbazillac.wine", a "toro.wine", a "champagne.wine", a "cachi.wine", or a "bentoncounty.wine" is also a matter of protecting a culture: the culture of Wine.

Part of this culture was given names: "Geographical Indications (GIs)" and "Appellations of Origin (AO)".

Following ICANN's rules and sticking to Specification 5 of the new gTLD applicant guidebook "only" is far from enough to protect the wine Industry: I am happy that a domain name like california.wine is protected in multiple languages — thanks to this specification — but what about napavalley.wine (USA), valedosvinhedos.wine (BRAZIL) and...champagne.wine (FRANCE)?

There is NO strong mechanism offered to protect GIs et AOs in the Applicant Guidebook as well as any of the four proposed wine applications. This is not acceptable.

The Trademark Clearinghouse and the Sunrise Periods offer a possibility to participate for interested parties who want to register a domain name, but what about the rest of all members of the wine Communities who do not know, who do not use domain names, who do not want to participate but want to be protected?

Sunrise periods are open during a certain period of time but this is not enough for an entire industry to know it can register a domain name. This is not a protection mechanism… It is just an option.

The only solution left then for all this "wine population" who could not participate, who did not want to participate, who could not afford to participate or who forgot to participate will be to recover its infringed domain names and infringed Wine GIs through a URS procedure? Again, this is not acceptable.

Geographical Indications and Appellations of Origin official Databases DO exist. There are 2 official databases worldwide which list them:

  1. The database of the OIV (Organisation Internationale de la Vigne et du Vin) which is composed of 44 member states.
  2. The database of the European Commission, also called E-BACCHUS which consists of the Register of designations of origin and geographical indications protected in the EU in accordance with Council Regulation (EC). The database also lists non-EU countries' geographical indications and names of origin protected in the EU in accordance with bilateral agreements on trade in wine concluded between the EU and the non-EU countries' concerned.

Another complete and up-to-date database of French wine GIs only is available at the French INAO.

2) How to allow any listed institution or competent authority representing a wine GI to have access to its corresponding domain name?

Not only Geographical Indications and Appellations of Origins Registrants should be allowed to register their domain name ANYTIME THEY WANT and whatever how long the Sunrise or Landrush Periods are, but they should also be allowed to recover their domain name anytime they want to when another Registry (such as .HORSE for example) allows another Registrant to register a conflicting domain name.

SPECIFICATION 5 of the New gTLD applicant guidebook offers the best solution to block and reserve names at the second level to protect Wine Geographical Indications. The E-BACCHUS database has a list of 3013 Geographical Indications (see figures) which should be blocked for Registration and then allowed to be unlocked on request by the corresponding representative of a wine Geographical Indication.
Each blocked name should include its plural version(s) with and without hyphen when they exists.

ICANN should also include a mechanism to:

  1. Request authority on a domain name if the Registrant can demonstrate he represents a wine Geographical Indication.
  2. Revoke the domain name if no answer was given by the actual Registrant in a certain period of time (20 days for example). If Registrant cannot demonstrate he truly represents a wine GI, then a procedure should be offered at the ICANN or Registry level.

Standard or Community?
All wine new gTLD applications that have been submitted are Standard ones. This was expected but:

  • There are strong institutions in the Wine industry worldwide which could have endorsed these as Community applications;
  • There are recognized International wine organizations: the OIV is one of them.

The question here is not to understand why none of them is represented in any WINE application, the real question here is why ICANN has offered any commercial organization to apply for a .wine Top-Level Domain without the consent of, at least, one recognized wine institution?

The final question regarding .WINE applications is not to say whether ICANN offered a correct way to apply through its multiple versions of its applicant guidebook, the final question here is how to ensure that wine Registrants, AOs and GIs are offered a way to register their domain name without having to face what comes after: cybersquatting and domaining? These factors have been a reality for the past 25 years: check bordeaux.pro as a matter of example.

Being allowed to acquire the highly profitable monopoly to own a registry license may seem easy according to the ICANN Applicant Guidebook but "wine" or "vin" are not just letters added on to the other: they represent people, companies, culture, knowledge, datas: they are not the same as giving the monopoly to a .XYZ which will be "open to all". Not to forget that the winning applicant is then granted to be the only one to allow selling wine domain names worldwide! Once the winning application is delegated, there is no way back: there is no possibility to change the rules.

