DNS Abuse ICANN - SYDNEY 25 June 2009 (Meeting in Progress)

>>GREG RATTRAY: I think Greg made the strong point that because TLDs are contextually dependent, that because TLDs are seeking to service different registrant bases and have different business models, that really the answers to these questions tend to be dependent on those factors. With regard to does the current model work, I think Greg was fairly positive in some ways that a lot of activity has grown up around remediation approaches, that there are mechanisms for cooperation. Certainly they need to be strengthened and information sharing mechanisms would help a lot. But this is not a Greenfield in that the new gTLD space should be included in the existing mechanisms that exist. And then we did ask the more pointed question of specifically what should we do. And the RISG really came back with two basic answers, one of which is central in terms of how do we, in the applicant process, identify what measures new applicants may take. There's a call here for them to explicitly identify how they plan to treat abuse topics, and certainly we're taking that on board as an input in terms of process about how we make that happen. And then addressing one of the longstanding issues, to use Rod's construct, we do need to make sure that our compliance efforts continue to be robust and are enhanced and that certainly will be taken into account. Leigh Williams represented the banking and financial community. He did not provide slides so I am channeling Leigh's input. Really, we appreciated Leigh's input as, I think, pretty balanced. He believes for that sector, which has real -- will be a target of malicious conduct, because that's where financial transactions occur and the money is to be made by criminals, that there is an opportunity as well as a risk here from new gTLDs.
And that if the space is properly constructed, that sector may be better off as it uses the Internet than worse, but that there are risks if that does not occur. And was basically to enjoin us to -- we are going to engage in a dialogue with the set of financial associations and to understand those concerns and what they believe need to be done. He called out three key questions. First, should enhanced security measures affect all elements of DNS operations? And particularly, do certain communities, like the banking and finance community, have, in the terminology of the process, community objection rights would allow them, you know, to figure out who gets to be in a dot bank or a dot finance or a dot check TLD. And that that would be very useful. And Leigh just walked into the room as I reprise his remarks. He also went over what the -- the belief that there need to be, you know, mandates for high security risk TLDs. And then we had a good discussion about whether there needs to be a higher bar for everyone. So those were the primary areas covered by Leigh. Azrina representing the CERT community. I captured a few of her slides. Basically the CERT community is part of the response when malicious conduct occurs, so they come at it from what would enable them to respond more effectively. Again, I think in the interest of time I am going to flip through these fairly quickly, but these were the issues identified by somebody who is a leading figure in the global incident response community. 
And then Beau Brendler represented the at-large constituency, and he gave a presentation, which was really a demonstration which was really the confusing nature of the domain name space, pointing out that from a consumer perspective, if the space is so confusing that you can't distinguish between sites that are either conducting trademark abuse or facilitating criminal activity, like fraudulent sale of drugs, that the space is, from a consumer perspective, a more malicious, hard-to-use space. So the way forward in this issue area certainly as well as trademarks, as many know there's a planned series of consultations in the cities identified here in July and early August. That we will be working with the banking and finance sector on security -- ideas related to security-specific TLD concerns and mitigation approaches. And at the end of the day, these -- this good work will be rolled up into potential measures that are included in the third version of the applicant guidebook. So Cheryl, I think that's my synopsis.

>>CHERYL LANGDON-ORR: Not only a synopsis, in absolutely perfect time, you have gained us back three minutes! I will have to find rewards for the best speakers on these panels. Well done! Thank you. We are now going to move to the meaty part of today's event. Well, it will be first of many meaty parts of today's event. And the first talks about the latest developments in the fight against DNS abuse. These are ten minute sections and you have all the time you need in the ten minutes allocated but we are first going to hear from Greg Aaron and rapid suspension system, back to Greg Rattray, and then Steve Stroud at the end. Having introduced Greg, I am going to now introduce Greg. (Laughing) A quick shift of Gregs as we go down the table. Greg Aaron is key account manager and domain security at Afilias. I assume you are not whole of it for security. There's more than just one.
He manages registry services for the dot info top-level domain, and oversees Afilias's security programs designed to address domain name abuses such as phishing, spam, malware and fast flux. Greg is the chair of ICANN's registration abuse policy working group, and he represents Afilias on the steering committee of the Anti-Phishing Working Group, APWG. Rod is absolutely delightful because his bio says president and CTO at Internet Identity. I like that sort of bio. It's just the sort of bio I enjoy reading out. Steve Stroud, however, almost gets the guernsey for the shortest bio. Thank you, Steve. Steve is the director, exercises projects and review e-security policy and coordination branch at the Attorney General's department, the Australian Attorney General's Office. And Steve, I need to tell you because you are here at ICANN, you must make that into a group of letters. We respond very well to large numbers of meaningless letters. So I would like to see the letters by the end of the day. Okay. Over to you, Greg and Rod.

>>GREG AARON: Thank you for the kind introduction, Cheryl. We're going to talk about phishing as a way of illustrating some of the policy, legal, and operational issues that parties encounter when dealing with abuse and malicious uses of domain names. So what Rod and I do is every six months we publish a study through the Anti-Phishing Working Group. And our goal is to quantify what's happening out there. Measure the amount of phishing that's happening in the world, understand how the phishers are accomplishing it, identify trends, and then that hopefully leads to ideas about how to fight the problem. Okay. So we basically try to collect every -- a record of every phishing attack that happens in the world. We collect it through a variety of means, including the Anti-Phishing Working Group's rather authoritative database. Other feeds, private sources and so forth.
This is millions of URLs, but basically it boils down to a small set, manageable set of data on attacks and domain names used. In the second half of 2008, there were about 180 million domain names in existence worldwide. So we think we have caught about 99.5% of those and incorporated it into our report. So here are the overall stats. And this is a comparison also with previous periods. So when you say a phishing domain name, that means a phish has appeared on a domain name. That does not necessarily mean on the home page but on a domain. And you see that the number of domain names affected has gone up and down a little bit, but it's somewhat consistent over the last year and a half. Phishing can also take place on I.P. addresses. So if you are looking at the address bar in your browser, you would see number dot, number dot and so forth. That actually has gone down quite a bit over the last year and a half because people are finding effective ways to dissuade that kind of activity and filter it out. So the phishers are moving away from this method. The number of TLDs that have been phished in; i.e., ones that have had at least one phish, have gone up a little bit. Although it's noted that a lot of these TLDs have only one or two or a handful during this period in question. Still, the number of TLDs has gone up. Would you like to define what an attack is?

>>ROD RASMUSSEN: Certainly. An attack can be -- we have to define that in order to differentiate between a domain name being involved in phishing for one particular brand that's being attacked versus multiple brands. So one single domain may end up hosting several different attacks against different phishing targets.

>>GREG AARON: So measuring attacks is also a different measure of activity. We started tracking that in a previous period, and the number of attacks increased between reports. However, if you look overall at the number of domains and the number of I.P. addresses, the number or amount of Internet resources used for phishing has actually remained fairly steady over the past year and a half. We have found that IDNs are not being used for phishing. There are certain attacks that could be facilitated by using IDNs to make people confused about what characters are being used. But so far, we have not seen a manifestation of that in that type of attack. There are basically two kinds of domains you have to worry about. One, compromised domains. These are basically domains owned by innocent people. And the Web servers get hacked into, and the phishers put up phishing pages down in the subdomains or subdirectories. They do this for various reasons. One is they get free hosting, and these are also hard to take down. Basically, the problem is if you suspend that domain name's resolution, you are also bringing down the Web site and the e-mail of the innocent registrant. Then we have maliciously registered domains. Phishers do go out and register domain names for their own use. They usually put them up quite quickly. That's one indication that they are using stolen credit cards in order to register the domain names. And here is an example. This is a phish that targets Lloyds TSB Bank. You see the URL at the top of the slide. And you also see in the address bar, on the browser you see that the phisher has put this phish down in the images directory where most people wouldn't look to find things if they are hosting a Web site. And then they have put the Lloyds' name tacked on at the end. They are trying to fool people into thinking this is the actual Lloyds' site. But what is really on this site? We see it on a home page. This is the site of a women's organization in Portland, Oregon, U.S.A. It's a wonderful organization. The problem is if we suspend this domain name, we are going to take this site down and this organization would be collateral damage. So you see the real site here.
>>ROD RASMUSSEN: So the bottom line on the number of domains for the last half of last year were a little over 30,000. Of those, almost 80% were on compromised servers. So the amount that were actually registered by the bad guys is about 20%. Also interesting, and this seems to be a declining trend over time, is they are not using in the domain name itself, very often, variants of the brand that they are attacking. They are actually using typically fairly nonsense names and then adding the brand in either the host name or the trailing URL string. I think one of the reasons for that is there has been a very strong emphasis on protecting brands within domain registrations and the services that are doing that are pretty good at it. So the conclusion out of this is the domain itself doesn't matter. It's the resources that the criminals are going after for themselves so they can launch their attacks. So we had to come up with a metric to compare against different TLDs. So we took the space and said per 10,000, we will give it a score. The median amongst all of the sites was 2.7 per, dot com being about half is another good measure, half of all domains register. So somewhere in between, it will be a pretty average type of TLD. Scores for smaller TLDs will skew higher just because of the smaller denominator. The -- This is for the last half of last year. Problems really stick out, as you can see here. We had Venezuela go through the charts as far as where the attacks were occurring and that's because of registry operation. It was actually Venezuela is a registry/registrar combined model, part of the government of Venezuela. And at the time of these attacks they had just upgraded their system to allow for easier registrations and they were being shifted from one part of the government to another.
So there were a whole host of circumstances, a perfect storm, full, and it took them several weeks to get things back under control and in the meantime you could see thousands of domains during the day being actively phishing. Thailand is an interesting one. There were no malicious registrations here at all. Those are all on either government or university servers in Thailand. So they actually seem to have a security issue there rather than a domain registration issue. On the gTLD side, you can see the numbers are fairly close throughout. What's kind of interesting, you do see that the biz and the info TLDs do have I'd say a fairly noticeable difference as far as being a lower amount of phishing being prevalent. The correlation on those two is they are actively running abuse programs and actively working with their registrars to remove domains as soon as they show up, or as soon as possible. So it does seem that the inclusion of a registry abuse program has an impact on these scores. We also took a look at how long phishing sites stay up. So we monitor the phishing sites and track how long they are there. It's really an automated process. And we collect average and median -- a median is a better number to use because sometimes people don't know about phishing sites, and some of them actually existed the entire six months of the study, for example. We have tracked some phishing sites that have been up for years because people don't know about them and the brand holders aren't taking active measures against them. So here are the numbers for the gTLDs. And the one thing to take away from this slide is there's a kind of constant trend over time. If you take a look at com and the average for registries that are doing different things, you may see a variance in time. So you see biz and info will have some variance there. The big one up for biz in September, those were all on compromised domains for the most part.
So really the registry doesn't have much to do with, necessarily, being able to remove malicious domains. And for the ccTLDs, we -- actually, the one that sticks out here is obviously the UK. This is an example of a registrar within that system that was not doing a very good job of remediation. And so the registry operator I know actually worked with that registrar to help address the situation. But it can vastly impact the time difference, just from one bad -- or one -- not necessarily a bad actor but an actor that needs help in better doing their job.

>>GREG AARON: So when doing this kind of remediation work, each of many entities has its own capabilities that it can bring to bear. And each one has a role. The targets are brand owners, the banks and so forth, that get phished. They have a primary responsibility to protect themselves, because the phishers are going after their money. And, of course, those banks as customers. So some of these organizations have anti-phishing resources, some of them have teams, some of them employ outside vendors. Some of them do a great job. Some of them not so -- so active. In some cases, even ignoring the issues. Hosting providers are really important because they and ISPs can take down individual phishing pages. So we want to contact those people. They can surgically remove the problems and leave the innocent Web sites up. Registrars need to be looking for malicious registrations, seeing what they can do to cull those out and suspend domain names. Registries are in a good position to disseminate information, to contact their registrars, to push out reports, and in some cases, also suspend domain names. Law enforcement involvement is somewhat diffuse. Phishing takes place across international boundaries, and in the vast majority of cases, law enforcement has no role in mitigating any specific phish. It's relatively rare.
Most of the mitigation is taking place through these various private parties, like the targets and registrars and the hosting providers. However, law enforcement has a vital role to play in tracking this activity over all. And they are very interested in pursuing some of these large phishing gangs which perpetrate the majority of this kind of activity. So they are very interested in what's going on and do take vigorous action when they can. Finally, security companies and organizations like APWG are out there educating people, trading information, and trying to improve the situation overall. One of the questions that is coming up here at ICANN is what is the role of ICANN? What is its role in education? What is its role in encouraging better practices? What is its role in making policies that might affect these problems? So our conclusions are as follows. Each of these abuse types -- phishing, malware, spam -- all these kinds of problems are different. They all present some unique challenges. They are approached different ways. Phishing as a problem is probably affecting about 60,000 phishing domains a year. That's out of about 180 million worldwide. The vast majority of these domains are hacked into. The registrants don't know about it and are not responsible for the malicious activity. We see phishers moving from registrar to registrar. As soon as one registrar gets clued into what's happening, they button things down and the phisher will go elsewhere. The same thing happens with TLDs. The phishers are very rational. They are criminals that are out to make money. They make rational decisions, and search out weak links. We find that collaboration works. Working with each other is the best solution because we can bring all of our powers to bear on the problem. And unfortunately, bad guys put us all in a really bad situation. They affect all of us. They don't play by the rules that we do. 
And it means that oftentimes there are not any easy solutions that, at a stroke, would eliminate a lot of these bad activities. But we're very hopeful because there's much greater awareness of these problems, especially at ICANN over the last couple of years, and a lot more parties are coming in and making contributions to fighting these problems. Thank you.

>>CHERYL LANGDON-ORR: Thank you. Now, a little example I think is coming up next. Conficker. Greg.

