CircleID

What Does the .CO Launch Mean for New gTLDs?

2010-09-08T14:06:00-08:00

The .CO top-level domain made over $10 million in just a couple of months. What do the results of the .CO re-launch mean for new gTLDs?

Remember, .CO is the country-code TLD for Colombia. Until this summer, you could only register names under .com.co, .net.co, etc. You couldn't register myname.co. Now anyone in the world can register a .co name, and register it directly under the top level. Remember also that as a country-code TLD, .CO was not constrained by ICANN rules, which means that they were able to (re-) launch their TLD relatively quickly. Even so, their rules and regulations closely hewed to the latest ICANN rules, especially in regard to cybersquatting.

The response to the .CO launch was tremendous. Let's review:

11,000 names applied for during the Sunrise Period
28,000 names sold during the Landrush Period (closed July 15, 2010)
Total paid by applicants for Sunrise and Landrush names: over $10 million
Total .co names registered as of this writing: 440,000

What do these numbers mean for prospective new gTLDs? Obviously, they prove that there are lots of buyers out there if the value proposition is good, and that's a very good sign. There is no indication (quite the opposite, in fact) that people have anything against new TLDs. Quite the opposite, in fact: if it's a good one, they'll flock to it in droves.

But .CO is somewhat of a special case. There are a few things to keep in mind:

First, although cybersquatting of brand names was dealt with aggressively by the talented .CO team, we have to assume that many of the registrations were done in hopes of getting traffic from people who forgot to add the "m" to a .com URL. No new gTLDs will be able to benefit from similar fat-fingered mistakes, because ICANN is running a "similarity test" to make sure that there aren't such confusions. We won't know how much typo traffic there actually is until it comes time to renew the names. Then, speculative traffic names will either be renewed (if they received typo traffic) or will be dropped (if they didn't). So keep an eye on next July for interesting stats.

Second, the .CO team is really good, and did everything right. They hired smart veterans and spent a fair amount of time and money making sure that brand owners and registrars knew what was happening, what the rules were, how and when to apply, etc. This had the virtuous double effect of almost completely eliminating complaints about the process and also maximizing registrations. New TLD applicants, take note.

Third, .CO had the field to itself. When new gTLDs start launching, it will probably be on a rolling schedule, but nonetheless there is likely to be more than one launch at any given time.

These are the factors giving .CO an edge, but this doesn't mean that new gTLDs won't be able to duplicate or surpass their success. Many of these considerations are double-edged swords. The fact that .CO is a misspelling of .COM also means that fewer real sites will get built, fewer names will be renewed, and cybersquatting problems will be relatively larger than in most new gTLDs. The fact that .CO spent a lot of money means that their profit margin is lower.

Every new TLD launch will have specific considerations and circumstances that will both help and hinder its growth. Several new gTLDs, especially geographical names and communities, will have natural constituencies that will fuel registrations. Others will have worldwide appeal. Many will not measure their success in registrations, but instead on service to their communities.

Overall, the .CO launch should make prospective new gTLD applicants very happy indeed. It is a great proof of the market, and it shows (once again) that intelligent branding and marketing will go a long way to making a project a success.

Written by Antony Van Couvering, CEO of Minds + Machines

Follow CircleID on Twitter

More under: Domain Names, Domain Registries, ICANN, Top-Level Domains

A Look at How Google, Verizon and the FCC Talks are Playing Out

2010-09-08T08:46:00-08:00

Sam Gustin reporting in DailyFanance: "As Apple (AAPL), Amazon (AMZN), Netflix (NFLX) and Google forge ahead with highly publicized new plans to stream high-speed content like movies and TV shows to your living room, smartphone, telecom and cable giants like AT&T, Verizon and Comcast (CMSCA) have been intensely lobbying to maintain control over the broadband pipes they spent billions to build. Comcast is going so far as to buy a rich content factory, NBC Universal, a deal that would create a $35 billion media and delivery juggernaut."

Follow CircleID on Twitter

More under: Access Providers, Broadband, Net Neutrality, Policy & Regulation, Telecom, White Space, Wireless

NIST Issues Smart Grid Cybersecurity Guidelines

2010-09-07T14:49:00-08:00

The National Institute of Standards and Technology (NIST) issued today its first Guidelines for Smart Grid Cyber Security, which includes high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organizations to use as they craft strategies to protect the modernizing power grid from attacks, malicious code, cascading errors, and other threats.

Follow CircleID on Twitter

More under: Cyberattack, Security

DNS Clients Do Request DNSSEC Today

2010-09-06T12:04:00-08:00

After the DNS root zone was finally signed and a number of Top-Level Domains (TLDs) began signing their zones, we were curious to see how many clients actually request DNSSEC information. We looked at the RIPE NCC server that provides secondary service to several country code top-level domains (ccTLDs).

This server answers around 5,000 queries per second on average. In the image below you can see the percentage of those queries that requested DNSSEC information during August 2010:

More than 50% of all queries request DNSSEC information from this server. This is very encouraging and shows that DNSSEC is being deployed.

Here are some guidelines for configuring your caching resolvers to use the root zone DNSSEC key:

BIND: https://dnssec.surfnet.nl/?p=402
Unbound: https://dnssec.surfnet.nl/?p=212

For more details on this topic, please refer to RIPE Labs:
https://labs.ripe.net/Members/dfk/dns-clients-do-request-dnssec-today

Written by Daniel Karrenberg, Chief Scientist at the RIPE NCC

Follow CircleID on Twitter

More under: DNS, DNSSEC, Regional Registries, Security, Top-Level Domains

IPv6: Smart Investments and Smart Grids

2010-09-04T11:53:00-08:00

IPv6 a major catalyst for billions of dollars worth of deals? The Intel announcement of their McAfee purchase for 7.7 billion seems to indicate as much when Dave DeWalt , McAfee CEO is quoted as saying during a conference call; "If we look at the transition from IPv4 to IPv6, we're seeing an explosion of billions of devices and they all need to be secured." Then he continues by saying "The embedded market is a very specific and high-opportunity market for us." His estimate is that the number of connected devices will grow from one billion to 50 billion within 10 years.

In the meantime Baltimore Gas and Electricity (BGE) signed a contract for the provision of IPv6 based smart readers to equip their 1.2 million customers using a 'secure, end-to-end IPv6 platform for BGE to deliver on operational benefits today while also ensuring tomorrow's energy challenges can be met with a scalable and open platform'.

The same day , September 1st, we see Cisco and Itron sign a strategic agreement to 'develop a standards-based, highly secure technology for full IPv6 implementation of field area communications to support smart metering, intelligent distribution automation and interfaces to the customer premise '.

One day later, september 2nd, Cisco announces the purchase of Archrock, a pioneer of IPv6 implementation for sensor network and smart grids , cofounder of IPSO , the alliance promoting IP for small objects, and strong proponent of the IETF 6lowpan recommendation which defines the use of IPv6 for low powered objects.

There is definitely an IPv6 smell in the air these late summer days.

