CircleID

Green IT Revolutionizing UK Cyber-Infrastructure via Networks, Cloud, Outsourcing, Finan. Incentives

2012-02-10T13:20:01-08:00

As readers of my blogs may know I have long argued that advances in research and education through cyber-infrastructure (or eInfrastructure) can be largely justified, if not entirely paid for through the energy savings of using clouds, networks or outsourcing.

But a big impediment in adopting cyber-infrastructure in most jurisdictions is the lack of financial incentives. The energy savings of cyber-infrastructure are usually earned by the facilities or estates department or rarely based on to researchers and educators. But initiatives like national Green Revolving Funds, funded by the national government such as the 10 million Salix pound program in the UK, and JISC/JANET programs to promote clouds, outsourcing and Green IT are starting to make a difference. More importantly universities such as Cambridge are developing programs to pass on energy savings to individual departments^†.

Another great example is the public-private partnership of London University and UNIT4 to offer shared outsourcing services to UK universities, as well as the recent JANET cloud brokering offering.

If these collocated facilities use green or renewable power, the carbon/energy savings for a university can be significantly greater than more traditional energy saving schemes such as changing light bulbs or adding insulation. Of course, advanced high speed R&E networks supporting Software Defined Networks and Hybrid optical backbones are critical for this vision.

Ultimately I think such initiatives can entirely underwrite the cost of such advanced networks by making Green Revolving Funds aware of the huge energy savings available by integrating advanced networks with clouds and outsourcing. Kudos to JISC/JANET for these forward thinking services.

^† Cambridge Shared Savings – A new case study from the JISC-funded RECSO Project, managed by Forum for the Future with inputs from SusteIT, describes the background, aims and working of the Electricity Incentive Scheme (EIS) that Cambridge University implemented in 2008/09 and has since developed. The Scheme encourages consumers of electricity across the University to maximise their energy efficiency through a system of financial incentives (both rewards and penalties) at a departmental level. It thus achieves the benefits of fully devolved energy budgets without the administrative and managerial implications that this could have involved. The Scheme saved an estimated £820,000 in energy costs in its first year. Although not targeted at ICT, it obviously provides general incentives to tackle its energy use — as evidenced by an Appendix which details how the scheme helped stimulate an innovative green data centre (PUE approaching 1.1) in the Department of Engineering (also featured in the presentations from our September 2011 workshop at Cambridge). (PDF)

Written by Bill St. Arnaud , Green IT Networking Consultant

Follow CircleID on Twitter

More under: Cloud Computing, Data Center

ISPs Are Not Broadcasters, Says Supreme Court of Canada

2012-02-10T08:13:00-08:00

The Supreme Court of Canada has ruled that Internet providers are not broadcasters for the purposes of the Broadcasting Act when they simply transmit content to subscribers, reports Michael Geist. The court noted:

The terms "broadcasting" and "broadcasting undertaking", interpreted in the context of the language and purposes of the Broadcasting Act, are not meant to capture entities which merely provide the mode of transmission. The Broadcasting Act makes it clear that "broadcasting undertakings" are assumed to have some measure of control over programming. ... When providing access to the Internet, which is the only function of ISPs placed in issue by the reference question, they take no part in the selection, origination, or packaging of content. The term "broadcasting undertaking" does not contemplate an entity with no role to play in contributing to the Act's policy objectives. Accordingly, ISPs do not carry on "broadcasting undertakings" under the Broadcasting Act when they provide access through the Internet to "broadcasting" requested by end‑users.

Follow CircleID on Twitter

More under: Access Providers, Law, Policy & Regulation

Study Indicates Nearly Half A Million Jobs Created from "App Economy" in US

2012-02-08T12:58:01-08:00

A new study reveals close to 466,000 jobs have been created in the "App Economy" in United States — up from zero in 2007. The total number of Apps Economy jobs includes jobs at 'pure' app firms such as Zynga as well as app-related jobs at large companies such as Electronic Arts, Amazon, and AT&T, as well as app 'infrastructure' jobs at core firms such as Google, Apple, and Facebook. In addition, the App Economy total includes employment spillovers to the rest of the economy.

The research [PDF] analyzed detailed information from The Conference Board Help-Wanted OnLine (HWOL) database as conventional employment numbers from the Bureau of Labor Statistics were not suitable to track such a phenomenon as this economic ecosystem is so new.

Follow CircleID on Twitter

More under: Mobile, Web

What Does It Take To Repair Trust? What Will It Take ICANN To Win Back "Trust"? (Part I)

2012-02-08T07:47:00-08:00

Some readers may wonder why I chose to raise the issue of "trust" now or even ask what it will take for ICANN to repair it. After all, the New gTLDs have been launched; applications have started being received, and all ICANN official announcements are that all is good and going according to plan.

But many other readers and astute observers of this space, domestic and international, would not confuse the public dead silence we are hearing from ICANN and its insider community or the euphoria of the long awaited application submissions we are seeing to mean that all is perfect. The multistakeholder model, ICANN's version of it, the New gTLD program, ICANN's approach on it, and The Single Root and its unique identifiers are all at graver risk than ever and must be saved before it is too late. Only then can we truly claim to be serving the "Global Public Interest" beyond mere words, slogans, and 11th hour band aid patches.

If you question my opinion on this gravity please take note of how Dr Larry Strickling, US Assistant Secretary of Commerce, concluded his letter to ICANN on Jan 3, 2012 stating:"How ICANN manages the new gTLD program will, for many, be a litmus test of the viability of this approach”.