>>GREG RATTRAY: Thank you, Cheryl. It is certainly an example both for the potential for computers to become outside of one's control and thereby be misused. It's also, I think, a very good lesson in the value of collaboration, building upon the point that Greg just made. And in that vein, I do want to acknowledge a couple of people or actually a few people. First, these slides are built by Dave Piscitello, who is over there on the left as part of the ICANN team that worked on the Conficker challenge. John Crain -- John, raise your hand, please -- really led the collaborative efforts with probably many in this room to undertake some sort of response to the challenges that Conficker presented, and we are about to go through. And then Greg and many others in the TLD community were basically the front line of working on keeping the Domain Name System part of, you know, the place where it was hard for this malicious activity to occur. And I will describe that in a little more depth. So what is Conficker? I would like a show of hands. How many people think they really understand what a botnet is? Okay. So Conficker, this is a -- I would guess that 50, 60%, a little more than half, so I'm going to spend a moment. Conficker is a worm which was the prelude to a botnet. It was a set of code that was able to basically increasingly distribute itself across the Internet. It's probably not -- you know, the slide says it's a variety of vectors or means by which it tried to take over different computers.
It goes from a worm into being a botnet when command and control channels are the people that are trying to propagate the code can actually control the host that the code has been inserted into. In this case, the primary place within the infected host or the place within the infected host that the code resides is in a portion of the Windows operating system. This was a Windows operating system vulnerability. And Microsoft was vigorously involved in the efforts to try to both understand and remediate, collaboratively, the Conficker worm. I show this slide for a couple of different reasons. Certainly this is the problem of no one geographic region in the world. The other thing is that the scale of these botnets or, at least in this case, the in place code base over the worm that could be turned into a botnet, is huge. Estimates vary, but anywhere from one million -- and there's no -- that's the low-end estimate -- to 15 million hosts are infected. Really, the pace of infection has been steady since the mid spring in terms of the security researchers. Tracking exact numbers is a pretty difficult proposition, and part of the challenge is the collaborative response. But you do need to know that we now talk about numbers of computers that are over a million in these botnets. So part of the reason for that is illuminated on this slide. If it's a vulnerability that's prevalent in a lot of -- a large portion of the installed base, Microsoft has processes, as do most software vendors, for trying to identify and basically give you a patch to stop this. But the challenge is much more complex than that. A particular interesting aspect of this one and many of these Microsoft OS based worms is the large installed base of pirated software for the Microsoft operating system where installing a patch is not an option. So therefore, once infected it becomes very difficult to remove the infected host. 
And for those who don't track this area closely, the sophistication of those who build botnets, you know, advances by the month. They are -- they understand what is being done to stop their efforts. They quickly adapt, as we'll see here, the characteristics of the code that they are trying to emplace in order to make the defender's life more difficult. This gives a brief chronology of events. And Dave actually has a slide that goes before this which talks about other sorts of worms and security situations. McColo, which was not really a worm but a bad provider, the Srizbi bot, which gave us some experience in the types of collaborations that we would need involving the Domain Name System with the security community in responding. In some ways this bot gave us preliminary inoculations that we were able to learn from and deal more effectively as it tried to spread more aggressively. In particular, as we started to understand that Conficker.A affected generic top-level domain space started to move with Conficker.B into the country code domain name space, we started to understand we needed to get out in front of the use of the Domain Name Systems as a means for command and controlling this bot. The bot had an algorithm that basically generated domain names. That algorithm was basically hacked by the security community. It was protected by encryption. It was -- This is a cat-and-mouse game of attackers and the security community. By encrypting the algorithm, they were able to proactively predict what domain names would be used, allowing registries and registrars to go out there and take those names out of play. So for the involvement of the ICANN community in this activity, that was really where the game was played and is still being played in the different portions of the Conficker -- or for the different code bases in Conficker that still endeavor to use the Domain Name System. It's interesting. 
If anybody does know who is responsible, there is a $250,000 reward that has been issued by Microsoft. John has thought about volunteering himself up, but hasn't quite taken that step at this point.

[ Laughter ]

>>GREG RATTRAY: Again, we went through an early portion of this year, and then really hit what became the widely publicized Conficker.C/D, depending on your labeling schema, where the worm went from operating against 10 TLDs and registering I think 250 names a day to going against 110 TLDs and registering 50,000 names in seeking to utilize the ccTLD space. We had no game plan, as John well knows as the guy who had to pull together one in the period of 24 to 48 hours, to reach out to everybody and deal with a situation where 110, you know, elements of the Domain Name System were potentially going to be utilized and could effectively respond to this situation. There is a Conficker.E. It really looks like it's trying to test, you know, what works and doesn't work and the response of the security community. Importantly, Conficker.E does not use the Domain Name System, and there's some thinking that we have actually done well enough in the Domain Name System to make the malicious code writers move on to other vectors for spreading their code. This is a map of the affected ccTLDs in the Conficker situation. This has been discussed in a couple forums in the ccNSO this week. We cannot figure out any rhyme or reason to actually why the code writers chose these specific ccTLDs. It may have just been they wanted us to waste time trying to figure that out, because people spent a considerable amount of time trying to figure out why different countries were or were not infected. Some positive lessons learned, and there are certainly those.
While it was an ad hoc response, both the domain name community dialogued well, quickly with the security community once it was understood that the Domain Name System wouldn't be used and the security researchers could predict where the Domain Name System would be used, there was a positive response by the DNS operators to go out there and either block or either sinkhole direct to the security researchers the traffic coming in from these infected computers. Sustaining the trust that that can be done in a way that doesn't give away the analysis that's being done in the security community, has been -- sustaining that's an essential part of an effective response. Communication channels are essential. We played basically an enabling role in conjunction with ICANN's global partnership staff which has regional liaisons across the globe in getting the word out. We are not operators, so really the action took place in those TLD operations that took action on these bots. And we do need each other. We need to figure out mechanisms and we remain engaged with the security community, the vendors, Microsoft, the security researchers, the antivirus writers like Symantec about how we're going to collaborate going forward in the future. What we haven't solved is how to get botnet operators out of business and I don't think that's going to be a near term operation for us. As I've mentioned, they're agile and elusive. There's no silver bullet, as Greg mentioned, when it came to phishing in order to defeat this. And that collaboration can be complex and we're going to have to work at and dedicate resources to be able to collaborate effectively going forward. 
Because Conficker was the subject of a lot of discussions here at the Sydney meeting, you know, I do think that we have learned that this is not a one-off, that whether it's Conficker F or a new variant of a worm that's infecting the Internet and utilizing the domain name system or the DNS itself comes under attack that we must have some sort of standing collaboration mechanisms in order to address these threats. I believe Chris Disspain at the ccNSO has stood up a working group in order to talk about how that sort of collaboration can occur. Certainly we at -- on the ICANN staff will be part of the working group and look forward to working with all, in this community, the DNS community, on how to do that as well as bridge it over to what goes on in the security community so Cheryl, I think that's it.

>>CHERYL LANGDON-ORR: And I can rely on you to get us perilously close back to track. We're going to work more together, this is excellent. Steve Stroud is now going to discuss the Australian Government's role in the establishment of the CERT -- see, when you give me letters, I'll put them out as letters. Thank you, Steve.

>>STEVE STROUD: Thank you, Cheryl. I'm not going to talk about DNS per se, or worms per se, or phishing or anything. What I want to briefly -- and I will be brief -- talk about is policy levers that governments can use to assist. I've got three key points I want to make in this short time. The first is that the Australian Government takes cyber security seriously. We call it e-security. The second point is, where we can, we try and facilitate collaboration between people who may not otherwise collaborate. And I'll come to an initiative on that in a sec. And the third point is Cheryl's point, that we're bringing together a lot of our existing response arrangements under the banner of a national CERT. We take cyber security seriously. Our prime minister last year outlined his view of Australia's national security.
And it's broader than what you might think national security is. But in it one of the things he said that is important to Australia's national security is e-security, it's number nine in our top ten. For those of us in the government e-security business that was like manna from heaven. But what we have done quite -- well, relatively constantly in the Australian government is review our e-security policy. We did it initially in 2001, we did it again in 2006 and discovered that things had changed dramatically. So we instituted a program of doing it every two years. It's a fairly hefty body of work, and we completed the last review, well, some of the initiatives were announced in December of last year. Two things I want to touch on. One is what we're calling information exchanges, this is headed up by an organization within our department called govcert.au and what they're doing is facilitating information exchanges within various industry sectors. So we're getting people in a room to talk technical problems. These people are competitors, so one of the issues that we, the government, had to solve -- in Australia there's fairly strict competition laws, so we had to get the competition people happy with these people being competitors sitting in a room and talking about stuff -- so we got everyone to agree that security is really a noncompetitive issue. And we're just kicking these off now, as I speak, there was one today, and the idea is that people are bringing their problems to this forum and they share and they kick around solutions. So rather than me solving my problem independently, of Rod solving his problem, we get together, and hopefully there's less work done and things are solved quicker. The other thing we did, that was announced in our last budget in May, was we're bringing together -- pardon me -- we're bringing together all of the response arrangements in this country under the banner of a national CERT.
Now, we're doing this in conjunction with also the University of Queensland and also we're bringing in all the bits of government that do this. The aim is to have essentially one place to go and also to provide the Australian people with e-security information and threat information and stuff like that. That's really all I wanted to say except to add that in response to Cheryl's challenge for an acronym I would go with STVEENDEPRESPCBAGDA. Thanks.

>>CHERYL LANGDON-ORR: I think you've actually gone further at -- because that's even longer than BACARDIDBCDE. Congratulations, Steven, thanks very much for that. Well, there's something on our schedule now that means I'm hoping to see people come up to the mic. It's an opportunity for question time. Come on, Philip. When you come to the mic, just identify yourself for the scribes' sake. Thanks.

>>PHILIP ARGY: Thanks, Cheryl. Philip Argy from ArgyStar.com, immediate past president of the Australian Computer Society. At the Australian high-tech crime conference that was on a couple of weeks ago, we had a group of people telling us that the solution to disinfecting Conficker-infected machines was quite well-known. The policy and legislative response challenge is how to get that antidote on to those machines. And it's quite an interesting question because, of course, we have in Australia, as most civilized countries have, antihacking legislation that makes it an offense to access somebody's computer without permission. And as Greg, one, mentioned at the beginning, the wormists take no notice whatsoever of that legislation and will go in a band and affect those people's machines. Those with the ability to fix those machines who can also identify the machines can't insert the antidote as it were without breaching a law. Governments are loath to authorize that sort of conduct. What I want to raise is really contrast the way the world has dealt with swine flu.
And whilst at one level it's a curious analogy, what is interesting is the way the world has coordinated its approach, the way the world has shared information in identifying symptoms, how to identify infected victims, and then, most interestingly, how, once those people have been identified, what's being done and really, at one level, very intrusive and some would say heavy-handed activity and sort of confining people to their homes and insisting that they take Tamiflu and matters like that. So it's kind of interesting that when the world thinks there's a serious issue, it can actually galvanize itself and find mechanisms to deal with it, how effectively is yet to be seen but I just wonder whether there isn't a lesson there that we might be able to learn in terms of setting up structures and putting in place mechanisms that might allow identified machines to be forcibly disinfected because, using the same analogy, cutting down the propagation is really the key to minimizing and quarantining the damage and we're really fighting with our hands tied behind our backs because we close off one of the known solutions and that is infecting the infected machines with the antidote. We tie our hands behind our back and say we can't do that. We have to use ISPs to try to contact their customers and plead with them to do something that's really not very effective so I think we have to decide if we're serious enough, actually have a legislative approach and create a mechanism for the antidote to be installed on those machines. I would suggest that the majority of owners of infected machines would, in fact, not have the faintest idea that you'd fixed their machine in the same way they're totally oblivious to the fact that they've got an infected machine. So it's really a philosophical mental block that's stopping it, but considering the ramifications of the problem, I really think it needs a little bit more focus at that level.
>>CHERYL LANGDON-ORR: Thank you, and are there any other questions? Because wave now, otherwise I'm getting sorely tempted to get that excellent challenge and put it to this group and perhaps ask Steve for an initial response to that and then go, boys.

>>STEVE STROUD: My initial response would be it would be a very brave government, indeed, that would legislate to allow that to happen.

>>GREG RATTRAY: It's Philip, correct? You know, Philip, I think I'm very sympathetic to the notion that these particular challenges, worms, are analogous to public health sort of considerations and that as we figure out how to do collaborative response, learning from models of Centers for Disease Control and World Health Organizations and preventive measures are something we need to consider to include, you know, whether current legal and policy constructs are enabling or disabling of those responses. However, a little to Steve's point is I do think the technology community can assert that a specific technical fix will get much farther down the road than the messy reality of code and installed computer bases and it is a risky proposition to shove code into somebody else's computer that you don't understand its configuration and how it's operated and therefore may break and worsen the situation so that's why I think Steve's point that -- we're probably a ways from the confidence level for governments in order to enable those sorts of activities.

>>CHERYL LANGDON-ORR: Thank you. Waving at me. Back mic.

>>DAVE PISCITELLO: We're dead here. That's better. This is Dave Piscitello from ICANN. One of the things that goes on in large-scale enterprise networks is something called end point admission control. And what it essentially is is, yeah, customs and immigration with immunization mechanisms for connecting to a local area network.
There have been many speculations on trying to migrate that kind of technology to an Internet service provider where the service provider would essentially check to see if your machine was infected and not allow you to connect until you'd remediated the infection. The disincentive there for the ISP is quite obvious. Turning a customer away, the customer will simply go to a different ISP who might not create that kind of admission control or block access to the Internet. So maybe a government might not necessarily want to take the big step of saying, you know, we're going to reach into your computer and put our own little application to control it, but it might incent Internet service providers or provide some sort of funding and say, you know, we encourage you to do that, the kind of prophylaxis we think is appropriate for the Internet and that might be an appropriate course for governments to take. Thank you.

>>CHERYL LANGDON-ORR: Bertrand?

>>BERTRAND DE LA CHAPELLE: I'm speaking here on a personal behalf, on the issue that has just been raised. Analogies carry us only so far but at the same time they're very interesting tools to see where there are similarities and nonsimilarities. I think the more we speak about computer and Internet security, and in particular, that kind of problem, like worms and epidemics, the more the difference between traditional police mechanisms and else environments appear valid like health treatment is important. It took years to establish all the mechanisms of cooperation, to prevent pandemics and so on. So I would urge as a methodical approach to avoid getting precisely the kind of discussion where a bold idea is only explored so far as to say it would take and jump to the solution too quickly. It is obvious that this is absolutely not ripe. It's maybe not the right approach. But it is a typical subject where we're at the core of public policy.
And at the core of a public policy where you not only have to understand completely the problem with the help of the different actors and the way Conficker has been fought shows that governments, on their own, are unable to fight it without the cooperation of the other actors, but likewise, any preventive mechanism or remediation mechanism will need the cooperation of the different actors to find the technical solution, to get the legal framework to apply whatever solution there is and the business actors will also -- are likely to be cooperating in this. So I just point this out because there are several frameworks, it's not necessarily within ICANN, but I think this session is a typical example of an awareness-raising. And I think if any actor wants to try to bring together a better interaction at a very preliminary stage to say are we complete fools to even think of what was mentioned or is an analogy actually meaningful in designing public policy or thinking about it I think it would be worth it, personally.

>>CHERYL LANGDON-ORR: Any response? Rod? Greg? Steve? Everyone, go for it, first at the buzzer gets it.

>>ROD RASMUSSEN: I've got it. I think the comments here are very good and we do have what appears to be more of a public health issue than almost a law enforcement issue almost combined. There is movement within the ISP community on this issue. We are seeing the use of things like what is called a walled garden by some ISPs around the world. And what a walled garden is, you basically try and log in, and your ISP says your machine has done something, whatever that something is, and until you remediate that, we're not going to let you through to the Internet or whatever you're trying to reach. And they're wrestling with this issue of how do we do this in a competitive environment and in an area where we may take on a legal risk.
That's where, again, I think we can encourage governments around the world to help service providers get past those issues so that there's a common -- common baseline for them to work with and they don't have to worry about, necessarily, blocking somebody's access who that person is affecting lots of other people.

>>CHERYL LANGDON-ORR: Steve, I'm sure you want to say something.