Written by Yves Poppe, Director, Business Development IP Strategy

Follow CircleID on Twitter

More under: IPv6, Mobile

IPv6 Posing New Security Issues

2010-09-03T13:17:00-08:00

"The countdown to the saturation of the IPv4 address supply is now down to a matter of months: and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats. ...its adoption also poses new security issues, everything from distributed denial-of-service (DDoS) attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes."

Read full story: Dark Reading

Follow CircleID on Twitter

More under: DNSSEC, IP Addressing, IPv6, Security

ARF is Now an IETF Standard

2010-09-01T08:57:00-08:00

When a user of a large mail system such as AOL, Yahoo, or Hotmail reports a message as junk or spam, one of the things the system does is to look at the source of the message and see if the source is one that has a feedback loop (FBL) agreement with the mail system. If so, it sends a copy of the message back to the source, so they can take appropriate action, for some version of appropriate. For several years, ARF, Abuse Reporting Format, has been the de-facto standard form that large mail systems use to exchange FBL reports about user mail complaints.

Until now, the only documentation for ARF was a draft spec originally written Yakov Shafranovich (CircleID) in 2005, and occasionally updated originally by him and later by other people including myself. Earlier this year, the IETF chartered a working group called MARF which took that draft, brought the references up to date, stripped out a lot of options that seemed useful five years ago but in practice nobody ever used, and this week it was finally published as RFC 5965.

ARF (or now MARF) is quite simple, a version of the existing Multipart/Report message format that includes information about the report, such as the address of the recipient, descriptive text for a human reader, and a copy of the offending message. Having a standard format for reports, simple though it is, makes them much easier to process. For my tiny system, for example, nearly all of the trickle of reports are about mailing list messages. When a FBL report arrives, an automated script looks at the report and the message, and in the usual case that it's from a mailing list, it creates an unsubscribe request to remove the person from the list. Otherwise, it passes the message along to the human manager so I can decide what, if anything, to do about it. Larger mail systems also use them to collect statistics about their mail-sending customers.

The IETF process works particularly well when it standardizes existing practice, and ARF/MARF is an excellent example of that. The differences between the earlier drafts and the final version make it clearer and more precise, and it's now a proper standard we can cite:

Abuse Reporting Format! Ask for it by name: RFC 5965!

Written by John Levine, Author, Consultant & Speaker

Follow CircleID on Twitter

More under: Email, Spam

Google Voice: Race to the Bottom for Telephony - or Something Else?

2010-08-31T11:26:00-08:00

Just when you thought making phone calls couldn't get any cheaper, along comes last week's news from Google about their latest iteration of Google Voice. There have been several steps along the way for Google to get to this point, and there are a host of reasons why this news is of interest to service providers of all stripes. I often write about how certain technologies and disruptive forces change the business of being a service provider, and this is but the latest example.

Ever since Vonage came to market, residential carriers have been faced with declining revenues for landline service, which itself is quickly losing ground to wireless substitution. Then Skype came along and brought desktop VoIP to a whole new level of adoption. Along with that came a new value proposition for voice. Whereas Vonage was offering a lower cost monthly plan, Skype was offering free or near free voice, driving the price down to levels that no conventional service provider could sustain.

Google has its own take on voice, which is why this story should be of interest to service providers. Vonage is marketed primarily as a replacement service for POTS, making it a direct competitor to telcos. Nothing complicated there—it's really just a price game, but telcos do have more options to bundle telephony with other things—and of course, even more so for cable operators.

Skype is primarily a Web-based IM/chat service, on top of which they do voice very well, and at low cost to subscribers. As popular as Skype is, their proprietary technology keeps them a bit inside their own sphere. They are still a major threat to telcos, but when positioned a bit differently, they can be a very good complement.

The latest news with Google, though, is something entirely different. Their calling service—Google Voice—is mainly an add-on to Gmail, and works a lot like Skype. As such, it's not a pure telephony service like Vonage, and it's not really built off IM/chat like Skype; it's built around email. Of course, Google has all these other tools, but email is ubiquitous, and Google has been successful building a strong user base here. Gmail binds the user more deeply than IM/chat, making it a great platform for both business and personal usage. I'm not alone in noticing these days that when you get a personal email address as a backup for someone you're working with, more often than not it's a Gmail address.

Google already has GTalk, which supports free online calls between Google users—and is comparable to the free calling Skype users have among themselves. Google Voice is much bolder and is their answer to Skype Out/In, and gives Gmail users a PSTN interface to make calls to the rest of the world. In the short term, this may take a bite out of Skype in that Google Voice calls within the U.S. and Canada will be free until year end (but maybe longer). Longer term - along with Skype - Google Voice is more of a threat to telcos as they accelerate the race to the bottom, bringing the value of a voice call pretty much down to where email is.

Why are they doing this?

In my view, it's not to put the telcos out of business. They're offering domestic PSTN calls for free, in the hopes of subsidizing them by charging two cents a minute for international calls. Fair enough, but I don't see that happening, and Google really doesn't need to make money with this service. Of course, free beats paid any day—so long as the quality is comparable—and I see them making the voice pie bigger, much the way Skype has. The key for me is more about how Google Voice interacts with Gmail. By escalating an email message to a free phone call, users will stay longer in the Google environment, and the ability to transcribe voicemail will certainly appeal to some.

However, I think there's more to the story. Am mentioned, Google is coming from a different place than Skype, who depends almost solely on those Skype In/Out minutes for revenues. VoIP service is not expensive to provide, and Google has spent relatively little to get in the game. I would contend that the vast majority of their Google Voice capability comes from three small acquisitions that cost them maybe $150 million. When you think about the annual Capex budget of any incumbent, this really is pocket change. Going back to 2007, they acquired GrandCentral; last year they acquired Gizmo5, and a few months ago, they added Global IP Solutions. Collectively these companies have given them the pieces to offer a very appealing VoIP-to-PSTN service globally, and if they never make a penny from it, so be it.

As mentioned, free beats paid, and there's no better incentive to get people to use your service. Look how long Vonage has been around, and they barely have two million subscribers. Unlike Skype, Google doesn't have to build its user base from scratch, and it won't take long for them to start logging millions of calls. Just consider what happens when school resumes next month, and students will be falling over each other to make free calls home from those super-retro red UK phone booths that will be popping up on college campuses (and solar powered to boot).

As such, Google Voice will be one more reason to cut the cord, and the race to zero just picked up some speed. Thanks to Gizmo5, Google Voice is SIP-based and works nicely on both softphones and hand-held endpoints. Short term, there will be some cannibalization with Android by competing with voice from data plans, but Google will figure out how to make all these pieces fit. This is actually where the GIPS acquisition comes in, with their ability to support both voice and video over mobile devices, which in turn can make Google Voice a great add-on for businesses.

While Google Voice is primarily an outbound telephony service, I think they'll be able to take free calling beyond the desktop, and that's really what service providers need to be thinking about. Free on the desktop is one thing, but when you push out to mobile devices, things get more complicated. If this isn't enough, I think there's a separate agenda at work here, and it's something I've commented about elsewhere for quite some time.

