Most Viewed

Software Insecurity: The Problem with the White House Cybersecurity Proposals

The White House has announced a new proposal to fix cybersecurity. Unfortunately, the positive effects will be minor at best; the real issue is not addressed. This is a serious missed opportunity by the Obama administration; it will expend a lot of political capital, to no real effect... The proposals focus on two things: improvements to the Computer Fraud and Abuse Act and provisions intended to encourage information sharing. At most, these will help at the margins; they'll do little to fix the underlying problems.

DNSSEC and DNS over TLS

The APNIC Blog has recently published a very interesting article by Willem Toorop of NLnet Labs on the relationship between Security Extensions for the DNS (DNSSEC) and DNS over Transport Layer Security. Willem is probably being deliberately provocative in claiming that "DoT could realistically become a viable replacement for DNSSEC." If provoking a reaction was indeed Willem's intention, then he has succeeded for me, as it has prompted this reaction.

Domain Name Registries Must Do More to Protect Highly-Trafficked Domains

With the recent attacks against high-profile New Zealand domain names including Coca-Cola.co.nz and F-Secure.co.nz, fingers are naturally pointing to Domainz, the registrar of record for these domains, as the party responsible for this lapse in security. While domain name registrars certainly need to ensure the security and stability of their systems, domain name registries must also step up and take responsibility for mitigating risks posed by hackers...

Will the Cloud Kill Telecom Vendors?

There are many big questions in telecom these days, and this is one that's on my mind right now. Over the past few months, I've participated in events or briefed with leading vendors in our space, namely Avaya, ShoreTel, BroadSoft, Aastra, Metaswitch, Mitel, Interactive Intelligence, and this week Cisco. Every analyst has their own core circle of vendors they stay close to, but I'd say that's a pretty fair representation of who's driving telecom. To varying degrees, all of these vendors have a cloud story, and the more I hear it, the more I start to wonder what it really means.

European Privacy Authorities Object to ICANN Whois Proposals

In response to a letter from ICANN's Noncommercial Users Constituency (NCUC) to data protection authorities concerning overreaching requests of law enforcement agencies in ICANN's ongoing Registrar Accreditation Agreement negotiations, the Article 29 Data Protection Working Party has written the ICANN Board.

Building a Strong, Sustainable Domain Name Industry - With Integrity

This week, I had the privilege of presenting at NamesCon on behalf of the Domain Name Association (DNA) -- in my position as Chair of the Board -- to provide an update on our activities and an assessment of our progress as an industry in light of the goals of the DNA. In summary, there is still a long way to go with many challenges to address. Despite this, there is much to be excited about and incredible opportunity for our combined success. Included here is a transcript of my speech. I welcome feedback and comments.

DNSSEC is But One Link in the Security Chain

As the implementation of DNSSEC continues to gather momentum and with a number of ccTLDs, and the '.org' gTLD having deployed it into their production systems, I think it is worth pausing to take a look at the entire DNSSEC situation. Whilst it is absolutely clear that DNSSEC is a significant step forward in terms of securing the DNS, it is but one link in the security chain and is therefore not, in itself, a comprehensive solution to fully securing the DNS system.

97% of All Global 2000 Companies at Risk from SAD DNS Attack

There is a new threat in town known as "SAD DNS" that allows attackers to redirect traffic, putting companies at risk of phishing, data breach, reputation damage, and revenue loss. What is SAD DNS? No, it isn't the domain name system (DNS) feeling moody, but an acronym for a new-found threat -- "Side-channel AttackeD DNS" discovered by researchers that could revive DNS cache poisoning attacks.

Country and Regional TLDs Are Vital in Supporting Online Linguistic Diversity, Study Finds

A study conducted by the Oxford Information Labs in collaboration with the Council of European National Top-Level Domain Registries (CENTR) finds that the role of country and regional TLDs is imperative in supporting global online linguistic diversity.

Just Say No, to Your ISP Subverting Your DNS Queries

Over the past few weeks I have been seeing reports that some ISPs are actually subverting DNS queries to their own DNS server. Oh the humanity! What this means is that when you (your computer) do a UDP or TCP Port 53 DNS query, the ISP is intercepting that and directing it to their own servers. Has anyone been told by their ISP that they are doing this? No? I didn't think so...

Amazon, Google, And The Prospect of Closed gTLDs - Don’t Believe the Hype

There have been a lot of complaints leveled at companies like Amazon and Google who have applied to register a number of new gTLDs. The criticism is that the public will not benefit from having Amazon own .book, .store, .you, and .grocery if they only use it for their own purposes and don't open them up to sell domains to the broader public, and that allowing these companies to own generic registries will hurt their competitors in that space. Although these arguments are not without merit, there are also positive aspects to having established companies own gTLDs.

Finland Legislates Universal Broadband

Finland's national broadband strategy (NBS) was set up in 2004 by the Ministry of Transport and Communications with the practical goal of increasing the number of broadband connections. The strategy, part guided by the EU's i2010 'Broadband for all by 2010' plan which focuses on rolling out broadband through a range of measures while promoting competition in and between networks, included an implementation program of 50 separate measures. Broadband access in sparsely populated and rural areas was to be supported by structural funds from the EU and central government.

CALEA Roundup: 2005-2007

The wrangling around the Communications Assistance to Law Enforcement Act (CALEA) is one of those issues that creeps inexorably forward and is hard to follow unless you're really focusing. So here is a quick, if longish, overview: CALEA is a 1994 statute that requires telephone companies to design their services so that they are easily tappable by law enforcement in need of "call-identifying information." Back in August 2005, following a request from the Dept. of Justice, the Commission moved swiftly to impose CALEA obligations on providers of broadband access services and "interconnected VoIP" services...

How to Save the “Past” in the “Future of the Internet”: Principles, Procedures and Problems of the Washington Declaration

On April 28, 2022, a "Declaration on the Future of the Internet," initiated by the U.S. government, was signed by 60 governments at the White House in Washington, D.C. According to Jack Sullivan, National Security Advisor to U.S. President Joe Biden, the Declaration is intended to serve as a reference document for future international negotiations on Internet-related issues. Is there a reason why the U.S. government is launching an initiative on the "Future of the Internet" at this point in time?

Why We’ll Never Replace SMTP

An acquaintance asked whether there's been any progress in the oft-rumored project to come up with a more secure replacement for SMTP. Answer: No. Truly, spam isn't a technical problem, it's a social one. If we could figure out some way to make mail recipient networks and hosts willing to shun known bad actors, even at the cost of losing some real mail for a while until the bad actors cave, it would make vastly more difference than any possible technical changes.