>>STEVE STROUD: I want to make two points. One, I thoroughly agree with the use of analogies from outside of computing to look at problems. We don't have our collective wisdom here looking at our own subject field -- well, we, obviously, can't solve everything. Second point towards ISPs, in Australia we have, and it came out of the review minus -- Internet Security Review Minus One is something called the Australian Internet Security Initiative, no one's spoken too much into it because it doesn't fall into my area of responsibility except to say that with -- with ISP participation, machines that are identified as infected are notified to ISPs who, then, work with the customer to clean them up. It's happening on a largely voluntary basis, I believe, but it is happening and when it works, it works very spectacularly well.

>>CHERYL LANGDON-ORR: Go ahead.

>>RUSS MUNDY: Russ Mundy speaking as I guess a long-time security guy. First I'd like to comment about the suggestion that using similar techniques that attackers use to fix infected machines is an interesting but not really a new idea at all for folks that remember the Morris worm from the late '80s. I happened to be in the midst of trying to respond and react to that and one of the things that many people don't remember or never knew was that in the midst of the reaction to that, which was -- had to be correcting code vulnerabilities that were sitting out there on machines, it was more taking advantage of code vulnerabilities rather than planting of malicious code. So similar but not quite exactly the same.
The fixes that got promulgated were not all legitimate fixes. In fact, at least one and I think maybe two were, in fact, illegitimate fixes, published in a way to look to be legitimate that would have, in fact, infected those that were silly enough to accept those patches and put them in. And so it was an interesting and somewhat challenging realm to look at and examine that and I always -- that's what always comes to my mind when I hear the idea of having, if you will, the good guys using similar kind of tools to what the bad guys do. I have never been comfortable with doing that for a couple of reasons, one is things I've lived through of that nature. And because when that starts to occur, it becomes even harder to know what's the good stuff that ought to be going on to machines versus the bad stuff. And it has the very big potential of making the problem even worse than what you had to begin with. And so that's something that I wanted to just contribute to the discussion here. On the aspect of suggesting kinds of things that can be done to help responding to this, one of the -- I often am an SSAC member and I'm speaking purely as myself, not as an SSAC person here, but we're currently having discussions about how to encourage and foster, especially in some of the registrar space, the higher -- the ways in which, from both a business and a service -- servicing perspective, that the people that are offering this in the business realm can effectively sell it to customers and to have some area of better security that at least over time can itself become, if you will, a positive motivation as opposed to a negative motivation. 
And personally, as a long-time security practitioner, I think that this is a better way to try to move forward in this kind of space so that it is in the advantage of the ultimate end users of this stuff to actually do things that will help security as opposed to saying, oh, well, somebody else shove some code on a machine, I don't really know what they're doing, fine, okay. Thank you.

>>CHERYL LANGDON-ORR: The passivity is scary, you're right. I have a question on both microphones so if we can just hold responses perhaps till we hear those questions, please step up and then you two in line.

>>BOB HUTCHENSON: First of all, I'd like to thank these gentlemen for the hard work they did to help stop Conficker. Secondly, I'd like to ask -- saw a recent presentation at NANOG that essentially said the rate of new viruses going into the wild is around two per second. There's indications now that there's code being generated automatically to build these botnets. And I'm just wondering anecdotally if you know how close we are to complete ICE-9, okay?

[ Laughter ]

And the other is if you're tracking at the antiphishing working group anything about TinyURLs and TinyURL redirection.

>>CHERYL LANGDON-ORR: Do you want to take the second one first?

>>ROD RASMUSSEN: You happen to hit a wheelhouse right there for me. Yeah, we didn't break it down in the slides right here, but, actually, in our report, we did mention the TinyURL is a brand, just for those of you who are not familiar with it, you can buy or -- and sometimes they're free through a service a small domain name with a slash and then some sort of short code after it. And that URL redirects to another place. It's very popular for social networks, Twitter, things like that. The problem is the bad guys know this too and they use that to -- they sign up for some of these and then they redirect through that to their Web site.
So you've got a legitimate domain, TinyURL and there are several other services out there that do this, and then it redirects to those so you don't know what it is until you get there. There are some actually browser plug-ins and things like this that could tell you what's actually at the other end, they are somewhat effective but we did see a rise in this. It was a few hundred in our survey. We expect to see a lot more going forward, they're definitely on the rise.

>>CHERYL LANGDON-ORR: Greg, you want to -- did you? No, okay. Please go ahead.

>>JAY DALEY: So one comment.

>>CHERYL LANGDON-ORR: Who are you?

>>ANDY STEINGRUEBL: My name is Andy Steingruebl. One little follow-up on the Conficker thing and the dangers of analogies, is that whereas in the public health scenario, with something like influenza, you've got a dumb attacker, a virus. In the case of things like Conficker and other worms, you have a sentient attacker. So being very public about your response mechanisms actually influences the situation, whereas that's typically not true in a public health situation, right? So be careful with drawing those analogies too broadly. The second question related to the discussion we had on APWG from Greg and Rod, and that is that if we -- the number you presented was that roughly 80% of the sites you were seeing were compromises rather than the hosted site itself being malicious. And the question is what should the policy response to that be if somebody is hosting one of those sites, doesn't have adequate security measures and if it's not at a hosting provider, they can usually take action. So we can say that it's not really their fault they got broken into, but if you look at rules about public property, for example, or even private property. There are things considered attractive nuisances. And if, for example, you have a swimming pool and you don't have a fence around it, you are still liable if somebody falls into it and gets harmed.
So the idea that people aren't responsible for that security, it wasn't really their fault if the only effective response, in some cases, is a revoking of the domain. If that's the only effective response you can have to take down a malicious site, what's the appropriate response and how does that play into some of the discussions we're having about registrar takedown?

>>GREG AARON: Thanks for the question, Andy. I can tell you about some of the experiences I have had because I am somebody, myself and some of my team are going out and dealing with phish every day. I do see these recidivist sites where somebody has a site or a host, and it keeps getting broken into. But my experience is the great majority of cases, once we tell somebody they are vulnerable, we don't see a repeat case. So pushing information out to people in general works. They don't want it to happen again. As Steve said, I think it would be a very brave government that would require action to be taken if someone has a vulnerable system. That's a trickier thing to deal with.

>>ANDY STEINGRUEBL: So how long before we see the malicious actors setting up seemingly legitimate Web sites with what appears to be a social club or something like that, hosting the phishing site in a deeply nested URL as if it had been attacked. So once you do that and you say that those things are off limits, you incent -- and I don't know -- who knows who is in the audience. I'm giving them an idea.

>>CHERYL LANGDON-ORR: Thanks for that guideline. I said it was not to be a how-to guide.

>>ANDY STEINGRUEBL: That's the counter to it; right?

>>GREG AARON: It's always a cat-and-mouse game, as you say. We haven't seen much of that yet. What we have seen instead is, for instance, people trying to put up bulletproof hosting where they are bad people and won't take down stuff.
Now what we see usually is bad guys just go out and register some domain names because that's cheapest and easiest for them to do and the path of least resistance. Certainly as you lock down one avenue of attack, they will inevitably try something else. Taking action and shutting down avenues of attack is worthwhile because the harder you make it for the criminal, the less money they are making, for example. And there is absolute value in that.

>>CHERYL LANGDON-ORR: Thank you -- Next.

>>MICHELE NEYLON: Hi. Michele Neylon from Blacknight in Ireland. We are a hosting provider and registrar, so we see a fair amount of these problems of the phishing URLs. In most cases, as mentioned by the panel, they are sites that have been compromised. The reason I am up here is because one of the problems we have, it's a recurring problem, is the actual takedown notices. There doesn't seem to be a standardized format for the takedown notices. Having to read three and a half paragraphs of technobabble before you get to the URL that is the source of the phishing is a waste of my staff's time, it's a waste of everybody else's time because it takes us so long to wade through all this junk that the site is still sitting online. And in some cases you feel why should I go through the trouble of reading this if they are not going to present it to me in a simple format. So the question I would put to you is could you please give us some reassurances that at some point in the not too distant future, before I go completely gray, you will introduce within the security community some level of sane, uniform, accessible, takedown format for phishing sites. We will take down sites quite happily, but for God's sake, please help us do that. Thanks.

>>CHERYL LANGDON-ORR: There's a challenge, gentlemen. Who is going to stand to it? Rod?

>>GREG RATTRAY: You first.

>>ROD RASMUSSEN: I would love to have you make that same speech at the APWG.
That's where most of the people who do that work are. And you can certainly tell the statements were mostly written by lawyers and not by operators. This is an ongoing discussion in the community and it takes feedback, though, from providers such as yours to make changes like that. And I will take that back to the APWG. But I'm in the space, so there's a bit of a competitive issue there. So getting providers to actually feed back to the APWG, the e-mail was right on the site. So go ahead and get that right into the group.

>>MICHELE NEYLON: One of the things we found as well is in some cases it's quite hard for us to actually interact with the APWG. For us as a hosting provider and registrar, we would like to be able to give you that kind of input. But in many cases when we look at the APWG Web site, if you want to join in this you have to pay thousands and thousands. Which I could be mistaken, but the last time I looked at it there was this ridiculously high barrier to entry. And while we have things like EuroISPA in Europe, and we are involved with that as well, to be able to give feedback to you guys would help us, because, ultimately, we don't want those sites on our servers.

>>ROD RASMUSSEN: I would be happy to take that up off-line, but you can always post things to the organization if you have comments. So we encourage that quite a bit.

>>CHERYL LANGDON-ORR: Greg.

>>GREG RATTRAY: I want to quickly encourage Rod or a group like Rod's to not only have the dialogue but to go forward to try to issue some sort of -- you know, you are not going to get one form that handles all practice -- or all situations because the need for lawyers to deal with different jurisdictional nuances. But something out there as an industry best practice by a leading global organization would really help the situation.

>>MICHELE NEYLON: Following up on the legal side, if you could give us info, then the legal (inaudible) would help.
>>CHERYL LANGDON-ORR: You have been at the microphone for a while. Go ahead, please.

>>MALCOLM HUTTY: Thank you. Malcolm Hutty speaking in an entirely personal capacity. And with reference to the old new idea, the undead idea, of using worms to clean up worm holes and so forth, I hesitate to make a literary reference in such an international context, but I'm really put in mind of the ending to "Animal Farm." "The creatures outside looked from pig to man and man to pig and pig to man again, but already it was impossible to say which was which." I would ask --

[ Laughter ]

>>MALCOLM HUTTY: I would ask the panel for their thoughts on how, if the good guys start acting like the bad guys, we will ever know which is which.

>>CHERYL LANGDON-ORR: Very nice question. Which one -- no rushing to the buzzer! Look at that. Go ahead, Greg 2.

>>GREG AARON: When the fisherman goes fishing, that kind of thing. Yeah, are we better than -- Are we better than those who we are seeking to fight? Right. You have a good point. We're people who choose to live within laws and pay attention to rules because that's the way we want to deal with each other. The question is how to create some flexibility sometimes within those rules to get good things done.

>>MALCOLM HUTTY: I wasn't actually just making a reference to laws because you could always change the laws so as to permit it. But instead, more to the norm that the law embodies.

>>ROD RASMUSSEN: I would just point out that I think that, in the end, using the tactics of the bad guys against themselves is self-defeating. We talked about that already. You end up with the battlefields being everybody's computers. And battlefields are very ugly after you get done fighting. And I don't see the security community in general going in that direction. In fact, I would say the ethics of the security community are very much to stay away from doing those kinds of tactics, and these issues do come up, often.
>>GREG RATTRAY: This is going to be a personal opinion, not the opinion of ICANN. But I do want to challenge the notion that computers are there to serve human ends. You know, we use viruses to fight viruses in humans. We use guns to fight people with guns. Policemen carry guns as well. This code is really not -- The insertion of code into a machine, to me, is not the end game of this situation. And therefore, you know, in a situation where you have got automated code generation creating botnets we're getting a more chaotic system, and the current constructs and measures are not effective. And to Bertrand's point, we may need to consider some groundbreaking sort of models. While I express my own skepticism about the utility of doing that in the current environment because of the state of technique, I'm not sure really the insertion of code is the moral issue here.

>>MALCOLM HUTTY: Sorry, just following up to that, so do you know of any example in the world where a virus has been used -- released into the general population so as to fight public health as opposed to inserted into a particular patient with the consent of the patient and the treatment?

>>CHERYL LANGDON-ORR: I'm sure everyone appreciates the difference and I'm sure you can take that on notice. Please, go ahead.

>>BARRY SHEIN: Hello, I am Barry Shein. I am president of The World, theworld.com. Generally I consider ourselves to be living in a civilization where we could believe that our cars are locked up, even though we have glass windows. We don't start putting iron bars all over them, and that's sort of where we are sort of going with all this. We get a lot of phish, we get attacked a lot. When I think of phishing, there's a purpose for phishing. The purpose is to get money. The purpose is to get into your account.
To get into your account, even if I get into your account with name and password, most of us as honest people wouldn't be able to do the next step even with your name and password because I have to take that money, transfer it somewhere through a series of steps. So the question, what it comes down to is a fear of being caught, a lot of it is this; right? So there was a tangential reference to this. Are we getting arrests? Are these people being arrested at all? I mean, even through the banking side? Once they perpetrate? I realize that detecting who launched the virus and stuff, going backwards in that direction is difficult. It seems the other side of this is much more mature; right? Transferring funds to different accounts and so forth. And somebody gets the money in their pocket; right? Somebody is walking around with that money in the end or else they wouldn't be bothered with it. Is it just a dead-end on both sides of this crime? Because unless there are arrests -- You know, most people -- governments work because most people voluntarily adhere to laws, even if only out of fear. Okay? Where are we?

>>CHERYL LANGDON-ORR: Rod.

>>ROD RASMUSSEN: Yes, people are getting put into jail and put into orange jumpsuits and the like, at a very much lower rate than they would for going in with a gun and robbing a bank, though, physically. That is changing. We are seeing a, in some regards, law enforcement had to catch up with what was going on. We still have issues, though, because this is not a -- this is a crime that occurs across borders. And so we have a lot of issues with trying to do things with international cooperation where we haven't seen this kind of crime easily implemented by somebody sitting in their basement, able to steal a million dollars out of a bank somewhere across the world. That is new. That is part of this. So the investigation techniques are the same, but they are doing it over a new technology. So we're catching up.
And the law enforcement is catching up. But the barriers to entry are very low, the costs are very low to the criminals, and frankly the penalties aren't all that high, either, for basically the hacking side and the theft of credentials. It's different than if you actually walked into a bank with a gun. It's --

>>BARRY SHEIN: (Inaudible); right? That's been going on for a hundred years. People have been swindling people out of information and out of their bank accounts and so forth. Pigeon drops, and this and that and the other thing. There's nothing new about that. The banks are sophisticated. Law enforcement understands this. Even the international nature of it is not new. At times we get a little wrapped up in our Internetness, you know?

>>ROD RASMUSSEN: Scale, that's the issue.

>>BARRY SHEIN: Scale might be a problem, but still, heads on a pike are often --

>>CHERYL LANGDON-ORR: And the final word on this is going to go to Greg. Go ahead.

