CircleID

IPv6: Smart Investments and Smart Grids

2010-09-04T11:53:00-08:00

IPv6 a major catalyst for billions of dollars worth of deals? The Intel announcement of their McAfee purchase for 7.7 billion seems to indicate as much when Dave DeWalt , McAfee CEO is quoted as saying during a conference call; "If we look at the transition from IPv4 to IPv6, we're seeing an explosion of billions of devices and they all need to be secured." Then he continues by saying "The embedded market is a very specific and high-opportunity market for us." His estimate is that the number of connected devices will grow from one billion to 50 billion within 10 years.

In the meantime Baltimore Gas and Electricity (BGE) signed a contract for the provision of IPv6 based smart readers to equip their 1.2 million customers using a 'secure, end-to-end IPv6 platform for BGE to deliver on operational benefits today while also ensuring tomorrow's energy challenges can be met with a scalable and open platform'.

The same day , September 1st, we see Cisco and Itron sign a strategic agreement to 'develop a standards-based, highly secure technology for full IPv6 implementation of field area communications to support smart metering, intelligent distribution automation and interfaces to the customer premise '.

One day later, september 2nd, Cisco announces the purchase of Archrock, a pioneer of IPv6 implementation for sensor network and smart grids , cofounder of IPSO , the alliance promoting IP for small objects, and strong proponent of the IETF 6lowpan recommendation which defines the use of IPv6 for low powered objects.

There is definitely an IPv6 smell in the air these late summer days.

Written by Yves Poppe, Director, Business Development IP Strategy

Follow CircleID on Twitter

More under: IPv6, Mobile

IPv6 Posing New Security Issues

2010-09-03T13:17:00-08:00

"The countdown to the saturation of the IPv4 address supply is now down to a matter of months: and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats. ...its adoption also poses new security issues, everything from distributed denial-of-service (DDoS) attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes."

Read full story: Dark Reading

Follow CircleID on Twitter

More under: DNSSEC, IP Addressing, IPv6, Security

ARF is Now an IETF Standard

2010-09-01T08:57:00-08:00

When a user of a large mail system such as AOL, Yahoo, or Hotmail reports a message as junk or spam, one of the things the system does is to look at the source of the message and see if the source is one that has a feedback loop (FBL) agreement with the mail system. If so, it sends a copy of the message back to the source, so they can take appropriate action, for some version of appropriate. For several years, ARF, Abuse Reporting Format, has been the de-facto standard form that large mail systems use to exchange FBL reports about user mail complaints.

Until now, the only documentation for ARF was a draft spec originally written Yakov Shafranovich (CircleID) in 2005, and occasionally updated originally by him and later by other people including myself. Earlier this year, the IETF chartered a working group called MARF which took that draft, brought the references up to date, stripped out a lot of options that seemed useful five years ago but in practice nobody ever used, and this week it was finally published as RFC 5965.

ARF (or now MARF) is quite simple, a version of the existing Multipart/Report message format that includes information about the report, such as the address of the recipient, descriptive text for a human reader, and a copy of the offending message. Having a standard format for reports, simple though it is, makes them much easier to process. For my tiny system, for example, nearly all of the trickle of reports are about mailing list messages. When a FBL report arrives, an automated script looks at the report and the message, and in the usual case that it's from a mailing list, it creates an unsubscribe request to remove the person from the list. Otherwise, it passes the message along to the human manager so I can decide what, if anything, to do about it. Larger mail systems also use them to collect statistics about their mail-sending customers.

The IETF process works particularly well when it standardizes existing practice, and ARF/MARF is an excellent example of that. The differences between the earlier drafts and the final version make it clearer and more precise, and it's now a proper standard we can cite:

Abuse Reporting Format! Ask for it by name: RFC 5965!

Written by John Levine, Author, Consultant & Speaker

Follow CircleID on Twitter

More under: Email, Spam

Google Voice: Race to the Bottom for Telephony - or Something Else?

2010-08-31T11:26:00-08:00

Just when you thought making phone calls couldn't get any cheaper, along comes last week's news from Google about their latest iteration of Google Voice. There have been several steps along the way for Google to get to this point, and there are a host of reasons why this news is of interest to service providers of all stripes. I often write about how certain technologies and disruptive forces change the business of being a service provider, and this is but the latest example.

Ever since Vonage came to market, residential carriers have been faced with declining revenues for landline service, which itself is quickly losing ground to wireless substitution. Then Skype came along and brought desktop VoIP to a whole new level of adoption. Along with that came a new value proposition for voice. Whereas Vonage was offering a lower cost monthly plan, Skype was offering free or near free voice, driving the price down to levels that no conventional service provider could sustain.

Google has its own take on voice, which is why this story should be of interest to service providers. Vonage is marketed primarily as a replacement service for POTS, making it a direct competitor to telcos. Nothing complicated there—it's really just a price game, but telcos do have more options to bundle telephony with other things—and of course, even more so for cable operators.

Skype is primarily a Web-based IM/chat service, on top of which they do voice very well, and at low cost to subscribers. As popular as Skype is, their proprietary technology keeps them a bit inside their own sphere. They are still a major threat to telcos, but when positioned a bit differently, they can be a very good complement.

The latest news with Google, though, is something entirely different. Their calling service—Google Voice—is mainly an add-on to Gmail, and works a lot like Skype. As such, it's not a pure telephony service like Vonage, and it's not really built off IM/chat like Skype; it's built around email. Of course, Google has all these other tools, but email is ubiquitous, and Google has been successful building a strong user base here. Gmail binds the user more deeply than IM/chat, making it a great platform for both business and personal usage. I'm not alone in noticing these days that when you get a personal email address as a backup for someone you're working with, more often than not it's a Gmail address.

Google already has GTalk, which supports free online calls between Google users—and is comparable to the free calling Skype users have among themselves. Google Voice is much bolder and is their answer to Skype Out/In, and gives Gmail users a PSTN interface to make calls to the rest of the world. In the short term, this may take a bite out of Skype in that Google Voice calls within the U.S. and Canada will be free until year end (but maybe longer). Longer term - along with Skype - Google Voice is more of a threat to telcos as they accelerate the race to the bottom, bringing the value of a voice call pretty much down to where email is.

Why are they doing this?

In my view, it's not to put the telcos out of business. They're offering domestic PSTN calls for free, in the hopes of subsidizing them by charging two cents a minute for international calls. Fair enough, but I don't see that happening, and Google really doesn't need to make money with this service. Of course, free beats paid any day—so long as the quality is comparable—and I see them making the voice pie bigger, much the way Skype has. The key for me is more about how Google Voice interacts with Gmail. By escalating an email message to a free phone call, users will stay longer in the Google environment, and the ability to transcribe voicemail will certainly appeal to some.

However, I think there's more to the story. Am mentioned, Google is coming from a different place than Skype, who depends almost solely on those Skype In/Out minutes for revenues. VoIP service is not expensive to provide, and Google has spent relatively little to get in the game. I would contend that the vast majority of their Google Voice capability comes from three small acquisitions that cost them maybe $150 million. When you think about the annual Capex budget of any incumbent, this really is pocket change. Going back to 2007, they acquired GrandCentral; last year they acquired Gizmo5, and a few months ago, they added Global IP Solutions. Collectively these companies have given them the pieces to offer a very appealing VoIP-to-PSTN service globally, and if they never make a penny from it, so be it.

As mentioned, free beats paid, and there's no better incentive to get people to use your service. Look how long Vonage has been around, and they barely have two million subscribers. Unlike Skype, Google doesn't have to build its user base from scratch, and it won't take long for them to start logging millions of calls. Just consider what happens when school resumes next month, and students will be falling over each other to make free calls home from those super-retro red UK phone booths that will be popping up on college campuses (and solar powered to boot).

As such, Google Voice will be one more reason to cut the cord, and the race to zero just picked up some speed. Thanks to Gizmo5, Google Voice is SIP-based and works nicely on both softphones and hand-held endpoints. Short term, there will be some cannibalization with Android by competing with voice from data plans, but Google will figure out how to make all these pieces fit. This is actually where the GIPS acquisition comes in, with their ability to support both voice and video over mobile devices, which in turn can make Google Voice a great add-on for businesses.

While Google Voice is primarily an outbound telephony service, I think they'll be able to take free calling beyond the desktop, and that's really what service providers need to be thinking about. Free on the desktop is one thing, but when you push out to mobile devices, things get more complicated. If this isn't enough, I think there's a separate agenda at work here, and it's something I've commented about elsewhere for quite some time.

Google is really interested in the voice business, not to make life difficult to telcos, but as a source of raw material—snippets from voicemail and live calls, if you will—that can be harvested for search. I'm not sure about the regulatory issues around this—and apparently Google has been vague here—but certainly for voicemail, free calls will generate a huge cache of "content" that they can apply speech recognition algorithms to and build an archive of audio-based search prompts. Once those audio cues are transcribed into text, they can become hugely valuable for the next frontier—mobile search. This sounds a bit on the dark side ("do no evil" as we're told), but it's a far better way to monetize voice than charging a few cents a minute or a few dollars a month. When viewed from this lens, Google Voice is a very different business than Skype, Vonage, or any telco for that matter. Disruption comes in many forms, and we're seeing a new one with Google Voice. Don't let the race to zero fool you; I think it's just a side-show compared to what Google really has in mind.

This article of mine originally ran today on my Service Provider Views column on TMCnet.

