
GDPR and What Comes Next: The Parade of Horribles

Fri, 2018-02-23 22:31

The compliance deadline for the European Union's General Data Protection Regulation (GDPR) is nearly upon us, the unveiling of a proposed model to bring WHOIS into compliance is said to come from ICANN next week, and everyone is scrambling to understand all that's involved. Implementation of a revised WHOIS model is clearly on the horizon, but what comes after may be the real story! Specifically, if WHOIS information becomes more than nominally restricted, what's the consequence to the data controllers (ICANN and the contracted parties) who implement this revised model?

WHOIS and Critical Tasks

WHOIS is critical for:

  • Informing buyers/sellers/brokers of domain names about the soundness of ownership and transparency into the parties to a transaction;
  • Helping law enforcement and other authorities investigate and resolve criminal activity, and predict the growth or migration of that activity across the DNS;
  • Enabling brand owners and other IP rights holders to protect and defend their marks and assets; and
  • Helping security experts quickly and effectively deal with and identify patterns for the spread of malware, botnets, spam and other abusive behavior in the DNS.

These are but a few examples and, while WHOIS may seem like an "aside" to the critical role domain names play on the Internet, this underlying ownership data is crucial to many functions that keep the domain name system secure and stable.

Curtailing WHOIS - Where will the Data Come From?

I understand that some registrars and registries have embraced — and even started engineering for — a compliance model very similar to ICANN's Model 3, a system the European Commission itself says is probably too restrictive. If a system that obstructive is embraced, data may go away, but the need for that data to perform critical tasks does not. As one industry observer put it:

What the European Data Protection authorities have not yet put together is that the protection of people's mental integrity on the Internet is not solely due to the action of law enforcement, but a cast of others (anti-spam/abuse initiates, DDoS mitigation, etc.) who are not law enforcement but do rely upon visibility into the DNS Whois to perform their services.

Significantly, respected security researcher Brian Krebs also made note of weakening security:

For my part, I can say without hesitation that few resources are as critical to what I do here...than the data available in the public WHOIS records. WHOIS records are incredibly useful signposts for tracking cybercrime, and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities.

So what happens next? Contracted parties have more than a small stake in the answer to that. Why? Because they're the caretakers of WHOIS data, and in a world of curtailed WHOIS, the data necessary to critical tasks has to come from somewhere, and be brought to light somehow.

Let's take IP rights enforcement. Say, conservatively, there are 1,000 queries a day (via port 43) to a registrar's WHOIS. Now say, again conservatively, that 1% of those queries yields actionable information. The registrar, today, is off the hook, for the most part. The infringed-upon party usually pursues the matter and goes after ten "bad guys."

In a restricted scenario, perhaps the registrar is now looking at 10 subpoenas for the previously publicly available data. But now assume a larger registrar gets one million queries a day. That 1% becomes 10,000 potential court actions to sort out. And that's BEFORE the community arrives at a layered/gated model, with access offered to accredited third parties (potential mitigations that appear to be months away). I can't imagine a registrar as large as GoDaddy or the Web.com family wants to deal with 10 court-sourced actions, never mind 10,000 or more — on a weekly or daily basis. Contracted parties need to very carefully consider these operational impacts when contemplating which models to implement or push for with ICANN ... as should ICANN.

Other Operational Impacts

A flood of legal service might not capture the whole picture.

  • A restrictive WHOIS means the bad guys can hide more easily, and for longer. Registry zone files could clutter up with bad actors, and registrars may have customers in the house they don't want.
  • Query rates directly to the registrar community will squeeze upstream — especially under some of the layered/gated models being considered.
  • There will be damage to brands, financial institutions, secure sites, and others that rely on the security community to quickly mobilize against bad actors or even anticipate their moves.
  • External entities will be forced to use "blunter" instruments to protect users and consumers, and to pursue bad actors. Perhaps even by black-listing specific registrars or top-level domains.

Accuracy - the Other Liability Not Being Considered

After GDPR models are implemented, now hiding behind a "gate" will be a database full of inaccurate or false information. We know this because today it is reported that even in Europe, less than half of WHOIS records contain data that meet operability standards. The European Commission's recently released technical input on ICANN's proposed GDPR-compliant WHOIS models underscored the GDPR's "Accuracy" principle — making clear that reasonable steps should be taken to ensure the accuracy of any personal data obtained for WHOIS databases and that ICANN should be sure to incorporate this requirement in whatever model it adopts.

Many registry and registrar operators may be tempted to say, "So what? It's what the registrant gave us and that's where our obligation ends." But the European Commission official who spoke during the February 22, 2018 discussion hosted by the BC and IPC indicated that controllers are responsible for the data quality under GDPR, and that inaccurate WHOIS data can be the basis of GDPR-based claims by data subjects and other recipients of inaccurate data. This certainly increases the risk to GDPR compliance and begs the question why ICANN wouldn't ensure that contracted parties implement processes to validate and verify the contact information they allow into the WHOIS database.

Getting it Right

After months of discussion, review of countless documents and proposals, and many meetings, I'm still left feeling that we're heading down a path that could result in a system with fewer benefits for all stakeholders and that we're missing an opportunity to properly resolve a decades-old debate.

ICANN should move quickly to consult with all stakeholders to address critical elements of the resulting model, including e-mail address inclusion, verification for accuracy, bulk WHOIS access, and proper scoping. That model must include access to data for security and end-user protection; the latter cannot be imposed retroactively.

This is a critical move, before unintended consequences start to arrive.

Written by Fabricio Vayra, Partner at Perkins Coie LLP

Follow CircleID on Twitter

More under: Domain Management, Domain Names, ICANN, Internet Governance, Policy & Regulation, Whois

Categories: News and Updates

U.S. Government Officials Raise Concerns Over Intel's Long Delay Informing Government on Chip Flaws

Thu, 2018-02-22 21:23

Latest reports suggest Intel Corporation did not inform U.S. cybersecurity officials about the so-called Meltdown and Spectre chip security flaws until they were leaked to the public, six months after Intel was notified of the problem. Stephen Nellis reporting in Reuters: "Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications. Intel said it did not think the flaws needed to be shared with U.S. authorities as hackers had not exploited the vulnerabilities." The timing of the disclosures was detailed in letters sent by Intel, Alphabet and Apple Inc on Thursday in response to questions from Oregon Republican Representative.

More under: Cybersecurity

SEC Reinforces and Expands Its Cybersecurity Guidance for Public Companies

Thu, 2018-02-22 20:02

The Securities and Exchange Commission has issued updated guidance for public companies on preparing disclosures about cybersecurity risks and incidents. SEC Chairman Jay Clayton said: "The guidance highlights the disclosure requirements under the federal securities laws that public operating companies must pay particular attention to when considering their disclosure obligations with respect to cybersecurity risks and incidents. It also addresses the importance of policies and procedures related to disclosure controls and procedures, insider trading, and selective disclosures. ... I believe that providing the Commission's views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors." According to the released statement, the SEC voted unanimously to approve the guidance on Tuesday.

More under: Cyberattack, Cybercrime, Cybersecurity, Policy & Regulation

Domaining Europe Returning Home to Valencia, Spain for 10th Anniversary Show Next Spring

Thu, 2018-02-22 17:27

The Domaining Europe conference began in Valencia, Spain almost a decade ago and the first seven shows in the annual series were staged at the Hotel Sorolla Palace there. In 2016 conference founder Dietmar Stefitz decided to take the show on the road, staging that year's event in The Hague, Netherlands, followed by the 2017 show in Berlin, Germany this past May. With the 2018 conference marking the 10th anniversary of the popular event, Stefitz decided it was only fitting that the event go back to where it all began in Valencia. So, he has booked the Sorolla Palace and set the dates for June 7-9, 2018.

Stefitz is determined to make the 10th anniversary show a special one, so he has already started putting the agenda and speaker lineup together. Braden Pollock is again coming over to Valencia from the United States to moderate the event. An opening-day keynote address is also planned for 10 a.m. on June 7, featuring pioneering domain investor and DomainMarket.com founder Michael Mann with a talk titled "Get a .com!" Mann is also scheduled to participate in a panel discussion devoted to domain valuation.

Stefitz has also identified several other topics that will be explored in depth through presentations and panel discussions at the 2018 event including Inventory Carrying Costs, Brokerage, Domain Portfolio Monetization, Buy Now Pricing vs. Negotiation and Drop Catching. Of course, the latest trends in new gTLDs will also be covered with Stefitz expecting to have .CLUB CMO Jeff Sass, .GLOBAL CEO Rolf Larsen and a representative from Neustar on hand to give attendees an update on that sector. He also has an International Investor Roundtable in the works with participants from Asia, Latin America, Russia, the USA and Europe.

Registration is already open, so it is not too soon to block June 7-9 out on your 2018 calendar to join domain investors, executives and service providers from around the world for this landmark edition of Domaining Europe.

This year Verisign will again be the main sponsor of the event, along with Law.es, dotGlobal, eco, Godaddy, Nidoma, Blacknight, LBM, Bodis and many others. Sponsorship options are still open at vivanco@domainingeurope.com.

Written by Sara Vivanco, Marketing Manager

More under: Domain Management, Domain Names, New TLDs

Report Estimates Cybercrime Taking $600 Billion Toll on Global Economy

Wed, 2018-02-21 21:30

Cybercrime is costing businesses close to $600 billion, or 0.8 percent of global GDP, according to a report released today by McAfee, in partnership with the Center for Strategic and International Studies (CSIS). The estimated number is up from a similar 2014 study that put global losses at about $445 billion. The report attributes this growth to cybercriminals quickly adopting new technologies, the ease of engaging in cybercrime — including an expanding number of cybercrime centers — and the growing financial sophistication of top-tier cybercriminals.

Figure: Estimated daily cybercrime activity (Source: McAfee / CSIS 2018 report)

From the report: "Cybercrime operates at scale. The amount of malicious activity on the internet is staggering. One major internet service provider (ISP) reports that it sees 80 billion malicious scans a day, the result of automated efforts by cybercriminals to identify vulnerable targets. Many researchers track the quantity of new malware released, with estimates ranging from 300,000 to a million viruses and other malicious software products created every day. Most of these are automated scripts that search the web for vulnerable devices and networks. Phishing remains the most popular and easiest way to commit cybercrime, with the Anti-Phishing Working Group (APWG) recording more than 1.2 million attacks in 2016, many linked to ransomware. This number may be low since the FBI estimated there were 4,000 ransomware attacks every day in 2016. The Privacy Rights Clearing House estimates there were 4.8 billion records lost as a result of data breaches in 2016, with hacking responsible for about 60% of these."

Data on cybercrime remains poor: The authors suggest that data on cybercrime remains poor because governments around the world underreport it and are negligent in their efforts to collect it.

Recommendations: Although the report is mainly focused on estimating the cost of cybercrime rather than on recommendations, it offers the following as obvious steps based on its cost analysis:

  • Uniform implementation of basic security measures such as regular updating, patching, open security architectures and investment in defensive technologies.
  • Increased cooperation among international law enforcement agencies both with other nations' law enforcement agencies and with the private sector.
  • Improved collection of data by national authorities.
  • Greater standardization and coordination of cybersecurity requirements particularly in key sectors like finance.
  • Development of the Budapest Convention, a formal treaty on cybercrime which has made slow progress in the face of opposition from Russia and other countries.
  • International pressure on state sanctuaries for cybercrime; imposing some kind of penalty or consequence on governments that fail to take action against cybercrime.

More under: Cyberattack, Cybercrime, Cybersecurity, DDoS, Internet Governance, Malware, Policy & Regulation

ICANN Spearheading Launch of Virtual DNS Entrepreneurship Center of the Caribbean

Wed, 2018-02-21 19:44

The Internet Corporation for Assigned Names and Numbers (ICANN) is spearheading an initiative to launch the Virtual DNS Entrepreneurship Center of the Caribbean (VDECC). Gerard Best reporting in the Caribbean Journal: "VDECC aims to open up new money-making opportunities in the DNS industry for Internet businesses and entrepreneurs across the region, including Internet service providers, web hosting companies, top-level domain operators, domain name registrars and resellers, web developers, digital marketers, e-commerce startups and Internet legal experts." The initiative was launched in Port of Spain on Feb. 19.

More under: DNS, ICANN

Vermont Governor 5th to Take a Stand Against Rollback of Net Neutrality Rules

Wed, 2018-02-21 19:14

Vermont Gov. Phil Scott is the latest state governor to take a stand against the FCC's rollback of net neutrality rules. Ryan Johnston reporting in StateScoop: "Scott last week took executive action mandating that any internet service provider (ISP) holding or seeking a state contract must include net neutrality protections in its services for all subscribers. He becomes the fifth governor to use the tactic, which is intended to pressure ISPs to operate as if the FCC did not repeal the Obama-era rules."

More under: Access Providers, Net Neutrality

WHOIS Access and Interim GDPR Compliance Model: Latest Developments and Next Steps

Tue, 2018-02-20 20:17

WHOIS access and development of an interim GDPR compliance model remains THE hot topic within the ICANN community. Developments are occurring at a break-neck pace, as ICANN and contracted parties push for an implementable solution ahead of the May 25, 2018 effective date of the GDPR.

To quickly recap:

  • Between November 11, 2017 and January 11, 2018, various ICANN community participants submitted different proposed interim GDPR compliance models to ICANN;
  • On January 12, 2018, ICANN published a set of three proposed interim GDPR compliance models of its own design for community input;
  • On January 24, 2018, the ICANN Intellectual Property and Business Constituencies (IPC and BC, respectively) held a community-wide webinar, with in-person attendees in Washington, DC and Brussels, to discuss the ICANN and community models, and key issues and concerns in developing an interim compliance model while preserving access to WHOIS data for specific legitimate purposes, including law enforcement, cybersecurity, consumer protection, and intellectual property enforcement, among other business and individual user needs;
  • On January 29, 2018, ICANN formally closed its community input period on the compliance models;
  • On February 1, 2018, the IPC and BC sent a joint letter to the Article 29 Working Party, with a copy to ICANN, providing an overview of WHOIS uses and needs for law enforcement, cybersecurity, consumer protection and intellectual property enforcement, and how these legitimate purposes fit within the framework of the GDPR;
  • On February 2, 2018, ICANN published a matrix of all the proposed interim compliance models, and a draft summary of discussion and comments regarding the models;
  • On February 7, 2018, the European Commission provided additional input to ICANN regarding the various proposed compliance models; and
  • Between February 10 and February 16, 2018, ICANN provided updates to various community leaders regarding a compliance model that ICANN had begun to coalesce around, based on the prior models, community input, and community discussions (the "convergence model").

ICANN is now poised to formally publish the convergence model, although the community continues to discuss and seek a solution that is acceptable for all stakeholders. As part of those continued discussions, the IPC and BC will be hosting another cross-community discussion, following up on their co-hosted event on January 24. This second event will take place on Thursday February 22, 2018 from 9 am to 12 pm Eastern (US) (1400 – 1700 UTC), with in-person participation in the Winterfeldt IP Group Offices in Washington, DC and the ICANN office in Brussels, Belgium. There will also be remote participation available through Adobe Connect.

We invite all readers to participate in this important ongoing conversation. Please RSVP to denise@winterfeldt.law if you or your colleagues would like to join in person in Washington, DC or Brussels, or via remote participation.

Written by Brian Winterfeldt, Founder and Principal at Winterfeldt IP Group

More under: Domain Names, ICANN, Law, Privacy, Whois

SpaceX Starlink and Cuba - A Match Made in Low-Earth Orbit?

Tue, 2018-02-20 19:05

I've suggested that Cuba could use geostationary-orbit (GSO) satellite Internet service as a stopgap measure until they could afford to leapfrog over today's technology to next-generation infrastructure. They did not pick up on that stopgap suggestion, but how about low-Earth orbit (LEO) satellite Internet service as a next-generation solution?

SpaceX, OneWeb, Boeing and others are working on LEO satellite Internet projects. There is no guarantee that any of them will succeed — these projects require new technology and face logistical, financial and regulatory obstacles — but, if successful, they could provide Cuba with affordable, ubiquitous, next-generation Internet service.

Cuba should follow and consider each potential system, but let's focus on SpaceX since their plan is ambitious and they might have the best marketing/political fit with Cuba.

LEO satellite service will hopefully reach a milestone this week when SpaceX launches two test satellites. If the tests go well, SpaceX plans to begin launching operational satellites in 2019 and begin offering commercial service in the 2020-21 time frame. They will complete their first constellation of 4,425 satellites by 2024. (To put that in context, there are fewer than 2,000 operational satellites in orbit today).

SpaceX has named their future service "Starlink," and, if Starlink succeeds, they could offer Cuba service as early as 2020 and no later than 2024 depending upon which areas they plan to service first.

What has stopped the Cuban Internet and why might LEO satellites look good to Cuba?

Cuba blames their lack of connectivity on the US embargo, but President Obama cleared the way for the export of telecommunication equipment and services to Cuba and Trump has not reversed that decision.

I suspect that fear of losing political control — the inability to filter and surveil traffic — stopped Cuba from allowing GSO satellite service. Raúl Castro and others feared loss of control of information when Cuba first connected to the Internet in 1996, but Castro is about to step down and perhaps the next government will be more aware of the benefits of Internet connectivity and more confident in their ability to use it to their advantage.

A lack of funds has also constrained the Cuban Internet — they cannot afford a large terrestrial infrastructure buildout and are reluctant (for good and bad reasons) to accept foreign investment. SpaceX is building global infrastructure so the marginal cost of serving Cuba would be near zero.

They say that the capital equipment for providing high-speed, low-latency service to a Cuban home, school, clinic, etc. would be a low-cost, user-installed ground-station. I've not seen ground-station price estimates from SpaceX, but their rival OneWeb says their $250 ground-station will handle a 50 Mbps, 30 ms latency Internet link and serve as a hot-spot for WiFi, LTE, 3G or 2G connectivity.

Since the marginal cost of serving a nation would be small and they hope to provide affordable global connectivity, I expect their service price will vary among nations. Prices would be relatively high in wealthy and low in poor nations — there would be no point in having idle satellites flying over Cuba or any other place.

Expansion of the Cuban Internet is also constrained by bureaucracy and vested financial interest in ETECSA and established vendors. While I do not endorse Cuba's current monopoly service and infrastructure ownership policy, it could remain unchanged if ETECSA were to become a reseller of SpaceX Internet connectivity.

In summary, if Starlink succeeds, they could offer affordable, ubiquitous high-speed Internet, saving Cuba the cost of investing in expensive terrestrial infrastructure and allowing ETECSA to maintain its monopoly. The only intangible roadblock would be a loss of control of traffic. (But Cuban propagandists and trolls would be able to reach a wider audience :-).

That is the rosy picture from the Cuban point of view, what about SpaceX?

OneWeb plans to offer LEO satellite Internet service in Alaska in 2019 and hopes to cover all of Alaska by the end of 2020.

How about SpaceX starting by serving Cuba?

I don't know the SpaceX constellation rollout plan, but satellites that serve Cuba would also be capable of serving the eastern US and FCC licenses are conditional upon providing US service in a timely manner.

Since Cuba is an island nation, portions of the footprint of satellites serving Cuba would fall on the uninhabited ocean. That would reduce population density in the satellite footprint area, freeing capacity for use by customers in relatively urban areas.

Selecting Cuba as their initial service market would be an audacious move, but Elon Musk is not a conventional, conservative businessman. SpaceX would get a lot of publicity from a Cuba opening and, like the roadster they just launched into orbit, first offering Starlink service in Cuba would have symbolic value — marking an opening to Cuba.

There is pent-up demand for Internet access in Cuba since they have very poor Internet access given their level of education and development.

Cuba is 166th among the 176 nations the International Telecommunication Union (ITU) ranks on access to telecommunications. Haiti, ranked 167th, is the only nation in Latin America and the Caribbean (LA&C) that ranks below Cuba, yet Cuba ranks 9th in the region on the ITU telecommunication-skills index. Cuba ranks tenth in LA&C on the United Nations Development Programme's human-development index and their mean years of schooling is the highest in the region.

Cuba's relatively high human-development and IT-skill indices reflect their emphasis on free public education at all levels. This is exemplified by the curriculum at Cuba's Information Science University, where students pay no tuition but are required to work on useful applications in education, health, sport, and online government.

But, perhaps the biggest contributor to pent-up demand is El Paquete Semanal, a weekly distribution of current, pirated Internet content that is distributed throughout the nation. I've heard the claim that 95% of Cubans see El Paquete content each week. That sounds high, but it is very popular and has been alleged to be Cuba's largest private employer.

The political situation is the elephant in the room. The US has formed a Cuba Internet Task Force and Trump is following President Obama's lead in seeking to strengthen the Cuban Internet, so it is unlikely that the US government would object to SpaceX offering Starlink service to Cubans.

That being said, such a move would be unpopular among some members of Trump's Cuban "base." While there might be some domestic political cost to SpaceX, an opening to Cuba would be seen as extremely positive in Latin America and the rest of the world and SpaceX and Tesla are global companies.

Written by Larry Press, Professor of Information Systems at California State University

More under: Access Providers, Broadband, Policy & Regulation, Wireless

Hackers Use Tesla's Amazon Cloud Account to Mine Cryptocurrency

Tue, 2018-02-20 18:37

Tesla's cloud environment has been infiltrated by hackers and used to mine cryptocurrencies, researchers have discovered. Other victims include Aviva and Gemalto. According to reports, the incident was first discovered by security company RedLock a few months ago when its research team found hundreds of Kubernetes administration consoles accessible over the internet without any password protection.

Initially RedLock discovered instances belonging to Aviva, a British multinational insurance company, and Gemalto, the world's largest manufacturer of SIM cards. From the report: "Within these consoles, access credentials to these organizations' Amazon Web Services (AWS) and Microsoft Azure environments were exposed. Upon further investigation, the team determined that hackers had secretly infiltrated these organizations' public cloud environments and were using the compute instances to mine cryptocurrencies (refer to Cloud Security Trends - October 2017 report). Since then, a number of other cryptojacking incidents have been uncovered and there are notable differences in the attacks. ... latest victim of cryptojacking is Tesla. While the attack was similar to the ones at Aviva and Gemalto, there were some notable differences. The hackers had infiltrated Tesla's Kubernetes console which was not password protected. Within one Kubernetes pod, access credentials were exposed to Tesla's AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry."

More under: Blockchain, Cloud Computing, Cyberattack, Cybersecurity

Botnets Shift Focus to Credential Abuse, Says Latest Akamai Report

Tue, 2018-02-20 17:49

Akamai released its Fourth Quarter 2017 State of the Internet report today, stating that analysis of more than 7.3 trillion bot requests per month found a sharp increase in the threat of credential abuse, with more than 40 percent of login attempts being malicious. Additionally, the report warns that DDoS attacks remain a consistent threat and that the Mirai botnet is still capable of strong bursts of activity.

14% Increase in DDoS: "Akamai's findings also confirmed that the total number of DDoS attacks last quarter (Q4 2017) increased 14 percent from the same time last year (Q4 2016). While previous reports from this year showed the intensity of the Mirai botnet fading, Akamai saw a spike of nearly 1 million unique IP addresses from the botnet scanning the Internet in late November, showing that it is still capable of explosive growth."

Cybercriminals are increasingly leveraging bot activity for malicious use: "Many of the botnets traditionally responsible for DDoS attacks are being used to abuse stolen login credentials. Of the 17 billion login requests tracked through the Akamai platform in November and December, almost half (43 percent) were used for credential abuse."

More under: Cyberattack, Cybercrime, Cybersecurity, DDoS

US Congress Considering Legislation to Authorize Faster Access to International Electronic Data

Mon, 2018-02-19 20:15

Legislation called the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, was introduced in Congress on Monday, aimed at creating a clearer framework for law enforcement to access data stored in cloud computing systems. Ali Breland reporting in The Hill: "[The] bill is aimed at making it easier for U.S. officials to create bilateral data sharing agreements that allow them to access data stored overseas and also for foreign law enforcement to access data stored on U.S. firms' servers. ... Federal law currently doesn't specify whether the government can demand that U.S. companies give it data they have stored abroad. The CLOUD Act would amend this, likely impacting Microsoft's pending Supreme Court case over data it has stored in Ireland."

More under: Cloud Computing, Data Center, Law

U.S. Lawmakers Moving to Consider New Rules Imposing Stricter Federal Oversight on Cryptocurrencies

Mon, 2018-02-19 20:00

Reuters reports today that several top lawmakers have revealed a "bipartisan momentum is growing in the Senate and House of Representatives for action to address the risks posed by virtual currencies to investors and the financial system." David Morgan reports: "Even free-market Republican conservatives, normally wary of government red tape, said regulation could be needed if cryptocurrencies threaten the U.S. economy. ... Much of the concern on Capitol Hill is focused on speculative trading and investing in cryptocurrencies, leading some lawmakers to push for digital assets to be regulated as securities and subject to the SEC's investor protection rules."

More under: Blockchain, Law, Policy & Regulation

Categories: News and Updates

SpaceX Launching Two Experimental Internet Satellites This Weekend

Fri, 2018-02-16 21:10

On Saturday, SpaceX will be launching two experimental mini-satellites that will pave the path for the first batch of what is planned to be a 4,000-satellite constellation providing low-cost internet around the earth. George Dvorsky reporting in Gizmodo: "Announced back in 2015, Starlink is designed to be a massive, space-based telecommunications network consisting of thousands of interlinked satellites and several geographically dispersed ground stations. ... The plan is to have a global internet service in place by the mid-2020s, and get a leg-up on potential competitors. ... Two prototypes, named Microsat 2a and 2b, are now packed and ready for launch atop a Falcon-9 v1.2 rocket."

More under: Access Providers, Broadband, Wireless

Categories: News and Updates

A Brooklyn Bitcoin Mining Operation is Causing Interference to T-Mobile's Broadband Network

Fri, 2018-02-16 18:53

AntMiner S5 Bitcoin Miner by Bitmain, released in 2014. The S5 has since been surpassed by newer models.

The Federal Communications Commission on Thursday sent a letter to an individual in Brooklyn, New York, alleging that a device in the individual's residence used to mine Bitcoin is generating spurious radiofrequency emissions, causing interference to a portion of T-Mobile's mobile telephone and broadband network. The letter states the FCC received a complaint from T-Mobile concerning interference to its 700 MHz LTE network in Brooklyn, New York. In response to the complaint, agents from the Enforcement Bureau's New York Office confirmed by using direction finding techniques that radio emissions in the 700 MHz band were, in fact, emanating from the user's residence in Brooklyn. "When the interfering device was turned off the interference ceased. ... The device was generating spurious emissions on frequencies assigned to T-Mobile's broadband network and causing harmful interference." The FCC's warning letter further states that the user's "Antminer s5 Bitcoin Miner" operation constitutes a violation of Federal law and could subject the operator to severe penalties, including substantial monetary fines and arrest.

Jessica Rosenworcel, FCC Commissioner, in a tweet said: "Okay, this @FCC letter has it all: #bitcoin mining, computing power needed for #blockchain computation and #wireless #broadband interference. It all seems so very 2018."

More under: Access Providers, Blockchain, Broadband, Telecom, Wireless

Categories: News and Updates

Hackers Earned Over $100K in 20 Days Through Hack the Air Force 2.0

Fri, 2018-02-16 15:47

The participating U.S. Airmen and hackers at the conclusion of h1-212 in New York City on Dec 9, 2017

HackerOne has announced the results of Hack the Air Force 2.0, the second Hack the Air Force bug bounty challenge in less than a year, which invited trusted hackers from all over the world to participate. The 20-day bug bounty challenge was the most inclusive government program to date, with 26 countries invited to participate. From the report: "Hack the Air Force 2.0 is part of the Department of Defense's (DoD) Hack the Pentagon crowd-sourced security initiative. Twenty-seven trusted hackers successfully participated in the Hack the Air Force bug bounty challenge — reporting 106 valid vulnerabilities and earning $103,883. Hackers from the U.S., Canada, United Kingdom, Sweden, Netherlands, Belgium, and Latvia participated in the challenge. The Air Force awarded hackers the highest single bounty award of any Federal program to-date, $12,500."

More under: Cybersecurity

Categories: News and Updates

WHOIS Inaccuracy Could Mean Noncompliance with GDPR

Thu, 2018-02-15 20:41

The European Commission recently released technical input on ICANN's proposed GDPR-compliant WHOIS models that underscores the GDPR's "Accuracy" principle — making clear that reasonable steps should be taken to ensure the accuracy of any personal data obtained for WHOIS databases and that ICANN should be sure to incorporate this requirement in whatever model it adopts. Contracted parties concerned with GDPR compliance should take note.

According to Article 5 of the regulation, personal data shall be "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay." This standard is critical for maintaining properly functioning WHOIS databases and would be a significant improvement over today's insufficient standard of WHOIS accuracy. Indeed, European Union-based country code TLDs require rigorous validation and verification, much more in line with GDPR requirements — a standard to strive for.

The stage is set for an upgrade to WHOIS accuracy: ICANN's current approach to WHOIS accuracy simply does not comply with GDPR. Any model selected by ICANN to comply with GDPR must be accompanied by new processes to validate and verify the contact information contained in the WHOIS database. Unfortunately, the current Registrar Accreditation Agreement, which includes detailed provisions requiring registrars to validate and verify registrant data, does not go far enough to meet these requirements.

At a minimum, ICANN should expedite the implementation of cross-field validation, which is required by the 2013 RAA but to date has not been enforced. These activities should be supplemented by examining other forms of validation, building on ICANN's experience in developing the WHOIS Accuracy Reporting System (ARS), which examines the accuracy of contact information from the perspective of syntactical and operational validity. Validation and accuracy of WHOIS data have also been a long-discussed matter within the ICANN community — the 2014 Final Report from the Expert Working Group on gTLD Directory Services: A Next-Generation Registration Directory Service (RDS) devotes an entire chapter to "Improving Data Quality", with a recommendation for more robust validation of registrant data. And, not insignificantly, ICANN has already investigated and deployed validation systems in its operations, including those used by its Compliance department to investigate accuracy complaints.
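To make the distinction between syntactic validity and cross-field validation concrete, here is an added example (not ICANN's, the ARS's or any registrar's code) that checks a contact record in two layers. The field names, regular expressions and the small per-country postal-code table are constructed for illustration and are my assumptions about what such checks would cover.

```python
"""Layered WHOIS contact validation: syntactic checks, then cross-field checks.

Added example for the article above; not ICANN's or any registrar's code.
Field names, patterns and the postal-code table are constructed.
"""
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")  # '+' followed by 7 to 15 digits

# Constructed subset: ISO 3166-1 alpha-2 country -> postal-code shape.
POSTAL_PATTERNS = {
    "US": re.compile(r"^\d{5}(-\d{4})?$"),
    "CA": re.compile(r"^[A-Z]\d[A-Z] ?\d[A-Z]\d$"),
    "DE": re.compile(r"^\d{5}$"),
    "NL": re.compile(r"^\d{4} ?[A-Z]{2}$"),
    "GB": re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$"),
}
REQUIRED = ("name", "email", "phone", "street", "city", "postal_code", "country")


def syntactic_issues(record):
    """Field-by-field checks: each value is judged on its own."""
    issues = ["missing:" + f for f in REQUIRED if not record.get(f, "").strip()]
    if record.get("email") and not EMAIL_RE.match(record["email"]):
        issues.append("email:malformed")
    if record.get("phone") and not E164_RE.match(record["phone"]):
        issues.append("phone:not_e164")
    if record.get("country") and record["country"] not in POSTAL_PATTERNS:
        issues.append("country:unknown")
    return issues


def cross_field_issues(record):
    """Checks that only make sense when two fields are read together."""
    issues = []
    pattern = POSTAL_PATTERNS.get(record.get("country", ""))
    if pattern and not pattern.match(record.get("postal_code", "")):
        issues.append("postal_code:inconsistent_with_country")
    # Constructed rule: a +1 number paired with a non-North-American country.
    if record.get("phone", "").startswith("+1") and record.get("country") not in ("US", "CA"):
        issues.append("phone:country_code_inconsistent_with_country")
    return issues


def validate(record):
    """Cross-field checks run only once the record is syntactically clean."""
    syntactic = syntactic_issues(record)
    cross = cross_field_issues(record) if not syntactic else []
    return {"syntactic": syntactic, "cross_field": cross,
            "valid": not syntactic and not cross}


# Constructed sample records (no real registrants).
SAMPLE_RECORDS = {
    "clean": {"name": "A. Registrant", "email": "admin@example.com", "phone": "+12125550100",
              "street": "1 Example St", "city": "New York", "postal_code": "10001", "country": "US"},
    # Every field is well-formed on its own, but the fields do not agree.
    "mismatch": {"name": "B. Registrant", "email": "b@example.net", "phone": "+12125550199",
                 "street": "Voorbeeldstraat 2", "city": "Amsterdam", "postal_code": "10001", "country": "NL"},
    "bad_phone": {"name": "C. Registrant", "email": "c@example.org", "phone": "555-0100",
                  "street": "3 Example Rd", "city": "London", "postal_code": "SW1A 1AA", "country": "GB"},
}
```

The "mismatch" record passes every single-field check and is caught only by the cross-field layer, which is the gap the article describes.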

Despite its significance to the protection and usefulness of WHOIS data, the accuracy principle is surprisingly absent from the three WHOIS models presented by ICANN for discussion among relevant stakeholders. Regardless of which model is ultimately selected, the accuracy principle must be applied to any WHOIS data processing activity in a manner that addresses GDPR compliance — both at inception, when a domain is registered, and later, when data is out of date.

All stakeholders can agree that WHOIS data is a valuable resource for industry, public services, researchers, and individual Internet users. Aside from the GDPR "Accuracy" principle, taking steps to protect the confidentiality of this resource would be meaningless if the data itself were not accurate or complete.

Written by Fabricio Vayra, Partner at Perkins Coie LLP

More under: Domain Names, ICANN, Privacy, Whois

Categories: News and Updates

Who Will Crack Cloud Application Access SLAs?

Wed, 2018-02-14 20:14

The broadband industry doesn't have an agreed-upon unit of supply and demand that meaningfully "adds up". This is rather odd for a service that aspires to be a utility. It is also a barrier to a much-needed transformation from "bit pipes" to "digital supply chain management".

The chart below ought to be in every basic undergraduate textbook on packet networking and distributed computing. That it is absent says much about our technical maturity level as an industry. But before we look at what it means, let's go back to some basics.

When you deliver a utility service like water or gas, there's a unit for metering its supply. The electricity wattage consumed by a room is the sum of the wattage of the individual appliances. The house consumption is the sum of the rooms, the neighbourhood is the sum of the houses, and so on. Likewise, we can add up the demand for water, using litres.

These resource units "add up" in a meaningful way. We can express a service level agreement (SLA) for utility service delivery in that standard unit in an unambiguous way. This allows us to agree both the final end-user delivery, as well as to contract supply at any administrative or management boundaries in the delivery network.

What's really weird about the broadband industry is that we've not yet got a standard metric of supply and demand that "adds up." What's even more peculiar is that people don't even seem to be aware of its absence, or feel the urge to look for one. What's absolutely bizarre is that it's hard to get people interested even when you do finally find a really good one!

Picking the right "unit" is hard because telecoms is different to power and water in a crucial way. With these physical utilities, we want more of something valuable. Broadband is an information utility, where we want less of something unwanted: latency (and in extremis, loss). That is a tricky conceptual about-turn.

So we're selling the absence of something, not its presence. It's a bit like asking "how much network latency mess-up can we deal with in order to deliver a tolerable level of application QoE screw-up". Ideally, we'd like zero "mess-up" and "screw-up," but that's not on offer. And no, I don't expect ISPs to begin advertising "a bit less screwed-up than the competition" anytime soon to consumers!

The above chart breaks down the latency into its independent constituent parts. What it says is:

  • For any network (sub-)path, the latency comprises (G)eographic, packet (S)ize, and (V)ariable contention delay — the "vertical" (de)composition.
  • Along the "horizontal" path the "Gs", "Ss", and "Vs" all "add up". (They are probabilities, not simple scalars, but it's still just ordinary algebra.)
  • You can "add up" the complete end-to-end path "mess-up" by breaking each sub-path "mess-up" into G, S and V; then adding the Gs, Ss, and Vs "horizontally"; and then "vertically" recombining their "total mess-up" (again, all using probability functions to reflect we are dealing with randomness).

And that's it! We've now got a mathematics of latency which "adds up", just like wattage or litres. It's not proprietary, nobody holds a patent on it, everyone can use it. Any network equipment or monitoring enterprise with a standard level of competence can implement it as their network resource model. It's all documented in the open.
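As an added illustration (not from the post or its author), the G/S/V composition carried out with probability mass functions over a constructed three-hop path; the hop figures are made-up sample values, not measurements of any real network.

```python
"""Compose per-hop latency as G, S and V probability mass functions.

Added illustration of the 'adds up' argument in the post above; the G/S/V
decomposition is the post's, every number below is a constructed sample.
"""
from itertools import product

# A PMF is a dict {delay_ms: probability}; delays are kept on a 1 ms grid.


def point_mass(delay_ms):
    """Deterministic delay: G and S do not vary from packet to packet."""
    return {delay_ms: 1.0}


def convolve(a, b):
    """PMF of X + Y for independent X ~ a and Y ~ b: the 'adding up' step."""
    out = {}
    for (da, pa), (db, pb) in product(a.items(), b.items()):
        out[da + db] = out.get(da + db, 0.0) + pa * pb
    return out


def sum_pmfs(pmfs):
    """Fold convolve over any number of independent delay components."""
    total = point_mass(0)
    for p in pmfs:
        total = convolve(total, p)
    return total


def quantile(pmf, q):
    """Smallest delay d with P(X <= d) >= q."""
    acc = 0.0
    for d in sorted(pmf):
        acc += pmf[d]
        if acc >= q - 1e-12:
            return d
    return max(pmf)


def serialisation_ms(packet_bytes, link_mbps):
    """S: time to clock one packet onto a link, rounded up to the 1 ms grid."""
    bits_per_ms = int(link_mbps * 1000)
    return -(-packet_bytes * 8 // bits_per_ms)


# Constructed three-hop path: (G in ms, link rate in Mbps, V contention PMF).
HOPS = [
    (5, 10.0, {0: 0.7, 2: 0.2, 10: 0.1}),   # access link, sometimes queued
    (20, 1000.0, {0: 0.95, 1: 0.05}),      # long-haul core, nearly idle
    (3, 100.0, {0: 0.5, 1: 0.3, 5: 0.2}),  # data-centre edge
]
PACKET_BYTES = 1500


def hop_pmf(g_ms, link_mbps, v_pmf, packet_bytes=PACKET_BYTES):
    """Vertical composition for one hop: G + S + V."""
    s = point_mass(serialisation_ms(packet_bytes, link_mbps))
    return sum_pmfs([point_mass(g_ms), s, v_pmf])


def end_to_end(hops=HOPS, packet_bytes=PACKET_BYTES):
    """Horizontal composition: add the Gs, Ss and Vs along the path, then
    recombine vertically. Returns the (G, S, V, total) PMFs."""
    g = sum_pmfs(point_mass(h[0]) for h in hops)
    s = sum_pmfs(point_mass(serialisation_ms(packet_bytes, h[1])) for h in hops)
    v = sum_pmfs(h[2] for h in hops)
    return g, s, v, sum_pmfs([g, s, v])


def sum_of_hop_quantiles(q, hops=HOPS):
    """The scalar shortcut: adding per-hop percentiles, which do not add up."""
    return sum(quantile(hop_pmf(*h), q) for h in hops)
```

Summing the hops' 99th percentiles gives a different figure from the 99th percentile of the composed path, which is why the SLA has to be expressed in the distributions, not in per-hop scalars.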

This may all seem a bit like science arcana, but it has real business implications. Adjust your retirement portfolio accordingly! Because it's really handy to have a collection of network SLAs that "add up" to a working telco service or SaaS application. In order to do that, you need to express them in a unit that "adds up".

In theory, big telcos are involved in a "digital transformation" from commodity "pipes" into cloud service integration companies. With the occasional honourable exception (you know who you are!), there doesn't seem to be much appetite for engaging with fundamental science and engineering. Most major telcos are technological husks that do vendor contract management, spectrum hoarding, and regulatory guerrilla warfare, with a bit of football marketing on the side.

In contrast, the giant cloud companies (like Amazon and Google) are thronged with PhDs thinking about flow efficiency, trade-offs and protocols, and how to globally optimise the whole data centre to user device system. They also commonly own the environment that delivers the user experience (smart TV, smartphone, tablet, etc.). Plus there's the hyper-distribution capability of app stores to reach all endpoints very quickly. So they are positioned well to drive an application-centric model.

There are big cost savings and quality of experience gains to be had by adopting "standard" metrics and "composable" SLAs. (Try delivering electricity or water without standardised units to see why!) For newer distributed applications, you can't deliver them at all without adopting "proper" engineering and rigorous science: a rocket isn't just a scaled-up firework. So whoever masters this very basic idea of a unit that "adds up" is in a better position to economically command the value chain.

The strategic questions are these:

  • Will telcos "get it" and take over the supply chain from the "inside, outwards"? Or will cloud companies "get it" and invade telecoms from the "outside, inwards"?
  • How will the profit pool get re-divided as a result? This is a bit like how things shifted between handsets and networks when power transitioned from Nokia to Apple.

My bet is that the answer is the "outside-in" case: whoever captures the end user experience using metrics that "add up" is in a position to then contract and command the rest of the supply chain to do its will. Telcos will not auto-transform; they will be forcibly transformed. The (enterprise and cloud) connectivity "buy side" has the incentives to tighten up the SLAs on offer; the "sell side" mostly seems pretty content with the status quo.

It is a bit like in the 1990s when there was a big debate about how best to deliver mobile coverage through building walls. In the battle between macrocells vs. microcells, "outside-in always wins." You don't try to cover outdoors from indoors; you do try to cover indoors from outdoors. Indeed, everything was configured to meet the most "outdoors" condition. We call them "mobile" networks for a reason!

So are "cloud SLA networks" the "new mobile networks"? We will find out! I think so. You can tell who really "gets it" by who adopts a "unit" of supply and demand that properly "adds up." This is the essential prerequisite for a new "digital supply chain management" industry to emerge. Because at the end of the day, if you can't "add up" your cloud application demand, and build a matching network supply SLA, then that's a big strategic minus.

Written by Martin Geddes, Founder, Martin Geddes Consulting Ltd

More under: Access Providers, Broadband, Cloud Computing, Telecom

Categories: News and Updates

Donuts Acquires .TRAVEL TLD

Wed, 2018-02-14 19:14

Donuts Inc. today announced it has acquired the .TRAVEL domain name from registry operator Tralliance Registry Management Company; the .TRAVEL domain becomes Donuts' 239th TLD. From the announcement: "Since its launch in 2005, the .TRAVEL domain has been embraced by the travel industry. Domain names ending in .TRAVEL now identify tens of thousands of travel businesses and organizations on the Internet. The .TRAVEL domain is widely recognized as of the highest quality, and is used by leading travel businesses such as: visitloscabos.travel, adventures.travel, hongkongdisneyland.travel, goldman.travel, AARP.travel and tens of thousands of others."

More under: Domain Names, Registry Services, New TLDs

Categories: News and Updates

GDPR - Territorial Scope and the Need to Avoid Absurd and Inconsistent Results

Wed, 2018-02-14 17:54

It's not just establishment, it's context!

There is an urgent need to clarify the GDPR's territorial scope. Of the many changes the GDPR will usher in this May, the expansion of EU privacy law's territorial scope is one of the most important. The GDPR provides for broad application of its provisions both within the EU and globally. But the fact that the GDPR has a broad territorial scope does not mean that every company, or all data processing activities, are subject to it. Rather, the GDPR puts important limitations on its territorial scope that must be acknowledged and correctly analyzed by those interpreting the regulation for the global business community. Otherwise, it could lead to absurd implementation and bad policy which no one wants.

EU Establishment

In essence:

  • Where registrars are established in the EU, the registrars' use and processing of personal data is subject to the GDPR. That is no surprise to anyone.
  • Where registrars have no establishment in the EU, but offer domain name registration services to data subjects in the EU, the processing of personal data in the context of such offer will also be subject to the GDPR. Again no surprise and logical.
  • However, where a registrar is based outside the EU, without an establishment in the EU, and uses a processor in the EU, such a non-EU based registrar (as a controller) will not be subject to the GDPR merely because of the EU based processor's establishment in the EU. Under Article 3 (1) GDPR, the GDPR applies to the controller only where the processor in the EU would be considered the controller's establishment. If the controller uses an external service provider (not a group company), this processor will generally not be considered an establishment of the controller. It would only be caught by the GDPR if the processing is done "in the context" of that establishment. That is the key, and I'll discuss an example of potentially absurd results if this is not interpreted correctly. NB: All obligations directly applicable to the processor under the GDPR will, of course, apply to the EU based processor.

WHOIS

Consider the example of WHOIS (searchable registries of domain name holders), where there is presently much debate amongst the many and varied actors in the domain name industry over whether public WHOIS databases can remain public under the GDPR. The second part of ICANN's independent assessment of this issue offered an analysis of the GDPR's territorial reach that deserves closer scrutiny. Addressing the territorial limits of the law, the authors state: "Therefore, all processing of personal data is, no matter where it is carried out, within the territorial scope of the GDPR as long as the controller or processor is considered established within the EU; the nationality, citizenship or location of the data subject is irrelevant." In other words, the authors conclude that as long as a controller or processor has an "establishment" in the EU, all processing of personal data it undertakes, regardless of the location or nationality of the data subject and regardless of whether the processing has any nexus to the EU, is subject to the GDPR.

This is wrong. The analysis overlooks key language of the GDPR. Under Article 3.1, the law applies not to any processing that is done by a company that happens to have an establishment in the EU, but to processing done "in the context of" that establishment.

This distinction makes a difference. Imagine, for example, a Canadian company that has an office in Paris. Under the authors' analysis, the GDPR would apply to all processing done by that company simply by virtue of it having a Paris office, whether the data subjects interacting with it were French, Canadian, or even American, whether they accessed the company's services from France, Canada, or the U.S., and even if all the processing occurred outside of the EU. This would be an absurd result inconsistent with the text of the GDPR and sound policy. In order to determine whether the GDPR applies, one must look not only at whether the company has an establishment in the EU but also at whether the processing occurred within the context of that establishment. If the processing occurs in the U.S. or Canada for a Canadian data subject without any link to the EU establishment, clearly the processing is not done in the context of the EU establishment. Thus, the GDPR does not apply.

Understanding the territorial reach — and the limitations of that reach — of the GDPR is critical. The GDPR has the potential to shift global data privacy law and policy. As such, stakeholders must be well-informed on both the substance as well as the reach of the law's protections.

Written by David Taylor, Lawyer, Partner at Hogan Lovells

More under: Domain Names, ICANN, Law, Policy & Regulation, Privacy, Registry Services, Whois

Categories: News and Updates