It is understandable why those in the ICANN community who do see many of these grave risks to the multistakeholder model in plain sight chose to remain silent. Some do so in order not to cause any hiccups or possible derailment to the long overdue, but inequitable to emerging markets, New gTLD program that stands to benefit them, their businesses or their plans. Instead they chose to formulate their message to focus on only the opportunities the new gTLDs will bring, and rightly so, but with little or no attention to their local and global risks. After all, serving the Global Public Interest is not their mandate — it is however ICANN's mandate per the Affirmation of Commitments (AOC) agreement with the US Government, to which and to whom at the very least, it should be accountable.

The Global Picture

Internationalized Domain Name gTLDs, also known as IDN gTLDs, will usher the Global Multilingual Internet I have championed and advocated since the late 1990's, at many levels and roles, to serve "The Global Public Interest" that should empower local citizens.

Readers may be aware that I have also, inside and outside the ICANN fora, created great international awareness of the immense positive benefits of the coming Multilingual Internet that will be born thru IDN gTLDs and the new gTLD program. More acutely, I have not shied away from pointing out the grave risks, some of which remain unaddressed and unresolved. Also, the international relationships that I have created with global leaders in their sectors like Deloitte, VeriSign and others that primarily focus on the emerging markets and IDNs should carry some weight, credibility and validity to the voice of concern I raise, for those who care to listen.

But these accolades do not detract me from following my conscience and beliefs, as I have done over the years, to point out the grave risks I see in plain sight regardless of how unpopular this may make me at first glance with colleagues and fellow ICANN community members. Many are aware that I also have placed serving The Global Public Interest that I have always talked about above any possible personal or business interest. I hope that saying my peace may help save the Multistakeholder model, its principles and the single root of unique identifiers, the 10s, maybe 100s of millions of dollars that applicants are investing in applications, and ICANN from failure, and before it is too late.

The Imminent Grave Risks

Imminent grave risks are facing the Multistakeholder model, the single root, and ICANN itself, as well as serving "The Global Public Interest". In brief they are… Click here to continue reading the full Ankabooot editorial.

Written by Khaled Fattal, Group Chairman, The Multilingual Internet Group

Follow CircleID on Twitter

More under: DNS, ICANN, Internet Governance, Multilinguism, Top-Level Domains

Green Revolving Funds Can Help Fund Costs of Cloud Computing and R&E Networking

2012-02-07T12:20:00-08:00

There have been some interesting new developments in university Green Revolving Funds (GRF) that I believe could be a significant revenue opportunity for cloud suppliers and R&E networks. In this age of severe financial constraints and cutbacks for universities, new revenue models are needed to sustain advanced cyber-infrastructure in support of research and education.

In recent years, GRFs have become increasingly popular on campuses in the United States and Canada. The funds operate and are managed by the university, with loans issued to university departments or campus groups. As of February 2011, there were 52 active green revolving funds in the United States and Canada. These funds were traditionally earmarked for energy efficiency applications like changing light bulbs or boilers. But increasingly they are now being used for IT applications.

Most green initiatives involve ICT in some form or another. A good example is Iowa State University that borrowed $300 from the university GRF to install energy saving software on over 500 computers, which is projected to result in over $49,000 in annual energy savings for the university.

One GRF model, that is gaining popularity, is national or state based GRF funds like Salix in the UK which received over $10m pounds from the UK government. These funds are also being targeted to support IT energy reduction as for example the recent funding of 2 million pounds to University of St. Andrews.

Another model, that is being explored is where the NREN operates a national GRF, sponsored by the national/state government or collectively on behalf of the institutions. Network membership or users fees can then be deducted against the fund, if the institution undertakes activities to reduce their IT energy impact through the use of clouds, remote collocation, offloading campus network management, content peering and other such services.

CANARIE, through the Greenstar program in partnership with the Canadian Standards Association has developed process and procedures on measuring the detailed energy costs savings that are possible through such arrangements.

Some pointers:
Good Overview of Green Revolving Funds
JISC white paper: Using IT to go green at universities & revolving green funds: briefing paper
CANARIE-Greenstar-CSA document

Written by Bill St. Arnaud , Green IT Networking Consultant

Follow CircleID on Twitter

More under: Cloud Computing

Is ICANN Opening up Public Comment Periods in Bad Faith?

2012-02-07T11:02:00-08:00

I read with interest that ICANN opened up yet another comment period on new TLDs.

I believe that I speak for many when I question whether ICANN is opening up these comment periods in good faith, or instead whether these are smokescreens, mere distractions to pretend that ICANN is "listening" to the public while staff and insiders proceed with predetermined outcomes.

I note that as of today, there are multiple past comment periods where ICANN staff have not yet even summarized/digested the public's input. This is simply unacceptable. In other organizations, people would get fired for not doing their jobs in a timely manner. At ICANN, such behaviour is not only tolerated, it is seemingly encouraged. It appears to be part of the culture of "willful blindness" of ICANN staff, insiders and the Board, in order that its "top-down" agenda can be imposed upon an unwilling public, rather than actually listening to the public in the "bottom-up" process that it suggests exists.

Furthermore, when ICANN does bother to get around to publishing summaries, it's clear that they do not even listen to what the public has to say on the topic! The public opposed new TLDs by a great margin. It was a very clear message, yet ICANN kept ignoring what the public had to say, and mischaracterized their words when speaking to others (e.g. politicians in Washington, etc.) about the public "consensus."