Written by Jon Arnold, Principal, J Arnold & Associates

Follow CircleID on Twitter

More under: Email, Telecom, VoIP, Web

Stopping the Flow of Online Illegal Pharmaceuticals

2010-08-31T08:24:00-08:00

Reading through Brian Kreb's blog last week, he has an interesting post up on the White House's call upon the industry on how to formulate a plan to stem the flow of illegal pharmaceuticals:

The Obama administration is inviting leaders of the top Internet domain name registrars and registries to attend a three-hour meeting at the White House next month about voluntary ways to crack down on Web sites that are selling counterfeit prescription medications.

The invitation, sent via e-mail on Aug 13 by White House Senior Adviser for Intellectual Property Enforcement Andrew J. Klein, urges select recipients to attend a meeting on Sept. 29 with senior White House and cabinet officials, including Victoria Espinel, the Obama administration's intellectual property enforcement coordinator.

"The purpose of this meeting is to discuss illegal activity taking place over the internet generally, and more specifically, voluntary protocols to address the illegal sale of counterfeit non-controlled prescription medications on-line," the invitation states.

Klein did not return calls seeking more information. A spokeswoman for the White House Office of Management and Budget confirmed the event, but declined to offer further details. The meeting appears to be a continuation of the administration's Joint Strategic Plan on Intellectual Property Enforcement, an initiative unveiled in June that promised to "address unlawful activity on the internet, such as illegal downloading and illegal internet pharmacies."

According to the World Health Organization, approximately 8 percent of the bulk drugs imported into the United States are counterfeit, unapproved, or substandard, and 10 percent of global pharmaceutical commerce—or $21 billion—involves counterfeit drugs. LegitScript.com, a verification service for online pharmacies, is currently tracking more than 45,000 rogue Internet pharmacies.

It is unclear to me whether or not the goal of this initiative is to stem the flow of online crime in general or to reduce the flow of illegal pharmaceuticals flowing into the United States (since presumably this cuts into the profits of large pharmaceutical companies… who would naturally want to see their profit margins increased in return for pledging their support for health care reform that was passed earlier this year). Assuming that the target of this are the online pharmaceuticals, there are a few things I can think of. Unfortunately, a three hour meeting really isn't enough to get this off the ground because it is a series of interconnected events that would need to take place. Anyhow, here's a list of things I'd do:

Stopping illegal pharmaceuticals piggy-backs onto stopping illegal <anything> on the 'net. Spammers who advertise illegal software, or fake degrees, or fake enlargement pills, or fake mortgages are all basically doing the same thing. So, any strategy that is aimed at stopping those other things will extend to stopping fake pharmas as well. My point here is that concentrating only on fake pharmaceuticals may exclude strategies that scale to others.
Registrars need to get their act in gear. When a website advertising cheap Viagra goes up, somebody somewhere needs to register that site. Whoever registers is needs to do a better job of verification of the identity who registered it. The problem here is that so many of these sites are registered by registrars in foreign countries which is outside the jurisdiction of the US. However, just like in the Wizard of Oz, there's no place like home and the government can pressure domestic ones to do better proactive abuse mitigation.
WHOIS protected services are questionable. I don't deny the need for WHOIS-protected services in some cases. However, any time I am looking up a suspicious site and the WHOIS registration is protected, that's pretty much all I need to make the determination that the site is abusive. It doesn't cost much to shield your WHOIS information. If you want to do it, that's fine but there should probably be a stricter set of criteria who shielding your information like this requiring you to jump through a couple of more manual hoops.
Crack downs on spammers will go a long ways. One of the chief mechanisms of advertising illegal pharmaceuticals is through the use of spam. We all get it in our inboxes. Of course, there are other avenues of advertisement such as black search engine optimization. However, because it is not particularly difficult to send out a lot of spam and make money off of it, and because there is little chance of repercussion, spammers continue to do it. If law enforcement had more resources dedicated to prosecuting spammers such that it became more de-incentivized, then the supply part of the equation would start to dry up. In other words, putting spammers in prison will help in this regards, and this requires a prioritization of law enforcement resources. Whether or not they are willing to divert resources from one area of law enforcement to another is an open question.
Perhaps walled gardens are a good idea. In Australia, some ISPs kick infected computers off of their network if the ISP can detect that the machine connecting to it is infected with malware. Or, they redirect them to a sandbox and alert the user that they cannot continue until they clean their system. If more ISPs made this a policy, then maybe we'd have less malware abuse flowing back and forth in cyber space. I don't think I'd want government to enforce this, but perhaps ISPs might be willing to voluntarily comply with this.

This is a small list of things that could be done but by no means it is exhaustive. Running up-to-date software is a good idea, and so is running the latest patched version of one's software. What other ideas do you have to cut down on the flow of illegal online pharmaceuticals?

Written by Terry Zink, Program Manager

Follow CircleID on Twitter

More under: Cybercrime, Domain Names, Domain Registries, ICANN, Internet Governance, Spam, Whois

House of Cards

2010-08-27T17:38:01-08:00

Time flies. Although it was over 18 months ago, it seems just like yesterday that a small Czech provider, SuproNet, caused global Internet mayhem by making a perfectly valid (but extremely long) routing announcement. Since Internet routing is trust-based, within seconds every router in the world saw this announcement and tried to pass it on. Unfortunately, due to the size of this single message, quite a few routers choked—resulting in widespread Internet instability. Today, over a year later, we were treated to a somewhat different version of the exact same story.

First, let's review the Czech incident from February 2009. There were many positives to take away.

It was precipitated by an honest mistake.
It was an extremely unlikely event, as many stars had to be in exact alignment.
Most of the Internet's core survived.
The response from operators was fast and efficient, with the damage largely contained within an hour.

The complete technical details can be found here.

Deja vu all over again

Fast forward to today: Friday, 27 August 2010. What do you think would happen if another large and unusual routing announcement was made on the Internet? Do you think all the router vendors have perfected their code in the past 18 months? Do you think the entire planet has upgraded to this new, improved and perfect code base? Do you think it makes sense to use the Internet as your testbed? I doubt you answered "yes" to any of these questions.

We'll begin to describe what happened today with a snippet from a private mailing list. We'll purposely leave out the technical details so that we don't inadvertently contribute to the building of a Cybernuke.

On Friday 27 August, from 08:41 to 09:08 UTC, the RIPE NCC Routing Information Service (RIS) announced a route with an experimental BGP attribute. During this announcement, some Internet Service Providers reported problems with their networking infrastructure.

Immediately after discovering this, we stopped the announcement and started investigating the problem. Our investigation has shown that the problem was likely to have been caused by certain router types incorrectly modifying the experimental attribute and then further announcing the malformed route to their peers. The announcements sent out by the RIS were correct and complied to all standards.

Um, while standards compliance is nice, it is foolhardy to assume that all BGP implementations are perfectly compliant, especially given recent history. Over 3,500 prefixes (announced blocks of IP addresses) became unstable at the exact moment this "experiment" started. Not surprisingly, they were located all over the world: 832 in the US, 336 in Russia, 277 in Argentina, 256 in Romania and so forth. We saw over 60 countries impacted by a "correct" announcement that "complied with all standards". The following graph shows the timeline of the event, followed by a map of the impacted countries by prefix count. Notice that it takes a bit for the Internet to stabilize after RIPE claims to have withdrawn the announcement at 09:08 UTC.

Conclusions

On the positive side, the incident was very brief, the damage was limited to under 2% of the Internet and the responsible parties quickly fessed up, aborting their "experiment". On the negative side, the Internet remains a very fragile place, even if that fragility is highly localized and different in different places. Standards aren't followed, code isn't tested and people make mistakes. That's life with any complex system and, while we can certainly do a better job, we will continue to see these types of events no matter what safeguards we might take. What puzzles me is how anyone thought it might be a good idea to test fate in this way. The end result was completely predictable.

Written by Earl Zmijewski, VP and General Manager, Internet Data Services

Follow CircleID on Twitter

More under: Internet Protocol, Security

White House Calls for a Meeting with Domain Registrars, Registries, and ICANN

2010-08-27T11:21:00-08:00

Brian Krebs reporting in Krebs on Secruity: "The Obama administration is inviting leaders of the top Internet domain name registrars and registries to attend a three-hour meeting at the White House next month about voluntary ways to crack down on Web sites that are selling counterfeit prescription medications..."

Follow CircleID on Twitter

More under: Cybercrime, Domain Names, Domain Registries, ICANN, Internet Governance

ICANN's Tokyo Meeting Provides a Little More Clarity on the New gTLD Program

2010-08-27T07:44:00-08:00

New gTLDs continue to be a major topic of discussion within ICANN circles, and the regional meeting currently underway in Tokyo has revealed some interesting updates for potential applicants.

ICANN's Chief gTLD Registry Liaison, Craig Schwartz, delivered a great presentation on the progress being made behind closed doors at ICANN and provided the attendees with an insight into a couple of key changes that are likely to be seen in the Final Applicant Guidebook. As many of our readers would be aware, we have been waiting in anticipation for the new gTLD Final Applicant Guidebook to be approved at a previously unconfirmed meeting of the ICANN Board. The date for this meeting was today announced as September 10th.

Like many others in the industry, we'll be actively watching for the outcomes of this Board retreat where the focus will be on the new gTLD program's remaining unresolved issues. In particular, the Board's willingness to address the complicated Vertical Integration topic (given the inability of the VI Working Group to reach consensus) will be of interest to the many applicants likely to be affected by the outcome.