Google is really interested in the voice business, not to make life difficult to telcos, but as a source of raw material—snippets from voicemail and live calls, if you will—that can be harvested for search. I'm not sure about the regulatory issues around this—and apparently Google has been vague here—but certainly for voicemail, free calls will generate a huge cache of "content" that they can apply speech recognition algorithms to and build an archive of audio-based search prompts. Once those audio cues are transcribed into text, they can become hugely valuable for the next frontier—mobile search. This sounds a bit on the dark side ("do no evil" as we're told), but it's a far better way to monetize voice than charging a few cents a minute or a few dollars a month. When viewed from this lens, Google Voice is a very different business than Skype, Vonage, or any telco for that matter. Disruption comes in many forms, and we're seeing a new one with Google Voice. Don't let the race to zero fool you; I think it's just a side-show compared to what Google really has in mind.

This article of mine originally ran today on my Service Provider Views column on TMCnet.

Written by Jon Arnold, Principal, J Arnold & Associates

Follow CircleID on Twitter

More under: Email, Telecom, VoIP, Web

Stopping the Flow of Online Illegal Pharmaceuticals

2010-08-31T08:24:00-08:00

Reading through Brian Kreb's blog last week, he has an interesting post up on the White House's call upon the industry on how to formulate a plan to stem the flow of illegal pharmaceuticals:

The Obama administration is inviting leaders of the top Internet domain name registrars and registries to attend a three-hour meeting at the White House next month about voluntary ways to crack down on Web sites that are selling counterfeit prescription medications.

The invitation, sent via e-mail on Aug 13 by White House Senior Adviser for Intellectual Property Enforcement Andrew J. Klein, urges select recipients to attend a meeting on Sept. 29 with senior White House and cabinet officials, including Victoria Espinel, the Obama administration's intellectual property enforcement coordinator.

"The purpose of this meeting is to discuss illegal activity taking place over the internet generally, and more specifically, voluntary protocols to address the illegal sale of counterfeit non-controlled prescription medications on-line," the invitation states.

Klein did not return calls seeking more information. A spokeswoman for the White House Office of Management and Budget confirmed the event, but declined to offer further details. The meeting appears to be a continuation of the administration's Joint Strategic Plan on Intellectual Property Enforcement, an initiative unveiled in June that promised to "address unlawful activity on the internet, such as illegal downloading and illegal internet pharmacies."

According to the World Health Organization, approximately 8 percent of the bulk drugs imported into the United States are counterfeit, unapproved, or substandard, and 10 percent of global pharmaceutical commerce—or $21 billion—involves counterfeit drugs. LegitScript.com, a verification service for online pharmacies, is currently tracking more than 45,000 rogue Internet pharmacies.

It is unclear to me whether or not the goal of this initiative is to stem the flow of online crime in general or to reduce the flow of illegal pharmaceuticals flowing into the United States (since presumably this cuts into the profits of large pharmaceutical companies… who would naturally want to see their profit margins increased in return for pledging their support for health care reform that was passed earlier this year). Assuming that the target of this are the online pharmaceuticals, there are a few things I can think of. Unfortunately, a three hour meeting really isn't enough to get this off the ground because it is a series of interconnected events that would need to take place. Anyhow, here's a list of things I'd do:

Stopping illegal pharmaceuticals piggy-backs onto stopping illegal <anything> on the 'net. Spammers who advertise illegal software, or fake degrees, or fake enlargement pills, or fake mortgages are all basically doing the same thing. So, any strategy that is aimed at stopping those other things will extend to stopping fake pharmas as well. My point here is that concentrating only on fake pharmaceuticals may exclude strategies that scale to others.
Registrars need to get their act in gear. When a website advertising cheap Viagra goes up, somebody somewhere needs to register that site. Whoever registers is needs to do a better job of verification of the identity who registered it. The problem here is that so many of these sites are registered by registrars in foreign countries which is outside the jurisdiction of the US. However, just like in the Wizard of Oz, there's no place like home and the government can pressure domestic ones to do better proactive abuse mitigation.
WHOIS protected services are questionable. I don't deny the need for WHOIS-protected services in some cases. However, any time I am looking up a suspicious site and the WHOIS registration is protected, that's pretty much all I need to make the determination that the site is abusive. It doesn't cost much to shield your WHOIS information. If you want to do it, that's fine but there should probably be a stricter set of criteria who shielding your information like this requiring you to jump through a couple of more manual hoops.
Crack downs on spammers will go a long ways. One of the chief mechanisms of advertising illegal pharmaceuticals is through the use of spam. We all get it in our inboxes. Of course, there are other avenues of advertisement such as black search engine optimization. However, because it is not particularly difficult to send out a lot of spam and make money off of it, and because there is little chance of repercussion, spammers continue to do it. If law enforcement had more resources dedicated to prosecuting spammers such that it became more de-incentivized, then the supply part of the equation would start to dry up. In other words, putting spammers in prison will help in this regards, and this requires a prioritization of law enforcement resources. Whether or not they are willing to divert resources from one area of law enforcement to another is an open question.
Perhaps walled gardens are a good idea. In Australia, some ISPs kick infected computers off of their network if the ISP can detect that the machine connecting to it is infected with malware. Or, they redirect them to a sandbox and alert the user that they cannot continue until they clean their system. If more ISPs made this a policy, then maybe we'd have less malware abuse flowing back and forth in cyber space. I don't think I'd want government to enforce this, but perhaps ISPs might be willing to voluntarily comply with this.

This is a small list of things that could be done but by no means it is exhaustive. Running up-to-date software is a good idea, and so is running the latest patched version of one's software. What other ideas do you have to cut down on the flow of illegal online pharmaceuticals?

Written by Terry Zink, Program Manager

Follow CircleID on Twitter

More under: Cybercrime, Domain Names, Domain Registries, ICANN, Internet Governance, Spam, Whois

House of Cards

2010-08-27T17:38:01-08:00

Time flies. Although it was over 18 months ago, it seems just like yesterday that a small Czech provider, SuproNet, caused global Internet mayhem by making a perfectly valid (but extremely long) routing announcement. Since Internet routing is trust-based, within seconds every router in the world saw this announcement and tried to pass it on. Unfortunately, due to the size of this single message, quite a few routers choked—resulting in widespread Internet instability. Today, over a year later, we were treated to a somewhat different version of the exact same story.

First, let's review the Czech incident from February 2009. There were many positives to take away.

It was precipitated by an honest mistake.
It was an extremely unlikely event, as many stars had to be in exact alignment.
Most of the Internet's core survived.
The response from operators was fast and efficient, with the damage largely contained within an hour.

The complete technical details can be found here.

Deja vu all over again

Fast forward to today: Friday, 27 August 2010. What do you think would happen if another large and unusual routing announcement was made on the Internet? Do you think all the router vendors have perfected their code in the past 18 months? Do you think the entire planet has upgraded to this new, improved and perfect code base? Do you think it makes sense to use the Internet as your testbed? I doubt you answered "yes" to any of these questions.

We'll begin to describe what happened today with a snippet from a private mailing list. We'll purposely leave out the technical details so that we don't inadvertently contribute to the building of a Cybernuke.

On Friday 27 August, from 08:41 to 09:08 UTC, the RIPE NCC Routing Information Service (RIS) announced a route with an experimental BGP attribute. During this announcement, some Internet Service Providers reported problems with their networking infrastructure.