One sees that ICANN continues to speak in that twisted and biased manner in this actual comment period, when it uses loaded phrases such as "carefully crafted, new protections" or "perception" or "perceived need" — the underlying assumption being that the public is simply "stupid" and "doesn't understand" new TLDs, and if only the public "knew better", they would "come around" and "love what ICANN is doing." That is simply preposterous and arrogant. It demonstrates that ICANN is out of touch with reality. The informed public knows that new TLDs will be a disaster, and has said so in clear language at every opportunity. ICANN is not "misunderstood" as some people believe — the public fully understands ICANN, and opposes its plans! Period!

ICANN acts like a greedy politician, asking for a "tax increase" to pay for a new bureaucracy that simply transfers wealth from the public to itself and its insiders. ICANN is not creating new wealth. ICANN is destroying wealth. Taxpayers see through attempts to bamboozle them that the "tax increase" is a good thing. Just as the public sees through attempts by ICANN and its insiders to bamboozle them that this new TLDs plan is "good" for the public. Attempts to dress up their greedy proposal using words like "innovation" fail, because the public is smarter than ICANN and can see through their self-serving proposals.

One need only look at the .XXX rollout, which was a disaster for the public. Millions of dollars were spent by universities, non-profits, individuals and corporations to purchase "protection" so that someone else could not tarnish their image/brand/identity. ICANN and its insiders do not consider this to be a "disaster", though — they look at this as "innovation", and pat themselves on the back saying "job well done." ICANN might pretend "well, no one told us this was going to happen… how were we to know??" That's utter nonsense, of course. One can go back to the analysis of Tim Berners-Lee on new TLDs, who didn't mince his words. He said "New Top Level Domains Considered Harmful". Could one be more clear?? [NB: He was not pointing to just .mobi and .xxx — he was saying this about ALL new TLDs (see the "Title" tag in the W3C page).]

ICANN and its insiders are emboldened by the dot-XXX launch. They want to multiply that "tax" on the public, what many have described as a "protection racket", a thousand-fold. ICANN suggests that "this time will be different" — keep dreaming! The only thing that will be different is the *degree* to which the public will be damaged. ICANN wants to damage the public a thousand-fold, to the benefit of itself and its insiders.

ICANN instead needs to take a step back, whether willingly or by being forced to do so by the GAC, DOC, NTIA, DOJ or by other agents that are representative of the public interest. I suggest ICANN be compelled to do the following:

(1) immediately suspend the new TLDs rollout, and refund all monies collected to date.

(2) terminate the staff who have pushed forward this new TLDs plan over the objections of the public. It's clear that these staff have their own agenda that does not reflect the public interest, and it's time for new blood that is ready to serve the public, rather than staff who want to be masters over an enslaved public.

(3) go back and present true options to the public regarding new TLDs. In our prior recent submissions (see here and here), (which ICANN has yet to summarize, although we repeat much past input) we identified FIVE allocation methods for new TLDs. Five! 5! Yet, ICANN has never presented them all as options to be seriously considered. They simply imposed in a top-down manner their single plan that maximized the benefits to ICANN's insiders, rather than allow for competing alternatives that maximize the benefits, if any, to the public. One can see some of the options that ICANN failed to allow the public to even comment on, such as:

(i) no new TLDs

(ii) .com domains simply "ascending" to the root (no need for "defensive registration" concerns in that scenario, is there??)

(iii) Ascended TLDs approach (see here for full description) which also reduces the need for defensive registrations considerably.

(iv) regular competitive bidding/tenders for lowest cost to registrants (this was the DOJ/NTIA/DOC proposal in December 2008)

(4) go back and do true economic studies that weigh the benefits and the costs on the public (not just the benefit to ICANN and its insiders) for all alternatives (including the four options presented in point (3) above), not just the self-serving single plan that ICANN wants to impose upon the public. The economic studies must be truly independent, with researchers selected by the NTIA/DOC/DOJ or GAC, and not by ICANN staff/insiders.

In conclusion, ICANN simply acts as if it "knows better" (which it doesn't) and dismisses all attacks on its extremist and disastrous plans. It is our true hope that ICANN not be allowed to damage the DNS further. As Tim Berners-Lee wrote:

"The second effect is that instability is brought on. There is a flurry of activity to reserve domain names, a rush one cannot afford to miss in order to protect one's brand. There is a rash of attempts to steal well-known or valuable domains. The whole process involves a lot of administration, a lot of cost per month, a lot of business for those involved in the domain name business itself, and a negative value to the community."

The existence of this comment period about "defensive registrations" is proof that "Sir Tim" was right! (maybe that's why he was knighted, due to his brilliance) We ask that the new TLDs plan be terminated, so that further "negative value to community" does not occur. By continuing to ignore the public's wishes, ICANN is causing DNS instability. A trusted custodian of the DNS would not be causing DNS instability. Yet, ICANN has been doing exactly that. It's time that the world recognizes that ICANN is no longer a trusted custodian of the DNS and its damaging plans must be opposed.

Written by George Kirikos, President, Leap of Faith Financial Services Inc.

Follow CircleID on Twitter

More under: DNS, Domain Names, ICANN, Internet Governance, Policy & Regulation, Top-Level Domains

10 Reasons Why New gTLDs May Not Work For You

2012-02-07T10:29:01-08:00

World's mega businesses are about to wake up to the domain name expansion reality, where suddenly a name identity's exclusive ownership on global canvas of cyber branding and functionality will be ensured via gTLD. Something that traditional trademark system took years to achieve. A gTLD brand is not for everyone, structurally designed for powerful new ideas and established organizations around the world; however, following are the ten reasons why it may not work for you.