On another interesting note, one very important topic that has been flying under the radar is Registry Transition, namely the current requirement for new gTLD applicants to provide both a backup Registry Services organisation and a financial instrument sufficient to guarantee a minimum of three years of Registry operations in the event of the TLD owner being unable to operate it.

Obtaining a backup Registry Services provider is not particularly difficult. However, for many potential applicants (in particular smaller community-based applicants) the requirement to obtain a letter of credit from a financial organisation is an enormous burden and a significant additional cost.

Acknowledging this today and noting that the protection of the Registrant is paramount to this process, Schwartz said that ICANN had invested significant time and will further expand the recent concept of Emergency Backend Registry Operator (and yet another acronym, EBERO) whereby qualified applicants (i.e. Existing Registry Operators) could tender to ICANN to provide 'temporary' Registry Services in the event of critical failure of the Registry Operator to operate the gTLD.

This is a great initiative and should be welcomed by the community for two key reasons:

a) It has the potential to remove the requirement to name a pre-organised backup Registry Service.

b) It has the potential to reduce the level of financial guarantee to ICANN from applicants.

Other interesting points worthy of note from yesterday's session:

Communications Plan – This is being worked on by ICANN currently but won't be rolled out until the Final Applicant Guidebook is approved, almost guaranteeing that the earliest date for applications will be March or April 2011
DAGv4 Summary of Analysis – This won't be released to the public until after the Board's retreat, which is a surprise given that the public comment finished quite some time ago
IDN ccTLD Fast Track – ICANN have 33 applicants, representing 22 languages, currently under review as this program continues to drive the expansion of the internet across the globe

All in all, these small yet important pieces of information represent yet another positive step forward in the new gTLD process. I for one can't wait to see what the next few months will bring.

Click here if you want to see the presentations from the Tokyo meeting as provided by ICANN.

Written by Tony Kirsch, Senior Manager - International Business Development, AusRegistry International

Follow CircleID on Twitter

More under: Domain Names, Domain Registries, ICANN, Multilinguism, Top-Level Domains

IPv6 Deployed But in Unexpected Places

2010-08-26T14:21:00-08:00

Eric Vyncke reporting in the NetworkWorld: "IPv6 exists for more than 15 years and it is rumored to be deployed extensively in Asia and especially in Japan and China with Africa being the last continent to deploy IPv6. Another place where there should be a lot of deployments is of course in the USA with the US Government IPv6 mandates. But, when it comes to measure where web sites are actually deployed over IPv6, the rumor proves to be just a myth..."

Follow CircleID on Twitter

More under: IPv6

Ensuring Maximum Resilience to the DNS?

2010-08-26T10:34:00-08:00

Yesterday CommunityDNS noticed a sudden, heavy spike in traffic through its Anycast node in Hong Kong. While comfortably processing queries at 863,000 queries per second for close to 2 hours the occurrence was undeniable. While we can't say the increase in traffic was specifically due to DDoS, its sudden increase is suspicious and reminds us that DDoS is still a popular tool used by the malicious community.

DoS and DDoS attacks are happening throughout each day. Just as UltraDNS was twice regionally impacted in 2009 by DDoS traffic, Register.com with close to a 3 day outage in 2009, and DNS Made Easy, the recent target creating close to a 1.5 hour outage for its users earlier this month, we (enterprise, ISPs, hosting firms, registrars and DNS providers) are not all immune to such malicious antics. While all queries appeared legitimate in yesterday's spike, there is no reason to believe CommunityDNS was the intended target for the sudden increase in traffic. However, it still raises the issue of the impact such malicious activity can have on the general user base as well as online economy.

Last year and earlier this year CommunityDNS worked on a study developed for the EU Commission's office of Directorate-General for Justice, Freedom and Security, regarding the resilience of the DNS for the EU and its member states. The study pointed out the affects such malicious activity has on the confidence of legitimate Internet users. Such affects erode confidence, thus the EU's online economy not able to reach its full potential. The same concept would apply to any online economy. The study also noted how "suspicious" traffic appeared more elevated in some European cities over others. A recent Forrester survey indicated organizations experienced more than 350,000 DDoS attacks in 2009. Another study, from Arbor Networks, yielded a statistic of approximately 3% of the Internet's traffic is tied to DDoS, or roughly 1,300 attacks each day.

So as the Internet marches on with the needed ramp up of DNSSEC, the rollout of IDNs and eventually the addition of new gTLDs, the malicious community continues their global activity. Such activity should make us all question, "Are we doing the best we can to ensure maximum resilience for Internet users and online economies?" The best way to ensure maximum resilience for users, businesses and the general online economy is through platform diversity. Where one has an open source-based DNS platform, a non-open source-based platform should be used. A mix of hardware platforms, upon which the open source and non-open source DNS software operates, is also necessary as the hacker community has more tricks up their sleeve than DDoS attacks. Adding hardware and software diversity into an infrastructure with strong security, ample capacity and scalability is the strongest method for ensuring maximum resilience to the DNS.

Written by Chuck Kisselburg, Director, Strategic Partnerships

Follow CircleID on Twitter

More under: Cybercrime, DNS, DNSSEC, Security

The Window of Opportunity for ccTLDs

2010-08-25T19:27:00-08:00

The announcement that .co has already achieved over 450,000 new registrations since the opening up of the second level a month ago demonstrates that there is strong demand in the global domain name marketplace for quality new domain spaces.

Though .co is the country code Top Level Domain (ccTLD) for Colombia, the second-level registrations (i.e. company.co) are available on a global basis and it is being pitched as a direct competitor to the dominant .com gTLD. Google has altered its algorithm to increase the relevance of search results in the .co domain by treating .co as a gTLD and allowing .co website owners to specify the geographic regions they are targeting. Though .CO Internet has the freedom enjoyed by all ccTLDs of not having to operate under ICANN's policy framework, they have elected to adopt policies that very closely match that framework, including the Uniform Domain Name Dispute Resolution Policy (UDRP).

The launch of second-level registrations under .co therefore represents, to all intents and purposes, a new gTLD launch, and appears to be a popular alternative to .com for both large corporations and small businesses, at least at this early stage. Overstock's purchase of o.co for US$350,000 shows a high degree of confidence in the new .co brand, and Twitter has also joined their list of high-profile anchor tenants, launching t.co as a secure URL shortening service. Anecdotal evidence also suggests that small businesses are taking the opportunity to secure names within this new space that they had been unable to register in .com or other spaces.

The .co launch is just the latest in a long line of examples of the opportunistic repositioning of ccTLDs to compete in the global market against the 'official' gTLDs. Colombia, like Montenegro (.me) and Tuvalu (.tv) and a number of others are simply leveraging their luck in the two-character assignment lottery by opening up their ccTLD to the world. Both Colombia and Montenegro have however tried to maintain the best of both worlds by reserving third-level registrations (such as .com.co and .com.me) for local entities, thereby providing trusted and dedicated domain spaces for the domestic market, while reaping the benefits of having a desirable ccTLD extension by opening up the second level to the world.

Despite the fact that they are globally-focused and effectively gTLDs, the success of .co and .me highlights the market opportunity that currently exists for other ccTLDs that are yet to establish a clear market position.

Of course, the vast majority of countries do not have the opportunity to reposition themselves as gTLDs to chase the global market, and in most cases there will be a clear preference to focus on the needs of the local market.

A report [PDF] released by Eurid (the .eu Registry) in June highlights the power that well-established and effectively managed ccTLDs can exert in their local markets. In Sweden, for example, the local .se ccTLD scored nearly 100% in terms of awareness and 49% for preference, compared with only 34% for .com. Similar rankings are likely to be enjoyed by other well-established ccTLDs, and we've seen similar numbers in relation to the position of .au in Australia.

Many ccTLDs however face a raft of challenges that are preventing them from achieving anything like this sort of local market position. These challenges can include the absence of local control, legacy systems, inefficient registration processes and restrictive policies, as well as a general lack of local capacity.

When ICANN's new gTLD program finally comes to fruition (likely towards the latter part of 2011), there will be a dramatic increase in choice for prospective domain name registrants across all regions and language groups. Those ccTLDs that are yet to position themselves as the pre-eminent domain space and default choice in their local markets therefore have a finite window of opportunity in which to do so, to ensure that they are not consigned to relative obscurity in the face of dozens of new Top Level Domains.

Written by Jon Lawrence, Business Development Consultant, AusRegistry International

Follow CircleID on Twitter

More under: DNS, Domain Names, Domain Registries, Top-Level Domains

Omnibus Cybersecurity Bill May Not Go Where Original Authors Intended

2010-08-25T19:17:00-08:00

In an interview with GovInfoSecurity, Sen. Thomas Carper said that the U.S. Senate is considering attaching cybersecurity legislation to a defense authorizations bill. Though clearly a ploy to be able to say "we did something about those evil hackers" before the elections, CAUCE applauds the attempt. There can be no doubt that the United States (and many other countries) sorely needs better laws to deal with these threats.

Further, Senate Majority Leader Harry Reid has asked that the cybersecurity bills currently in front of various committees be combined into one single, omnibus bill, which would presumably then be attached to the defense authorizations bill. Here's where we start to get worried.

Each of the bills we've seen (and we surely haven't seen them all yet) have some good points, and some...let's just call them unintended consequences. In every case it's obvious that the authors' intentions were good, but they needed some expert advice from people who understand the technical and legal realities of the internet today.

