*** Disclosure: The following is the output resulting from transcribing an audio file into a word/text document. Although the transcription is largely accurate, in some cases may be incomplete or inaccurate due to inaudible passages and grammatical corrections. It is posted as an aid to the original audio file, but should not be treated as an authoritative record.***

Forum on DNS Abuse
Sunday, 20 June 2011
ICANN Meeting - Singapore

>>JEFF MOSS: All right, everybody. We're going to settle down and get ready to start the forum on DNS abuse. So, if everybody could just finish up their conversations and have a seat, we'll get ready to start. We have everybody? Yes. Okay. All right.

>> Well, let's get started. My name is Jeff Moss. I'm the freshly minted new chief security officer for ICANN. And I'll be moderating the forum on DNS abuse panel at ICANN number 41. For those of you who haven't been to the session before, this is a series relating to conversations surrounding the abuse of the name service DNS system. It's happened five times. There's going to be two sessions today. And there will be a chance for you to ask questions either online or in person between the two sessions. And so most of the crimes you hear about online abuse the name service one way or the other, either through legitimate registrations used illegitimately or fast-flux or some other spear phishing name confusion attack. And when these problems occur, they involve many of the ICANN stakeholders from commercial to government, consumers and businesses. So this forum is going to be part of a dialogue between the ICANN community members talking about ways to either fight against DNS-related abuse, such as our first panel. Or the second -- our second panel you will get an update on what the current trends are in e-crime and DNS abuse.
So I'm going to take this opportunity to tell you my style, which is we're going to have each of our panelists talk for five or eight minutes about their individual perspective. And then we'll move into a Q&A session at the end. Now, if I see a lot of you in the audience confused or looking quizzical, I might interrupt the speakers and ask them to clarify something. I might try to tease out a point that I think might not be made. And I might try to make it a little bit more interactive. So with that said, our panel today consists of Bill Smith from PayPal, Edmon Chung from APRALO and dot Asia, and Kai Koon Ng from Symantec. And the first speaker will be Bill Smith. So let us give him a warm welcome. Bill?

[Applause]

>>BILL SMITH: Thank you. What I'm going to go through today is a paper that we published back in April, combating cybercrime. First thing I have is a question for the audience, if you'd indulge me. And, by a show of hands, how many of you have a wireless router in your home or business? Okay. We'll get back to that later.

>>JEFF MOSS: Everyone.

>>BILL SMITH: So in our paper we lay out, basically, cyber issues. This is a taxonomy from Scott Charney. We believe he was the first: cybercrime, espionage, terrorism, and warfare. We are going to focus on cybercrime and, in particular, "direct theft" is the term we use, stealing of money, DDOS attacks, malware, phishing, those types of things and not intellectual property theft. I apologize to the IP constituency, but --

>>JEFF MOSS: Is that because it was just too big of a topic? It would suck all the oxygen out of the room?

>>BILL SMITH: That's a possibility. And we believe there's plenty to talk about just on direct theft. So that is our focus. If you'd take a look at the paper, you'll see that that's what we have done. All of these are important. They share characteristics. They also have different characteristics. Some would share mitigation techniques. And also there would be different mitigation techniques.
Also on the espionage, terrorism, and warfare, we think those conversations generally are best held elsewhere. They require real diplomacy. Nation states need to sit down and discuss these things, so we have avoided going into it in any great detail. Problem, generally, is really around trust. I think all of you would understand that trust is something that's relatively easy to break, but it's very difficult to re-establish. There are a list of things here. Malware and insecure computers. These are both individual vulnerabilities. But also they're ecosystem-wide vulnerabilities. If you have malware on your machine, you may, in fact, be externalizing the impact. Law enforcement. They have resource issues. We need to spend considerably more money on law enforcement. There also needs to be better international cooperation; that has improved, but we need to do even better. There are obstacles to data sharing, as an example, through privacy laws. Well-intentioned privacy laws, but it makes it difficult for corporations to share information that actually could protect the consumers. And there's also unreliable data on the scale and scope of the problem. It ranges from several billion dollars to as much as a trillion dollars, which we do not believe is a defensible number. But it's -- the number is large. We think we need to do more to try and figure out what the actual number is. Here's a -- from -- I think this is Panda Labs, growth of malicious software. It's got one of those nice hockey stick chart curves that we all know and love in our industry.

>>JEFF MOSS: Whenever I see charts like that I'm curious how much of it is an actual increase in malware evolution, and how much of it is better reporting and better data collection?

>>BILL SMITH: Yes.

>>JEFF MOSS: Exactly.

>>BILL SMITH: It's a little of each, but we know it is growing. PayPal, a money transfer agent, we are relatively comfortable with regulation.
But we believe, as one of our principles in the initiatives we've laid out, that we should, basically, involve the least amount of regulation as possible and no more. Typically, as any industry matures or grows, regs come into play. We could look at automobile, air travel, telecommunications. They all started out with no regulation. As they matured, they added more and more. Some to better effect and some less so. Second principle: Ensure that laws could be interpreted in ways that allow the participants to prioritize safety as opposed to, perhaps, some other things. This could be, for example, a safe harbor in companies sharing information to protect customers. Let's skip down to 4. Accept that the Internet is global. We need to do things on a global scale. Basically, we -- as we say in the paper, bring the MLATs, the multilateral assistance treaties, out of the 19th century and into the 21st. It can take months or years to have data exchanged between nation states. And that's -- that just isn't going to work going forward. Avoid attempts to conflate other issues. Here again, we talk about intellectual property. But included in there, really, are free speech, privacy, and others. Not that we don't care about these. We believe these are extremely important issues. But we also believe, if we're going to have an impact, significant impact on cybercrime, we need to make -- we need to focus. In general, governments shouldn't mandate the specific technical controls. Rather that they should describe the effect that they want. In, you know, in other industries, specific things may have been useful. Vaccines in medicine, as an example, or for public health. But those are against relatively static issues. In cybercrime we've got a dynamic, intelligent, and highly determined set of actors that we need to go up against. And we need to be able to move. If we put in place one specific technique, they just will find a way around it.
But, if the goal is to stop a specific type of behavior, it may be possible for the technologists to come up with different ways or multiple ways.

>>JEFF MOSS: So, basically, you're talking about removing the incentives?

>>BILL SMITH: Yes. Well, so, I mean, examples would be -- you know, the way to correct a problem is to take this specific action, which, you know, by regulation. And then that action is taken, and then the criminals just move someplace else.

>>JEFF MOSS: So, when the domain tasting model went away or it became a pay for -- the incentive model changed, right? And then you saw the way that people abused DNS changing?

>>BILL SMITH: Yep. Let's see, where did I go? We think that treating -- data that's used for marketing purposes should be treated differently than data that's used for anti-fraud and crime purposes. There's a lot of interest in do not track at the present time. We actually use -- as an example, we track information about users in order to make our risk assessments and to improve a consumer's experience and help with fraud and criminal activity. Let's see. The last one here. Organizations like ICANN that are going to be doing Internet governance are part of the solution, not part of the problem. And for ICANN there really are three components to that. There's ICANN the dot org. That's the thing we all participate in. There's ICANN the corporation. Okay? The corporate entity. And I believe ICANN, the staff. Quickly jump into some initiatives. In the U.S., we have a thing called the National Transportation Safety Board, which is really looking into accidents. They look into all types of accidents, but really most known for looking into air accidents. We think this industry could benefit from such a model. I mentioned already increasing law enforcement. Incent ISPs to notify customers of malware on their machines. Australia and other countries are doing that. In Australia it's the AISI model.
We believe transit providers could screen for, as an example, botnet activity and not deliver it. It's only criminal activity. And it would be a good thing if we didn't have that transiting the networks. To ingress and egress filtering to prevent IP spoofing. This would have an impact on DDOS attacks. Educate people better. All the way from elementary school up into university level computer science programs. Directly attack botnets. We did that recently, or it was done recently with Coreflood. Typically, the industry says security is hard. What that means is it's difficult to build a system that is secure. The reason the criminals are able to attack us is that it is hard and we have vulnerabilities. Similarly, the software that is, in fact, malware has vulnerabilities as well. And, if we can exploit that and do things like turn off the botnets, that would be a good thing. Unfortunately, or fortunately, that activity itself is illegal. So some special things would need to be carved out. We don't want researchers running around doing vigilante justice, but we could do this. Oh, sorry about that. Require that Internet devices are failsafe. For all of you who raised your hand and say you use wireless, how many of you know what the default password was on your wireless router? It was something like "admin." How many of you changed it? Good. We think that devices shouldn't default to a uniform password of "admin." They should default to something else, and that other things as simple as that should be required. Let's see. We should take action against bulletproof hosters. These are patently criminal. And ensure that ICANN properly enforces ecosystem safety initiatives. That's our speak for deal with the WHOIS quagmire. So, in conclusion here, we believe it's time to address the issues. It's a complex problem. Multifaceted and global in scale. ICANN has an important role to play. Both three -- not both.
The three sort of versions of it -- the org, all of us, the corp., the staff, need to participate. Some of the initiatives we've laid out are pretty simple. Others are more difficult. But, regardless, they all require that we have the will to implement them. And that's the message I want to leave us with: we have to decide, do we want to make an impact? And we can. And a number of these things, the initiatives we laid out, have something to do with DNS and the abuse of the system in some way, shape, or form. Thank you.

