Domain industry news

Latest posts on CircleID

What Does Blockchain Have to Do With Voting?

Fri, 2019-08-23 16:45

Apropos of recent news stories about a blockchain-based voting system that was hacked before its first election, someone asked: "Perhaps final recognition that a lot of blockchain is hype? Or simply an interesting side-story?"

A blockchain can ensure that the lies you see are the same lies that were published, but that doesn't have much to do with voting.

Voting has a very peculiar security model — you need to verify that each person voted at most once, you need to count all of the votes for each candidate, and you must not be able to link the two. A lot of very bad voting systems are built by people who wrongly assume that voting's security model is similar to that of something else, which it is not.

An obvious example is Diebold, which built voting machines that worked like ATMs. That was a disaster, since the way you audit ATMs depends on the details of each transaction being linked to the person doing it.

Paper ballots have a lot to recommend them. It's easy for poll workers to observe that each voter puts one ballot into the box, they're relatively easy to count (we use mark sense machines here) and compared to the spaghetti code in direct recording machines, they're quite tamper resistant.

Written by John Levine, Author, Consultant & Speaker

More under: Blockchain

Categories: News and Updates

Questions Raised by the Takeover of SNET, Havana’s Community Network

Thu, 2019-08-22 18:13

Last May, Cuba's Ministry of Communication (MINCOM) announced resolutions 98 and 99, which limit wireless transmission power and outdoor cables and so made community networks like Havana's SNET illegal. Since SNET was the world's largest community network that did not have Internet access, implementation of the resolutions was postponed for 60 days for negotiations between SNET administrators and MINCOM. The negotiations have ended with a decision to transfer SNET's services and content to ETECSA, Cuba's government-monopoly ISP, and to provide access through Cuba's nationwide chain of 611 Youth Computer Clubs (YCCs), as illustrated by the diagram shown here.

The new regulations authorize people to install WiFi equipment in their homes and businesses in order to access the YCCs, represented by the blue building, and public WiFi hotspots, represented by the sunny outdoor location. The diagram also shows cables running from the YCCs to larger buildings that may represent ETECSA data centers, wireless Internet points of presence, and homes with DSL connectivity.

The government says SNET "will grow with the increased infrastructure" of the YCCs and ETECSA and claims that the intent of Resolutions 98 and 99 is to expand Internet access, but many in the SNET community fear losing access to and control of the assets they have created. You can see their point of view by searching Twitter for the hashtags #YoSoySnet and #FuerzaSnet. The protesters (and I) have many questions about the takeover, like:

  • While some testing has begun, this conversion will take time and resources — why not allow parallel operation of SNET during the cutover to ETECSA/YCC?
  • How many homes are close enough to connect to current WiFi hotspots and YCCs?
  • Given the current planned infrastructure expansion, how long will it take to re-connect all current SNET users?
  • How many of the 611 YCCs have fiber links and what is the schedule for connecting the others?
  • Are rooftop and other outside antennas legal (MINCOM FAQ 18)?
  • Will wireless network installer be added to the list of self-employment occupations (MINCOM FAQ 19)?
  • What provisions are being made to extend connectivity to community network members in smaller cities, outside of Havana?
  • SNET offers many services in addition to gaming — social networking (similar to Facebook), FTP (file transfer) for content sharing, live music streaming, software for download, and forums for developers and engineers, poetry, literature, comics, and sports. Will all of the current SNET services and content be supported?
  • Was the ETECSA/YCC migration anticipated and planned for during the drafting of resolutions 98 and 99?
  • Were SNET and YCC representatives consulted or involved in the drafting of resolutions 98 and 99?
  • There has been some dissension among SNET administrators in the past — was this agreement approved unanimously?
  • In Spain, the UK, Argentina, and other nations, the decision was made to cooperate with and support community networks — to treat them as cooperatively-owned Internet service providers. Did MINCOM consider that alternative and, if so, why was it rejected?
  • Some SNET members have been detained and threatened for voicing opposition to the takeover of the network — are those reports accurate?
  • What will ETECSA/YCC charge for access to former SNET services?
  • Did MINCOM do a cost/benefit analysis of the conversion?
  • Will former SNET members be compensated in any way for their investment in equipment or time in creating intellectual capital in the form of content, software or communication infrastructure?

SNET was a Cuban success story — a user-owned and operated cooperative that developed infrastructure, applications, and content. SNET and the other Cuban community networks may have connected as many homes as ETECSA's home DSL service, Nauta Hogar. Cuba's community networks also developed human capital — experienced users and technicians who, in the long run, benefit both ETECSA and society.

Skeptics see this takeover as confiscation of community assets rather than an effort to better serve the public. Transparent answers to these and related questions could ease their concerns, and I hope ETECSA and the YCCs can deliver on their promises quickly.

Written by Larry Press, Professor of Information Systems at California State University

More under: Access Providers, Broadband, Mobile Internet, Wireless

Worldwide Broadband Trends as the World Wide Web Turns 30

Wed, 2019-08-21 17:45

Hootsuite is the premier tracker of social media usage around the world. They publish numerous reports annually that track broadband and social media statistics from around the world.

They report the following statistics for the end of 2018. The world has been seeing one million new users online every day since January 2018. That means there are 11 new users on the web every second. There are now 5.11 billion mobile subscribers in the world, 67% of the world's population. 4.39 billion people have access of some sort to the Internet, about 57% of the people in the world. There are 3.48 billion people who use social media.

Mobile subscribers increased by 2% in 2018. Internet users increased by 9.1%, and active social media users increased by 9%.

The US and northern Europe both lead the world in Internet access with 95% of the population using the Internet from a landline or cellular connection. The rest of the world is still far behind. While we talk about the great connectivity in parts of the far east, the region has a 60% penetration of people who use the Internet. That's lower than the 63% penetration in Central America and 74% in South America. The areas with the worst broadband coverage are middle Africa at only 12%, eastern Africa at 32% and western Africa at 41%.

The most considerable growth of Internet users is in India, which saw almost 100 million new Internet users in 2018, a 21% increase. That represents 25% of all new Internet users in the world for last year. Some other countries are growing faster, such as Afghanistan at 156%, Cote D'Ivoire at 69%, Cambodia at 56%, Iran at 29%, and Italy at 27%. Hootsuite has been tracking Internet users since 2014 and has seen more than 1.9 billion people added to the Internet since then.

The World Wide Web turns 30 this year (that's hard for many to believe!). It took 16 years to add the first billion users, six more years to add the second billion. The Internet is now adding a billion users every 2.7 years.

The importance of cellular broadband has grown over time. In 2014, 26% of users connected to the web using a cellular phone. Today that has grown to 48%. The average Internet user worldwide uses the Internet an average of 6 hours and 42 minutes per day. The biggest daily users of the web are in the Philippines, with regular usage of over 10 hours per day. In the US the average is 6.5 hours per day.

Google has the world's two most popular web sites with Google search at number 1 and YouTube at number 2. Facebook is in third, with the top ten rounded out by Baidu, Wikipedia, Yahoo, Twitter, Pornhub, Yandex, and Instagram.

GlobalWebIndex reports that 92% of Internet users (about 4 billion) now watch video each month. To put that into perspective, an estimated 6 billion people around the world have access to a television.

It's estimated that more than 1 billion users now stream games, with Fortnite being the number one game in the world. There are also a billion people who watch other people play games, with 700 million people who watch e-sports.

About 40% of Internet users now interface with the web using voice. In China and India, over half of users interface with the web using voice.

Social media grew by 288 million new users last year. The US still leads with social media, with 70% of American internet users connected to at least one social media site. China also has a 70% social media penetration, followed by 67% in northern Europe and 66% in South America. China added 95 million users to social media in 2018, followed by India at 60 million and Indonesia at 20 million. Worldwide the average social media usage is 2 hours and 16 minutes per day. The Philippines again leads in this category where daily usage is 4 hours and 12 minutes. In the US it's a little over 2 hours per day.

While there are still billions with no access to the web, the web keeps growing at a rapid pace around the world. There are efforts by companies like Google, Facebook, and the satellite broadband providers to bring better broadband to the parts of the world with no connections.

Written by Doug Dawson, President at CCG Consulting

More under: Access Providers, Broadband, Mobile Internet, Telecom, Web

Proactive Cybersecurity: What Small Businesses Can Actually Do

Wed, 2019-08-21 17:06

In the business world, there are two main paths a company can take with cybersecurity — the reactive and the proactive approach. The problem with a purely reactive attitude is that it can easily put companies in constant firefighting mode. And for small companies with limited resources, this can turn out to be an increasingly uncomfortable place to be in.

With that in mind, experts today suggest proactive cybersecurity by monitoring suspicious activity and identifying risks before they turn into full-blown attacks. In this post, we are going to discuss several recommendations that small businesses can follow to isolate and combat cyber threats proactively at their level.

Look Inward for Weak Practices

For years, cybersecurity strategies for small businesses would typically involve protection from outside risks. However, sometimes the biggest threat may reside within your own organization.

How so? Well, the absence of a use policy, as well as overlooked system misconfigurations, can be as dangerous as viruses and other means of cyberattack. In small companies, such gaps often go unaddressed due to overwhelming task flows and the lack of cybersecurity expertise.

Thankfully, there are a few ways to tackle these risks. First of all, pay attention to usage controls and policies. Data protection regulations and data access limitations need to be clearly documented and consistently enforced to avoid accidental data breaches.

You also need to identify your critical assets — i.e., customer data, a proprietary technology, etc. — and then deploy security software to monitor your networks for possible flaws that can result in the leakage of sensitive data. For instance, a small business can use threat intelligence data feeds to automatically assess their own websites' configurations and detect vulnerabilities that can potentially be exploited by criminals.

Outsource Your Threat Hunting Needs

Threat hunting, the practice of proactively finding and identifying online threats as early as possible, is another way for small companies to stay ahead of cybercriminals.

One of its main aspects is the creation of actionable hypotheses about potential threats and those that may have already bypassed existing defenses. It involves combining and analyzing current intelligence and developing effective responses against cyber attacks before they happen.

Even though the approach is usually associated with large enterprises due to its complexity, small businesses can incorporate it too. The most practical way of doing so is by outsourcing this expertise to an experienced and equipped threat hunting agency. Doing so will provide even minor players in the industry with the capability to analyze threat data and discover upcoming dangers before they cause damage.

Employing Threat Hunting Tools

But outsourcing is not the sole alternative. Many small businesses that lack the budget or the opportunity to hire professional cybersecurity agents to help study their intelligence and look for threats can still take the matter into their own hands.

The option here is to work with software that could facilitate and somewhat automate the process. However, in order for it to be a reasonable and affordable choice, small organizations should first determine which risks they are most prone to — domain infringement, brand abuse, or others — and from there find an application or databases that focus on the corresponding area.

Such tools and sources can carry out the identification, analysis, and even the decision-making often tasked to security professionals, ultimately transforming huge amounts of log data and other threat indicators into a list of priorities a company needs to resolve.

Stay on Top of Domain Threats

Threat actors are never short of ideas as they are constantly working on creative ways to strike organizations. But one thing that hasn't really changed is their exploitation of domains — for years they've been impersonating them, populating them with malware, and more.

This means that websites need to be carefully examined before a company starts making contact with them. But the problem is that small businesses don't have enough specialists that could analyze and approve every page the organization needs to interact with.

One way small teams can protect themselves from these threats without hiring an army of cybersecurity professionals is through software that automatically analyses domain infrastructure and gauges its safety — a process also known as domain scoring — and can run unknown sites through prominent malware databases to confirm their legitimacy and verify if they are infected with harmful code.

Educate Employees on Present Dangers

Employees continue to succumb to social engineering scams. In fact, Verizon mentions that phishing and pretexting account for 98% of social incidents and 93% of breaches. Note that 58% of the data breach victims were small companies.

One of the main reasons why such threats have been quite effective is that criminals bank on the lack of cybersecurity knowledge and use psychological manipulation to deceive users. And since small teams hardly consist of specialists with a deep cybersecurity background, they are easy prey for perpetrators.

This means that it is crucial for such organizations to pay attention to cybersecurity awareness — e.g., educating employees during the onboarding process, teaching everyone proper password handling, and sticking to the cybersecurity house rules in place. Another cost-effective approach is having frequent huddles led by an IT specialist to advise everyone on board how to stay safe from online threats.

Store Data Effectively

Businesses store all kinds of data that range from the information of their customers to the records of their employees and important financial transactions. Losing access to it can be deadly for a small business — paralyzing its operations and leading to costly downtime. This is one of the reasons why small businesses need to put thought into backing up their data.

Thankfully, being a small company means that you don't have as much data as big enterprises, which, in turn, makes performing backups a lot easier. A simple concept we recommend following is the 3-2-1 backup rule, which implies:

  1. Having at least three backups of your company data
  2. Storing it in two different formats
  3. Keeping at least one copy offsite

In practice, this could be a combination of cloud data backup, together with an external hard drive and local desktop storage. For added safety, you should encrypt the stored data and even password-protect the hard drives you use.

Managing Passwords

As the owner of a small business, handling multiple online accounts is already a part of your day-to-day operations. And to be efficient, you might be tempted to use the same usernames and passwords so they can be easily remembered. Unfortunately, this facilitates the job of a hacker since there is just one password to figure out before taking control of various channels and processes.

One easy-to-implement tip to overcome this dilemma is signing up for a password management application that can securely store and maintain passwords. With this kind of capability, you can begin using long, nonsensical passwords that can be very difficult to break, especially via brute force attacks.

* * *

These are just some of the best practices that small businesses can follow to develop a proactive cybersecurity strategy that works for them in 2019. From performing assessments internally to the active monitoring of a network, business owners can employ a range of techniques to safeguard their organization actively in today's ever-dangerous cyber landscape.

Written by Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com

More under: Cyberattack, Cybercrime, Cybersecurity

WIPO Becomes First Non-Chinese Entity to Provide Domain Dispute Resolution Services for China's .cn

Tue, 2019-08-20 19:59

WIPO's Arbitration and Mediation Center earlier this month became the only non-Chinese entity to provide domain name dispute resolution services for the .CN and .中国 (China) country code Top-Level Domain (ccTLD) — one of the world's largest ccTLDs. Rory O'Neill reporting in TBO writes: "The Cyberspace Administration of China's (CAC) decision to designate the WIPO centre as a dispute resolution provider comes after WIPO chief Francis Gurry and CAC minister Zhuang Rongwen signed a memorandum of understanding last month. ... A number of high-profile brands and IP bodies have taken action against alleged cybersquatters in recent months."

More under: Domain Names, Intellectual Property, Law

Huawei Founder in a Staff Memo Warns Company Is Facing a 'Live-or-Die Moment'

Tue, 2019-08-20 18:21

In a memo sent to employees on Monday, Ren Zhengfei, the 74-year-old Huawei founder, asked employees to work aggressively towards sales targets and warned that the company is facing a "live-or-die moment." The memo contained numerous military metaphors, according to Reuters, which says it has seen the content. An excerpt from the memo reads: "If you cannot do the job, then make way for our tank to roll; And if you want to come on the battlefield, you can tie a rope around the 'tank' to pull it along, everyone needs this sort of determination!" Sijia Jiang, who broke the story in Reuters today, reports: "Huawei will spend more on production equipment this year to ensure supply continuity, cut redundant roles and demote inefficient managers as it grapples with a 'live-or-die moment' in the wake of U.S. export curbs ... Ren said in June the ban was worse than expected..." The memo follows the U.S. decision this week to delay the trade ban for 90 days to help U.S. customers "wean themselves off."

More under: Policy & Regulation, Telecom

Google Showing Signs of Increased Concerns Over Rising Data Privacy Scrutiny

Mon, 2019-08-19 20:05

Earlier this year, Google quietly terminated its "Mobile Network Insights" service, which provided wireless carriers globally with information on network performance in various locations. The data was derived from devices running Google's Android operating system, and according to a Reuters report, the shutdown followed "Google's concerns that sharing data from users of its Android phone system might attract the scrutiny of users and regulators." Angela Moon and Paresh Dave of Reuters write: "The withdrawal of the service, which has not been previously reported, has disappointed wireless carriers that used the data as part of their decision-making process on where to extend or upgrade their coverage. Even though the data were anonymous and the sharing of it has become commonplace, Google's move illustrates how concerned the company has become about drawing attention amid a heightened focus in much of the world on data privacy."

More under: Mobile Internet, Privacy

Study Reveals U.S. Carriers Throttle Online Video on Their Mobile Networks Even When Not Congested

Mon, 2019-08-19 19:12

A new study conducted by researchers at Northeastern University and the University of Massachusetts Amherst involving 650,000 tests indicates U.S. carriers are throttling online video on their mobile networks regardless of whether or not those networks are congested. While U.S. wireless carriers have long insisted that the slowing down of video traffic on their networks is to avoid congestion and bottlenecks, throttling is occurring all the time, the study has found.

A large-scale study of net neutrality violations and their implications is long overdue, says the group that conducted the research. They wrote: "In the intervening decade, the Internet has evolved in two key ways that require a new approach to auditing. First, today's dominant source of Internet traffic is video streaming from content providers, not BitTorrent. Second, users increasingly access the Internet from their mobile devices, often with a spectrum-constrained cellular connection. There is a need to conduct a study of net neutrality violations that takes these changes into account. We address this need using 1,045,413 measurements conducted by 126,249 users of our Wehe app, across 2,735 ISPs in 183 countries/regions."

More under: Mobile Internet, Net Neutrality, Telecom, Wireless

Threat Intelligence in Latter 2019: Overcoming the Same and New Challenges

Mon, 2019-08-19 18:02

Does threat intelligence (TI) work? I looked into that question last year, exploring the reasons why it actually doesn't and what can be done to remediate the situation. Since then, more companies have incorporated TI into their security processes, and many are still not getting the benefits they expect.

What's causing the dissatisfaction? Interestingly, pretty much the same aspects — i.e., mismatches with cybersecurity needs, lack of resources, implementation challenges, and other misunderstandings and misconceptions — and new ones.

So, how can we bridge these gaps in the second half of 2019? TI is complex by nature, and a change of perspective, alongside a strong commitment to best practices, is necessary to overcome the hurdles along the way. Let's dig into the latest learnings in the field and figure out a way forward.

Analyzing and operationalizing TI takes time

Gathering any form of intelligence and applying the corresponding insights is something that cannot and should not be rushed. Likewise, getting the most value from TI requires diligent and thorough analysis with the right metrics, scope, and depth at the outset. Otherwise, it's not easy to measure progress. All of that takes time, and impatience could set in and affect the quality of data collection, processing, and interpretation.

TI may end up too general and off-target

TI analysis goes from broad to specific, and it's important to carry out the process all the way through because threats are subtle and dangerous in detail. If TI results and interpretations are too general, they'll likely fail to address the areas that need particular attention. It's up to users to narrow down the focus to get intel relevant to their brand or industry — e.g., online fraud for payment processors, DDoS or ransomware for large enterprises, etc.

Over-reliance on manual processing and analysis is bad

TI is labor-intensive, sometimes more than it needs to be. As part of TI's implementation, security staff must find a balance and leave sufficient legwork to automated systems, possibly with machine-learning capabilities. In turn, threat intelligence analysts can spend more time on strategic and urgent tasks that allow for a more effective and faster response to immediate threats.

TI is not your average cybersecurity operation

The practice has its specificities and therefore requires people capable of handling the particular operational and technical elements for, say, the integration of a threat intelligence API into pre-existing security applications. In a similar vein, TI teams also need enough resources and logistics to avail of specialist equipment and skills — of course, in line with an organization's sector and its core activities and salient vulnerabilities.

Actions must be taken based on TI insights

As bad actors adjust their tactics, so should people within organizations. As a means to detect what's wrong with systems and online assets over time, TI and its actionable insights must be disseminated to forewarn employees and help decision-makers make wise acquisitions and security investments. A new malware, for example, should be put on the radar immediately, and steps to counter it should be laid down just as quickly.

On an external level, sharing intelligence with other organizations creates an early-warning network that thwarts attacks and facilitates the dismantling of threat infrastructure.

Integrate with your tools and teams

TI should not be a lone wolf fighting an independent battle. Instead, it should be integrated as a major part of the overall cybersecurity strategy. The effectiveness of SIEM, as well as other important incident management systems, is enhanced when they are complemented by TI's contextual analysis and actionable recommendations to halt attacks.

* * *

The benefits of threat intelligence remain elusive at times. Proactive measures need to be put in place in 2019 and beyond in order to overcome challenges and successfully implement the practice as part of integrated cybersecurity efforts.

Written by Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com

More under: Cyberattack, Cybersecurity, Networks

Almost All 5G Estimates for 2019-2020 Need to Be Doubled

Mon, 2019-08-19 17:38

The remarkable take rate in Korea and China is invalidating almost all projections of 5G subscriptions. The 5G promotion has consumers wanting to buy, buy, buy. Huawei Mate 20 5G is selling for only US$30 more than the 4G model. At that price, who would want to buy a 4G phone that could be obsolete in a year or two? In the first two weeks of sale, over a million Chinese bought Huawei's 5G phone.

One of the best analyst groups on earth currently expects China to have 31 million subs in 2020. Two million+ Chinese are signing up in August 2019, a pace almost sure to increase. It's almost certain that China in 2020 will have more than that group's 73 million worldwide estimate. Korea is at 2 million after four months. KT is confident of 5 million Koreans taking 5G in 2019 from the three carriers. It estimates 30% of the country will switch to 5G by the end of 2020, about 15 million phones.

The new data is forcing everyone to rethink. If the Americans and Europeans switched to 5G in 2020 at even a quarter of the Korean expectation, that would be over 40 million.

Prices of 5G phones are plummeting in China. As I write, the Chinese smartphone maker, Oppo, is selling a premium 5G phone for $580. Vivo is about to announce an even lower price. Nine phone makers are in active production, and competition is becoming intense in Asia. It only costs about a dollar to airfreight a phone to Europe. The low prices are likely to spread and drive sales.

China Mobile and others say 5G phone prices will fall to under $300 in 2020.

Written by Dave Burstein, Editor, DSL Prime

More under: Mobile Internet, Telecom, Wireless

Domain Name Registrar Isn't Liable for Counterfeit Goods – InvenTel v. GoDaddy

Sun, 2019-08-18 17:51

InvenTel makes security cams for cars. It is trying to crack down on Chinese counterfeiters. It brought a prior lawsuit against a wide range of defendants, including GoDaddy. InvenTel voluntarily dismissed GoDaddy from that suit. It brought a second round of litigation involving a new counterfeit site allegedly by the same bad guys, www.hdmirrorcambuy.com, a domain name registered via GoDaddy. Initially, InvenTel claimed GoDaddy hosted the site as well, but it dropped that claim. So the suit against GoDaddy devolves into a simple question: can GoDaddy be liable for counterfeiting activity for registering the domain name?

The answer is no. This is wholly unsurprising because most of these issues were litigated and resolved in the 1990s, making this an old school case. On the plus side, it's a nice reminder that the law hasn't changed in the past two decades.

Federal Trademark Infringement. In the ACPA, Congress provided a safe harbor for domain name registrars (15 U.S.C. § 1114(2)(D)(iii)). This safe harbor hasn't been litigated very often, so this is a rare but otherwise unremarkable opinion applying the safe harbor. The court says:

"The only pleaded basis for GoDaddy's knowledge that the Website would be used to infringe is the Li Defendants' conduct using other websites and the Prior Action. But GoDaddy's domain name registration system is automatic. Therefore, without a warning that the specific URL being registered would be used for an illicit purpose, GoDaddy did not have a "bad faith intent to profit" from the automatic registration of 'www.hdmirrorcambuy.com.' In other words, failing to prevent its computer system from registering the Website does not constitute 'bad faith.' Plaintiff provides no basis for the proposition that GoDaddy must predict which URLs will be used for infringement purposes and proactively stop them from being registered."

To be clear, I don't think this passage supports the inverse proposition, i.e., that GoDaddy would be automatically liable if it had gotten a warning that a domain name was being used for illicit purposes.

State Direct Trademark Infringement. GoDaddy didn't "use" the allegedly counterfeited goods.

State Indirect Trademark Infringement. The Ninth Circuit shut down registrar liability in the 1999 Lockheed v. NSI ruling. "GoDaddy does not control or monitor the instrument of infringement (i.e., the Website)."

Direct Copyright Infringement. As a registrar, GoDaddy doesn't "copy" anything.

Indirect Copyright Infringement. There was no direct copyright infringement taking place when GoDaddy registered the domain name.

Direct Patent Infringement. GoDaddy didn't make, use, or sell the counterfeit goods.

Indirect Patent Infringement. "GoDaddy permitting its computer system to automatically register the Website, even with knowledge of the Prior Action, is not an activity GoDaddy knew would 'cause infringement.' As previously stated, GoDaddy is not obligated to proactively guess which proposed domain names will likely be used for nefarious purposes."

State Consumer Fraud Act. InvenTel wasn't GoDaddy's "consumer."

The court summarizes:

"As to the automatic registration of the Website...that conduct cannot produce direct or contributory intellectual property liability on the facts of this case. GoDaddy did not have the requisite knowledge that the Li Defendants would use the Website to infringe on InvenTel's intellectual property rights when it engaged in the only conduct at issue — providing domain name registration services. InvenTel cannot plausibly allege GoDaddy acted with the requisite knowledge, as InvenTel filed its Complaint without even notifying GoDaddy of the new Website. Even considering facts outside the Complaint set forth by InvenTel, GoDaddy could not be liable. InvenTel has not presented any theory under which GoDaddy is obligated to monitor and predict which websites might be used for infringing purposes. Even when the same individual registers multiple websites, it is the intellectual property holders' responsibility to protect their property, not third parties'. Had InvenTel taken advantage of GoDaddy's takedown request procedures, and GoDaddy refused to deregister the Website (despite evidence of infringement), InvenTel may have a claim. But here, InvenTel ran to federal court without informing GoDaddy of the infringement. Having no notice of the infringement, liability will not attach because GoDaddy did not take any action with the requisite knowledge."

A periodic reminder that even if the law doesn't require notice-and-takedown, courts are unimpressed when plaintiffs could have solved their problems by sending takedown notices.

As far as I can tell, the court doesn't distinguish between domain name registration and domain name hosting (as opposed to website hosting, which the court does distinguish). I wonder if the court would be more amenable to liability for domain name hosting. The above passage suggests it might be.

Trademark, copyright, and patent law all have discretionary fee-shifting provisions. Given the complete lack of merit in this case and the venerability of the legal principles it raised, I wonder if the court will be amenable to a fee-shift request from GoDaddy.

Case citation: InvenTel Products, LLC v. Li, 2:19-cv-09190-WJM-MF (D.N.J. Aug. 13, 2019)

Written by Eric Goldman, Professor, Santa Clara University School of Law

More under: Domain Management, Domain Names, Law

The Pros and Cons of Introducing New gTLDs

Fri, 2019-08-16 01:31

Every time new concepts are introduced, much debate ensues as to the advantages and disadvantages such a change would bring forth. We've seen that happen with the launch of IPv6. Detractors and supporters rallied to make their respective arguments heard.

One thing is sure, though. The need for a much larger IP address space is something both parties agree on. In the past 10 years alone, the number of Internet users has grown almost fourfold, from 1.7 billion in June 2009 to 4.4 billion as of June 2019. And if a researcher's calculations are right, as many as 380 websites are created per minute. An increasing number of start-ups are also established over time that need to make their own mark on the World Wide Web.

Given the constantly rising volume of businesses, it isn't surprising for much-sought-after domains to become harder to come by. Every company, after all, would go for a domain that aptly describes their business and matches their brand so they would be easy to find in the ever-growing global community that is the Internet. The seeming lack of domain choices has led to the proposal to widen the top-level domain (TLD) space.

And so in 2015, the Internet Corporation for Assigned Names and Numbers (ICANN) announced the introduction of more than 500 new generic TLDs (gTLDs) to accommodate the growing demand. Of course, this spurred talks about the good and bad that this change would bring about. Let's take a closer look at both sides of the coin.

The Good

The availability of new gTLDs provides entrepreneurs with more domain name options to choose from. Companies in need of easy-to-remember domains for their websites will no longer be limited to using the more commonly used and likely saturated gTLDs (.com, .net, .org, etc.). With the addition of hundreds of gTLDs to choose from, they would stand a better chance of obtaining ownership rights to a domain that would best fit their brand.

Domainers and domain registrars whose main task is to provide clients with lists of potential domains for their business would be able to give more choices apart from what may be left available in the popular gTLD and even country code TLD (ccTLD) spaces. This can, of course, result in better customer satisfaction.

The Bad

It's no secret that everyone approaches anything new with a bit of caution. Because newly created gTLDs are not yet well known, site visitors, especially those that have had run-ins with cybercriminals, may be wary of visiting sites that sport them. It is, after all, known that cyber attackers often hide their trails by using less popular TLDs.

Cybercriminals and attackers may have gained a bigger playing field as well. Their domain choices, much like the rest of the world's, increased. Cybersecurity specialists and law enforcement agencies will need to scour a much bigger base when going after threat actors.

Given the bigger volume of TLDs to monitor, website owners and brand agents would also have to spend more time and exert greater effort to keep tabs on potential cases of copyright infringement and trademark abuse.

Takeaways

Just as connectivity can be considered a double-edged sword, the Internet's growth presents both risks and opportunities as well. But because change is constant, anyone with an online presence, whether an individual or a company, just needs to remain ever-vigilant to threats in order to stay safe. We can only expect to see the World Wide Web expand more, bringing with it both the good and the bad. We just need to be prepared with not just reactive but also proactive measures to maintain the security of our digital assets.

Written by Jonathan Zhang, Founder and CEO of WhoisXMLAPI & ThreatIntelligencePlatform.com

More under: Cybersecurity, Domain Names, Registry Services, New TLDs

The Promise of Multi-Signer DNSSEC

Thu, 2019-08-15 23:32

DNSSEC is increasingly adopted by organizations to protect DNS data and prevent DNS attacks like DNS spoofing and DNS cache poisoning. At the same time, more DNS deployments are using proprietary DNS features like geo-routing or load balancing, which require special configuration to support using DNSSEC.

When these requirements intersect with multiple DNS providers, the system breaks down. DNSSEC cannot currently work with two or more providers if those providers offer proprietary DNS features. In this article, we'll explain why this happens and present an innovative technical solution that was recently adopted in an RFC draft and is under evaluation by the DNS operations working group in the IETF. We will show how NS1 implements this solution and describe another way that organizations can achieve DNS redundancy with DNSSEC.

The Problem of Multi-Signer DNSSEC

DNSSEC is a set of extensions that improve the original DNS protocol to make it more secure. Its main objective is to allow DNS clients to verify that they are receiving correct DNS information and not fake information injected by attackers.

DNSSEC defines new types of DNS records, which hold cryptographic signatures of DNS data and share a public key that allows verification of the data. The signatures are a proof that the data has not been tampered with and are authentic because the private key that was used to create the signatures is held only by the DNS zone owner.

The problem begins when organizations have three requirements, all of which are quite common in modern DNS deployments:

  1. DNSSEC – they want to secure DNS communication using the DNSSEC protocol.
  2. Multi provider – they want to run DNS with more than one provider at the same time. This is commonly used to set up redundant DNS, ensuring services remain available even if one DNS provider fails.
  3. Advanced and Proprietary DNS features – most DNS providers today offer capabilities that go beyond the standard DNS protocol in order to route traffic based on rules or conditions such as resource availability or geo-routing that can route users, via DNS, to a server near them, or Global Server Load Balancing to route users between several servers. See for example NS1's DNS traffic steering capabilities. Since these capabilities extend standard DNS, many of these advanced features are implemented in proprietary ways.

Using current DNS infrastructure, if you meet requirements #2 and #3, DNSSEC will simply not work. Let's understand why.

In traditional DNS, all records are static. The zone file is signed with DNSSEC and distributed to DNS providers (in case you use more than one). All providers serve the records from the same file. Every client who sends a query for a record gets the same answer, regardless of which DNS provider that client is communicating with.

However, when we introduce requirement #3, proprietary DNS features, DNS records are no longer static. The DNS answer might change for a specific query. For example, you might want to provide a different DNS response depending on the geographical location of the user, the server you want to route the user to, performance considerations, etc.

Each DNS provider that has proprietary DNS features has an internal method for making DNSSEC work with their traffic management features. For example, NS1 signs each individual response on-the-fly when generating the response (this is called DNSSEC online signing).

Those proprietary DNSSEC implementations are quite different between providers. It is no longer possible to provide one zone file, sign it one time and distribute it between providers. Each provider generates tailored DNS responses which cannot be easily pre-signed with a single DNSSEC key.

A Strategy for Solving the Multi-Signer DNSSEC Problem

A solution to this problem has been proposed in a recent IETF draft, co-authored by NS1's Jan Včelák. The solution is straightforward but requires some background to understand, so let's go through it step by step.

A Bit of Background: KSK and ZSK

Let's start by defining two important concepts:

  • The Key Signing Key (KSK) is the key used to sign, and therefore authenticate, the other DNSSEC keys that sign the zone content. The private part of the key is kept by the zone owner and the public part of the key is published in the DNS. The key is also referred to from the parent zone, which establishes a secure delegation between the parent and the zone.
  • The Zone Signing Key (ZSK) is the key used to sign all records in the zone, except for the DNSKEY record, which is signed by the KSK.

Sharing the ZSK Between Providers

The proposed strategy for multi-signer DNS is that each DNS provider should use a separate zone signing key for the records they serve, but all providers have to agree on the total set of DNSSEC keys being used, which includes all of the KSKs and ZSKs. Therefore each provider has to import the public keys of every other provider.

Why would one DNS provider need the public keys of the other providers?

Take a domain, example.com, with two DNS providers A and B and with each provider using a separate KSK and ZSK. There is a secure delegation from the parent zone (".com"), which contains signed DS records pointing to both providers' KSK.

Now the DNS resolver has to fetch the DNSKEY record for the zone which contains the DNSSEC keys to be used for validation. If it chooses to talk to provider A, the resolver obtains the DNSKEY, validates the response, and then caches it. This is illustrated below.

At a later point in time, the resolver might query another record in that zone, but now it talks to provider B's name servers. It gets a response, but that response is signed by B's ZSK which is not present in the cached DNSKEY record received from A. This is illustrated by provider B returning an answer signed by the orange and purple keys.

That's why provider A's DNS response needs to include the ZSK for provider B, and vice versa. Every provider has to import public keys of every other provider. This is the basis for the multi-signer DNSSEC solution.

Two Models for Making Multi-Signer DNSSEC Work

We've presented the basic principle that makes multi-signer DNSSEC work — that each provider needs to import and provide to its users the ZSKs of all the other providers. This ensures that the next time a user makes a query, they can still validate their DNSSEC data even if they reach another provider. There are two models for making this happen.

Model 1: One Zone Owner and One KSK

Who is it for?

Model 1 uses a single KSK managed by one of the providers or the zone owner. This model is suitable for organizations that require a better control of the KSK and want to manage all signing keys for the zone themselves.

How it works

Each of the providers, A and B, has its own set of zone signing keys (ZSK). The zone owner retrieves the public keys from the providers, builds the DNSKEY record set which contains the public KSK and public ZSKs of the providers, signs it using the private KSK, and provides the resulting DNSKEY record set along with the signature to the two DNS providers.

Source: DNS OARC Presentation

The above diagram illustrates that the DNSKEY record set is always served with the same signature, generated in advance by the zone owner. But any other content in the zone is signed by the ZSKs held by the different providers.

Because each DNS provider has the same DNSKEY record set, even if the resolver caches a response from one provider, it has all the public keys needed to validate responses sent by the other provider.

Model 2: Shared Trust, Two KSKs Distributed to Two DNS Providers

Who is it for?

Under model 2, each provider uses an independent KSK and ZSK. This model is suitable for organizations that do not require tight control of the KSK and instead require a solution with full redundancy.

How it works

Each provider has their own ZSK and KSK. They independently reach out to the other provider, get the public keys that provider is using, and add their own public keys. As a result, they all end up with the same DNSKEY record set which is signed by their own KSK. The DNSKEY record and the signatures are then added into the zone.

In this setup, the parent zone contains a DS record referring to the KSK of each provider. No matter which provider the DNS resolver selects to get any zone record, it will always be able to validate the record's authenticity because both KSKs are trusted and the DNSKEY record set is the same at both providers.
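The resolver-cache failure and the two models described above, worked through as an added example (not NS1's code and not taken from the IETF draft). Toy RSA over fixed Mersenne primes stands in for a real DNSSEC algorithm, and the key names, record encoding and addresses are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent of the toy RSA used as a stand-in signature scheme

def make_key(name, k1, k2):
    """Toy RSA key from two Mersenne primes 2**k - 1 (fixed so runs are repeatable)."""
    p, q = (1 << k1) - 1, (1 << k2) - 1
    return {"name": name, "n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def pub(key):
    return (key["name"], key["n"])          # what a DNSKEY record would publish

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    """Return an RRSIG-like pair: (signer key name, signature value)."""
    return key["name"], pow(_h(data, key["n"]), key["d"], key["n"])

def verify(dnskeys, data, rrsig):
    """True if rrsig was made by one of the public keys in dnskeys."""
    signer, value = rrsig
    return any(name == signer and pow(value, E, n) == _h(data, n)
               for name, n in dnskeys)

def wire(dnskeys):
    return repr(sorted(dnskeys)).encode()   # simplified canonical DNSKEY RRset

def ds(pubkey):
    return hashlib.sha256(repr(pubkey).encode()).hexdigest()  # DS-like digest

class Provider:
    def __init__(self, zsk, rdata, dnskeys, dnskey_sigs):
        self.zsk, self.rdata = zsk, rdata
        self.dnskeys, self.dnskey_sigs = sorted(dnskeys), dnskey_sigs

    def answer(self):
        # Online signing: the tailored answer is signed with this provider's own ZSK.
        return self.rdata, sign(self.zsk, self.rdata)

class Resolver:
    def __init__(self, ds_set):
        self.ds_set, self.cached_dnskeys = ds_set, None

    def fetch_dnskey(self, provider):
        keys, sigs = provider.dnskeys, provider.dnskey_sigs
        trusted_ksks = [k for k in keys if ds(k) in self.ds_set]
        if not any(verify(trusted_ksks, wire(keys), s) for s in sigs):
            raise ValueError("DNSKEY RRset is not signed by a key the parent vouches for")
        self.cached_dnskeys = keys

    def validate(self, provider):
        rdata, rrsig = provider.answer()
        return verify(self.cached_dnskeys, rdata, rrsig)

def a_then_b(prov_a, prov_b, ds_set):
    """Cache the DNSKEY RRset from A, then validate an answer from A and one from B."""
    r = Resolver(ds_set)
    r.fetch_dnskey(prov_a)
    return r.validate(prov_a), r.validate(prov_b)

# Constructed keys and answers (each provider steers traffic to a different address).
KSK_A, ZSK_A = make_key("KSK-A", 61, 89), make_key("ZSK-A", 107, 127)
KSK_B, ZSK_B = make_key("KSK-B", 521, 607), make_key("ZSK-B", 1279, 2203)
OWNER_KSK = make_key("KSK-owner", 2281, 3217)
ANSWER_A, ANSWER_B = b"www.example.com A 192.0.2.10", b"www.example.com A 198.51.100.20"

def isolated():
    """No key exchange: each provider publishes only its own KSK and ZSK."""
    set_a, set_b = [pub(KSK_A), pub(ZSK_A)], [pub(KSK_B), pub(ZSK_B)]
    a = Provider(ZSK_A, ANSWER_A, set_a, [sign(KSK_A, wire(set_a))])
    b = Provider(ZSK_B, ANSWER_B, set_b, [sign(KSK_B, wire(set_b))])
    return a_then_b(a, b, {ds(pub(KSK_A)), ds(pub(KSK_B))})

def model1():
    """Zone owner holds the only KSK and pre-signs one DNSKEY RRset for both providers."""
    rrset = [pub(OWNER_KSK), pub(ZSK_A), pub(ZSK_B)]
    sigs = [sign(OWNER_KSK, wire(rrset))]
    a = Provider(ZSK_A, ANSWER_A, rrset, sigs)
    b = Provider(ZSK_B, ANSWER_B, rrset, sigs)
    return a_then_b(a, b, {ds(pub(OWNER_KSK))})

def model2():
    """Each provider imports the other's public keys and signs the union with its own KSK."""
    rrset = [pub(KSK_A), pub(ZSK_A), pub(KSK_B), pub(ZSK_B)]
    a = Provider(ZSK_A, ANSWER_A, rrset, [sign(KSK_A, wire(rrset))])
    b = Provider(ZSK_B, ANSWER_B, rrset, [sign(KSK_B, wire(rrset))])
    return a_then_b(a, b, {ds(pub(KSK_A)), ds(pub(KSK_B))})

if __name__ == "__main__":
    for label, run in [("isolated", isolated), ("model 1", model1), ("model 2", model2)]:
        print(label, run())
```

Each function returns a pair: whether the answer from provider A validated and whether the answer from provider B validated against the DNSKEY set cached from A.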

Multi-Signer DNSSEC Status at NS1

At this stage, NS1 has a working prototype implementation of the interface required to support Model 1: our REST API lets you retrieve the public keys we use for signing and also allows publishing the final DNSKEY record set and its signatures. At the same time, we are building an open-source component that allows you to run NS1 and any common open-source DNS server (for example BIND) in the multi-signer DNSSEC configuration.

NS1 is currently working with other DNS providers to implement the same interface, which will also eventually enable running Model 2, which has the benefit of full DNS provider redundancy.

While we are talking to different providers to enable Model 2, you can achieve the same results solely leveraging the NS1 Domain Security Suite.

Domain Security Suite

NS1 Domain Security Suite Includes:

  • A fully managed, single tenant, globally anycasted DNS network dedicated to your zones
  • A second, redundant DNS network hosted with a third party vendor on hardware, IPs, and ASNs that are physically and logically separate from the NS1 Managed DNS network
  • Support for full traffic management and DNSSEC on both networks
  • Full use of NS1's suite of advanced traffic steering capabilities on both DNSSEC-protected DNS networks
  • Single pane of glass management

Written by Jan Včelák, Lead Software Engineer at NS1

More under: Cybersecurity, DNS, DNS Security

Call Spoofing: Congress Calls on FCC, Russia and China Answer

Thu, 2019-08-15 21:10

It is both amusing and dismaying. Last year, Congress passed Ray Baum's Act telling the FCC to do something about those pesky incoming foreign SPAM calls and texts with the fake callerIDs. The FCC a couple of weeks ago responded with a chest thumping Report and Order claiming it has "extraterritorial jurisdiction" that it does not have and promising it will do something. Don't hold your breath on that one.

In less than two weeks, the world's only global intergovernmental telecommunication standards body — which also has real jurisdiction over those calls, texts, and identification — is convening its network security group in Geneva. It is known as Study Group 17. Indeed, it has a pre-existing sub-group on spam calls.

The FCC in typical current fashion input nothing into this study group, and indeed has largely not participated for the past decade or more in any work. It was left to both Russia and China yesterday to table new work items into the meeting to help implement Ray Baum's Act's call for action. Congress calls for action, Russia and China answer!

The Russian proposal is from its NIIR institute in the Ministry of Informational Technologies and Communications in Moscow — by one of its senior leaders who also happens to be vice-chair over the "Numbering, naming, addressing, routing and service provision" working party in the ITU-T's Operations study group. This group notably is responsible for the global numbering standards and identification mechanisms at issue.

The Russian proposal calls for a description of the technical requirements for telecommunication management systems and/or client support services to receive notifications of incoming spam calls. The work includes scenarios for interaction between clients and operators/service providers of telephone communication networks about incoming spam calls and the necessary technical measures. To implement such a mechanism, a number of technical measures are proposed, the implementation of which by operators/service providers and equipment manufacturers will contribute to the quickest and least costly scenario of involving the subscriber/recipient of spam calls and texts.

The proposal from China is from its most dynamic telecom service provider, China Unicom, by staff from its Network Technology Research Institute — proposing the development of a machine learning/AI technical framework for tackling the global spam challenges. The proposal notes that "some telecommunication operators of China have used ML/AI to counter-voice spam since 2015, and the techniques to counter spam are effective and efficient." In fact, U.S. industry and the FCC itself have made the same observations.

The China Unicom proposal intends to define the general technical framework for countering spam based on machine learning. It will provide general scenarios, characteristics of the spam, introduction of machine learning, and define a general technical framework, and workflows, to achieve effective governance and control of spam.

Twenty-five years ago, it would have been the FCC together with U.S. industry making these proposals and leading the efforts to implement global solutions with significant resources, and help coordinate among the many industry bodies already involved in this effort. Today, the FCC doesn't even show up. Maybe eventually, someone will "make the FCC great again."

Written by Anthony Rutkowski, Principal, Netmagic Associates LLC

More under: Internet Governance, Policy & Regulation, Spam, Telecom

The 2019 IPv4 Market: Mid-Year Report

Thu, 2019-08-15 16:54

After a slow start to 2019, the volume of IPv4 numbers traded is picking up — though still far below the peak trading periods of 2018. By this same time last year, the total quantity of numbers flowing to and from organizations in the ARIN region was just over 27 million. But 2018 was the most active year ever in the IPv4 market. This year is not shaping up to be as active. In 2019 (through July), just over 17.5 million numbers have transferred — representing a 35% decline from last year over the same time period.

The high volumes in 2018 were the result of an increased supply of large blocks entering the market. Between 2017 and 2018, there were double the number of transactions and a more than 15% increase in volume of IPv4 addresses sold in the large block market, most of which occurred in Q3 2018, when the second highest quantity of IPv4 numbers were traded in any quarterly period. The two quarters that followed, however, were the quietest in the history of the market as a result of limited supply rather than constrained demand. There were no large block transfers during this period.

The large block scarcity in Q4 2018 and Q1 2019 pushed prices up considerably. These rising prices shook loose some additional large block supply and produced a handful of large block transactions in Q2 of this year.

Although the volume of numbers traded has declined from last year, the total number of transactions is still trending upward, as it has year after year. This upward trend is attributable to continuing growth in small blocks transactions. In the first two quarters of 2019, over 75% of transactions involved trades of fewer than 4,000 IPv4 numbers. This reflects growth of 6% compared to the first half of 2018.

To date, the 2019 inter-RIR market has had no large block transactions, but there have been a steady stream of small and medium block trades. Also, there has been big news in the international market. LACNIC recently ratified a policy that will permit inter-RIR transactions. And there is an inter-RIR transfer policy proposal under consideration in AFRINIC.

Market Consolidation for /17+ Blocks

The current IPv4 market for /17 and larger blocks is consolidating around the trading activity of just a few buyers. In 2016, for example, there were approximately 30 buyers of nearly 80 /16 blocks traded; 95% of those blocks were sold outside of large block transactions to small and mid-block buyers (i.e., buyers purchasing fewer than 1MM numbers). Since then, the number of /16 blocks entering the market has increased - in the first half of 2019, over 100 /16s were sold - but the number of buyers and percentage of blocks traded outside of large block transactions has declined substantially. There were only 9 buyers altogether with less than 10% of the blocks sold to buyers picking up fewer than three /16s.

This same consolidation trend pervades the entire market for /17 and larger blocks. Since 2016, seller diversity (i.e., measured as the total number of sellers compared to the total number of transactions) remains high as sellers continue to stream into the market. Buyer diversity, however, has steadily decreased. See Table 1.

Block Prices Continue to Increase

Demand for address space remains high, and supplies are constrained. These factors are exerting upward pricing pressure. But at the same time, sophisticated buyers are looking for ways to use their leverage to relieve that pressure. In this climate, sellers need real-time pricing intelligence, effective bid processes, and experienced transaction guidance to help ensure they are closing deals that maximize the value of their address space.

IPv6 Deployment Picking Up ... A Bit ... in 2019

Worldwide end user adoption hit an all-time high of nearly 29% in June 2019, according to Google IPv6 statistics. See https://www.google.com/intl/en/ipv6/statistics.html. This represented a nearly 3 percentage point increase since January. This is slightly better than the rate of progress made during the same time period last year, but in line with global adoption rates in prior years.

By the end of Q2 2019, global user connectivity ranged from 25% (on weekdays) to around 29% (on weekends). Over the last two months in Q2, there was some upward progress in the U.S., but the adoption rate in the U.S. remains a few percentage points shy of its peak in late 2018, when adoption hit 40%.

There continues to be little progress in the number of websites reachable over IPv6. According to Alexa Top 1000 statistics, at the end of July, 25% of websites were reachable over v6, which reflects no improvement over the last two years.

As in the past, there is no evidence that IPv6 is replacing IPv4 as the dominant protocol for Internet routing or that the migration to IPv6 has had any material impact on the IPv4 market. Based on the current status of IPv6 adoption, we expect nothing to change in this regard for the remainder of 2019.

Written by Janine Goodman, Vice President and Co-founder at Avenue4 LLC

More under: IP Addressing, IPv6

Are the Telcos Crying Wolf?

Thu, 2019-08-15 02:44

We recently have heard much complaining from the telecommunications companies concerning the margin squeeze they experience from NBN Co. While they certainly do have a point, it is also essential to look at the other side of the coin.

Why have the telcos allowed this situation to happen in the first place? We have seen an explosion in the telecommunications industry over the last decades. This led to the arrival of internet companies which are currently amongst the largest corporations in the world. This is a clear indication that telecommunications is a very lucrative industry, indeed.

So, what are the telcos complaining about? Why have they not been able to claim their share of this massive growth?

The telecoms industry was right at the forefront of the digital explosion. However, for many decades telcos refused to accept these changes, fighting any form of transformation in order to protect their very lucrative voice-based revenue streams, often with margins above 100%.

They made it impossible for new players to enter the market. They didn't allow them to use the national infrastructure in any effective or efficient way to develop new services. As a result of this behavior, there were in the 1990s more than 25 anti-competitive investigations simultaneously proceeding against Telstra.

While fighting all of those rear-guard battles, the traditional telco industry took its eye off the future and companies such as Google, Apple, Facebook, Amazon, and many others in the internet market had a free rein to develop so-called "over the top" — OTT — business models, in which they used the existing telecoms infrastructure to distribute their own services to end-users. Ever since that time, telcos have complained about the situation.

Several countries had to implement "net neutrality" regulations to ensure that telcos wouldn't misuse their infrastructure monopoly to stop the introduction of new innovative video-based services and apps such as Skype and WhatsApp.

Despite what could be called "missed opportunities" for telcos, they were able to maintain a strong market position in the basic telecoms market relating to connectivity. The massive increase in OTT services also stimulated a far greater use of the telecoms network. And today, in most cases, telcos remain strong and healthy players in the connectivity market. However, this has become a low-margin utility service. There is little room for them to develop more value-added products with opportunities for premium based revenue models.

The traditional telecoms industry around the globe is under pressure and is suffering from the massive transformation that happened under its eyes. However, in Australia, the situation is perhaps getting worse, as the Government has created a separate telecoms wholesale company to prevent the incumbent Telstra from maintaining its stranglehold on the market, as happened in the 1990s as mentioned above.

The plan envisaged by the Australian Labor Government was to develop a super-high-speed broadband network based on fiber to the home infrastructure. The argument was that this would create a very powerful new platform on which all players in the telecoms market had an equal retail chance to build a range of new digital economy products and services. Putting aside if the existing telcos would indeed be able to build and deliver such services, the fact is that this network eventuated.

So the traditional telcos now have a double whammy against them. They missed out on value-added revenue opportunities. They lost this market to internet companies. On top of that, they are now also being squeezed in their traditional market of providing connectivity services.

This is not a pretty picture for the industry, and it will be interesting to see how this will develop over the coming years. I have always argued that the telecoms market is a critical one for nation-building and is a national asset and should not just be looked at from a profit-making perspective.

We now see international nervousness about Chinese companies dominating the telecoms industry. Perhaps it is time to have a holistic look at the telecoms market and — as a nation — make decisions of what we expect from this market and what the industry means for our society and economy. As mentioned before, such an all-encompassing review is well and truly overdue.

Written by Paul Budde, Managing Director of Paul Budde Communication

More under: Telecom

Ireland Leads Europe's .eu Domain Registrations in Q2

Wed, 2019-08-14 22:26

Ireland is reported as the top country for the growth of .eu domains in the second quarter of 2019. The latest report released by EURid, the operator of Europe's .eu domain, has attributed 18% of the growth of the European domain to Ireland, followed by Portugal with 16.1% and Norway with 10.8%. "The high increase in Ireland could be related to the notice about UK withdrawal from the EU and its subsequence to UK .eu domain name holders," says EURid. "Some of the UK domain name holders may have had the chance to transfer the domain names to their branches in other countries of the EU and EEA, e.g. the neighboring Ireland." Germany remains the top country of registrants with close to a million (978,566) .eu domains registered.

More under: Domain Names, Registry Services

MANRS Observatory: Monitoring the State of Internet Routing Security

Tue, 2019-08-13 17:12

Routing security is vital to the future and stability of the Internet, but it's under constant threat. Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, driven by the networking community and supported by the Internet Society, aiming to reduce the most common threats to the Internet's routing system through technical and collaborative action. As the effort gets traction and more awareness, we, as the MANRS community, need to ensure its transparency and credibility. This is why we've launched a free online tool so that MANRS participants can see how they're doing, and what they can improve, while anyone can see the health of the Internet routing at a glance. The MANRS Observatory measures networks' adherence to MANRS — their "MANRS readiness" — a key indicator of the state of routing security and resiliency of the Internet.

Here is what the MANRS Observatory is in a nutshell:

  • Performance Barometer: MANRS participants can easily monitor how well they adhere to the requirements of this initiative and make any necessary adjustments to their security controls.
  • Business Development: Participants can see how they and their peers are performing. They can leverage the MANRS Observatory to determine whether potential partners' security practices are up to par.
  • Policy: Policy makers can better understand the state of routing security and resilience and help improve it by calling for MANRS best practices.
  • Social Responsibility: MANRS implementation is simple, voluntary, and non-disruptive. The Observatory can help participants ensure they and their peers are keeping their networks secure, which helps improve routing security of the Internet as a whole.

The Observatory has two views: public, open to everyone, and private, available to MANRS participants. The public view user can look at the routing security metrics and statistics on a global, regional, and economic level, while MANRS participants can see performance of individual networks (of more than 64,000!) and even drill down to a detailed monthly incident report for the networks they operate.

  • The public view is aimed at anyone interested in routing security. Users can see the status at a glance for every country on an interactive global map and drill down into data for a chosen country.
  • The private view is intended for network operators. It lets them measure their MANRS readiness and quickly identify problematic areas to help them improve the security of their networks. It also adds an element of accountability where networks can see how well others are keeping their side of the street clean, which helps improve routing security of the Internet as a whole.

The metrics and statistics to measure MANRS readiness are calculated by tracking the number of incidents and networks involved, their anti-spoofing capabilities, and completeness of routing information in public repositories, such as IRRs and RPKI. This data is gathered from trusted third-party sources. (For more information on how MANRS readiness is measured, read "Measurement Framework".) The Observatory was developed jointly with the MANRS community but still has to pass the test of real-life usage and validation by MANRS participants.

One of the main objectives of the Observatory was to report on cases of MANRS non-compliance, and it provides reliable information on that. However, measuring network security from the outside is difficult, and even with highly-reputed data sources, there are sometimes false positives or false negatives (an incident that went unnoticed by the data collection systems). To put it into context, in 2018 alone, there were more than 12,000 routing outages or attacks, such as hijacking, leaks, and spoofing. We're working with our partners to improve the quality of incident data continuously.

While MANRS is seeing steady adoption — worldwide, there are now over 200 network operators and more than 30 IXPs supporting our initiative — we need more networks to implement the actions and more customers to demand routing security best practices. The more organizations apply MANRS actions, and the fewer security and related incidents happen, the more secure and resilient the Internet will be!

Explore the MANRS Observatory.

A slightly edited version of this article was published here in the Internet Society's blog.

Written by Andrei Robachevsky, Senior Technology Programme Manager at Internet Society

More under: Cybersecurity, Networks

There is Always a Back Door

Tue, 2019-08-13 01:06

A long time ago, I worked in a secure facility. I won't disclose the facility; I'm certain it no longer exists, and the people who designed the system I'm about to describe are probably long retired. Soon after being transferred into this organization, someone noted I needed to be trained on how to change the cipher door locks. We gathered up a ladder, placed the ladder just outside the door to the secure facility, popped open one of the tiles on the drop ceiling, and opened a small metal box with a standard, low-security key. Inside this box was a jumper board that set the combination for the secure door.

First lesson of security: there is (almost) always a back door.

I was reminded of this while reading a paper recently published about a backdoor attack on certificate authorities. There are, according to the paper, around 130 commercial Certificate Authorities (CAs). Each of these CAs issues widely trusted certificates used for everything from TLS to secure web browsing sessions to RPKI certificates used to validate route origination information. When you encounter these certificates, you assume at least two things: the private key in the public/private key pair has not been compromised, and the person who claims to own the key is really the person you are talking to. The first of these two can come under attack through data breaches. The second is the topic of the paper in question.

How do CAs validate that the person asking for a certificate actually is who they claim to be? Do they work for the organization they are obtaining a certificate for? Are they the "right person" within that organization to ask for a certificate? Short of having a personal relationship with the person who initiates the certificate request, how can the CA validate who this person is and whether they are authorized to make this request?

They could research the person — check their social media profiles, verify their employment history, etc. They can also send them something that, in theory, only that person can receive, such as a physical letter, or an email sent to their work email address. To be more creative, the CA can ask the requestor to create a small file on their corporate web site with information supplied by the CA. In theory, these electronic forms of authentication should be solid. After all, if you have administrative access to a corporate web site, you are probably working in information technology at that company. If you have a work email address at a company, you probably work for that company.

These electronic forms of authentication, however, can turn out to be much like the small metal box which holds the jumper board that sets the combination just outside the secure door. They can be more security theater than real security.

In fact, the authors of this paper found that some 70% of the CAs could be tricked into issuing a certificate for just about any organization — by hijacking a route. Suppose the CA asks the requestor to place a small file containing some supplied information on the corporate web site. The attacker creates a web server, inserts the file, hijacks the route to the corporate web site, so it points at the fake web site, waits for the authentication to finish, and then removes the hijacked route.

The solution recommended in this paper is for the CAs to use multiple overlapping factors when authenticating a certificate requestor — which is always a good security practice. Another solution recommended by the authors is to monitor your BGP tables from multiple "views" on the Internet to discover when someone has hijacked your routes, and take active measures to either remove the hijack, or at least to detect the attack.
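One way to implement the multi-view BGP monitoring recommended above, as an added example that is not taken from the paper or this article: it assumes you can export (view, prefix, AS path) tuples from several route collectors, and the view names, prefixes and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed inputs: prefixes from RFC 5737, AS numbers from RFC 5398.
# EXPECTED maps each prefix we originate to the AS numbers allowed to originate it.
EXPECTED = {
    ipaddress.ip_network("192.0.2.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/24"): {64500},
}

# (view, prefix, AS path) as exported from three hypothetical vantage points.
OBSERVED = [
    ("view-a", "192.0.2.0/24", [64501, 64500]),
    ("view-b", "192.0.2.0/24", [64502, 64500]),
    ("view-c", "192.0.2.0/24", [64503, 64500]),
    ("view-c", "192.0.2.0/25", [64503, 64511]),     # more specific, foreign origin
    ("view-a", "198.51.100.0/24", [64501, 64500]),
    ("view-b", "198.51.100.0/24", [64502, 64511]),  # same prefix, foreign origin
    ("view-c", "198.51.100.0/24", [64503, 64500]),
    ("view-a", "203.0.113.0/24", [64501, 64510]),   # not our address space
]


def classify(prefix, origin, expected):
    """Return an anomaly kind for one route, or None if it is fine or not ours."""
    covering = [n for n in expected
                if n.version == prefix.version and prefix.subnet_of(n)]
    if not covering:
        return None
    ours = max(covering, key=lambda n: n.prefixlen)  # longest expected match
    if origin not in expected[ours]:
        return "origin-mismatch" if prefix == ours else "more-specific-foreign-origin"
    return "unexpected-more-specific" if prefix != ours else None


def find_anomalies(expected, observed):
    """Group conflicting routes and record which views do and do not see them."""
    all_views = {view for view, _, _ in observed}
    seen = defaultdict(set)
    for view, prefix_text, as_path in observed:
        if not as_path:
            continue
        prefix = ipaddress.ip_network(prefix_text)
        origin = as_path[-1]  # the rightmost AS originated the route
        kind = classify(prefix, origin, expected)
        if kind:
            seen[(str(prefix), origin, kind)].add(view)
    return [
        {"prefix": p, "origin": o, "kind": k,
         "seen_by": sorted(views), "not_seen_by": sorted(all_views - views)}
        for (p, o, k), views in sorted(seen.items())
    ]


if __name__ == "__main__":
    for alert in find_anomalies(EXPECTED, OBSERVED):
        print(alert)
```

Both constructed anomalies are visible from only one of the three views, which is why a single vantage point is not enough to notice a short-lived hijack.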

These are all good measures — ones your organization should already be taking.

However, the larger point should be this: putting a firewall in front of your network is not enough. Trusting that others will "do their job correctly," and hence that you can trust the claims of certificates or CAs, is not enough. The Internet is a low trust environment. You need to think about the possible back doors and think about how to close them (or at least know when they have been opened).

Having personal relationships with people you do business with is a good start. Being creative in what you monitor, and how, is another. Firewalls are not enough. Two-factor authentication is not enough. Security is systemic and needs to be thought about holistically.

There are always back doors.

Written by Russ White, Infrastructure Architect at Juniper Networks

More under: Cybersecurity

Satisfying the Evidentiary Demands of the UDRP

Mon, 2019-08-12 16:29

It continues to surprise that some counsel in proceedings under the Uniform Domain Dispute Resolution Policy (UDRP) are unaware or oblivious of its evidentiary demands, by which I mean they file and certify complaints with insufficient evidence either of their clients' rights or their claims. Because the UDRP requires conjunctive proof of bad faith registration and bad faith use (as opposed to the disjunctive model of the Anticybersquatting Consumer Protection Act), it should be ingrained for counsel experienced in the jurisprudence to know they cannot hope to succeed with marks postdating registration of domain names.

Yet, whatever the level of counsel's experience with UDRP jurisprudence, suing when there is no actionable claim is a recurrent feature on the docket. Examples: Puretalk Holdings, LLC v. Domain Administrator / Fundacion Privacy Services LTD, FA1906001848525 (Forum August 5, 2019) (<puretalk.com>, mark postdating domain name registration by 15 years); Art-Four Development Limited v. Tatiana Meadows, D2019-1311 (WIPO July 29, 2019) (<aizel.com>, also postdating by almost 15 years). In Femida a/k/a International Legal Counsels PC v. Reserved for Customers / MustNeed.com, FA1906001847829 (Forum July 25, 2019) the postdating is quite short, but still "Respondent's domain name was registered before the first use and registration of the Complainant's mark."

Claiming cybersquatting against domain names predating marks in commerce is obviously misguided, but challenging domain names with deficient evidence of a mark's right or a respondent's bad faith is careless or worse. It is no more sufficient to have a naked right than it would be for complainants to succeed on respondents' default. Respondents did not appear in Pure Talk and Art-Four; Complainants failed because it was impossible for them to succeed. The answer to why complainants fail depends in part on complainants' linguistic brand choices, and in another part, on failing to marshal proof supporting their claims. For marks composed of dictionary words, descriptive phrases, and short strings of letters, the evidentiary bar is higher because complainants are not the sole magnets for associations with allegedly infringing names. The bar is higher still for complainants of unregistered marks.

Whereas complainants of registered marks have standing by virtue of their registrations, those with unregistered marks only have standing on proof of secondary meaning antedating registration of the challenged domain name. (Under the ACPA the "mark [must be] distinctive at the time of the registration of the domain name" regardless of whether registered or unregistered.) Applications awaiting approval by trademark registries are not deemed to qualify as a right; nor are marks registered on the Supplemental Register in the US, although unregistered rights may include trade names and personal names if they are found to be functioning as trademarks. (See earlier essay Do Trade Names Qualify as Trade Marks for Purposes of the UDRP?)

Both ICANN Panels and US courts (and, no doubt, other jurisdictions) insist that proof of secondary meaning "includes evidence as to (1) the length and continuity of a mark's use, (2) sales, advertising, and promotional activities, (3) expenditures relating to promotion and marketing, (4) unsolicited media coverage, and (5) sales or admission figures." The Panel in Facele SPA v. Jason Owens, D2019-0140 (WIPO July 28, 2019) (<facele.com>, Complainant represented by counsel) gives a thoughtful discussion of these expectations:

Even if the Complaint had only included details of the Complainant's pre-2010 sales and advertising figures accompanied by examples of how the mark has been used, that would have been helpful. (Emphasis added).

Since the facts the Panel references should be within a complainant's knowledge and control, failure of proof, evasiveness, or silence supports an adverse inference that the mark was not used before the registration of the domain name; if it were, the proof would have been submitted (or carelessly omitted).

A good illustration of this deficiency of proof is Empire Engineering LTD v. Liamuiga LLC, FA1906001847862 (Forum July 22, 2019) (<empireengineering.com>). In this case, Complainant (represented "internally" presumably by an attorney) had to deal with the descriptive nature of the alleged mark. While the phrase "empire engineering" is hardly striking as an indicator of source, it is certainly capable of functioning as a mark. However, the Panel dismissed the complaint because "Complainant has not provided evidence of secondary meaning with respect to the expression 'Empire Engineering'". As in Facele SPA, Complainant (but more particularly its representative) failed to take into account the quality of and demand for proof to establish rights under paragraph 4(a)(i) of the Policy.

Failure to establish common law rights also sunk Complainant in Aurora Cannabis Inc., Aurora Marijuana Inc., Aurora Cannabis Enterprises Inc. v. Byron Smith, D2019-0583 (WIPO July 12, 2019) (<auroradrops.com>). The Panel held:

If there was indeed common law use of the AURORA DROPS at any relevant time by the Complainants, proof of that use was also deficient. This may be a function of the fact that the marijuana market in Canada was only operational at full scale beginning in October 2018. In any event, the Complainants' evidence of common law rights has not satisfied the Panel that there was a substantial reputation as of April, 2017, when the disputed domain name was registered. The Complainants' belated attempt to register AURORA DROPS has only served to muddy the waters.

The underlying concept of secondary meaning is proving reputation in the marketplace, not now but then. The evidence must be sufficient to show that the mark would have been recognized by consumers as a source of complainant's goods or services.

The same deficiency is noted in another common law claim, Dakota Access, LLC (c/o Energy Transfer LP) v John Saldis, FA1906001849464 (Forum August 6, 2019) (<dakotaaccesspipeline.com>). Here "Complainant has not adduced any evidence of trademark registration." While it "contends [it] has used the DAKOTA ACCESS PIPELINE name in publicity materials, contracts, and filings with state and federal regulatory agencies," it has not produced them:

The only supporting evidence adduced by Complainant is a presentation deck named "Energy Transfer LP Investor Presentation — June 2019". It is unclear to the Panel how this presentation deck supports Complainant's contention. This 45-page presentation deck seems to only have one reference to "Dakota Access Pipeline" in a map, without any elaboration as to the relationship of "Dakota Access Pipeline" with either Dakota Access, LLC or Energy Transfer LP. In addition, while the timing of when a complainant has acquired common law rights in a mark is not relevant for the panel in deciding on this element, the Panel notes that this presentation deck is dated June 2019, which is later than the creation date of the disputed domain name (September 18, 2016).

Even where marks allegedly predate domain name registrations, complainants must still anticipate legitimate interests and rights defenses squarely undercutting their claims of cybersquatting. In Royal Caribbean Cruises, Ltd. v. James Booth, BQDN.com, D2019-1042 (WIPO July 17, 2019) (<rcc.com>) Complainant argued that the three-letter string infringed its unregistered four-letter acronym, "rccl." This raised a problem as summarized by the three-member Panel:

the Respondent raises a reasonable question regarding whether a four-character mark which is an initialism or acronym can be found to be confusingly similar to a three-character domain name which, as here, shares part of the same character set. The Respondent points out that, if a finding of confusing similarity is made in those circumstances, the logical extension is that all four-character initialisms/ acronyms would be regarded as confusingly similar to all partially corresponding three-character domain names. (Emphasis added).

Interestingly (and unusually), the Panel declined to make a ruling under Paragraphs 4(a)(i) and 4(a)(ii) and rested its dismissal of the complaint on 4(a)(iii):

The Panel is inclined to favor the Respondent's case on registration in bad faith [and] accepts that the Respondent more probably than not acquired the disputed domain name due to its value as a short, ubiquitous and memorable three-letter string which would be attractive to a wide variety of existing and potential entrants to the marketplace rather than in a bad faith attempt to target one specific rights owner in the form of the Complainant.

In fact, such findings under either 4(a)(ii) or 4(a)(iii) have been made "in multiple past cases." For example, the panel noted in Compañía Logística de Hidrocarburos CLH SA v. Privacy Administrator, Anonymize, Inc. / Sam Dennis, Investments.org Inc, D2018-0793 (WIPO June 13, 2018) (<clh.com>) that "it is commonly accepted that absent factors to the contrary in a particular dispute [of which there are none offered in this case], trading in domain names is a legitimate activity that has grown into a substantial market over the years."

The facts in A Mediocre Corporation v. Domain Admin / Domain Registries Foundation, FA1906001849931 (Forum July 27, 2019) (MORNING SAVE and <morningsafe.com>, Complainant represented by counsel) look like a textbook example of typosquatting, substituting an "f" for a "v" (which on the Qwerty keyboard sits immediately below the "f"). I like Andrew Allemann's comment on DomainNameWire.com because it suggests an approach which counsel did not pursue and was not taken into account in deciding the case:

There are plenty of Wayback Machine screenshots showing early use of the MorningSave. These could have been included with date stamps to show the [earlier] use.

Although the Panel rejected Complainant's argument, it appears more that the dismissal was based on Complainant's failure to offer the necessary proof to support its claim. Complainant's contention based on constructive notice was rejected as not applicable in a UDRP proceeding (counsel should have known this!).

Mr. Allemann may very well be right about Mediocre that counsel could have done better. It applies to other cases of which it could be said that but for the deficiency of proof, the result would have been different if proof had been properly marshaled. For example, in Numerix LLC v. Dagmar Brebock, FA1906001846731 (Forum July 25, 2019) (NUMEREX and <nurnerix.com>) the confusing similarity is with the "rn" which replaces the "m." It would not be unreasonable to ask, who got it wrong, the Panel or Complainant's counsel? The Panel found that Complainant limited its proof to asserting that "Our domain name Numerix.com has been registered and in use since at least 1998 with corporate formation in 1996." An astute commentator (Evan Brown this time, udrptracker.com) offered the following "practice tip":

If you own trademark registrations, be sure to actually plead them in the complaint. This UDRP case should not have been lost on these grounds. Some panels cut no slack, even when there is obvious evidence outside the record.

What Mr. Brown means by "outside the record" is that Panels are not forbidden to do research on the Internet and trademark databases, which this Panel didn't do, hence his wry comment that "some panels cut no slack." Substituting "rn" for "m" is right out of the squatter's handbook: <rnerial.com> for MERIAL, <ernersson.com> for EMERSON, <freernanco.com> for FREEMAN, are some examples, all of them resulting in transfers. There is no indication that Complainant's counsel in Numerix brought this history of typosquatting practice to the Panel's attention. (This is probably a good candidate for an ACPA action.)

If only for instructional purposes, complainants and their counsel should pay close attention to Panels' reasoning of what evidence is necessary to satisfy claims of cybersquatting. As I have pointed out in earlier essays, complainants only get one shot in a UDRP at proving cybersquatting; there is no such pleading as an "amended complaint" under the UDRP. See UDRP Complaint: Actually, a Motion for Summary Judgment and Words and Descriptive Phrases as Trademarks Registered as Domain Names.

Written by Gerald M. Levine, Intellectual Property, Arbitrator/Mediator at Levine Samuel LLP

More under: Domain Management, Domain Names, Intellectual Property, Law, UDRP
