In order to participate, please RSVP via email to the GNSO Secretariat (gnso.secretariat@gnso.icann.org) to receive the call details.
Whether you plan to participate in the upcoming ICANN meeting in Prague remotely or in person, you're invited to an update on the background and current status of each major policy issue currently under discussion in ICANN.

I ordinarily spend a lot of my time talking about the technical aspects of threat detection and examining the tools and strategies that the bad guys are employing to subvert corporate defenses and breach their objectives, so it was refreshing last week to speak with a large bunch of C-level folks from Fortune-250 companies and to get the opportunity to step back a little.
Talking technical is easy. Distilling technical detail, complex threats and operational nuances down to something that can be consumed by people whose responsibility for dealing with cybercrime lies three levels below them in their organizational hierarchy is somewhat more difficult. Since so many readers here have strong technical backgrounds and often face the task of educating upwards within their own organizations, I figured I'd share four slides from my recent presentation that may be helpful in communicating how the world has changed.
The overall context of the hour-long presentation was the paradigm change from protection back to detection — given the scope and capabilities of modern organized crime. The following slides came from the first quarter of the hour — setting the scene for how protection technologies have failed and what organizations need to do in light of that failure.
In essence, this slide talks about how the adversary has changed from the old model. Gone are the days of a single hacker looking to break into an organization and toast all the systems. Sure, some of these guys still exist, but that's not where the threat lies today by any statistical analysis. Instead, what organizations are facing is a complex ecosystem where expertise is plentiful and available for relatively low prices. Most importantly, the adversary is now a professional in every sense of the word and needs to be respected as such. Failure to do so is at your peril.
While the adversary has changed for the worse, so too has the target. Consumerization of IT and BYOD, while buzzwords in every sense of the word, really are fundamentally changing the threat landscape and the ability of organizations to combat sophisticated threats. Speaking with lots of people charged with defending their corporations from within, they really do feel powerless to combat Mac threats, Android malware, etc. or enforce application and desktop policies (for whatever that means in the world of iPads and App stores).
Everything is playing into the bad guys' hands. The devices their targets are using are varied and widespread, they roam and bridge networks, they have hundreds of applications yet few are patched in a timely manner, and the threat of personal information being leaked has ensured that encryption of communications is the norm — too bad that those nosey IT security guys now can't inspect that traffic for malicious attacks.
In essence, the onus of securing the enterprise has slipped from the corporate IT folks and landed firmly in the hands of their enabled workforce — who happen to be poorly suited to the task.
Oh, and then there's the "Cloud". Not the Cloud supplying cheap processing power and high availability mission-critical applications at a fraction of the cost of legacy systems. Rather the Cloud that is the 2nd millennium USB stick — the mechanism for transporting infected files between one device and the next.
IT security departments have invested millions of dollars in their defense in depth strategies. Multiple layers of "protection" (and expense), overlapping redundancies and a continuous stream of alerts have had debilitating effects on thinly-stretched security teams.
Even if those layers of defense had been working, the "solution" for the bad guys was (and is) to "attack in depth". The tools and techniques they now employ are multi-faceted and their complexity is hidden from the attacker. The hard work of innovation and coding was done by some expert far away, and their expertise (along with that of dozens of others) has been combined into a single campaign.
Last but not least, I talked about the "marginalization of protection". My objective in this part of the discussion was to point out that trying to protect everything has never worked, and will be even less successful going forward. The consumerization of IT and the diversity of devices out there have also pushed organizations (including vendors) into territory that is simply uneconomical to try to secure.
While effort still needs to be applied to "protecting" the enterprise, my advice is to consolidate those expensive resources around the most valuable things of the organization and only grow outwards from there if you're successful.
In response, organizations need to assume that they are compromised and will continue to be compromised many times over, and often in many interesting ways. The onus shifts to how an organization can rapidly detect a compromise and how seamless the remediation needs to become.
I used to say that the most economical course of action was to simply reimage the computer when you were able to confirm the compromise. Nowadays that may not be quick enough, nor appropriate. Today you should reimage when your threshold of suspiciousness has been reached and, if you can't reimage (e.g. iPads, etc.), then remotely reset the device to factory defaults and wipe any stored content so it can't re-infect itself.
What about those critical devices — such as the CFO's laptop — which can't be reimaged without a lot of disruption? Let's be clear, just because you detected one piece of malware or remote control agent on the device doesn't mean that it's the only one installed. And if you're thinking you can safely remove everything related to the infection, then you're either ill-informed or it wasn't a threat to begin with.
Frankly, if you have critical devices that cannot be reimaged for any reason at the drop of a hat, then you've got bigger problems with your IT operations than mere breaches by professional criminals, and your organization needs to reevaluate its security operations at a fairly fundamental level. If a device is so critical that it cannot be recovered, it most certainly shouldn't be a roaming laptop, accessible via the Internet, or operated by personnel with higher than average probabilities of being targeted.
Written by Gunter Ollmann, VP of Research at Damballa
The World Intellectual Property Organization (WIPO) recently issued a detailed press release regarding Uniform Dispute Resolution Policy (UDRP) cases for which it provided arbitration services in 2011 and, once again, the number of WIPO filings was up. According to WIPO: "In 2011, trademark holders filed a record 2,764 cybersquatting cases covering 4,781 domain names with the WIPO Arbitration and Mediation Center (WIPO Center) under procedures based on the Uniform Domain Name Dispute Resolution Policy (UDRP), an increase of 2.5% and 9.4% over the previous highest levels in 2010 and 2009, respectively."
Yet that's an incomplete picture. At the other major UDRP arbitration provider, the National Arbitration Forum (NAF), 2011 case filings were down 4% in 2011, declining from 2,177 cases in 2010 to 2,082 in 2011. The vast majority of these cases (96.2%) involved gTLDs like .com and .net; cases were concluded an average of 35 days after filing, but some were resolved in as few as 20 days — and 17%, a full one-sixth of filed complaints, were resolved directly by the parties with no need for panel arbitration. (That noteworthy record again raises the question of why a supplemental Uniform Rapid Suspension (URS) process is even needed for new gTLDs, but that's a separate subject.)
So, overall, the WIPO 2.5% increase was balanced out by the NAF 4% decrease and total UDRP filings at the two principal ICANN-accredited arbitration providers were essentially flat in 2011.
The Internet Commerce Association's (ICA's) Code of Conduct condemns intentional cybersquatting, so we are happy to see filings stabilize and would be delighted to see them decline further in the future. But we do think these filing figures need to be calmly placed in the broader context of total domain registrations. And, according to VeriSign's December 2011 Domain Name Industry Brief, domain registrations increased by 8.9 percent in the preceding year.
So, we think it's quite significant that total 2011 UDRP case filings did not increase notwithstanding a near-9% increase in total domain registrations. This marks yet another year in which UDRP filings declined as a percentage of all domain registrations.
While the NAF press release does not include the total number of domains involved in the cases filed with them we can guesstimate that, when we also include the additional second tier UDRP arbitration providers, approximately 9,000 domains were at issue in all 2011 cybersquatting cases filed with all UDRP providers.
That's 9,000 out of a total of about 220 million registered domain names. In other words, for each million domain registrations there are about 41 domains alleged to be cybersquatting in UDRP cases.
We expect that trademark interests will counter that the number of UDRP filings represents just "the tip of the iceberg" of abusive domain registrations, and will also point out that some but not all ccTLDs are subject to UDRP. And we'll concede those points — while also noting that .com and .net registrations totaled 112 million, just over half of all domains, and that these are the gTLDs that attract the most Internet traffic and are therefore most likely to be abused by intentional cybersquatters. So, while UDRP filings are not an exact proxy for the full extent of cybersquatting, they are the best measure we have of instances in which the resulting harm or domain value were judged sufficient by a trademark owner to invest the relatively modest sums of a $1300 filing fee plus associated attorney fees.
We are also well aware of studies — like this from Sophos — indicating that major brand names are subject to significant typosquatting. Despite finding that malware was virtually nonexistent on such websites, that study nonetheless observed that "typosquats are by no means harmless". Yet, other than the 2.7% of typosquatted domains that "fell into the loose category of cybercrime", a significant portion of the remainder of typosquatted websites appear to fall outside the scope of the "bad faith registration and use" standard required for a successful UDRP filing. So it's not just that rights holders have concluded that a particular typosquatted domain isn't worth the monetary cost of filing and pursuing a UDRP — they may have also concluded that they would not prevail. That is, those domains may fall more into the category of annoying nuisance rather than bad faith infringement, and are not generally associated with criminal activities such as phishing or with bad acts such as malware distribution.
Notwithstanding this contextual decline of 2011 UDRP filings, we are quite sympathetic to the costs imposed on brand owners of maintaining portfolios of defensively registered domain names that could be easily cybersquatted if released back for public sale. Reducing this cost is a subject that could certainly be addressed by an open and inclusive UDRP reform process within ICANN — if trademark interests will ever stop working to defer the initiation of such a process.
We'd also point out that if even one-one-hundredth of one percent of all domains registered today were cybersquatting in a manner sufficient to justify a UDRP filing that would currently total about 22,000 domains, and the actual number of UDRP filings last year involved less than half as many domains. In other words, based just on UDRP filings, more than 99.995 percent of all domains are not cybersquatting. That's right, 2011 UDRP filings involved less than one-two-hundredth of one percent of all registered domains. Even if the filed cases understate the incidence of UDRP-violating cybersquatting by a factor of one hundred, the problem would rise to just under one-half of one percent of all domains, with the remaining 99.5 percent being non-infringing.
We note all this not to excuse cybersquatting but to indicate that the problem appears to be small, manageable, and diminishing as a percentage of registered domains year after year based on UDRP filings — and that the UDRP provides a relatively fast and inexpensive alternative to litigation in court. So any trademark interest advocacy for 'rights protections' that are more numerous and stringent than what's already available is not strongly supported by the available evidence.
We'd also note that many ICA member providers of "parking" or other domain monetization services, as well as of secondary domain marketplaces, have established either formal or informal means by which trademark owners can bring alleged infringement claims to their attention and block clearly infringing domains. These services are available at no cost to trademark owners, and should often be their first recourse in advance of filing a UDRP claim.
As for the WIPO press release declaration that, "With the domain name coordinating body, ICANN, allowing for a massive increase in the number of new domains, brand owners' resources will likely be stretched further," that seems entirely speculative for now — especially since brand owner resources were not stretched further in 2011, with total UDRP filings being flat and actually declining in the context of an expanding DNS environment. WIPO's statement also ignores the fact that the Trademark Clearinghouse will let trademark owners secure, block, and issue warnings in regard to new gTLD domains in an unprecedented manner to reduce cybersquatting.
So let's wait and see what applications are actually filed for new gTLDs, and then wait to see what registrants they attract and what visitor traffic they generate, and then make a judgment on the impact of new gTLDs on trademark owners that is informed by facts rather than speculation. (We note in passing that NAF's statement makes no similar gloomy predictions regarding cybersquatting at new gTLDs.)
One final thing to remember is that arbitration providers like WIPO can affect the number of UDRP filings by allowing their panelists to alter long-established practices and thereby change UDRP policy in a one-sided manner. For example, recently a WIPO panel ruled that ceat.com must be transferred to CEAT Ltd., an Indian tire company, even though there was scant evidence that the domain had been registered, much less used, in bad faith (See: CEAT Limited, CEAT Mahal, v. Vertical Axis Inc. / Whois Privacy Services Pty Ltd). Another WIPO panel recently ruled in FACI Industries v. BuyDomains.com, Inventory Management that faci.com be transferred to the non-famous metal casting firm FACI Industries of Bolingbrook, Illinois even though there was ample evidence that the registrant exercised due diligence to avoid infringing the complainant's trademark rights (See: FACI Industries v. BuyDomains.com, Inventory Management). As the dissenting panelist in CEAT stated, "To hold that such a valuable word cannot be used as a domain name simply because 'the domain name is a trademark and has no descriptive meaning' is not supported by the Policy and is a very severe restriction on the right to register a domain name that is not contemplated by ICANN in its policies or practices… That is simply a rewriting of the Policy that is entirely unsupported. Clearly, registering a word that both parties say is an acronym and using it for purposes unconnected with the Complainant or its activities does not violate the Complainant's trademark rights or the Policy."
These rulings open the door to any short domain name that can constitute an acronym for one or multiple organizations being subject to "first to file" UDRP actions encouraged by trademark attorneys. We are already seeing an uptick of new UDRPs related to acronym domains, and if this becomes a flood in the remainder of 2012 — encouraged by the ceat.com and faci.com rulings, which deviate from years of UDRP practice related to acronym domains — does that mean that cybersquatting is up, or that cybersquatting has been unilaterally redefined down by WIPO panelists and that as a result the trademark bar sees a new UDRP opportunity to bring to clients' attention?
These disturbing and controversial acronym domain rulings again illustrate why WIPO and other UDRP providers should reconsider allowing panelists deemed "neutrals" to also serve as advocates for complainants or registrants, given the clear potential for conflicts of interest, and the certain appearance of potential conflicts. They also illustrate that prior decisions should have a more binding precedential effect than they are accorded under the current WIPO Overview. The UDRP process should remain an available remedy for squelching a declining pool of infringing domains, but should not be permitted to become a mercurial full employment program for creative trademark attorneys.
ICA will continue to press for meaningful UDRP reform, including changes to assure that arbitration "neutrals" do not have inherent conflicts. But for now we are happy to note that total UDRP filings continue to decline as a percentage of all domains and remain a tiny fraction of the overall DNS infrastructure. That's something worth remembering the next time you see allegations that cybersquatting is out of control.
Mr. Corwin serves as Counsel to the Internet Commerce Association
Written by Philip S Corwin, Founding Principal, Virtualaw LLC; Counsel, Internet Commerce Association
In my previous blog on the topic, I stated that the business case supporting the IPv4 roll-out in the late 90s was the Internet. Although IPv4 address depletion will slowly become a reality, the chances are that, due to mitigating technologies such as NAT and DNS64, it may take quite a while before organizations in the developed economies get serious about IPv6.
So where should we look to find a business case for IPv6?
Over the last year or two, the shift towards the cloud computing paradigm has started to make some pretty impressive waves. Although still at a relatively early stage, we are seeing both service providers and enterprises coming out with brand new strategies for public and private clouds. Based on the recent developments, we estimate that by 2015, the way in which applications and network services are consumed will be very different from what it is today. The discontinuity here will be just as big as the Internet was some 15 years ago.
As far as the IPv6 business case is concerned, not many people have realized how critical IP addresses and DNS are for the cloud orchestration process. To commission or decommission a virtual machine, one needs to reserve or to free an IP address, preferably within a window of 300 milliseconds. Further, in order for that newly commissioned virtual machine to be easily accessed, a DNS entry is also needed. With Infrastructure 1.0 utilizing IPv4 spaces managed with Excel spreadsheets, the cloud doesn't scale.
To address this issue, anyone serious about cloud computing will have to come to accept that Infrastructure 2.0 is required in order for the cloud computing paradigm to work as intended. If someone is to make a considerable investment in a cloud environment, protecting the investment for at least the next 10 years becomes essential. And the way I see it, this is where IPv6 comes in.
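The commission/decommission step described above, as an added illustration that is not part of the original post or of any Nixu product: a minimal address pool that reserves an address for a new VM, frees it on decommission, and emits the forward and reverse DNS records the VM needs. The network prefixes, zone name and hostnames are constructed sample values; the same code run against a small IPv4 pool exhausts after a handful of VMs, while an IPv6 /64 does not.

```python
import ipaddress


class AddressPool:
    """Minimal IPAM for cloud orchestration: reserve an address when a VM is
    commissioned, free it on decommission, and emit the DNS records the VM
    needs to be reachable. Works for IPv4 and IPv6 networks alike.
    (Illustrative code; not a real orchestration product.)"""

    def __init__(self, network, zone):
        self.network = ipaddress.ip_network(network)
        self.zone = zone                 # forward zone, e.g. "cloud.example"
        self.allocated = {}              # hostname -> ip address
        self.recycled = []               # freed addresses, handed out first
        self.next_offset = 1             # offset 0 is the network address
        # IPv4 keeps its last address for broadcast; IPv6 has no broadcast
        v4_reserved = 2 if self.network.version == 4 else 1
        self.capacity = self.network.num_addresses - v4_reserved

    def reserve(self, hostname):
        """Commission: hand out a free address for hostname, or raise if the
        pool is exhausted (the IPv4-with-spreadsheets failure mode)."""
        if hostname in self.allocated:
            raise ValueError(f"{hostname} already has an address")
        if self.recycled:
            addr = self.recycled.pop(0)
        elif self.next_offset <= self.capacity:
            addr = self.network.network_address + self.next_offset
            self.next_offset += 1
        else:
            raise RuntimeError(f"pool {self.network} exhausted")
        self.allocated[hostname] = addr
        return addr

    def release(self, hostname):
        """Decommission: return the address to the pool so it can be reused."""
        addr = self.allocated.pop(hostname)
        self.recycled.append(addr)
        return addr

    def dns_records(self, hostname):
        """Forward (A/AAAA) and reverse (PTR) records in zone-file style,
        so the new VM is reachable by name as soon as it is commissioned."""
        addr = self.allocated[hostname]
        rtype = "A" if addr.version == 4 else "AAAA"
        fqdn = f"{hostname}.{self.zone}."
        return [
            f"{fqdn} IN {rtype} {addr}",
            f"{addr.reverse_pointer}. IN PTR {fqdn}",
        ]


def commission_many(pool, count):
    """Commission `count` VMs (constructed names vm0..vmN); return how many
    received an address before the pool ran dry."""
    ok = 0
    for i in range(count):
        try:
            pool.reserve(f"vm{i}")
            ok += 1
        except RuntimeError:
            break
    return ok


if __name__ == "__main__":
    # Constructed sample prefixes from the documentation ranges.
    v4 = AddressPool("192.0.2.0/29", "cloud.example")
    v6 = AddressPool("2001:db8:cafe:1::/64", "cloud.example")
    print("IPv4 /29 commissioned:", commission_many(v4, 10), "of 10")
    print("IPv6 /64 commissioned:", commission_many(v6, 10), "of 10")
    for line in v6.dns_records("vm0"):
        print(line)
```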
In this light, IPv6 can be viewed as a similar enabler to the cloud as IPv4 was for the Internet. From the business perspective, IPv6 enables the cloud to scale into the foreseeable future. Furthermore, by making IPv6 a standard feature in clouds, organizations investing in them can make sure that their basic architecture will stand the test of time, thereby optimizing the cloud ROI.
Written by Juha Holkkola, Managing Director of Nixu Software
Intuit picks up Apps.net domain name and other notable domain purchases.
The biggest name on this week’s end user domain sales report is Intuit. The company (of Quicken and Quickbooks fame) bought Apps.net for EUR 21,400 at Sedo. It already owns Apps.com. It offers Intuit Apps for many of its products.
Here are other domain name purchases by end users over the past week.
Sedo
Ad network Multi-View, Inc. made this week’s big $112,000 purchase of AHHA.com.
Travel Networks Europe Ltd, owner of rental car finder CarJet.com, paid 3,000 GBP for CarHirecover.com.
Jasper Engines & Transmissions paid $2,000 for MyJapser.com.
The restaurant data company behind FoodServiceReport.com bought RestaurantData.com for $1,299.
Travel services company HOTELBEDS SPAIN, S.L.U. bought AttractionStore.com for $1,895 and ResortActivities.com for $1,295.
University of Toronto mathematician James Colliander bought CrowdMark.com for $995. It will be interesting to see what he does with it.
Afternic
Westport, Connecticut cycling/spin studio JoyRide Cycling Studio picked up JoyrideStudio.com for $1,495. It currently owns Joyride-Cycling.com and JoyrideWestport.com.
Embassy Loans bought the singular version of its domain name — EmbassyLoan.com — for $1,500.
Healthcare company Primary Care Partners in South Florida bought HealthyPartners.com for $3,788.
The Catamaran Company, seller of catamarans (a type of boat), paid $2,088 for LagoonCatamarans.com.
Elite Estate Buyers Inc, which already owns EliteAuction.com, bought EliteConsignment.com for $2,088.
Business intelligence company Third Time dropped the hyphen in its domain name for $1,200 by picking up ThirdTime.com. Nice purchase.
Book publisher Health Communications, Inc, whose slogan is “The Life Issues Publisher”, bought LifeIssues.com for $8,800. Nice sale.
Godat Landscape Construction Company paid $1,388 for Godat.net.
ShortTermStays.com, an L.A. short term rental referral service, bought ShortTermStay.com for $2,100.
It appears that Lufthansa Technik has purchased LTCS.com for $2,500. The whois record for the domain doesn’t mention the company, but the registrant’s email address is LTCS.aero, which is owned by Lufthansa. The actual registrant is Gordon Weller, Sr. Director Customer Service & Account Management for the company.
Max New York Life bought MaxLifeInsurance.com for a whopping $21,000.
Affordable Power, L.P., which goes by the name APG&E, picked up APGE.com for $5,088.
The owner of Waverlyhomes.ca bought Waverlyhomes.com for $2,000.
Calgary Co-operative Association Ltd. bought YourCoop.com for $2,655.
A brand new company called Canada Carbon has purchased none other than CanadaCarbon.com for $1,995.
Instant Home Loans, Inc. d.b.a. Instant Capital, bought InstantCapital.com for a strong $14,500. Its web site is MyInstantCapital.com.
American Trash Management, a unique company whose mission is to “reduce the environmental impact, costs and problems of trash”, bought SmartTrash.com for $2,188.
Production company Flatland Pictures bought MusicProfessor.com for $1,888. Perhaps the title of an upcoming film?
© DomainNameWire.com 2011.
Request for .xxx domain name denied.
United Kingdom insurance company BGL Group Limited, better known as CompareTheMarket.com, is the first complainant to lose a UDRP for a .xxx domain name.
The company filed the complaint against UK resident Jon Watkins, who registered the domain back in December when .xxx became generally available.
But as I’ve argued previously, it can be rather difficult to prove bad faith in the registration of a .xxx domain name. Most complainants aren’t in the adult entertainment business. And few .xxx domain names will be parked, which could have resulted in PPC ads related to a complainant. So unless the mark is very famous (and not descriptive/generic) or the owner of the domain tries to sell the domain to the complainant, proving registration in bad faith isn’t easy.
That’s what happened here. A Czech Arbitration Court panel wrote:
But Complainant fails to prove bad faith registration or use of the domain. Complainant states that the domain is “completely inactive”. Complainant does not show that Respondent tried to sell the domain to Complainant, has registered other infringing names, or otherwise has tried to profit from the domain or cause any other harm to Complainant. Respondent is not shown to have had prior UDRP cases in which he has been an unsuccessful Defendant. Clearly, “compare the market” could relate to myriad different types of markets and myriad different comparisons within each one, as demonstrated by a simple web search.
I’m not quite sure why BGL went after this domain name. If it were an active domain name with porn on it and it was getting search rankings I’d understand. Otherwise this seems like a waste of money.
Companies have filed over 20 UDRP cases against .xxx domain names. None had lost prior to this case.
Zimbabwe.com sells for a fraction of what it sold for in 2007.
We always hear stories about people who bought domains and flipped them for many times their purchase price. But the opposite also happens.
Take the case of Zimbabwe.com, which just sold for $42,500 at Sedo.
The last time this domain (reported) sold was in 2007. Purchase price: $130,000.
It’s possible the domain also changed hands in 2008. Regardless of whether it has changed hands since 2007, the domain took a total haircut of $87,500 during that period.
Not pretty.
There’s not a whole lot you can do with Zimbabwe.com from a commerce perspective other than offer elephant hunting trips.
Ideally a buyer would use the domain to help shed more light on Robert Mugabe’s atrocities.