1. Localization – Your offerings are focused on local markets and there is no agenda for a multi-directional outward expansion. True, there are millions of successful businesses comfortably paced and happily servicing their local customer base, but a gTLD is most suitable when there is a challenge to tackle unlimited marketing options and enlarge national or global visibility.

2. Discounted Pricing – You pursue a reduced price strategy over creating premium branded goods. Commoditized businesses nestled in their own culture all over the globe stay firmly streamlined with such thinking. A gTLD is for extreme value added models in pursuit of extreme image visibility and mindshare to earn premium profit. This tool is to assist in digital presence and brand name visibility.

3. Brandless Advertising – Your business has a fierce agenda to push more adverting and promotion but not necessarily branding. There are far more businesses using advertising without any clear image positioning mandate or branding. A gTLD is for well defined strategies on market positioning and high value brandable concepts to reach massive customer touchpoints. This platform is for well structured name identities leading charge for brandable offerings

4. Outsourced Talent – Your business model mainly outsources marketing, advertising, branding and IT components. It's very common for businesses to avoid building highly skilled internal teams to integrate and create competitive advantage. A gTLD demands commanding knowledge from the internal teams to interact with highly specialized external services to achieve a comprehensive long term plan. It will allow sophisticated branding maneuvers and tackle futuristic issues.

5. Cyber-Oblivion – Social Media/Multilingulization/Cyber Branding is irrelevant in your successful organization. Organizations must either respond and interact with the rest of the cyber world or prepare to fall into an odd culture separated from the market reality. A gTLD is for aggressively pursuing the global 2 billion online users, driven by innovation and adoptability to global marketing needs in harmony with one internet one world, one name brand and one owner philosophy. It will fit with game changers mentality.

6. Budgetary Constraints – Your current sales volume or profit margins do not allow such expenditures. Almost all businesses are in a catch 22 trying to make such quantum leaps. The costs of gTLD are equal to production cost of a TV commercial. When properly applied, gTLD creates marketing weapons with maximum impact resulting in increased sales advantage and greater profitability. Under right applications it can replicate sub-domain-name branding at fraction of cost.

7. Cascade Effects – Your business model does not allow for the creation of unlimited customer touchpoints and multi-directional expansion. Most businesses structurally are not prepared for unlimited growth. A gTLD cascades downward when there are numerous applications for fully integrated social media and latest cyber technologies. It will spread outwards to increase customer touch points.

8. Convoluted Clusters – Your product and services name identities have become confusing and this lack of symmetry makes the costs prohibitive. Most businesses have either too few or too many brand names due to internal disparities and corporate politics supporting customer's confusion. A gTLD program demands well defined naming architecture to enable distinct name identities to act as precise marketing weapons. It will force corrected rules and vision towards business naming issues.

9. Name Rejection – Your already established name identity has no elasticity for stretching over the canvass of global image and trademarking and it is unable to pass the stringent tests of ICANN. Last century regional names are not capable to fit the next generation of global digital cyber branding. Businesses must either ignore or face the glaring disfunctionalities of their names. A gTLD provides wings to a globally workable name pushing them into a higher stratosphere in the fastest time and at a minimum cost. The ownership of a gTLD name will attract global spotlights.

10. Brandless Empires – You are in the business of making money and have successfully done so. Every corner of this planet has such great examples and yet not every success results in a successful brand delivering value-added experience at higher returns. A gTLD is for those wishing to own exclusive ownership of a globally recognized cyber name identity device, earn the respect and support of national or global mindshare, offer high value premium brands, while pursuing market domination via name identity. Name identity ownership must match high caliber outward bound brandable ideas.

(Excerpted from DOMINATION, THE gTLD NAME GAME by Naseem Javed Copyright © 2012
by permission of Metrostate Syndicate)

Written by Naseem Javed, Corporate Image & Global Naming Expert

Follow CircleID on Twitter

More under: Domain Names, Top-Level Domains

Phish or Fair?

2012-02-07T07:03:00-08:00

It shouldn't be a big surprise to hear that phishing is a big problem for banks. Criminals send email pretending to be a bank, and set up web sites that look a lot like a bank. One reason that phishing is possible is that e-mail has no built in security, so that if a mail message comes in purporting to be from, say, accounts@bankofamerica.com, there's no easy way to tell whether the message is really from bankofamerica.com, or from a crook.

Mail authentication schemes like DKIM and the new dmarc.org group use cryptographic signatures to help authenticate mail and prove that it really is from who it purports to be from. So, if the mail can authenticate the sender, the phishing problem goes away, right?

Unfortunately not. One huge problem is that even if you have all the crypto stuff so you can be 100% sure that a message really is from, say, BANK-AMERICA.COM, you don't know whether BANK-AMERICA.COM is actually your bank or not.

I've made a little game called Phish or Fair. It shows you a domain name, you guess whether it belongs to Bank of America. Try it out and see how you do.

Then see if you can figure out why a bank would use over a thousand different domains. My example here is Bank of America, but they're no worse than other big banks; I picked them because their name is easy to search for.

If banks were serious about phishing, they'd pick one name, one domain, and use that consistently. But they don't.

PS: BANK-AMERICA.COM belongs to some guy in France.

Written by John Levine, Author, Consultant & Speaker

Follow CircleID on Twitter

More under: Cybercrime, Domain Names, Email, Security

New gTLD Application Monitoring? Now?