>>JEFF MOSS: Thank you, Bill.

[Applause]

Okay. So for those of you online or with a notepad, write down any questions you might have for Bill so you can keep it fresh in your mind for when we get to the Q&A session. Okay. Next up is Edmon Chung, the vice chair of the ISOC for Hong Kong and secretary for ICANN APRALO and dot Asia. Edmon.

>>EDMON CHUNG: Thank you. So, as mentioned, I'll be speaking with two hats, different hats. I'll first talk a little bit about dot Asia. And then I'll switch to my other hat as coming from ISOC Hong Kong and speaking about, I guess, the DNS abuse type of issues that we are working on at ISOC Hong Kong as well. So on this -- in terms of dot Asia, we can definitely talk about intellectual property side of things, about the DNS abuse area. In terms of the -- for us, we have, actually -- dot Asia ourselves, we have worked very much with the community here on a lot of the policies that we put in place as a sponsored gTLD. And one of which I think a lot of people might recall as when we first launched the sunrise policies that we put in place. They were actually architected from this community. And we've implemented a lot of those ideas. And, in fact, they were -- a lot of those ideas are now put into the new gTLD discussions as well. In terms of technically, the DNS abuse issues, especially on phishing and other attacks, we worked very closely with the Afilias team, which is our back-end provider.
They have a very strong team that helps us deal with a lot of the phishing attacks and different types of DNS attacks to our services. So, you know, that's -- that's one of the areas. But, in terms of the policy side, we -- I think dot Asia puts a lot of effort into abuse prevention commitments. We were one of the -- we sort of started the work with the anti-phishing working group on mechanisms to take down, you know, a sort of predictable mechanism to take down issues of sites or domains with phishing activities. We, actually, also worked with the MPAA, the motion picture association, and their Asia Pacific arm on an MoU that really is a sort of a concept that the URS eventually is talking about, a mechanism to address abuses to registrations. Especially, I guess, most people would realize that movies have a -- you know, a certain life cycle. And, usually, the biggest types of attacks would happen within the -- a couple weeks when the movie is being promoted and being shown in theaters. So we have -- you know, we have commitments and an MoU with them to do something like a URS process as well. And, in terms of other areas, we worked closely with the Hong Kong CERT and AP CERT teams. And we've done a number of drills, you know, with them. These are some of the things that we have put in place. And, of course, the sunrise is one of the things that I think we -- I shouldn't say we created. But at least we sort of made one of the most extensive sunrises. And we're actually going through an IDN sunrise right now, which is very much based on the original ASCII sunrise back in 2007, 2008. It's, you know, actually, we're going through that process right now through the July 25th and then Landrush.
And you can see from this slide, I'm just showing that the sort of extensiveness of the sunrise program that we have -- I think this part of the protection mechanism that we put in place, whether, you know, an applicant has or doesn't have a trademark and, you know, the different facets that we allow for protection of the rights of others to minimize abuse on the dot Asia domain. And I guess, you know, some highlights from the IDN sunrise as well. We not only talk about trademarks -- because of the way that it's launched, because we launched English first, we have special considerations for potential abuses as well because it creates user confusions like Romanized names and translation of trademarks, those type of items. But another thing -- I guess, well, this slide could be updated now with the new gTLD process underway. And, similarly, I think the IDN TLD commitment for this region is an important aspect for us. And I think contributes to prevent DNS abuse. The variant issue -- we take it very seriously. The simplified and traditional Chinese issues. And because, unlike ccTLDs, we deal with multiple languages. And the different languages in Asia have an overlapping repertoire of characters, we not only treat the simplified and traditional Chinese issue, we also take care of the Japanese and Chinese overlap issue as well in our IDN variant policies. So these are some of the things that we put in place. We're also working closely with the -- what is called CHIP now, Clearinghouse for Intellectual Property, for the sunrise verification and preverification processes, as well as putting in place -- I guess, one of the things also that is being discussed in the new gTLD program, a trademark claims service post the sunrise. And so I think this is -- you know, next couple slides. I think this is the reason why some of the -- you know, we have, like, movies and banks starting to use dot Asia domains. And I think those are important things that we do.
And for dot Asia, we're also working -- taking all that knowledge to the -- to work with the Macao government as well. I'm obliged to show this at the end of the dot Asia part. We are a not-for-profit organization ourselves, and every dot Asia domain contributes to Internet development in Asia. So now I have, I think, a minute or so left. I'll change my hat to ISOC Hong Kong. And I think speaking on ISOC Hong Kong as an ALS, speaking as a user perspective, we really worked a lot on security and privacy in the last couple years. This is the number one issue for Internet users in our constituency and, I think, around the world. Different issues, like even with the Green Dam, with the security issues from IPv6. And, you know, a lot of the issues also -- and one of the key aspects I want to highlight is that we have a working group on security and privacy. And, you know, this is something that a lot of people talk -- a lot of users are keen about security and privacy. And one of the main things that we -- as ISOC Hong Kong, we want to bring about is that it's a balance. You know? A lot of users think that, you know, they want -- we want the most secure environment, and we want the best privacy. But that is, you know, sometimes that doesn't work. Because, you know, the more secure, you have -- you know, you might have to give up more data. And, you know, that compromises privacy. So this is one of the things that we try to advocate and talk about. And we spend a lot of time monitoring the situation in Asia as well. I mentioned about dot Asia. The developments in CNNIC, again, it's a very interesting observation. You know, as dot CN updates their policies to require, for example, real name for domain registration, that is probably increasing in terms of the security side. But, you know, you think about the privacy side. That's, you know, that's sort of a give and take.
And, you know, of course, coming from Hong Kong, we monitor the situation in Hong Kong and looking at Japan and Singapore as well. And we also played host to a -- the -- starting of an Asia Pacific anti-phishing alliance, which is starting to come together. It's being led by efforts from CNNIC. And we were happy to host them at the APRICOT meetings earlier this year. I guess, in closing, as wearing the hat of dot Asia -- I mean, ISOC Hong Kong. Sorry, I'm trying to figure out who I'm speaking for -- wearing the hat of ISOC Hong Kong, I think it's really -- as the user point of view, it's really important that we, as users, really want both security and privacy. But, as ISOC Hong Kong, our job is also to educate users that, when we talk about policy, there is -- the balance of which is where policy play comes into play. That's why users need to understand the linkage between the two and understand what they're giving up when they want more security and also, you know, understand what they're giving up when they want more privacy. And, you know, I listed three issues here -- WHOIS, phishing, spam. In this order, this community here at ICANN would probably rank WHOIS sort of top and then phishing and then spam. But, in reality, for users, it's right the other way around. They care most about spam, you know, dealing with that, and then phishing, and nobody cares about WHOIS that much until they get the spam. So that's from -- I guess that concludes my discussion from the ISOC Hong Kong point of view. And thank you.

>>JEFF MOSS: Thank you, Edmon.

[Applause]

Okay. Rounding out our panel today is Kai Koon Ng, who is the legal and public affairs representative, a senior manager at Symantec in the Asia-Pacific and Japan regions. Kai.