WINE applications submitted to ICANN

I checked all .WINE applications and they all follow the ICANN rules offered in the "Applicant Guidebook", but none goes farther enough into protecting the wine Community. For the subject of Wine, it does no matter whether they are "Standard" applications or "Community" ones:

  • No applicant offers a protection mechanism to protect wines with a protected designation of origin (PDO). Let us take an example: anybody will be able to register morava.wine (Czech Republic);
  • Based on this example, the solutions offered by applicants put this "strictly wine" domain name in danger because if "Morava" is a Trademark in another country, it legitimates its owner to acquire the domain name BEFORE the Czech Protected Designation of Origin during the Sunrise Periods! This is a serious issue for the protection of the wine Community;
  • I do not see any protection mechanism for a word like "Champagne". Yes, Champagne is a wine… In the French region of Champagne, there is an institution called "Le Comité interprofessionnel du vin de Champagne". It defines itself as "the trade organisation established by statute to administer the common interests of everyone within the Champagne industry". I myself see no other candidate for a domain name like champagne.wine or champagne.vin, even champagnes.wine but according to the operating rules described in wine new gTLD applications, I understand that anyone could ask for "champagne.wine". Champagne is an example here; there are many similar wine institutions of these kind worldwide.
  • Premiums (and Protected) domain names are used in most applications. They allow offering a domain name at a specific price which can then be auctioned if it receives a competing bid. It is unclear whether a word like "Champagne" (or any other "wine word" representing a geographical indication, appellations of origin, or institution) could be made available for sale during an auction. This is a serious issue for the wine Community. Since Premium domains names are allowed, the minimum would be to list them so wine Geographical Indications are not part of them!

Dear members of the board, the ICANN new gTLD program is not ready but there is still time to protect the wine community. Once you have launched, it is the entire Wine industry which will be exposed to infringements: Geographical Indications can benefit from a good protection only if they are protected at the source in the list of reserved names from the Specification 5 of your applicant guidebook.

NB: I am sorry for any mistakes in this letter, English is not my native language.

Written by Jean Guillon, New generic Top-Level Domain specialist

Follow CircleID on Twitter

More under: Domain Names, ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

Categories: Net coverage

Open DNS Resolvers - Coming to an IP Address Near You!

Wed, 2013-04-03 00:43

Three vectors were exploited in the recent DDoS attack against Spamhaus:

1) Amplification of DNS queries through the use of DNSSEC signed data

2) Spoofed source addresses due to lack of ingress filtering (BCP-38) on originating networks

3) Utilisation of multiple open DNS resolvers

While 1) is unavoidable simply due to the additional data that DNSSEC produces, and 2) "should" be practised as part of any provider's network configuration, it is 3) that requires "you and I" ensure that systems are adequately configured.

The fact is open DNS resolvers are nothing new and the open resolver project is tracking approximately 27 million open DNS resolvers. What I find interesting is that their database can be queried for an IP range to see how many open resolvers are listed.

Out of curiosity, I entered the /24 prefix that my personal IP address resides on, 81.174.169.0/24. This range belongs to Plusnet, a popular ISP located within the UK. I was quite surprised that a list of 9 IP addresses came back, I wasn't really expecting any, and fortunately, none of them were mine!

Out of further curiosity, I started using dig to fire off a DNS query for "www.bbc.co.uk" to each of the IP's. Most of them timed out, but as I worked down the list, sure enough, one of them returned an answer. I ran a port scan but couldn't detect any well known open ports other than DNS. So within a few minutes, I had found an open resolver being run on an IP address within the same /24 as my own. This ISP has hundreds of thousands, if not millions of customers, so if extrapolated, there could be thousands of open resolvers present via this one ISP. (Having said that, this list of open resolvers vs AS numbers only lists 7 open resolvers against Plusnet, so maybe I was just (un)lucky...) I would like to think my ISP has implemented BCP-38, but what if they haven't? And how many other ISPs out there haven't?

I have no idea whether CPE routers are providing this open resolver capability or whether people are genuinely running a poorly configured DNS server. The Measurement Factory perform regular surveys for open resolvers and network providers can get them to email a list of open resolvers. They have a useful page here.

I guess it's unfair to place the blame solely at sysadmins when the default setting for BIND up until 9.4 was to allow queries from anyone, and I am sure there are many *nix/*BSD distros that shipped with BIND versions <9.4 (RHEL 5 anyone?) — although you could argue "Why haven't they upgraded?" as we are talking pretty old code here. No, I think more culpable are the network operators who route spoofed traffic out from their network; it is inexcusable that they have not implemented BCP-38 (also known as RFC2827).

However, looking at that list of open resolvers vs ASNs again, the top offender is Brazil, followed by a big block in Asia-Pac, HINET is Taiwan, then Chile, Korea etc. To go to each of these providers, figure out which local networks are the offenders, and communicate all this in a meaningful, constructive way to the end customers, well, it's a gargantuan task!

Unfortunately I do not see a simple solution to this problem, and I fear that with the publicity the Spamhaus attack generated, we will ultimately see more of these kinds of attacks.