2012-02-06T15:48:00-08:00

Why in the world would any company sign-up for a "New gTLD Application Monitoring Service" when ICANN intends to publicly post all applications on May 1st?

Domain Name Watching and Trademark Watching Services make perfect sense when new registrations and applications are being submitted and granted on a daily basis. I think that we can all easily agree that trying to understand new domain name and trademark registrations without an automated service would be nearly impossible.

And when ICANN eventually moves away from these discrete application rounds, I will be the first one to recommend an Application Watching Service.

However, as all new gTLD Applications in this first round will be publicly posted to the ICANN website on May 1st , it would seem that reaching for Ctrl-F would be the quickest and easiest way to search for exact- and near-matches.

Additionally, the applications that are likely to cause the greatest concern are probably those that consist of generic terms being applied for by a single company which intends to restrict ownership to only itself. So looking through the list of applications will be critical — you may not know what is of concern until you actually see it.

Be wary of companies offering new gTLD Application Watching Services at this time. Given that the number of submitted applications will likely be between 1,000 and 1,500, companies should be able to easily review the full list on May 1st, and quickly identify applications of concern.

Written by Elisa Cooper, Director of Product Marketing at MarkMonitor

Follow CircleID on Twitter

More under: Domain Names, ICANN, Top-Level Domains

Mobile Internet Usage at 8.5%, Doubled From Last Year

2012-02-06T15:13:00-08:00

Global internet usage through mobile devices, has almost doubled to 8.5% in January 2012 from 4.3% last year according to a new report from web analytics StatCounter. While this stat excludes tablets, firm's research arm highlights the increasing use of mobile devices to access the internet with market share doubling year on year since 2009. Nokia leads worldwide, most probably driven by its dominance in India. Apple is second globally but leads the US and UK markets. In the UK RIM is second only to Apple.

Follow CircleID on Twitter

More under: Mobile, Web

The FBI and Scotland Yard vs. Anonymous: Security Lessons

2012-02-06T10:59:00-08:00

A lot of people are fascinated by the news story that Anonymous managed to listen to a conference call between the FBI and

Scotland Yard. Some of the interest is due to marvel that two such sophisticated organizations could be had, some is due to schadenfreude, and some is probably despair: if the bad guys can get at these folks, is anyone safe? To me, though, the interesting thing are the lessons we can learn about what's wrong with security. Many of the failures that led to this incident are endemic in today's world, and much of the advice we're given on what to do is simply wrong or arguably even harmful.

The first issue is how Anonymous managed to record the call. The ways we'd see it done in a movie — tapping a phone line or listening to law enforcement official's cell phone — are comparatively difficult to do. They're not impossible, but they're not the easy way for a task like this. Rather, what appears to have happened is what most outside security experts immediately suspected: Anonymous read an email giving the details of the call, and simply dialed in, in the same way as the intended participants. The message was sent to "more than three dozen people at the bureau, Scotland Yard, and agencies in France, Germany, Ireland, the Netherlands and Sweden;" a single security flaw anywhere along the chain could have resulted in the leak.

Here we see the first flaw: the call details were, effectively, a shared credential. It is quite probable that the conference call moderator had no idea who had dialed in. We see the same phenomenon with role accounts: many people share the password for the login, email access, etc. It may happen in the large — postmaster@example.com — it may happen when a vacationing executive gives a secretary the password to his or her email account; it may happen when spouses or romantic partners share passwords. Whatever the reason, it creates a security risk.

Reading further into the article, we see that "One recipient, a foreign police official, evidently forwarded the notification to a private account". At that point, it's tempting to blame that official, say he or she was poorly trained or disobedient, and stop worrying. Apart from the self-evident fact that a single security lapse shouldn't compromise everything (a proposition easier to state than to make happen), I strongly suspect that this unnamed official was behaving very rationally: he or she either wanted email access that was too inconvenient via the proper mail servers, or wanted a different human interface. If this person had no access to work email from home, or felt that, say, gmail was enough better that their productivity was improved, it's not surprising that this would happen. It shouldn't happen — and one would hope that a police official working on cybercrime would understand the risks — but in a strong sense the failing was organizational: if my hypothesis is correct, they may have failed to make it easy for people to do the right thing. Let me stress this: a security mechanism that is so inconvenient that it tempts employees to evade it is worse than useless, it's downright harmful. (Note well: I'm not saying that this official did the right thing; I'm saying that organizational policies or technologies may have led to too much temptation for people who are trying to be more productive.)

But how did Anonymous know which outside email account to monitor? This article notes that assorted groups have made a habit of targeting law enforcement email servers, with some success against less-sophisticated police organizations. That would yield a list of email addresses, and perhaps passwords. Perhaps more importantly, it can show who was using an outside mail server, one that isn't protected by VPNs, firewalls, one-time passwords, and the like. At that point, the attackers have several ways to proceed.

First, they could try this law enforcement email password against the outside mail server. The odds are high that it will succeed; far too many people reuse passwords. And why do they do this? Because they have too many passwords to remember, especially if they're all "strong". And of course, people are forbidden to write them down.

Most of the advice we get on security starts with "pick a strong password". (Look at CERT's advice: the very first thing it tells people to do is "always select and use strong passwords". Patches, a really effective defensive measure, are mentioned fourth.) Strong passwords are not a bad idea, but you're in much more trouble if you reuse passwords. No one can possibly memorize all of the passwords they have; reuse is the usual answer.

