I don't normally cheer for Google when I don't own shares in the company, but this time I will make an exception. Alma Whitten, Software Engineer at Google, today posted to their Public Policy Blog that IP addresses shouldn't be considered Personally Identifiable Information (PII). This is not a problem in the United States but it is in the EU, and if the EU actually were to legislate this it would most definitely affect Microsoft and Google's business functionality in the EU... more
Last week Sen. Snowe filed bill S.2661, the Anti-Phishing Consumer Protection Act of 2008, or APCPA. While its goals are laudable, I have my doubts about some of the details. The first substantive section of the bill, Section 3, makes various phishy activities more illegal than they are now in its first two subsections. It makes it specifically illegal to solicit identifying information from a computer under false pretenses, and to use a domain name that is deceptively similar to someone else's brand or name on the web in e-mail or IM to mislead people... more
In the news lately have been a number of incidents where U.S. courts, or the U.S. government itself has ordered domain registrars to shut down free speech. First was the E360 vs Spamhaus case, in which accused spammer E360 Insight sued anti-spam organization Spamhaus for labeling them as spammers and won by default when Spamhaus insisted that U.S. courts did not have jurisdiction over them in England and didn't appear. Unfortunately, U.S. courts did have jurisdiction over Spamhaus' domain registrar, who was nearly ordered to shut Spamhaus down (a court order was under consideration). Fortunately, Spamhaus was able to move their registration overseas before any shutdown order could be issued... more
The Comcast traffic shaping case has stirred up passionate debate. Net neutrality proponents are calling for Comcast's head on a platter. The common argument is that Comcast's policy may stifle innovation and competition. If a service provider is allowed to exercise unregulated discretion in how it treats subscriber traffic, it is a slippery slope toward anti-competitive practices. Net neutrality says keep your hands off. Some are preaching net neutrality as if it were an inalienable human right like freedom of speech... more
With IPv4 addresses becoming scarcer, there has been talk that a trading market will develop. The idea is that those holding addresses they do not really need will sell them for a profit. More alarming is that there have been a few articles about how the Regional Internet Registries (RIR) are contemplating creating such a market so that they can regulate it, conceding that it will happen anyway and taking the "if you can't be 'em, join 'em" attitude. This is all a bit disturbing. Maybe I'm naïve, but it's a little unclear to me how an unsanctioned trading market could really operate without the RIRs at least being aware... more
A couple of weeks ago, I read an article on Yahoo that some outfit in Russia claimed to have broken Yahoo's CAPTCHA for creation of new email accounts. Another blogger wrote that it was unlikely that the spamming outfit had achieved 100% success at breaking the CAPTCHA. Yet, in the past couple of weeks, I have noticed something that would seem to confirm the theory... more
Last Friday, Microsoft made an unsolicited offer to buy Yahoo for $31 per share, representing over a 50% premium from Yahoo's then-share price. As an employee working for Microsoft in Exchange Hosted Services (i.e. spam filtering), I'd like to comment on this buyout offer. Leaving aside the question of whether or not this is a good deal for shareholders and what Microsoft's true motivations are for buying Yahoo (namely, to become the number 2 player in the search market), I'd like to look at it from an anti-spam point of view. more
The ITU-T has proposed a new system of country-based IP address allocations which aims to satisfy a natural demand for self-determination by countries; however, the proposal also stands to realign the Internet's frontiers onto national boundaries, with consequences which are explored here. ...we do indeed see the Internet as a single entity, and we even speak of the Internet's architecture as if there was one designer who laid out a plan and supervised its construction. But despite all appearances, the Internet landscape is indeed made up of many separate networks... This article will explore these issues, particularly in light of recent proposals to introduce new mechanisms for IP address management, a prospect which could, over time, substantially alter both the geography of the Internet, and its essential characteristics as a single cohesive network. more
For those not familiar with RBL, the term means Real-time Blackhole List, it is mainly used for SPAM fighting. I have recently started playing around with Google as an RBL engine, the idea is that if the search term I use hits too many hits it is likely to be SPAM. The danger of course is that the term could be simply popular -- but the trick here is that I'm using something very special as the search term -- the IP address of the poster. more
The Internet Governance Forum (IGF) is an annual UN conference on Internet governance which was held this year in Rio de Janeiro, Brazil. The topics discussed range from human rights online to providing Internet access in developing countries. A somewhat secondary topic of conversation is Internet security and cyber-crime mostly limited to policy and legislative efforts. Techies and Internet security industry don't have much to do there, but I have a few updates for us from the conference. more
I'd like to continue on in my review of the book Spam Kings (read part 1) and make some more comments, particularly regarding the antispammers. One thing that I really liked about the book is learning the history of some of the spam tools. I was never a participant on NANAE (news.admin.net-abuse.email; a USENET newsgroup which discusses e-mail spamming), that was before my antispam time. But I was intrigued by its history. People would gather together and discuss spammers and tools for stopping them, and sometimes spammers would stop by and the flame wars would ensue. more
Or, to be more precise, it sure looks like they do. I wrote on another post on a publicly available spam tool, and I mentioned that I came across a page that allowed people to verify whether or not an email address is actually live. The question naturally arises: do spammers clean up their email contact lists based upon whether or not the address is legitimate? Spammers would have an incentive to do this... Do we actually observe spammers changing their sending patterns? I believe that we have evidence that they do. more
This is an issue of some concern and should be watched carefully: phishers are now trying to get passwords of domain registrants (domain owners). Currently, correspondents inform me that GoDaddy is the target, but there's no reason to think the phishers won't expand to other registrars. Normally, phishers go after bank accounts or other financial information, or sometimes the online accounts of users so that they may send spam. It's not known precisely why phishers are after domain registration information, but the possibilities are chilling... more
There are many network operator group meetings being held these days. Even in the backwater of the South Pacific where I live there is now AUSNOG, and NZNOG is just next door in New Zealand. We now have MENOG in the Middle East and AFNOG in Africa. The original NOG was the North American Network Operators Group (NANOG), and they have the T-Shirts to prove it! NANOG meets three times a year, and I attended NANOG 41 in October 2007. NANOG meetings cover a broad variety of topics, from operational tools, measurement, and peering practices through to a commentary on the state of the Internet industry. Here are my impressions of the meeting. more
There is currently a discussion going on between Milton Mueller and Patrik Fältström over the deployment of DNSSEC on the root servers. I think the discussion exemplifies the difficult relation between those who develop standards and those who use them. On the one hand, Milton points out that the way the signing of the root zone will be done will have a great influence on the subjective trust people and nation states will have towards the system. On the other hand, Patrik states that "DNSSEC is just digital signatures on records in this database". Both are right, of course, but they do not speak the same language... more