Immediately after discovering this, we stopped the announcement and started investigating the problem. Our investigation has shown that the problem was likely to have been caused by certain router types incorrectly modifying the experimental attribute and then further announcing the malformed route to their peers. The announcements sent out by the RIS were correct and complied to all standards.

Um, while standards compliance is nice, it is foolhardy to assume that all BGP implementations are perfectly compliant, especially given recent history. Over 3,500 prefixes (announced blocks of IP addresses) became unstable at the exact moment this "experiment" started. Not surprisingly, they were located all over the world: 832 in the US, 336 in Russia, 277 in Argentina, 256 in Romania and so forth. We saw over 60 countries impacted by a "correct" announcement that "complied with all standards". The following graph shows the timeline of the event, followed by a map of the impacted countries by prefix count. Notice that it takes a bit for the Internet to stabilize after RIPE claims to have withdrawn the announcement at 09:08 UTC.

Conclusions

On the positive side, the incident was very brief, the damage was limited to under 2% of the Internet and the responsible parties quickly fessed up, aborting their "experiment". On the negative side, the Internet remains a very fragile place, even if that fragility is highly localized and different in different places. Standards aren't followed, code isn't tested and people make mistakes. That's life with any complex system and, while we can certainly do a better job, we will continue to see these types of events no matter what safeguards we might take. What puzzles me is how anyone thought it might be a good idea to test fate in this way. The end result was completely predictable.

Written by Earl Zmijewski, VP and General Manager, Internet Data Services

Follow CircleID on Twitter

More under: Internet Protocol, Security

White House Calls for a Meeting with Domain Registrars, Registries, and ICANN

2010-08-27T11:21:00-08:00

Brian Krebs reporting in Krebs on Secruity: "The Obama administration is inviting leaders of the top Internet domain name registrars and registries to attend a three-hour meeting at the White House next month about voluntary ways to crack down on Web sites that are selling counterfeit prescription medications..."

Follow CircleID on Twitter

More under: Cybercrime, Domain Names, Domain Registries, ICANN, Internet Governance

ICANN's Tokyo Meeting Provides a Little More Clarity on the New gTLD Program

2010-08-27T07:44:00-08:00

New gTLDs continue to be a major topic of discussion within ICANN circles, and the regional meeting currently underway in Tokyo has revealed some interesting updates for potential applicants.

ICANN's Chief gTLD Registry Liaison, Craig Schwartz, delivered a great presentation on the progress being made behind closed doors at ICANN and provided the attendees with an insight into a couple of key changes that are likely to be seen in the Final Applicant Guidebook. As many of our readers would be aware, we have been waiting in anticipation for the new gTLD Final Applicant Guidebook to be approved at a previously unconfirmed meeting of the ICANN Board. The date for this meeting was today announced as September 10th.

Like many others in the industry, we'll be actively watching for the outcomes of this Board retreat where the focus will be on the new gTLD program's remaining unresolved issues. In particular, the Board's willingness to address the complicated Vertical Integration topic (given the inability of the VI Working Group to reach consensus) will be of interest to the many applicants likely to be affected by the outcome.

On another interesting note, one very important topic that has been flying under the radar is Registry Transition, namely the current requirement for new gTLD applicants to provide both a backup Registry Services organisation and a financial instrument sufficient to guarantee a minimum of three years of Registry operations in the event of the TLD owner being unable to operate it.

Obtaining a backup Registry Services provider is not particularly difficult. However, for many potential applicants (in particular smaller community-based applicants) the requirement to obtain a letter of credit from a financial organisation is an enormous burden and a significant additional cost.

Acknowledging this today and noting that the protection of the Registrant is paramount to this process, Schwartz said that ICANN had invested significant time and will further expand the recent concept of Emergency Backend Registry Operator (and yet another acronym, EBERO) whereby qualified applicants (i.e. Existing Registry Operators) could tender to ICANN to provide 'temporary' Registry Services in the event of critical failure of the Registry Operator to operate the gTLD.

This is a great initiative and should be welcomed by the community for two key reasons:

a) It has the potential to remove the requirement to name a pre-organised backup Registry Service.

b) It has the potential to reduce the level of financial guarantee to ICANN from applicants.

Other interesting points worthy of note from yesterday's session:

Communications Plan – This is being worked on by ICANN currently but won't be rolled out until the Final Applicant Guidebook is approved, almost guaranteeing that the earliest date for applications will be March or April 2011
DAGv4 Summary of Analysis – This won't be released to the public until after the Board's retreat, which is a surprise given that the public comment finished quite some time ago
IDN ccTLD Fast Track – ICANN have 33 applicants, representing 22 languages, currently under review as this program continues to drive the expansion of the internet across the globe

All in all, these small yet important pieces of information represent yet another positive step forward in the new gTLD process. I for one can't wait to see what the next few months will bring.

Click here if you want to see the presentations from the Tokyo meeting as provided by ICANN.

Written by Tony Kirsch, Senior Manager - International Business Development, AusRegistry International

Follow CircleID on Twitter

More under: Domain Names, Domain Registries, ICANN, Multilinguism, Top-Level Domains

IPv6 Deployed But in Unexpected Places

2010-08-26T14:21:00-08:00

Eric Vyncke reporting in the NetworkWorld: "IPv6 exists for more than 15 years and it is rumored to be deployed extensively in Asia and especially in Japan and China with Africa being the last continent to deploy IPv6. Another place where there should be a lot of deployments is of course in the USA with the US Government IPv6 mandates. But, when it comes to measure where web sites are actually deployed over IPv6, the rumor proves to be just a myth..."

Follow CircleID on Twitter

More under: IPv6

Ensuring Maximum Resilience to the DNS?

2010-08-26T10:34:00-08:00

Yesterday CommunityDNS noticed a sudden, heavy spike in traffic through its Anycast node in Hong Kong. While comfortably processing queries at 863,000 queries per second for close to 2 hours the occurrence was undeniable. While we can't say the increase in traffic was specifically due to DDoS, its sudden increase is suspicious and reminds us that DDoS is still a popular tool used by the malicious community.

DoS and DDoS attacks are happening throughout each day. Just as UltraDNS was twice regionally impacted in 2009 by DDoS traffic, Register.com with close to a 3 day outage in 2009, and DNS Made Easy, the recent target creating close to a 1.5 hour outage for its users earlier this month, we (enterprise, ISPs, hosting firms, registrars and DNS providers) are not all immune to such malicious antics. While all queries appeared legitimate in yesterday's spike, there is no reason to believe CommunityDNS was the intended target for the sudden increase in traffic. However, it still raises the issue of the impact such malicious activity can have on the general user base as well as online economy.

Last year and earlier this year CommunityDNS worked on a study developed for the EU Commission's office of Directorate-General for Justice, Freedom and Security, regarding the resilience of the DNS for the EU and its member states. The study pointed out the affects such malicious activity has on the confidence of legitimate Internet users. Such affects erode confidence, thus the EU's online economy not able to reach its full potential. The same concept would apply to any online economy. The study also noted how "suspicious" traffic appeared more elevated in some European cities over others. A recent Forrester survey indicated organizations experienced more than 350,000 DDoS attacks in 2009. Another study, from Arbor Networks, yielded a statistic of approximately 3% of the Internet's traffic is tied to DDoS, or roughly 1,300 attacks each day.