A second way in which the attackers could have compromised the official's account is via a spear-phishing message, booby-trapped to install a keystroke logger. That's been seen, though more often in a national security context . If the attackers did this, even encrypting the emails wouldn't have helped; the same malware that stole the login password could probably steal the private key as well. But I'm pretty sure that no encryption was employed; most encryption systems are too hard to use. Smart-card based decryption would have helped (though such things are far less convenient to use); though there are still attacks, they're more involved, and arguably less available to a group like Anonymous.

It's clear that there wasn't a single failure involved; in particular, the crucial mistake of forwarding work email to a personal account was quite plausibly a rational response to organizational policies. Preventing recurrences of this kind of incident will not be easy; there are too many weak spots.

Written by Steven Bellovin, Professor of Computer Science at Columbia University

Follow CircleID on Twitter

More under: Email, Security

WIPO Provides New Top-Level Domain Resources for Rights Holders

2012-02-04T09:33:00-08:00

Courtesy of Brian Beckham from the WIPO Arbitration and Mediation Center in Geneva, here are a few important links with information that may be helpful for rights holders with ICANN's New gTLD program now launched and accepting applications:

• First, is a helpful FAQ that explains plainly the Legal Rights objection process. It's important that rights owners are very familiar with this process and are ready to respond if in the unlikely but potentially problematic situation that another entity applies for a gTLD that includes their intellectual property.

• Next, comes a summary explanation of the post gTLD delegation (beginning late 2012 or early 2013) rights protection mechanisms included in the program and provided for the defense of intellectual property rights.

• Lastly, WIPO has provided a set of links to analysis and other resources about the New gTLD dispute resolutions mechanisms.

With the May First "reveal date" — the day that ICANN will announce all of the applicants and the strings that have been applied for — approaching quickly, rights owners should be ready to respond. Reading the first article is a great place to start. Thanks to WIPO for sharing these links and this information.

Written by Frederick Felman, Chief Marketing Officer at MarkMonitor

Follow CircleID on Twitter

More under: Domain Names, ICANN, Top-Level Domains

No Big Run on IPv4 in 2011

2012-02-03T08:44:00-08:00

2011 was an interesting year for IPv4: in February 2011, the Internet Assigned Numbers Authority (IANA) handed out their last free IPv4 address blocks to the Regional Internet Registries (RIRs).

In April 2011, the APNIC (the Regional Internet Registry for the Asia Pacific region) started allocating from its last /8. At the RIPE NCC we did not see a big jump in IPv4 address allocations in 2011, as anticipated by some observers.

The image below shows the total amount of IPv4 address space allocated each year (calculated as /16s on the y axis). You can see that in 2011 there was a drop in the amount of IPv4 address space from the previous year, bringing it down to the level of 2008 and 2009. There was no big run on the remaining IPv4 addresses.

Note that this does not correspond with the number of requests. Especially the number of requests for /21s increased in 2011 (you can find more on this in the background article on RIPE Labs).

IPv4 is certainly running out, but there is no great rush for the last addresses as feared by some. It was all pretty much "business as usual". As we've said in the past, predicting exactly when the RIPE NCC will run out of IPv4 address space is difficult. We cannot anticipate the size of requests we'll receive.

For more information and more statistics, please refer to IPv4 Allocation Statistics in 2011 on RIPE Labs.

Written by Daniel Karrenberg, Chief Scientist at the RIPE NCC

Follow CircleID on Twitter

More under: IP Addressing, Regional Registries

World Notices That Verisign Said Three Months Ago That They Had a Security Breach Two Years Ago

2012-02-02T18:48:00-08:00

The trade press is abuzz today with reports about a security breach at Verisign. While a security breach at the company that runs .COM, .NET, and does the mechanical parts of managing the DNS root is interesting, this shouldn't be news, at least, not now.

Since Verisign is a public company, they file a financial report called a 10-Q with the SEC every quarter. According to the SEC's web site, Verisign filed their 10-Q for June through September 2011 on October 28th. where it's been available to the public ever since.
Like every other 10-Q, it has a Risk Factors section which lists all the reasons that the company might fail, so don't sue us. Normally those sections are pretty routine, key employees might quit, customers might desert us, key contracts might not be renewed, that sort of stuff. But this 10-Q contained this bit:

We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network. Information stored on the compromised corporate systems was exfiltrated. The Company's information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future. The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company's management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company's disclosure controls and procedures in this area.

Apparently nobody got around to reading it until today, at least nobody who understands the business well enough to know what it means.

All the press reports I've seen just regurgitate that paragraph, adding a few quotes from people close to Verisign who all said they didn't know about it either, and security types who told us that it's an enormous big deal. (Now that you've read the paragraph, you're as qualified to pontificate as anyone.)

Personally, I don't know if it's an enormous big deal or not. Risk factor sections tend to be written as pessimistically as possible, so you can skip over the parts about they cannot assure you and so forth. One thing I do know is that it happened over a year ago, so if anything significant happened as a result, and Verisign knew about it, they'd have told us about that, too, on the principle that you release all your bad news at once. So this means that either it really was just a minor network breach, or the evil consequences are so deep and subtle that we may not know about them for years and years, if ever. I'd tend toward the former, but then, I'm not a Verisign stockholder.