One such expert, a long-time CAUCE supporter who asked to remain anonymous, shares his review of one of those bills: S. 3742, the "Data Security and Breach Notification Act of 2010." You can read the original and check its current status here.

Please note that this is not legal advice. Our expert is not a lawyer, I'm not a lawyer, and CAUCE did not consult with any lawyers before publishing this article.

Our expert says it's going to be difficult to construct a single good omnibus cybersecurity bill. The bigger and more complicated it gets, the less likely it is that anyone will actually read the bill before voting on it—particularly when they're in a hurry to go home and win an election.

He highlights a few specific items which could be troublesome for just about anyone running a mail server, a web site, or other online services which collect or transit any information:

Page 2, Section 2 (a)(2)(A): More or less everyone's going to need to have personally identifiable information (PII) security policies
Page 3, Section 2 (a)(2)(B): ... and an information security officer
Page 3, Section 2 (a)(2)(C): ... and a process for monitoring for PII breaches
Page 3, Section 2 (a)(2)(D): ... and a process for mitigating PII vulnerabilities
Page 3, Section 2 (a)(2)(E): ... and a process for securely deleting electronic records containing PII
Page 4, Section 2 (a)(2)(F): ... and a process for securely destroying paper and other non-electronic records containing PII
Page 4, Section 2 (b): If you're an "information broker" (which would include nearly anyone who collects information and shares it with anyone else), you have additional obligations, including needing to submit policies to the FTC, needing to provide consumer access to information, tracking access to information maintained by the broker, etc.
Page 13, Section 3 (a)(1): Requires notification solely to US citizens and residents in the event of a breach. Of course, that presumes you know the nationality/immigration status of those whose PII data you hold (hmm, I don't think *anyone* I know does, except for HR departments with regard to their own employees). If I were a covered entity, I'd be strongly inclined to begin soliciting that information from everyone I get PII data from, although of course that may trigger a whole different set of issues, particularly in areas where immigration related issues are a hot button topic.
Page 14, Section 3 (b)(2): Notification by a service provider triggers reporting requirements. This is going to make LOTS of friends for service providers, given the affirmative notification and credit protection obligations that customers accrue after being notified.
Page 19, Section 3 (d)(2)(A): Alternative notification is available for incidents involving LESS than 1,000 individuals. This is goofy.
Normally alternative notification is allowed as an option when the number of covered individuals is very LARGE not very small. For example, some state laws permit alternative notification in cases where costs of providing notice would exceed a quarter million dollars, the affected class of consumers to be notified exceeds 350,000, or the notifying party doesn't have sufficient contact information to provide notice.
There's language on page 22 of the draft bill that may allow regulatory additions to expand when substitute notification is permissible, but the basics for when substitute notification should be permissible should be part of the core statute, not an after-the-fact, maybe-yes, maybe-no regulatory add on by the agency.
Page 25, Section 3 (d)(2)(B): imposes compliance burdens on entities for a year before technical compliance guidance is available. Enforcement of the act should be held until the guidance envisioned by 3(d)(2)(B) is available, and realistically it will take probably an additional period after that for sites to deploy the recommended technology (new projects don't happen over night).
Page 26, Section 3 (h): Potentially requires notification in polyglot languages. This can be a huge administrative PITA—consider the "simple" case of the EU, where there are "only" 23 official languages (Bulgarian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portugese, Romanian, Slovak, Slovene, Spanish and Swedish, plus (semi-official) Catalan, Galician, and Basque).
This section could be potentially exceptionally burdensome if the FCC suddenly mandates that sites provide notification in multiple foreign languages (I could see an argument for requiring Spanish as well as English, but there are some communities in the United States where other languages are also very common).
Page 28, Section 4 (b)(1): It seems unnecessarially combative to define all data security incidents as "unfair or deceptive acts or practices." Data security incidents are not typically something which a covered entity intentionally does, neither are such breaches typically "unfair" or "deceptive" in the same way that some TV or Internet huckster's "miracle" product or pyramid sales scheme might be.

The most persuasive argument in the other direction is probably that currently most states already have their own PII breach notification laws, and it can be a pain to try to stay in compliance with 46 different PII information security and breach notification statutes. So again, the intention is clearly good, but in practice...it needs some careful review.

So there are the results from one bill, examined by one expert. He's one of the best minds in the cybersecurity community, yet he may still have missed something. With legislation as important as this, smushing it all together and rushing to attach it to something unrelated is simply a bad idea. This is a topic which requires careful thought, from multiple people who really do know what they're doing—and who can explain it to the Congressional staffers who will write the resulting bill, and then to the Senators and Representatives who will collectively make the decision.

Once that education has occurred, it should quickly become evident that while some of these bills do overlap, others do not. Some will disagree. Some simply contain bad ideas. All of this has to be worked out. Then, finally, it might make sense to combine them—not now, and not just because they all have the prefix "cyber" in the title somewhere.

This article was originally published by CAUCE.

Written by J.D. Falk, Director of Product Strategy at Return Path

Follow CircleID on Twitter

More under: Cybercrime, Law, Policy & Regulation, Security

Network Neutrality in the Wireless Space

2010-08-25T14:49:00-08:00

There's been a tremendous amount written about the Google-Verizon joint proposal for network neutrality regulation. Our commentary at the EFF offers some legal analysis of the good and bad in this proposal. A lot of commentary has put a big focus on the exemption for wireless networks, since many feel wireless is the real "where it's gonna be," if not the "where it's at" for the internet.

Previously I wrote about support for the principles of a neutral network, but fear of FCC regulation and decided that the real issue here is monopoly regulation, not network regulation. My feelings remain the same. In wireless we don't have the broadband duopoly, but it is a space with huge barriers to entry, the biggest one being the need to purchase a monopoly on spectrum from the government. I don't believe anybody should get a monopoly on spectrum (either at auction or as a gift) and each spectrum auction is another monopoly bound to hurt the free network.

Most defenders of the exemption for wireless think it's obvious. Bandwidth in wireless is much more limited, so you need to manage it a lot more. Today, that's arguably true. I have certainly been on wireless networks that were saturated, and I would like on those networks to have the big heavy users discouraged so that I can get better service.

With Martin Cooper (Left), former Motorola vice president and division manager who in the 1970s led the team that developed the handheld mobile phone (as distinct from the car phone).
Source: WikipediaAs I said, on those networks. Those networks were designed, inherently, with older more expensive technology. But we know that each year technology gets cheaper, and wireless technology is getting cheaper really fast, with spectrum monopolies being the main barrier to innovation. We would be fools to design and regulate our networks based on the assumptions of the year 2000 or even on the rules of 2010. We need to plan a regime for what we expect in 2015, and one which adapts and changes as wireless technology improves and gets cheaper. Planning for linear improvement is sure to be an error, even if nobody can tell you exactly what will be for sale in 2015. I just know it won't be only marginally better or cheaper than what we have now.

The reality is, there is tons of wireless bandwidth—in fact, it's effectively limitless. Last week I got to have dinner with Marty Cooper, who built the first mobile phone, and he has noticed that the total bandwidth we put into the ether has been on an exponential doubling curve for some time, with no signs of stopping. We were in violent agreement that the FCC's policies are way out of date and really should not exist. (You'll notice that he's holding a Droid X while I have the replica Dyna-Tac. He found it refreshing to not be the one holding the Dyna-Tac.)

Bandwidth is limitless both because we keep improving it, and because we can build picocells anywhere there is demand. The picocells use very high frequencies and won't go through walls. You may think that's a bug, but actually it's a feature, because you can have two picocells in different rooms that don't interfere much with each other, and get gigabits in each individual room. While wireless use is growing quickly, much of that is coming inside buildings.

In the past, having so many cells would be too expensive. But today the electronics for the cells cost a pittance compared to what old thinking predicted. And that's going to continue. This is just one way we know to get more bandwidth for everybody.

The original question was whether it was good for somebody to be soaking up the wireless bandwidth in your area downloading a movie, and whether networks needed to throttle such users. We scream out that they should, but our thinking is short-term. It is the congestion caused by these heavy users, after all, that drives the innovation and network expansion. If we can "solve" our problem with network management rather than putting in more bandwidth, then we don't create as much incentive to make the bandwidth technology cheap. If the only way we can solve the problem is to boost the network capacity to match the wired one, that's how we will solve it.

Some have argued, in fact, that it's cheaper to solve these problems with more bandwidth than it is to solve them with network management. Network management turns out to be pretty hard, and requires lots of work by human beings, and thus it's quite expensive. And it's not getting cheaper, for it is not a problem that Moore's law (or Cooper's law) helps you as much with. Boosting the network is such a problem. And if you solve congestion this way, and drive the creation of better and cheaper products, not only do you get reduced congestion but you also get a nice fast network when it's not congested. It's a huge win for the network and for the world, since everybody gets to buy the new technology, while not everybody needs the network management.

It's been popular to tell Google they are being evil by getting together with Verizon on this deal. I suspect it's more a case of not thinking about the future. Once the FCC encodes rules into law, we'll have them for decades, and even if we're lucky enough to get the right rules today, they won't be the right rules for the future. Alas, they will probably be the rules the lobbyists want.