>>GREG AARON: I was going to say briefly, sometimes phishing is $300 there, a thousand dollars there, $5,000 there. It's a diffused problem, and there are some in law enforcement who appreciate the total scale, which amounts to many millions of dollars a year. And knitting together all that activity that takes place here, there every day into larger cases is difficult. In some cases, law enforcement is very interested in particular individuals in certain countries, and they can't get to them. And in some cases, they are not able to work with law enforcement in that country or there's not effective action. So it's one of the unfortunate realities of geopolitics.

>>CHERYL LANGDON-ORR: Well, I would like to ask the audience to thank this I think brilliant, excellent, and excitingly informative panel in the normal way for what has really been very interesting to me. Thank you all, gentlemen.
[ Applause ]

>>CHERYL LANGDON-ORR: Now, ladies and gentlemen, while we do the cleverness of moving bodies from one side of a stage to another, I would like to encourage you all to stand up, stretch, perhaps take a five-minute bio break, and inform you all that at 1620, 1620, we did start more than 20 minutes late at the first session, we will be starting our law enforcement section. Thank you all.

[ Break ]

>>CHERYL LANGDON-ORR: Ladies and gentlemen, if you can take your seats, the panel is -- the panel is -- is -- is indeed assembled. The second half of what I trust you are all finding as exciting, as informative as I am this afternoon is law enforcement and the ccTLDs. Our panel is going to include Rob Lowe from AusCERT, Nigel Roberts from Island Networks, Chris Disspain from auDA, Steve Martin from the Australian Federal Police. And I am just going to do an introduction of each of them. Steve is from the high-tech crime investigation area of the Australian Federal Police, and we have decided we are not reading the rest of his bio.

>>STEVE MARTIN: Thank you.

>>CHERYL LANGDON-ORR: Nigel is the founder and CEO of Island Networks Group, which runs ccTLDs of GG, JE, and he was the first -- sorry, he was one of the first elected members representing the ccTLD constituency. Chris Disspain, how many of us don't know Chris Disspain? Is he in the audience? Oh, hello, Chris. Chris Disspain is the chairman of the ccNSO, and is the CEO -- in fact, the all powerful -- in the auDA administration. And Erick, who has perfect timing, Erick who might I mention will be speaking Spanish, so if you don't have headsets, I suggest you get them -- began his involvement in the domain name space as a lawyer and an advisor for the country PE code. He is a member of the advisory committee of ccTLD in PE and in NNI and dot PR. He is now the general manager of LACTLD. Steve, first off. What are we going to do? Not talk about -- no -- yes, I will. I will turn over my page.
Rob, you are at the end. You are also on page 2. (Laughing.) My apologies. Lucky you are an Aussie; otherwise, we would be having problems. Rob joined the Australian Computer Emergency Response Team, AusCERT, six years ago. During his time, his roles of information security analyst and training team leader have given him a wealth of information which he is not only going to share with us today but, forgive my faux pas later. Now Steve.

>>STEVE MARTIN: Okay. Thanks.

>>CHERYL LANGDON-ORR: It's an exercise in cruelty. It's push to hold.