Written by John Levine, Author, Consultant & Speaker

Follow CircleID on Twitter

More under: Cyberattack, DNS, Security

SEC Filing Reveals Facebook Network Equipment Valued Over $1B at Close of 2011

2012-02-02T11:59:00-08:00

"Facebook reported in its SEC filing that it owns 'network equipment' valued at $1.016 billion at the close of 2011," reports Rich Miller of Data Center Knowledge. "The number reflects the expense of rapidly building a massive Internet infrastructure, including Facebook's shift from buying vendor gear and leasing data centers to building its own servers, racks and custom data centers."

Facebook Constructing New Data Center - Located 62 miles south of the Arctic Cicle, Lulea. Facility consists of three 300,000 square feet server buildings; scheduled for completion by 2014.

Photo above shows Facebook's first outside the U.S. data center currently being built on the edge of the Arctic Circle. The northern Swedish city of Lulea chosen for the data center is partly because of the cold climate — crucial for keeping the servers cool — and access to renewable energy from nearby hydropower facilities, according to the company.

Image below is a visualization of Facebook's social graph of 500 million back in 2010 created by intern Paul Butler.

Facebook 'Friendship Visualisation' shows pairs of friends between the world's cities based on company's 500 million user base in 2010. Facebook's current user base at the time of its SEC filing is reported to be over 800 million.(Click to Enlarge)

Follow CircleID on Twitter

More under: Data Center

DNSChanger Trojan Still Running on Half of Fortune 500s, US Govt

2012-02-02T10:28:00-08:00

"More than two months after authorities shut down a massive Internet traffic hijacking scheme (link), the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and on PCs at nearly 50 percent of all federal government agencies, new research shows," reports Brian Krebs. ... "Internet Identity, a Tacoma, Wash. company that sells security services, found evidence of at least one DNSChanger infection in computers at half of all Fortune 500 firms, and 27 out of 55 major government entities."

Follow CircleID on Twitter

More under: Cybercrime, DNS, Malware, Security

Value or Love for New gTLDs?

2012-02-01T11:39:00-08:00

ICANN has started its historic and controversial program to expand the number of generic Top-Level Domains (gTLDs). This essay outlines the factors needed for the program to create economic value, warns against a cognitive trap that complicates selection of a new gTLD and considers the value contribution of the registries. I will not go into relevant macro measures, but I examine the problems associated with the popular measure of simply counting the number of registrations.

The key to understanding the program's economic impact is to follow the theories of economist Paul Romer and look at how the rearrangement of resources creates value. ICANN's program increases the supply of resources that registries have for creating value. Value creation by registries can come from: (1) introducing new TLD signals for things like location, community, and social responsibility (for example, .nyc for New York City, .music to signal community, and .green to signal environmental corporate responsibility); (2) combining information, such as in the .tel model, which provides contact information for the companies using the gTLD; and (3) introducing a gTLD that competes with .com.

Given the new resources provided by ICANN, the burden now lies on the registries to innovate. But they have to be careful of cognitive biases in choosing among the gTLDs. For example, a registry that chooses the proposed .music should ask itself, "Is there value in .music?" The temptation is to ask the far easier "Do we love music?" Not the same thing, but studies show that we often answer an easier question instead of a harder and more relevant one, and that we'll do so without noticing the swap. (For details on cognitive error traps, see Daniel Kahneman, Thinking, Fast and Slow. I have warned against cognitive biases in gTLD value estimation and in domain name appraisals.) Another trap is reliance on the popularity of key words in social media, an approach that flopped with the recent failure to predict the success of presidential candidates.

Remember, there is no easy way to measure new gTLD value creation. The domain name industry has focused on registrations, but that's because they are easily measured and the information is publicly available. Number of registrations does provide a viable measure of a registry's profits, but the registrations may be defensive by brand owners rather than value creating. (For a discussion of alternative measures, see "The Economics of Well-Being” by Justin Fox, HBR January-February 2012.)

New signals and combinations of information, á la .tel, can be value adding for established companies as well as new ones. But switching costs will probably keep most com-branded companies from making the jump. So new companies may converge on a new gTLD that competes with .com while existing companies will more than likely register their brands under a large number of the new gTLDs as a defensive measure. Put all the registrations together and there will be enough revenues for the com-alternative gTLD to be viable.

One reason for gravitating to a com-alternative gTLD is that new companies might feel constrained by the unavailability of desired .com names and thus have a motive to find reasonable alternatives. (See Why Dominant Companies Are Vulnerable by Kyle B. Murray and Gerald Häubl, Sloan Management Review December 2011.) This is especially true because emerging brand owners don't have to acquire any new skills in order to adopt a new gTLD.

Written by Alex Tajirian, CEO at DomainMart

Follow CircleID on Twitter

More under: Domain Names, ICANN, Top-Level Domains

AT&T's Randall & Stankey: Wireless Data Growth Half The FCC Prediction

2012-01-31T13:36:00-08:00

John Stankey, President and CEO, AT&T: "Data consumption right now is growing 40% a year."40%, not 92%-120%. "Data consumption right now is growing 40% a year," John Stankey of AT&T told investors and his CEO Randall Stephenson confirmed on the investor call. That's far less than the 92% predicted by Cisco's VNI model or the FCC's 120% to 2012 and 90% to 2013 figure in the "spectrum crunch" analysis. AT&T is easily a third of the U.S. mobile Internet and growing market share; there's no reason to think the result will be very different when we have data from others.

With growth rates less than half of the predictions, a data-driven FCC and Congress has no reason to rush to bad policy. Wireless technology is rapidly moving to sharing spectrum, whether in-building small cells, WiFi, White Spaces, Shared RAN or tools of what the engineers are calling hetnets — heterogenous networks. The last thing policymakers should do is tie up more spectrum for exclusive use; shared spectrum often yields three to ten times as much capacity.

