.ORG COO Discusses Priorities With DailyVista, Pursuit of .NGO Domain
Manager of .ORG, the world's third largest top-level domain — has appointed telecom veteran Nancy Gofus as its chief operating officer. She will oversee marketing, sales, product and strategy functions, and work with Chief Executive Officer Brian Cute to expand PIR's global presence and further grow the .ORG domain in existing and new markets.
Gofus is coming on board as PIR pursues the proposed .NGO (non-governmental organization) domain extension.
Gofus, who currently serves as the board chair of the national board of Volunteers of America, served as senior vice president of global product management for Verizon Communications in 2009 and chief marketing officer at Verizon Business from 2006 to 2008.
The .ORG domain has more than nine million domain names registered worldwide. Reston, Va.-based PIR was founded by the Internet Society in 2002.
In an interview with DailyVista, Gofus discusses how she will utilize her blend of nonprofit, marketing and communications expertise to grow .ORG's presence.
circleid.com | 08-Feb-2012 00:09
Green Revolving Funds Can Help Fund Costs of Cloud Computing and R&E Networking
There have been some interesting new developments in university Green Revolving Funds (GRF) that I believe could be a significant revenue opportunity for cloud suppliers and R&E networks. In this age of severe financial constraints and cutbacks for universities, new revenue models are needed to sustain advanced cyber-infrastructure in support of research and education.
In recent years, GRFs have become increasingly popular on campuses in the United States and Canada. The funds operate and are managed by the university, with loans issued to university departments or campus groups. As of February 2011, there were 52 active green revolving funds in the United States and Canada. These funds were traditionally earmarked for energy efficiency applications like changing light bulbs or boilers. But increasingly they are now being used for IT applications.
Most green initiatives involve ICT in some form or another. A good example is Iowa State University that borrowed $300 from the university GRF to install energy saving software on over 500 computers, which is projected to result in over $49,000 in annual energy savings for the university.
One GRF model that is gaining popularity is national or state-based GRF funds like Salix in the UK, which received over $10m pounds from the UK government. These funds are also being targeted to support IT energy reduction, as for example the recent funding of 2 million pounds to University of St. Andrews.
Another model that is being explored is where the NREN operates a national GRF, sponsored by the national/state government or collectively on behalf of the institutions. Network membership or user fees can then be deducted against the fund, if the institution undertakes activities to reduce their IT energy impact through the use of clouds, remote collocation, offloading campus network management, content peering and other such services.
CANARIE, through the Greenstar program in partnership with the Canadian Standards Association, has developed processes and procedures for measuring the detailed energy cost savings that are possible through such arrangements.
Some pointers:
Good Overview of Green Revolving Funds
JISC white paper: Using IT to go green at universities & revolving green funds: briefing paper
CANARIE-Greenstar-CSA document
Written by Bill St. Arnaud, Green IT Networking Consultant
circleid.com | 07-Feb-2012 21:20
Is ICANN Opening up Public Comment Periods in Bad Faith?
I read with interest that ICANN opened up yet another comment period on new TLDs.
I believe that I speak for many when I question whether ICANN is opening up these comment periods in good faith, or instead whether these are smokescreens, mere distractions to pretend that ICANN is "listening" to the public while staff and insiders proceed with predetermined outcomes.
I note that as of today, there are multiple past comment periods where ICANN staff have not yet even summarized/digested the public's input. This is simply unacceptable. In other organizations, people would get fired for not doing their jobs in a timely manner. At ICANN, such behaviour is not only tolerated, it is seemingly encouraged. It appears to be part of the culture of "willful blindness" of ICANN staff, insiders and the Board, in order that its "top-down" agenda can be imposed upon an unwilling public, rather than actually listening to the public in the "bottom-up" process that it suggests exists.
Furthermore, when ICANN does bother to get around to publishing summaries, it's clear that they do not even listen to what the public has to say on the topic! The public opposed new TLDs by a great margin. It was a very clear message, yet ICANN kept ignoring what the public had to say, and mischaracterized their words when speaking to others (e.g. politicians in Washington, etc.) about the public "consensus."
One sees that ICANN continues to speak in that twisted and biased manner in this actual comment period, when it uses loaded phrases such as "carefully crafted, new protections" or "perception" or "perceived need" — the underlying assumption being that the public is simply "stupid" and "doesn't understand" new TLDs, and if only the public "knew better", they would "come around" and "love what ICANN is doing." That is simply preposterous and arrogant. It demonstrates that ICANN is out of touch with reality. The informed public knows that new TLDs will be a disaster, and has said so in clear language at every opportunity. ICANN is not "misunderstood" as some people believe — the public fully understands ICANN, and opposes its plans! Period!
ICANN acts like a greedy politician, asking for a "tax increase" to pay for a new bureaucracy that simply transfers wealth from the public to itself and its insiders. ICANN is not creating new wealth. ICANN is destroying wealth. Taxpayers see through attempts to bamboozle them that the "tax increase" is a good thing. Just as the public sees through attempts by ICANN and its insiders to bamboozle them that this new TLDs plan is "good" for the public. Attempts to dress up their greedy proposal using words like "innovation" fail, because the public is smarter than ICANN and can see through their self-serving proposals.
One need only look at the .XXX rollout, which was a disaster for the public. Millions of dollars were spent by universities, non-profits, individuals and corporations to purchase "protection" so that someone else could not tarnish their image/brand/identity. ICANN and its insiders do not consider this to be a "disaster", though — they look at this as "innovation", and pat themselves on the back saying "job well done." ICANN might pretend "well, no one told us this was going to happen… how were we to know??" That's utter nonsense, of course. One can go back to the analysis of Tim Berners-Lee on new TLDs, who didn't mince his words. He said "New Top Level Domains Considered Harmful". Could one be more clear?? [NB: He was not pointing to just .mobi and .xxx — he was saying this about ALL new TLDs (see the "Title" tag in the W3C page).]
ICANN and its insiders are emboldened by the dot-XXX launch. They want to multiply that "tax" on the public, what many have described as a "protection racket", a thousand-fold. ICANN suggests that "this time will be different" — keep dreaming! The only thing that will be different is the *degree* to which the public will be damaged. ICANN wants to damage the public a thousand-fold, to the benefit of itself and its insiders.
ICANN instead needs to take a step back, whether willingly or by being forced to do so by the GAC, DOC, NTIA, DOJ or by other agents that are representative of the public interest. I suggest ICANN be compelled to do the following:
(1) immediately suspend the new TLDs rollout, and refund all monies collected to date.
(2) terminate the staff who have pushed forward this new TLDs plan over the objections of the public. It's clear that these staff have their own agenda that does not reflect the public interest, and it's time for new blood that is ready to serve the public, rather than staff who want to be masters over an enslaved public.
(3) go back and present true options to the public regarding new TLDs. In our prior recent submissions (see here and here), (which ICANN has yet to summarize, although we repeat much past input) we identified FIVE allocation methods for new TLDs. Five! 5! Yet, ICANN has never presented them all as options to be seriously considered. They simply imposed in a top-down manner their single plan that maximized the benefits to ICANN's insiders, rather than allow for competing alternatives that maximize the benefits, if any, to the public. One can see some of the options that ICANN failed to allow the public to even comment on, such as:
(i) no new TLDs
(ii) .com domains simply "ascending" to the root (no need for "defensive registration" concerns in that scenario, is there??)
(iii) Ascended TLDs approach (see here for full description) which also reduces the need for defensive registrations considerably.
(iv) regular competitive bidding/tenders for lowest cost to registrants (this was the DOJ/NTIA/DOC proposal in December 2008)
(4) go back and do true economic studies that weigh the benefits and the costs on the public (not just the benefit to ICANN and its insiders) for all alternatives (including the four options presented in point (3) above), not just the self-serving single plan that ICANN wants to impose upon the public. The economic studies must be truly independent, with researchers selected by the NTIA/DOC/DOJ or GAC, and not by ICANN staff/insiders.
In conclusion, ICANN simply acts as if it "knows better" (which it doesn't) and dismisses all attacks on its extremist and disastrous plans. It is our true hope that ICANN not be allowed to damage the DNS further. As Tim Berners-Lee wrote:
"The second effect is that instability is brought on. There is a flurry of activity to reserve domain names, a rush one cannot afford to miss in order to protect one's brand. There is a rash of attempts to steal well-known or valuable domains. The whole process involves a lot of administration, a lot of cost per month, a lot of business for those involved in the domain name business itself, and a negative value to the community."
The existence of this comment period about "defensive registrations" is proof that "Sir Tim" was right! (maybe that's why he was knighted, due to his brilliance) We ask that the new TLDs plan be terminated, so that further "negative value to community" does not occur. By continuing to ignore the public's wishes, ICANN is causing DNS instability. A trusted custodian of the DNS would not be causing DNS instability. Yet, ICANN has been doing exactly that. It's time that the world recognizes that ICANN is no longer a trusted custodian of the DNS and its damaging plans must be opposed.
Written by George Kirikos, President, Leap of Faith Financial Services Inc.
circleid.com | 07-Feb-2012 20:02
10 Reasons Why New gTLDs May Not Work For You
World's mega businesses are about to wake up to the domain name expansion reality, where suddenly a name identity's exclusive ownership on global canvas of cyber branding and functionality will be ensured via gTLD. Something that traditional trademark system took years to achieve. A gTLD brand is not for everyone, structurally designed for powerful new ideas and established organizations around the world; however, following are the ten reasons why it may not work for you.
1. Localization – Your offerings are focused on local markets and there is no agenda for a multi-directional outward expansion. True, there are millions of successful businesses comfortably paced and happily servicing their local customer base, but a gTLD is most suitable when there is a challenge to tackle unlimited marketing options and enlarge national or global visibility.
2. Discounted Pricing – You pursue a reduced price strategy over creating premium branded goods. Commoditized businesses nestled in their own culture all over the globe stay firmly streamlined with such thinking. A gTLD is for extreme value added models in pursuit of extreme image visibility and mindshare to earn premium profit. This tool is to assist in digital presence and brand name visibility.
3. Brandless Advertising – Your business has a fierce agenda to push more advertising and promotion but not necessarily branding. There are far more businesses using advertising without any clear image positioning mandate or branding. A gTLD is for well defined strategies on market positioning and high value brandable concepts to reach massive customer touchpoints. This platform is for well structured name identities leading charge for brandable offerings.
4. Outsourced Talent – Your business model mainly outsources marketing, advertising, branding and IT components. It's very common for businesses to avoid building highly skilled internal teams to integrate and create competitive advantage. A gTLD demands commanding knowledge from the internal teams to interact with highly specialized external services to achieve a comprehensive long term plan. It will allow sophisticated branding maneuvers and tackle futuristic issues.
5. Cyber-Oblivion – Social Media/Multilingualization/Cyber Branding is irrelevant in your successful organization. Organizations must either respond and interact with the rest of the cyber world or prepare to fall into an odd culture separated from the market reality. A gTLD is for aggressively pursuing the global 2 billion online users, driven by innovation and adoptability to global marketing needs in harmony with one internet one world, one name brand and one owner philosophy. It will fit with game changers mentality.
6. Budgetary Constraints – Your current sales volume or profit margins do not allow such expenditures. Almost all businesses are in a catch 22 trying to make such quantum leaps. The costs of gTLD are equal to production cost of a TV commercial. When properly applied, gTLD creates marketing weapons with maximum impact resulting in increased sales advantage and greater profitability. Under right applications it can replicate sub-domain-name branding at fraction of cost.
7. Cascade Effects – Your business model does not allow for the creation of unlimited customer touchpoints and multi-directional expansion. Most businesses structurally are not prepared for unlimited growth. A gTLD cascades downward when there are numerous applications for fully integrated social media and latest cyber technologies. It will spread outwards to increase customer touch points.
8. Convoluted Clusters – Your product and services name identities have become confusing and this lack of symmetry makes the costs prohibitive. Most businesses have either too few or too many brand names due to internal disparities and corporate politics supporting customer's confusion. A gTLD program demands well defined naming architecture to enable distinct name identities to act as precise marketing weapons. It will force corrected rules and vision towards business naming issues.
9. Name Rejection – Your already established name identity has no elasticity for stretching over the canvas of global image and trademarking and it is unable to pass the stringent tests of ICANN. Last century regional names are not capable to fit the next generation of global digital cyber branding. Businesses must either ignore or face the glaring dysfunctionalities of their names. A gTLD provides wings to a globally workable name pushing them into a higher stratosphere in the fastest time and at a minimum cost. The ownership of a gTLD name will attract global spotlights.
10. Brandless Empires – You are in the business of making money and have successfully done so. Every corner of this planet has such great examples and yet not every success results in a successful brand delivering value-added experience at higher returns. A gTLD is for those wishing to own exclusive ownership of a globally recognized cyber name identity device, earn the respect and support of national or global mindshare, offer high value premium brands, while pursuing market domination via name identity. Name identity ownership must match high caliber outward bound brandable ideas.
(Excerpted from DOMINATION, THE gTLD NAME GAME by Naseem Javed Copyright © 2012 by permission of Metrostate Syndicate)
Written by Naseem Javed, Corporate Image & Global Naming Expert
circleid.com | 07-Feb-2012 19:29
Phish or Fair?
It shouldn't be a big surprise to hear that phishing is a big problem for banks. Criminals send email pretending to be a bank, and set up web sites that look a lot like a bank. One reason that phishing is possible is that e-mail has no built in security, so that if a mail message comes in purporting to be from, say, accounts@bankofamerica.com, there's no easy way to tell whether the message is really from bankofamerica.com, or from a crook.
Mail authentication schemes like DKIM and the new dmarc.org group use cryptographic signatures to help authenticate mail and prove that it really is from who it purports to be from. So, if the mail can authenticate the sender, the phishing problem goes away, right?
Unfortunately not. One huge problem is that even if you have all the crypto stuff so you can be 100% sure that a message really is from, say, BANK-AMERICA.COM, you don't know whether BANK-AMERICA.COM is actually your bank or not.
I've made a little game called Phish or Fair. It shows you a domain name, you guess whether it belongs to Bank of America. Try it out and see how you do.
Then see if you can figure out why a bank would use over a thousand different domains. My example here is Bank of America, but they're no worse than other big banks; I picked them because their name is easy to search for.
If banks were serious about phishing, they'd pick one name, one domain, and use that consistently. But they don't.
PS: BANK-AMERICA.COM belongs to some guy in France.
Written by John Levine, Author, Consultant & Speaker
circleid.com | 07-Feb-2012 16:03
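The point of the article above, as an added example that is not part of the original post: a DKIM pass only names the domain that signed the message, so the receiver still has to decide whether that domain is one the bank really uses. The allowlist, the sample Authentication-Results headers, the similarity threshold and the function names are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist: domains verified out-of-band as belonging to the bank.
# This list, not the signature, is what answers "is this my bank?".
KNOWN_BANK_DOMAINS = {"bankofamerica.com"}

# Constructed Authentication-Results header values, as a receiving MTA
# would stamp them after DKIM verification.
SAMPLE_HEADERS = [
    "mx.example.net; dkim=pass header.d=bankofamerica.com header.s=s1",
    "mx.example.net; dkim=pass header.d=bank-america.com header.s=k1",
    "mx.example.net; dkim=fail header.d=bankofamerica.com header.s=s1",
    "mx.example.net; dkim=pass header.d=mail.bankofamerica.com header.s=s2",
    "mx.example.net; dkim=pass header.d=example.org header.s=a",
]

_DKIM_RE = re.compile(
    r"\bdkim=(\w+)\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)", re.IGNORECASE
)

# Assumed cut-off for "looks like a known domain"; tune on real mail.
LOOKALIKE_THRESHOLD = 0.85


def dkim_result(header):
    """Return (result, signing_domain) from an Authentication-Results value."""
    match = _DKIM_RE.search(header)
    if not match:
        return ("none", None)
    return (match.group(1).lower(), match.group(2).lower().rstrip("."))


def is_under(domain, parent):
    """True if domain is parent itself or a subdomain of it.

    The leading dot matters: 'evilbankofamerica.com' must not match.
    """
    return domain == parent or domain.endswith("." + parent)


def similarity(domain, known):
    """Crude visual similarity: hyphens removed, then a sequence ratio."""
    a = domain.replace("-", "")
    b = known.replace("-", "")
    return SequenceMatcher(None, a, b).ratio()


def classify(header):
    """Separate 'signature verified' from 'sender is who the user thinks'."""
    result, domain = dkim_result(header)
    if result != "pass" or domain is None:
        return "unauthenticated"
    if any(is_under(domain, known) for known in KNOWN_BANK_DOMAINS):
        return "authenticated-known"
    if any(similarity(domain, known) >= LOOKALIKE_THRESHOLD
           for known in KNOWN_BANK_DOMAINS):
        # Cryptographically valid, yet not the bank: the case the article
        # illustrates with BANK-AMERICA.COM.
        return "authenticated-lookalike"
    return "authenticated-unrelated"


def classify_all(headers=SAMPLE_HEADERS):
    return [classify(h) for h in headers]


if __name__ == "__main__":
    for header, verdict in zip(SAMPLE_HEADERS, classify_all()):
        print(f"{verdict:24} {header}")
```

With over a thousand legitimate domains in play, the allowlist itself becomes the hard part, which is the article's argument for one name and one domain.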
New gTLD Application Monitoring? Now?
Why in the world would any company sign-up for a "New gTLD Application Monitoring Service" when ICANN intends to publicly post all applications on May 1st?
Domain Name Watching and Trademark Watching Services make perfect sense when new registrations and applications are being submitted and granted on a daily basis. I think that we can all easily agree that trying to understand new domain name and trademark registrations without an automated service would be nearly impossible.
And when ICANN eventually moves away from these discrete application rounds, I will be the first one to recommend an Application Watching Service.
However, as all new gTLD Applications in this first round will be publicly posted to the ICANN website on May 1st, it would seem that reaching for Ctrl-F would be the quickest and easiest way to search for exact- and near-matches.
Additionally, the applications that are likely to cause the greatest concern are probably those that consist of generic terms being applied for by a single company which intends to restrict ownership to only itself. So looking through the list of applications will be critical — you may not know what is of concern until you actually see it.
Be wary of companies offering new gTLD Application Watching Services at this time. Given that the number of submitted applications will likely be between 1,000 and 1,500, companies should be able to easily review the full list on May 1st, and quickly identify applications of concern.
Written by Elisa Cooper, Director of Product Marketing at MarkMonitor
circleid.com | 07-Feb-2012 00:48
Mobile Internet Usage at 8.5%, Doubled From Last Year
Global internet usage through mobile devices has almost doubled to 8.5% in January 2012 from 4.3% last year, according to a new report from web analytics firm StatCounter. While this stat excludes tablets, the firm's research arm highlights the increasing use of mobile devices to access the internet, with market share doubling year on year since 2009. Nokia leads worldwide, most probably driven by its dominance in India. Apple is second globally but leads the US and UK markets. In the UK RIM is second only to Apple.
circleid.com | 07-Feb-2012 00:13
The FBI and Scotland Yard vs. Anonymous: Security Lessons
A lot of people are fascinated by the news story that Anonymous managed to listen to a conference call between the FBI and Scotland Yard. Some of the interest is due to marvel that two such sophisticated organizations could be had, some is due to schadenfreude, and some is probably despair: if the bad guys can get at these folks, is anyone safe? To me, though, the interesting things are the lessons we can learn about what's wrong with security. Many of the failures that led to this incident are endemic in today's world, and much of the advice we're given on what to do is simply wrong or arguably even harmful.
The first issue is how Anonymous managed to record the call. The ways we'd see it done in a movie — tapping a phone line or listening to law enforcement official's cell phone — are comparatively difficult to do. They're not impossible, but they're not the easy way for a task like this. Rather, what appears to have happened is what most outside security experts immediately suspected: Anonymous read an email giving the details of the call, and simply dialed in, in the same way as the intended participants. The message was sent to "more than three dozen people at the bureau, Scotland Yard, and agencies in France, Germany, Ireland, the Netherlands and Sweden;" a single security flaw anywhere along the chain could have resulted in the leak.
Here we see the first flaw: the call details were, effectively, a shared credential. It is quite probable that the conference call moderator had no idea who had dialed in. We see the same phenomenon with role accounts: many people share the password for the login, email access, etc. It may happen in the large — postmaster@example.com — it may happen when a vacationing executive gives a secretary the password to his or her email account; it may happen when spouses or romantic partners share passwords. Whatever the reason, it creates a security risk.
Reading further into the article, we see that "One recipient, a foreign police official, evidently forwarded the notification to a private account". At that point, it's tempting to blame that official, say he or she was poorly trained or disobedient, and stop worrying. Apart from the self-evident fact that a single security lapse shouldn't compromise everything (a proposition easier to state than to make happen), I strongly suspect that this unnamed official was behaving very rationally: he or she either wanted email access that was too inconvenient via the proper mail servers, or wanted a different human interface. If this person had no access to work email from home, or felt that, say, gmail was enough better that their productivity was improved, it's not surprising that this would happen. It shouldn't happen — and one would hope that a police official working on cybercrime would understand the risks — but in a strong sense the failing was organizational: if my hypothesis is correct, they may have failed to make it easy for people to do the right thing. Let me stress this: a security mechanism that is so inconvenient that it tempts employees to evade it is worse than useless, it's downright harmful. (Note well: I'm not saying that this official did the right thing; I'm saying that organizational policies or technologies may have led to too much temptation for people who are trying to be more productive.)
But how did Anonymous know which outside email account to monitor? This article notes that assorted groups have made a habit of targeting law enforcement email servers, with some success against less-sophisticated police organizations. That would yield a list of email addresses, and perhaps passwords. Perhaps more importantly, it can show who was using an outside mail server, one that isn't protected by VPNs, firewalls, one-time passwords, and the like. At that point, the attackers have several ways to proceed.
First, they could try this law enforcement email password against the outside mail server. The odds are high that it will succeed; far too many people reuse passwords. And why do they do this? Because they have too many passwords to remember, especially if they're all "strong". And of course, people are forbidden to write them down.
Most of the advice we get on security starts with "pick a strong password". (Look at CERT's advice: the very first thing it tells people to do is "always select and use strong passwords". Patches, a really effective defensive measure, are mentioned fourth.) Strong passwords are not a bad idea, but you're in much more trouble if you reuse passwords. No one can possibly memorize all of the passwords they have; reuse is the usual answer.
A second way in which the attackers could have compromised the official's account is via a spear-phishing message, booby-trapped to install a keystroke logger. That's been seen, though more often in a national security context. If the attackers did this, even encrypting the emails wouldn't have helped; the same malware that stole the login password could probably steal the private key as well. But I'm pretty sure that no encryption was employed; most encryption systems are too hard to use. Smart-card based decryption would have helped (though such things are far less convenient to use); though there are still attacks, they're more involved, and arguably less available to a group like Anonymous.
It's clear that there wasn't a single failure involved; in particular, the crucial mistake of forwarding work email to a personal account was quite plausibly a rational response to organizational policies. Preventing recurrences of this kind of incident will not be easy; there are too many weak spots.
Written by Steven Bellovin, Professor of Computer Science at Columbia University
circleid.com | 06-Feb-2012 19:59
WIPO Provides New Top-Level Domain Resources for Rights Holders
Courtesy of Brian Beckham from the WIPO Arbitration and Mediation Center in Geneva, here are a few important links with information that may be helpful for rights holders with ICANN's New gTLD program now launched and accepting applications:
• First is a helpful FAQ that explains plainly the Legal Rights objection process. It's important that rights owners are very familiar with this process and are ready to respond in the unlikely but potentially problematic situation that another entity applies for a gTLD that includes their intellectual property.
• Next, comes a summary explanation of the post gTLD delegation (beginning late 2012 or early 2013) rights protection mechanisms included in the program and provided for the defense of intellectual property rights.
• Lastly, WIPO has provided a set of links to analysis and other resources about the New gTLD dispute resolution mechanisms.
With the May First "reveal date" — the day that ICANN will announce all of the applicants and the strings that have been applied for — approaching quickly, rights owners should be ready to respond. Reading the first article is a great place to start. Thanks to WIPO for sharing these links and this information.
Written by Frederick Felman, Chief Marketing Officer at MarkMonitor
circleid.com | 04-Feb-2012 18:33
No Big Run on IPv4 in 2011
2011 was an interesting year for IPv4: in February 2011, the Internet Assigned Numbers Authority (IANA) handed out their last free IPv4 address blocks to the Regional Internet Registries (RIRs).
In April 2011, the APNIC (the Regional Internet Registry for the Asia Pacific region) started allocating from its last /8. At the RIPE NCC we did not see a big jump in IPv4 address allocations in 2011, as anticipated by some observers.
The image below shows the total amount of IPv4 address space allocated each year (calculated as /16s on the y axis). You can see that in 2011 there was a drop in the amount of IPv4 address space from the previous year, bringing it down to the level of 2008 and 2009. There was no big run on the remaining IPv4 addresses.
Note that this does not correspond with the number of requests. Especially the number of requests for /21s increased in 2011 (you can find more on this in the background article on RIPE Labs).
IPv4 is certainly running out, but there is no great rush for the last addresses as feared by some. It was all pretty much "business as usual". As we've said in the past, predicting exactly when the RIPE NCC will run out of IPv4 address space is difficult. We cannot anticipate the size of requests we'll receive.
For more information and more statistics, please refer to IPv4 Allocation Statistics in 2011 on RIPE Labs.
Written by Daniel Karrenberg, Chief Scientist at the RIPE NCC
circleid.com | 03-Feb-2012 17:44
World Notices That Verisign Said Three Months Ago That They Had a Security Breach Two Years Ago
The trade press is abuzz today with reports about a security breach at Verisign. While a security breach at the company that runs .COM, .NET, and does the mechanical parts of managing the DNS root is interesting, this shouldn't be news, at least, not now.
Since Verisign is a public company, they file a financial report called a 10-Q with the SEC every quarter. According to the SEC's web site, Verisign filed their 10-Q for June through September 2011 on October 28th, where it's been available to the public ever since.
Like every other 10-Q, it has a Risk Factors section which lists all the reasons that the company might fail, so don't sue us. Normally those sections are pretty routine, key employees might quit, customers might desert us, key contracts might not be renewed, that sort of stuff. But this 10-Q contained this bit:
We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.
In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network. Information stored on the compromised corporate systems was exfiltrated. The Company's information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future. The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company's management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company's disclosure controls and procedures in this area.
Apparently nobody got around to reading it until today, at least nobody who understands the business well enough to know what it means.
All the press reports I've seen just regurgitate that paragraph, adding a few quotes from people close to Verisign who all said they didn't know about it either, and security types who told us that it's an enormous big deal. (Now that you've read the paragraph, you're as qualified to pontificate as anyone.)
Personally, I don't know if it's an enormous big deal or not. Risk factor sections tend to be written as pessimistically as possible, so you can skip over the parts about they cannot assure you and so forth. One thing I do know is that it happened over a year ago, so if anything significant happened as a result, and Verisign knew about it, they'd have told us about that, too, on the principle that you release all your bad news at once. So this means that either it really was just a minor network breach, or the evil consequences are so deep and subtle that we may not know about them for years and years, if ever. I'd tend toward the former, but then, I'm not a Verisign stockholder.
Written by John Levine, Author, Consultant & Speaker
circleid.com | 03-Feb-2012 03:48
SEC Filing Reveals Facebook Network Equipment Valued Over $1B at Close of 2011
"Facebook reported in its SEC filing that it owns 'network equipment' valued at $1.016 billion at the close of 2011," reports Rich Miller of Data Center Knowledge. "The number reflects the expense of rapidly building a massive Internet infrastructure, including Facebook's shift from buying vendor gear and leasing data centers to building its own servers, racks and custom data centers."
Facebook Constructing New Data Center - Located 62 miles south of the Arctic Circle, Lulea. Facility consists of three 300,000 square feet server buildings; scheduled for completion by 2014.
Photo above shows Facebook's first data center outside the U.S., currently being built on the edge of the Arctic Circle. The northern Swedish city of Lulea was chosen for the data center partly because of the cold climate — crucial for keeping the servers cool — and access to renewable energy from nearby hydropower facilities, according to the company.
Image below is a visualization of Facebook's social graph of 500 million back in 2010 created by intern Paul Butler.
Facebook 'Friendship Visualisation' shows pairs of friends between the world's cities based on the company's 500 million user base in 2010. Facebook's current user base at the time of its SEC filing is reported to be over 800 million.
circleid.com | 02-Feb-2012 20:59
DNSChanger Trojan Still Running on Half of Fortune 500s, US Govt
"More than two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows," reports Brian Krebs. ... "Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities."
circleid.com | 02-Feb-2012 19:28
Value or Love for New gTLDs?
ICANN has started its historic and controversial program to expand the number of generic Top-Level Domains (gTLDs). This essay outlines the factors needed for the program to create economic value, warns against a cognitive trap that complicates selection of a new gTLD and considers the value contribution of the registries. I will not go into relevant macro measures, but I examine the problems associated with the popular measure of simply counting the number of registrations.
The key to understanding the program's economic impact is to follow the theories of economist Paul Romer and look at how the rearrangement of resources creates value. ICANN's program increases the supply of resources that registries have for creating value. Value creation by registries can come from: (1) introducing new TLD signals for things like location, community, and social responsibility (for example, .nyc for New York City, .music to signal community, and .green to signal environmental corporate responsibility); (2) combining information, such as in the .tel model, which provides contact information for the companies using the gTLD; and (3) introducing a gTLD that competes with .com.
Given the new resources provided by ICANN, the burden now lies on the registries to innovate. But they have to be careful of cognitive biases in choosing among the gTLDs. For example, a registry that chooses the proposed .music should ask itself, "Is there value in .music?" The temptation is to ask the far easier "Do we love music?" Not the same thing, but studies show that we often answer an easier question instead of a harder and more relevant one, and that we'll do so without noticing the swap. (For details on cognitive error traps, see Daniel Kahneman, Thinking, Fast and Slow. I have warned against cognitive biases in gTLD value estimation and in domain name appraisals.) Another trap is reliance on the popularity of key words in social media, an approach that flopped with the recent failure to predict the success of presidential candidates.
Remember, there is no easy way to measure new gTLD value creation. The domain name industry has focused on registrations, but that's because they are easily measured and the information is publicly available. Number of registrations does provide a viable measure of a registry's profits, but the registrations may be defensive by brand owners rather than value creating. (For a discussion of alternative measures, see "The Economics of Well-Being" by Justin Fox, HBR January-February 2012.)
New signals and combinations of information, à la .tel, can be value adding for established companies as well as new ones. But switching costs will probably keep most com-branded companies from making the jump. So new companies may converge on a new gTLD that competes with .com while existing companies will more than likely register their brands under a large number of the new gTLDs as a defensive measure. Put all the registrations together and there will be enough revenues for the com-alternative gTLD to be viable.
One reason for gravitating to a com-alternative gTLD is that new companies might feel constrained by the unavailability of desired .com names and thus have a motive to find reasonable alternatives. (See Why Dominant Companies Are Vulnerable by Kyle B. Murray and Gerald Häubl, Sloan Management Review December 2011.) This is especially true because emerging brand owners don't have to acquire any new skills in order to adopt a new gTLD.
Written by Alex Tajirian, CEO at DomainMart
circleid.com | 01-Feb-2012 20:39
StarHub to Acquire '.starhub' New Top-Level Domain
StarHub selects ARI Registry Services and Melbourne IT DBS to help secure '.starhub' in its latest branding strategy
StarHub, a fully integrated info-communications company in Singapore, today announced it will apply for its own branded slice of Internet real estate as part of the revolutionary new Top-Level Domain program, which is set to change the way Internet users navigate the web.
StarHub has partnered with technical registry provider ARI Registry Services and digital brand management services provider Melbourne IT Digital Brand Services (DBS) to help it apply for and operate its '.brand' domain name.
In applying for '.starhub', StarHub joins other leading brands such as Canon, Deloitte and Hitachi in announcing plans to participate in the Internet Corporation for Assigned Names and Numbers' (ICANN's) new Top-Level Domain program, which opened for applications last month.
StarHub aims to create a branded, authoritative corner of the Internet devoted completely to its business interests under the '.starhub' Top-Level Domain. In future, consumers may see new website addresses such as 'mobile.starhub', 'tv.starhub' and 'broadband.starhub' introduced to the brand's marketing and advertising activity.
Mr Oliver Chong, StarHub's Assistant Vice President of Brand and Marketing Communications, explained the '.starhub' Top-Level Domain will position the brand as a leader in the region.
"Our '.starhub' new Top-Level Domain will cement the company's position as Singapore's most innovative info-communications company. We pride ourselves on being at the forefront of innovation and through this initiative StarHub is one of the first companies in the region to publicly commit to the next generation of online navigation," Mr Chong said.
"We believe the '.starhub' Top-Level Domain will deliver clear marketing and advertising benefits to StarHub, such as improved online brand recall and a more intuitive consumer experience with easy to remember domain names such as 'mobile.starhub'. We also anticipate potential Search Engine Optimisation (SEO) benefits by operating a more targeted and relevant naming system that is clearly matched with our website content," he said.
"Ultimately, we believe '.starhub' will deliver increased consumer trust and loyalty in our digital brand and enable StarHub to future-proof its online presence."
Mr Adrian Kinderis, CEO of ARI Registry Services — the company chosen by StarHub to provide technical expertise and infrastructure for the initiative — said it was a bold step forward for the company and reinforces its position as a leader in online innovation.
"StarHub is an industry leader and operating a new Top-Level Domain will reinforce its position at the forefront of innovation within the online space. As a proven global registry solution provider, we are extremely excited to be chosen to help support the '.starhub' Top-Level Domain," Mr Kinderis said. "A simple, memorable and branded Internet domain name like '.starhub' will allow consumers to bypass search engines and go directly to the content they are looking for. I anticipate that this announcement by StarHub will open the floodgates for Asian brands to get on board with this exciting initiative and it will be a major boost to the local digital economy."
Mr Theo Hnarakis, CEO & Managing Director of Melbourne IT — the company chosen by StarHub to provide domain strategy and application consulting services — said the decision to apply for '.starhub' would deliver long-term benefits for the StarHub brand.
"The way consumers connect with brands online has changed dramatically in the past few years with e-Commerce booming, mobile Web browsing rising fast and social media usage expanding — all of which has provided brands with opportunities and headaches in equal measure. Vital to the future of nearly every modern company is the ability for customers to easily engage with the business online. Savvy brands like StarHub understand that fact and realise the cornerstone to their future online strategy lies in a '.brand'," Mr Hnarakis said.
The application window for new Top-Level Domains opened on 12 January and will close on 12 April 2012.
circleid.com | 01-Feb-2012 18:20
AT&T's Randall & Stankey: Wireless Data Growth Half The FCC Prediction
John Stankey, President and CEO, AT&T: "Data consumption right now is growing 40% a year."
40%, not 92%-120%. "Data consumption right now is growing 40% a year," John Stankey of AT&T told investors and his CEO Randall Stephenson confirmed on the investor call. That's far less than the 92% predicted by Cisco's VNI model or the FCC's 120% to 2012 and 90% to 2013 figure in the "spectrum crunch" analysis. AT&T is easily a third of the U.S. mobile Internet and growing market share; there's no reason to think the result will be very different when we have data from others.
With growth rates less than half of the predictions, a data-driven FCC and Congress have no reason to rush to bad policy. Wireless technology is rapidly moving to sharing spectrum, whether in-building small cells, WiFi, White Spaces, Shared RAN or tools of what the engineers are calling hetnets — heterogeneous networks. The last thing policymakers should do is tie up more spectrum for exclusive use; shared spectrum often yields three to ten times as much capacity.
Bad compromises on the video spectrum are unnecessary because plenty of spectrum is unused. That includes the 20 MHz that M2Z would be building out today if Julius hadn't blocked them; the 20 MHz the cable companies are sitting on and want to sell to Verizon; and the 30 MHz or so Stankey identifies as fallow at AT&T.
40% growth is still substantial, but wireless technology is improving at a breathtaking pace. LTE has about 10x the capacity of 2.5G and 4x the capacity of 3G. LTE Advanced, deploying beginning 2013 at Verizon, is designed for 10x the capacity of LTE. Putting more spectrum to use would be great, but let's do it right.
Wireless speeds are actually going up dramatically, with AT&T delivering 2-5 megabits to most of the country and Verizon's LTE delivering 5-12 megabits to 2/3rds of the population. Verizon is ahead of schedule to bring 5 megabits+ to 92% of the country in 2013 and 96-98% in 2015-2016. AT&T and Sprint have raised capex to catch up. 80%+ of the U.S. will have a 5 megabit offering in 2013-2014, 90%+ by 2015 or sooner. That's without any additional spectrum.
Today's wireless networks are designed to be shared: towers, WiFi, White Spaces, DAS and small cells all working together. The best engineers in the world are working on RAN sharing, SON, hetnets, 8x8 MIMO and techniques I'm writing about in my next book, Gigabit Wireless. AT&T in fact is one of the world leaders in DAS, WiFi and femtos and behind the scenes a key thought leader. There's wonderfully exciting stuff I'll be doing my best to translate for non-engineers.
Takeaway: The future is sharing the airwaves so let's get the policy right.
Written by Dave Burstein, Editor, DSL Prime
circleid.com | 31-Jan-2012 22:36
Prof. Dave Farber on Where the Internet is Headed
"Internet protocols simply aren't adequate for the changes in hardware and network use that will come up in a decade or so," says Professor Dave Farber who was recently interviewed by Andy Oram.
"Dave predicts that computers will be equipped with optical connections instead of pins for networking, and the volume of data transmitted will overwhelm routers, which at best have mixed optical/electrical switching," writes Oram. "Sensor networks, smart electrical grids, and medical applications with genetic information could all increase network loads to terabits per second. When routers evolve to handle terabit-per-second rates, packet-switching protocols will become obsolete. The speed of light is constant, so we'll have to rethink the fundamentals of digital networking."
circleid.com | 31-Jan-2012 21:19
DMARC: New Email Authentication Protocol
A consortium of companies including Google, Microsoft, Facebook and Paypal has announced that it is collaborating on a new protocol known as DMARC — Domain-based Message Authentication, Reporting and Conformance.
What is DMARC?
This is very much a summary of DMARC in a nutshell (I will probably write an article about this in the future), but from the website:
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes — such as junk or reject the message. DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.
When I first heard about DMARC, I said to myself "Self, why do we need another email authentication protocol?" The answer is that DMARC is not another protocol but instead leverages existing email authentication protocols and provides feedback to the spoofed domain.
SPF already provides a way to say: "If this message fails an SPF check, discard the message." It's called a Hard Fail. However, not all hard fails are illegitimate (there are significant false positives with SPF). DKIM, in itself, doesn't provide a way to discard a message if it fails an authentication check. This makes it less useful in securing the Internet (i.e., it is a barrier to adoption).
Besides which, what happens if an SPF check passes but a DKIM check doesn't? And if one of them fails, who should you tell? DMARC provides a mechanism that says: "If one of these checks fails, discard the message." But furthermore, it also provides a way to tell the responsible party that the message failed a check. For example, if security@paypal.com fails a DMARC check (either through SPF or DKIM), the email receiver can send the message to an email address that says "Hey, this message failed an SPF check. Was it legitimate or not?" If it is a false positive (perhaps a new server brought online), Paypal can add it to its SPF check. If it's a phishing message, Paypal can investigate to have the website taken down.
The strength of DMARC is that it is a stronger way to protect a brand from being abused; receivers can discard spoofed messages and senders can figure out just who, exactly, is sending mail as them.
The weak point of DMARC is, unfortunately, the weak point of SPF and DKIM — spammers and phishers don't need to spoof a domain in order to fool users into taking action. If a spammer sends mail from security@paypal.com.yakzas.com (a fictitious domain), many users just see that first part (paypal.com) without noticing that the domain continues past it.
And if a phisher signs up for a cloud service that issues temporary credentials, they can create the account paypale.onmicrosoft.com and send spam from there to avoid IP reputation blocking (and to the spammer that is abusing our Office 365 service, we know what you're doing, you jackass) while hijacking the reputation of another brand in the From address.
The strength of DMARC is not so much that it combats phishing but that if a good domain is authenticated, mail user agents (like Gmail, Hotmail, Outlook, etc) can highlight that the sender is a trusted sender and highlight it in blue or put a little icon beside it. Since users use visual clues to make heuristic decisions, the lack of a trusted symbol can train people to be suspicious.
Anyhow, it's nice to see that the authentication/validation protocols are consolidating.
Written by Terry Zink, Program Manager
circleid.com | 31-Jan-2012 21:02
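The receiver-side decision described in the DMARC article above, as an added Python example that is not from the article or from the DMARC specification: it parses a policy record and applies the rule quoted from the website, acting on the policy only when neither SPF nor DKIM passes for the From domain. The domains, records, the `Message` fields and the two-label organizational-domain shortcut are assumptions made for illustration; the third message shows the lookalike-domain weak point the article raises.

```python
"""Receiver-side DMARC decision, simplified (added example, constructed data)."""
from dataclasses import dataclass

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; rua=mailto:x@y"."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 is required")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= policy")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("invalid sp= policy")
    return tags


def org_domain(domain):
    # ASSUMPTION: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: "s" = exact match, "r" = same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str   # domain of the visible From: address
    spf_result: str    # result of the SPF check ("pass", "fail", "none", ...)
    spf_domain: str    # envelope sender domain that SPF evaluated
    dkim_result: str   # result of DKIM verification
    dkim_domain: str   # d= domain of the DKIM signature


def evaluate(msg, dns_txt):
    """Return the DMARC verdict for msg; dns_txt stands in for DNS TXT lookups."""
    exact = dns_txt.get("_dmarc." + msg.from_domain.lower())
    txt = exact or dns_txt.get("_dmarc." + org_domain(msg.from_domain))
    if txt is None:
        return {"dmarc": "no-policy", "action": "deliver", "report_to": []}
    tags = parse_dmarc_record(txt)
    # A record found only at the organizational domain may set sp= for subdomains.
    policy = tags["p"] if exact else tags.get("sp", tags["p"])
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.from_domain, msg.spf_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.from_domain, msg.dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok          # one aligned pass is enough
    action = "deliver" if passed else {
        "none": "deliver", "quarantine": "junk", "reject": "reject"}[policy]
    reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {"dmarc": "pass" if passed else "fail",
            "action": action, "report_to": reports}


# Constructed records and messages (not real DNS data).
DNS_TXT = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "_dmarc.lookalike.example": "v=DMARC1; p=none",
}
# From: bank.example, but SPF only passed for an unrelated sending domain.
SPOOFED = Message("bank.example", "pass", "bulk.example", "none", "")
# Genuine mail from a server missing from SPF, rescued by an aligned DKIM pass.
NEW_SERVER = Message("bank.example", "fail", "bank.example", "pass", "bank.example")
# Lookalike sender authenticating correctly as its own domain.
LOOKALIKE = Message("bank.example.lookalike.example", "pass",
                    "lookalike.example", "none", "")

if __name__ == "__main__":
    for label, m in (("spoofed", SPOOFED), ("new server", NEW_SERVER),
                     ("lookalike", LOOKALIKE)):
        print(label, evaluate(m, DNS_TXT))
```

The lookalike message passes because DMARC only ties authentication to the domain actually in the From address; receivers need separate lookalike-domain detection for that case.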
Public-Private Cooperation Policy for Cyber Security Suggested by Commissioner Kroes
Wout de Natris writes: At a speech during the Security and Defense Agenda meeting on 30 January Vice-President of the European Commission, Neelie Kroes, showed how the Commission envisions public-private cooperation on cyber security.
Remarks by Kroes:
"The Internet does not belong to any one group, but attacks on it affect every group. So let's work together, all sectors, all levels, public and private, national, international and European. So that we can safeguard the security of the systems that increasingly underpin our lives, today and in the future."
"In tomorrow's world, if the Internet is not secured, nothing will be."
Full statement published here.
circleid.com | 31-Jan-2012 20:11
DDoS Attacks Increased by 2000% in Past 3 Years, Asia Generating Over Half of Recent Attacks
In the past three years, Akamai has seen a 2,000% increase in the number of DDoS attack incidents investigated on behalf of its customers. The latest State of the Internet report released today by Akamai also identifies top countries from which this observed attack traffic originates, as well as the top ports targeted by these attacks.
From the report: During the third quarter of 2011, Akamai observed attack traffic originating from 195 unique countries/regions, up from 192 in the second quarter. After making its first appearance in the top 10 list in recent memory in the second quarter, Indonesia vaulted to the top of the list this quarter, generating 14% of observed attack traffic. Myanmar, which had suddenly appeared at the top of the list in the prior two quarters, disappeared from the list just as suddenly in the third quarter, potentially indicating that the attack traffic that had been observed originating from the country has either been shut down, or is now coming from other places. With Myanmar dropping out of the top 10 list, South Korea moved into it, more than tripling its observed level of attack traffic, responsible for 3.8% in the third quarter. In addition to South Korea and Indonesia, Taiwan, China, India, and Egypt were all responsible for higher percentages of attack traffic as compared to the prior quarter.
Attack Traffic – Top Originating Countries
circleid.com | 31-Jan-2012 19:44
Holding Google to a Higher Standard in Search
Danny Sullivan has been the go-to guy for understanding the world of search for over 15 years. This week he published a really good story on Google Plus Your World. A group of engineers have launched a site called Focus on the User that shows exactly how the new Google service could be including other social media content listings besides only Google Plus, but is not.
Google Plus is of course Google's entry into the social network battle, and the service recently announced over 90 million users. Just this month Google has started inserting social media content from Google Plus listings (when available) into the search engine response pages (SERPs) on Google. However, other major sources of social media content — Facebook, Twitter — are not included.
Danny does a great job of laying out why this is overly preferential, and doesn't deliver the best search result. The engineers from Facebook, Twitter and MySpace behind Focus on the User have developed a bookmarklet called, "Don't Be Evil, get it?" that you can add to your browser to pull more comprehensive social media listings into your personalized search results.
Danny makes a strong case this improves current search results. He provides lots of screenshots like the one below. It's important to note that the bookmarklet is using Google's own algorithmic rankings for these revised SERPs.
Danny also includes the other side of the story. Sites like Facebook and Twitter do not license their content to be crawled, so why should Google include this content?
"Google, in particular its executive chairman Eric Schmidt, has argued that it doesn't have all the data it needs to include other social services in the way it does for Google Plus. The failure to reach a deal with Facebook; the failure to renew a deal with Twitter, these have prevented the social signals it needs from being used, Google has said."
What the Focus on the User group has done is clearly demonstrated that Google could have included other content if it wanted. And to my read Danny has made a convincing argument that Google SHOULD do this, because it delivers the highest quality search results back to the user.
If legal concerns are really what is holding Google back, the company should challenge Facebook and Twitter to allow them to use the same inputs Focus on the User has accessed via the bookmarklet. If those companies refuse, then publicize that decision.
I've installed the Focus on the User tool and I'm doing my own comparisons. If anyone out there is already using it, please drop a comment with your impressions.
Written by Christopher Parente, High Tech Public Relations
circleid.com | 31-Jan-2012 18:01
Reducing Unreachable ICANN Registrations
Recently ICANN (Internet Corporation for Assigned Names and Numbers) published a report on inaccurate registration data in her own databases. Now the question is presented to the world: how can we mitigate this problem? There seems to be a very easy solution.
Why register?
The answer to this question seems simple. To know who has registered with an organisation. This makes it possible to contact the registered person or organisation, to send bills and to discuss policy with the members.
The rationale of unreachable registrations
This one completely goes by me. ICANN distributes IP resources at the highest level that are on principle scarce: domain names and IP addresses and sets policy around the distribution of these resources. So it seems to be in the utmost interest of ICANN to have an accurate database. Over the past years it has been shown over and over again, that accuracy was not a priority of ICANN, even against her existing policies.
There does not seem to be a rationale for these lapses in registration measures. ICANN in the end loses money as she provides a service, but is most likely not paid for this service. Next to that it is not good for ICANN's image, as government and LEA reactions have shown over the past years. It could even become a threat to ICANN's very existence.
Cyber crime and enforcement
With the coming of cyber crime, spam and botnets, law enforcement agencies of different backgrounds became interested in Whois data and were very much frustrated when they found data not to be accurate. (And vetting and revocation mechanisms not being in place.) Whois data is a primary source at the start of investigations. So if these data are false, this makes investigations harder, not impossible.
Inaccurate data
What can be reasons that data is inaccurate? There can be several reasons. To give a few examples. Someone forgot to change the data after a move of the office, contact person, a merger, bank account, a company stopped its activities, etc. In the meantime the IP resources are still used as they were meant to, but from an unknown address.
A second reason could be that free speech advocates want to have a chance to hide their identity behind a so called proxy registration. This way they are safe from prosecution in their home country. Usually this is supported by western governments.
A third reason can be criminal intent. A person or group of persons uses the IP resources for personal gain through illegal activities. They never intended to provide accurate data. From a society point of view this is an activity that preferably is stopped as fast as possible.
What to do about it?
We are discussing unreachable registered companies. It looks quite simple to me. ICANN has many ways to reach out to these companies and does so. Everyone concerned gets one year to alter the data. As soon as someone complies, the data is submitted to the Whois database, after being vetted by ICANN.
All that have not updated their registration on time -and one year is a very lenient time frame- are de-registered by ICANN and where possible their IP resources taken away.
Legit after claims
If ICANN makes sure there's a good procedure to follow for legit claims that come in anyway after the de-registration, I'm sure this procedure will work. Criminals usually do not show up and try to find new ways to proceed with their business.
Vetting of all new registrations
When ICANN makes sure new applicants are vetted before being admitted and an ongoing checking procedure of existing members is put in place, I'm convinced that the Internet will become a safer place for all concerned. Also, she becomes an example for policy at lower level IP resource organisations by setting a standard. It makes one avenue on the Internet harder to reach for criminals.
Written by Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement
circleid.com | 31-Jan-2012 16:29
BT Working on 300Mbps Residential Pilot Project
Openreach, the lead deployment arm of BT, has issued an announcement asking residents and landlords of apartment blocks to join a pilot project that will eventually bring broadband download speeds of up to 300Mbps to residents.
"Participants will gain access to Openreach’s Fibre to the Premises (FTTP) technology which delivers super-fast broadband speeds," says Openreach. "End users will initially have access to downstream speeds of up to 100Mb/s but these will rise to give users the option of up to 300Mb/s in the spring of this year, the fastest commercially available speeds in the UK for a residential connection. Upstream speeds will also be the fastest in the UK."
circleid.com | 30-Jan-2012 21:43
ARI Registry Services Signs 21 Contracts in the First Week of New TLD Applications
Strong demand shown for new Top-Level Domains as ARI Registry Services wins 21 new contracts in the first seven days of the application window.
ARI Registry Services today announced it signed contracts to provide technical registry services for 21 new Top-Level Domains within the first week of applications opening.
Adrian Kinderis, CEO of ARI Registry Services, said signing 21 contracts in the first week was the perfect start to the application window.
"The opening of the application window on 12 January has clearly motivated applicants to get moving on this unique, yet limited opportunity. We immediately witnessed an influx of enquiries and 21 contracts had been signed by the end of the week," Mr Kinderis said. "The majority of these contracts are .brand TLDs, representing some of the largest and most recognisable brands around the world. This indicates that the time of procrastination is over. Applicants need to move now or run the risk of missing out."
According to an analysis by ARI Registry Services, brands have shown the strongest interest (60% of interest) in applying for a new Top-Level Domain, followed by entrepreneurs (30% of interest) and then governments or other groups (10% of interest) wanting to represent their city or region online. An analysis of the industries shows technology brands (20%) lead the pack, closely followed by banks and other financial service providers (11%).
Mr Kinderis said he expects to make public client announcements with major brands in the near future. He also noted there is now no doubt about the level of demand for new Top-Level Domains.
"Critics of the program have suggested there is little demand for new domains. However, from the results we have seen in the first week of applications, we can clearly see strong demand exists."
Although the first week saw a strong result, Mr Kinderis warned that many potential applicants were still sitting on the fence with a 'wait and see' mentality.
"We have clients that are still undecided about whether they should apply. They have been put off by the negativity that has been surrounding the program. There have been delays and speculation. There is also a misguided perception amongst some that they can wait until the next round to secure their brand or generic category name. My message to those clients is that there is no certainty about when there will be another round. Potential applicants need to understand that if they take a 'wait and see' approach, they may miss out altogether," Mr Kinderis said.
The application window for new Top-Level Domains (TLDs) opened on 12 January. ARI Registry Services signed the 21 contracts in the seven day period between 12 and 19 January. Due to confidentiality agreements, ARI Registry Services is unable to reveal any specific details about the contracts. The names of the clients, along with all the other clients ARI Registry Services is working with, will be revealed on 1 May 2012 when ICANN publishes the list of applications it has received.
circleid.com | 30-Jan-2012 16:23
Selecting ICANN's Next CEO - Letter 2
In November 2011, a group of "friends of ICANN" from various countries sent a letter to the Chair of ICANN's Board, expressing concern about the process used previously, and suggesting improvements.
Towards the end of 2011, the ICANN Board set up a Search Committee, chaired by George Sadowsky, and some significant improvements have been integrated into the selection process:
• In the previous round, in 2008-09, some members of the Board had self-appointed themselves to form a Search Committee, which began consultations many weeks before a Board resolution even established it. This time, proper process has been respected.
• In its previous incarnation, the Search Committee had chosen an external consultant without any semblance of a competitive bid, which was odd at a time when the whole of ICANN was gearing up to reaffirm its commitments, including being able to escape "capture" resulting from any conflict of interest. This time, the firm was selected through a call for tenders.
• In 2008-09, responsibilities were blurred between the Search Committee and the consulting firm, each doing a bit of the other's job. This time, applications from candidates are received solely by the consulting firm, which does all the vetting, due process and pre-selection, in (we are told) an independent fashion.
• Transparency has improved; for example, the profile of the CEO job was posted, and the ICANN community invited to review it.
• Previously, the job of CEO had not been advertised other than on the ICANN website, in spite of strong demands by some Board members who remarked that a lack of adequate international publicity weakened the corporation's transparency and reputation. This time, an ad was placed in a world-class weekly, attracting much attention.
In the 2nd letter to the Chair of the Board, 2 questions were raised about the way the ad was run in The Economist:
• Why was ICANN not referred to, simply, as a "not-for-profit" organization?
• Why was the usual "multi-stakeholder organization" description dropped?
Do these two notable departures from long-standing and widely accepted definitions imply that ICANN is considering a change in its identity? In his reply, the Chair of the Board answers these points.
The 2nd letter from these "friends of ICANN", and the reply from the Chair of the Board, can be viewed in full here.
Written by Jean-Jacques Subrenat, Ambassador (ret.)
circleid.com | 30-Jan-2012 16:03
The State of Mail Database Marketing
My mail server has a lot of spamtraps. They come from various sources, but one of the most prolific is bad addresses in personal domains. Several of my users have their own domains, such as my own johnlevine.com, in which they use a handful of addresses. Those addresses tend either to be people's first names, for individual mailboxes, or else the names of companies. If I did business with Verizon (which I do not) I might give them an address like verizon@johnlevine.com. All those domains get mail to lots of other addresses, which is 100% spam.
The made up addresses are largely dictionary attacks, which is obvious when I see sequential spam to barry@, betsy@, and bruno@. Some of them are company addresses that leaked to spammers before the companies went out of business years ago. And some are just mysteries.
My friend Bob Frankston has had his own vanity domain since 1992, which gets a lot of spam to spamtrap addresses. I automatically diagnose and send off abuse reports for a lot of it. Today I got a hand written response to one of them from a database marketing company in Florida. It said, in part:
This email resolves to a master record for [a name and address of a guy in Pennsylvania].
The record was added to the client's file on 11/12/2002 per a trip preference card that was sent to the postal address listed above. The trip preference card asks where someone would like to travel, and for their email address to be sent notifications.
If [that address] had changed their mind about receiving emails, we diligently suppress/remove opt outs. However, I do not see that email in our suppression, opt out, or feedback loops.
That wasn't too surprising, I've gotten other mail to that spamtrap from other spammers who gave me the same guy in Pennsylvania, who has no relation to Bob, and it's barely possible that someone could have scribbled something on a postcard that might have been mistranscribed as the spamtrap address, although the name of the alleged subscriber has no visible connection to the spamtrap address either. It's certainly plausible that once someone had the bad info, they sold it to lots of other marketers.
But two things jumped out at me. The first is the date, 2002. They've been spamming this address for ten years. Since it is a spamtrap, it has never responded, never ordered anything, never "opened" a message (ESP-speak for fetching the URLs in the message.) But they keep pumping out the mail anyway. The competent ESPs I know all purge their lists of dead addresses eventually, certainly in a lot less than ten years.
The other is the inability to imagine that every address in their crummy database isn't a live potential customer. This address never "changed their mind" because it doesn't have a mind. It's a spamtrap. It sends no mail, and it won't opt out because it never opted in.
I wish this situation were atypical, but it's not. If the putatively legitimate e-mail marketing industry wanted to understand why they've earned such a poor reputation, it wouldn't be hard to figure out.
Fun fact: Bob's last name happens to be the name of a town in Australia. Someone there has misconfigured one of their systems to send status reports with personal information about their clients to yet another made up address in Bob's domain, which I expect is totally illegal under Australian privacy law. I haven't been able to stop that, either.
Written by John Levine, Author, Consultant & Speaker
circleid.com | 29-Jan-2012 01:15
Protests Erupt Over EU's Anti-Counterfeiting Trade Agreement
In a blog post today, Michael Geist writes: "The reverberations from the SOPA fight continue to be felt in the U.S. and elsewhere (mounting Canadian concern that Bill C-11 could be amended to adopt SOPA-like rules), but it is the Anti-Counterfeiting Trade Agreement that has captured increasing attention this week. Several months after the majority of ACTA participants signed the agreement, most European Union countries formally signed the agreement yesterday (notable exclusions include Germany, the Netherlands, Estonia, Cyprus and Slovakia). This has generated a flurry of furious protest..."
circleid.com | 27-Jan-2012 19:24
IP Address Reputation Primer
There have been a lot of recent discussions and questions about reputation, content and delivery of email. I started to answer some of them, and then realized there weren't any basic reference documents I could refer to when explaining the interaction. So I decided to write some.
This post is about IP address reputation with some background on why IPs are so important and why ISPs focus so heavily on the sending IP.
Why IP addresses?
ISPs built reputation around IP addresses because it was one bit of data that malicious senders / spammers couldn't forge. The connecting IP is a fundamental part of the network transaction and if you forge an IP then SMTP can't work. Because that was the reliable data they had to work with, that's what they used. Even now, when there are other kinds of data, the IP address is still the first thing the receiving MTA sees.
What is IP reputation?
IP reputation can best be summed up as "past performance is an indicator of future results." In other words if recipients responded well to mail from an IP address in the past, then they're likely to respond well to new mail from that IP address.
How is IP reputation measured?
While each spam filtering company and ISP have their own ways of calculating the reputation of an IP address, there are some similarities in what they measure.
- How many non-existent email addresses is this IP attempting to deliver to?
- How many abandoned email addresses is this IP attempting to deliver to?
- How many "known bad" email addresses (spamtraps) is this IP attempting to deliver to?
- How many recipients complain about receiving this mail?
- How many recipients complain about not receiving this mail?
- How respectful of my resources is this IP?
- Does this IP keep connections open for long periods of time?
- Does this IP retry deliveries too aggressively?
- Does this IP stop mailing addresses after receiving a "user unknown" message?
- Is this IP address configured as if the associated machine was infected by a virus?
- Is this IP address listed on blocklists we use?
That is by no means an exhaustive list of what ISPs measure. If they can measure it they've tried. If the measurement helps them separate spam mail from not-spam mail then they're using it.
How fast does IP reputation change?
IP reputation is often measured over multiple time periods. ISPs can look at a 1 day, 7 day, 30 day and 90 day reputation. A good analogy is stock prices. Prices can be very volatile in the short term, but more consistent over the long term. A single bad day, where one or more reputation measurements go bad, may affect delivery that day or the next day but won't damage an overall good reputation. Likewise, a few days of improved mail may not be sufficient to counter months of poor reputation.
How is IP reputation used?
Mail from IPs with a high reputation is accepted faster and at a higher rate than mail from IPs with a lower or unknown reputation. IP reputation can also influence whether mail is delivered to the inbox or the bulk folder.
Key IP Reputation takeaways
- IP reputation is about how recipients react to mail from that IP. Happy, content recipients turn into good delivery.
- Brief changes (for good or bad) don't necessarily ruin delivery over the long term.
- Steady improvements will result in improved reputation.
- It may take as much time to change a reputation in one direction or another as it took to establish the reputation in the first place.
Written by Laura Atkins, Founding partner of anti-spam consultancy & software firm Word to the Wise
circleid.com | 27-Jan-2012 02:24
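The multi-window behaviour described in the IP Address Reputation Primer above, as an added example (not code from the article or from any ISP): it scores one sending IP over the 1, 7, 30 and 90 day periods the primer names, using unknown-user rejections, complaints and spamtrap hits. The weights, the 0.05 threshold, the verdict names and the sample traffic are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

WINDOWS = (1, 7, 30, 90)   # look-back periods named in the primer, in days

# Assumed weights and threshold; real receivers keep theirs private and differ.
WEIGHTS = {"unknown": 1.0, "complaint": 5.0, "trap": 20.0}
BAD_SCORE = 0.05


@dataclass(frozen=True)
class DayStats:
    day: date
    attempted: int    # recipients this IP tried to deliver to
    unknown: int      # attempts rejected as "user unknown"
    traps: int        # deliveries to spamtrap addresses
    complaints: int   # "this is spam" reports from recipients


def window_score(history, today, days):
    """Weighted bad-signal rate over the `days` days ending at `today`."""
    start = today - timedelta(days=days - 1)
    rows = [r for r in history if start <= r.day <= today]
    attempted = sum(r.attempted for r in rows)
    if attempted == 0:
        return None   # no mail seen in this window: reputation unknown
    bad = (WEIGHTS["unknown"] * sum(r.unknown for r in rows)
           + WEIGHTS["complaint"] * sum(r.complaints for r in rows)
           + WEIGHTS["trap"] * sum(r.traps for r in rows))
    return bad / attempted


def reputation(history, today):
    """Score for every look-back window, keyed by window length in days."""
    return {d: window_score(history, today, d) for d in WINDOWS}


def verdict(scores):
    """Assumed policy: long windows set the baseline, the 1-day window
    only slows acceptance for the day."""
    def over(window):
        return scores[window] is not None and scores[window] > BAD_SCORE

    if scores[90] is None:
        return "unknown"      # new IP, treated with caution
    if over(30) or over(90):
        return "bulk"         # sustained poor reputation
    if over(1):
        return "throttle"     # one bad day: slow down, keep the baseline
    return "inbox"


def make_history(today, pattern):
    """pattern: [(n_days, (attempted, unknown, traps, complaints)), ...],
    oldest first; the last generated day is `today`."""
    total = sum(n for n, _ in pattern)
    day = today - timedelta(days=total - 1)
    rows = []
    for n, stats in pattern:
        for _ in range(n):
            rows.append(DayStats(day, *stats))
            day += timedelta(days=1)
    return rows


# Constructed sample traffic (not measurements).
TODAY = date(2012, 1, 27)
CLEAN_DAY = (10000, 20, 0, 5)
BAD_DAY = (10000, 900, 10, 60)
SENDER_A = make_history(TODAY, [(89, CLEAN_DAY), (1, BAD_DAY)])   # one bad day
SENDER_B = make_history(TODAY, [(87, BAD_DAY), (3, CLEAN_DAY)])   # late cleanup

if __name__ == "__main__":
    for name, hist in (("A", SENDER_A), ("B", SENDER_B), ("new", [])):
        scores = reputation(hist, TODAY)
        shown = {d: None if s is None else round(s, 4) for d, s in scores.items()}
        print(name, shown, verdict(scores))
```

Sender A's single bad day pushes only the 1-day score over the threshold, while sender B's three clean days leave the 7, 30 and 90 day scores well above it.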
NORDUnet's Brilliant Internet Peering Strategy
Map Showing NORDUnet's 2011 completion of network expansion by taking a third connection to the US in production.
NORDUnet, the R&E network connecting the Nordic countries, has recently undertaken a brilliant Internet peering strategy that will have globally significant ramifications for supporting research and education around the world.
NORDUnet is now emerging as one of the world's first "GREN"s — Global Research and Education Network. NORDUnet is extending their network infrastructure to multiple points of presence throughout the USA and Europe to interconnect to major Internet Exchange Points (IXPs). This will allow them to negotiate as a Tier 1 Internet service provider and exchange traffic with other global commercial Tier 1 Internet transit providers. NORDUnet is also playing a global leadership role by extending this service offering, on a shared cost basis, to NRENs such as SURFnet (Netherlands), PIONIER (Poland) and perhaps others.
Many network operators ask why they should build an extensive peering network when transit prices are only marginally more expensive than peering (and still dropping)? The NORDUnet engineering team are one of the first to understand that Internet peering is not about cost comparison between peering and transit pricing.
Most universities (as well as consumers and business) have a fixed budget for Internet connectivity. So regardless of traffic volumes they can only spend so much money for Internet transit. As a result, many institutions cap traffic volumes to commercial transit providers. But peering traffic is done on a settlement free basis and therefore traffic volumes are not linearly related to cost. Many NRENs have discovered that content peering traffic has a huge benefit for their connected institutions in stabilizing costs without restricting use of the network. On some NRENs, content peering traffic is now 90% of their overall traffic volume. By connecting to the major IXPs in the USA, NORDUnet can eliminate purchase of virtually all transit traffic. Traffic volumes are expected to immediately jump because now institutions will not have to cap formerly transit traffic.
This arrangement will have a huge benefit for the research community as more and more computational research is done on commercial clouds in the US. NORDUnet realizes that, despite concerns about the US Patriot Act, researchers are voting with their wallets and using commercial cloud providers and value added cloud providers in the US. Many research disciplines, especially genomics and bio-informatics, are becoming increasingly dependent on commercial application providers, because they have the necessary tools critical to their research. Numerous bioinformatics companies, like SoftGenetics, DNAStar, DNAnexus and NextBio, have sprung up as they have found life sciences a fertile market for products that handle large amounts of information. Access to these commercial organizations through the commercial Internet or Open Lightpath Exchanges is essential for the future of research.
This initiative by NORDUnet will have profound implications for the future of the Internet and data intensive science. The obvious next step after exchanging peering traffic is also to use these links for dynamic lightpaths and virtual networks for large data flows. It is no surprise that networks like NORDUnet and SURFnet are also leading the developments of dynamic optical networking through GLIF. The other important development is for other NRENs to build similar global links and exchange peering routes so collectively they can represent themselves as a global Tier 1 and finally eliminate the archaic telco business models that currently dominate the Internet. This will have significant benefits for those NRENs who are deploying community IXPs and can extend the benefits of content peering to community anchors and support community broadband developments.
Peering traffic also goes hand in hand with dynamic optical networks and GOLEs. Some NRENs are under pressure by some large institutions threatening to leave. Some institutions think that directly connecting to a GOLE and purchasing commercial Internet for the balance of their traffic is all they need for R&E connectivity. But peering dramatically changes the balance as it is a service and business model that is not available from commercial providers. The cost savings are dramatic for the connected institution and it does not cripple researchers accessing commercial research services such as clouds because of traffic caps.
Once again, NRENs and GRENs are demonstrating their important role in redefining the critical role of the Internet and creating new opportunities for the global informational economy. Kudos to NORDUnet.
Written by Bill St. Arnaud, Green IT Networking Consultant
circleid.com | 27-Jan-2012 00:52
Making the Web Faster: Google Working on Enhancing Transmission Control Protocol (TCP)
As part of its efforts to speed up the delivery of web content, Google has proposed changes to Transmission Control Protocol (TCP), "the workhorse of the Internet." Yuchung Cheng who works on the transport layer at Google writes:
"To deliver content effectively, Web browsers typically open several dozen parallel TCP connections ahead of making actual requests. This strategy overcomes inherent TCP limitations but results in high latency in many situations and is not scalable. Our research shows that the key to reducing latency is saving round trips. We’re experimenting with several improvements to TCP."
Cheng believes the current transport layer badly needs an overhaul to catch up with other (networking) technologies. Read more.
circleid.com | 27-Jan-2012 00:47
Nixu DDI Awarded Gold Medal for Its IPv6 Support
Nixu Software has been awarded the IPv6 Ready Gold Certificate by the IPv6 Ready Forum for its DDI Software Appliance platform on 21st December 2011. The tests, which were carried out by an independent third party approved by the IPv6 Ready Forum, validated the interoperability between Nixu DDI Software Appliance platform and other networking products with IPv6 Ready Gold Certificate. Other manufacturers with IPv6 Ready Gold Certificate include Cisco Systems, Juniper Networks, RedHat, VMware, Hewlett-Packard and IBM.
The exhaustion of IPv4 address space in 2011 made IPv6 connectivity an unavoidable reality. While most organizations are yet to face an urgent need for introducing IPv6 support in their networks, they should nonetheless, plan ahead to ensure a smooth transition to a dual-stack environment. The increased complexity of the IPv6 address syntax and the vast size of the available address space mean that DDI services (DNS, DHCP, IPAM) play an even more pivotal role in managing these dual-stack networks.
Having introduced full dual-stack support already in 2004, Nixu Software has been a pioneer in the wide-scale adoption of IPv6 network connectivity. Juha Holkkola, the Managing Director of Nixu Software, said in this regard: "When we started out working with dual-stack environments, there was no strict standard, let alone any certification available. Now that IPv6 is going mainstream, we decided that it was a good time to have Nixu DDI platform's world-class IPv6 support formally acknowledged. Our products sailed through the testing phase in a matter of weeks, which is pretty impressive considering that for some of our competitors it has taken over a year, while for others it seems completely impossible."
To celebrate this achievement, Nixu Software has released a new version of howismydns.com, a free online test tool used to validate the configurations of public DNS servers. This latest version provides complete support for dual-stack networks, allowing fully transparent testing process for IPv4, IPv6 and dual-stack DNS deployments. In addition to IPv6 support, the new toolset also comes with a number of DNSSEC validation tests. To try out the latest IPv6 DNS and DNSSEC testing tools, please visit howismydns.com.
circleid.com | 26-Jan-2012 23:36
We Are All Internet Exceptionalists Now
The Stop Online Piracy Act (SOPA) and its defeat call attention to a delicious irony in public discourse on Internet governance. Even those who don't want the Internet to be an exception from traditional forms of regulation and law are forced to admit that something new and exceptional must be done to bring it under control, such as massive departures from traditional concepts of territorially bounded sovereignty through the use of in rem jurisdiction. Reinforcing the irony, these attempts by the anti-exceptionalists to subordinate the Internet to established institutions immediately lock them into conflict with a highly mobilized, highly transnational community of Internet users and service providers who vow to resist those controls. The resistance comes precisely because the mobilized community believes that the controls cannot be applied to the Internet without threatening to fundamentally alter its status as an open, innovative and — dare we say it — exceptional space. In other words, we are all Internet exceptionalists now.
You know that the anti-exceptionalists have raised the white flag of surrender when they are forced to whine that the thousands of web publishers who went dark are "abusing their power" — thus admitting that a critical mass of Western society's eyes are turned toward the Internet and that the people who occupy and publish and interact in that globalized space constitute enough of a cohesive community to collectively turn against those who threaten them.
It doesn't matter whether one is on the pro-control or anti-control side of the spectrum; governing the internet forces a choice upon one: either go for new and unprecedented forms of technical intervention and transnational political cooperation, or go for some kind of ratification and institutionalization of the Internet's special status as a zone for the free flow of information and a diminished role for territorial government and traditional informational property rights.
Mind you, one needn't be a cyber-utopian to be an Internet exceptionalist. In other words, you don't have to believe that the Internet will by its very nature make politics fair and democratic and that the good guys will always win. SOPA or some equivalent could rise again, in some other form. Some key actors could be bought off with some concessions in the new legislation. The mobilized community's resolve could weaken over time, as it grows accustomed to things. We need to be heedful of Benkler's warning that as the networked environment resists control, there will be strong pressures to suck ever more of it into the law enforcement vortex. But surely, after 15 years of these battles (starting, roughly, with the CDA mobilization of 1996) we can dismiss these jaded admonitions that Internet regulation is just business as usual. If the Internet stops being an exception, we will have no one but ourselves to blame.
Written by Milton Mueller, Professor, Syracuse University School of Information Studies
circleid.com | 26-Jan-2012 17:27
NASA Website Blocked Due to DNSSEC Error
A misconfiguration in NASA's DNSSEC implementation on its website caused Comcast's network to block users from the site last week. NASA had incorrectly signed DNSSEC in its implementation of the new security protocol, causing Comcast's newly DNSSEC-enabled service to automatically block access to the site. The block coincided with the day part of the Web went dark in protest of controversial anti-piracy legislation, leading some users and pundits to inaccurately speculate this was Comcast's way of protesting the government-based bills.
Read full story: Dark Reading
circleid.com | 25-Jan-2012 23:30
When Were They Hit? New Report from Neustar Details DDoS Attack Trends
Neustar Insights: DDoS Attack Trends 2010-2011 – Report highlights trends in the origin, timing and size of DDoS attacks, comparing data from 2010 and 2011.
As distributed denial of service (DDoS) attacks threaten more businesses, the need to understand them is more important than ever. A new report from Neustar helps to frame the problem with key data on attacks over the past two years.
"Neustar® Insights: DDoS Attack Trends 2010-2011" features data compiled by Neustar's Security Operations Center, which monitors and mitigates DDoS attacks 24/7. Key findings include:
- 75% of large-scale DDoS attacks originate in China, home to hundreds of millions of computers with unpatched operating systems, which are easy to infect and enlist in botnets (ad hoc networks used in DDoS attacks).
- By a dramatic percentage DDoS attacks are growing in size. The largest in 2011 was ten times the size of 2010's largest DDoS attack.
- Historically, more DDoS attacks occur in Q4, during the busiest ecommerce season. While this held true in 2010, Q4 attacks dropped in 2011.
- A large percentage of DDoS attacks occur at the beginning of the work week...
- During core business hours. No doubt, attackers are trying to hit when companies have the most to lose, during peak hours for sales and operations.
Overall, the data describes a problem that is growing, not diminishing. According to other industry sources, there are over 7,000 DDoS attacks worldwide every day. What's at risk? Corporate websites, online revenues, brand equity and more. Any business that relies heavily on the Internet, especially for ecommerce and customer service, could find itself vulnerable to a costly outage.
Besides illuminating the problem, Neustar's report also provides common-sense tips for defending against DDoS attacks. The report concludes with a quick outlook for 2012. With DDoS attacks becoming more sophisticated and major events on the horizon — for example, U.S. elections and the London Olympics — organizations of all types should prepare for the worst.
circleid.com | 25-Jan-2012 18:28
Failing to Act on Accountability
More than a year has passed since the first organizational review team delivered its final report on ICANN's accountability and transparency. Disappointingly, ICANN has done precious little to act on a key recommendation in that report. Its failure to act threatens to damage ICANN's credibility, just as it enters one of the most critical periods in its history.
In December 2010, the Affirmation of Commitments Accountability and Transparency Review Team (ATRT) published its Final Recommendations. The ATRT urged that "the ICANN Board should ... seek input from a committee of independent experts on the restructuring of the three review mechanisms — the Independent Review Panel (IRP), the Reconsideration Process and the Office of the Ombudsman." It explained that the committee should conduct "a broad, comprehensive assessment of the accountability and transparency of the three existing mechanisms and of their inter-relation, if any ..."
Timing was considered crucial. The ATRT assigned Recommendation 23 a "high priority" and specified that it was to be implemented "[a]s soon as possible, but no later than June 2011." This urgency reflects the intrinsic importance of Board review mechanisms to ICANN's accountability and the compromise behind referring that issue to an expert committee: the ATRT's members were uniquely divided over whether ICANN needs a review procedure that entails binding authority over the Board.
Quite apart from the urgency expressed by the ATRT, ICANN promised in the Affirmation of Commitments to act on the recommendations of such organizational review teams within six months. Yet ICANN recently confirmed that it has so far failed to carry out the very first task in implementing Recommendation 23 by engaging a committee of independent experts. Not until November 2011 did the Board Governance Committee direct staff to draft a Request for Proposal. And still another two months have passed without that RFP being posted.
A new White Paper details ICANN's inaction and its consequences, but even a high-level summary of the implications paints a troubling picture:
- ICANN's inaction is inconsistent with its obligations under the Affirmation.
- Failure to act undermines the voluntary self-correction process prescribed by the Affirmation by casting doubt on whether organizational reviews can bring about needed institutional changes.
- It substitutes top-down management for bottom-up consensus by interposing a management decision in place of the ATRT's recommendation.
- It frustrates the process of forming future bottom-up consensus by inhibiting, if not preventing, the ICANN community from having an open and fully-informed conversation about what standard of accountability the ICANN Board should adopt.
- Finally, ICANN's failure to implement the ATRT's recommendation is a missed opportunity to show that ICANN is committed to honoring the Affirmation and the processes it agreed to there, regardless of where they lead.
With a multi-million dollar New gTLD Program now underway, ICANN's accountability profoundly matters to stakeholders around the globe. One hopes that ICANN will offer them the reassurance that it stands behind its written commitments. To do that, it should implement ATRT Recommendation 23 promptly and completely.
Written by R. Shawn Gunnarson, Attorney at Law, Kirton & McConkie
circleid.com | 25-Jan-2012 01:18
MarkMonitor to Exhibit at Internet Tech Policy Exhibition and Reception to be Held on Capitol Hill
On Wednesday Jan. 25, the Congressional Internet Caucus Advisory Committee (ICAC) will host its 15th annual tech policy exhibition, the longest running technology exhibition on Capitol Hill. As part of the exhibition, MarkMonitor® will demonstrate its brand protection and antipiracy technology.
This is a widely attended educational event hosted by the Congressional Internet Caucus Advisory Committee (ICAC), part of a 501(c)(3) charitable organization. More information about the 15th Annual Tech Exhibition and Reception can be found at:
http://www.netcaucus.org/events/2012/kickoff/
What: Congressional Internet Caucus Advisory Committee's 15th Annual Kickoff Reception & Technology Exhibition
When: 5-7 PM, Wednesday, Jan. 25, 2012
Where: Hart Senate Office Building, Room 902
RSVP: RSVP's appreciated. Please register at the website or onsite at the event.
Follow the event on Twitter: #ICACTech
This event is free and open to the public.
circleid.com | 24-Jan-2012 19:52
Privacy Rules to Change in the EU, But What If …?
In a presentation, EU Commissioner Viviane Reding gave a preview of the new Privacy regulation her DG is preparing. As she states, privacy rules need to be brought up to date and harmonized. With all 27 member states having the same rules and tools to enforce, a company only will deal with one privacy commissioner, i.e. the one of the country of its main establishment. What a lot of red tape gotten rid of. So, what if we, for the sake of this blog, take this initiative towards spam and cyber crime. What would this do to spam enforcement?
ACMA receives a major compliment
In 2004, when I first entered the anti-spam arena, this was a mantra that I had to hear very often: "Spam is international. We cannot do anything", spoken with a lot of emphasis and some despair. Unfortunately in 2012 this is still true for many countries. Not because of the fact that it is impossible to do something about spam, no, but due to a lack of initiatives. I think that a great compliment to Australia's ACMA (Australian Communications and Media Authority) was published on CircleID in a comment to an article about the impact of Canada's spam law on local businesses. Brett Watson, an Australian internet engineer, writes:
"However, my present (and general) lack of anything to complain about reflects well on the law and its enforcement… Perhaps what's most telling is that I have, for the first time, subscribed to some advertising newsletters in recent years. I don't feel the need to jealously protect my email address any more, or diligently use uniquely tagged addresses when handing them over. I trust ACMA to keep the companies in line, and the trust seems well placed so far."
This proves that fighting spam is effective and that the combination of enforcement with filtering by ISPs keeps mailboxes clean. Spam hasn't gone away, but at national level companies are disciplined and mostly act within the law in the few countries with vigorous enforcement bodies.
Who enforces what?
Privacy and spam are closely related. Spam is seen as an invasion of privacy. But it goes way beyond mere privacy. Privacy sensitive data is often used, sold or worse stolen in order to approach people. Whether to sell a(n illegal) product, phish for more (bank)data or industrial espionage, a stolen e-mail address is often the basis of law violations. The patchwork of enforcement agencies, unclear enforcement powers, the lack of understanding of the issues at stake, of resources, training or powers, the unavailability of online reporting of spam or cyber crime, all make that enforcement is far from optimal in most countries.
Standardisation of spam and cyber crime law
Could a standardised law, with a standardised toolkit for enforcement agencies make a difference? Yes, I think that it would. For the public it would mean that there is the certainty that when the law is broken, it is clear who to report to and that it is likely that an investigation follows. That it makes a difference to complain. For senders it also sets clear boundaries. Their business continues, as is proven in e.g. The Netherlands, but in compliance with the law. Next to that it offers this clearness in 27 states.
As spam, e-fraud, phishing, cyber crime and worse are all so closely related and often involve several countries, it makes sense to be more directive from Brussels. At national level there are so many different laws, ministries and enforcement agencies involved, that coordination there is almost utopian. Next to the fact that success without industry participation is clearly unthinkable. Despite the fact that the Dutch National Cyber Security Centre is a promising initiative, it is obvious that for most countries this form of public-private cooperation is hard to attain.
A proposed course of action for the EU Cyber Security Centre
The discussion about the EU Cyber Security Centre is under way. Let me give a pointer on what the centre could do. To my mind it ought, also, to actively collect, analyse and share data with those involved: public and private entities, universities. This gives the centre coordinative powers in matters cross border and across different enforcement organisations as well. Two difficult hurdles taken… should this come to pass. The combination of the overview and oversight with the transparency caused by available, shared data makes all concerned answerable for their (lack of) actions to the centre and each other. I am also convinced that this model will lay the foundation for cooperation with whole new groups of Internet industry partners that are now harder to reach/convince.
Ambition at Commissioner level
If Commissioners Kroes, Malmström and Reding used their powers to harmonise the laws and enforcement in the way Ms. Reding proposes for privacy, i.e. the same law and enforcement tools, standardised enforcement agencies and a point of case handling, the fighting of privacy infringements, spam, malware and cyber crime may actually take a turn for the better. They are so intertwined that another approach is (well, should be) almost unthinkable.
The combination of a pro-active EU Cyber Security Centre with a layer of harmonisation where enforcement is concerned will prove to be a structural step forward from the present situation in many countries. Yes, this is ambitious, but it is clear that the present approach is not going to change much. Everything cyber is still a field day for criminals and a private company, Microsoft, so far is the most successful in fighting botnets. This ought to be different, shouldn't it?
Written by Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement
circleid.com | 24-Jan-2012 17:59
Sedari Signs With Dot Moscow Bidders
Sedari has been engaged by the Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID), a not-for-profit Russian foundation which is preparing applications for the .MOSCOW and .МОСКВА (in Cyrillic) top-level domain names. The implementation of the new top-level domains will make possible websites with addresses such as WWW.COMPANY.MOSCOW and for museums МУЗЕИ.МОСКВА.
"Russia, though cautious in their approach to IDNs in the new TLD program, trusts Sedari with one of their critical national assets — its capital city" said Sedari's CEO Dr Liz Williams. "This is the first of Sedari's city domain names to be signed and one of a number of Internationalised Domain Name applicants we are advising. FAITID is a great organization full of enthusiastic and experienced professionals who will offer Muscovites and others exciting opportunities for second-level names in Russia," Williams continues.
The .MOSCOW and .МОСКВА project is backed by Moscow's local government and won an impressive showing of support from over 17,000 Internet users in on-line and off-line polls.
"Implementation of any TLD is a complicated project with many issues to resolve" says Dmitry Burkov, FAITID Board Member, "That's why we've chosen Sedari as our strategic international partner for .MOSCOW and .МОСКВА. Sedari management has the experience and industry knowledge on ICANN that makes us confident the company is familiar with all the procedures of the corporation, in particular related to new TLDs. Together with Sedari we'll make the project for Moscow top-level domains successful giving Russian users more choice in the domain name space."
About FAITID
FAITID is the Foundation For Assistance For Internet Technologies And Infrastructure Development, a Moscow-based not-for-profit multistakeholder organization. Introduction of the domains for the Russian capital is the initial and key FAITID project. FAITID's structure involves all interested parties in the process of the TLDs implementation such as local government, the private sector, and Internet community representatives.
circleid.com | 24-Jan-2012 17:53
.ORG, The Public Interest Registry Welcomes Nancy Gofus As Chief Operating Officer
.ORG, The Public Interest Registry (PIR) — manager of the world's third largest generic top-level domain — today named Nancy Gofus as chief operating officer. A long-time veteran of the telecommunications industry, Ms. Gofus will oversee the marketing, sales, product and strategy functions, helping CEO Brian Cute expand PIR's global presence as well as develop and execute marketing strategies that further grow the .ORG domain in existing and new markets.
Currently, Ms. Gofus serves as board chair of the national board for Volunteers of America — a national non-profit dedicated to helping those in need live healthy, safe and productive lives. In this capacity, she works closely with the executive team on expanding the organization's reach and raising awareness of its efforts in helping senior citizens, veterans, and at-risk youth, children and families nationwide. Previously, Ms. Gofus served as senior vice president of global product management for Verizon Communications in 2009 and chief marketing officer at Verizon Business from 2006 to 2008. In that capacity, she was primarily responsible for delivering and communicating Verizon Business' value proposition by developing and overseeing the marketing strategy, advertising, brand management, and product management. Prior to the Verizon/MCI merger in 2008, Ms. Gofus developed and delivered MCI's new generation of services, guiding the evolution of MCI's product line and helping companies make the transition from traditional data services to IP services.
"Nancy brings to PIR that unique blend of non-profit, marketing and communications experience which directly speaks to PIR's core mission to both serve in the public interest and provide a safe, more secure Internet," said Brian Cute, chief executive officer of PIR. "Nancy's business acumen and international experience will help continue our reputational growth as an exemplary registry and further solidify .ORG's position as the domain of choice for non-profits, individuals and the like. As the Internet grows due to the introduction of new top-level domains, so will PIR's commitment to the public."
Added Ms. Gofus: "As a non-profit, PIR understands the needs of that community and has truly been seen as a partner to international organizations looking to build their online presence. I have long admired their work, and I'm thrilled to have the opportunity to work alongside Brian and the rest of the PIR team to help advance .ORG's impact and reach on a global scale."
A graduate of the College of William & Mary, Nancy also currently serves on the Foundation board of The College of William and Mary. Previous work experiences include time as executive vice president of marketing and customer care for XO Communications from 2000 to 2003. During her tenure, she helped drive the company's growth from $250 million in revenues to over $1 billion.
circleid.com | 24-Jan-2012 06:58
Exporting SOPA-Like Rules to Other Countries
"While SOPA may be dead (for now) in the U.S., lobby groups are likely to intensify their efforts to export SOPA-like rules to other countries," says Michael Geist in a blog post today.
Geist writes: "With Bill C-11 back on the legislative agenda at the end of the month, Canada will be a prime target for SOPA style rules. In fact, a close review of the unpublished submissions to the Bill C-32 legislative committee reveals that several groups have laid the groundwork to add SOPA-like rules into Bill C-11, including blocking websites and expanding the 'enabler provision' to target a wider range of websites. Given the reaction to SOPA in the U.S., where millions contacted their elected representatives to object to rules that threatened their Internet and digital rights, the political risks inherent in embracing SOPA-like rules are significant."
circleid.com | 23-Jan-2012 21:58
European Commission Proposes "Right to be Forgotten" Internet Law
A new law promising internet users the "right to be forgotten" will be proposed by the European Commission on Wednesday. It says people will be able to ask for data about them to be deleted and firms will have to comply unless there are "legitimate" grounds to retain it. The move is part of a wide-ranging overhaul of the commission's 1995 Data Protection Directive.
Read full story: BBC
circleid.com | 23-Jan-2012 21:04
Minds+Machines Works with .bayern
The Directors of Top Level Domain Holdings Limited (AIM:TLDH.L), the only publicly traded company focused exclusively on acquiring and operating new generic top-level domains ("gTLDs"), are pleased to announce that Bayern Connect GmbH, the German operating company in which TLDH has a majority holding, has been exclusively awarded the contract to apply for the .BAYERN gTLD string by the Bavarian State Government. Top Level Domain Holdings' wholly owned registry services company, Minds+Machines, will provide the back-end registry services for the proposed new domain. Revenue to the Company will be based on a share of the revenues generated by the domain.
Antony Van Couvering, CEO of Top Level Domain Holdings, commented:
"We view .bayern as a very significant win for Bayern Connect and for TLDH. We are fully aware of the responsibility entrusted to us and plan to fully support Bayern Connect in its mission. Germany has 82 million inhabitants, 62 million internet users [source: ITU September 2009] and 15 million domain names registered under .de [source: Denic Statistics]. By comparison, Bavaria has 12.5 million inhabitants. We foresee a long and mutually profitable relationship with Bayern Connect and the people of Bavaria through this initiative."
Top Level Domain Holdings is currently supporting a portfolio of gTLD applications ranging from geographic applications, wholly-owned or joint venture applications for generic word based domains, and applications by third party clients where Top Level Domain's registry services company, Minds+Machines, provides the registry service.
About Top Level Domain Holdings Limited
Top Level Domain Holdings is a publicly traded holding company listed on the London AIM market. The company is focused on the new top-level domain space. Top-level domains, such as .com, run by VeriSign (NASDAQ: VRSN), and .biz, run by NeuStar (NYSE: NSR), are regulated by ICANN. ICANN has announced plans to expand the number of top-level domains. TLDH intends to make targeted investments in this space, focusing on both infrastructure technologies and specific top-level domains.
circleid.com | 20-Jan-2012 19:16
CRIDO Sells "Do Not Sell List"
Coalition for Responsible Internet Domain Oversight, or CRIDO, released a plan they called a "peacemaker" three days before the Jan. 12th, 2012 launch, which would allow brands to begin the ICANN application process but would allow organizations and companies the opportunity to place their brand names, without cost, on a temporary "do not sell" list. ICANN so far has not responded to the "do not sell" list, and CRIDO is getting restless and threatening lawsuits.
According to CRIDO, their members represent some 10,000 brand names, so let's evaluate the makeup of this highly desirable "do not sell" list, but first, the three typical brand name groups in the marketplace:
1. Hassle-free names that are on a solid footing. (For example: Microsoft, IBM, Nokia, Toyota, Intel, Disney, BMW, Gillette, Honda, Google, Cisco, Honda, Sony, Nike, Ikea, Nintendo or Gucci.)
2. Troublesome names that carry varying degrees of confusion. For example: GE, BT, CA, SK, or LG. Major brand names with two-letter names run into difficulty, as two-letter suffixes are reserved for countries, like .jp for Japan. Names like iSong, Citi, AIG, UMS or MPC types will require special scrutiny to stay clear from any confusion with other users. Names that come in two or more parts, like Mercedes Benz, Merrill Lynch, Harley Davidson, Goldman Sachs, Morgan Stanley, Hewlett Packard — such names may pass, but two-word names are overly cumbersome in usability.
3. Borderline disaster names — those that are simultaneously used by hundreds or thousands of unrelated entities, making it difficult to claim exclusive ownership. (For example: United, Premier, Delta, National and so on.)
Please do not be shocked that only a minuscule percentage is made up of hassle-free names. Incidentally, in applying the nomenclature rules, the majority of CRIDO brand names would be considered "troublesome" or outright "disaster" names. However, it's also important to note that at one time, what we now call borderline disaster names were fashionable, but over time they either became generic or lost their distinction through mergers and acquisitions. Most importantly, last-century thinking was much less global, and last-millennial tools of image expansion were not as cheap and freely accessible as today.
So now brand owners have two choices: Either walk on a tightrope and adopt a workable name to cross the global digital chasm, or simply do nothing and let the diluted name identity hang the image to a slow death.
This is where CRIDO's "do not sell" list gets sticky. First, how do you determine the real owners of a name like National or United? Second, what kind of marketing geniuses will chase after such weak names that they'd require CRIDO's "do not sell" protection? Ideally, such names should be on a "please do not ever buy list" for being almost useless and for having extremely high maintenance costs.
If such a list were ever compiled, would CRIDO indirectly admit the fallacies on behalf of their industry and expose the hardcore problems of the global naming and trademarking chaos? Is CRIDO simply trying to provide a soft landing to millions of dysfunctional brand names already sucking oxygen as you read this?
For example, according to Superbrands, a brand ranking company, in 2011, "Autoglass is a leading consumer automotive service brand, providing vehicle glass repairs and replacements to more than 1.5 million motorists every year. With the widest-reaching auto glazing network in the U.K. and Ireland, Autoglass has over 100 branches nationwide and 1,300 mobile service units operating 24 hours a day, 365 days a year. Autoglass is part of Belron group, operating in 33 countries with a team of more than 10,000 highly skilled technicians."
This is a great achievement for a high-profile regional company. Assume they also try the gTLD .autoglass, to allow them a more localized global agents' network with the issuance of tens of thousands of sub-domain names around the world. Such localized customer touchpoint branding would open up mass customer acquisition. But would it be possible under this name?
As you stretch the brand name "autoglass" or "auto glass" on the global canvas, the name starts to tear. Its generic nature and the massive brand dilution created by thousands of other companies around the world using "auto glass" devalues this brand name to no more than a "generic description." Where, then, should it be listed in a "do not sell" list or, more appropriately, "please do not ever buy" list, or perhaps each?
The corporate world is full of such names hanging in purgatory, where they have acquired partial authority in certain markets but will never have enough to power play in the global arena. The boardroom needs the answers to who are the beneficiaries of such bad names and why such issues are not on top of the agendas.
Here is another example of "Nationwide," according to Superbrand 2011:
"Nationwide is more than 160 years old and is now the world's largest building society. Unlike its bank competitors it has no shareholders, so its only focus is its 14 million members. This 'proud to be different' approach has helped it to become the U.K.'s third-largest mortgage and savings provider, with a quarter of U.K. households having a relationship with the society."
How many organizations are called "Nationwide" around the globe? Please do not guess, as it may give you that sinking feeling.
According to various studies by ABC Namebank on global naming dilution, when you observe that "there are 100 most diluted names around the world in use by some 100 million businesses," a logic-defying picture of waste emerges. The century-old models start showing cracks, and the need for a single universal name clearance solution appears to be the most logical solution.
ICANN's proposal for a single global trademark clearance house is a very bold step forward. Such moves must overcome the fragmented trademark procedures, as I've discussed in a recently released book, 'Domination, the gTLD name game'.
No matter what action ICANN takes, it's highly recommended that such a "do not sell" list must be compiled by CRIDO in any case, so the corporate world can witness the chaos and abuse of naming and trademarking, and hopefully acquire some "please do not ever buy" lessons.
Written by Naseem Javed, Corporate Image & Global Naming Expert
circleid.com | 19-Jan-2012 23:58
Feds Shut Down File-Sharing Website Megaupload.com, Seven People Charged
Federal prosecutors in Virginia have shut down one of the world’s largest Internet file-sharing sites, Megaupload.com, charging its founder and others with violating piracy laws, the Associated Press reports today. "The indictment was unsealed Thursday, one day after websites shut down in protest of two congressional proposals [SOPA & PIPA] intended to thwart the online piracy of copyrighted movies and TV programs."
From the FBI report today: "Seven individuals and two corporations have been charged in the United States with running an international organized criminal enterprise allegedly responsible for massive worldwide online piracy of numerous types of copyrighted works through Megaupload.com and other related sites, generating more than $175 million in criminal proceeds and causing more than half a billion dollars in harm to copyright owners, the U.S. Justice Department and FBI announced today."
circleid.com | 19-Jan-2012 21:05
Data Quality in the RIPE NCC Service Region
In an earlier article on CircleID, Registry Data Quality Assessment, we discussed the importance of high quality and accurate IP registry data. At that time, we focused mainly on the accuracy of legacy address space: IP addresses that were given out prior to the existence of the RIPE NCC and that are not part of the current registry system.
In this article, we want to present the efforts to keep the address space that is the responsibility of the RIPE NCC up to date and well maintained. When the RIPE NCC allocates addresses to a Local Internet Registry (LIR), the LIR is then the authorised holder and has responsibility for the registration and maintenance of all assignments it makes from this address range.
The RIPE NCC audit activity proactively checks the quality and validity of registry data, both in the internal records maintained by the LIRs and the public records in the RIPE Database. In 2011, approximately 400 audits were opened, which means that the LIR's records were reviewed and, if necessary, together with the LIR, corrected and updated. Taking into account that there are over 7,800 LIRs in the RIPE NCC service region, this might sound like a drop in the ocean. However, an LIR's registry data is also checked every time an LIR requests additional address space. This means that specific audits are carried out in addition to these regular checks and are often performed for LIRs that have not been in contact with the RIPE NCC for a longer period of time.
In the image below, you can see the type of issues that occurred during the audits in 2011. Note that multiple issues can be found in one audit.
During an audit, the following issues are typically found:
- Invalid records, such as:
  - more IP addresses registered than were approved
  - unapproved network names
  - missing network objects in the RIPE Database
- Overlapping assignments registered in the RIPE Database
- Resources returned
  - assigned PI or AS number resources are no longer valid or in use and are returned to the unused pool
- Internal records updated
- Organisation contact data
- Assignment window (AW) abuse
  - if assignments are made that exceed the LIR's AW or are otherwise not compliant with the AW policy
The RIPE NCC works with the LIRs during an audit to assist in the resolution of any issues. An audit is closed only when all issues have been resolved or the audit is no longer relevant for other reasons, such as LIR closure, acquisition and so on.
Please refer to the 2011 Audit Results on RIPE Labs for a more detailed description of the audit activity and some other statistics.
Written by Mirjam Kuehne
circleid.com | 19-Jan-2012 18:41
Implications of Canada's CASL - Toughest Anti-Spam Law the World Has Ever Seen
Businesses operating in Canada are set to come under one of the toughest anti-spam laws the world has ever seen. While Canada was dragging the chain when it came to introducing anti-spam legislation, it is now making up for lost time. Ottawa's new law — expected to be operational early this year — has severe fines for violations and is viewed by some as too tough.
Known as CASL, the new law aims to crack down on spammers and mailing list companies but in doing so, tightly regulates the way businesses can market to prospective customers via email and online.
In a nutshell, CASL requires a business to obtain consent from the recipient before it sends out commercial electronic messages (CEMs). It isn't limited to email; consent must be given for any electronic message, which could also include messages sent via social media, text messaging, instant messaging, sound or video. If your business operates outside of Canada, you shouldn't assume the Anti-Spam Act doesn't apply to you. If a computer system within Canada is used to send, receive or even route the message, then the law could also apply to you.
It is in obtaining consent before sending an electronic message where the Canadian Anti-Spam Act differs from its American equivalent. The United States' CAN-SPAM Act requires that recipients are given an opt-out option from commercial messages but under CASL, recipients must opt-in to receive electronic messages.
The fines for violating the Anti-Spam Act are hefty. The maximum penalty per violation for an individual is CAD $1,000,000 and $10,000,000 for corporations. With potentially crippling fines waiting in the wings for violators, how can you ensure your company is compliant?
The first thing is to be aware of which messages require consent before they are sent. There are a few exceptions, which include personal relationships or when the company is providing requested information. Consent can usually be implied if there is an existing business arrangement of two years or more, or if an email address has been disclosed in the course of business. You can read more about exceptions to CASL here.
If your electronic message doesn't fall under an exception category, then you will need to obtain consent before sending it. The message should also include an unsubscribe mechanism. To ensure compliance, your company should establish procedures to obtain consent for electronic messages and educate staff on the Anti-Spam Act. The most important thing to remember before you press 'send' is the onus is on your company to prove you received consent.
Do you operate a business in Canada? How do you think the Anti-Spam Act will affect the way you market electronically? Please contribute to the conversation below.
Written by Susanna Sharpe, Social Media Manager
circleid.com | 18-Jan-2012 21:17