>>STEVE MARTIN: Okay. Just hold it? I will just say thanks for being invited to be here today. Hopefully, (inaudible) major issue for law enforcement and for incident responders and -- I will talk a bit slower. Sorry. I'd first like to recognize the work of the FBI and SOCER (phonetic), the RCMP for some of the work they are doing with the ICANN groups, RIRs and groups such as the APWG, which is -- the APWG provides us with a significant group to provide us with information and support for ongoing investigations. And it's the collaboration that we have with the industry and the private sector which is critical to us actually moving forward. Just to make a comment on what Rod mentioned in the previous panel, there's no doubt that law enforcement is behind the times. We are catching up and we need to work with the industry, those people that are here today, to make sure that we can actually try and prosecute and try and make the online environment as stable and secure as possible. Now, the problem gets bigger. Because cybercrime is such a transnational issue, we do need to work together in a partnership to try and combat and try to mitigate the issue at hand. The slide that you can see up there now is an indication of the manner in which the Fast Flux networks are used.
The domains are changing every 60 seconds about where they are being hosted, and obviously as the sites will show on the screen, you will see that this domain itself in two and a half hours crossed 35 countries. And for law enforcement to actually make a difference in that instance is actually quite difficult. Without the partnership of those people here in the room, there's no way that we could actually take action against that domain. Just in terms of the analysis of the data we are looking at, we work with the financial structure here in Australia with quite a unique team called the Joint Banking Financial Sector Investigation Team where we analyze data that the banks hold, provide to us, and allows us to monitor the hosting (inaudible) phishing sites and the -- sorry -- the mule sites as well. You can see from this slide that there are phishing sites and the mule sites are sort of hosted on the same botnet, the same fast-flux network that demonstrates that they are a botnet for hire or there is a direct correlation between the phishing site and the mule sites. The reason this is so important in relation to the DNS abuse is that the registrars and the registries are the focal points of law enforcement action, and that of the incident responders to actually try and mitigate the threat. >>CHERYL LANGDON-ORR: The scribes will appreciate all the breaks you take. >>STEVE MARTIN: Just in relation to the WHOIS data. It's a separate and distinct issue for us. It is certainly another major concern for us. As we have heard over the last few days, the registrant details, which include cartoon characters and infamous or famous names, are actually quite prevalent, albeit the significant proportion of original details is certainly there for us. The use of the privacy protection systems -- I am in no way anti the privacy protections for some individuals and groups, but it certainly still does make it difficult for law enforcement to take mitigation against the sites. 
With the discussions that have gone on over the last few days in terms of new gTLDs and the language variations and the naming conventions, the task of combating online criminals will only get harder. By providing a framework by which we can actually work together and have a robust communication and intervention plan is actually critical to the way in which we can tackle this growing problem. One of the major issues that we have looked at recently as well, and we had a male in Perth here in Australia sentenced on a Friday for trying to sell a domain name registrar database. The impact that could have had on the stability of the Internet is actually fairly significant, as most people here in the room can understand. Now, the next slide that I'll just show up is actually a movie clip from "Ice Age 2." When you actually see it, just think about the process of we all want to take out the best of the Internet. As we do that, we can start to see some holes that appear, some of the threats and trends that come up. We can do our best to try to block those holes, block those threats, but in the end, if we are spread too thinly, there's a chance that it's going to be a long and hard fall for us all. (movie clip). >> Uh-oh. (screaming). [ Laughter ] >>STEVE MARTIN: That's it. Thanks. >>CHERYL LANGDON ORR: Thank you very much. It's very hard to smile quite so hard and pass on to Nigel. Please, go ahead. >>NIGEL ROBERTS: Thank you, Cheryl. Let's see if I can make this work. Thank you very much. Great stuff. Well, you have heard an introduction. It seems like I have been around ICANN forever, like before there was an ICANN. I have got professional interests that are both in the Internet and I.T. business and in the law. Now, there are lots of lawyers in ICANN, and they tell me the only thing worse than a lawyer turned geek is geek turned lawyer. We're going to talk about DNS abuse. 
And what I thought I would do is just give a few little highlights, a little keynote, if you like, pose more questions than give answers, and hopefully we can tease out some discussion that will provide some answers, perhaps, but more likely, possible routes to more questions, even. The three categories I have put them in are illegality, unlawfulness, and anti-social behavior. There is a shameless plug here for a famous ICANN person. If you know Kieren McCarthy, he wrote a book called "sex.com" which was about stealing a domain name. So if you haven't come across this case before, run, do not walk, and buy this book. Fraud, misleading names used in phishing. We have heard about that quite a lot already today. And so on. But the key point I see in the criminality is plain-old crime just done with the help of a domain name. Unlawfulness. There's a couple of examples that perhaps people haven't thought of. Rights infringement right at the bottom is very, very familiar. It seems we have been talking about trademark and I.P. rights forever. And a couple of others. A domain name could actually commit a libel in itself. It's a string. If you were to say NigelRobertsisaburglar.com, and I assure you I'm not, therefore, that's a libel. Database mining. That's a famous case of an attempt not far from here, I think, to use the WHOIS to enumerate Nominet's database. I won't say too much about anti-social behavior, but I define that as activities that are actually perfectly legal, but in some societies are considered undesirable. To some people warehousing and domaining could, at some point, be abuse of the DNS. Here is an interesting one that perhaps we haven't thought of. Free expression. Something that in both United States and in Europe we hold dear. And that could even actually be entirely illegal in some societies. There's a problem. 
Do you disclose registry data to law enforcement in a totalitarian country whereby they are trying to track down, for example, who is using mobile phones in the Internet to get information out from, for example, a country where something is happening right now. So why do we have detailed WHOIS data globally accessible? That is one of the questions I think ICANN has been wrestling with for several years. And the only thing I would say at the end of this particular slide is that policy considerations and remedies vary wildly from jurisdiction to jurisdiction. There is a discontinuity between attitudes both within the U.S. and within the U.S. and Europe, let alone many, many other societies that are out there. So we're going to talk about law enforcement and the ccTLDs. I have kind of deliberately interpreted this in two ways. What are the ccTLD managers' responsibility for enforcement of the law? And what is the ccTLDs relationship with law enforcement agencies, which is perhaps the more obvious meaning of this panel. Well, ccTLD managers are not law enforcement agencies. In fact, we are not and should not be a substitute legislature, and the same goes for ICANN, a substitute of the executive branch. We are not law enforcement agencies. And we certainly shouldn't be a substitute for the judicial branch. But there is a positive obligation on all of us to protect the rights and freedoms of others in our societies. Things like a right to private life, but including the right to be protected from criminal activity. So it's my submission to the panel here today that it's the ccTLD managers positive obligation, irrespective of whether it's public or private sector, to work with appropriate agencies, whoever they may be in your country or in other countries, towards the goal of protecting people. How to improve that. Well, it might sound obvious, but you can just talk. You can pick up the phone. Police agencies, for example, have very, very different levels of expertise. 
We are very fortunate that we meet, here in ICANN, some of the best. There are others that you can have difficulties with. I remember when the tsunami happened and there was an issue in England with something to do with the disaster emergency. It was basically a phishing site. I got a spam about a phishing site. I was just a citizen. And trying to deal with the ethics police at the time was actually quite difficult because the expertise was concentrated in one particular little place, and finding that officer took several days, just to find the officer. But as ccTLD managers, perhaps we should consider the environment in which LEAs operate. In the Mexico meeting, something very, very interesting came out, at least from my perspective. Is that I spent five years simply not understanding why law enforcement agencies in, for example, the United States were so keen on global publicly available WHOIS. And the penny finally dropped when it was realized that a mutual assistance request across jurisdictional borders can take months. So is there a way to square this circle? Now, I think there is. Now, in the context of a European ccTLD manager, there are obligations on all of us. So what we call conventional rights are, in some sense, very similar to United States constitutional rights. The right to private and family life was referred to earlier. But the right to free expression. There's also hard law, data protection law, and also laws enabling lawful access to various data, such as telephone and perhaps Internet records as well. But what happens if you are dealing with a European ccTLD and there are some good guys, and they are outside the EEA, and they want some data? How do you deal with that? Well, it is a balancing act. But I would suggest that disclosure of, for example, registry data doesn't have to just be WHOIS. The registry can be in possession of other data that is relevant to an investigation. It might be traffic data, it might be historical WHOIS data. 
I'm trying to put this forward in a more technology-neutral fashion as possible. But this is the guideline that has to be followed in my submission, that it's got to be in accordance with law, necessary in a democratic society, and proportionate to the aim to be achieved, and that will probably sound quite familiar to some of you. I think it's quite possible to come up with an agreement between law enforcement agencies and ccTLD managers in the form of something like a Memorandum of Understanding, a bit like the contractual clauses recommended by the European Union for lawful transmission of personal data outside the EEA -- for example, to the United States or India. And the final question I'm going to leave you in this presentation, and maybe some of the audience or some of the other panel can have some suggestions on this, how would you put such an agreement together and what might it comprise? Thank you for your time. >>CHERYL LANGDON ORR: Thank you. We are going to move up and down the table here for certain. Chris Disspain. >>CHRIS DISSPAIN: Good afternoon again, everybody. I am going to catch you up some more time, Cheryl. I am going to be very, very brief because I am actually more interested in hearing what everyone else has to say. And you have all probably heard enough from me this week anyway. >>NIGEL ROBERTS: Never. >>CHRIS DISSPAIN: I will be very quick. So I just wanted to touch on the fact that what we do -- talking about WHOIS, what we do with our WHOIS data, is our WHOIS data is basically very accurate. Teams not disclosed past a certain point, registrar name, registrant point, e-mail address, but we have a series of protocols with various institutions that enables them to ask us for information. And we provide that information to them provided they fill in the letter requesting it. So I think to a degree, that actually deals -- (inaudible) Not very helpful cross-border. I think we can find a way around that. 
I think that actually deals with the balance between privacy and the need for information. My concerns about whether it's -- whether it's e-crime or -- why are we calling it e-crime if everybody calls it cybercrime? Is there an official position for that? Education -- there's a lack of understanding about who is responsible for what, and that can mean it can take quite a long time for stuff -- I think as Nigel was saying, to find your right policeman. So we know what we're responsible for, and that doesn't mean that other people out there know what we're responsible for. So that's quite challenging, and I'll give you an example. We had a -- one of Australia's largest banks is called National Australia Bank and they're known quite commonly as the NAB, N-A-B. The domain name nab, nab.com.au, I got a phone call, this had taken two days for these people to eventually get to me because nab.com.au was not the National Australia Bank and was being used for phishing. Now, the person who finally got to me from the National Australia Bank was extremely frustrated and very annoyed and -- not surprisingly, and wanted something done immediately. He wanted the domain name immediately -- the Web site immediately removed and the domain name taken down. Because clearly, there couldn't possibly be a legitimate registration of the domain name. Now, turns out there was actually a legitimate registration of the domain name. There was an accountancy group in western Australia who had the name since 1997 or something, probably way before that, and that the problem was not even with -- the problem wasn't with them, the problem was simply the people who were hosting them had been compromised and that's why their Web site was being used for phishing. That took me about 15 minutes to fix. It took me about five minutes to work it out and another 10 minutes to fix. But it had been floating around for two days before anybody actually got to me. 
So my plea would be for us to talk to each other all the time and open up the lines of communication not just in our own ccTLDs, but overseas, across borders, and actually introduce, just to take an example introduce -- the Australian Federal Police can introduce us to the FBI guys and so on, and that's really all I wanted to -- okay, I did want to say one other thing was actually Steve you listed as one of the domain name registrants Donald Duck. >>STEVE MARTIN: Yes. >>CHRIS DISSPAIN: Actually, that's my partner's ducks partner, no, no, that's true, absolutely true, he was christened before Donald Duck was actually invented, if he was on the Internet and did have a domain name you'd be in serious trouble now. >>CHERYL LANGDON-ORR: Indeed he would, thank you for getting us back on track. Did you want to reply? >>STEVE MARTIN: I'd be delighted. Ladies and gentlemen, if you're not a native Spanish speaker, I'd remind you to put your headphones on and those who want to listen in English listen to channel one, in French, channel two, and if you're perfectly happy with your Spanish, you don't need to use any channel at all but that's normally on channel three. Erick, go ahead. >>ERICK IRIARTE AHON: Thanks, some people told me that I prefer speaking English because my Spanish is very, very bad. [Speaking Spanish] First of all, I want to thank the translators because they're only translating for me, I guess, nobody else had the headphones listening to Spanish, and then thank Elicanto (phonetic) that I can speak in my own language, you are invited to use the headphones here. The first thing we have to understand about the ccTLD in Latin America is that we have diverse origins. There are governmental ccTLDs, there are others which originate in civil societies, some that originate in universities, national universities, private universities. 
The second thing we have to understand, that the relationship with our governments have been for ccTLDs, government ccTLDs have been complicated in most of the cases because they're in different offices. They sit in different offices, ccTLDs in some countries are under the ministry of communication, but in other countries they don't have much contact with them. So we have to also understand that in Latin America our countries have a democracy, they're young countries, and the relationship between civil society and university and government has been complicated. So how to work together with agency of law enforcement that are on the governmental side, and in the last years, they're becoming trained, and they didn't have a training that we could have a good training to converse among each other. Last year we started a relationship with country code -- code with the law enforcement agencies. And this year we had a workshop of legal aspect which developed a handbook of operations for ccTLDs or how to relation with law enforcement agencies. And last May we had a workshop with them in Panama where we posed some questions, and I don't have those answers to those questions, I didn't have them at the time, but they can help us -- help what's the problem behind this. One workshop has been carried out and what we want to know in this is this domain name XYZ.com, whatever, or dot P, just to -- as an example, what they wanted to know as a fact was what was the I.P. name behind it. They didn't want to know who was an owner of the domain name. Because when you open, there was a name like Mickey Mouse, a fantasy name, because these registries are allowed in the dot P registry. So that detail was not important for them. It wouldn't be helpful in trying to follow up a crime, it was helpful to know who paid for this because the credit card number is traceable but that credit card has been cloned. So it was an illicit act which they couldn't identify. 
And the other -- the number one they wanted was the I.P. But in Latin America some regulations, the I.P. number is a detail which is private, personal, and second, it's protected by the Secret in Communications Act, and the only way to lift it is through a judge, by order of a court, if you have a phishing case now, until the judge resolves, one month's passed by and everything has been lost, and the detectives are lost also. This is a very serious problem because as, in fact, what the agency wanted is to find the I.P. numbers, and the detail as the ccTLD says we want the I.P. number and they told them if you want to know who is behind the I.P. you go to the provider or to the hoster and find out who's got this number through the WHOIS. So they wanted access to the WHOIS tables directly. But it's free, you can access directly those tables of WHOIS, lists of WHOIS, you have to fill up the -- fill out the domain name number you want and you obtain the number. What did the law enforcement agency do? They were sending a letter through the secretary, they left the police, and while it arrived to the country code, many days passed by, and they were awaiting a response not by e-mail but through -- in paper. So one of the tools they used was that the contact address was to be validated both sides so the information could be fluid. A very practical solution, but it saved law enforcement agency plenty of resources and plenty of paper to avoid downing trees. The other thing is they decided they wanted details of the WHOIS, they wanted to know if the name of the WHOIS, in the WHOIS is the one that it says, I can that -- I can tell you the name I was asked to put in that place. So there was no agreement in this subject. It was said that the detail in all the information in WHOIS looks like -- it's like a (inaudible) registrations, like something that's been finalized. 
When the law enforcement agency has asked to be done and all the others were in agreement to train, to train from ccTLD, which has more training information and has security, has followed up, has more solution, capabilities to their police agency. And they were interested in listening to the country code and not having them as an opponent because banks, when there was phishing involved, they are sent letters. They said you are an accomplice in a phishing act. Help me, because I have to find out who is doing the phishing here. And this is the concrete case of Venezuela which was mentioned today. The country code of Venezuela is within the ministry of communications. So it's an office, a governmental office. >>CHERYL LANGDON-ORR: They're desperate to catch up. >>ERICK IRIARTE AHON: The problem of country code in Venezuela is the agency of domain names, to call it in a way, it was the ministry different to the ministry where the police was located, and in order to cross -- to do the crossing between agencies, they needed a mandate from a third agency. So it was a bureaucracy problem, if you want to put it in such a way. But also the alert didn't arrive because somebody was accusing somebody but it came through these companies that they are following up some special domain names like Pay Pal, Google, et cetera. And they were alerted. This alert that they sent was like a notice of a takedown, not little more than that. You've been advised that this is happening, and if you don't take -- do something, we will take legal action. And in Latin America, these letters are laughed upon. Why? Because there's no legal way for a company, like a company in the United States to act in another country protected by its own laws. So this is part of the agreement that started being done, carried out, that these companies, these agencies started sending the letters with the word "please." Please be kind, help us. 
Before you are being ordered to do something to act against this, which was impossible. Because they have contractual relations to protect. Even if they can be invalidated because the name was Mickey Mouse. But second, there is a line of command, and the line of command said the police agency had to send the country code. This fluidity that has been discovered throughout the years has allowed us to coordinate actions between law enforcement agencies and country codes and finally, two more reflections. The first one, in Latin America we are preparing a series of handbooks which we would be very -- very pleased to provide to you. What happens if this doesn't -- this dialogue doesn't happen? The second, the country code is based on our legislation, national legislation. This national legislation, at the moment, Latin America is working strongly in the development of CERTs where those country codes are located and in the protection of private data privacy which is a legislation which is still pending in Latin America. This is a situation that we have in the region. We are working together, all together, and we still have many things to do. The solution was training, mutual training and understanding that one is not the enemy of the other but they are working against the same enemy, thank you. >>CHERYL LANGDON-ORR: Thank you, indeed. Rob. >>ROBERT LOWE: Thank you very much. Just a quick introduction to AusCERT. It's a not-for-profit organization based at the University of Queensland. We're funded by member subscriptions and that membership ranges from government, commercial organizations and educational institutions. We also receive some revenue from some very targeted government projects that we undertake as well as running an annual conference every year. However, we try and look beyond the interests of our immediate members and try to help Australian Internet users, where possible, and where practical for us to do so. 
We feel that if we can help increase the level of Australia's Internet security posture or standards and make Australia an unfriendly place for online criminals to do business then we will try and do so. We're not a law enforcement agency. However, we do conduct significant amounts of incident response or incident response coordination. And we do that by just really asking nicely, and as Erick just said, we say please a lot. We also just rely on the fact that most hosting providers and infrastructure providers don't want malicious activity occurring on their infrastructure. And alert them to that fact, and in -- where practical, we try and educate as well. So just looking at the issue of WHOIS which has been discussed a little bit here, from our perspective, we often find this very useful for an incident response capacity because -- and I'll give you a specific example that we have dealt with numerous times and that is web defacement. That is when an attacker compromises a Web site and puts up -- replaces the actual correct content with their own content, whether it's political messages or even just this is hacked by, you know, their hacker handle or something of that nature. In that case we can -- we often will contact the ISP, but ISPs' abuse- handling varies from organization to organization and that takes hours or even days to resolve that issue. However, with up-to-date WHOIS data, we can actually, in some cases, have been able to call the registrant and that means we've been able to inform them directly that their Web site has been compromised and they then often take -- give that a high priority to rectifying that issue, so we were able to mitigate that incident or start responding to that incident very quickly. 
Just on some of the DNS abuse incidents or issues that we've been dealing with, we've already had a lot of discussion already about phishing, and, sorry, this is also specifically those incidents where domain names are being registered, so not specifically the hacked Web sites but the domain names being registered. We've had a lot of discussion about phishing already and for registrars to take these down, it's sometimes -- often a fairly easy thing to do to say, okay, here's the legitimate Web site, and here's this fake, fraudulent, look, they're the same, it's infringing on that intellectual property or that trademark and used for malicious purposes, can you please take it down. There is also -- which is quite a straightforward case to make. What's not so straightforward -- and Steve mentioned this in his presentation -- was the money mules. And they are the people who are recruited to actually be parts of the money-laundering chain that once that bank account is compromised, then those money mules are used to actually go into those funds offshore. It's very difficult for us to show a registrar -- and a registrar is often quite rightly skeptical to say, well, why am I going to take what looks like a -- or what could well be a very legitimate company off the Internet on your say-so. So that's a problem that we've struggled with significantly and we -- the best we've sort of done is relied on our friends in the AFP and the AHTCC to do a lot of that work for us because we just have too much of a hard time trying to convince registrars to try and take those sites down. Both phishing and mules are often hosted on the Fast-Flux infrastructure, and as Steve mentioned, that can cycle, so cycling domain names through multiple ISPs at often a very quick rate. It's great to see ICANN's recent interest and research and fact-finding on the Fast-Flux problem, and we hope that there's some good outcomes as a result of that, so that's good to see. 
Also, there's a more insidious issue that's often, as well, again, for the purposes of financial fraud is malicious software, and that's something we deal with quite a bit. And again, these domains are being registered and we see them distributing malicious software, being the command and control structure, and the obvious example is Conficker there, as well as domains that actually collect compromised personal information. So once that software on your computer has -- or that malware on your computer has captured your user name and password, it sends it off to one of these domains to be logged. And again, all those three situations are often quite difficult to convince registrars that they are actually a problem. So, yeah, that's an ongoing challenge for us. But what we see, that is often a more significant problem than we see phishing because it's so much more than just user name and password credentials for bank accounts. It can be a whole raft of password-protected -- or credentials for other sensitive Internet sites. We also see some incidents involving Distributed Denial of Service amplification attacks using DNS servers but I won't go into those here for the -- in the interest of time but I'm happy to speak about those later. And there's also the opportunity to perform poisoning type of attacks of the DNS system. That's something that AusCERT isn't seeing a lot of but that isn't to say that attacks aren't occurring. Their very nature means they could be occurring and no one's actually detecting those or the DNS server provider might be just quietly fixing those incidents and not wanting to report them further. So they're the main, I guess, types of DNS abuses that we see. 
I'd just also, since this is a country code-specific discussion, I'd also like to share what I think is a bit of a success story and similarly to Afilias' initiatives with the dot info, dot biz response changes, we saw in 2006 and 2007 significant targeting of the Hong Kong, the dot hk domain space. And in those years, we saw 55 in 2006 and 81 in 2007 domains registered for these purposes of either phishing, Trojans, mules or some other aspect of Trojans like command and control of logging sites. This is probably an underestimate because this is more those sites involving Australian banks or institutions or malware sites, so it's probably definitely on the under side. The Hong Kong DNR started cooperating with the Hong Kong CERT team and they -- and our incidents significantly dropped off then, in 2008 there were three, and in 2009 there's only been two, so I think that's a really good success story. And I don't see that as being publicized widely, well, as widely as it could have been so I just thought I'd share that with you that that's something to consider, that if you, as ccTLDs, you might want to consider partnering with a trusted partner like a CERT or a law enforcement agency and have them being able to vet some of these takedown requests that are coming through and give you some certainty that you're not going to take down a legitimate domain. So thank you. >>CHERYL LANGDON-ORR: Thank you. Chris, you wanted to have a word or -- >>CHRIS DISSPAIN: Yeah, I just wanted to talk about taking things down. Registrars actually can't do that. It's ISPs that can do that certainly in Australia. The registrar -- the only thing the registrar can do is either delete the domain name or stop the nameservers, take the nameservers out. And if -- so it's just -- it's just a term of -- the term that you -- I just want to be clear about that. 
We have things that we can do, but they -- actually sort of -- when you talk about taking a site down is what you actually want, isn't it, rather than a domain name to be deleted. >>ROBERT LOWE: Thanks for that clarification, but actually I'm talking about domain names being deleted, because in the case of Fast-Flux, for example, all the domains that have been specifically registered for the purpose of attacks, so, yes, I mean deleted in this case and my apologies for that. >>CHRIS DISSPAIN: As opposed to taking it down, yeah, okay. >>CHERYL LANGDON-ORR: Thanks for that clarification, indeed. Ladies and gentlemen, I'm wondering if there's any questions with regard to specifically to the ccTLDs and security, yes? No? You're changing batteries? Questions? It was all perfectly well understood and you're excited about what they do. I'd like to think that perhaps some of this slowness that I see with a mix of paper and the need to say "please," it sounds to me that there might be an opportunity for some of the CCs to share the combined wisdom of their experience at some point in the future. I'm wondering, Chris, perhaps, with your chair of the ccNSO hat on, whether your constituency might want to think about something to do between now and Seoul? >>CHRIS DISSPAIN: See, now, we almost got away, but you had to ask me a question, and now Bertrand stood up. >>CHERYL LANGDON-ORR: Chris, it's written here. >>CHRIS DISSPAIN: I know, I know what it says. I'm not clear what you're asking me to do. >>CHERYL LANGDON-ORR: Well, from what I heard here, there wasn't a whole lot other than learn to talk to each other and sharing of experience that can be done right now in terms of cooperation. >>CHRIS DISSPAIN: That's right. >>CHERYL LANGDON-ORR: Is there an opportunity for us to perhaps look at something in Seoul where some of the CC experiences, where you've got better practice and worst practice could be looked at. Yes, Erick? 
