Most Viewed

ICANN Uses For-Profit Companies as “Comparables” in Its Employee Compensation

According to page 123 of ICANN's annual report: "...Commitment to continued payment in the salary span of 50th to 75th percentile of for-profit market place of companies of a similar size and complexity to ICANN..." Note that the comparables have been "for-profit". This is obviously ridiculous, given the purported non-profit nature of ICANN, with its inherent job security...

Close to 735K Fraudulently Obtained IP Addresses Have Been Uncovered and Revoked, ARIN Reveals

The American Registry for Internet Numbers, Ltd. (ARIN) has won a legal case against an elaborate multi-year scheme to defraud the Internet community of approximately 735,000 IPv4 addresses, the organization has revealed. While the specifics of the findings are not released, John Curran, ARIN President and CEO, said the fraud was detected as a result of an internal due diligence process.

IPv6: Extinction, Evolution or Revolution?

For some years now the general uptake of IPv6 has appeared to be "just around the corner". Yet the Internet industry has so far failed to pick up and run with this message, and it continues to be strongly reluctant to make any substantial widespread commitment to deploy IPv6. Some carriers are now making some initial moves in terms of migrating their internet infrastructure over to a dual protocol network, but for many others it's a case of still watching and waiting for what they think is the optimum time to make a move. So when should we be deploying IPv6 services? At what point will the business case for IPv6 have a positive bottom line? It's a tough question to answer, and while advice of "sometime, probably sooner than later" is certainly not wrong, it's also entirely unhelpful as well!

Examining Two Well-Known Attacks on VoIP

VoIP is here to stay. In fact many incumbent telecommunication carriers have been offering VoIP service for some time and several new VoIP service providers have emerged. Aside from issues such as quality of service, the aspect of security, or lack thereof, is misunderstood by some of the VoIP service providers. The purpose of this article is to discuss two of the most well-known attacks that can be carried out in current VoIP deployments.

Adult-Related TLDs Considered Dangerous

In an RFC prepared by Donald E. Eastlake 3rd and Declan McCullagh, an analysis is offered for proposals to mandate the use of a special top level name or an IP address bit to flag "adult" or "unsafe" material or the like. This document explains why these ideas are ill considered from legal, philosophical, and technical points of view: "Besides technical impossibility, such a mandate would be an illegal forcing of speech in some jurisdictions, as well as cause severe linguistic problems for domain or other character string names."

Fake Bank Site, Fake Registrar

In our continuing review of Rogue Registrars we have stumbled upon a very elaborate fake banking site for "Swiss Bank" or "Bank of Switzerland". To the casual Internet consumer this site probably appears legitimate, but a number of clues tip off the fraud. Phishing sites are everywhere, so this does not immediately raise eyebrows until you review the Thick WHOIS record for the domain.

Summary Judgment Denied in a Case of Creative Typosquatting

In the case of Lands' End, Inc. v. Remy, the defendant website owners were accused of crafting a clever scheme to get some extra commissions from their affiliate relationship with landsend.com. It looks like the scheme has backfired, however, as Lands' End's claim against the defendants under the Anticybersquatting Consumer Protection Act, [15 U.S.C. §1125(d)] ("ACPA") has survived a summary judgment motion and the case is heading for trial.

New Top-Level Domains and Software Implications

Many software applications rely on validation routines to check the validity of domain names. By validation, I mean here to test the string submitted by the user and see if it matches a pre-defined pattern. A typical example is web forms that need to validate e-mail addresses. This is by no means a new issue. It first appeared with the introduction of the .info Top-Level Domain (TLD).

Google’s Top-10 Search Terms Dominated By Trademarks

According to Google's 2006 Year-End Review, dubbed Zeitgeist, or the cultural climate of an era, a majority of the top-ten search terms for 2006 were trademarks. Topping the list is the registered BEBO mark which is held by Bebo.com LLC, a California company that runs a social networking website. Second on the list was MYSPACE, the registered mark associated with Newscorp's $580 million social-networking giant. Next, as a result of a majority of the world catching soccer fever over the summer, "world cup" ranked as the third most searched term...

Bug Reveals the Snooper in VeriSign’s Site Finder

Here's another interesting angle on the Verisign Site Finder Web site. VeriSign has hired a company called Omniture to snoop on people who make domain name typos. I found this Omniture Web bug on a VeriSign Site Finder Web page...

IDN and Homographs Spoofing

There is a published spoofing attack using IDN homographs. By using a Cyrillic SMALL LETTER A (U+430), Secunia is able to pretend to be http://www.paypal.com/. Actually this is well-documented in RFC 3490 under the Security Consideration: "To help prevent confusion between characters that are visually similar, it is suggested that implementations provide visual indications where a domain name contains multiple scripts. Such mechanisms can also be used to show when a name contains a mixture of simplified and traditional Chinese characters, or to distinguish zero and one from O and l..."

Introductory Remarks from Innovation ‘08

Here are my opening remarks from Media Access Project's Innovation '08 in Santa Clara this morning. A DVD will be available shortly. This was a lively discussion, with Google and Vuze on the case. Good morning and welcome. My name is Richard Bennett and I'm a network engineer. I've built networking products for 30 years and contributed to a dozen networking standards, including Ethernet and Wi-Fi... I'm opposed to net neutrality regulations because they foreclose some engineering options that we're going to need for the Internet to become the one true general-purpose network that links all of us to each other, connects all our devices to all our information, and makes the world a better place. Let me explain.

Domain Name Registrar Allows Completely Blank WHOIS

In a very casual and low-key footnote over the weekend, ICANN announced it would be further bypassing the Affirmation of Commitments and ignoring the WHOIS Review Team Report. There will be no enhanced validation or verification of WHOIS because unidentified people citing unknown statistics have said it would be too expensive... As a topic which has burned untold hours of community debate and development, the vague minimalist statement dismisses every ounce of work put in by stakeholders.

DNSSEC: Once More, With Feeling!

After looking at the state of DNSSEC in some detail a little over a year ago in 2006, I've been intending to come back to DNSSEC to see if anything has changed, for better or worse, in the intervening period... To recap, DNSSEC is an approach to adding some "security" into the DNS. The underlying motivation here is that the DNS represents a rather obvious gaping hole in the overall security picture of the Internet, although it is by no means the only rather significant vulnerability in the entire system. One of the more effective methods of a covert attack in this space is to attack at the level of the DNS by inserting fake responses in place of the actual DNS response.

Non-Commercial Website Domain Names Using Trademarks

There are now several different courts of appeals that have upheld the right of individuals to post a non-commercial website using the domain name www.company.com, and there are as yet NO appellate decisions that forbid such websites outside the context of the serial cybersquatter who tries to erect a so-called gripe site as a CYA measure after being sued. In fact, it seems to me that we are getting close to the point where companies that sue over such websites have to consider seriously the possibility that they will not only lose the suit, but face a malicious prosecution action...