>>KAI KOON NG: Hi. So I'm here today to share a bit about the evolving cyberspace threat landscape. I think perhaps it also helps to put into context the scale of the problem that DNS abuse is causing in this world of ours. Okay.
So I am obliged to show this because I think what we are trying to demonstrate here also is that part of what we do is that because of the business we have, we do monitor a lot of the Internet traffic, and annually we do put out a report called the Internet Security Threat Report where we try to highlight some of the trends and changing threat landscape that is happening as well, and I'll be going through some of the data from that. So what is the threat landscape today? Who are the players that we are seeing? Hackers, cybercriminals, cyberspies, and what we call hacktivists. So as most of you are aware, there's been quite a number of incidents, and it's actually getting a lot of attention in the press and governments around the world. Some of these cyberthreats that are happening in the world, governments, large corporations are being hacked into, data stolen, denial of service attacks are being carried out. So basically --

>>JEFF MOSS: Oh, one question, though, if you back up.

>>KAI KOON NG: Sure.

>>JEFF MOSS: Where would you put a company like Libya that decides to disconnect themselves? Would we add governments to that list?

>>KAI KOON NG: I think governments are certainly one of the groups that you're looking at, but probably they would -- you could always put them under cyberspies, if that's the best place you would like to put them.

>> Not criminals.

>>KAI KOON NG: No, definitely not criminals. So basically, what happens in these attacks? Basically, they steal resources. Spam or DDOS. And a good example of that was the Rustock, which happened last year. Information is stolen. Sensitive information. Banking credentials. With respect to my colleague from PayPal, I think one of the things we saw in the underground economy is that credit card information and bank credentials are still the bestsellers in this -- in the underground economy today, so that was what Zeus was doing. Extortion money.
I see a number of notebooks here with a particular fruit logo, and some of you may be aware that recently there was an incident whereby if you download a malicious picture from the Internet, you get a warning saying that your notebook has been affected and you are asked to install a certain product. That is an example of what we've seen. And the thing is that with a lot of these attacks, the warning sign is that they're getting a lot more sophisticated. I remember the first phishing e-mail I got. We knew it was fake because, one, the spelling was bad, the grammar was bad, the vocabulary was bad. But today, they're properly formatted, they look exactly like who they're supposed to be coming from, and even the e-mail looks correct. And that is, I think, something that's very difficult to put forward to the layman; that, you know, something that looks legitimate could actually be malicious. And finally, of course there's Destroy. We've seen in some of the attacks carried out by Anonymous the disruption that they've made to companies, to countries, and it's really having an impact on everyone's life. And of course the banner boy of that is the Stuxnet. So what are -- how are they doing this? For most of -- some of you who are not aware, the term "dumpster diving" actually means that you go pick up the rubbish of someone that you're looking to attack, trying to gain information about the target itself. Well, that's no longer required. We have something called social networking. Social networking provides a wealth of information for would-be attackers. I think -- and few people realize the dangers of posting what are personally identifying information online. And I mean, who puts pictures of their children on their social networking site? Almost everybody, who knows that anyone with reasonable understanding of how social networking sites work can actually access that, understand and start to gather information about you and -- through the photos that you post.
And even knowing who your friends are or who you're linked to is significant. If half of the friends in your networking site belong to a law enforcement agency, I think it's a pretty good conclusion that you're in law enforcement as well. And finally, there's also search engine optimization poisoning. These criminals are sophisticated. They understand how search engines like Google, Bing work, and they are able to exploit that to what they want. What we've observed over the past years was that any significant regional global event actually triggers them to start creating fake and malicious Web sites, to -- and use -- using some of these techniques to push themselves up the page rank, such that they come up quickly during search. And who is being attacked? Basically everyone. Enterprises, business users, small businesses, end users, and governments. The goal for each of these attacks is different, but ultimately, as you can see, they are all after information. All right? So I'd like to spend a bit of time as well on targeted attacks because that's probably an area that's the most relevant when it comes to DNS abuse. So a targeted attack, in our speak, basically means a cyberattack which targets an individual or organization. It uses information that is specific to a targeted attack. So for an example, a denial of service could be through the IP address that is associated with that organization. Frequently -- as I mentioned, frequently this uses social engineering techniques to exploit vulnerabilities to gain access. Now, prior to social networking, generally you will find information about an organization through public releases, public Web sites, but the advent of social networking has now given these criminals a new treasure trove of information. And increasingly we find that from a lot of these targeted attacks, they plan to be hidden in plain sight. They are not the viruses of old. They don't change your wallpaper.
They don't put a rude message on your page or they don't put a rude message on your screen and go away. They stay hidden, slowly extracting information from your company or your organization and sending it back to the attacker. Two highest profile cases were, of course -- was Hydraq, you know, last year and Stuxnet later in the year. So I put this slide together because Stuxnet is usually something that most people have an understanding of because of the profile it has. But what has it taught us? It's actually one of the most sophisticated targeted attacks possible and the level of targeting that Stuxnet did would not be possible without specific information about the target. We could speculate about how it got that information, but it should also be remembered that Stuxnet actually had a capability to send information back to the attackers, right? And increasingly, as I mentioned, targeted attacks are used to steal information. The charts I have there show that actually for the one on the right, the average number of identities exposed per data breach, the largest number of it is through hacking, okay? Phishing is also another form of very sophisticated targeted attack, and the majority of them imitate banks, right? You get an e-mail from your bank asking you for banking credentials, and they are getting professional, to some degree, enough that people are being conned by it. And I think -- and one of the things that we also -- as I mentioned we saw over the past year is that now they do reference major sporting, news, and pop culture events. The World Cup in South Africa last year and even the tsunami in Japan earlier this year were events that triggered off a large number of phishing attacks. So in conclusion, the challenges are there. The bad guys are innovating. They have the new forms of attacks like Stuxnet and they are ready to harness and adopt the latest technologies.
It's -- I call it a never-ending arms race between the good guys, the law enforcement, you guys, security companies like us, and the bad guys who are looking to carry out these activities. And the evolution of malicious activities over the last 10, 20 years is that it's no longer just an annoyance. They all have specific goals in mind, and it's usually for financial gain or espionage. We have seen the evolution of the malicious attacker move from the college student with too much time on his hands to now a major criminal enterprise, and today information is the new goal. Data about yourself, your spending habits, your credit card information, your banking information, that's worth a lot to these people. So I put this quote there because I think it's very apt in terms of what we do, right? "Predicting rain does not count, building arks does." What does that mean? I could tell you about all these problems, but the thing that we really need to do is start solving these problems, and at Symantec, we feel that the best way to go about that is collaborating with governments and organizations such as ICANN to see what is the best way we can fix some of these problems. I've got a whole list of collaborations there. I won't go into those. But I think a lot of it has to do with the willingness of people to collaborate, and it doesn't have to be big. Some of the places, we work together with the governments on education programs and we need to really also start educating the people at large about what are the threats out there, what are the things they need to look out for, and hopefully that can start to mitigate some of the things that we see.

[Applause]

>>JEFF MOSS: All right. Thank you very much. All right. This is going to move us into the question-and-answer phase of this first panel, and if you are online and participating remotely, now is your chance to submit a question online.
Nobody has, as of yet, so we're going to move to the audience, the real-life -- the RL -- audience here. But first, I want to give our panelists a chance to ask each other any questions, if they've formed any. Does anybody here have a question for each other?

>>BILL SMITH: Sure. I'll ask Edmon. Or a statement. We actually think that sort of the dichotomy between privacy and security is a false choice. That there really is no privacy without security. And so casting the discussion that way as, "Well, if you give up privacy, you get better security, or if you have less security, you have better privacy" tends to be -- tends to actually confuse the issue. What are your thoughts on that?