>>ERICK IRIARTE AHON: Not exactly for the meeting but for regional organizations, like TLD, APTLD, AFTLD and CENTR are working very hard together to making training some workshop in one ACURP (phonetic) for one size and other size is about security and technical. Also we are working together to involve more our ccTLDs in that kind of issues, but maybe could be a good idea to have in the ccNSO meeting we can suggest that proposal.
>>CHERYL LANGDON-ORR: And clearly more regionalized focus would be the better way forward. Michele?
>>MICHELE NEYLON: Michele. You'll get it right eventually, I'm sure. Okay. Just a couple of things. Nigel was talking about this memorandum of understanding concept, we've talked it a bit elsewhere as well. And one of the questions that kind of sprang to my mind was how would that affect the relationship between the registrars and the registry and the registrants? I mean, what the -- if it's all very well in the case of a registry operator which does not actually have any formal registrars because obviously the registrant has a direct contract with the registry, but there's also the implication that you're changing part of the contract because obviously, if you introduce a memorandum of understanding, that's going to affect the existing domains that you have and then if you're going to do that in a situation where you have both registrars and direct access as a kind of registrar of last resort type situation how would you handle that?
>>CHERYL LANGDON-ORR: It's got to be yours, Nigel and then yours, Chris.
>>NIGEL ROBERTS: There's more than just me to answer this but two things: the plan is for the MoU to be technology-neutral. So, first of all, what that means is we're not just talking WHOIS data, although that's clearly a large part of it. We're not also insisting, in this concept, that a registrar situation obtains. I mean, in our registry, we're a very thin, thick registry or a very small, thick registry.
We have all the data on all registrations in our TLD. And the other thing is you mentioned contractual considerations. Our contractual terms and conditions, and they're available at ww.channelisles.net, if anybody wants to look at them, are already drawn in such a way that we may lawfully disclose data, but we're not compelled to. This is more about a situation whereby we document a lawful way that we can transfer data, if it's appropriate, to appropriate agencies outside of the European economic area. I mean, clearly something within, let's say, the U.K, if you're in the U.K, island, if you're an island, anywhere within the EU will have a lawful disclosure law. But it's when you're going outside the EEA that you need something like this to make it lawful under the data protection law. And it's very high level. I hope it answers the question. These are ideas. We're going slowly towards this.
>>MICHELE NEYLON: The thing is this, I think it's something that needs to be discussed further. I mean, like personally --
>>NIGEL ROBERTS: That's why I brought it up.
>>MICHELE NEYLON: We know. Just thinking from our perspective, speaking my capacity, as a hosting provider and registrar, it's obviously in our interest, you know, that the domains are not abused because that affects our business and everything else but obviously at the same time we have to balance that with privacy and proper due process. Because the fear I would have is that you could end up in a situation that somebody.
I think it was the gentleman from AusCERT mentioned intellectual property rights infringements and the thing is where do you draw the line because the situation we've had in Ireland in the last six to eight months is where the Irish equivalent of the RIAA is trying to get the ISPs and hosting providers to do certain things that completely ignore -- I'm sorry, ignore all due process and that's something I've been concerned about that you draw a line very clearly, that you're dealing with abuse and what that abuse is that's criminal.
>>NIGEL ROBERTS: You're right to be concerned about such things. The content is the enabler. It doesn't say we must give the content to J random person who alleges there is an unlawful rights infringement. And again, the concept is a model that can be equally adopted by registrars in a thin model. It could be incorporated into a contract between a ccTLD and its registrars, potentially. These are high-level concepts which are a little bit undeveloped at this stage.
>>CHERYL LANGDON ORR: Chris.
>>CHRIS DISSPAIN: I may -- I think I may be confused. I missed something. First of all, it seems to me that in most -- it might not be the case in the gTLD world, but in the ccTLD world, in most ccTLDs, irrespective of whether they are registrars or not, there is a nexus, a legal nexus, between the ccTLD registry or manager and the customer because there has to be because it's the manager who actually grants the licenses of the name. Unless you do it -- you could, I suppose, do it by going manager, registrar, registrant. But that would mean that the rights sat with the registrar on expiry, rather than come back to the --
(Multiple people talking at once.)
>>CHRIS DISSPAIN: So on that basis we can say the basis upon which we will reveal your information -- I think I'd actually be quite uncomfortable in Australia if registrars were in that position, because then you wouldn't have a standard practice.
You would actually have the different -- the different levels of ease of dealing with authorities from one registrar and harder ones with others. So from my point of view, it's for us to do that. And your point about it's got to be crime, et cetera, I do accept what you say. The problem is that the moment you put something to proof, you take up a large amount of time. So the way that we deal with it is we say it's who are you? Do we know who you are? So in the case, for example, of some of our authorities, there is a designated person or persons who can contact us and ask for information. And they have to provide us with confirmation that they are investigating something and so on and so forth. So what we won't let them do is go fishing, with an "F," through the database just for -- just to use a quaint legal expression, on a frolic of their own.
>>CHERYL LANGDON ORR: Thanks, Chris. I think that actually clarified a lot. Go ahead, Bertrand.
>>BERTRAND DE LA CHAPELLE: First of all, thank you for the panel, because it's a very interesting range of experiences. What is interesting is when you talk about ccTLDs, when we say law enforcement, there is an assumption that there is a law. And when we work in the environment of ccTLDs, although the activity covers, of course, the rest of the world, there is a close cooperation in defining the body of law at the national level to establish the balance that the local community has decided to put on the rules that will apply in case there is a breach or a misuse. I mention this because when we discussed the same thing at the global level for gTLDs in particular, and I mention that as a GAC representative because this is an idea that emerged this morning in one of the discussions. In the case of the discussion on WHOIS, for instance, for new gTLDs, thick-wards, thin-wards, it is very hard for a GAC representative who covers all ICANN issues to basically have the complete knowledge.
So they are basically obliged to request their privacy commissioner at the national level and the law enforcement authority and a lot of things in order to channel back the information. And this makes me think that in terms of process, what is being done at the national level because the actors are actually collaborating on policy is very difficult to do in the ICANN level because the format does not engage those actors. And so if we take an issue-based approach on WHOIS, there is probably a need to do, at the ICANN level, when we deal with those issues, mechanisms that do not necessarily force the law enforcement actors or the privacy commissioners to come to ICANN meetings, but to have a process where in between, they do work together so that in the same room, you have the privacy protection actors, you have the law enforcement, and they work together on the policy. And the final point is what I find extremely interesting with the ccTLD space is the demonstration that you can have a great diversity of regimes within a sort of envelope. Like there is a big range in registration policy, in protection of data, in enforcement mechanisms. However, the whole system, on the whole, doesn't function that badly. So I want to highlight this capacity of diversity of regimes that are more adapted to the national and local behaviors.
>>CHERYL LANGDON ORR: Thank you, Bertrand. And I think in -- yes, go ahead, Erick.
>>ERICK IRIARTE AHON: Yes. The first comment is that the way for ccTLDs in Latin America, in some moments for maybe other regions, is not about if a contract or no in the relation with the national laws that is the base of the contract to give something to somebody. And so with this contract is effected the registry, the registrants and the registrar. What means that, that you are in contact with the courts of some country or some legislation of some country. So this is very clear. The question is what is that thing that you give? You give a good or good service.
If you bring a thing, you can have owner rights on the property or the thing. Maybe for the domainers are interested in that kind of discussion because they want (inaudible) of domain. And for a lot of the ccTLDs the discussion is not on that side. It is I bring a service and only a service, and the domain name is not a thing. It's only something. Legally, sometimes as lawyers, we make confusion in the people. And make confusion -- thanks, yes, I am a lawyer, too. A good guy. We make confusion in the people because we don't clarify what is a domain name. If it is a thing, the relation is a contract, and a contract relation means some kind of rights that give to the people, in this case, the registrant. But if not a thing, if only a service, you can cut the service with some clause about abuse, for example. And this difference need to be in a contract. Maybe it's necessary to start that discussion. For years, nobody tried to put that discussion on the table.
>>CHERYL LANGDON ORR: Oh, Chris, come on, don't tempt us like that. That's just cruel! All right, then.
>>CHRIS DISSPAIN: All right, I just thought it was rather ironic that the CC people were sitting up here talking about contracts.
[ Laughter ]
>>CHERYL LANGDON ORR: Thank you very much, Chris. And in fact, while we are thinking of thanks, I would like you all to join with me in giving our sincere and generous thanks to the excellent panel members we have had here in this afternoon's session. Thank you all, gentlemen.
[ Applause ]
>>CHERYL LANGDON ORR: Now, while we do the musical chairs. There will not be a bio-break. You will just have to suffer like we do. We will move straight on to protecting consumers from abuse of the DNS. Those CC presenters who are able to stay, will stay, but many have other commitments. I would like to thank you all again as you leave the room. The panel for this afternoon, and it's going to happen magically around me as I talk on, is going to be -- this is an exercise in cruelty.
This push-to-talk system is just murder. Is going to be describing the manner in which malicious abuse of the DNS affects consumers and will identify challenges for those seeking to protect consumers. Constraints defenders face including inaccurate WHOIS data, and limitations in the current RAA agreement. The panel will then explore, if I give them time to do so, how changes -- in fact, I will now reading it -- the RAA agreement could assist in defending consumers from abuse involving gTLDs. We have -- Do we have them all yet? Have I filibustered long enough? That's fine, shuffling around while we are working here. Holly Raiche, the executive director of the Internet society of Australia, who is not just here as a clearly poor example of trying to get gender equity onto the panels but is, in fact, here as one of the two signatories to the petition for the consumer constituency along with Beau Brendler sitting next to her. And she is a director of the Australian communication, consumer action network, a now federally funded body which is go live on the 1st of July, whose task is to represent the needs of all Australian communication consumers from a tithing of funds from industry. So we are now greatly honored to have Holly here as a peak (phonetic) body representative and as CEO of that organization, we are equally delighted to announce, if you haven't noticed the buzz on the news, is Mr. Allan Asher. That brings me to Beau Brendler. Beau founded a consumer protection organization called Web Watch at Consumer's Union of the U.S. whose family of Web sites included badwarebusters.org, stopbadware.org and frontgroups.org. He spent a decade in consumer advocacy on Internet policy and created widely adopted guidelines to improve Web site trust and credibility. We know how often he is frequently quoted because we follow him. And you boys haven't shifted? Well done. We then have Dave Piscitello who is the senior security technologist with ICANN. 
He is recognized as an expert in the field of Internet routing, broadband access and security, and more importantly, from the consumer perspective, can actually help us understand what this is all about. He has done a number of briefings for us in the at-large area, and he is a genuine communicator, making complex things seem simple. Last and in no way least is Mason Cole. Mason is vice president of corporate communications, oversea.net and also manages the company's industry relations. Previously he worked at Snapnames where he directed the company's public relations effort, managed relationships with ICANN and the Snapnames partner network. Lady and gentlemen, let's start our panel. Go ahead, Holly.
>>HOLLY RAICHE: I'm not sure what slide is going to come up.
>>CHERYL LANGDON ORR: There should be a dongle somewhere.
>>BEAU BRENDLER: Is that a dongle or is that a gizmo?
>>CHERYL LANGDON ORR: You always have to start with a definition. We are unsure whether it's a dongle or a gizmo, as long as it works.
>>BEAU BRENDLER: There you go. You are there.
>>HOLLY RAICHE: Much better. And the next one. Next slide. That's all I am going to talk about and I am going to do it very quickly. Basically four topics. Basically, as outlined by Cheryl. The first is what are the actual threats, the real challenges, what's in place, and then what might be in place.
>>CHERYL LANGDON ORR: It's there if you need it.
>>HOLLY RAICHE: That's all right. I don't need it. The threats, the threats are first of all let's start with scams. Everybody knows what a scam is, I think. It's basically you thought you bought the Brooklyn bridge and you discover 3,700 people have also bought the Brooklyn bridge and you are not likely got your money back. But all you have done there is really lost money.
The next threat -- and these are all threats that have been talked about all afternoon so I won't spend a lot of time on them -- and I will talk slowly because I suddenly realize two people look pretty frantic; sorry -- is identity theft. And identity theft means somebody can actually steal enough information about you to be you. And once they are you, they can actually make way with a lot of your property, a lot of your money, possibly a lot of your property. And the third threat actually is that sort of malware, botnet. Computers become a botnet. The most recent example in Australia was where naturally there's of course a black list that's developed by our regulator, and very soon after it's developed, you go to Wiki leaks and there it is. A dentist discovered he was on the list that was blacked out. Why was this so? And basically the government had to say that basically his domain had been stolen. So there went his business. People couldn't contact him, they couldn't e-mail him. So it wasn't just his identity that was stolen. It was his business. So there are threats from a consumer point of view or from a user point of view. The challenges. And the first challenge from a consumer perspective is basically they don't understand the threats. An example I often use, we -- we being ISOC AU -- did a series of talks about the Internet. One was in western Australia and there were a lot of seniors in the audience. In Australia we have a download limit that's about three seconds long and it's the worst in the OECD list of countries. So if you are a senior and you are on a pension or you are on limited income, and Microsoft sends out a patch and you know it's going to take a whole month's download, they don't. So they don't have the security, and they don't understand the problem. The next is if you don't know, you don't care. 
And this is more a younger generation thing, probably anywhere from age 4 to age 45, where you will put things on Facebook or whatever, not realizing or not caring -- mainly not caring about what sort of information is out there about you. A person I was talking to not long ago said you know there's a program out there that takes about two minutes to come up with enough information about people so that they have got what's called a 100 point identity check. That means you can walk into a bank and be somebody. And that's because a lot of people put an awful lot of information out there not particularly caring. And the third is people don't know where to go if they have a problem. This was something when Beau and I were in Mexico was a theme, a consumer theme. Where do we go to actually start to solve things? Also, I think it was Greg 2 in a panel or so ago basically said, look, there was an e-security week, which was true, and at the end of the week there was a little panel and we all sat around and said what is going to be the problem over the horizon; i.e., longer than five seconds. And one of the problems everyone came up with is nobody knows where there is one point to get information or some kind of reference to some other place to get the kind of information and help you need. Is it a telecommunications industry ombudsman? Another kind of ombudsman? Do you go to ICANN? What is ICANN? Do you go to your registrar or ISP? So at least some idea of where consumers go if they have a problem and how to fix it. Next heading is existing arrangements. What are they and what are the problems? First I'll start with the Registrar Accreditation Agreement and its amendments. And some of them I actually think are very good. First of all, the resellers have been caught. They didn't used to be, and now they are and it's a very good thing. There's a reaffirmation of the preference for the use of accredited registrars, and that's another good thing. 
Also, ICANN has been given some new powers to actually suspend, and the term basically is if there has been a fundamental and material breach. And the lawyer in me -- sorry about that --
>>CHERYL LANGDON ORR: Can't keep them out of the country.
>>HOLLY RAICHE: I know, I know. Doesn't see the term defined. So my brain goes what is a fundamental and material breach that is going to cause some kind of response? And I really don't know. I imagine we'll find out. There's another problem -- well, another issue, and that is WHOIS data accuracy. There was a subject of an earlier workshop. The first question is why is this data important enough to us worry about its accuracy? Unfortunately, that was asked by -- I think it was a registrar. It was a very good question. And there were some people there from ICANN, and the response was something like, "I will be taking instructions from my client." And while I appreciate how to make that kind of answer, I thought that wasn't good enough. You need to make people understand why it's important. So, of course, being the shy silent type, I piped up and said law enforcement actually thinks it's pretty important to have that kind of data so they can actually track down some of the problems. For commercial abuses, you may actually want to know how to get ahold of somebody that has a name. But also in dispute resolution, this came up at least a couple of times, if there is a dispute about a name, the people sitting there trying to solve it need to know who the owner is, when it was registered, when it was first registered, when it was renewed. So all of that data has a lot of uses, all of which is pretty important, and I wish someone from ICANN had actually spoken up. There's another issue, though, and that's privacy. Now, there's all sorts of privacy regimes, and it always has to be a balance between the rights of an individual to privacy versus the need for accurate WHOIS data.
And where that balance is, I'm not sure but it's something we have to work with and work through. Another issue that came up in Mexico, and to me is still an issue, and that is the consistency of the rules. If you are going to put out information for consumers, for registrants, it ought to be consistent information. However, there is a set of rules for gTLDs that is a set of rules that are still being developed for new gTLDs, and there's a set of rules for ccTLDs. Now, it's a confusing landscape if you don't know all of the acronyms. It's particularly confusing, our landscape, if you have got three sets of acronyms. You have to know what they all mean. Solutions. The first is a code of conduct. For those of you who actually do read the Registrar Accreditation Agreement, you will notice there is mention of a thing called a code of conduct for registrars. You will also notice there isn't one. That's clause 3.7 for the lawyers. I would like to see one developed. And I would like to see one developed where the registrars sit down and say what is best practice. And what Dave is going to talk about, which is SAC recommendation 038, would be in there along with some others that basically say this is the best way to operate. The next one I think is -- and it's an issue that came up in Mexico which Beau and I also talked about, some way to quickly deal with the bad domain name, the bad -- the criminal activity. I understand clearly there's some rules around ccTLDs and gTLDs, but a way to actually stop the activity is what we need to deal with, and do that quickly. And fairly, I have to say. Another solution is one portal, some way in which consumers and registrants can actually find information about what their rights are, what the obligations on registrars are, how they can actually solve their problem. Another issue, and I'll say it anyway with Dave here, is I think there's some work on compliance. 
I see a lot of things that are supposed to happen in the Registrar Accreditation Agreement. I don't see that they always happen. I'll say very little more about that.
>>CHERYL LANGDON ORR: We want to get you out of the room.
>>HOLLY RAICHE: I will be out of the room at 6:00, trust me. One thing I would mention, and it was mentioned, I think, by -- was it Greg 1 or 2? I think it was Greg 2. In Australia, the Internet industry association, I have to say fairly reluctantly but nevertheless they did, has convened a working group, which we are on, to come up with a code of conduct that will help the individual consumer to understand if their computer has been compromised, how do you tell, and what do you do about it? Now, this really has been only an idea. The working group hasn't been formed so it's really very early days. But it may be one -- another piece of the puzzle in actually dealing with DNS abuse.
>>CHERYL LANGDON ORR: Thank you, Holly. And I think we are moving straight on to Beau, providing everyone has worked out where your slides are because when you shifted order, you also sort of shuffled the slide story as well. I think you're right, though.
>>BEAU BRENDLER: I see it up there.
>>CHERYL LANGDON ORR: Fantastic. Thank you.
>>BEAU BRENDLER: In this presentation I am going to be drawing a little bit from some research that's been done by some other people than at-large. KnujOn, who some of you are familiar with, is actually an at-large structure within North America, Artists Against 419, Jart Armin, and other people who deserve credit for some of the stuff I am going to talk about. In terms of DNS abuse, the next couple of slides are going to look pretty dense, and I would refer you to the URL at the bottom if you want to look at this report in detail. It just came out last month, or the end of May.
And there's some really interesting information there, but I think more specifically, I think it's good to note that this report was produced, in fact, by an at-large structure within the ALAC, and that that group of people, along with some of the others whom I just mentioned, are beginning to take a very strong stance and role in doing some investigative work regarding some issues that pertain to abuse of the DNS and other consumer issues. So we are happy to see that evolving. Specifically on this slide, there are some significant issues, significant abuse problems in dot CN. I don't know if anybody from dot CN is here, but also the Chinese registrars Xin dot net, bizcn, OnLineNIC and HiChina have been frequently cited for tolerating illicit pharmacy, software piracy and spam as well as for weak security that has allowed criminals from Eastern Europe and elsewhere to abuse the space. Now, this next slide is incredibly dense and violates the -- whatever it is, the PowerPoint rule of three sentences or something, so I'm certainly not going to read through all of that. Again, the URL is at the bottom. But there's a couple funny ones in here. The dot Niue, which I assume is somewhere in the South Pacific, means "nude" in some languages and illicit domainers have been using .nu to register prostitution and illegal pornography domains. Dot nu is administered by J. William Semich of Medfield, Massachusetts, which is a long distance from here. Nowhere near Niue. Are you here by any chance, Mr. Semich? I doubt that. Dot IR, Iran's government controlled ISP is hosting space for the so-called Russian Business Network. I am waiting for them to show up to an ICANN meeting. Maybe they are here. Who knows? Maybe they are all around us. It is not yet clear how much influence they have within the ccTLD space, but KnujOn is going to keep an eye on that.
[ Speaking too quickly ] Dot ve, the Anti-Phishing Working Group noted in 2008 that .ve had not only the most phishing domains but highest percentage of phishing domains in relation to their portfolio. Another thing, moving more towards the positive or moving more towards solutions, within the KnujOn report is a grid -- I have kind of adapted it a little bit here and given it a rather clumsy name. Problem assessment matrix. But I think it's a good tool that could be used, maybe not for consumer education, because it may be a bit high-pitched for that but to perhaps educate consumer groups. In essence, it's an analysis of domains within the ccTLD space, but I think it could be adapted to other areas. Responsible -- if the domain that is a responsible party, public WHOIS and a closed registration, that's probably okay. Responsible party private WHOIS closed registration, okay. And on down the list, until you see no responsible party, public WHOIS, and open registration bad. No responsible party, private WHOIS, and open registration, worst. And some of the domains -- in fact, most of the domains that I just mentioned on that dense page previously are of the last item on the grid there. Now, the RAA has come up and is part of what we're supposed to be talking about here. I know that we have tried over the last year or so to require full contact information for registrars and resellers that's publicly displayed. That various bits of that made it into the RAA language at some point and then was taken out, modified or withdrawn. But I think there is a provision in there now in the recently signed RAA that at least calls for physical address, which is good. WHOIS accuracy. In accordance with ongoing ICANN study -- I should actually make that plural studies because as we know there are a whole variety of WHOIS studies going on now, the fruition of which we hope will be positive for consumers. Consistent with the U.S. 
GAO findings -- the GAO estimated -- I think this report is about a year or so old, but 2.31 domain names have been registered with patently false data. Then also, defining the relationship between registrars and resellers within the RAA. We don't seem to have a lot of information about resellers, and certainly it does not appear from what we have been able to figure out, at least in the at-large side, that there is much of a contractual obligation between registrars and resellers. So we need to know more about resellers in the whole system. Consumer education challenges, I think there's a tendency to sort of say, well, you know, this is out of scope for ICANN or this is not our problem or consumers need to be taught this and that and some of that is true but with, you know, I've had some experience in this field, about a decade of it, consumer education's expensive and it's time consuming. The challenge of it increases with the complexity of message. And very few people outside of this room even know what a ccTLD is and if you begin to tell them those sorts of things their eyes glaze over. And consumers are accustomed to nongenerative devices. I don't know if you read Jonathan Zittrain's book "The Future of the internet and How to Stop It," or some educational poetic title, but he talks about generative devices like PCs and nongenerative devices. When we're expecting consumers to deal with generative devices, they come with a whole set of security issues and problems and concerns that the nongenerative devices like this don't have. Consumer organizations face resource restrictions and they tend to see slices, also, rather than the whole pie.
And then increasingly the privacy rights versus business accountability argument I think we're tripping over a lot and have tripped over in this community for many years, and I think we need to look and be more aware of possible technological problems to some of the WHOIS problems, although conversations I've had today have enlightened me about how that might not be possible. But we'd like to know more about IRIS. We'd like to know about who in the community is studying what related to WHOIS. And I don't think that there's a real gestalt in this community right now about who is studying what WHOIS and where those studies are going and who is doing them and what the outcome is and what the purpose and scope of them are. Actually, I'm going to skip that last slide because I used it yesterday and we're running short of time. So do we want to see consumers avoiding doing business with private-proxy registered entities. Do we want to see consumers begin to avoid doing business with entities in certain countries. Do we want to see consumers avoid doing business on the Internet. I think the answer to all three of those questions is no. But given the current environment and given the direction that -- given the direction that consumers' concerns about fraud are taking, a number of research projects I undertook in the last couple years really did show at least in the United States, you know, 30% or more of the general populace is beginning to become fearful of doing any business at all on the Internet and actually decreasing their use, so we're running short, I will stop there and pass it on to -- pass the gizmo on to --
>>CHERYL LANGDON-ORR: It's not a baton being handed on, it's a gizmo being handed on. Thank you, Dave.
>>DAVE PISCITELLO: I have to hold this down the entire time?
>>CHERYL LANGDON-ORR: Yes, you do have to hold it down the entire time. It's an exercise in cruelty and it's a way of keeping you short.
>>BEAU BRENDLER: This one, by the way, won't turn off.
>>CHERYL LANGDON-ORR: Push.