If the FCC or FTC want to make rules, they should be monopoly busting rules. Let's have better roaming, for example, so our devices can readily and rapidly make use of the small cells. Most new phones have 802.11, so what about a system where any operator of a short-range access point can easily make it a picocell and sell service to the wireless company (now a wireless aggregator) at negotiated or auctioned rates. Most wifi hotspots would be happy to do this at very low rates (they often do it free right now) that can easily be bundled with any plan. A hotspot that wants to charge extra might only get premium customers.

A good roaming system helps enable the ethic I think is right for spectrum sharing—"don't be selfish." Under this regime you are required to use only as much power and spectrum as you need, and if you're inside a building and there is a nice 100 megabit in-room 5ghz wireless, you should not be broadcasting to everybody for a mile around at 850mhz. Doing so is wasteful and doesn't make sense. If the FCC needs to do anything, it should slightly tweak things to encourage such good behaviour.

Written by Brad Templeton, Electronic Frontier Foundation (EFF) Boardmember, Entrepreneur and Technologist

Follow CircleID on Twitter

More under: Broadband, Mobile, Net Neutrality, Policy & Regulation, Telecom, Wireless

Verizon: Advent of 4G LTE, WiMAX-Based Devices Will Only Increase the Need for IPv6

2010-08-25T10:30:00-08:00

Verizon Business has a message to companies still reluctant to migrate their networks to IPv6: You're better off doing it now than later. William Schmidlapp, Verizon Business's product manager for Internet dedicated access services, says that the advent of 4G LTE and WiMAX-based devices will only increase the need to switch over to IPv6, since each of those devices will require its own IP address…

Read full story: Network World

Follow CircleID on Twitter

More under: Broadband, IP Addressing, IPv6, Mobile, Wireless

Russian Cybercrime is Organized / Russian Cybercrime is Not Organized

2010-08-25T10:23:00-08:00

I like to read other people's stories when it comes to spam, and I like Box of Meat. It's always alerting me to interesting stories around the web that deals with cyber security. But the more I read, the more I see conflicting views on the state of the criminal cybercrime world. On the one hand, the Russian criminal cybercrime underworld is a scary, organized place where people are actively trying to do the rest of us harm. On the other hand, there is the position that that position is an exaggeration of what it is actually like and that it's a bunch of ragtag folks who have some advanced computer skills but they are not formally organized. They trade amongst each other for the highest prices and exchange goods and services like the open market but they are not colluding with each other. I see this very similarly to how I see cyber warfare—on the one hand there are the hawks who believe national cyber threats are behind every corner, and on the other hand there are the doves (for lack of a better word) who claim there is no national cyber threat, it's all about crime that has moved online.

Consider excerpts from this article from the New York Times:

MOSCOW—On the Internet, he was known as BadB, a disembodied criminal flitting from one server to another selling stolen credit card numbers despite being pursued by the United States Secret Service. And in real life, he was nearly as untouchable—because he lived in Russia. BadB's real name is Vladislav A. Horohorin, according to a statement released last week by the United States Justice Department, and he was a resident of Moscow before his arrest by the police in France during a trip to that country earlier this month.

...

The seizing of BadB provides a lens onto the shadowy world of Russian hackers, the often well-educated and sometimes darkly ingenious programmers who pose a recognized security threat to online commerce—besides being global spam nuisances—who often seem to operate with relative impunity.

Law enforcement groups in Russia have been reluctant to pursue these talented authors of Internet fraud, for reasons, security experts say, of incompetence, corruption or national pride. In this environment, BadB's network arose as "one of the most sophisticated organizations of online financial criminals in the world," according to a statement issued by Michael P. Merritt, the assistant director of investigations for the Secret Service, which pursues counterfeiting and some electronic financial fraud.

...

According to the Secret Service statement, Mr. Horohorin managed Web sites for hackers who were able to steal large numbers of credit card numbers that were sold online anonymously around the globe. Those buyers would do the more dangerous work of running up fraudulent bills. The numbers were exchanged on Web sites called CarderPlanet carder.su and badb.biz—according to the Secret Service, and payment was made indirectly through accounts at a Russian online settlement system known as Webmoney, an analogue to PayPal.
...
Computer security researchers have raised a more sinister prospect: that criminal spamming gangs have been co-opted by the intelligence agencies in Russia, which provide cover for their activities in exchange for the criminals' expertise or for allowing their networks of virus-infected computers to be used for political purposes—to crash dissident Web sites, perhaps.

Reading this article, you would come away with the impression that these guys are very good at what they do—they have extensive computer hacking and social engineering skills, are well educated not to mention being good at money laundering (or being affiliated with people who are good at it). We see terms such as 'sophisticated' being used to describe these people. They are a definitive threat and the odds of actually arresting them are small; when they are arrested, it is seen as the exception and not the norm. In any case, they are not a ragtag bunch of people but instead are well organized and intentional about their behavior.

Worse yet, there are possible collusions between themselves and national intelligence agencies. This makes the general public even more concerned because the not-so-subtle implication is that not only do these people have extensive hacking skills, they could potentially use this to cripple national infrastructure if a hostile government, directed by an intelligence agency, instructed them to do so. The general public isn't entirely clear on what spy agencies do anyway, but in our cultures we are ingrained with the belief that they do some nasty stuff. Just imagine what they could do with a small army of hackers.

However, contrast that article with excerpts from this one in eWeek:

When people think of cyber-crime, the typical image being pushed today is that of highly organized criminal operations. New research, however, suggests the underbelly of cyber-space may be less mafia-like than some think. In an effort to improve the level of understanding of today's black hats, security researchers Fyodor Yarochkin and "The Grugq" have spent several months looking at Russian hacker forums.

"It is an ongoing project that we started about 18 months ago," Grugq told eWEEK. "Originally it started when Fyodor investigated some service offerings from Russian hacker forums for a specific project that I was working on. It turned out to be extremely interesting and amusing, so we discussed doing more long-term monitoring on the forums. It grew from there into what is now a continuous monitoring program."

Their research was presented last month at the Hack in the Box 2010 conference in Amsterdam. What the two found was that the image of a highly organized cyber-underworld run by hardcore criminals is not the order of the day. Instead, the dozen or so hacker forums they analyzed illustrated that many of the users are "geeks, not gangsters," the researchers said.

"Basically, from what we've seen on the forums much of what goes on with the sales of services is much more petty criminal activity, or crimes of opportunity," Grugq said. "Often poor students who like to hack for fun will sell access to a server they've owned. Many don't even realize that this is an illegal activity. This sale will be for $20 or $30, which is a lot of money for a poor student in Russia, but for a hardened criminal mastermind bent on destroying Western civilization—not so much."

...

"In terms of percentage, there'd be two to three guys working on stuff professionally, versus 10 to 20 hobbyists," he continued. "Most of the activity is essentially petty criminal activity where guys are trying to make a little extra cash on the side. You can think of it as a self-organizing hierarchical system with needs and people able to provide goods and services to satisfy the needs."

...

"From what we can guess," Grugq said, "any [mob] involvement is more along the lines of some people at the very top of the stack have to pay off the real gangsters. ... So, for example, if you are organizing a massive credit card cash-out scam which nets millions of dollars, you'll have to pay protection money to the mob to not get robbed. It doesn't look like the mob itself is organizing these cash-outs though.

"We're not disputing that organized crime is involved with cyber-crime, but the popular conception of leather jacketed thugs running around with firearms and laptops is not in line with what we have observed from the actual communities," he said. "It seems like it is very useful for some companies to popularize the scary idea of Russian cyber-gangsters, but honestly the involvement seems to be much more hands off."

This is quite a bit different than the perspective offered by the first article. Here, we still have perpetrators that are advanced hackers with strong computer skills. However, they are not organized amongst each other and view their craft like a bunch of frat boys. They boast amongst themselves. They argue amongst themselves. They don't even seem to realize that what they are doing is illegal. What makes the problem so widespread is that the cost of technology has dropped so much and Internet access has become so ubiquitous that they can do a lot of damage with limited human resources.

A few weeks ago I wrote about how many hackers who get arrested are arrested because of their own hubris. They do not have their egos in check and therefore end up leading a cyber paper trail straight to their lairs. Their lack of life experience leads to carelessness, and when that occurs they get caught. It is more of a bunch of individual actors doing stuff, trading stuff, trying to make some money. This is hardly the portrait painted by the New York Times.

So which portrait is correct?

Well, to be sure, there are many hackers out there that are hobbyists, and they are the ones that get caught. But it certainly seems like there are plenty of organized criminal groups out there (such as Avalanche). A conspiracy is often a "nice" way to explain all that's wrong in the world, but most conspiracies rarely hold up to close examination (never attribute to malfeasance what you can simply attribute to incompetence).

My theory is that this is a variant of the Pareto principle. The Pareto principle, also called the 80/20 rule, states that 80% of the effects are from 20% of the causes. In a business, 80% of the revenue comes from 20% of the sales. 80% of the systems crashes are caused by 20% of the bugs. 80% of the movement on the stock market comes on 20% of the days (not sure if this one is true… it sure feels like it).

In the same way, 80% of the cybercrime is caused by 20% of the cyber criminals. The other 80% of the cyber criminals do some damage and are not so difficult to back trace. They are nuisances and commit online fraud but will always remain small potatoes. By contrast the good ones, the 20%, are very good at what they do. They are smaller and better and cause more damage, and get paid more. The reason they get paid more is because they are more skilled and have the full repertoire—good computer skills and good people management skills, that is, the ability to stay anonymous.