>>EDMON CHUNG: Right. It's -- I think that's a very good issue -- item to bring about, and that's the reason why I brought it up. I think, speaking as a -- this is why I'm very confused when I speak as dot Asia and as ISOC Hong Kong. This is one of the issues that is at the crux of it. As an end user, I want both, obviously, but as -- you know, as an end user, companies and governments are really telling me that, you know, "The bad guys are out there, but trust us. You know, we'll centralize your data and keep you secure, so trust us with your information." You know, it's things like Green Dam, things like the -- that's happening from government initiatives about more secure, you know, and a real identity on the Internet. That -- you know, I think that's one of the things that end users are very worried about. You know, and it's very real in terms of security versus privacy, and I think that's -- that's the reason why I think, you know, it's important to let users know. Yes, it is probably going to confuse people. I -- I don't doubt that. Because, you know, most people would just say, "We want security, we want privacy," and that's easy. And actually governments and businesses can claim to say, "We're going to give you both, but wait a minute, trust us with the data. Just us only.
And then, you know, you'll have both privacy" -- Even Facebook, right? They say "We have privacy settings," but then they still have your data. >>JEFF MOSS: One of the things I find interesting on this topic relating to registries is I use Network Solutions and I can get a private registration. That's fine. It protects my identity. I don't get spam in the mail. But I can't get a privacy-protected SSL certificate. So if you want to figure out who has a domain, you just look in their SSL certificate because they will not give you private data in that cert. So I can't perform secure transactions online, you know, privately but I can have a private domain, and so it seems like these issues are only half figured out. >>BILL SMITH: Well, our view on, well, anonymity, I'll say and e-commerce is that they're -- at least at this point, they're incompatible online. And there are similarities -- and this is because of risk. And there are similarities into the physical world as well. We wouldn't have direct mail or telephone ordering unless the companies that are providing those services could actually look at ZIP Codes in the U.S., telephone numbers and other things, and shipping addresses, to know whether or not to allow a sale to go through. So they actually -- they do look at personally identifiable information to make their decisions, and online we need to be able to do the same thing. >>JEFF MOSS: But as a site owner, you know, not doing business, just having a forum and you want to allow people to communicate securely, you still have to give up your -- sort of your identity, so how do you have anonymous political speech in a secure fashion? It becomes interesting. Anyway, I don't mean to derail the conversation now. I'd like to open it up to the audience. We have some microphones here, if anybody wants to come forward and ask a question. Just say your name and who you're with. >>ROD RASMUSSEN: Rod Rasmussen with Internet Identity and the antiphishing working group. 
And the answer to your last question is: Self-sign, Jeff. I had a question for Bill. In part of the plan there, the set of goals was rather interesting, I thought. It was the creation of some sort of force or entity to go after botnets. Kind of a botnet cert, if you will. That's a rather interesting proposal. I mean, we've got a variety of methodologies that have been going on for quite a while as far as eradicating botnets from individual companies doing it to large-scale volunteer efforts to Microsoft being very creative in leading kind of a legal and technical way, and then now we have the FBI and the -- and the Belgian police or the Dutch police -- one of the two -- going after BredoLab. There was a lot of different ways of doing this. Could you expand on how that would work or what you're thinking about in that realm, and how exactly we'd have authority and things like that delegated to an organization like that, and how do you get the providers and registrars and whoever else needs to be involved to work with them? >>BILL SMITH: So that's a good question, and I'll -- I can pretty easily answer. This is not terribly well thought out at this point. It would require lots of discussion. But we -- the reason we wanted to raise it is that the criminals, the bad guys -- right? -- have the advantage here. They can take advantage of the vulnerabilities in our systems, and we are precluded from taking advantage in their systems, and we are suggesting that there needs to be a balance of power here. Probably a quasi-governmental, if not a governmental, agency would need to do this. It might require court action -- okay? -- before such a -- such action was taken. But we think it's something to throw out on the table for a discussion and so we welcome it. And this may not be the right place to have that discussion, other than I would just lay it out. >>JEFF MOSS: It makes me think almost like you'll get an INTERPOL red notice for a botnet. >>BILL SMITH: Yeah. 
Something like that. >>BOB HUTCHINSON: I'm Bob Hutchinson. I have a question for Edmon. Do you have any metrics that you could share with us on how effective the sunrise blocking or trademark protection has been in your -- do you have any information that you could share with us about that? >>EDMON CHUNG: Thank you for the question. Now I'm wearing my dot asia hat. I don't think we have -- you know, it's probably hard to quantify it that way, because, you know, what hasn't happened, you know, that's -- in terms of if you want some quantity, I think you can take a look at the UDRP cases that dot asia has had. I think they are -- last time I checked, WIPO probably has about 10 or so since our launch. And in terms of the -- the sunrise program, I think another -- a couple of good indicators, one of which is the low level amount of disputes that arise out of the sunrise and (inaudible) process for dot asia, and that number is zero, so we're quite happy about that. So in terms -- it's -- I think it's very difficult to quantify something that didn't happen, you know. So I think that fact that, you know, not a lot of disputes arose from the dot asia launch is a -- an indicator of some level of success. And also I think it's a matter of the mechanisms that we did put in place as well as the commitment that we showed to -- you know, the type of PR and the type of work that we have showed the community, that we are working very hard, on top of this, that that helps. >>JEFF MOSS: All right. We'll take these final two questions and then we'll change panels. Sir? >>MILTON MUELLER: Thank you. Milton Mueller, Syracuse University. A question for Mr. Ng. You had mentioned the bad guys are becoming more sophisticated and you used Stuxnet as an example of that. Is it your opinion that the government of the United States and the Israelis, are they probably the leading suspects as a source of that? Are the bad guys? 
>>KAI KOON NG: I can't speculate on that one way or the other, but I think beyond Stuxnet, we are seeing that really there is an evolution of how they are carrying out the attacks. I mean, Stuxnet was an example that I used because it was -- it was something that was very sophisticated, very targeted, and probably you could say would be the worst-case scenario that you're ever likely to see. But beyond Stuxnet, we're also seeing very sophisticated attacks in spear phishing, in targeting of enterprises, of governments, in terms of extracting sensitive information. I think over the past few weeks, a number of governments, including the CIA, were hit by targeted attacks, and some of these were able to be carried out because they essentially targeted executives with very specifically formatted e-mails, to make it look like they were coming from within the company to -- and have them click on malicious links. So it's -- it's not -- it's basically these guys know what's happening, they know what are the latest technologies coming out, they are exploiting them, and they are innovating, and we need to find a way to stop them. >>DAVID CAKE: Yeah. Point taken there, but there are probably better examples of a spear phishing event, penetration style attack you could have used as bad guys, probably. My -- well, first, I'd just like to make a comment, which is that you -- >>JEFF MOSS: Wait, wait. Who are you? >>DAVID CAKE: Sorry. David Cake, NCUC, Electronic Frontiers, Australia. First I'd just like to make a comment about security versus privacy that you mentioned. I just want to reiterate actually privacy is one of the reasons for security. It's why we -- one of the most important reasons why we have it. There is no conflict there absolutely. We have security so we can have privacy, is one of the main reasons. 
And it -- one of the main issues with the privacy -- at least the security problems we've seen so recently has been the massive privacy violations associated with the user's account details and things blotted out. But the question I actually wanted to ask is, Bill, about -- you talked about a quasi-governmental sort of solution for botnet fighting, but you also put up the AISI model. The AISI model is very much a government -- is more of a -- is an information source and leaves it to the industry to do the actual fighting, and I just -- yeah. Do you think that would need government coordination or do you think the government should just be there, you know, actually just actually helping rather than coordinating in that sense? >>BILL SMITH: Okay. So the AISI model is around malware, regardless of whether it's botnet or not, okay? And so it's informing -- and the ISPs are the entities that can -- can effect a change there and notify. And the government, with a very few employees -- something on the order of five -- right? -- has been able to reach into about 80% of the users in Australia. That's had a very significant impact -- >>DAVID CAKE: There's 106 ISPs signed up for it. It's a very successful program. >>BILL SMITH: It's 106 now? Okay. >>DAVID CAKE: Very successful program, yeah. >>BILL SMITH: Yeah. Oh, we think it's a great program. >>JEFF MOSS: Okay. And with that, I'm going to close the question-and-answer session for this panel. Thank you very much for participating. If I can have the next panel move up. [ Applause ] >>JEFF MOSS: And while they're getting seated, I'll just give you a little view of what you can expect, and I'm just going to be basically reading from what's available online. Although the DNS may be involved in most e-crime and other forms of malicious conduct on the Internet, questions remain regarding the appropriate role of ICANN in developing solutions or responses. 