If you are curious like me, why not check your local ISP range and see if you can find any open resolvers? You never know what you might find! I'll buy a pint for the person who can find the most… at a date/time/location of my choosing… provided it's in the UK… in the South somewhere… near Reading or Basingstoke! ;-)

Written by Paul Roberts, CEO, Calleva Networks

Follow CircleID on Twitter

More under: Cyberattack, DDoS, DNS, DNS Security, Security

Categories: Net coverage

Don't Blame Open Recursives For DDoS Attacks and Why You Should Implement BCP38

Wed, 2013-04-03 00:00

There has been plenty of buzz and chatter on the Internet recently concerning a very large DDoS attack against CloudFlare, with coverage on their blog, the New York Times, and the BBC, among many others.

While attacks of this nature are certainly nothing new, the scale of this attack was surprising, reported to hit 120Gbps. For a sense of scale, your average cable modem is only about 20Mbps, or about 0.016% of that bandwidth.

So how does one generate an attack of that size? The technique that appears to have been used is called DNS Amplification. The attacker will typically use a network of infected hosts, known as a botnet, to send DNS queries to servers, faking the source address to be that of their target. When the servers reply to these queries, they send the reply to that false address.

Since the response packet is bigger than the query packet, the DNS server is helping out in the attack by increasing the amount of bandwidth being used. This is not a new technique, and has been around since at least the late 1990s.

What has changed is how effective this attack is, mostly due to the introduction of DNSSEC records. For example, a DNS query for isc.org/ANY with DNSSEC is only 78 bytes, but the reply is 3,586 bytes — so big it gets fragmented and spread across three packets. This makes it very easy to use a little bit of bandwidth to make a huge attack, and since your compromised hosts don't need to send out a lot of data, it's less likely they'll be detected and shut down.

Open Recursives Are Not the (Only) Problem

A lot of these attacks make use of recursive resolvers to perform this amplification. These are the servers that are typically run by your ISP or by services such as Dyn's Internet Guide, OpenDNS, or Google's Public DNS.

It is intended that the end user will query these servers, they'll take care of finding the answer, caching it, and returning it to the user. In the case of an ISP's resolvers, these are usually locked down so only the ISP's customers can use it. It has long been considered a security risk to operate a resolver that will respond to just anyone (an "open" resolver) without taking special care to consider the consequences.

There has been a lot of renewed interest in finding and shutting down unintentional open resolvers, through things like the Open DNS Resolver Project. This is a good thing, but it only addresses part of the problem. These attacks do not need to use open resolvers; they can use the authoritative servers directly to do their amplification. The authoritative servers are the systems that ultimately serve the answers in DNS.

These are the sorts of systems operated by DynECT Managed DNS and Standard DNS. And since these servers must be open in order to function, it's much more difficult to secure them against abuse and the attackers are using them.

Dyn observed this activity back in December 2011, and it has only gotten worse since then. Other authoritative operators have seen the same behavior, typically DNS queries for "ANY" records on zones that have been DNSSEC signed. We have our own in-house tools for mitigating these attacks, but there has been public work to counter the problem, such as the Response Rate Limiting patches to the BIND nameserver software.

But these are really only temporary fixes in an arms race between DNS operators and the people who want to abuse their systems.

The Real Problem and its Solution

At its core, the problem that enables these attacks to work is source address spoofing. This is when a packet is sent from a computer using a source address that isn't actually on that computer, but instead belongs to some other system — usually not even on the same network, such as a home PC on a cable modem, sending traffic that appears to be from a popular website. This has been seen as a security problem for a long time, and yet there are still plenty of networks that allow it to happen.

The solution has also been around for a while, known as BCP38. This document, part of a series of Best Common Practices, describes a very simple concept of not allowing packets to pass through a router from hosts that shouldn't be sending from those addresses. It was published nearly 13 years ago, and is often brought up in tech circles as a solution to a number of problems, but there is still a lack of implementation on the Internet at large.

It boils down to a very simple logic, described in section 4:

IF packet's source address from within [its assigned space]
THEN forward as appropriate

IF packet's source address is anything else
THEN deny packet

There has been a renewed effort recently to push the adoption of this practice, with a boost from this recent DDoS attack on CloudFlare, with some new websites popping up, such as BCP38.info, and a lot of discussion in public forums. This is something that really needs to be done for the security of the Internet as a whole.

So, if you're a network operator, please consider implementing BCP38. If you're buying internet service, ask your provider about BCP38. The rest of the Internet will thank you.

Written by Chip Marshall, Network and Security Analyst

Follow CircleID on Twitter

More under: Cyberattack, DDoS, DNS, DNS Security, Security

Categories: Net coverage