Bad compromises on the video spectrum are unnecessary because plenty of spectrum is unused. That includes the 20 MHz that M2Z would be building out today if Julius hadn't blocked them; the 20 MHz the cable companies are sitting on and want to sell to Verizon; and the 30 MHz or so Stankey identifies as fallow at AT&T.

40% growth is still substantial, but wireless technology is improving at a breathtaking pace. LTE has about 10x the capacity of 2.5G and 4x the capacity of 3G. LTE Advanced, deploying beginning 2013 at Verizon, is designed for 10x the capacity of LTE. Putting more spectrum to use would be great, but let's do it right.

Wireless speeds are actually going up dramatically, with AT&T delivering 2-5 megabits to most of the country and Verizon's LTE delivering 5-12 megabits to 2/3rds of the population. Verizon is ahead of schedule to bring 5 megabits+ to 92% of the country in 2013 and 96-98% in 2015-2016. AT&T and Sprint have raised capex to catch up. 80%+ of the U.S. will have a 5 megabit offering in 2013-2014, 90%+ by 2015 or sooner. That's without any additional spectrum.

Today's wireless networks are designed to be shared: towers, WiFi, White Spaces, DAS and small cells all working together. The best engineers in the world are working on RAN sharing, SON, hetnets, 8x8 MIMO and techniques I'm writing about in my next book, Gigabit Wireless. AT&T in fact is one of the world leaders in DAS, WiFi and femtos and behind the scenes a key thought leader. There's wonderfully exciting stuff I'll be doing my best to translate for non-engineers.

Takeaway: The future is sharing the airwaves so let's get the policy right.

Written by Dave Burstein, Editor, DSL Prime

Follow CircleID on Twitter

More under: Access Providers, Broadband, Mobile, Policy & Regulation, Telecom, White Space, Wireless

Prof. Dave Farber on Where the Internet is Headed

2012-01-31T12:19:00-08:00

"Internet protocols simply aren't adequate for the changes in hardware and network use that will come up in a decade or so," says Professor Dave Farber who was recently interviewed by Andy Oram.

"Dave predicts that computers will be equipped with optical connections instead of pins for networking, and the volume of data transmitted will overwhelm routers, which at best have mixed optical/electrical switching," writes Oram. "Sensor networks, smart electrical grids, and medical applications with genetic information could all increase network loads to terabits per second. When routers evolve to handle terabit-per-second rates, packet-switching protocols will become obsolete. The speed of light is constant, so we'll have to rethink the fundamentals of digital networking."

Follow CircleID on Twitter

More under: Broadband, Internet Protocol, Web

DMARC: New Email Authentication Protocol

2012-01-31T12:02:00-08:00

A consortium of companies including Google, Microsoft, Facebook and Paypal have announced that they were collaborating and coming up with a new protocol known as DMARC — the Domain-based Message Authentication, Reporting and Conformance.

What is DMARC?

This is very much a summary of DMARC in a nutshell (I will probably write an article about this in the future), but from the website:

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes — such as junk or reject the message. DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

When I first heard about DMARC, I said to myself "Self, why do we need another email authentication protocol?" The answer is that DMARC is not another protocol but instead leverages existing email authentication protocols and provides feedback to the spoofed domain.

SPF already provides a way to say: "If this message fails an SPF check, discard the message." It's called a Hard Fail. However, not all hard fails are illegitimate (there are significant false positives with SPF). DKIM, in itself, doesn't provide a way to discard a message if it fails an authentication check. This makes it less useful in securing the Internet (i.e., it is a barrier to adoption).

Besides which, what happens if an SPF check asses but a DKIM check doesn't? And if one of them fails, who should you tell? DMARC provides a mechanism that says: "If one of these checks fails, discard the message." But furthermore, it also provides a way to tell the responsible party that the message failed a check. For example, if security@paypal.com fails a DMARC check (either through SPF or DKIM), the email receiver can send the message to an email address that says "Hey, this message failed an SPF check. Was it legitimate or not?" If it is a false positive (perhaps a new server brought online), Paypal can add it to its SPF check. If it's a phishing message, Paypal can investigate to have the website taken down.

The strength of DMARC is that it is a stronger way to protect a brand from being abused; receivers can discard spoofed messages and senders can figure out just who, exactly, is sending mail as them.

The weak point of DMARC is, unfortunately, the weak point of SPF and DKIM — spammers and phishers don't need to spoof a domain in order to fool users into taking action. If a spammer sends mail from security@paypal.com.yakzas.com (a fictitious domain), many users just see that first part (paypal.com) without being more aware that there is more to the message.

And if a phisher signs up for a cloud service that issues temporary credentials, they can create the account paypale.onmicrosoft.com and send spam from there to avoid IP reputation blocking (and to the spammer that is abusing our Office 365 service, we know what you're doing, you jackass) while hijacking the reputation of another brand in the From address.

The strength of DMARC is not so much that it combats phishing but that if a good domain is authenticated, mail user agents (like Gmail, Hotmail, Outlook, etc) can highlight that the sender is a trusted sender and highlight it in blue or put a little icon beside it. Since users use visual clues to make heuristic decisions, the lack of a trusted symbol can train people to be suspicious.

Anyhow, it's nice to see that the authentication/validation protocols are consolidating.

Written by Terry Zink, Program Manager

Follow CircleID on Twitter

More under: Email, Spam