So as the Internet marches on with the needed ramp up of DNSSEC, the rollout of IDNs and eventually the addition of new gTLDs, the malicious community continues their global activity. Such activity should make us all question, "Are we doing the best we can to ensure maximum resilience for Internet users and online economies?" The best way to ensure maximum resilience for users, businesses and the general online economy is through platform diversity. Where one has an open source-based DNS platform, a non-open source-based platform should be used. A mix of hardware platforms, upon which the open source and non-open source DNS software operates, is also necessary as the hacker community has more tricks up their sleeve than DDoS attacks. Adding hardware and software diversity into an infrastructure with strong security, ample capacity and scalability is the strongest method for ensuring maximum resilience to the DNS.

Written by Chuck Kisselburg, Director, Strategic Partnerships

Follow CircleID on Twitter

More under: Cybercrime, DNS, DNSSEC, Security

The Window of Opportunity for ccTLDs

2010-08-25T19:27:00-08:00

The announcement that .co has already achieved over 450,000 new registrations since the opening up of the second level a month ago demonstrates that there is strong demand in the global domain name marketplace for quality new domain spaces.

Though .co is the country code Top Level Domain (ccTLD) for Colombia, the second-level registrations (i.e. company.co) are available on a global basis and it is being pitched as a direct competitor to the dominant .com gTLD. Google has altered its algorithm to increase the relevance of search results in the .co domain by treating .co as a gTLD and allowing .co website owners to specify the geographic regions they are targeting. Though .CO Internet has the freedom enjoyed by all ccTLDs of not having to operate under ICANN's policy framework, they have elected to adopt policies that very closely match that framework, including the Uniform Domain Name Dispute Resolution Policy (UDRP).

The launch of second-level registrations under .co therefore represents, to all intents and purposes, a new gTLD launch, and appears to be a popular alternative to .com for both large corporations and small businesses, at least at this early stage. Overstock's purchase of o.co for US$350,000 shows a high degree of confidence in the new .co brand, and Twitter has also joined their list of high-profile anchor tenants, launching t.co as a secure URL shortening service. Anecdotal evidence also suggests that small businesses are taking the opportunity to secure names within this new space that they had been unable to register in .com or other spaces.

The .co launch is just the latest in a long line of examples of the opportunistic repositioning of ccTLDs to compete in the global market against the 'official' gTLDs. Colombia, like Montenegro (.me) and Tuvalu (.tv) and a number of others are simply leveraging their luck in the two-character assignment lottery by opening up their ccTLD to the world. Both Colombia and Montenegro have however tried to maintain the best of both worlds by reserving third-level registrations (such as .com.co and .com.me) for local entities, thereby providing trusted and dedicated domain spaces for the domestic market, while reaping the benefits of having a desirable ccTLD extension by opening up the second level to the world.

Despite the fact that they are globally-focused and effectively gTLDs, the success of .co and .me highlights the market opportunity that currently exists for other ccTLDs that are yet to establish a clear market position.

Of course, the vast majority of countries do not have the opportunity to reposition themselves as gTLDs to chase the global market, and in most cases there will be a clear preference to focus on the needs of the local market.

A report [PDF] released by Eurid (the .eu Registry) in June highlights the power that well-established and effectively managed ccTLDs can exert in their local markets. In Sweden, for example, the local .se ccTLD scored nearly 100% in terms of awareness and 49% for preference, compared with only 34% for .com. Similar rankings are likely to be enjoyed by other well-established ccTLDs, and we've seen similar numbers in relation to the position of .au in Australia.

Many ccTLDs however face a raft of challenges that are preventing them from achieving anything like this sort of local market position. These challenges can include the absence of local control, legacy systems, inefficient registration processes and restrictive policies, as well as a general lack of local capacity.

When ICANN's new gTLD program finally comes to fruition (likely towards the latter part of 2011), there will be a dramatic increase in choice for prospective domain name registrants across all regions and language groups. Those ccTLDs that are yet to position themselves as the pre-eminent domain space and default choice in their local markets therefore have a finite window of opportunity in which to do so, to ensure that they are not consigned to relative obscurity in the face of dozens of new Top Level Domains.

Written by Jon Lawrence, Business Development Consultant, AusRegistry International

Follow CircleID on Twitter

More under: DNS, Domain Names, Domain Registries, Top-Level Domains

Omnibus Cybersecurity Bill May Not Go Where Original Authors Intended

2010-08-25T19:17:00-08:00

In an interview with GovInfoSecurity, Sen. Thomas Carper said that the U.S. Senate is considering attaching cybersecurity legislation to a defense authorizations bill. Though clearly a ploy to be able to say "we did something about those evil hackers" before the elections, CAUCE applauds the attempt. There can be no doubt that the United States (and many other countries) sorely needs better laws to deal with these threats.

Further, Senate Majority Leader Harry Reid has asked that the cybersecurity bills currently in front of various committees be combined into one single, omnibus bill, which would presumably then be attached to the defense authorizations bill. Here's where we start to get worried.

Each of the bills we've seen (and we surely haven't seen them all yet) have some good points, and some...let's just call them unintended consequences. In every case it's obvious that the authors' intentions were good, but they needed some expert advice from people who understand the technical and legal realities of the internet today.

One such expert, a long-time CAUCE supporter who asked to remain anonymous, shares his review of one of those bills: S. 3742, the "Data Security and Breach Notification Act of 2010." You can read the original and check its current status here.

Please note that this is not legal advice. Our expert is not a lawyer, I'm not a lawyer, and CAUCE did not consult with any lawyers before publishing this article.

Our expert says it's going to be difficult to construct a single good omnibus cybersecurity bill. The bigger and more complicated it gets, the less likely it is that anyone will actually read the bill before voting on it—particularly when they're in a hurry to go home and win an election.

He highlights a few specific items which could be troublesome for just about anyone running a mail server, a web site, or other online services which collect or transit any information:

Page 2, Section 2 (a)(2)(A): More or less everyone's going to need to have personally identifiable information (PII) security policies
Page 3, Section 2 (a)(2)(B): ... and an information security officer
Page 3, Section 2 (a)(2)(C): ... and a process for monitoring for PII breaches
Page 3, Section 2 (a)(2)(D): ... and a process for mitigating PII vulnerabilities
Page 3, Section 2 (a)(2)(E): ... and a process for securely deleting electronic records containing PII
Page 4, Section 2 (a)(2)(F): ... and a process for securely destroying paper and other non-electronic records containing PII
Page 4, Section 2 (b): If you're an "information broker" (which would include nearly anyone who collects information and shares it with anyone else), you have additional obligations, including needing to submit policies to the FTC, needing to provide consumer access to information, tracking access to information maintained by the broker, etc.
Page 13, Section 3 (a)(1): Requires notification solely to US citizens and residents in the event of a breach. Of course, that presumes you know the nationality/immigration status of those whose PII data you hold (hmm, I don't think *anyone* I know does, except for HR departments with regard to their own employees). If I were a covered entity, I'd be strongly inclined to begin soliciting that information from everyone I get PII data from, although of course that may trigger a whole different set of issues, particularly in areas where immigration related issues are a hot button topic.
Page 14, Section 3 (b)(2): Notification by a service provider triggers reporting requirements. This is going to make LOTS of friends for service providers, given the affirmative notification and credit protection obligations that customers accrue after being notified.
Page 19, Section 3 (d)(2)(A): Alternative notification is available for incidents involving LESS than 1,000 individuals. This is goofy.
Normally alternative notification is allowed as an option when the number of covered individuals is very LARGE not very small. For example, some state laws permit alternative notification in cases where costs of providing notice would exceed a quarter million dollars, the affected class of consumers to be notified exceeds 350,000, or the notifying party doesn't have sufficient contact information to provide notice.
There's language on page 22 of the draft bill that may allow regulatory additions to expand when substitute notification is permissible, but the basics for when substitute notification should be permissible should be part of the core statute, not an after-the-fact, maybe-yes, maybe-no regulatory add on by the agency.
Page 25, Section 3 (d)(2)(B): imposes compliance burdens on entities for a year before technical compliance guidance is available. Enforcement of the act should be held until the guidance envisioned by 3(d)(2)(B) is available, and realistically it will take probably an additional period after that for sites to deploy the recommended technology (new projects don't happen over night).
Page 26, Section 3 (h): Potentially requires notification in polyglot languages. This can be a huge administrative PITA—consider the "simple" case of the EU, where there are "only" 23 official languages (Bulgarian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hungarian, Irish, Italian, Latvian, Lithuanian, Maltese, Polish, Portugese, Romanian, Slovak, Slovene, Spanish and Swedish, plus (semi-official) Catalan, Galician, and Basque).
This section could be potentially exceptionally burdensome if the FCC suddenly mandates that sites provide notification in multiple foreign languages (I could see an argument for requiring Spanish as well as English, but there are some communities in the United States where other languages are also very common).
Page 28, Section 4 (b)(1): It seems unnecessarially combative to define all data security incidents as "unfair or deceptive acts or practices." Data security incidents are not typically something which a covered entity intentionally does, neither are such breaches typically "unfair" or "deceptive" in the same way that some TV or Internet huckster's "miracle" product or pyramid sales scheme might be.

The most persuasive argument in the other direction is probably that currently most states already have their own PII breach notification laws, and it can be a pain to try to stay in compliance with 46 different PII information security and breach notification statutes. So again, the intention is clearly good, but in practice...it needs some careful review.

So there are the results from one bill, examined by one expert. He's one of the best minds in the cybersecurity community, yet he may still have missed something. With legislation as important as this, smushing it all together and rushing to attach it to something unrelated is simply a bad idea. This is a topic which requires careful thought, from multiple people who really do know what they're doing—and who can explain it to the Congressional staffers who will write the resulting bill, and then to the Senators and Representatives who will collectively make the decision.

Once that education has occurred, it should quickly become evident that while some of these bills do overlap, others do not. Some will disagree. Some simply contain bad ideas. All of this has to be worked out. Then, finally, it might make sense to combine them—not now, and not just because they all have the prefix "cyber" in the title somewhere.

This article was originally published by CAUCE.

Written by J.D. Falk, Director of Product Strategy at Return Path

Follow CircleID on Twitter

More under: Cybercrime, Law, Policy & Regulation, Security

Network Neutrality in the Wireless Space

2010-08-25T14:49:00-08:00

There's been a tremendous amount written about the Google-Verizon joint proposal for network neutrality regulation. Our commentary at the EFF offers some legal analysis of the good and bad in this proposal. A lot of commentary has put a big focus on the exemption for wireless networks, since many feel wireless is the real "where it's gonna be," if not the "where it's at" for the internet.

Previously I wrote about support for the principles of a neutral network, but fear of FCC regulation and decided that the real issue here is monopoly regulation, not network regulation. My feelings remain the same. In wireless we don't have the broadband duopoly, but it is a space with huge barriers to entry, the biggest one being the need to purchase a monopoly on spectrum from the government. I don't believe anybody should get a monopoly on spectrum (either at auction or as a gift) and each spectrum auction is another monopoly bound to hurt the free network.

Most defenders of the exemption for wireless think it's obvious. Bandwidth in wireless is much more limited, so you need to manage it a lot more. Today, that's arguably true. I have certainly been on wireless networks that were saturated, and I would like on those networks to have the big heavy users discouraged so that I can get better service.

With Martin Cooper (Left), former Motorola vice president and division manager who in the 1970s led the team that developed the handheld mobile phone (as distinct from the car phone).
Source: WikipediaAs I said, on those networks. Those networks were designed, inherently, with older more expensive technology. But we know that each year technology gets cheaper, and wireless technology is getting cheaper really fast, with spectrum monopolies being the main barrier to innovation. We would be fools to design and regulate our networks based on the assumptions of the year 2000 or even on the rules of 2010. We need to plan a regime for what we expect in 2015, and one which adapts and changes as wireless technology improves and gets cheaper. Planning for linear improvement is sure to be an error, even if nobody can tell you exactly what will be for sale in 2015. I just know it won't be only marginally better or cheaper than what we have now.

The reality is, there is tons of wireless bandwidth—in fact, it's effectively limitless. Last week I got to have dinner with Marty Cooper, who built the first mobile phone, and he has noticed that the total bandwidth we put into the ether has been on an exponential doubling curve for some time, with no signs of stopping. We were in violent agreement that the FCC's policies are way out of date and really should not exist. (You'll notice that he's holding a Droid X while I have the replica Dyna-Tac. He found it refreshing to not be the one holding the Dyna-Tac.)

Bandwidth is limitless both because we keep improving it, and because we can build picocells anywhere there is demand. The picocells use very high frequencies and won't go through walls. You may think that's a bug, but actually it's a feature, because you can have two picocells in different rooms that don't interfere much with each other, and get gigabits in each individual room. While wireless use is growing quickly, much of that is coming inside buildings.

In the past, having so many cells would be too expensive. But today the electronics for the cells cost a pittance compared to what old thinking predicted. And that's going to continue. This is just one way we know to get more bandwidth for everybody.

The original question was whether it was good for somebody to be soaking up the wireless bandwidth in your area downloading a movie, and whether networks needed to throttle such users. We scream out that they should, but our thinking is short-term. It is the congestion caused by these heavy users, after all, that drives the innovation and network expansion. If we can "solve" our problem with network management rather than putting in more bandwidth, then we don't create as much incentive to make the bandwidth technology cheap. If the only way we can solve the problem is to boost the network capacity to match the wired one, that's how we will solve it.

Some have argued, in fact, that it's cheaper to solve these problems with more bandwidth than it is to solve them with network management. Network management turns out to be pretty hard, and requires lots of work by human beings, and thus it's quite expensive. And it's not getting cheaper, for it is not a problem that Moore's law (or Cooper's law) helps you as much with. Boosting the network is such a problem. And if you solve congestion this way, and drive the creation of better and cheaper products, not only do you get reduced congestion but you also get a nice fast network when it's not congested. It's a huge win for the network and for the world, since everybody gets to buy the new technology, while not everybody needs the network management.