So the panelists are going to talk about their viewpoints as they explore what activities can be considered DNS abuse that fall within ICANN's mandate to address through its bottom-up, consensus-driven, multistakeholder development process, and what cannot. And then there will be a second short presentation by Professor Ang Peng Hwa, who believes the tendency when an act that is tantamount to a cybercrime is committed is to normally turn toward the law, but on the Internet, however, it can be difficult to obtain international agreement and so his presentation is going to explore the possibilities and limits of self-regulation in this situation. So with that said, let me introduce our panelists. Sitting to my right is Danny McPherson from VeriSign, and then Eleanor Bradley from Nominet, Mick Moran from INTERPOL -- hi, Mick -- Marilyn Cade from ICT Strategies and mCADE llc, and then Professor Ang Peng Hwa from Nanyang Technical University, and Marilyn Cade. She is listed twice. There's two of you. [ Laughter ] >>JEFF MOSS: You've been cloned. >>MARILYN CADE: (Speaker is off microphone). >>JEFF MOSS: We weren't supposed to reveal that technology yet. Okay. First up, Danny. Yeah, you're -- oh, yeah. I'll give you a further introduction because I have the information. >>DANNY McPHERSON: No, no. That's fine. >>JEFF MOSS: I'm sorry? >>DANNY McPHERSON: No. We're fine. You don't want to read all that anyway. >>JEFF MOSS: Yeah, I do want to read that, just to embarrass you. He's the chief security officer at VeriSign. You've been there for about, what, 16, 18 months now? >>DANNY McPHERSON: Thereabouts. >>JEFF MOSS: And is responsible for strategic direction, research and innovation, and infrastructure and information security, and advises on corporate structure and infrastructure evolution. >>DANNY McPHERSON: All right. That's good. >>JEFF MOSS: Yeah. Besides being active in like every abuse working group that I can name. Highly active contributor. 
>>DANNY McPHERSON: All right. So thanks -- thanks, Jeff. I guess, you know, this is kind of an interesting panel. Sort of I asked the question of what are the desirable objectives of a DNS abuse forum, and, you know, what is it we want to get out of these at the end of the day, and I think this is a great sort of topic to discuss, which is, you know, how can, you know -- or what are the elements and ICANN's role in responding to e-crime and other malicious activity on the Internet. So kind of have a hodgepodge of thoughts or collections here, and then I'll share one aspect of something VeriSign is doing in this area, and then go from there. So anyway, so I guess if you look at what's sort of under ICANN's purview, it's three primary things, right? It's, you know, certainly coordinating unique identifiers on the Internet and, you know, that includes namespace -- domain names, primarily, today is one of the primary aspects of that -- number space, like IPv4/IPv6 addresses, AS numbers, and then protocol parameter registries, for example, on behalf of the IETF, the Internet Assigned Numbers Authority function. If you look at that and then you step back and say, "Well, you know, how do you respond to e-crime and what's the impact of ICANN," you sort of -- you know, I think the community has a tendency to, you know, consider Maslow's hammer, I guess, if you will, which is basically, you know, the law of the instrument is, you know, if you have a hammer, everything starts to look like a nail. And it becomes kind of problematic, you know, when more people are involved in that and you don't sort of address the root of a problem. So, you know, where does content reside on the Internet or where does -- you know, what's the most effective way to mitigate a threat or malicious content or illegal content on the Internet, and what's the most effective way to do that without causing harm. 
And so I think it's -- you know, it's sort of a -- to understand that and say, you know, is it in the namespace or is it dealing with the content directly, you know, either in the distribution or the consumption path. And so I think that's certainly one aspect of it. With that said, you know, in the DNS itself, it's important to step back and say, "What are the primary elements that make up the DNS?" If you talk to a network operator, they may say it's the resolution function with recursive name servers and authoritative name servers. If you, you know, talk to most of this community, it's some of that but it's also largely the registrants, registrars, and registries, and then finally there's the -- you know, the non-authoritative side which -- you know, which is the recursive name servers and system stub resolvers and that sort of thing and so what are the implications on various aspects of that. Certainly, you know, in the registry/registrar/registrant path, I think it's critical in whatever we do to respect contractual adjacencies in that space -- for example, the registries with the registrars and the registrars with the registrants -- and to respect that to the maximum extent possible. And it's also important to remember that registrants have rights and due process is extremely important. It's a -- you know, if I get a list of domains, you can't just take those down, because if you cause collateral damage or impact a legitimate property, then that could be very problematic, you know, for everyone involved. So, you know, certainly on the -- on the name resolution side, you have, you know, the authoritative elements that include the root system, the cc and gTLDs, the second-level domains, top-level domains, and then, you know, various levels of the authoritative system. And you can -- you can impact various aspects for take-downs and other things at those levels. 
And then there's certainly the recursive path and, you know, you look at recursive name servers like ISPs or corporate -- you know, corporations operate and there's a lot of diffusion occurring in that space. You know, traditionally it was sort of very Draconian where an end system would use a local recursive name server and then it would go to the authoritative layer from there. And, you know, now you see open recursive name servers for lots of reasons, and at the same time you see end systems and sort of a democratization in that space where even applications are using their own recursive name servers or going -- you know, bypassing things like -- or you have plug-ins in different Web browsers or clients, and so the wider that diffusion occurs, the less effective, you know, various activity in the recursive space or even the authoritative space is going to be, so what are the implications of that on universal resolvability or parental controls or malcode or DNS change or Trojans or whatever it is you want to accomplish. >> Caching. >>DANNY McPHERSON: Yeah. Caching as well. Absolutely. So I think the effectiveness of caching is certainly something that takes a hit with that as well. So those sorts of things. So I think those are all things to be considered. And then from a, you know, malicious conduct perspective, there's lots of different aspects. There's sort of three primary ones. You know, it's resolving names to some location on the Internet and providing, you know, agility for miscreants is one aspect. You know, attacks on the infrastructure directly. We see tons of DDOS attacks. Advanced persistent threat. You certainly heard about some of those very targeted attacks. And then -- oh, yeah, sorry, talking too fast -- and then attacks that leverage the infrastructure either through cache poisoning, for example, or reflective amplification attacks, which are one of the most effective denial of service attacks today. 
So all those sorts of things at various layers could be, you know, considered DNS abuse in the system and things you have to consider, so -- And then -- so certainly one of the points I made was -- or I wanted to highlight which aren't -- it is a tough balance, the tussle between privacy or anonymity and security on the Internet. And it is hard to have one without the other and so forth, but I think that was already highlighted by both comments and your speakers. >>JEFF MOSS: You are tying into the point of what can ICANN do and not do in these areas. >>DANNY McPHERSON: Absolutely. It is critical to understand that because you are captive to all these external elements, like ISPs or corporate or nation-state policies or sovereignty issues and all that sort of stuff that many of us deal with every day. So I think recognizing that expressly is really important. So I think -- let me just highlight real quickly -- I think I am getting close to my time. >>JEFF MOSS: Not real quickly. You will have to speak slower. >>DANNY McPHERSON: All right. Sorry. One of the things, certainly VeriSign is experiencing all the different aspects of DNS abuse both targeted, DDOS attacks and having a role as a registry operator as well. One of the things that we're working on is certainly we're captive to due process and registrants and rights and that sort of adjacency principle with contractual relations between registrants and registrars and registries. And we are trying to expedite that and be as effective as possible in combating threats but, at the same time, making sure you don't amplify some problem. And so we have got this notion of the white hat initiative. One of the things we are doing with that is to provide stable, honorable sort of pre-established partnerships and a communications platform to expedite abuse handling of domain names. >>JEFF MOSS: Sort of like trusted communities, people -- relationships you already have in place. >>DANNY McPHERSON: Right. 