>>BEAU BRENDLER: Well --

>>DAVE PISCITELLO: We have several repetitive issues already at ICANN, I guess I'm going to become the next victim here.

>>BEAU BRENDLER: This one will stay on.

>>CHERYL LANGDON-ORR: Listen, this was part of my plotting. Never let consumer people and tech people at the same table. They start talking to each other, they understand their needs. Oh, we ready? Okay, good.

>>BEAU BRENDLER: Is this obstructing or violating your space?

>>DAVE PISCITELLO: It's actually, it's no worse than any other ergonomic environment that I occupy so... My name is Dave Piscitello and I'm from ICANN and this talk is actually with my ICANN Security and Stability Advisory Committee hat on. I'd like to begin by sort of giving you a picture of exactly how -- good -- exactly how phishing domains are taken down by first responders, intervenors, parties who look for -- work to protect brands online. I want to start a little bit before, and I know this is a little hard to read, but in the upper left-hand corner in hours 0-1 you have the phisher who has already found a hosting site and has uploaded some sort of phishing kit which is essentially a webpage and, you know, some clever scripting so that they can steal your identity or capture your credit card information and sell you illegal pharmaceuticals. And what they do to make it very convenient for you is they actually go and register a domain so you can click on a URL instead of an IP address. They largely do this because after 10 years, people have finally realized that clicking on an IP address is not a great idea. So after the first hour, the phisher that created his site, he's registered a domain and he sends his phishing e-mail. Somewhere along that first hour people begin to click the URL and visit the site.
Fairly quickly in that first hour to one-hour-plus time frame, some antiphishing service provider or some other monitoring organization like a brand owner is either alerted or detects that the -- there is a phish e-mail out there and he wants to stop this. He needs to disable the site and he needs to get the domain suspended. So what does he do? He needs to contact someone who knows something about that domain registration and that's the real story behind this presentation. The most important piece of information that an intervener can find is the sponsoring registrar. This is essentially the party who is going to be integral in suspending the domain. The real important questions are where do I find the contact information for the sponsoring registrar? And does the contact information I find lead me to someone who can handle abuse claims? So let's start with the first question. How do I find a registrar contact? You can visit the registrar's Web site. And we're going to think about that a little bit more in a moment. You can also visit ICANN's published list of registrar contacts which is at this URL and there's actually reason why I put this here because I'm going to give you all homework. You can ask a colleague, in fact, on many mailing lists that I participate in we're constantly trying to help people who are looking for contact of the registrar and we share that information. The big point here is if you go back to that original time line, every time an intervener can't find the registrar abuse point of contact, it extends the duration of the attack. It's minutes, hours, you know, it really depends on how hard it is to get the information. When you get the information, you call or you place an e-mail, usually you try to call because that's a faster response in most cases and you ask can you help me?
Well, it really depends on what information you obtained and, you know, obtaining the information particularly has several falls, many publish their points of contact information voluntarily. The problem is certain published points of contact are either inaccurate or incomplete, not available 24x7, unable to handle the abuse or criminal complaints that are submitted to them, you're getting a general help desk, for example, and somebody says, "Oh, well, I can't do that, and Joe who usually does that is at Starbucks," I mean, I'm making a little bit of fun here, I don't want to do that too much but you know as a general contact point, it's not the same kind of person as someone whose job it is to take down sites and deal with abuse. And many of the registrars have absolutely stellar people doing this, so I don't want to paint a dark picture here. Another problem is that sometimes you hit a spot in, you know, in a customer care or help desk chain where a party doesn't know how to escalate the complaint. Again, all these failures just simply add time to the duration of the attack. The site is still up, the domain is still resolving, and people are visiting the site and either being, you know, victimized by malware downloads or pharma, you know, pharma site abuse or identity theft. I wanted to try to understand how bad the situation was or how good the situation was. And I had recalled that KnujOn folks had actually given a presentation at an APWG meeting, and I could not find the presentation information nor the material, I should have gotten their point of contact, actually, and what I did was I visited registrar Web sites in search of the abuse point of contact. I used the ICANN list, I went down the list for about 250, 260 sites. Out of that number of sites I got 229 sites that resolved and that gave me some information that I could read because some of them are in foreign languages and I'm not real good at many Chinese and Arabic scripts.
So out of the sites I visited, 172 of 229 didn't have an abuse point of contact. 578 sites had some form of abuse point of contact information. Eight sites had a spam or false WHOIS point of contact. Now, it's interesting that many people think we have 900 plus registrars. What we have is a much smaller number of registrars and many registrars are affiliated or partners with, you know, with each other so I decided to prune this list to try to see if the numbers got any better. Instead of 75% having no abuse point of contact, 79% did. Instead of 30 -- 25%, 21% did. And the reason I bring these numbers up is that the -- there is a possibility of changing this number dramatically by simply having certain affiliate and partners just simply say I'm going to do this. In fact, I could identify three to you that could almost make this 50% by the execution of one landing page. Sometimes there's a little bit of push-back especially, you know, the registrar market, I understand, is a very competitive market, the margins are very small, but, you know, I don't -- I think that there's a real incentive for registrars to distinguish themselves as being the ones who are cooperating with law enforcement, are helping consumers take down sites, and the message to those registrars who may not have the abuse point of contact is the ideal response time for phishing attacks is measured in hours. Every minute you delay extends the attack. And if you help just there by providing the right information, it's amazing how much we can reduce the delay and reduce the harm. There is an SSAC report, SAC 38 which is registered abuse point of contacts, it's up on the SSAC Web site, I can give you the URL if you come up to me later, and the recommendations in that site are fairly straightforward. We ask that registrars provide an abuse point of contact, that's an explicit one, but not just a contact. Someone who, you know, a contact that, actually, is an effective and responsive party.
Someone who can provide a complainant with a tracking system so they can get back and say, you know, my abuse is number 4721-J, can you tell me where you are with respect to investigating that? Publishing an abuse point of contact also entails making it prominent not only at the registrar site but I think at the ICANN weapons in the same way that the RAA has now asked for mandatory information for general contact information, I think that an abuse point of contact would be valuable there too. There's no real magic or science to this, the contact information should be consistent with other registration contact records. In particular because a great deal of abuse, you know, and tracking is done by automation, by intervenors and antiphishing parties. If you can make it available in machine readable format where you can pull it out through a WHOIS or you can pull it out through some other vehicle, that's great too. And, obviously, it would be nice if ICANN could, you know, periodically check for accuracy. And that's it. Thank you very much.

>>CHERYL LANGDON-ORR: That's fantastic. Thank you, Dave. Holly has to leave, she's hosting a function for ISOC AU and ISOC this evening which is offsite. So we'll forgive her for that. Thank you very much, Holly. Perhaps a little round of applause for Holly as she leaves, just to embarrass her, because if I can embarrass someone, I will, as you should all know by now. So now I'll not try to embarrass Mason. Go ahead, please.