People who are good at their craft usually make more money, and in order to stay alive in the criminal underworld (that is, without getting arrested), you need to be good. Not everyone is good at what they do (like the players on my favorite football team which explains their current 2-6 record). The ones who aren't that good browse forums and chat openly about stuff. They don't make too much money. The ones who are good are busy honing their craft, coming up with new ways to separate people from their money and they don't browse forums. They are spending their time getting better at what they do, not raising their profile.

That's why the second article paints a picture of a disorganized structure of hackers. The hackers that they can examined fall into the 80% that just aren't the kingpins of the industry. That's why the first article paints a picture of doom and gloom, they are studying the elite group of hackers that are difficult to catch and more difficult still to profile.

That's my theory.

Written by Terry Zink, Program Manager

Follow CircleID on Twitter

More under: Cyberattack, Cybercrime, Security

IT Risks for Cloud Computing

2010-08-25T07:53:00-08:00

As the industry-wide paradigm shift to cloud computing and software-as-a-service gradually continues to make the transition from buzz to reality, security and availability continue to emerge as the main barriers to customer adoption. A recent ISACA survey of over 1,800 US IT professionals found that only 17 percent believe the benefits of cloud computing outweigh the risks. Only one in 10 respondents said they would consider using software-as-a-service (SaaS) for mission-critical applications.

While some of this hesitance can probably be attributed to an overabundance of caution and the general human tendency to be wary of change, some security concerns are well-founded.

Companies entrusting their sensitive data to a SaaS provider need to be reassured that the data cannot be accessed by unauthorized third parties, such as employees and other customers of the provider, whether at rest or in transit. Data leakage has always been a potential issue at the low end of the hosting market—budget customers on shared servers—but the co-tenancy sometimes involved in cloud computing carries the perceived risk of bringing the problem to enterprises. SaaS providers need to be open and transparent with their customers about their security precautions, such as their encryption and access control regimes, as well as their layers of physical security.

There are other concerns, such as distributed denial-of-service attacks. As DNS service providers and others can attest to, when you have many thousands, or millions, of customer accounts running on the same infrastructure, you increase the risk of that infrastructure becoming the target of an attack. It's the old all-your-eggs-in-one-basket problem. To a DDoS-attacker focused on extortion, political retribution or simple vandalism, a broad customer base looks more like a convenient, aggregated attack surface. They can channel their resources on a narrower choke point, getting their message across by attempting to cause maximum collateral damage.

Of course, the opposite case can also be made: securing systems can be an expensive proposition, and companies can actually benefit from the substantial economies of scale that SaaS providers offer in terms of cost and security. Benefits include the availability improvements brought about by consolidated patch management, the economics enabling a much more diverse technology base that is less vulnerable to exploits, and the ability to quickly respond to DDoS attacks by reallocating resources.

It's important that both SaaS providers and their customers do not overlook reliable DNS provision as a key component of their overall security strategy. Companies can often blow their budgets on a super-redundant hosting infrastructure and forget about DNS—the only way their customers can actually reach it. Far too many times DNS is allowed to become the weak link in the chain, making it an ideal target for would-be attackers. All DNS services must come with a Service Level Agreement (SLA). Accepting anything less than 100% up-time for that SLA means you are accepting downtime for your business.

SaaS customers, however, often forget about DNS. Signing up for Google Apps, for example, is fairly straightforward and free, so it's easy to be quickly lured into a false sense of security, believing that your critical applications now reside on one of the world's largest and most robust data centers. This is of course not completely true. While cloud services such as Google Apps have brought many efficiencies to enterprises, they usually do not natively support DNS resolution. If you've forgotten to effectively provision your DNS, and it goes down, so does your Google Apps.

For a SaaS provider, surveys showing customer reluctance to adopt your services should of course be of some concern. But this hesitance also provides cloud computing companies with excellent opportunities to differentiate their services. When customers make buying decisions with security and availability as their primary concern, there's a clear incentive for SaaS companies to compete on security—a rising tide that carries all boats with it.

Written by John Kane, Vice President of Corporate Services, Afilias

Follow CircleID on Twitter

More under: Cloud Computing, Data Center, DNS, Security

Anatomy of a Domain Name Land Rush

2010-08-25T07:33:00-08:00

The launch of a new or repurposed Top-Level Domain (TLD) is always surrounded with speculative activity. Some domainers will register domains in the new TLD with hopes of getting rich quick. Others will do so because the same domain in .com is worth a lot of money. And then there are the developers who see the prospect of building a carefully branded website in the new TLD. And with all those proposed new generic Top-Level Domains (gTLDs), this cycle will be repeated. But what does a Domain Name Land Rush look like? It looks like this: HosterStats.com: Domain Landrush Graph .asia

The .asia sponsored Top-Level Domain (sTLD) is a very good example of how a new TLD evolves over the first few years of its operation. The Land Rush phase lasted from April 2008 to September 2008. During this time the numbers of new registrations massively outnumbered the numbers of deletions. For any new TLD, many of the domain name registrations during this period are speculative but there is also an element of brand protection as existing businesses register their brand in the new TLD. Brand protection registrations are a significant part of the registrations in new TLDs.

The end of the Land Rush phase in .asia occurred in September 2008. The volume of new registrations began to decline and the monthly registration figures started to move towards what would become the "normal" level of new registrations for .asia sTLD.

The first anniversary of the Land Rush phase is always a tough time for a new TLD. This is when many of the speculative registrations that could not be sold or monetised are dropped. This anniversary is sometimes referred to as the "Junk Dump". The deletions peaked in June 2009. However the interesting thing is that the numbers of new registrations remained relatively stable. The second Land Rush anniversary is when more of the domains that made it through the first anniversary are dropped. Some of these are reregistered domains that had been dropped in the first anniversary. The deletions in the second anniversary peaked in June 2010.

The new gTLDs will all go through a similar evolution. The Land Rush graphs may differ slightly but they will all have to deal with the first and second anniversaries and the deletions. But as with the gold rushes and the land rushes of old, those who made the real money sold the tools and supplies to the prospectors.

Written by John McCormac, CIO of www.hosterstats.com

Follow CircleID on Twitter

More under: Domain Names, Domain Registries, Top-Level Domains

The Web is Dead: What This Means to ICANN, New gTLD Program and the Domain Industry

2010-08-24T14:48:00-08:00

While we are spending years figuring out how to create the perfect generic Top-Level Domain (gTLD) launch and guidebook, the Internet is moving along at an extraordinary pace without any care about ICANN policy-making. The fact of the matter is ICANN is a ghost to the ordinary person or Internet company. You can not imagine how many times I had to explain what ICANN is, what ICANN does and why ICANN is important.

While the Internet is moving along with exciting innovations and new platforms of communication, ICANN is still working at dinosaur pace, still playing catch up and still not aligning the realities of the Internet to policy-making. Interest groups, corporate monopolies, politics and conflicts of interest still rule supreme.

Chris Anderson, the editor of Wire Magazine, in a recent front-page Wired article called "The Web is Dead" proclaims that the world wide web is dead and we are experiencing the beginning of the next generation of the Internet. Anderson explains:

"Two decades after its birth, the World Wide Web is in decline, as simpler, sleeker services—think apps—are less about the searching and more about the getting. You wake up and check your email on your bedside iPad—that's one app. During breakfast you browse Facebook, Twitter, and The New York Times—three more apps. On the way to the office, you listen to a podcast on your smartphone. Another app. At work, you scroll through RSS feeds in a reader and have Skype and IM conversations. More apps. At the end of the day, you come home, make dinner while listening to Pandora, play some games on Xbox Live, and watch a movie on Netflix's streaming service. You've spent the day on the Internet—but not on the Web. And you are not alone."

The reality of the matter is that the web is not quite dead yet. It is evolving. Devices are becoming more and more important than ever before. Mobile devices have paved way for the app revolution. These apps do not reside on the web but on the Internet for the purpose of creating a better user experience for the consumer as well as creating "closed" and "controlled" economies bound by distribution gatekeepers. This might be the beginning of the death of the "open" web as we see it. The move away from Flash programming in mobile devices in favor of non-web-based applications illustrates the gradual move away from a web-centric Internet, but the reality of the matter is that the Web will continue to exist given the human need for open-access to information and connecting with like-minded communities or social networks.

One point is certain. ICANN is wasting precious time trying to create a perfect solution in regards to new gTLDs. Can ICANN predict the future? No-one thinks so, but ICANN's propensity to solve any possible problem that might arise is clouding the process itself. ICANN is well-equipped and capable of dealing with any secluded abuse that might arise and react to any potential future issue. ICANN is losing its prime focus and is distancing itself from real task at hand which is no other than to introduce innovation and competition in the domain space and expand the Web.

The odds against new entrants are high. However, ICANN still insists on archaic concepts such as not allowing new registries to engage in free-trade, be able to sell direct as well as be flexible to introduce their own innovations. The self-proclaimed ICANN Business Constituency that should be all about free-trade claims that free trade is a terrible idea for new registry entrants and keeping the monopolistic, restrictive and anti-business regime at bay with the status quo is the best option for businesses. The ICANN Business Constituency that alleges to represent small-business interest and open, free markets is what your typical economist will call an oxymoron that is inconsistent with the modern economic framework of business practices. Does it have credibility? None whatsoever. I can only imagine what happens behind closed doors for a Business Constituency to oppose free trade for new entrants.