And ideally applying the adjacency model, it is law enforcement or is it government other folks or is it registrars which are our primary constituents to populate things in registries and so forth. It is something we are trying to do to accommodate the RIR, the different agreements we're captive to certainly, but also to expedite take-downs or be more effective in combating online threats. So it's our white hat initiative. If folks are looking for more information on that, it's something that we're continuing to refine but certainly captive to all the contractual obligations and laws where we operate. So it is something we are expanding up on. One -- I guess, to move on beyond that, one other point I would make is that with -- you heard some about this from Rod this morning. But there is this notion of the resource PKI, or RPKI. It provides an Internet number resource certification. You got it. And, basically, has the capability -- if you sort of step back, DNS is simply an application on the Internet. We like to think it is a lot more valuable. Really it is an application on the Internet, and it enables lots of things and it is very valuable. But the number space, the RPKI, is extremely -- or resource certification on the Internet is extremely important as well. And policies and things that are developed, how you might apply those in this community to something equal or with parity in resource certification space could have drastic implications at the end of the day. If you have a take-down policy for a domain, what if that were an I.P. address and it impacted everything on that host, for example? So making sure we are considering those into the future is important because I think it is going to have some pretty profound impacts on the new structure. >>JEFF MOSS: But with IPv6 everything will have an I.P. address. >>DANNY McPHERSON: Perhaps. Everything might have multiple I.P. addresses actually. 
So measuring the efficacy and the implications on number space as well as namespace within this community and starting to think about that more and more because that's a role that ICANN has never really had beyond simply allocating address space to regional Internet registries so working with that community is going to be really critical as well. So that's it. >>JEFF MOSS: Thank you, Danny. Next is Eleanor Bradley, the director of operations for Nominet. She is responsible for the services that are provided to registrants and registrars and has developed a reputation as a provider of service excellence. Her role also sees her working with Nominet's broader stakeholder community to ensure safe and secured dot HK. Eleanor? >>ELEANOR BRADLEY: Thank you very much. I'd like to talk a little bit about our approach to abuse in dot uk. Now, Nominet runs dot uk. We are a large, open country code registry. And our approach, we think, works extremely well for the vast majority of applicants and users of dot uk. But what we would say is where you have an open approach where registration is quick and simple to do, you need to balance that with effective and robust mechanisms that are in place post-registration for dealing with instances of abuse. A common theme for us in the U.K. is working within a broad network, so whether that be working with legal experts or technical experts or law enforcement and certainly with our registrar channel and also the users of the U.K. Internet. Our aim as a registry is to try to enhance trust in dot uk. But even without that, dealing with abuse we would argue is very much on the political agenda and it is not going away. So it is essential that it has an appropriate response. So in terms of the types of abuse that we might see, we would divide this down into a direct technical attack against the DNS itself, abuse that uses the DNS. 
So where the criminal needs the domain name system in order to actually operate and also abuse that is more of a threat where it is a social threat so it is exploiting the people who manage the domain name system or perhaps exploiting the people that are using the domain name system. So looking first at abuse against the DNS. Well, obviously the obvious example of this is a DDOS attack. Our approach in this area is that we work with and help develop -- we have networks of best practice. And I think there are well-established responses and technologies in place like Anycast. And it is about, again, really being joined up and making use of third parties. So within the ICANN framework, we have the ongoing work of the SSRT and also specialist groups, perhaps like DNS-OARC who are looking at just this kind of thing. Abuse using the DNS might be something like Conficker or for us an area that we've been focusing on over the last 18 months to two years is the sale of counterfeit goods through U.K. sites. We have been working with law enforcement in the U.K. and within the framework of our terms and conditions to suspend domain names that are selling counterfeit goods. And so far we have taken down about 2 1/2 thousand registrations for that reason. We work in the U.K. with the Serious Organized Crime Agency and also Police Central e-Crime Unit, which is a division of the metropolitan police. This is something that we've been developing over the last couple of years. And we're now looking to develop a more formal framework around this suspension activity. And I would say we suspend domain names in dot uk, we don't seize them. And what we're doing now is bringing together a really broad range of stakeholders who are engaged in this issue to develop a formal abuse policy and hopefully consensus around the approach. In the room, we have people like the Serious Organized Crime Agency so we have law enforcement represented. 
We also have registrars represented and also people from groups whose stated aim is protecting people's rights on the Internet, so a really broad range of stakeholders coming together. In terms of abuse that might involve exploiting the people that manage the DNS, this is really social engineering. And as a registry, the way we respond to that is by constantly looking at our own processes and practices, learning from other people's mistakes and, of course, our own and, again, working collaboratively within the wider community. We also work with specialists in the U.K. to actually test our security and our people to raise awareness within the registry about the kind of issues and threats that we might face. And, finally, abuse that exploits the people that use the DNS, while I think there are technical and perhaps more social responses to dealing with this, we have implemented a series of tools in dot uk to help our channel, to help the registrars respond. So we actually pull together a list of sites involved in phishing and we will pipe that out to registrars so they are getting information from authoritative sources and can react quickly. We also have a tool that allows them to lock down a domain name where it is involved in phishing, and that prevents the registrant from being able to move that domain name on to another registrar and continue the activity. In alpha, we have a fraud forum in the U.K. which is bringing together expertise within registrars to actually talk about the issues they're facing and report specific behaviors and alert each other to what's going on. That's something we really have high hopes for in terms of actually enabling registrars to share information and take action themselves. We're part of the anti-phishing working group, and it is very much about working with both our channel, the registrars, but also the wider Internet community to educate people on what is good practice and how to protect themselves. 
We have an education Web site in the U.K. which has up-to-date information on the latest scams so U.K. consumers can find out what's going on and how to respond. And, finally, I know the context for this second session is what is ICANN's role in terms of e-crime. I suppose I would just say we would see ICANN's role being very much to facilitate and develop understanding of the issues and help to develop appropriate responses. But for country codes, we need to work within a national framework and build an approach which is very much developed by the community and with the community to e-crime. Thank you. >>JEFF MOSS: Thank you, Eleanor. Just like in the last session, please take note of any questions you may have for the panelists so we can move on to them in the question-and-answer section. Next up is Mick Moran from INTERPOL. Hand him the clicker. You've got the clicker? Yeah. >>MICK MORAN: Good afternoon. I'm going to talk to you about child abuse material just very quickly because that's what we're talking about here. This is an academic study which was carried out to produce a typology. This is what I'm talking about here rather than what we're talking about here. This is a typology which is brought together by academics to give an example and an idea of what we're talking about. And most of what law enforcement -- most of what our problem is on the Web is related from Number 6 to 10. And, basically, that is about the abuse of children, all right? Now, DNS is abused hugely to provide that material to the public, some of whom demand it and some of whom don't. Now, if we look at the production of that material over the years that was produced during the abuse of children, we can say that the abuse of children is something that remains the constant. The effect of a demand for photographic or film evidence of that abuse on abuse is debatable and is very hard to actually get empirical evidence of. 
But between 1826, the invention of the camera, for example, and 1969 there was very little child sexual abuse material available to members of the public, very little, until around the end of the '60s when some countries began to repeal pornography laws because of the rights of people to make their own decisions. And they repealed pornography laws in countries such as the Netherlands, Denmark, Sweden, Germany. And there was less robust enforcement in countries like the U.K. and the U.S. The result of that was that on the coattails of that came child pornography or as we now call it child sexual abuse material, CAM, child abuse material. Between 1969 and 1985 when new laws were brought in in these countries like Netherlands, Denmark, Sweden, Germany, there was a huge amount of very high quality child abuse material produced in magazine and movie film, huge amount of it. And a lot of it flowed across the Atlantic to the U.S. where there was a bit of a backlash to it because there was an increase in enforcement. And it backed away. It came to the Netherlands and places like that where they changed the laws around 1984. Now, just to reiterate the point I've just made, this is a "Time" magazine article from 1969 when on July the 4th Denmark would become the first state in modern history to abolish every legal sanction against pornography for adults, pornography for adults. That's looking to the market. And they abolished all rules and, as a result, huge amounts of child pornography came in on the coattails. Nobody is saying that was the intention, but that was the result. And we saw that in 1971, the "Time" magazine came out again with another article. And this time they joke about the fact that the "New York Times" is being sold from under the counter at kiosks in USA cities because there is no room for it with all of the pornography that's available for sale at those same kiosks. 