It's been popular to tell Google they are being evil by getting together with Verizon on this deal. I suspect it's more a case of not thinking about the future. Once the FCC encodes rules into law, we'll have them for decades, and even if we're lucky enough to get the right rules today, they won't be the right rules for the future. Alas, they will probably be the rules the lobbyists want.

If the FCC or FTC want to make rules, they should be monopoly busting rules. Let's have better roaming, for example, so our devices can readily and rapidly make use of the small cells. Most new phones have 802.11, so what about a system where any operator of a short-range access point can easily make it a picocell and sell service to the wireless company (now a wireless aggregator) at negotiated or auctioned rates. Most wifi hotspots would be happy to do this at very low rates (they often do it free right now) that can easily be bundled with any plan. A hotspot that wants to charge extra might only get premium customers.

A good roaming system helps enable the ethic I think is right for spectrum sharing—"don't be selfish." Under this regime you are required to use only as much power and spectrum as you need, and if you're inside a building and there is a nice 100 megabit in-room 5ghz wireless, you should not be broadcasting to everybody for a mile around at 850mhz. Doing so is wasteful and doesn't make sense. If the FCC needs to do anything, it should slightly tweak things to encourage such good behaviour.

Written by Brad Templeton, Electronic Frontier Foundation (EFF) Boardmember, Entrepreneur and Technologist

Follow CircleID on Twitter

More under: Broadband, Mobile, Net Neutrality, Policy & Regulation, Telecom, Wireless

Verizon: Advent of 4G LTE, WiMAX-Based Devices Will Only Increase the Need for IPv6

2010-08-25T10:30:00-08:00

Verizon Business has a message to companies still reluctant to migrate their networks to IPv6: You're better off doing it now than later. William Schmidlapp, Verizon Business's product manager for Internet dedicated access services, says that the advent of 4G LTE and WiMAX-based devices will only increase the need to switch over to IPv6, since each of those devices will require its own IP address…

Read full story: Network World

Follow CircleID on Twitter

More under: Broadband, IP Addressing, IPv6, Mobile, Wireless

Russian Cybercrime is Organized / Russian Cybercrime is Not Organized

2010-08-25T10:23:00-08:00

I like to read other people's stories when it comes to spam, and I like Box of Meat. It's always alerting me to interesting stories around the web that deals with cyber security. But the more I read, the more I see conflicting views on the state of the criminal cybercrime world. On the one hand, the Russian criminal cybercrime underworld is a scary, organized place where people are actively trying to do the rest of us harm. On the other hand, there is the position that that position is an exaggeration of what it is actually like and that it's a bunch of ragtag folks who have some advanced computer skills but they are not formally organized. They trade amongst each other for the highest prices and exchange goods and services like the open market but they are not colluding with each other. I see this very similarly to how I see cyber warfare—on the one hand there are the hawks who believe national cyber threats are behind every corner, and on the other hand there are the doves (for lack of a better word) who claim there is no national cyber threat, it's all about crime that has moved online.

Consider excerpts from this article from the New York Times:

MOSCOW—On the Internet, he was known as BadB, a disembodied criminal flitting from one server to another selling stolen credit card numbers despite being pursued by the United States Secret Service. And in real life, he was nearly as untouchable—because he lived in Russia. BadB's real name is Vladislav A. Horohorin, according to a statement released last week by the United States Justice Department, and he was a resident of Moscow before his arrest by the police in France during a trip to that country earlier this month.

...

The seizing of BadB provides a lens onto the shadowy world of Russian hackers, the often well-educated and sometimes darkly ingenious programmers who pose a recognized security threat to online commerce—besides being global spam nuisances—who often seem to operate with relative impunity.

Law enforcement groups in Russia have been reluctant to pursue these talented authors of Internet fraud, for reasons, security experts say, of incompetence, corruption or national pride. In this environment, BadB's network arose as "one of the most sophisticated organizations of online financial criminals in the world," according to a statement issued by Michael P. Merritt, the assistant director of investigations for the Secret Service, which pursues counterfeiting and some electronic financial fraud.

...

According to the Secret Service statement, Mr. Horohorin managed Web sites for hackers who were able to steal large numbers of credit card numbers that were sold online anonymously around the globe. Those buyers would do the more dangerous work of running up fraudulent bills. The numbers were exchanged on Web sites called CarderPlanet carder.su and badb.biz—according to the Secret Service, and payment was made indirectly through accounts at a Russian online settlement system known as Webmoney, an analogue to PayPal.
...
Computer security researchers have raised a more sinister prospect: that criminal spamming gangs have been co-opted by the intelligence agencies in Russia, which provide cover for their activities in exchange for the criminals' expertise or for allowing their networks of virus-infected computers to be used for political purposes—to crash dissident Web sites, perhaps.

Reading this article, you would come away with the impression that these guys are very good at what they do—they have extensive computer hacking and social engineering skills, are well educated not to mention being good at money laundering (or being affiliated with people who are good at it). We see terms such as 'sophisticated' being used to describe these people. They are a definitive threat and the odds of actually arresting them are small; when they are arrested, it is seen as the exception and not the norm. In any case, they are not a ragtag bunch of people but instead are well organized and intentional about their behavior.

Worse yet, there are possible collusions between themselves and national intelligence agencies. This makes the general public even more concerned because the not-so-subtle implication is that not only do these people have extensive hacking skills, they could potentially use this to cripple national infrastructure if a hostile government, directed by an intelligence agency, instructed them to do so. The general public isn't entirely clear on what spy agencies do anyway, but in our cultures we are ingrained with the belief that they do some nasty stuff. Just imagine what they could do with a small army of hackers.

However, contrast that article with excerpts from this one in eWeek:

When people think of cyber-crime, the typical image being pushed today is that of highly organized criminal operations. New research, however, suggests the underbelly of cyber-space may be less mafia-like than some think. In an effort to improve the level of understanding of today's black hats, security researchers Fyodor Yarochkin and "The Grugq" have spent several months looking at Russian hacker forums.

"It is an ongoing project that we started about 18 months ago," Grugq told eWEEK. "Originally it started when Fyodor investigated some service offerings from Russian hacker forums for a specific project that I was working on. It turned out to be extremely interesting and amusing, so we discussed doing more long-term monitoring on the forums. It grew from there into what is now a continuous monitoring program."

Their research was presented last month at the Hack in the Box 2010 conference in Amsterdam. What the two found was that the image of a highly organized cyber-underworld run by hardcore criminals is not the order of the day. Instead, the dozen or so hacker forums they analyzed illustrated that many of the users are "geeks, not gangsters," the researchers said.

"Basically, from what we've seen on the forums much of what goes on with the sales of services is much more petty criminal activity, or crimes of opportunity," Grugq said. "Often poor students who like to hack for fun will sell access to a server they've owned. Many don't even realize that this is an illegal activity. This sale will be for $20 or $30, which is a lot of money for a poor student in Russia, but for a hardened criminal mastermind bent on destroying Western civilization—not so much."