While the Internet moves towards a new direction, ICANN stands and ponders on issues that delay innovation, competition and the expansion of the Web. Big brand holders are still complaining about implementing more trademark mechanisms or further improving the existing ones that were created to please them. Why is ICANN wasting more time with that? Is there a method to retrieve your trademarked domain if someone else is abusing it? Yes. ICANN has gone beyond what is necessary. Will new gTLDs introduce more harm or benefits to the Internet society? If ICANN is all about open-access, free trade, competition, fairness and represent the Internet community, it has to align itself with what is happening in the Internet space today and not be stuck in the '90s.

The Web is not perfect. The big brands and corporations that ICANN seeks to protect who are delaying everything are not perfect. For example, the Web has been used by companies such as Google and Internet Service Providers to piggyback on intellectual property issues. What ICANN is dealing with in regards to implementing additional trademark mechanisms is tiny in regards to the harm that has been inflicted by many corporations that are regarded as the "backbone" of the Web. Google and major ISPs have been piggypacking intellectual property owners for their own profit and not much has been done about it. Both Google and the ISPs have been profiting from the unauthorised distribution of copyrighted works. Google makes money and generates traffic so they do not care about intellectual property. The ISPs get paid higher fees from consumers wanting higher bandwidth to download illegally at faster rates. Rampant piracy translates to billions of dollars of profits. 95% of music on iPods is illegal. Apple knows that but their marketing is clear: fit tens of thousands of songs on your iPod (irrespective if its illegally downloaded or not).

The Internet is dominated by many corporations who really have no respect for intellectual capital. If ICANN wants to make a difference that matters in Intellectual Property, then perhaps they need to be involved with other more significant issues that affect the Internet. If they are responsible for implementing trademark mechanisms for TLDs, then why not actually make a difference where it counts and where copyright holders are suffering from piracy, which has cost many their jobs? The trademark issues that will arise from new TLDs are insignificant if compared with the harm inflicted by piracy to copyright holders. My point is that ICANN has done enough to appease the trademark community. They are offered the trademark mechanisms to solve cybersquatting, even though the potential harms are expected to be tiny in comparison (if any). Copyright holders do not enjoy such benefit because of the very nature of the Web and its chaotic openness. I thought Rod Beckstrom understood this concept. I did after-all I read his book. Action is needed now, not just mere words.

With the Internet moving away from the Web, the repercussions to the domain industry will be felt. Domain name parking will become obsolete and the astronomical prices that premium, one-word .COM domains sell for will fall significantly and industry will experience less million-dollar domain name sales. There is no better time to sell your domain portfolio than right now unless you are developing it or unless you believe that apps and mobile devices with proprietary, closed ecosystems is not a reality.

ICANN needs to finally get the new TLD program launched without any further delays. The delays are unwarranted given the very few issues that are left such as Vertical Integration, pricing on bulk same-translated strings and establishing a better and fairer point system for community applicants that will also prevent abuse.

Unless ICANN shares Chris Anderson's viewpoint that the Web is dead, ICANN has to finally acknowledge the financial harm and opportunity costs that all the delays have inflicted to all applicants that have been clinging to ICANN timing promises to launch their respective TLD. The Web depends on it since it is shrinking. Time to join forces with the new Internet economy and space. It is time to expand the Web and introduce new complementors to the Internet: new TLDs.

Written by Constantine Roussos, CEO & Founder of .Music & Music.us

Follow CircleID on Twitter

More under: Cybersquatting, DNS, Domain Names, Domain Registries, ICANN, Internet Governance, Law, Mobile, Policy & Regulation, Top-Level Domains, Web

Network Neutrality is the Wrong Fight!

2010-08-24T10:32:00-08:00

Winning would mean giving up much more important rights—historical rights that were in place in the US as recently as 1995 and remain in place in most of Europe even today.

We shouldn't settle for network neutrality. It's a poor substitute for what we had and much less than what we need. Let me explain. There are two topics to discuss. The first is "common carriage," a centuries old legal concept that applied to the US telecom industry throughout most of the 20th century. The second involves communications protocols. Both topics are complex, so I will cover only what's needed to understand why we shouldn't accept network neutrality and why, at a minimum, we should fight for enforcement of existing common carriage rules.

Network neutrality is about allowing any Internet application to run over an Internet connection, i.e. over a connection that uses Internet Protocol (IP). But under common carriage as it applied prior to the late 1990s, we had a more powerful right—the right to run any kind of network protocol, IP or otherwise, over a lower, simpler service which today we call a "bit stream*." Why does this matter? Because real innovation is also possible at these lower layers and that innovation continues to be important. But today, such lower layer innovation is restricted to inside one building or one campus. Yes, we can tunnel some lower level innovations over IP, but not all of them and only at a cost.

IP telephony (VoIP) is one place where problems arise. Most enterprises use IP PBXs internally, yet calls between enterprises use the PSTN. Many companies have attempted to address this gap, but progress is slow and expensive. Within an enterprise, IP telephony packets are given priority, but that priority is not supported on Internet access links and network neutrality doesn't help. As a result, to interconnect VoIP calls, enterprises must lease separate dedicated access circuits—circuits usually based on bit stream access—to support "SIP trunks." Up until the late 1990s, these circuits were regulated under common carriage. Today they are an unregulated monopoly, with prices derived from the cost of voice circuits 15-20 years ago, i.e. abnormally expensive for today.

Common carriage is the legal concept that, in exchange for government granted monopoly access to rights-of-way, the monopolist must carry anyone's traffic over the resulting infrastructure, at regulated rates. For centuries this has applied, to canals, to roads, to railroads, to telegraph lines and, until nearly the end of the 20th century, to telecommunications lines. But during the legal battles after the Telecom Act of 1996, the FCC basically gave up on common carriage.

If we accept Network Neutrality instead of common carriage, we guarantee future innovations happen only above the IP layer. Innovation at lower layers will be restricted to enterprise or campus applications. That's too bad as it was the existence of common carriage that allowed the Internet to develop in the first place. Do we want to eliminate that kind of innovation in the future?

If anything, we should be fighting to extend the ideas of common carriage to lower layers, e.g. dark fiber. Installing dark fiber is expensive and requires access to rights-of-way that are limited. The installed fiber is capital expensive infrastructure that lasts for decades. Such conditions justify granting monopoly access, in exchange for common carriage and regulated rates of return. But when you light up a dark fiber, you use (relatively) low cost gear with a short life (even if it can survive for ten years, Moore's Law renders it functionally obsolete within 2-3 years). What's more, there's rapid innovation in opto-electronics gear. Just look at the order of magnitude difference in cost between enterprise and carrier fiber-optic gear.

Today, the US is loosing leadership in all things Internet. Network Neutrality will just put a nail in our coffin. To stop our decline, fight for restoration of the common carriage principals that existed through most of the 20th century and still exist in law. To regain world leadership, fight to extent those principals to include access to dark fiber at regulated rates.

_____
* Bit stream access. In the 20th century two regulated services provided what the 21st century calls bit stream access. These were voice telephony and T1 circuits. T1 circuits directly carry a stream of digital bits. Modems allowed voice connections to carry digital bits, for example, for bulletin board services and other purposes long before the Internet became popular.

Written by Brough Turner, Founder & CTO at netBlazr

Follow CircleID on Twitter

More under: Access Providers, Broadband, Net Neutrality, P2P, Policy & Regulation, Telecom, VoIP, Wireless

Wired vs Wireless Debate Becomes a Core Policy Differentiator in National Election

2010-08-24T09:48:00-08:00

I never thought I'd see the day when the difference in capability between a wireless and a wireline Internet would become a core policy differentiator in a national election, but this has now happened in Australia.

Perhaps it's a timely indicator of just how important the Internet is in our daily lives these days, and how much we've managed to associate keeping in touch with family and friends with tools such as Jabber and Skype, and just how much of our daily working life is now mediated by email. It seems that everyone has an interest in a ubiquitous, fast and cheap internet. Now that interest has been taken up as a major policy differentiator by both sides of the political spectrum in the recent Australian election. What was this all about?

On the one hand there is the National Broadband Network (NBN), an ambitious project to replace the now quite old telephone copper pair access network with a comprehensive fibre optic system. The copper pair network was originally funded by the public purse many decades ago, and has since been passed into private hands, along with all the other network assets of the former monopoly telephone operator. The NBN plan is to provide a layer 2 national fibre access network that would provide a last mile conduit to the majority of the nation's 6 million households and business premises. The NBN was intended to be revolutionary in terms of the change in capability of the national network and lift achievable last mile access speeds from DSL-speeds of 1 to 10 Mbps to a uniform level of access speeds of 100Mbps for every customer. Curiously, the election campaign has managed to squeeze more capacity out of the network and the political rhetoric has managed to up the access speed of this network tenfold to claimed access speeds of 1Gbps. This network is intended to be truly prodigious and the harbinger of bountiful benefits for everyone for many decades to come! Of course such a massive undertaking to rewire an entire continent does not come cheap, and the budgeted cost of providing this infrastructure to its 21.5 million population is a $43 billion impost, or a cost of $2,000 for every Australian resident. This project is a public works program, and the evolving expectation is that the network will once more be a public asset, in the same way that the original copper telephone network was constructed using a funds underwritten by the public purse. In every respect the project is intended to be game-changing. The ubiquitous use of high capacity across the entire population is intended to alter the way in which services are delivered, in which we define work and entertainment and the way in which a relatively small population in the south Pacific Ocean defines its place as a developed and hopefully highly competitive economy in a global context. These are indeed great expectations and the price tag is entirely commensurate with the level of euphoric optimism that is associated with this national project.