Some would say the "New York Times" should be sold from under the counter all the time, but... And if we go to 1977, we see the result of this liberalization of it. And in 1977, you see "Lollitots" magazine which was one of the magazines that was produced in Denmark by a company in very high Technicolor on shiny paper, right? And if I want to go back very quickly now to this article here, to this slide here, we can see that in 1995 -- from 1985 to '95 there was a huge reduction in the availability. Whether that reduces demand or not, like I said, is very hard to prove empirically. But you see where the graph is now and where it is going since '95. And I don't have to tell you that '95 popularity of the Web has something to do with this. So how was it dealt with in those days? How was it dealt with back in '77 and in '84? How was it dealt with? Well, it was dealt with by legislation and robust enforcement action to carry up, to enforce that legislation. But now we know that this is a changed enforcement, a changed legislative environment that we're dealing with, the democratization of information, the way a server in one country serves to the world. So the enforcement field has changed. The whole landscape has changed. And law enforcement has to realize that it cannot do it on its own, as it may have done back in '84 by, basically, going around to places that were selling this material or producing this material and saying you must stop. That day is gone. And without it, without involvement of ICANN and ICANN's enforcement capabilities, well, then, you know, law enforcement can't do this on their own. We've already heard in the previous panel. We've heard it here from my friends from both Nominet and VeriSign that we have to work together to deal with this. And that's why INTERPOL is sitting here at the table. That's why Rod Beckstrom visited INTERPOL last month. That's why we will try to work together. 
But abuse on the gTLD space has never, ever been properly addressed, never. And now it's about to get worse. And I'm just asking, you know, ICANN maybe, you know, a little bit less carrot and maybe a little bit more stick, please. >>JEFF MOSS: Thank you, Mick. All right. This will be a presentation from Professor Ang Peng Hwa from Nanyang Technological University. Professor? >>ANG PENG HWA: This one does not seem to work. Given time, I am told I should go to the conclusion very quickly. Okay. My presentation is around this question: Given the difficulty arriving at regulation at a government level, can we self-regulate on some of these DNS offenses? I'm going to go relatively quickly, so I'm concerned that maybe some of this may be a bit misleading, so I am going to try to be as clear and avoid being misleading as I can. First of all, what is self-regulation? There is some confusion in this area. But, basically, it is industry regulating industry. There is, of course, a question as to how can you trust industry to regulate industry? There is a whole sort of literature around this. It can be done. In this context, what we are saying is it is ICANN and the Internet community regulating the Internet community. Okay. I think that Eleanor has helped my presentation a little bit, so I'm going to cut this a little short. The big question is: What's so bad about not regulating? Because she's answered this point, which is that you need to build trust. You want to build trust on the Internet. Some research has been done indicating that the correlation between Internet penetration and trust is higher than Internet penetration and GDP. So trust is actually a better predictor of Internet penetration than income. Okay. George Akerlof is big time. He has got a Wikipedia page. That's how we know he is big time. Also, he had a Nobel Prize in the year 2001. I sort of stumbled and discovered him. He gave a presentation before he became really big time. 
His interesting claim is this radical point about information asymmetry. If incomplete information is the only means to judge a product or service, then bad information will eventually lead to the downfall of the market. He won a Nobel Prize basically for this insight. So I'm going to give you his big thing in, like, three minutes or less. Akerlof calls it the market for lemons. Take second-hand cars. Some things you know about the cars and some things you don't. Only the seller knows the complete information. The buyer doesn't. Assume this nice car, okay? I know. I wish I had one, too. Assume the value of a good second-hand car is $10,000. Assume the value of a bad second-hand car, a lemon, is $6,000. Assume half the cars are good and half are bad. And, therefore, the market price should be $8,000. That's all the information you have. That's incomplete. That's all you can work with. So, the owners of the lemons will go to sell the car. It is an open market. Owners of good cars will not. So the price of these cars will go down. Eventually what happens is only the bad cars, the lemons, are left. And the trade in good cars will disappear. And so the market is destroyed. You should take a look at this for more than a few minutes, but this is basically the insight. So what he means is if you have unreliable information, it will cause markets to fail. There are some instances of this in real-life situations. So you look for ways to signal credibility, and so self-regulation is a form of signaling credibility. Okay. So if you agree -- skip all this. Agree that we need to regulate the quality of information, but getting governments to agree is difficult. How do you self-regulate, right? So from the research I have done, you need these four factors to be present in order for successful self-regulation. You need the industry to be motivated. You need the market to be mature because if the market is still moving, it is not going to work. 
So in many parts of the Internet, self-regulation will not work because the market is just not mature enough. The market is still changing, still moving. You need a small number of large players, not a large number of small players. And, again, in many parts of the Internet there are a large number of small players. And then ideally you should have a government regulatory backstop, meaning if all things fail, there is a backstop to fall back on. In this case, I would say the backstop doesn't have to be a government, and I will come to this in a bit. The question for us is, is the industry motivated, right? Is the market mature, or can you find a market within what we have to be a mature market? Can we have a small number of large players? Can we confine it? So a question I have -- I don't have to deal with reality sometimes. Can I open RIRs instead of just registries? Because I'm told there's 250 of them, and that's a lot, that is too many of them. Can we rope in a small number of players? And, of course, can ICANN be the backstop? Instead of government, can ICANN be a backstop? So now, okay, assuming you agree with me -- okay, I am the law-abiding Singaporean. How do we know it can work? Have I got an example? A beta, not an alpha even. Some of you are smiling with the example, used car dealers. This group of used car dealers, not everybody but the majority of, say, 70, 80% of the market, they are motivated because, remember, the credibility of the industry was going down. The market is mature, used car sales, mature market. There was a small number of large players. And there was a government law. So these four factors were present. So before self-regulation, okay, and after self-regulation, you see the difference. So we've done this now for a little more than a year. Before the self-regulatory system was in place -- this group of dealers, it is not everybody because it is voluntary. Not everybody is in. But 70, 80% of the market. We got about 150 complaints. 
I'm with the consumer association also. Got 150 complaints. The amount really varied a lot, from at least $2,000 Singapore to about maybe $10,000, or more. So 150 complaints. Went down to four complaints in six months or eight complaints roughly. So out of these -- so in a year, the system helped 140% at least. So another question, of course, who can be the backstop, right? Okay, thank you. >>JEFF MOSS: Thank you, Professor. Finally, we are going to go to one of the two clones of Marilyn Cade from ICT Strategies and mCADE, LLC. And after that, we will open up for questions. Marilyn? >>MARILYN CADE: Thank you, Jeff. It is a real pleasure to be back in Singapore and particularly because, as you heard this morning from the chairman of ICANN, Singapore played a very historic role in our launch of ICANN. So it's a particular pleasure to be back here talking about what we were thinking about when we created ICANN, initially called NewCo. Many of the people who continue to work at ICANN were involved in the pre-ICANN days. So, like me, they, too, were thinking about what should ICANN do? What should its role be? What are the limitations to what we want it to do? And how risky is it to put a private sector-led -- and in those days "private sector" was a much broader term. It was pre-WSIS, pre World Summit on the Information Society. So private sector still stood for anything not government. In 1995/96/97 -- at the time of the initial considerations of how to change the coordination and management of the unique indicators, we were -- identifiers, we were considering various options. But we weren't really fully thinking about Internet governance. In 1998, the consideration of who should govern the Internet, not just the technical coordination aspects, but who should govern the Internet, those seeds were just beginning to be sown. And various players were thinking that perhaps the U.N. should have a much larger role. 
So ICANN was born to solve a particular number of problems that had to do with moving the coordination and management of the domain names, the IP addresses, the AS numbers, protocols, et cetera, into a private sector-led initiative. There were a number of very interesting debates about how broad its scope would be. And some of you who know the history know that there was an extensive consultation process led by the U.S. government called The Green Paper and then The White Paper. The white paper, after its publication -- so The Green Paper was, in fact, an international consultation. And many parties contributed comments. And the scope issue and the scale issue and whether ICANN should have any responsibility for the abusive use of the technical parameters was on our minds very much, I think. In fact, there were, within the community of players who were debating what ICANN's job should be, people who thought that ICANN should be nothing but a very narrow technical coordinating body. And that, to make ICANN successful, it should be incredibly boring and that we would measure ICANN's success by how small the number of people was who needed to come to ICANN's meetings and how narrow the list of topics. You can see how successful their dream turned out to be. What happened to all of us, I think, is that we moved the Internet in scale and scope. And so now we have to think about whether the design and the responsibility that we gave ICANN fit the Internet as we know it today. 140 to 185 million users at the time that I was most actively involved in the issues related to e-commerce, 191 million at the time we launched ICANN, and we're at over two billion Internet users today. We have moved from a narrowband Internet with tethered connections to a broadband Internet. Facebook, YouTube, Twitter -- all different applications exist today that didn't exist then. But, more than that, we've moved the world's economy into an online world. 