...

"In terms of percentage, there'd be two to three guys working on stuff professionally, versus 10 to 20 hobbyists," he continued. "Most of the activity is essentially petty criminal activity where guys are trying to make a little extra cash on the side. You can think of it as a self-organizing hierarchical system with needs and people able to provide goods and services to satisfy the needs."

...

"From what we can guess," Grugq said, "any [mob] involvement is more along the lines of some people at the very top of the stack have to pay off the real gangsters. ... So, for example, if you are organizing a massive credit card cash-out scam which nets millions of dollars, you'll have to pay protection money to the mob to not get robbed. It doesn't look like the mob itself is organizing these cash-outs though.

"We're not disputing that organized crime is involved with cyber-crime, but the popular conception of leather jacketed thugs running around with firearms and laptops is not in line with what we have observed from the actual communities," he said. "It seems like it is very useful for some companies to popularize the scary idea of Russian cyber-gangsters, but honestly the involvement seems to be much more hands off."

This is quite a bit different than the perspective offered by the first article. Here, we still have perpetrators that are advanced hackers with strong computer skills. However, they are not organized amongst each other and view their craft like a bunch of frat boys. They boast amongst themselves. They argue amongst themselves. They don't even seem to realize that what they are doing is illegal. What makes the problem so widespread is that the cost of technology has dropped so much and Internet access has become so ubiquitous that they can do a lot of damage with limited human resources.

A few weeks ago I wrote about how many hackers who get arrested are arrested because of their own hubris. They do not have their egos in check and therefore end up leading a cyber paper trail straight to their lairs. Their lack of life experience leads to carelessness, and when that occurs they get caught. It is more of a bunch of individual actors doing stuff, trading stuff, trying to make some money. This is hardly the portrait painted by the New York Times.

So which portrait is correct?

Well, to be sure, there are many hackers out there that are hobbyists, and they are the ones that get caught. But it certainly seems like there are plenty of organized criminal groups out there (such as Avalanche). A conspiracy is often a "nice" way to explain all that's wrong in the world, but most conspiracies rarely hold up to close examination (never attribute to malfeasance what you can simply attribute to incompetence).

My theory is that this is a variant of the Pareto principle. The Pareto principle, also called the 80/20 rule, states that 80% of the effects are from 20% of the causes. In a business, 80% of the revenue comes from 20% of the sales. 80% of the systems crashes are caused by 20% of the bugs. 80% of the movement on the stock market comes on 20% of the days (not sure if this one is true… it sure feels like it).

In the same way, 80% of the cybercrime is caused by 20% of the cyber criminals. The other 80% of the cyber criminals do some damage and are not so difficult to back trace. They are nuisances and commit online fraud but will always remain small potatoes. By contrast the good ones, the 20%, are very good at what they do. They are smaller and better and cause more damage, and get paid more. The reason they get paid more is because they are more skilled and have the full repertoire—good computer skills and good people management skills, that is, the ability to stay anonymous.

People who are good at their craft usually make more money, and in order to stay alive in the criminal underworld (that is, without getting arrested), you need to be good. Not everyone is good at what they do (like the players on my favorite football team which explains their current 2-6 record). The ones who aren't that good browse forums and chat openly about stuff. They don't make too much money. The ones who are good are busy honing their craft, coming up with new ways to separate people from their money and they don't browse forums. They are spending their time getting better at what they do, not raising their profile.

That's why the second article paints a picture of a disorganized structure of hackers. The hackers that they can examined fall into the 80% that just aren't the kingpins of the industry. That's why the first article paints a picture of doom and gloom, they are studying the elite group of hackers that are difficult to catch and more difficult still to profile.

That's my theory.

Written by Terry Zink, Program Manager

Follow CircleID on Twitter

More under: Cyberattack, Cybercrime, Security

IT Risks for Cloud Computing

2010-08-25T07:53:00-08:00

As the industry-wide paradigm shift to cloud computing and software-as-a-service gradually continues to make the transition from buzz to reality, security and availability continue to emerge as the main barriers to customer adoption. A recent ISACA survey of over 1,800 US IT professionals found that only 17 percent believe the benefits of cloud computing outweigh the risks. Only one in 10 respondents said they would consider using software-as-a-service (SaaS) for mission-critical applications.

While some of this hesitance can probably be attributed to an overabundance of caution and the general human tendency to be wary of change, some security concerns are well-founded.

Companies entrusting their sensitive data to a SaaS provider need to be reassured that the data cannot be accessed by unauthorized third parties, such as employees and other customers of the provider, whether at rest or in transit. Data leakage has always been a potential issue at the low end of the hosting market—budget customers on shared servers—but the co-tenancy sometimes involved in cloud computing carries the perceived risk of bringing the problem to enterprises. SaaS providers need to be open and transparent with their customers about their security precautions, such as their encryption and access control regimes, as well as their layers of physical security.

There are other concerns, such as distributed denial-of-service attacks. As DNS service providers and others can attest to, when you have many thousands, or millions, of customer accounts running on the same infrastructure, you increase the risk of that infrastructure becoming the target of an attack. It's the old all-your-eggs-in-one-basket problem. To a DDoS-attacker focused on extortion, political retribution or simple vandalism, a broad customer base looks more like a convenient, aggregated attack surface. They can channel their resources on a narrower choke point, getting their message across by attempting to cause maximum collateral damage.

Of course, the opposite case can also be made: securing systems can be an expensive proposition, and companies can actually benefit from the substantial economies of scale that SaaS providers offer in terms of cost and security. Benefits include the availability improvements brought about by consolidated patch management, the economics enabling a much more diverse technology base that is less vulnerable to exploits, and the ability to quickly respond to DDoS attacks by reallocating resources.

It's important that both SaaS providers and their customers do not overlook reliable DNS provision as a key component of their overall security strategy. Companies can often blow their budgets on a super-redundant hosting infrastructure and forget about DNS—the only way their customers can actually reach it. Far too many times DNS is allowed to become the weak link in the chain, making it an ideal target for would-be attackers. All DNS services must come with a Service Level Agreement (SLA). Accepting anything less than 100% up-time for that SLA means you are accepting downtime for your business.

SaaS customers, however, often forget about DNS. Signing up for Google Apps, for example, is fairly straightforward and free, so it's easy to be quickly lured into a false sense of security, believing that your critical applications now reside on one of the world's largest and most robust data centers. This is of course not completely true. While cloud services such as Google Apps have brought many efficiencies to enterprises, they usually do not natively support DNS resolution. If you've forgotten to effectively provision your DNS, and it goes down, so does your Google Apps.

For a SaaS provider, surveys showing customer reluctance to adopt your services should of course be of some concern. But this hesitance also provides cloud computing companies with excellent opportunities to differentiate their services. When customers make buying decisions with security and availability as their primary concern, there's a clear incentive for SaaS companies to compete on security—a rising tide that carries all boats with it.

Written by John Kane, Vice President of Corporate Services, Afilias

Follow CircleID on Twitter

More under: Cloud Computing, Data Center, DNS, Security