Most Viewed

Yahoo Addresses a Security Problem by Breaking Every Mailing List in the World

DMARC is what one might call an emerging e-mail security scheme. It's emerging pretty fast, since many of the largest mail systems in the world have already implemented it, including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo. DMARC lets a domain owner make assertions about mail that has their domain in the address on the 'From:' line. It lets the owner assert that mail will have a DKIM signature with the same domain, or an envelope return (bounce) address in the same domain that will pass SPF validation.

Skype’s End User License Agreement

I was looking at the End User License Agreement to which Skype wants people to assent. I noticed the following odd provision (Section 3.2.4): You hereby grant to Skype a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable and transferable licence to Use the Content in any media in connection with the Skype Software, the Products and the Skype Website.

OARC-40: Notes on the Recent DNS Operations, Analysis, and Research Centre Workshop

OARC held a 2-day meeting in February, with presentations on various DNS topics. Here are some observations I picked up from the presentations in that meeting... In a world where every DNS name is DNSSEC-signed, and every DNS client validates all received DNS responses, we wouldn't necessarily have the problem of DNS spoofing. Even if we concede that universal use of DNSSEC is a long time off ...

Ready or Not… Here Come the IRC-Controlled SIP/VoIP Attack Bots and Botnets!

A story... ZZZ Telemarketing (not a real name) is locked in a heated fight with their bitter rival, YYY Telemarketing (also not a real name), to win a very large lead generation contract with Customer X. Customer X has decided to run a test pitting the two companies against each other for a week to see who can generate the most leads. The ZZZ CEO has said to his staff that it is "do or die" for the company. If they fail to win the contract, they will have to shut down -- they need to do "whatever it takes" to win over YYY. A ZZZ staffer discovers that part of why YYY has consistently underbid them is because they are using SIP trunks to reduce their PSTN connection costs. But the staffer also discovers that YYY is using very cheap voice service providers who run over the public Internet with no security...

Ethiopia Shows That Congress Is Right to Be Worried About UN Control of the Internet

Today a key committee in the US Congress approved a resolution opposing United Nations "control over the Internet." While some in the Internet community have dismissed the bipartisan effort as mere political grandstanding, recent actions by some UN Member States show that lawmakers have good reason to be worried. Last month, UN voting member Ethiopia made it a crime -- punishable by 15 years in prison -- to make calls over the Internet.

How Registrants Can Reduce the Threat of Domain Hijacking

Because domain names represent the online identity of individuals, businesses and other organizations, companies and organizations large and small have expressed increasing concern over reports of "domain name hijacking," in which perpetrators fraudulently transfer domain names by password theft or social engineering. The impact of these attacks can be significant, as hijackers are typically able to gain complete control of a victim's domain name - often for a significant period of time.

91.3% of Malware Use DNS as a Key Capability

Nearly 92 percent of malware use DNS to gain command and control, exfiltrate data or redirect traffic, according to Cisco's 2016 Annual Security Report. It warns that DNS is often a security "blind spot" as security teams and DNS experts typically work in different IT groups within a company and don't interact frequently.

Why Does A Technical Manager Function As A Regulator?

Unlike ICANN, the National Telecommunications and Information Administration (NTIA) responded graciously, promptly and substantively to inquiries from the Center for Regulatory Effectiveness (CRE) regarding governance of the internet. CRE sent a letter to NTIA in mid-March asking about public access to documents prepared by ICANN under Memorandum of Understanding (MOU) with NTIA. NTIA provided a quick and clear response to CRE's questions. NTIA also reiterated its commitment to achieving transparency and accountability in ICANN's processes. NTIA's response to CRE, although clear and comprehensive, raised a number of important questions about ICANN and their governance of the internet.

I Got Fired

It's a story told a thousand times: founder of a company ousted by investors. It's a story so common you can find it any day of the week as a minor headline in a tech blog. Not much of a story at all really, until it happened to me. Minds + Machines, the company I founded in 2009, informed me last week that I was no longer wanted as CEO. Without going into details, which I can't, there were differences and disagreements. Still, it was a surprise. All the plans, the hopes -- pfhhht! into thin air. It sucked. Now what?

ICANN Board to Vote on Domain Tasting Measure

The ICANN Board will vote today on a new registry service put forward by PIR for .org which is its attempt to solve the domain tasting issue. It takes the form of an amendment [pdf] to the .org contract and enables PIR to charge five cents per domain "when the number of such deleted registrations is in excess of 90 per cent of the total number of initial registrations"...

ICANN and the Virtues of Deliberative Policymaking - Part I

In this two-part series article, Andrew McLaughlin takes a critical look at the recently reported study, Public Participation in ICANN, by John Palfrey, Clifford Chen, Sam Hwang, and Noah Eisenkraft at the Berkman Center for Internet & Society at Harvard Law School..."The study's presentation and analysis of data contain much of interest, and much that could assist ICANN (and other policy-making bodies) in improving its use and management of online public forums. But the study's value is diminished by two rather fundamental shortcomings: (1) its misapprehension of both the theory and the practice of ICANN's policy-development process, and (2) the sizeable gap between the broad scope of the study's conclusions and the very narrow -- indeed, myopic -- focus of the analysis from which they are derived. Simply put, the study scrutinizes a small and misleading corner of ICANN (namely, its online public comment forums) and leaps to a sweeping (and, in my view, unwarranted) conclusion."

Key Findings from the 2021 Domain Security Report

With cybercrime on the rise, companies in 2021 have experienced increased ransomware attacks, business email compromise (BEC), phishing attacks, supply chain attacks, and online brand and trademark abuse. While domain cyber risk is rising, the level of action being taken by Forbes Global 2000 companies to improve their domain security posture has remained unchanged, leaving these companies exposed to even more risk. The risk of not addressing your domain security can be catastrophic.

Only Structural Change Can Save the Mobile Industry

I regularly bring this issue forward, similar to the discussion in relation to the structural separation of the fixed networks, which I began just over a decade ago. What we are seeing in the mobile industry is an infrastructure and a spectrum crunch. The amount of spectrum needed to satisfy people's demand from mobile phones, tablets and soon a range of other smart devices is limitless. Mobile carriers are scrambling for spectrum...

Spamhaus Appeal: They Win on Substance

The Seventh Circuit has issued its opinion in the continuing saga of E360 Insight vs. the Spamhaus Project. While it is not a complete victory for Spamhaus, they did about as well as anyone could have hoped for under the circumstances. E360 won on the procedural issue, while Spamhaus won on the substance. The procedural issue was whether the default judgement against Spamhaus was properly granted last September. The court session was so odd that the appeals decision quotes several pages of the transcript.

IGP Asks You to Weigh in on the USG’s .xxx Intervention

Responding to the .xxx intervention by the US Commerce Department, the Internet Governance Project has produced a "STATEMENT OPPOSING POLITICAL INTERVENTION IN THE INTERNET'S CORE TECHNICAL ADMINISTRATIVE FUNCTIONS." You can view the statement here and add your name as a signatory at the bottom. Over 60 people have endorsed it. The Statement claims that "The NTIA's recent intervention in the .xxx proceeding undermines assurances" that the U.S. government's special unilateral authority over ICANN "would never be used to shape policy but was only a means of protecting the stability of the organization and its processes." The NTIA's open acknowledgment of the influence of religious groups made the intervention particularly dangerous.