>>MASON COLE: I guess I don't get the magic constant -- no, that's okay, that's okay. I really only have a few things to say. No, no, sorry. So I did not prepare a presentation but I'm -- I see my colleague, my Network Solutions colleague Jon Nevett in the room. He's just recently retired as chair of the registrars' constituency and I'm now 24 days into my term.
So it's very refreshing to Jon, I know, but I'm in the process of learning more about the scale of threats to the DNS that have been developing over recent years. But as I was listening to these presentations, I made a few notes. And I just wanted to share a few thoughts from the registrars' point of view. Yes? Okay. Registrars obviously are interested in contributing to resolution to customer threats. We spend a great deal of time, money, effort, employee energy, marketing dollars, what have you, acquiring customers. And as it's been correctly pointed out the registrar market is extremely competitive. And it operates on razor thin margins. And we compete on multiple fronts, especially on price. It's very important to us that once we are successful in attracting a customer that we do everything we can to take care of that customer and that includes protecting that customer to the extent that we can from potential harm. We don't want to lose a customer to these kinds of threats. I do want to agree with some things that Beau said about the challenges of using the -- being educated about the domain name system in general. This is my 20th ICANN meeting. I find that hard to believe. But I've been exposed to ICANN and the DNS and these types of things for some time now. And I've become literate with the terms. If I'm a registrant, I'm not nearly as literate. And it's -- most registrars that I know of, the colleagues in our constituency, do a very good job of educating customers about how to go about the process of taking care of getting a domain name, taking care of it, and protecting it. Can we do better? Sure. There's always room for improvement. Remarkably, this is still a young industry. I agree with Beau that it's complex. It will be complex for a while until efficiencies continue to introduce themselves into the marketplace to make things simpler.
But as registrars, we are very interested in taking care of the customer and making sure that the customer understands what's happening. A word about the RAA. I agree. The RAA, the update has been very useful. The amendments that were just put into place, registrars agree that they were necessary. We embrace them. We wanted very much to have the playing field leveled and we wanted to have the RAA available to us as a tool to help root out bad actors. I'm probably going to disagree with several folks that the RAA should be used as a continual policy development tool. We have a policy development process in place that can be used for that purpose. And a word also about best practices. Registrars are very interested in best practices. We're interested in developing them, encouraging them and using those as another method for rooting out bad actors. Do you hear a theme in here? We want to root out bad actors, so I want that known. Other than that, I think I'm going to stop there. So I look forward to the discussion, thank you.

>>CHERYL LANGDON-ORR: Thank you, Mason. And I must say coming from the somewhat unique Australian experience where we set up an industry code of conduct which is enforced by auDA but was actually an industry self-regulation model, and having been one of the consumer reps on that, the discovery that, in fact, we do all want the same end game is one the consumers tend to go, "Oh, you mean you're not all bad guys?" And the industry goes, "Well, of course not, it doesn't do any good for one bad apple to spoil the barrel at all." Ladies and gentlemen, I'm happy to open up the floor now for questions so if anyone would like to come down and raise a question to who's left of the panel, then please do so. Come on down.

>>MICHELE NEYLON: I seem to be going up and down here quite a bit this afternoon. Just one thing that does concern me a small bit is the constant reference to the KnujOn reports.
Because the -- I know at one of the recent RIPE meetings, I think it might have been in Amsterdam, KnujOn forwarded one of their presentations and we're referring specifically to WHOIS accuracy and the critique that they had was not that the WHOIS data was incomplete, but it was in a language that was unscripted, they could not understand. And based on that single criterion, the WHOIS data provided was inaccurate and therefore abusive. And KnujOn have a terrible tendency to throw out these wonderfully broad, sweeping statements about companies and individuals without, you know, having any real tangible data. I just think it's a bit dangerous to rely so much on the reports.

>>MASON COLE: May I speak to that, Cheryl?

>>CHERYL LANGDON-ORR: Yeah, and I actually wonder whether Dave may want to follow up with the internationalized data registries. Go on.

>>MASON COLE: Sure, I agree with Michele, I'm afraid that is the case. In our experience, we have found even in -- we've seen the KnujOn reports, we investigated them, and we did find that they were, unfortunately, quite inaccurate. If there is reporting to be done about the state of any point of technology that has to do with registrar operations, we're happy to make sure that whatever data is necessary to help inform people is accurate. And we'll contribute to that process. I agree that it's disturbing when factually inaccurate information is revealed to the public in a way that creates confusion about the real situation.

>>BEAU BRENDLER: I can't sit here and necessarily defend -- excuse me -- defend the depth of -- depth and validity of KnujOn's information in every case. The information I was quoting from the May report, you know, what I think is interesting is that we have an at-large structure within ICANN that has taken the time to do this kind of research, and I think, knowing KnujOn as I do, they would be somewhat open and welcome to working with anyone who wanted to work with them.
But the point is, is whenever we see data that we don't necessarily like to see or that doesn't come from our particular perspective, you know, I think we have a tendency to react poorly to it, especially given the way it may be released. And, you know, from a journalistic perspective, not that KnujOn is necessarily referring to itself as a journalistic entity, but when you release a report on something or when you do reporting on something, you don't run it by the people who may have a vested interest in how the data appears in order to make sure they think it's okay or not, so that's probably not going to happen. And I wouldn't encourage it to happen necessarily, but I would encourage you to get in touch with Garth and some of the other folks who I cited at the beginning as doing some of this research because no one else is really doing it. I mean, is there anything out there that anybody has on hand about the ccNSO?

>>DAVE PISCITELLO: Yeah, there is. So I'm not going to spend time defending Garth. And I think that there are certainly points at which you can take issue with some of his reports and that's duly noted. You're not going to see those cited, you know, chapter and verse in an SSAC report, I guarantee you. There are, however, other extremely reliable sources that I will -- I will be happy to share with you. I think the University of Birmingham spam data mine is fabulous. I think the Shadowserver Foundation folks are really, really rock solid. There are other people -- you know, the NCFTA are doing some great monitoring collection, Cyveillance, the list goes on and on.

>>BEAU BRENDLER: APWG.

>>DAVE PISCITELLO: And Spamhaus. Just to give people an idea there's a lot of information out there. I'm not going to point at registrars.
But if you go back and look at Beau's slides and look at the names of the registrars there you will find them on the same -- you know, at the same prevalence on the same list, if you notice the registrars in this room are usually not at the top of this list, and that's because these are the good guys, these are the guys that try to make a difference and they end up getting hammered. And my goal and my objective in trying to put these kinds of recommendations -- and I think it holds for the entire SSAC -- in front of the registrar community is to help the registrars that really want to do a good job, distinguish themselves, you know, markedly from the people who are not. Because consumers understand that. And so, you know, we're talking about things like trust marks for -- you know, that registrars might be able to, you know, obtain from ICANN or a trusted third party that illustrate that they meet certain criteria and they're implementing a baseline that consumers can trust. And so the same way that, you know, that a consumer will go and see the VeriSign SSL trust mark, or the Thawte SSL trust mark or a Consumer Reports trust mark and they'll use that site, you know, we can slowly migrate people away to the point when it's very obvious when somebody has 99% of their portfolio as spammy and phishy domains, and maybe at that point, you know, with a little bit more in the hands of compliance and a little bit more of a pit bull mentality, we can take some of these folks and we can put them out of business. I have no goal, there's nothing that I want more than to make the industry really reputable and to make people just feel really confident about going to the registrars that ICANN accredits and making a transaction and knowing that they're safe. I mean, that's part of my job.

>>CHERYL LANGDON-ORR: Mason?

>>MASON COLE: So I want to speak to both those points. And I certainly don't want to beat up on Beau because his work is always very good.
On the issue of KnujOn, here's the problem. When inaccurate data is provided to the marketplace without being verified for its accuracy, then registrars who are affected by that find themselves in a position where they have to defend themselves to their customers on data that is inaccurate. Or they have to defend themselves to newspaper reporters or what have you. When the premise of the thought is incorrect to begin with. Now, if -- actually, I'm a former journalist myself and it was my duty when I was reporting on any situation to contact the affected entity and verify, or at least get an opposite point of view. If anyone wants to report on this industry, no objection. But if you do report, it's incumbent to make sure that the data's accurate. So you want to --

>>BEAU BRENDLER: Yeah, I understand that and I'm not from KnujOn but I guess what I would say is KnujOn is part of the ICANN community now, they're within a large structure within ICANN, so work with them, talk to them. We want to make sure that registrants who are looking for a safe place to do business are aware of those safe places to do business. And I know that the registrar that I represent goes out of its way to be known as a security conscious registrar. And so whatever we can do in our constituency to encourage our colleagues to do the same, we certainly will.

>>CHERYL LANGDON-ORR: I was going to say I thought you wanted the right of reply. Or you cede to Nigel or you want a second point?

>>MICHELE NEYLON: The main thing is I can appreciate that Beau's report and everything else is in the right place. Its heart is in the right place. I just had a problem, as Mason did as well, with how things move forward.

>>CHERYL LANGDON-ORR: And I will take my role here to say maybe we will also be able to find ways forward to better, more satisfying partnership relationships. Thank you. Go ahead.

>>NIGEL ROBERTS: Thank you, Nigel Roberts from dot GG.
I take great comfort from what Mason said about if you are going to say something about somebody, you better be accurate. I do, however, take issue with Mr. Brendler. His presentation contains certain implications and close to allegations regarding a couple of members of the ccTLD community.

>>BEAU BRENDLER: Yeah?

>>NIGEL ROBERTS: You essentially said that Bill Semich of dot nu was involved in child pornography, because you used the word "illegal" pornography, did you not?

>>BEAU BRENDLER: No.

>>NIGEL ROBERTS: Maybe I misunderstood. Can we have the slide back and I can see what it is?

>>CHERYL LANGDON-ORR: Can we bring back the slide? Thank you.

>>NIGEL ROBERTS: And you said, is he here? I think not. I saw him in the hall a couple of days ago. Mr. Semich has been coming to the ICANN meetings since before there was an ICANN meeting. If you are going to excoriate a member of our community, then I think it behooves you to send a courtesy e-mail before you do so and tell him that and maybe he would be here. I don't know if he is still here or if he has left. But the ad hominem nature of your presentation I found a little bit incorrect.

>>CHERYL LANGDON-ORR: I think all we can say to that is so noted, but we can give Beau the clarity to say what he said to ensure that there is no error and implied --

>>NIGEL ROBERTS: There we are. There is the phrase I remember "illegal pornography." You mentioned Iran.

>>BEAU BRENDLER: There's no reference to child pornography as you stated. I believe you said child pornography. That's not on the slide.

>>NIGEL ROBERTS: To my mind, illegal pornography and child pornography are faintly synonymous. But that's my perception. Illegality is still illegality, whatever the kind of illegality it is.

>>BEAU BRENDLER: I think the point of all of this is not, you know -- when I said is Mr.
Semich here, I think perhaps the reference to -- I think it's a bit odd in your community, in certain circumstances or at least it would look odd to consumers that country code domains, even though they are the sovereign property of the countries, can be, in essence, sold off to whomever pays the country enough money to do whatever they want to do with them. I cite Moldova as another example as being run out of New Jersey.

>>NIGEL ROBERTS: This is an entirely, completely different debate regarding the nature of what a two-letter identifier on the Internet actually is and what the authority of anybody running a ccTLD code or, indeed, ICANN is in legal terms. There's a Ph.D. in there somewhere. So when you say it's sovereign property, there's a whole debate around the origin of authority for any TLD on the Internet that was created prior to ICANN. So let's just not -- let's not open the can of worms.

>>CHERYL LANGDON-ORR: Also, Nigel, this afternoon's panel was to look at things very much from a consumer perspective, and consumers have not been well informed. And in fact, would find it extremely difficult and probably fairly off-putting to try to become better informed. What I can say is when a consumer wants to look at something that they assume belongs to X because of the implied ownership of X and it ends up being B, they get nervous. And if we have done nothing more than heighten that as an awareness on all sides, well, that's not a bad thing.

>>NIGEL ROBERTS: Indeed, and I accept that. When we are talking about Internet privacy and rights -- Mr. Semich's home address is put up there, literally millimeters away from the words illegal pornography. I think if you have evidence of the fact, I think you should report that to the relevant authorities in Massachusetts and see him prosecuted but I don't think that's going to happen because these allegations have been around ad hominem for a long time. It's not my job to defend him.
I run a completely different ccTLD in a completely different environment.

>>CHERYL LANGDON-ORR: But it is my job to control the management of this meeting, and I have, I think out of courtesy because it is an important topic, let that particular subject run long enough. Go ahead, Philip.

>>PHILIP ARGY: Philip Argy, ArgyStar.com. Something a little more prosaic, perhaps. The suggestion earlier that we have a one-stop shop is really important for consumers, and I am wondering if we can't really simplify this by having a global convention, for example, that abuse of domain name will always be automatically directed to one or more relevant law enforcement agencies, registrars, ccTLDs, so consumers know if they receive a phish, all they have to do is send it as an attachment to abuse@domain name, and somebody who is understanding of this stuff, which is about the level at which consumers perceive it, will deal with it appropriately. I mean, something that facile needs to be done. I mean, we can do all -- a whole lot more sophisticated stuff, but something like that would be good. In Australia, we have a spam reporting mechanism to a regulator. But I am told that regulator only looks at those e-mails every couple of days and looks to enforce the Spam Act and doesn't refer on phishes that come in the form of spam. That, to me, is absurd. It's a total fragmentation of effort and wasted effort on the part of those who report them.

>>DAVE PISCITELLO: There actually is a mail convention, and it is documented in an RFC. And it actually strongly recommends the use of abuse@, admin@ and things like that. And the SAC38 report actually suggests we have a uniform convention for exactly that purpose. It gets a little trickier when you start to use Web pages and Web forms and you have people with Drupal and people with other automatic page and content generation so names don't get quite so easily generated.
And I don't want to put an unreasonable onus and make people actually alter from their Web generation and content generation to make some things as clear as they might be. I do think that it is valuable to have some uniform notion of abuse in that whether it's an ISP or it's a ccTLD registry or a gTLD registry or a registrar that serves any of them, you can contact them all with the relatively same convention, and that's, I think, very valuable.

>>CHERYL LANGDON-ORR: Any further questions or comments to the microphone? If not, I would like to share something with you. While we have been sitting here this afternoon, and those of you who were in Internet Governance Forum will know there are at least three pieces of social networking software open on my computer as well as so I can see these slides, I have been watching a little discussion go on about the fact that there was just about a meltdown in the Australia Post call centers this afternoon because they happen to be nine hours into a phishing attack based on your slide. I might share this URL now it's gone public, but Josh Roe, who is involved in auDA, has been keeping me up-to-date on what, up till now, has been confidential. But I see it as slightly ironic when our Australia Post server has been phished, busy being phished, while we are sitting here talking about the risks to consumers. Ladies and gentlemen, I would like to thank what's left of the panel for I think a healthy and spirited debate. I think we have learned a lot. I think we continue to need to learn a lot, and I'm pretty darn certain that we will get a lot further together than we will in opposition. And I don't know about everyone else in this room, but I would like to give each and every one of these panelists, both those here and those who have left, a rousing round of applause.

[ Applause ]

In absolute closure, however, it's important we work out whether or not this type of exercise is worthy of your time and our energy.
Therefore, feedback, comments, indications on whether or not you would like to see this sort of thing again is going to be called for. And again, with this social networking that we are doing, I have been frantically typing to and from staff, and I gather that in the next few days, there will be some form of Wiki, suggestion box, comment space, et cetera, that we will put out to the community. And most importantly, that all the slides that have been used here today, perhaps with some edits, will be available in the next few days on this meeting space. Margie, did you wish me to cover anything else or say anything? Wave, yell, talk.

>>MARGIE MILAM: Thank you very much. We will follow up, post the slides, and try to get a Wiki page up to solicit input from the community. Thank you, everyone.

>>CHERYL LANGDON-ORR: And I promised the translators and the scribes that it would be an 1820 finish, but as you walk out, think about the work they do and I want to thank you all from the bottom of my heart, thank you, thank you, thank you, and thank you again.

[ Applause ]