And we have moved our dependence on social communications into an online world. And so what ICANN does is now playing a very, very critical underpinning role to our social lives, potentially to how energy is managed, to our banking, to how we educate our children, and to how our governments communicate with citizens. I would say that many of the people who were involved at the time that we were designing ICANN did think about a future where ICANN's role would be heavily stressed if it became engaged in making decisions about content or making decisions about -- that are today made by national jurisdictions. We spent a lot of time talking about how ICANN should rely on law but not make law. And I think that's still where we ought to be. But we have to understand that the risk and threats -- when we use the term "cybercrime," I really think we need to talk about the cyber risks, the cyber threats and cybercrime. Because we can engineer risk into the Internet or engineer risk out. We can surround users with information and technical approaches to dealing with risk. We thought about that when we were designing ICANN. But I don't think we fully envisioned how rapidly the risk and threats could grow. I do think we envisioned ICANN as collaborating and cooperating and coexisting and having a narrow operational role in whatever it did. But there are lots of people in the audience today and some you'll see throughout the meeting who were certainly as actively involved as I was at the time. So, while you're here in Singapore, you may ask them what they were thinking at that time as well. >>JEFF MOSS: Thank you, Marilyn. All right. Now we're going to move on to the question and answer session. Do we have any time pressure after this? So we can potentially take more questions in this session, because there's no immediate panel following this. So, with that said, do we have any online questions? We have no online questions. >>NANCY LUPIANO: Excuse me. We do have to make a note. 
We have about five more minutes. And that's it, please. >>JEFF MOSS: The magic voice. >>NANCY LUPIANO: Thank you. >>JEFF MOSS: All right. Please just identify yourself, who you're with, and ask a question to the panel. >> My name is Jonathan Matkowsky. I'm speaking in my individual capacity. I'm with Las Vegas Sands, Corp. This is a question for Danny. These sessions have been a lot about domain name abuse on the architectural level and cybercrime. Can you speak a little bit about the relationship that the IAB plays with ICANN in helping to protect against cybercrime? >>DANNY McPHERSON: So I see I'm not here wearing an IAB hat. I am a member of the Internet Architecture Board. And, certainly, a lot of the Internet stewardship and oversight role of technical protocol parameters and so forth is, you know, well within the authority, I guess, if you will, or the charter of the IAB. And I think the IAB has done a lot of things. In one of the Internet traffic workshops: how can we adapt protocols to combat various threats or try to get ahead of things, for example, incompatibilities of DNSSEC with blocking or other things, what's sort of the intersection of those? And what should the standards community do? But, beyond that, I really don't have a lot to share at the moment on that. But, if folks have ideas, I can say with every hat I wear, I'm very interested if you think the IETF or IAB should be doing anything in the space. >>JONATHAN MATKOWSKY: At some level I think IETF is part of ICANN on some level through an RFC and, through the IAB, plays some role with the backbone in architecture and seems to have the expertise. And a lot of these security issues seem to be on that kind of level. So it seems to me there needs to be strong -- a strong liaison relationship between the entities to combat cybercrime. Thank you. >>STEVE DEL BIANCO: Steve Del Bianco with Net Choice. Question for Eleanor. 
Eleanor, you described how Nominet, running dot UK, would combat the abuse called sale of counterfeit goods through the suspension, not seizure, but suspension of the labels if they ended in dot UK. But whether it's suspended or seized -- I think you were comparing it with the U.S. scheme -- is either effective when the counterfeit goods are sold on a site that's beyond your borders? And people seeking those counterfeit goods will find other labels that are slapped on those sites. I'm interested in your experience whether using the DNS labeling system has really been effective at stopping access to sites that have been used or labels. >>ELEANOR BRADLEY: Yes. We are very aware that, at a particular registry level, all we're ever going to do is remove the signpost. That's why the approach we're taking is working with our registrar channel as much as we possibly can so they're at least doing something about the content as well. But, yeah, it will pop up somewhere else. You're going to be kind of realistic and pragmatic about it. But I would still argue that that's not a reason not to do anything at all. And it is about frustrating those kinds of activities and making life more difficult. >>STEVE DEL BIANCO: Thank you. >>MILTON MUELLER: Milton Mueller, Syracuse University. My question is mainly directed to Mr. Moran, but Peng Hwa and Eleanor may want to address it. The general overview comment I want to start with is the three of you seem to be implying that ICANN can be this massive forum for Internet governance in the broadest sense of the term. And I just didn't hear that case being made. Let me focus in on Mr. Moran. You showed us a graph with a line going up with no identification of the axis, the vertical axis, what data that is based on. I know that that line is false, that it doesn't exist. In fact, it's going in the other direction, when you talk about child pornography in the U.K. as a measurable aspect. 
And that, to the extent, based on my experience with ISPs, the child pornography is openly traded on the Internet, it's done through peer-to-peer file sharing networks that don't involve DNS. So my question is: If you're trying to make a case for a role for ICANN or that this is DNS abuse, I think you need a much clearer conception of what kind of abuse of DNS you're talking about and a much, much clearer conception of what the role of ICANN would be. I hope you're not implying that ICANN should be surveilling all content and all registrations and be in charge of all of these things. I think you have to -- the whole concept of DNS abuse, to me, implies technical abuses such as Conficker or something or the fast-flux or some use of DNS that aids cybercrime. And I don't see the connection to child pornography at all, aside from thinking your facts are just wrong. >>MICK MORAN: If I can just come in there, because we are limited for time. The two points you're trying to make to me are that child abuse material is going down and that you don't see that ICANN has a role to play in it. First of all, I will tell you that child pornography is not going down. Under no circumstances is the amount of child abuse material on the Internet going down. Under no circumstances. If you have figures that show it's going down in the U.K., I'd love to see them. One of the problems is that we don't have proper figures in relation to it. But I supervise -- >>MILTON MUELLER: You make them up. >>MICK MORAN: So I -- I supervise the INTERPOL International Child Sexual Exploitation database, which you're more than welcome to come and look at any time at INTERPOL. And that is certainly not going down. The material flowing into that has certainly not gone down. It's going the other way. I accept my graph may have been a little adolescent. >>MILTON MUELLER: Made up. >>MICK MORAN: No. There are no figures on the graph. 
It's only an example to give an indication of where it has been going since the Internet and since the Internet is being abused in such a way. I thoroughly agree with you that the vast majority of this material is traded in non-porting technologies. Totally agree with you there. However, the vast majority of people are using the web. What I'm talking about is taking it off the web. And ICANN most certainly does have a role to play in taking it off the web. >>ANG PENG HWA: Quick response. I'm not suggesting at all that ICANN is the super mothership of all Internet documents. Whatever is to be done -- in fact, when I began this DNS, often it must fit the ICANN mandate. It must be something ICANN can do. It's similar to what Eleanor had mentioned, the way they've gone about trying to work within their own capabilities, trying to control some of these offenses. Second thing is that, even within this mandate, the situation must fit self-regulation. I can tell you -- give you one success, a spectacular failure in education. We tried self-regulation in education. And, as a professor, speaking for myself, even though you cannot trust professors, right? It blew up. And we're going to have (Inaudible) Not all situations fit under self-regulation even. >>MARILYN CADE: And I think Milton knows that I'm not a fan of expanding ICANN's mission or its mandate. But I do think that ICANN has to recognize it exists today in a much expanded ecosystem. And it has to figure out what it is doing and how it's doing it, Milton. And I, as you know, believe that there are other entities that have a significant role to play in, particularly, the social policy areas, which I don't think belong here at ICANN. >>NANCY LUPIANO: I'm terribly sorry, but we do have to call this particular session to an end. I'm sure that the panelists would be very, very happy to take your questions outside. We have to change this room over. Thank you very much for your understanding. >>JEFF MOSS: Thank you, everyone. 
Thank the panelists and see you this evening. [Applause]