On the other side of the political spectrum there is a proposal to scrap this scheme immediately after the election. Lest this political party be perceived as technical troglodytes, they propose to replace it with a program of installing a swathe of wireless access points, particularly in the semi-rural areas of the Australian continent, and undertake some form of unspecified upgrade of parts of the existing copper pair network. This is a far more modest program, which is reflected in the price tag, currently estimated to cost the Australian taxpayer a mere $6 billion Australian dollars.

Each side of this political debate is keen to paint their chosen Internet technology in the most positive of lights, and portray the alternative in as dark a light as possible. A national network based on expansion of wireless infrastructure is portrayed as retrograde and hopelessly ineffectual in terms of national infrastructure. A fibre optic network is portrayed as being wastefully extravagant, unnecessary, and behind the times in today's i* world of wireless access devices. As a result, this ordinarily somewhat dry debate conducted between engineering, product and business line managers within the industry about the relative merits and weaknesses of mass access wireless and wireline networks has come to the surface of the political world for a day or two of mass media focus.

What lies behind this debate? In our efforts to convert every home and office into a wifi hotspot and convert every handset into a 3G wireless client have we really turned our back on the wired Internet? Is the copper pair, and even the concept of the fibre access network already being consigned to the dustbin of historical technologies, and will wireless totally dominate the future of the Internet? Or does the wired network have an assured future as an essential path to higher capacity and greater diversity and utility of the Internet, while wireless is just a passing fad that cannot sustain the full load of the diversity of needs of tomorrow's Internet?

The case for comprehensive uptake of wireless networking in the world of consumer electronics is close to overwhelming in today's environment. This month it has been reported that the 5 billionth device will "plug" into the Internet. It is statistically likely that this 5 billionth device will not exactly "plug in" to the network but wirelessly associate with a nearby base station! Wireless has been focal point for the Internet's evolution in the past few years, fuelled largely by the market success of Apple's various i-devices and the competitive responses from other suppliers. An earlier press story, again from Australia, illustrates this rather dramatic growth of the wireless market sector:

"Use of wireless broadband services mushroomed during the past year [2009] to reach more than 2 million subscribers, driven by the popularity of wireless modems and mobile devices such as the iPhone. The Australian Communications and Media Authority's communications report [for 2009] revealed the use of wireless broadband services jumped by 162 per cent in 2008-2009. ... Wireless broadband subscribers accounted for 25 percent of the number of Internet subscribers, up from 11 per cent in 2008."
The Australian, Wednesday 13 January 2010

There is no doubt that wireless services are so popular with consumers that they attract a price premium for their services. It is still the case that SMS messages in the mobile network are the most expensive data service on the planet, measured in units of dollars per megabyte, but other wireless 3G data services are also up there in terms of the margins of price over cost, particularly if one is daring enough to use international mobile roaming services for data! In the Australian market, for example, for the same $50 per month a consumer can access an Internet service with a usage cap of 3Gb per month with a wireless service provider, or take a service with a cap of up to 100Gb per month with a DSL service provider. Why is the wireless service some 30 times more expensive? The cost or provisioning a wireless service is dramatically lower than the cost of a wired service. The return on the investment of a wireless tower in densely populated urban environments is dramatically higher than the business case of dragging more wires through existing communications conduits. Even taking into account the lease costs of the radio spectrum, wireless services still represent a much higher margin activity than wires services. So its evidently not the relative costs of the service that determines the retail price of the service. Perhaps its more of a case of provider push coupled with consumer pull. Wireless services resonate with consumers in terms of convenience, and are prepared to pay a premium for this convenience. Consumers are prepared to pay higher prices for mobile services. Providers use this preference to add a premium to their mobile products and services, making this a more attractive product for them in terms of return on investment in service infrastructure. In every respect this looks like a mutually satisfactory setup.

There is always a "but" in these arrangements. The perennial question that gets posed about these innovations in service delivery in the internet is: "But does it scale?" When we consider not just a population of some 6.8 billion humans, but a population of over 100 billion chattering devices, will this approach scale?

In other words, is wireless an infinitely exploitable resource? Can we expect ever-increasing numbers of services, ever-increasing intensity of use, and ever-increasing capacity from the wireless network in the future? Like the air we breathe, the radio spectrum is a shared resource with many competing potential uses, from broadcast media, such as radio, television and geolocation to private point-to-point services with mobile telephony, and various permutations of satellite services. And of course, not all radio spectrum is the same. Lower frequencies provide better penetration through buildings, and can extend beyond line of sight, but have limited bandwidth. Higher frequencies have higher bandwidth, but are more readily absorbed by hills, buildings, and even walls. And of course the radio spectrum is a shared medium, so it is necessary to manage the spectrum as a common resource and coordinate the various potential users of the spectrum. The spectrum space is already full, and the prospect of displacing the existing users to make way for a massively larger Internet appears to be an unlikely outcome.

The part of the spectrum is that can be used for wideband digital communications is very limited. As more subscribers crowd in the same shared spectrum space the problem is that the quality of the service ultimately degrades. This can be mitigated to some extent by using more and more base stations with smaller radii of coverage, but at the same time this approach increases the issues with cross talk and signal interference and the complexities with mobile station handover.

The service performance with wireless also suffers, with signal dropouts, higher bit error rates, higher jitter and sudden changes in access capacity due to the method of channel contention in 3G. All of these are particularly hostile to the TCP protocol, and while there has been much said about the rapid rise of theoretical carriage capacity of wireless systems in recent times, achievable sustained data transfer rates using TCP in the wild fall far short of the hype.

Does an investment of $6 billion of public funds into wireless infrastructure represent a wise investment in national infrastructure for a future extending for many years into the future? Or would this be a case of making a investment in a current technology that is closer to a fad than an enduring element of a digital infrastructure? Also, given that the current wireless internet has already been enthusiastically constructed with private capital investment, should further public funds be expended in undertaking a public works program that may well be undertaken by private capital in any case?

There is no doubt that if we are facing a bandwidth hungry Internet future, then fibre optic wireline services can provide much greater reticulated capacity to the network. Unlike wireless, wireline systems behave consistently in terms of bit error rates, latency management and jitter. As a result the TCP transport protocol behaves with close to maximal efficiency, and can achieve sustained data rates equal to the line bandwidth, even at gigabit per second rates. All this prodigious performance can be achieved on fibre optic systems without crosstalk and without interference between users. Because the signal is guided by the wire the systems exhibit far higher energy efficiency, and can operate at far higher speeds. If speed and capacity are what we are after, then speed and capacity is precisely what fibre optic systems can deliver.

But of course despite all these efficiency and performance differentials, it's still a wired service, and the service is tethered to the end of the wire. That limits its usefulness and utility in an acknowledged highly mobile world. However, the choice is not quite so stark as a choice between an RJ45 connector and a 3G modem. WiFi has also revolutionized the consumer marketplace, and these days its quite commonplace to see appliances use WiFi as a connection medium. There is no doubt that I have no interest in using a carrier's 3G network to send a print job to the printer sitting beside me on my desk—that's a job for my local WiFi network, as is access to a home server and a myriad of other local operations in the home and at the office.

Where should public funds be spent? On a comprehensive revamp of the wired access network, replacing the aged copper pair telephone network with a highly capable fibre optic network? Or on improving access in those areas where the copper pair network simply cannot support high speed access by public investment in wireless infrastructure?

In trying to answer this question, we return to a persistent theme in the area of public communications infrastructure. What's the role of public capital investment and how is that balanced against the role of private capital investment? Is it possible for private investment to fulfill the entirety of a public agenda? Given that a capable, cost efficient and effective public communications infrastructure that encompasses an entire national constituency is seen as a core deliverable of any national communications policy regime, then how is this best achieved today?

To more back from generalities to the specifics of this broadband investment choice, is it realistic to expect that we have further decades of useful life from an already ageing copper pair infrastructure? As a consequence, should current public investment focus on current gaps in the national infrastructure, using a relatively cost effective approach of plugging these gaps using wireless infrastructure where the copper network is simply inadequate, and leave the remainder of the network in situ, as being adequate for the moment Or should we leave such wireless infrastructure investment to private enterprise, given that this technology is enjoying strong consumer attention and there is a continuing investment in wireless infrastructure by the industry actors. Instead, should a public investment program focus on a longer term national program of replacing the copper loop with a comprehensive fibre optic network? From such a longer term perspective perhaps the NBN is the better approach, as we need to concede that the level of investment required for a national very high speed access infrastructure in a fibre access network is probably well beyond the scope of private capital works investment. So far all that the industry has achieved in this space has been the rewiring of the CBDs in the major cities, while the upgrading of remainder of the network has been effectively ignored. It appears that this is, like many major infrastructure projects in the past, one that properly sits in the realm of a public investment program, in the same way that we've made investments in national road, rail and shipping infrastructure in the past.

That's the spectrum of choice between wireless and wired infrastructure programs for a better, faster and broader broadband Internet by the two Australian political parties. The wired vs wireless debate has become a matter for the electorate to decide.

Written by Geoff Huston, Author & Chief Scientist at APNIC

Follow CircleID on Twitter

More under: Access Providers, Broadband, Policy & Regulation, Top-Level Domains, White Space, Wireless