
July 03, 2009

Native, Aboriginal & Indigenous ... and resolved!

I'm going to switch over nai.nic-naa.net from WordPress to Drupal+CiviCRM. I've started a Facebook group -- Friends of NAI in the IANA root.

It's going to be fun, that's it, fun.

June 25, 2009

Iran and the reachability question

James Cowie's The Proxy Fight for Iranian Democracy at the always readable Renesys blog is quite interesting, as is Craig Labovitz's A Deeper Look at The Iranian Firewall at the Arbor Networks security blog.

June 16, 2009

Easy reading while flying coach from Ithaca to Sydney

Synopsis of each:

Amended Guidebook Sections and Explanatory Memoranda

According to ICANN, many changes to the Draft Applicant Guidebook have been made as a result of the comments received to date. While revisions include amendments to the handling of geographical names, evaluation questions, comparative evaluation scoring, dispute resolution procedures and other registry agreement provisions, the requirement for Thick Whois appears to be the most notable. The public comment period for the guidebook excerpts will last from May 31, 2009 to July 20, 2009. The comments received together with the outcomes of the discussions relating to the overarching issues will constitute the basis for the third version of the guidebook that will be published at the end of the third quarter 2009.

Analysis of Public Comment to Applicant Guidebook version 2

In response to the more than 200 comments received covering the second version of the Applicant Guidebook for new generic top-level domains, ICANN has published a comprehensive report. The report provides an analysis of the comments received and is broken into the following sections: General Concerns, Trademark Protections, TLD Demand and Economic Analysis, Potential for Malicious Conduct, Root Zone Scaling, Evaluation, Financial Considerations, Objection Process, Registry Agreement, String Contention, IDN and Respondents.

Final Report on Trademark Protections in New gTLDs

The Implementation Recommendation Team (IRT) posted its final report which identified the following proposed solutions: IP Clearinghouse, Globally Protected Marks List and associated Rights Protection Mechanisms, and standardized pre-launch rights protection mechanisms; Uniform Rapid Suspension System; Post delegation dispute resolution mechanisms; Whois requirements for new TLDs; and Use of algorithm in string confusion review during initial evaluation. A public comment period covering the final report will last from May 29, 2009 to June 29, 2009.

Draft Implementation Plan for the IDN ccTLD Fast Track Process

ICANN has released a revised Draft Implementation Plan for the IDN ccTLD Fast Track Process in an effort to elicit further community feedback both during and after the ICANN meeting in Sydney, Australia. A public comment period will last from May 31, 2009 to July 15, 2009. Comments received will be used to revise this implementation plan in preparation of a final version prior to ICANN's meeting in Seoul, 26-30 October 2009.

New Registrar Contract

The new Registrar Contract consists of 17 amendments to the Registrar Accreditation Agreement (RAA). The amendments significantly increase the protections in place for domain registrants and the changes include: enhanced enforcement tools to assure full compliance with the ICANN contract and policies, expanded requirements for reseller agreements, additional audit and data escrow requirements, more explicit requirements for providing contact information, and new notice requirements and termination provisions. All new registrars will be required to sign the new agreement, as will any existing registrars that renew their accreditation.

Root Server System Root Scaling Study

A study to determine the potential impact on the operation of the root server system of adding IPv6 address records, IDN top level names, other new TLDs, and new records to support DNS security to the root zone has been commissioned and will be completed by the end of August 2009.

The goal of the study is to construct a model of the root server system (including all of its provisioning and query components) that shows how the different parts are related, and how changing something in one part affects each of the other parts. A public comment period covering this study will last from May 28, 2009 to July 31, 2009.

June 15, 2009

Twitter goes ... down by design ... almost

Apropos of what is going on in Iran, Twitter amazingly announced that it would take Twitter out for 90 minutes at 9am in Tehran.


Maintenance window tonight, 9:45p Pacific

We will have 90 minutes of maintenance starting tonight at 9:45p Pacific. Critical network upgrades will be performed during this time.

Update (2:03p): Unfortunately the timing of this maintenance period is not within our control as our provider needs to perform these network upgrades. We apologize for the outage and hope to be back from the maintenance as quickly as our host can perform the work.

Update (4:24p): Downtime has been rescheduled for 2p Pacific tomorrow, June 16th. Please read more on our blog.


The follow-up is this:

Down Time Rescheduled

A critical network upgrade must be performed to ensure continued operation of Twitter. In coordination with Twitter, our network host had planned this upgrade for tonight. However, our network partners at NTT America recognize the role Twitter is currently playing as an important communication tool in Iran. Tonight's planned maintenance has been rescheduled to tomorrow between 2-3p PST (1:30a in Iran).

Our partners are taking a huge risk not just for Twitter but also the other services they support worldwide—we commend them for being flexible in what is essentially an inflexible situation. We chose NTT America Enterprise Hosting Services early last year specifically because of their impeccable history of reliability and global perspective. Today's decision and actions continue to prove why NTT America is such a powerful partner for Twitter.


Now the amazing bit is this ... why isn't Twitter multi-homed, and what kind of "network upgrade" brings down their entire network? Everything they have is in the NTT cloud, and NTT is a competent network operator, so ... where in the original business plan did it say "when we get here we shut down completely, utterly, globally for at least 90 minutes"?

June 09, 2009

Technical Cyber Security Alert TA09-160A

For those of you using a Microsoft Licensed Product.




National Cyber Alert System

Technical Cyber Security Alert TA09-160A


Microsoft Updates for Multiple Vulnerabilities

Original release date: June 09, 2009
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows
* Microsoft Office
* Microsoft Internet Explorer


Overview

Microsoft has released updates that address vulnerabilities in
Microsoft Windows, Office, and Internet Explorer.


I. Description

As part of the Microsoft Security Bulletin Summary for June 2009,
Microsoft released updates to address vulnerabilities that affect
Microsoft Windows, Office, and Internet Explorer.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code,
gain elevated privileges, or cause a vulnerable application to
crash.


III. Solution

Microsoft has provided updates for these vulnerabilities in the
Microsoft Security Bulletin Summary for June 2009. The security
bulletin describes any known issues related to the updates.
Administrators are encouraged to note these issues and test for any
potentially adverse effects. Administrators should consider using
an automated update distribution system such as Windows Server
Update Services (WSUS).


IV. References

* Microsoft Security Bulletin Summary for June 2009 -

* Microsoft Windows Server Update Services -

* US-CERT Vulnerability Notes for Microsoft June 2009 updates -

____________________________________________________________________

The most recent version of this document can be found at:


____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA09-160A Feedback VU#983731" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit .
____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:


____________________________________________________________________

Revision History

June 09, 2009: Initial release



May 29, 2009

Today's Cyber Security Announcement

The 60-day review that Melissa Hathaway completed on April 17th contained a recommendation for a cross-agency oversight of network and host security. Today President Obama announced that he's going to accept her recommendation and "appoint an adviser to oversee the security of government and business computer networks in response to widespread attacks and information theft."

C-SPAN coverage is here: http://cspan.org/Watch/Media/2009/05/29/HP/R/19192/Pres+Obama+announces+cyber+security+policy.aspx

Since Ira Magaziner shorted the first Clinton administration on public policy in the post-ARPA network, there's been nothing, so this is a significant speech. Still, he didn't say "reports to me" or other indicia that the appointee will start with real responsibility and authority, or just muddle along his or her way via jaw power.

may i share your process address space? i'm benign, honest!

Someone on a list wrote this morning that:


Barack Obama mentioned Conficker by name in his cyber czar remarks today.

In a series of notes I've written in the past few days on a list I concluded earlier this morning that

on bad days i think the credit card model is past its sell-by date, and that it is now standard art to use domains, like compromised addresses and the attached nodes, as infinite sources of zero cost to replace transient assets for system designers.

I write a lot more than that actually, but like this blog, it is more for personal reasons than anything else.

May 26, 2009

Broadband adoption in the OECD states


From something I'm writing at the moment (actually slaving away over several, progressively less opaque, drafts of since the middle of last week):


...
The interesting question is how this will happen, and who will benefit.

Video cable operators, latecomers to the residential loop IP address provisioning industry, were able to use DHCP to enter the access network market and compete with the generally lower DSL prices.

The transformation of address blocks from sources of addresses allocated by Carriers to their POP constellations across LATA boundaries, globally unique but with no persistent association to individual computers across dial-up sessions, to sources of addresses persistently allocated by subscriber loop and CATV plant operators, only locally unique and with persistent association to individual computers has been a fundamental change.

Comcast, Time Warner Cable, Cox, Cablevision, Charter, Bright House, Qwest, AT&T and Verizon all compete on pricing, bundling and marketing strategies, and persistence and locality models drive consumer and geographic profiling across all of their broadband service areas.

Cable operators offer broadband service tiers priced in the range of $40 to $45 per month, and standard cable modem speeds have climbed from an average high of three Mbps in 2004 to 10-15 Mbps, and in some markets as much as 30 Mbps.

Verizon offers FiOS Internet and TV services and similar services1 are offered by AT&T and Qwest, augmenting their 256Kbps xDSL services market priced in the range $30 to $35 per month. DHCP has made residential broadband possible, for both CATV and DSL technologies.

The fundamental technical and policy issue is that the DNS is about to become an application with local semantics, a residential application, and coincidentally share a significant property of the DHCP model --- the locality and persistence of address mappings. This yields an important policy tool to the urban registry operator.
...


I probably shouldn't explicitly point out that the Mayor of Gotham has the same keys that the Mayor of Beijing has, but the United States District Court for the Southern District of New York has a certain reputation as the place where white collar criminal law is made, and what better describes some "Internet business models" than white collar crime?

1Bundled voice, data, and video, aka "Triple Play", or if you prefer "Triple Pay".

May 21, 2009

What are the symptoms of urban readiness to ... carpe netum?

So there are the top 25 Metropolitan Statistical Areas (MSAs), and I'm spending today, today -1, today -2, ... and likely today +1 and today +2, ... finishing off a response to a "request for information" to any random registry, registrar, or the growth industry of "gTLD domain consultants" (the predicted pyramid ponzi scheme as people who came to the ICANN zoo with less than enough pocket depth to last out the last five years of winter, and looking now at starvation spring, having eaten their seed corn) that the largest entity within the largest MSA published for a ".NYC" ...

But what makes one MSA more likely to adopt a program to develop a TLD? To choose to find an alternative to .COM and its clones, or the local ccTLD1? Is it a muni wifi? Is it the literacy rate? What are the meaningful criteria to distinguish between Riverside–San Bernardino–Ontario, ranked 14th, and Seattle–Tacoma–Bellevue, ranked 15th?

What does it take to seize the net? A permission slip from Adelphia or Comcast or Time-Warner? A note from an open-government-is-a-joke doctor of public policy? Enough quarters to feed the Internet Advertising Board's pervasive cookies and coke vending machine?

If you think you know the heading of a column in a spreadsheet for deciding the netability of a city, dork on the comment link and type, please.

1For these 25 urban areas, the local ccTLD operator is unfortunately the company for which I wrote the winning application back in 2001. The operator prefers a .COM clone in its properties-under-management because if it makes the .COM rich, it must be the best idea in town.

May 15, 2009

Google is just an app, it's not (really) infrastructure

Craig Labovitz at Arbor Networks posted this. 5% of the North American traffic went away for a couple of hours yesterday, the outages list exploded, mostly with junk content.

April 18, 2009

I've never heard of this guy ... so what was that "Obama CTO" thang about anyway?

Aneesh P. Chopra. Little "formal IT training" is how DotGov Spotlight has it. When I think of the people who wanted the job I just laugh. He might as well have appointed a stamp collector as SecState.

Hey, 150 for-profit hospitals pooling revenue analytics via a "business intelligence platform" sounds like behavioral targeting, a la CMGI or DoubleClick or ... . That and having no visible wins out of 18 starts burning eight figures in seed capital as a VC during the last years of the second Clinton administration and the first year of the Bush/Cheney Regime. Huzzah!!!

I'm underwhelmed. We could have had a serious person.

April 09, 2009

snip! snip!

In case you missed the packets, cuts proximal to 37°29'44.00"N 122°14'44.31"W and 37°15'20.79"N 121°48'9.38"W have had a significant effect on North American Network Operations.

Of course, if you don't use, and the services you do use don't use, primitives which have a dependency upon routing to the area bounded below by South San Jose and above by Redwood City, that is, "Silicon Valley", then you may not have been affected.

I was, and I'm at Cape San Blas, Florida, and I bounce my packets directly off a satellite to Reston, Virginia, and then mostly to Maine and Europe, but ... I do touch several tarbabies along the way up and down the link-to-session stack.

A few days after the Atta Gang completed their mission, and we both realized MB'd actually seen Atta plus 2 on T minus one, that is, one dangling thread, MB and I had dinner in a quiet place. I explained how I thought Chellie should (then) run against Susan, on defense, "in depth". Spending money on domestic hospital beds, on domestic routers and links. It didn't happen, Chellie lost to Susan, and here we are, six years later, and Tom's lost to Susan too.

This dropped in:


Activity Type Code Desc: PROGRESS COMMENTS
Activity Type Code: PROG

OTDR readings were taken by AT&T West and a cut was located 1600 ft from
the San Jose, CA central office. AT&T West technicians are onsite
working to isolate the exact location of the cut. There are 4 cables
impacted. AT&T Mobility has 61 GSM and 45 co-located UMTS sites out of
service off of Santa Clara Base Station Controllers 15 & 23, and Santa
Clara Radio Network Controller 4. E911 has 52 Location Measuring Units
down. The AT&T West Santa Cruz 11 central office (41,803 ATNs) is
experiencing an SS7 isolation and the San Martin central office (11,904
ATNs) lost its umbilical and is isolated at this time. The Bailey
remote site (4,973 ATNs) is also isolated. Scott's Valley has 3 out of 4
SS7 links down. The Santa Cruz 01, Aptos, Scott's Valley, Felton,
Boulder Creek, Ben Lomand, San Jose 11, San Jose 13, San Jose 21 central
offices have trunks impacted such that all lines are busy and incoming
calls are receiving trouble messages. The Santa Cruz County SO (178,040
ATNs), Scott's Valley PD (12,007 ATNs) and the UC Santa Cruz PD (14,909
ATNs) are all without ALI at this time. The Gilroy PD PSAP and the
Morgan Hill PD and CDF have been rerouted with ALI/ANI. The Felton CDF
has not been rerouted. There are 17 DSLAMS and 4 ATMS out of service
impacting DSL service. There are 3 SMDI Links down impacting voicemail
service. Verizon's Morgan Hill and Gilroy central offices are currently
isolated. There have been 224,865 blocked calls.

Someone I don't know wrote on the operator's list:

That AT&T has stopped provisioning protection fiber for automatic restoral is mind boggling.

That our crack (or on crack) govt contracting/emergency-preparedness staff didn't demand protected facilities for 911 is another mind boggling issue.

That there is no over-under wide-area back-up coverage for the cellular canopy ...

We posture and orate about being prepared for terrorist attacks and natural disasters, and then events like these reveal the reality:

The emperor has no clothes.


We don't yet know if it was a CWA member making a statement, or a monkey-wrencher, or ... but it is self-evident that there are far too many single points of failure in the twisted guts of the innertubes.

Update: AT&T is offering six figures for information leading to the conviction of ... which of course could just be contract negotiation tactics on T's side.

April 05, 2009

S.773 and S.778

S.773
Title: A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.
Sponsor: Sen Rockefeller, John D., IV [WV] (introduced 4/1/2009)
Cosponsors (3)
Latest Major Action: 4/1/2009 Referred to Senate committee. Status: Read twice and referred to the Committee on Commerce, Science, and Transportation.

Of some professional interest is the following:

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS.

(a) IN GENERAL. - Within 1 year after the date of enactment of this Act, the
Secretary of Commerce shall develop or coordinate and integrate a national
licensing, certification, and periodic recertification program for
cybersecurity professionals.

(b) MANDATORY LICENSING. - Beginning 3 years after the date of enactment of
this Act, it shall be unlawful for any individual to engage in business in the
United States, or to be employed in the United States, as a provider of
cybersecurity services to any Federal agency or an information system or
network designated by the President, or the President's designee, as a critical
infrastructure information system or network, who is not licensed and certified
under the program.


Note that thus far, the Administration's political appointees at the Deputy-and-above level in Commerce come from the spectrum side of the house, and are network-unaware, and, while DNSSEC is a good thing, only three ccTLD operators -- Sweden, the Czech Republic, Brazil -- and CORE's .museum had operationalized DNSSEC prior to ... oh, about five weeks ago. There's a lot of learning curve we've not yet covered, and I'm wearing a DNSSEC-CABAL hat, and yeah, I'll have to be certified or move out of paid DNS operations, or at least, out of the US. Only today we had a failure of the ISC DLV which caused DNSSEC validation to fail, and the cause and procedural change is not yet known.

Here's the current public key for .gov:

gov. 257 3 7 "AwEAAZ1OCt7zZxeaROvz XNCNlqQWIi++p5ABXSox qJ65WQko6xrI9RImK7IB T5roFhXjBDGJ8ld9CYIE N94kK83K/QwUGCJ+v3vI QFi09IqsPeRdHTQyghWW bhzAZpnlZ16imXB4yFZj dbV2iM66KcgsESQMPEcI ayDQJh6JEi1wmslrYvRR J6YPOWrlLD0RmdtCaRuz lUE0RiWSem/i8vDFdmsS wChRMcORklKqjqt1+RBI iEFJGKIz7lGc9DXRwkBf b+halii+jrELiZAPzfO7 rf08l3QlgHEuxclTTdEa xctPd2O2U/Hl9tRgkxRL /Zv1i0sEx2mOJGcUCeVm 4Hf2aM8=";
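As an added example, not code from the post, the following Python parses the .gov DNSKEY quoted above exactly as written (quoted, base64 in space-separated chunks), decodes its flags (257 = ZONE + SEP, i.e. a key-signing key), recovers the RSA exponent and modulus size, computes the RFC 4034 key tag, and derives the SHA-256 DS digest a parent would publish for it. The constant, function and field names are mine, and the short records in the test are constructed inputs.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# Added example, not code from the blog post: parse the .gov DNSKEY quoted in
# the post and derive the values an operator checks when a TLD gets signed.
# The record exactly as quoted in the post (an April 2009 snapshot).
GOV_DNSKEY_2009 = (
    'gov. 257 3 7 "AwEAAZ1OCt7zZxeaROvz XNCNlqQWIi++p5ABXSox '
    'qJ65WQko6xrI9RImK7IB T5roFhXjBDGJ8ld9CYIE N94kK83K/QwUGCJ+v3vI '
    'QFi09IqsPeRdHTQyghWW bhzAZpnlZ16imXB4yFZj dbV2iM66KcgsESQMPEcI '
    'ayDQJh6JEi1wmslrYvRR J6YPOWrlLD0RmdtCaRuz lUE0RiWSem/i8vDFdmsS '
    'wChRMcORklKqjqt1+RBI iEFJGKIz7lGc9DXRwkBf b+halii+jrELiZAPzfO7 '
    'rf08l3QlgHEuxclTTdEa xctPd2O2U/Hl9tRgkxRL /Zv1i0sEx2mOJGcUCeVm '
    '4Hf2aM8=";'
)

# DNSSEC algorithm numbers from the IANA registry (subset).
ALGORITHM_NAMES = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519",
}
FLAG_ZONE = 0x0100  # bit 7: the key signs zone data
FLAG_SEP = 0x0001   # bit 15: Secure Entry Point, the key a parent's DS points at


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        # wire-format RDATA: flags(2) protocol(1) algorithm(1) public key
        return struct.pack(">HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    @property
    def is_ksk(self) -> bool:
        # 257 = ZONE + SEP, the conventional flags of a key-signing key
        return bool(self.flags & FLAG_ZONE) and bool(self.flags & FLAG_SEP)

    @property
    def algorithm_name(self) -> str:
        return ALGORITHM_NAMES.get(self.algorithm, f"UNKNOWN({self.algorithm})")

    @property
    def key_tag(self) -> int:
        return key_tag(self.rdata)


def parse_dnskey(text: str) -> DNSKEY:
    """Parse presentation-format DNSKEY, with or without TTL/class/type fields.
    The base64 may be quoted and split into whitespace-separated chunks."""
    tokens = text.replace('"', " ").replace(";", " ").split()
    i = tokens.index("DNSKEY") + 1 if "DNSKEY" in tokens else 1
    flags, protocol, algorithm = (int(t) for t in tokens[i:i + 3])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    public_key = base64.b64decode("".join(tokens[i + 3:]), validate=True)
    return DNSKEY(tokens[0], flags, protocol, algorithm, public_key)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except 1/RSAMD5)."""
    ac = 0
    for idx, byte in enumerate(rdata):
        ac += byte if idx & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_public_params(public_key: bytes) -> tuple:
    """Split an RFC 3110 RSA public key field into (exponent, modulus)."""
    if public_key[0] != 0:
        exp_len, off = public_key[0], 1
    else:  # long form: a zero byte, then a 2-byte exponent length
        exp_len, off = struct.unpack(">H", public_key[1:3])[0], 3
    exponent = int.from_bytes(public_key[off:off + exp_len], "big")
    modulus = int.from_bytes(public_key[off + exp_len:], "big")
    return exponent, modulus


def owner_wire(name: str) -> bytes:
    """Canonical (lower-cased, uncompressed) wire form of an owner name."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(key: DNSKEY, hash_name: str = "sha256") -> str:
    """Digest field of the DS record a parent publishes for this key (RFC 4509)."""
    return hashlib.new(hash_name, owner_wire(key.owner) + key.rdata).hexdigest()


if __name__ == "__main__":
    key = parse_dnskey(GOV_DNSKEY_2009)
    print(key.owner, key.flags, key.is_ksk, key.algorithm_name, key.key_tag)
    print(f"{key.owner} IN DS {key.key_tag} {key.algorithm} 2 {ds_digest(key)}")
```

The key tag is what a DS record and an RRSIG reference, so a mismatch between the tag computed here and the one in the parent's DS is the first thing to check when validation fails.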

S.778
Title: A bill to establish, within the Executive Office of the President, the Office of National Cybersecurity Advisor.
Sponsor: Sen Rockefeller, John D., IV [WV] (introduced 4/1/2009)
Cosponsors (3)
Latest Major Action: 4/1/2009 Referred to Senate committee. Status: Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

This is probably the job a Republican friend of mine is angling for, not that his politics matter much to the mission ... but perhaps politics matters more to "security" than meets the eye. Is Microsoft's monopoly litigation and settlement history relevant to host system monoculture, in the governmental as well as the business and residential computing markets? Are race-to-the-bottom network management operational practices fundamental to the lack of admission control policies on access networks? If "network" is defined to exclude the demographic unwilling or unable to expend $600/year for residential broadband (dsl or cable), and rural demographic, are the security properties of a video delivery system "national"?

Obviously I've thought too much about this.

April 04, 2009

All Your Systems R Compromised

On March 29th, just five days ago, the Cobell legal team obtained a report written in May 2008 by Inspector General Earl E. Devaney and finalized on the eve of the June 2008 trial. The report is here.

I'll write follow-ups when I'm not behind on work, paid and volunteer. The category will be "behind the cshell curtain", as it's technical, rather than one of our Indian or DOI/DOJ corruption categories.

That a packet capture of egress traffic (from the DOI border router) showed SSNs in plain text is pretty good for an attorney trying to bring the existence of, and the concealment of, the IG's report to the attention of the court, as evidence in support of the plaintiff's specific claims as to the integrity of the DOI's Individual Indian Trust (IIT, not "IT") fund accounting infrastructure.

After I read the whole report a couple of times I may come up with an even more "your hair is on fire" motivation for the importance of the IG's report to the fact situation. As to the concealment by one Secretary, that's why we have courts and elections, though both premises appear to be profoundly compromised -- first, the removal of Judge Royce Lamberth and the afactual reversal of his order to protect the integrity of the IIT infrastructure by department-level security measures (aka "the DOI internet quarantine"), and second, the continued position of the administration, independent of Party, to litigate rather than settle the IIT case.

I once had to go on an "Acker's Letter" mission for IBM Research, and my packet capture (to show that in fact IBM's Academic Unix product did do class C routing correctly) netted me a final exam in networking, also in plain text. I thought that was rather amusing at the time and just last week I was mentioning that to Radia Perlman as we discussed how networking is taught -- usually as if either the IP stack, or the ISO stack, were as natural as gravity and not the result of a lot of engineering design compromises and dead ends.

March 31, 2009

Downadup/Conficker

A good chunk of my time since Mexico has been spent on this. I don't know if tomorrow will be a non-event, which is an event no matter what, or an event.

March 28, 2009

Assistant Secretary for Communications and Information

I've spent the week in San Francisco, as an individual contributor to the IETF, which is all any of us are, at least in theory. We managed to both avoid a trainwreck, and surprisingly, make significant progress, in the IDNAbis working group.

Normal progress was also made in the trajectory towards signing the IANA root, though we had considerable exchanges of notes when .gov was signed, and a larger user base began actually using a signed TLD than we'd experienced with .MUSEUM, or than Sweden, the Czech Republic, or Brazil had previously experienced.

Today's political and policy news is that the administration has indicated its intent to nominate Larry Strickling to be the new head of the National Telecommunications & Information Administration, which has oversight responsibility for ICANN under the JPA and also the IANA Function contract, though most of the beltway and industry world is fixated on digital television at the moment, and broadband as the digital messiah, with "network neutrality" thrown into the feed-the-failing-telcos-and-cables mix somewhere.

I'm looking at the ACA's press piece; it concludes with this:

"ACA congratulates Mr. Strickling on his nomination, and we look forward to working with him in connection with NTIA's grant program and other matters related to broadband deployment, particularly in small markets and rural areas," said American Cable Association President CEO Matthew Polka.

Looking north from Weeping Springs Ridge, in Liberty County Florida, where the population density is 4 habitations or 8 persons per square mile, I'm slightly skeptical of the ACA's ability to actually deliver its message, and of the administration's ability to actually deliver broadband, to rural areas. The view is beautiful, and the Apalachicola splits a few miles to the north into the Chattahoochee and Flint rivers, both of which run north to the historic lower towns, Etowah and Elijay (Estotowe).

One of the structures here, as at many campgrounds, was built in the 1930's by the WPA's CCC. It wouldn't be useless to restart the CCC and build more enduring structures in the current parks, and in new parks (population and economic contractions have some features that can be transformed from "bad" to "good"), and it also wouldn't be useless if a new CCC doing rural projects actually informed the administration back in distant Washington City, as the old CCC did, of the actual conditions in rural America, broadband delivery capabilities included. (Grace just asked me about frame vs post-and-beam house construction, motivated in part by yesterday morning's tornado watch that had MB and the kidz and dog and cat in a reinforced cinder block structure before they were free to come and pick me up at Pensacola, where I flew in from California to a lovely line of T-storms and rain.)

There are copperheads up here on Weeping Springs Ridge, and down in the Apalachicola River, alligators. What I hope to see is the Apalachicola dusky salamander, so I'll walk to the spring between rainy periods. A sort of "go to water".

March 26, 2009

The Wages of Sin

The IETF schedule is finally reflecting the USG inflicted visa barrier. IETF-73 was at Minneapolis, IETF-74 is here in San Francisco, IETF-75 will be in Stockholm, and IETF-76 will be in Hiroshima, all per prior schedule ... but thereafter, excepting IETF-77 in Anaheim, no IETF for the next several years will be held in the United States. The North American meetings will be held in Canada, not the United States. The Atlanta meeting is scratched and that meeting will be held in Canada or Asia.

The IDNA work in 2003 would have had a different outcome if we'd had meetings in East Asia, or if Asians didn't have to scale legal mountains to get to the Minneapolis and London meetings where the die was cast.

The IDNA work in 2007-9 would have a different outcome if we'd had meetings in West Asia, or if Arabs and Iranians didn't have to scale legal mountains to get to the Minneapolis and San Francisco meetings where the die was cast.

It is a moment, like when we declined to accept the NIST requirement that no protocol specification mandate strong crypto.

March 13, 2009

A day in the life of ...

An armadillo was rustling around in the palmettos next to my dish pans when I left. Quiet rolling through the mossy oaks, stop, unlock gate, move truck, lock gate and turn on to the road, out through cow pastures and then the scent of orange blossoms for miles until I fetch up on the road north, towards Orlando, and dawn on the highway. Flight out of Orlando to National. At 10am I walked into Wilmer Cutler & Pickering Hale & Dorr and for the next two hours it was all Chatham House Rules (no quotes) with the Assistant Deputy Secretary of Commerce and her staff and "the domain name industry". Then I'd another half hour with ... people and then reversed my steps, starting at the WashLaw bookstore for Prosser, Wade & Schwartz on torts, a walk to Farragut West, only to find the metro closed, a man-meets-train event, so a quick cab ride to Foggy Bottom, and the Blue Line back to National, a jog through the terminal (people let me jump two security lines) to just make the 3pm back to Orlando, and the traverse from freeway to highway to byway to the scent of orange blossoms, the cow fences, and finally the gate and the road to camp.

Kezzie greeted me with the news that the hole next to my dishpans was the home of a gopher tortoise, which adds to the number of four-legged persons who rustle in the grasses and palmettos next to my kitchen.

I informed the United States that there would be a pan-tribal Indian application in the current ICANN new gTLD round, and the response was flattering (my 1999 work was known) and positive (could linguistic and cultural applicants, Indian and sub-state European public governments, enter into contracts with a 501(c)(3)?). We talked about the UPU problem. From there the conversations became closer to the quick. I discussed what I think are serious problems and found myself asked for recommendations. These are non-Indian issues.

March 10, 2009

simple digits redux

The "Arabic Script" effort somehow proximal to both the IETF's IDNA activity and ICANN appears to be failing. Just to make things more amusing, the IETF's IDNA effort which less than seven days ago in Mexico City I said was not melting down is doing just that.

First, the problem domain of "Arabic Script" is not Arabic, in fact, only half of the writers and readers of languages which use Arabic Script are writing or reading Arabic, and the problem wouldn't exist, like others, if "we" weren't using Unicode, which smushed the Arabic, Persian (Farsi or Dari), Pashto, Urdu and Kurdish character collections, among others, into one unwieldy blob.

A solution would be to simply abandon the fiction of "Arabic Script" and deal with Arabic without damage to the languages other than Arabic that use Arabic characters -- African languages, non-Semitic West Asian languages, even East Asian languages (and as a plus for the truly obsessed, even Hebrew, as there exists one example of a merchant correspondence in Hebrew written in Farsi, an interesting example of commercial encryption -- from before Old World and New World peoples made their unhappy acquaintances).

Second, the problem is lack of clue. Names in the DNS are simply things slightly more persistent than IP addresses, or slightly more memorable than dotted quads, or both. Someone misinformed the Arab League's technical committee, and someone left them uncorrected in that state of misinformation, and so those two dozen national representatives have thought for the past three years that their job is to figure out what "names" are "necessary" or "correct" in Arabic. Not surprisingly, nuances in Farsi, Pashto, and Urdu are both outside their ken, and "incorrect" in Arabic.

Third, the Unicode character repertoire, less charitably the UTC glyph dump, a printer's wet dream, more friend of ink on paper than to the ordinary necessity of characters such as sorting and searching, contains many glyphs that look alike, and this "0" resembles "O" and "1" resembles "l" property, which Latin Script readers and writers of domain names are mostly well past being confused by, offers much, much more to the craft of construction of confusingly similar strings.

Again, a solution would be to simply abandon the fiction of a universal character set and go back to asking Moscow if they know how to encode modern Russian. Rinse and repeat for modern forms of traditional (Taipei) and simplified (Beijing) Chinese, and so on. A fundamental problem has been the rejection of national standards where present, by the IETF, about which I've written previously. I suppose I should grovel and find the links.

Fourth, surrounding all the real technical issues is the non-technical issue of "security and stability". The credit card model and all the fun and games that exist in the universe created by a VISA click and kwel tricks that make visually similar strings fueled by Google Ads ... profitable ... is just ... well ... a gamer's paradise, and rather than look intelligently at gaming, the "S&S mantra" has everyone looking at presenting problems, here, IDN, elsewhere, FastFlux, rather than at ... guess what ... the credit card model.

But what does it really mean, really, if the ASWIG effort fails due to X, the endemic disease of the ICANN gTLD registries, which simply stated, means that no matter how generous the hand, and no matter how sharp the knife, no ICANN gTLD pizza can be cut into more than one piece?

Simply that Arabic in the DNS is intentionally damaged, and the damage extends to twice the number of users of Arabic -- the users of Arabic Script -- Farsi, Urdu, ... all the way to Malaysia.

And what does it really mean, really, if the IETF's IDNA2008 effort fails due to several causes but fundamentally the same cause present in IDNA2003, which is to say, racism manifested on the 7-bit / 8-bit barrier?

Simply that the partition we've all been carefully overlooking continues, unhealed, for the immediate present, and may grow larger.

I'll put the time I've been giving to the Arabic and non-Arabic script issues on getting Tsalagi and Cree localizations of Wikipedia. At least the outcome will be something some Indians can use, regardless of what happens to International Standards for non-Latin Characters in the DNS and applications.

March 06, 2009

ICANN Mexico City :: Day 7 :: Friday

A simple day. The ICANN Board, most familiar faces, sits to deliberate issues. There are no real surprises, so our work was adequate. Afterwards we meet for several hours, the CORE Plenary, so a complete budget review, and then a review of our last day's work.

I've not written about so much.

Normand and I spend the evening shopping from the vendors who line the park and then walk out to the Zocalo and return. I'd heard he had gotten his room rate reduced from 800 pesos per night to 500 pesos, because of the noise, and I assumed his room opened on the Reforma, but no, it was on the interior, just four floors below mine. And indeed, the compressors did shut off at 9:45pm, I'd simply not been in my room that early, and they are noisy.

March 05, 2009

ICANN Mexico City :: Day 6 :: Thursday

Today is the oddest day ever. Odder than Saturday, when we stopped doing every-ICANN-meeting work, and worked on how we work. Today we put some SO reps and the GAC reps together and let them try to talk to one another.

Policy Development Processes (PDPs) are the means to improve contracts. One view. PDPs need not result, no matter how long their work or how demanding their purpose, in changes to contracts. Another view. We are here for the public good. Yet another view. What is the public good? Yet another.

It is an odd form of meeting, where people are encouraged to raise sheets of paper, green or red for yes or no, and white for questions. Unique, in getting more than just the usual broadside of shot exchanged between the GNSO and GAC chairs, instead there were rounds of grape and canister (the "public good" exchange between X and Y was rather interesting, given who X and Y are), with boarders away and boarders repelled by swashbucklers from the Intellectual Property mob and the Government mob.

In the evening we round up forty five of our closest friends and march down Juárez to the Torre Latinoamericana and then up two elevators to the 41st floor to cocktails and dinner. Periodically I looked up and down the table and all I saw were smiles.

March 04, 2009

ICANN Mexico City :: Day 5 :: Wednesday

An odd day. It began with breakfast with someone from the American Banking Association, and lunch with the operator of the national registry of a very small African country that's been the locus of civil war for 15 of the last 20 or so years and has no external connectivity (via landline).

In the evening the Gala took place in San Hipolito Convent. When the current Chairman of the Board started the standard stump speech I stepped out and slipped into the church next door where mass was being held and soaked in the quiet and calm after the cacophony and chaos of endless deal making. At the sign of peace everyone turned to shake the hands of those nearby, a ritual ICANN cannot imitate.

March 03, 2009

ICANN Mexico City :: Day 4 :: Tuesday

[image: Aztlan_codex_boturini.jpg]

Cary Karp (.museum) was kind enough to make arrangements that led to my having the kind guidance of a local academic through the public Mayan collection of the National Museum of Anthropology, and afterwards, to the restricted access library of the museum, where I was able to go, fold by fold, through the screenfold pictorial manuscript known as the Tira de la Peregrinación (the migration strip), also named the Codex Boturini.

The morning was spent with Registry Constituency business.

The one thing I'd hoped to get, the universe of diacriticals for Mexican Indian languages using Latin Script, was the one thing I didn't get. I did however get an hour long demonstration of reading Mayan Script, and that was more than fun.

I rushed back to the At-Large Summit to participate in a panel -- Dr. Heike Jensen's panel "Power Issues in New gTLDs: Gender, Development and Big Business". I've been making powerpoint (a tool I despise) slides in every semi-private moment since I arrived and I run over my allotted time but ... when I stop talking about development, in Indian Country and Africa ... there is applause. Not the polite stuff, but hands banging hands. A rare moment in my otherwise fairly private life. Afterwards Heike and I are taped for broadcast and we escape giggling like kids.

March 02, 2009

ICANN Mexico City :: Day 3 :: Monday

Meetings with customers. Back to back, all morning. What has changed in the Guidebook, what hasn't, how this affects reasonable people, in reasonable situations, attempting to cope with ICANN's presumption that everyone trying to use the DNS is either a dangerous crook or a dangerous fool.

It isn't that surprising that mirrors reflect.

Normally I spend Mondays in the cc Tech Day. Today I was lucky to spend an hour in public meetings, the rest was all private, and John and Cary spent their time at the pyramids, which had I gone to, I'd have had to dance on.

March 01, 2009

ICANN Mexico City :: Day 2 :: Sunday

Sunday. Walking to the venue I notice the morning air is oddly quieter. Traffic police have closed Juárez street and the public park has merged with the street and the private space of the Sheraton. Throughout the day, in the moments when I can get outside, I marvel at children on bikes in some video shoot, at carefree strollers, and the intermingling of ICANNistas, corporate and government, latin and non-latin, and the Sunday People, shoppers, tourists, and vendors of the historic district.

The day is filled with GNSO policy, a joint meeting of the GNSO and the GAC on fast track for IDNs, the meat of this ICANN. I can't begin to express how many strands of the web are tangled here.

In the evening John, Cary and I go towards the Zocalo in search of a restaurant at the Spanish Casino, which we find closed for the day, and so we have tacos at a small taquería.

February 28, 2009

ICANN Mexico City :: Day 1 :: Saturday

The Standard Saturday GNSO Council meeting isn't happening at this meeting, instead, we few, we lucky few, are remaking the GNSO, and this morning I'm sitting in on a meeting on how "working groups" shall, in the future, be constituted, tasked, and report.

The first "working group" under the new model, on "fast flux hosting", was a hare started by the "Business Constituency" (a non-contracted party under the new structure), and captured by their allies in the "security" rackets, so I'm here with a partially healed case of road rash.

December 19, 2008

Cap'n Bubba the marine backhoe driver - SEA-ME-WE 3 and 4, FLAG cut

Via NANOG, and Farber's IP, as well as OUTAGES.

If you can't read this email, please go to:
http://www.orange.com/en_EN/press/press_release/cp081219en.html
Paris, December 19, 2008
Three undersea cables cut: traffic greatly disturbed between Europe and Asia/Near East zone

3 cables cut this morning (Sea Me We3 partly + Sea Me We4 + FLAG) France Telecom Marine cable ship about to depart

France Telecom observed today that 3 major underwater cables were cut: Sea Me We 4 at 7:28am, Sea Me We3 at 7:33am and FLAG at 8:06am.

The causes of the cut, which is located in the Mediterranean between Sicily and Tunisia, on sections linking Sicily to Egypt, remain unclear.

Most of the B to B traffic between Europe and Asia is rerouted through the USA.

Traffic from Europe to Algeria and Tunisia is not affected, but traffic from Europe to the Near East and Asia is interrupted to a greater or lesser extent (see country list below).

Part of the internet traffic towards Réunion is affected as well as 50% towards Jordan.
A first appraisal at 7:44 am UTC gave an estimate of the following impact on the voice traffic (in percentage of out of service capacity):
- Saudi Arabia: 55% out of service
- Djibouti: 71% out of service
- Egypt: 52% out of service
- United Arab Emirates: 68% out of service
- India: 82% out of service
- Lebanon: 16% out of service
- Malaysia: 42% out of service
- Maldives: 100% out of service
- Pakistan: 51% out of service
- Qatar: 73% out of service
- Syria: 36% out of service
- Taiwan: 39% out of service
- Yemen: 38% out of service
- Zambia: 62% out of service

France Telecom immediately alerted one of the two maintenance boats based in the Mediterranean area, the "Raymond Croze". This France Telecom Marine cable ship based at Seyne-sur-Mer received its mobilization order early this afternoon and will cast off tonight at 3:00 am with 20 kilometers of spare cable on board. It should be on location on Monday morning for a relief mission.
Priority will be given to the recovery of the Sea Me We4 cable, then on the Sea Me We3.

By December 25th, Sea Me We4 could be operating. By December 31st, the situation should be back to normal.



The last time this happened this immediately resulted in concerns of a pending first-strike by the Bush/Cheney Regime on Iran.

December 10, 2008

Texts and textual problems

During the first IETF effort at making Unicode and the DNS co-exist, which is to say, make it possible for network resources to be named in scripts other than the letters-digits-hyphen subset of the ASCII encoding of the Latin character set, the hardest problem attempted was this one:
[image: udhr_chinese.gif]
For literate users of the characters that Unicode "unified" and calls "Han Script" or "CJK Script" (Chinese, Japanese, Korean), many of the characters are "the same", whether rendered in the Traditional form (historic, Taiwan, Chinese in Asia, Chinese diaspora), or the Simplified form (PRC). To prevent confusion, we needed to come up with a rule so that asking for a glass of water in SC and asking for a glass of water in TC got the same glass of water. The Chinese Domain Name Consortium (cn, tw, sg, hk) and the JET (cn, tw, kr, jp) came up with one answer. The IETF ignored it, and so we have both a separate RFC for how to run a registry that provides names in Chinese, and (sotto voce) a second unique global DNS root that contains three labels in the root not present in the IANA root ... in Chinese.

Of course, nothing is in "Chinese" or anything else, everything is encoded into the letters-digits-hyphen subset of the ASCII with the header "xn--" so that what follows is displayed as a Chinese character or a Latin letter with an umlaut, etc.

The current hard problem for the second IETF effort at making Unicode and the DNS co-exist is bidirectionality in Arabic Script, and Hebrew Script. This affects Arabic, Farsi, Urdu, Dari, ... even Jawi, used to write Malay, and Hebrew and Yiddish, and mixing left-to-right scripts with these scripts, and mixing digits. Here are Arabic, Farsi and Urdu, respectively, in which, oddly enough, I can now pick out letters, a precursor to a simple kind of reading.

[image: udhr_arabic.gif]
[image: udhr_persian2.gif]
[image: udhr_urdu.gif]

But I've also got these issues -- adding two particular scripts to ICANN's IDN testbed in the IANA root. Cherokee and Inuktitut, but what is more important than either is Cree, which I've gone blind checking whether the w-dot and dot-w boundary, which doesn't match the Plains (nuances omitted) vs Y Cree (nuances omitted) boundary, for the character "x" used instead of ".", as punctuation. Then there's Dené and ... I now understand why Unicode's "Han Unification" is so despised in Asia.

[image: udhr_cherokee.gif]

[image: udhr_inuktitut.gif]

[image: udhr_cree.gif]

And after that come smaller problems, the diacritical mix and random character missing to make Diné correct, for the Mexican Indian languages, for ... even Choctaw according to a friend.

[image: udhr_navajo.gif]

Anyway, that's work. Some of it. And I've less than a month to finish the Cherokee and Cree localizations to get those two scripts into the set in the test IANA root.

Anyone want to help?

November 29, 2008

An Evening of Arabic Typography

I've spent at least half my waking hours since mid-afternoon of the 17th, when the proposal to ban any but one of the Latin, Arabic-Indic, and Eastern Arabic-Indic digits in any DNS label was made to the IETF's IDNAbis WG, on Arabic Script and Arabic Script Typography.

I'd seen mixed Latin and Arabic-Indic in Cairo. I learned to read Arabic digits reading license plates which are (on plates only a few years old) dual texts. The "never ever" scope of the proposal seemed to misstate to my credulous peers (the definition of "internationalization expert" in most ASCII-centric computing corporations is the first Asian coder at hand) a couple of conflated issues.

Here's something anyone with bandwidth and an interest in literacy, anybody's literacy, should sit through. An Evening of Arabic Typography.

As one of my correspondents from Tehran noted after scores of frequently more difficult than necessary interactions on two overlapping lists:

There seems to be a divide in list between Arab and Persian view points on various matters which really has nothing to do with being Arab or Persian. The point is that all our Arab colleagues are governmental people (mostly coming from the regulatory body); they're used to ordering people around and telling the customers what they can register. In our case, being non-governmental, we have to serve the customers and are perhaps more sensitive to their needs.

As if that weren't enough fun, Google has an effort underway for Emoji (絵文字), or "picture characters", the graphical versions of :-) and its friends, which are widely used and especially popular among Japanese cell phone users.

Uses of Arabic Script, ranging from spray paint on junk cars to high-end arabic typography, and what characters we allow in domain names is non-trivial, and our choices are authority (excluding things like Emoji) and its non-adherents. Perhaps authority and its non-celebrants.

At least my eyes aren't bleeding. When I reviewed Siksika (hi mom!), the Crees (note the plural, you don't want to know about the w-dot and dot-w boundary in Cree, let alone the Eastern Cree Syllabics -- Th-Cree, n-dialect, ... and Western Cree Syllabics -- Y-Cree boundary, which isn't in the same place), Carrier/Dené, and Inuktitut my eyes were definitely bleeding.

November 28, 2008

IGF Hyderabad

Several of the people I was on the ICANN policy call with on the 27th are traveling to Hyderabad, India, for the IGF. At several points I thought I'd be traveling to Hyderabad as well (just the thought makes my butt ache), for several interrelated reasons, but one of my co-workers is attending, so the attacks in Mumbai (Bombay) worried me. The IGF website was updated overnight with this:

The IGF Secretariat of the Internet Governance Forum is saddened by the tragic events of Mumbai and offers its sympathies to the families of the victims and the wounded, and its solidarity with the authorities and people of India.

The Secretary-General has issued a message of sympathy and support.

The IGF meeting in Hyderabad will go ahead as scheduled.

We take the safety of participants very seriously and the UN security team is working closely with the Indian police in order to provide as safe an environment as can be.

November 26, 2008

Music to my ears

Kurt Prinz, ICANN's Senior VP of Services, in response to my question about the costs of the proposed dispute resolution processes for "legal rights" objections and "community" objections, says

... a community based TLD really goes to the misappropriation, I would put, goes to the misappropriation of a community label which causes that community to object.
This was the insiders' concall, GNSO Council, registry operators, and the usual suspects, with more than 50 of us on the call, and not a word was spoken in the next 115 minutes which suggested that communities should not have the opportunity to file objections to the appropriation by others of their names or other significant identifiers, and that the "community" objection process was as determinative to misappropriation as the "legal right" objection process is for marks infringement.

It's been almost 10 years, but there it is, a right we didn't have is now accepted process.

Actually I was asking a cost justification question, as both the "legal rights" and "community" objection processes seem to deal with "substantial" and "significant" standards, and while ICANN's proposed to use WIPO for "legal rights" and the International Chamber of Commerce for "community" (as well as "public morality") objections, the proposed costs are wicked dissimilar, with a marks right being much cheaper to uphold than a non-marks right.

Pequot.com, CrazyHorseMaltLiquor.com, Cherokee.com, ... now none of those are going into the DNS root, at least, not as cultural appropriations commercial or trademark plays.

It got better as the call went on. We're getting a lot of the harsh edges towards community identified applications smoothed, and we're still working on the cost issue. And after two wicked civil and productive hours by the usual suspects, we still have two sections of the draft to take questions on, so another call next week.

I'm pretty happy, I can see all my eggs hatching and the chicks making it to flight.

November 23, 2008

Candidate sought for GNSO representatives to ICANN Geographic Regions WG

[image: 380px-OECD-memberstates.png]

I was just asked to submit an application for the GNSO's representatives to ICANN Geographic Regions WG. I sent the following which I'd written a month ago in a Constituency context.

Let me state what I see are issues:

1. citizenship is not necessarily coincident with residence, my initial point. A person who left Ethiopia as a youth and has lived in California ever since is a poor choice for "the voice of Africa". This is not a hypothetical.

2. I think Israel is in the same part of the world as Lebanon, Syria, Jordan and Egypt. However, Israel chooses to identify as part of Europe. Do we have any interest in, that is, _do_we_benefit_by_, forcing one model of region or another on parties seeking to stand for diversity determined responsibilities? It's not just Israel, also Turkey, Azerbaijan and Uzbekistan identify as "Europe", at least for sports. Where is New Caledonia or Tahiti? How about Guyane?

To use the usual mantra, ICANN should not be in the business of defining geographic regions against the will of those folks. Let them choose whether they wanted to vote in one region or another. ICANN should not be telling them what they are, but telling them that they should opt for one and only one description. Something along the lines of "bottom up" vs "top down" is appropriate here.

3. The pseudo-geographical approach has been problematic from the beginning. Requiring someone from the fictitious AP region normally means having someone from Australia or New Zealand. Try and wrap your head around the idea that because Paul and Peter are Antipodeans, ICANN is therefore an Asian-centric organization. ICANN determining that Peter, Paul, Bruce and Adrian are "Asians", not "Europeans", is simply bizarre. Did I mention the problem isn't hypothetical?

Now for the cure:

We have adequate representation from the brightly lit parts of the world city-to-city link map, which Fred Baker was kind enough to point out to me at Paris. Fred's worked (charity) on getting infrastructure into Kabul, and parts of Africa, as do I.

Here's the URL for the world city-to-city link map.

ICANN is staffed primarily from the OECD states. The existing "diversity" requirement has been gamed throughout ICANN's existence to favor rich, well-connected Anglo-Saxons from all over the world. We need to restate the requirement towards material diversity, not fictional diversity, towards some goals of folks, staff or elected, coming from non-OECD countries, the darker parts of that map.

The UN's model doesn't fit our needs, which is convenient because we _don't_ benefit by pretending treaty organization regionalism is an adequate representation of diversity of network penetration and availability.

So, to a first order, our goal should be half of staff and half of elected roles are the responsibilities of persons from (and not in the remote past either) the non-OECD economies, because our present model is "only token participation, as staff or elected", by persons from anything but OECD economies.

Our market is pretty darn good in the OECD market. Where we need help growing our market is in the non-OECD market, and last I looked, 2/3rds of the world's population are in non-OECD countries, and the cost of a domain name is still within the envelope for a huge user base all now well served with cheap cell phones that are already web enabled.

What we're doing isn't making us as much money as doing something else.



First Transatlantic 40G IP-Router--(optics only)--IP-Router link

Peter was the first person I spoke with when I got to the venue hotel Sunday evening. He was working on this and today made the following announcement:

Just want to announce for the history record that last week we did OC768/STM256 NY/USA-Lulea/SE using routers with integrated optics all the way. Longest hop was SeaGirt to Blabjerg at some 7500km using RZ-DPSK modulation on the underwater cable.

Interface facing submarine cable in Denmark when link came up..

POS0/5/0/0 is up, line protocol is up
Interface state transitions: 235948
Hardware is Packet over SONET/SDH
Description: "TAT14 Chan 14, fiber 2 to SeaGirt"
Internet address is 192.108.195.29/30
MTU 4474 bytes, BW 39813120 Kbit
reliability 255/255, txload 14/255, rxload 0/255
Encapsulation HDLC, crc 32, controller loopback not set, keepalive not set
Last clearing of "show interface" counters 00:20:14
30 second input rate 145190000 bits/sec, 33312 packets/sec
30 second output rate 2277465000 bits/sec, 333788 packets/sec
38828898 packets input, 20633312397 bytes, 10 total input drops
0 drops for unrecognized upper-level protocol
Received 0 runts, 0 giants, 0 throttles, 0 parity
10 input errors, 10 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
325196864 packets output, 276372852009 bytes, 0 total output drops
0 output errors, 0 underruns, 0 applique, 0 resets
0 output buffer failures, 0 output buffers swapped out


--Peter


Peter's mom Sigbritt is the non-mythical 75 year old random person with a 40 Gigabits per second connection to her house. Peter was working semi-feverishly to get the code working within the 8 hour scheduled maintenance window his test was allotted, a time slice worth about $125,000 in tariffed traffic.

Data rates are much higher, and prices much lower, in many of the OECD countries, than they are in the US.

During the Plenary Peter walked around with a camera shooting with such detachment from the surroundings that I thought of Jonah.

November 22, 2008

Privacy and its Commercial Celebrants

Ari Schwartz (CDT), Danny Weitzner (W3C) and Adam Palmer (PIR) are all on Jules Polonetsky's (DoubleClick, now Google) new privacy thingee. I remember when Jules was Chief Privacy Officer and Special Counsel at DoubleClick. We used to face off in the IAB (Internet Advertising Board, not Internet Architecture Board) calls and the W3C P3P Specification Working Group calls every week.

I also remember that after 9/11 the "Chief Privacy Officer" was about as welcome an idea in Occupied North America as Chief Indian Officer.

So I guess this means that 9/11 is over, and business is back to having to make non-security cases for unlimited access to Personally Identifying Information (PII).

That's a win if you didn't get it. And those of us who weren't asked, most of the P3P effort, are kind of instantly public for not having been asked to be private.

At the Apps Area Open meeting in Minneapolis we discussed OAuth, and more generally, the W3C's new, and oddly incoherent, notion of spatial location and privacy, relative to the P3P work, or the IETF GeoPriv work. I've a GeoPriv task to review and propose modifications consistent with my prior data collection policy phrase in the EPP spec, or the compact policies phrase in the P3P cookie spec.

As if that weren't enough cookie dough, the undying cookie spec has deltas that, siren like, called out to me again.

Quick. How many Web2.0 mechanisms to steal state, aka session data, aka personally identifying information, can you think of? HTTP Cookies? Good. JavaScript? Good. Flash? Good. ... It's an inobvious list.

November 19, 2008

The Guy Sitting Next To Me

ietf73-plenary.jpg

It is the Technical Plenary, and there's about a thousand of us in the hall. He had a "first IETF" badge on, so I introduced myself and asked a few questions. He'd attended the low power routing working group meeting. Then I asked more questions. Then I asked more questions. Then I asked to see his presentation. Then I asked him to take my card and to email me his presentation. He'd gotten 300+km distance using commercial off-the-shelf wifi kit. I just thought "Dinétah, Northern Roadless Canada, ..."

And he just got asked to come to the podium and accept the Jon Postel Service Award for 2008. Professor Ermanno Pietrosemoli of the Fundación Escuela Latinoamericana de Redes. For pioneering network testbeds in rural Africa and South America.

Photos when I get them. They are kwel!

November 18, 2008

simple digits

[image: 397px-Arabic_numerals-en.svg.png]

The subject of a proposal to the IDNAbis working group is to prevent any label (any part of a domain name bounded by "dots") from having any digits from two or more of these sets, but the first three in particular.

The problem is somewhat non-trivial to state: the visually similar glyphs (0, 1, 2, 3, 7, 8, 9) in the two "Arabic-Indic" forms are different code points, and, some Arabic preference is to only allow Latin (here called "European") and to disallow any "Arabic-Indic" glyphs because they are not "Arabic", and some Arabic preference is to allow one or the other of both "European and "Arabic-Indic", though not necessarily within a single label, and of course the Farsi/Urdu preference is for the Extended Arabic-Indic glyphs, here labeled "Eastern" with the Farsi/Urdu noted also. As if that weren't sufficiently distracting, these are bidirectional, that is, left-to-right characters within all of the right-to-left Arabic Scripts (Arabic, Farsi, Urdu, ...), but that's not the problem, and they could all be "normalized" (a Unicode term of art), but that would just transform one hard problem into another.

Given that "equal" in Arabic is يساوي (YOUSAWI: ي س ا و ي) and "is" in Arabic is هو (HOWA: ه و),


Suppose that:

"lesson.0equals٠.learn-arabic-digits.us" or lesson.۰يساوي0.learn-arabic-digits.us or lesson.۰هو0.learn-arabic-digits.us
...
"lesson.9equals٩.learn-arabic-digits.us" (repeat for يساوي and هو)

are domain names, with some lesson for Arabic learners at each URL suggested by the domain name.

Is this a bad thing?
If "equals" is replaced by "is", is the answer any different?
If the English words such as "equals" or "is" are replaced by Arabic words, is the answer any different?
If the Latin digit and the Arabic-Indic digit are not separated by any non-digit characters, is the answer any different? The code points in Unicode are shown below; there's an obvious reversed direction that I can't figure out how to fix in MT 3.2, which has always been challenged by anything non-ASCII in the first place.

Western Arabic (U+0030..U+0039)
| 0 || 1 || 2 || 3 || 4 || 5 || 6 || 7 || 8 || 9

Middle East Arabic (U+0660..U+0669)
| ٠ || ١ || ٢ || ٣ || ٤ || ٥ || ٦ || ٧ || ٨ || ٩

Eastern Arabic (U+06F0..U+06F9)
| ۰ || ۱ || ۲ || ۳ || ۴ || ۵ || ۶ || ۷ || ۸ || ۹

For your cut and paste joy, the wiki formatted table is below the jump. You've now seen "a hard problem" for internationalization. It's not really that hard, but it's passing for one this week and two weeks ago in Cairo.
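As an added example (not the post's own code, and not taken from any IDNA implementation), here is a Python check of the rule the proposal above would impose: each digit is classified by the three code point ranges in the table, labels that mix repertoires are reported, the "digits separated by letters" case is told apart from the "adjacent digits" case the last question raises, and each non-ASCII label is shown in the "xn--" form the December 10 post describes. The sample domain names are constructed from the lesson examples above and written with Unicode escapes so the repertoire of each digit is unambiguous.

```python
import unicodedata

# The three digit repertoires the post lists, keyed by Unicode code point range.
# Names follow the post ("European", "Arabic-Indic", "Eastern"/Extended Arabic-Indic).
DIGIT_SETS = {
    "European": range(0x0030, 0x003A),               # 0..9
    "Arabic-Indic": range(0x0660, 0x066A),           # U+0660..U+0669
    "Extended Arabic-Indic": range(0x06F0, 0x06FA),  # U+06F0..U+06F9
}


def digit_set(ch):
    """Name of the repertoire a character belongs to, or None if it is not one of these digits."""
    cp = ord(ch)
    for name, cps in DIGIT_SETS.items():
        if cp in cps:
            return name
    return None


def digit_sets_in_label(label):
    """Set of repertoire names used by the digits of one label."""
    return {digit_set(ch) for ch in label if digit_set(ch) is not None}


def mixed_digit_labels(domain):
    """Labels of a domain name that draw digits from two or more repertoires.

    This is the condition the IDNAbis proposal would reject. Returns a list of
    (label, sorted repertoire names); an empty list means the name passes.
    """
    found = []
    for label in domain.split("."):
        names = digit_sets_in_label(label)
        if len(names) > 1:
            found.append((label, sorted(names)))
    return found


def adjacent_mixed_digit_runs(label):
    """Maximal runs of consecutive digits in which more than one repertoire appears.

    Tells "0equals٠" (repertoires separated by letters) apart from "0٠"
    (repertoires adjacent), the case the post asks about separately.
    """
    runs, current = [], []

    def flush():
        if len({digit_set(c) for c in current}) > 1:
            runs.append("".join(current))
        current.clear()

    for ch in label:
        if digit_set(ch) is not None:
            current.append(ch)
        else:
            flush()
    flush()
    return runs


def digit_info(ch):
    """(repertoire, decimal value, Unicode bidi class) for one digit.

    All three repertoires share decimal values, but their bidi classes differ:
    U+0030..39 and U+06F0..F9 are EN, U+0660..69 are AN.
    """
    return (digit_set(ch), unicodedata.decimal(ch), unicodedata.bidirectional(ch))


def to_alabel(label):
    """ASCII form of one label: unchanged if already ASCII, else "xn--" plus Punycode.

    This is the raw Punycode step only; the IDNA mapping and validity checks that
    precede it in a real resolver are left out so mixed-digit labels can be examined as-is.
    """
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def from_alabel(alabel):
    """Inverse of to_alabel."""
    if alabel.startswith("xn--"):
        return alabel[4:].encode("ascii").decode("punycode")
    return alabel


# Constructed sample names modelled on the post's "lesson" domains (hypothetical names).
YOUSAWI = "\u064A\u0633\u0627\u0648\u064A"  # يساوي
SAMPLES = [
    "lesson.0equals\u0660.learn-arabic-digits.us",           # European + Arabic-Indic
    "lesson.\u06F0" + YOUSAWI + "0.learn-arabic-digits.us",  # Extended Arabic-Indic + European
    "lesson.0\u0660.learn-arabic-digits.us",                 # adjacent digits from two sets
    "lesson.\u0660" + YOUSAWI + "\u0669.learn-arabic-digits.us",  # one repertoire only: passes
]

if __name__ == "__main__":
    for name in SAMPLES:
        hits = mixed_digit_labels(name)
        print(name, "->", "mixed" if hits else "ok", hits)
        for label in name.split("."):
            if adjacent_mixed_digit_runs(label):
                print("   adjacent mixed digits:", adjacent_mixed_digit_runs(label))
            if not label.isascii():
                print("   A-label:", to_alabel(label))
```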


November 10, 2008

ICANN Cairo Day 6 :: A view from Youtube

In this footage I'm sitting next to the camera, and the footage begins with Paul Stahura of Enom handing the mike to Dirk Krischenowski who makes the point that it's not just .berlin that is at risk due to the time it's taking ICANN to accept community-sponsored and city-sponsored applications, but also ICANN which is at risk. Next after Dirk is former ICANN Board member Nii Quaynor who will clear up a misconception about the proposal for a .africa, followed by Young Eum who will comment on the oddity of treating Australia and New Zealand as "Asia" (to the general exclusion of non-Anglophones and the specific preference of Sydney over Seoul for the next "Asia" ICANN meeting), and the overwhelming US/European origins of the ICANN staff. Her message will result in what really is a surprising outburst the following day by Paul Twomey, the president of ICANN (and an Aussie).

One of the interesting bits of ICANN-ology is the fact that there is a queue behind Dirk. Staff has scattered mics all over the hall to make the queue "go away", but we still queue up. Later I'll speak from the farthest corner of the hall, where a mic finds me, on the problem of regions and assumptions, and suggest that we need more poor people where it matters.

ICANN Cairo Days 1-7 :: A View via Youtube

The video begins with day 1 at the first of two back-to-back days for the GNSO Council, the policy making body for generic (as opposed to "country code") top-level domains. The sequence begins with me asking Kurt (ICANN staff) a question that seems to be about policy but is actually about process -- how does the Council re-assert a policy reversed by Staff? See link.

Visible in the first segment are Tim Ruiz, VP of Policy for GoDaddy (pink shirt on my right; largest registrar by market share and rep from the Registrar Constituency), and across the table Paul Stahura of Enom (2nd largest registrar by share, an observer) and Adrian Kinderis (AusRegistry, also an RC rep). Responding initially is Avri Doria, nomcom rep to the Council and chair, followed by Kurt's (Staff) response. Also in the frame are Mike Palage, observer and former rep, Glenn de Saint Gery (Staff), and several Registry Constituency reps, the closest being Jordi Ipa (.cat); next to Avri is co-chair Chuck Gomes (Verisign and a rep) and across the table, Thomas Roessler (W3C), the incoming technical liaison to the ICANN Board. There are several ICANN Board members "in chairs" or at the table between the GNSO Council reps and the observers.

Next is Werner Staub asking about the false dichotomy between "open" and "community" models later the same session (which we call "the GNSO showing of the Kurt Show", Kurt repeats this several times during the week). Next to Werner and not very visible are most of the Registry Constituency reps and observers, with the exception of Chuck, who's next to Avri as co-chairs.

The next segments are for tone -- our booth, where we did a surprising amount of business (I'd no idea our reputation was so high); our workshop ("GAC stuff" means Bertrand was writing something for the Governmental Advisory Committee, which he co-chairs), which got very high marks from the Intellectual Property constituency and others; one of the quieter moments of Kash Mahdavi's party for .tel (seriously, a half dozen shawms qualify as an acoustic WMD; a belly dancer is not inherently dangerous) out at Giza; and footage from the trip organized by Skenzo -- so a bus load of ICANN accredited registrars and domainers (typo-squatting and expired-domain pay-per-click and similar monetization scheme type people).

November 07, 2008

ICANN Cairo Day 7 :: Board Meeting

I was disappointed to learn that ICANN staff had recommended Sydney over Seoul for the next Asia meeting. "Asia" in ICANN-ese means Anglophones in Australia and New Zealand and the occasional exception elsewhere in Asia.

[Image: worldBlacksmall.png, world map]

The current board let the staff error go -- Seoul's cost was $300,000 more than Sydney's, but the issue is much more than what is, to be honest, a peanut (note the singular) in ICANN's budget -- but "corrected" it by deciding to hold the next meeting in Seoul, bumping Europe (and our bid for Barcelona) off the 2009 schedule.

The previous day, when the Board was taking public comment on regional diversity, there was no shortage of comment to the effect that a pile of Aussies and Kiwis did not add up to a bit of Asian representation in a predominantly Anglo-American organization. I rose to speak to the regions not being quite it either, and that OECD vs non-OECD was more likely to bring us views we don't already know (as if more reps from the rich bits of North America and Europe were likely to increase human knowledge about network needs), see map above, etc.

It was well received. The same point in the Registrar Constituency, where I even argued that there is more money to be made if we can get a Board, Staff and Councils that are smarter about diverse material conditions, seemed to fall rather flat.

November 06, 2008

ICANN Cairo Day 6 :: I attend a meeting of the Arab League

The entire meeting was in Arabic, except for ICANN keywords, which actually made it easy to follow. Being I suppose one of the available iso3166 wonks, I spent part of the meeting chatting with my seatmates on nuances relevant to ICANN and the Arab League.

It was interesting watching the Governmental Advisory Committee (GAC), At Large (ALAC) and Country Code (ccNSO) people and the few "generic" people thrash out why, and how, to improve their collective advocacy, their lobbying, and all in Arabic. I was a fly on the wall, doing "traffic analysis" on English keywords, as revolution against Euro-American-centrism was being plotted, for a second time.

More on "the Pink Bits" and Euro-American-centrism tomorrow, when the Board tries to dig its way out of having been recommended to schedule the Asia meeting in an English speaking country (again).

November 05, 2008

ICANN Cairo Day 5 :: For my Sins

In the mid-afternoon we held our workshop -- a first for us -- on the ICANN meeting schedule, in a room ICANN provided, with ICANN scribes and ICANN translators and ICANN audio and text feeds to the network-attached world. The session before ours was Internet Governance, the session after ours was ICANN Strategic Planning, so we were in the warm-to-hot part of the stove-top.

While the feeds were set up I told a story -- eleven years ago I had a few ideas while participating in Working Group C, the working group (or zoo) tasked to consider, and perhaps answer, the questions of how many new gTLDs should be introduced in 2000/2001, and what kinds. Anyway, I wrote them down and posted the paper, and from that paper came the model of sponsored gTLDs, such as .aero, .coop and .museum, and for my punishment Louis Touton had me edit the XML in the registry contract "live" during the Montevideo ICANN meeting. A few years later the model of a linguistic and cultural gTLD, which was also in that paper, was turned into an application for .cat, and as punishment Amadeu Abril i Abril asked me at the Rome ICANN meeting to be the CTO for the application for .cat. Finally, this year another idea in the paper, that "rights of others" means more than just trademark, and rights senior to trademark, came to life and was adopted by the Intellectual Property practitioners who also lobby ICANN, and as punishment I was the convener of today's workshop. The lesson here isn't that I'm wicked clever or too stupid to avoid oncoming cars (a Cairo traffic and pedestrian metaphor), but that the temporal offset from articulation to execution is some non-trivial number of years.

Of course, those ideas were all in the Working Group C paper for a top-level domain for Indians, one we'd set policy for and operate, a "g" under ICANN Consensus Guidelines, rather than a "c", which I'd asked Jon Postel for, and which the rush of events -- the mad scramble for seats, the better seats, at the table of the "new entity" -- froze out along with all other projects, and resulted in what we call ICANN, or on bad days, "ICANN'T".

The workshop was a success. The Intellectual Property Constituency will kill some applicants, but they've chosen not to bloody our collective swim suits, and we sold our ideas to the subset of the swarm of applicants who aren't in it for the chum.

A day well spent. I think the real punishment was having to listen to a hammy voice-over at the light-show out at the pyramids culminating a grade-Z sci-fi script in a thunderous voice "Man fears Time but Time fears the Pyramids!!!"

Fortunately I got to chat with someone partial to the idea that people with handsets but not laptops will produce, not simply consume translated-for-size, content for other people with handsets but not laptops.

November 04, 2008

ICANN Cairo Day 4 :: My Two Plus Hats

I start the day in the Registry Constituency meeting and end it in the Registrar Constituency meeting. The new gTLD handbook is almost the only issue in either room. The existing registries look at the proposed contract with horror -- ICANN proposes that it can modify the contract with the new gTLD registries at any time -- that sets a precedent and eventually it may bite the existing registries also. The existing registrars look at the new gTLD application fees with absurd interest -- not because they are sufficiently concerned about the viability of registry start-ups to find a means to solve a problem that has existed since .museum, .aero, and .coop were launched in the 2001 round, but because many are planning to submit applications to operate registries.

Can registries own registrars? We started with a single, unified registry-registrar model -- it was Network Solutions, split into the Verisign Global Registry and Network Solutions Registrar units, so we have a "no" rule. But can registrars own registries? Can a registry own a registrar if the registrar does not do registrations for that registry, but for others?

Finally, while we don't talk much (if at all) about those who don't have any meaningful access to the namespace (and I'm so amused by staff's concern about "protecting the registrants", and making the start-up cost for community-based registries identical with the start-up cost for speculative registries, Indians are protected wicked good by not allowing them to have any namespace), we're wasting time talking about what if the Trumps want a vanity tld. A .trump. or a .trademark. A lot of registrars are stirring up the trademark holders with the message "You must apply for .foobar, and we can help you.", where "foobar" is just about any corporate name or mark. Dot IBM. Dot Kleenex. Dot Junk. But Dot Money.

Payday lenders go mobile

An issue I'd hoped the candidate in the OH-15th would work, even before the market crashed a month ago, was payday lending. The republican candidate being a mortgage lending lobbyist with a record of opposition to regulation and a payday lending issue being on the ballot made this appear rather obvious. At least to us, not that particular campaign, which may win, or lose, the lottery today, on the coattails of the national campaign, which prior to the market crash, was several points down in Ohio, and in the OH-15.

Here's an absolute gem from the W3C's mobile web for development mailing list: in Finland (home of Nokia) mobile phones are being used to offer "loans" at an annual interest rate of 298%.

Under the deregulate-is-always-good umbrella, it never rains.

November 03, 2008

ICANN Cairo Day 3 :: The State Reception

Mercifully, the Egyptian Government was too busy to fill the evening with a speaker, and we few, we happy few, we band of Smothers Brothers, could spend the evening at the Barron's Hindu Palace talking with each other about petty nonsense.

November 02, 2008

ICANN Cairo Day 2 :: Two communities, one speculator

Draft Applicant Guidebook, Module 4 String Contention Procedures, has a process for determining the outcome where two or more community-based applications, and one or more speculative (or "commercial" or "open", whichever adjective suits one's tastes) applications, exist for some string (or set of similar strings).

Suppose that there are four applications for ".cherokee": one by the Cherokee Nation of Oklahoma (CNO), one by the United Keetoowah Band (UKB), one by the Eastern Cherokee Nation (ECN), and of course, one by Chrysler LLC (JEEP).

Suppose that at least one of the three community-based applications elects for comparative evaluation. This sends all of the applications in the contention set to comparative evaluation. Because the Chrysler LLC application is not community-based, it cannot win the comparative evaluation. However, if at least two of the CNO, UKB and ECN applications meet the comparative evaluation's minimum threshold, then there is no clear winner of the technical evaluation.

The staff-proposed "next step" at this point is for all of the applications in the original contention set to bid for .cherokee. Obviously Chrysler LLC wins at this point and the ICANN process awards .cherokee in the unique DNS global root in perpetuity (or as long as grass grows, rivers flow, and car manufacturing, or alternatively brand management, is profitable) to Chrysler LLC.

So, if two or more community-based applications exist for a string, or two "similar" strings, then the string will go to any non-community-based application for the same, or similar string, if it has better access to bidding capital.

Similarly, suppose one of the set of applications from {CNO, UKB, ECN} does not meet the minimum threshold, and Chrysler LLC, for some reason, withdraws its bid. Again, the contention set goes to auction, and the ICANN process awards .cherokee in the unique DNS global root in perpetuity to the applicant with the best access to bidding capital, which could be the application which did not meet the minimum threshold.

So, if two or more community-based applications exist for a string, or two "similar" strings, then the string will go to the community-based application for the same, or similar, string that has better access to bidding capital.

Restated, any name of any community can be captured by submitting, or causing to be submitted, a pro-forma "community-based" application which meets the "minimum threshold", and optionally, if the goal is an "open" registry, a separate non-community-based application, with better access to bidding capital than the actual community submitting a community-based application.

November 01, 2008

ICANN Cairo Day 1 :: Notice to Indians, Bloggers, ...

Today is GNSO Council, full-day-o-work. This issue is (insert favorite set of indigenous polities) vs car company, or bloggers vs exploiters of blogs, and here is where we are at the moment.



1.2.2 Two Application Types: Open or Community-Based


All applicants are required to designate each application for a new gTLD as open or community-based.

1.2.2.1 Definitions


For purposes of this RFP, an open gTLD is one that can be used for any purpose consistent with the requirements of the application and evaluation criteria, and with the registry agreement. An open gTLD may or may not have a formal relationship with an exclusive registrant or user population. It may or may not employ eligibility or use restrictions.

For purposes of this RFP, a community-based gTLD is a gTLD that is operated for the benefit of a defined community consisting of a restricted population. An applicant designating its application as community-based will be asked to substantiate its status as representative of the community it names in the application, and additional information may be requested in the event of a comparative evaluation (refer to Section 4.2 of Module 4).

An applicant for a community-based gTLD is expected to:

  1. Demonstrate an ongoing relationship with a defined community that consists of a restricted population.
  2. Have applied for a gTLD string strongly and specifically related to the community named in the application.
  3. Have proposed dedicated registration and use policies for registrants in its proposed gTLD.
  4. Have its application endorsed in writing by an established institution representing the community it has named.

Applicants should understand how their designation as open or community-based will affect application processing at particular stages, as described in the following paragraphs.

Objection/Dispute Resolution – All applicants should understand that an objection may be filed against any application on community opposition grounds, even if the applicant has not designated itself as community-based or declared the TLD to be aimed at a particular community.

Refer to Module 3, Dispute Resolution Procedures.

String Contention – Any applicant that has been identified as part of a contention set (refer to Module 4.1) may be obliged to participate in either a comparative evaluation or another efficient mechanism for contention resolution if the application reaches the string contention stage and the applicant elects to proceed.

A comparative evaluation will take place if a community-based applicant in a contention set has elected comparative evaluation.

Another efficient mechanism for contention resolution will result in other cases. If a comparative evaluation occurs but does not produce a clear winner, the efficient mechanism will then result.

Refer to Module 4, String Contention Procedures, for detailed discussions of contention resolution procedures.

Contract Execution and Post-Delegation – A community-based gTLD applicant will be subject to certain post-delegation contractual obligations to operate the gTLD in a manner consistent with the restrictions associated with its community-based designation, once it begins operating the gTLD. ICANN must approve material changes to the community-based nature of the gTLD and any associated contract changes.

1.2.2.3 Changes to Application Designation

An applicant may not change its designation as open or community-based once it has submitted a gTLD application for processing.

Source: Pages 12 and 13 of Module 1 Introduction to the gTLD Application Process.



I've already asked my question: "How did we get from community-based being "dispositive" where there are two or more applications for the same string, say ".cherokee" or ".blog", to where it is "a factor" (of limited value)?" The answer is that Kurt and I will confer (on the policy), and the GNSO Council will have a chance on Wednesday to consider how its policy ("determinative") has been transformed (to "a factor"), and what the Council has to do to re-instruct Staff. To be continued.

October 24, 2008

ICANN publishes the new gTLD application fee

And it's $185,000. We're taking that as a given, and yes, three years of staff-time to review an application for Wales or blogs or ... soup spoons seems a trifle dear.

It is a major win for Verisign (recall that ICANN was created to transform a monopoly market into a competitive one) that Verisign bears zero cost, while the entire new gTLD process is supposed to be self-supporting, with "no cross-subsidization".

The 2000 round cost was one quarter the cost now proposed, though to be fair, only 7 of 40+ got approved, and no fees were returned, so the effective cost is equivalent, assuming that all current paid applications are approved.

With any luck Roubini will win the day, the markets will be closed for a week, and we can blame ICANN.

October 21, 2008

Yahoo! lays off 10%

That's 1,400 people looking at their last high-tech paycheck for a while.

October 10, 2008

World Wide Wiretap and the Five Boroughs of New York

[Image: nyc_03 nyte - world within new york.jpg]

The AT&T branded copy at MIT's cutely named "New York Talk Exchange" (is it crashing too?) is as follows:

World Within New York shows how different neighborhoods reach out to the rest of the world via the AT&T telephone network. The city is divided into a grid of 2-kilometer square pixels where each pixel is colored according to the regions of the world wherein the top connecting cities are located. The widths of the color bars represent the proportion of world regions in contact with each neighborhood. Encoded within each pixel is also a list of the world cities that account for 70% of the communications with that particular area of New York.

No mention of intercept, "legal" or otherwise, but this, not pillow talk between consenting US nationals in South West Asia, is what ABC could be reporting. After all, the ABC brand isn't compromised by coverage of the AT&T brand.

If you can't see the NYTE logo at the upper right, click on the permalink, the color-to-country legend is not to be missed.

October 05, 2008

Oh No, Regime Grade Cabinet Level Dumbness in sight

The Secretary of Lieberman's Mess mentioned he envisions a defensive system that "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target." Unfortunately, he wasn't referring to coastal batteries ready to target shoals of irksome jellyfish, but something to do with the innertubes. The intellectual wreckage is here -- CNN Junk Tech: Homeland Security seeks cyber counterattack system

A NANOG contributor wrote: my first reaction to Chertoff's statement is that the antiaircraft barrage already exists, is called Windows XP Pro Service Pack 3, which is sufficiently fanatical on my machine that its uninstaller committed suicide.

Naturally, the Secretary of Lieberman's Mess did not mention the fact that 9 out of 8 computers in the Microsoft monopoly market zone have been, are, or will be, attack assets of anyone who decides to use them.

September 23, 2008

.sos

The IEPREP Working Group's charter originally included more than just figuring out how, assuming some administrative requirement, to seize unpolicied network resources for higher, policied ends. The use case was disaster response, and we started work with one of the three items on the wishlist being:

Access and transport for database and information distribution applications relevant to managing the crisis. One example of this is the I am Alive (IAA) system that can be used by people in a disaster zone to register the fact that they are alive so that their friends and family can check on their health.

The WG produced RFCs 3487, 3689, 3690, 4190, 4375, and 4958, all dealing with router and VoIP issues, that is, creating the mechanisms for ranking resources and allocating by ranking, but nothing for the "I Am Alive" system. That was the one thing I thought was more important than dumping local yokels and their silly chatter off the net so that General Halftrack could save the world.

I thought, since we had this thing we'd written for domain name registration, which just happened to have this irritating (in the sense of enabling automated harvesting of email addresses for sale within the gray-to-black spam marketplace) mechanism for creating WHOIS data, and having written it so that just about any linux laptop could be configured to run the client end of the protocol in less time than it takes to write this post, that we were close to having an "I Am Alive" system.

The problem was, the router weenies wanted to re-solve the problem shown to be wicked difficult in the RSVP work in the prior decade, the scaling of connection state necessary to reserve resources, and the WG drifted off into the then-new Real Time area of the IETF, 'cause that was a cool problem to solve and few of the VoIP people had lived through the RSVP effort.

Anyway, we still don't have a global, or a national, or a state, or a city, or a tribal, or a ... application where people, the ones that don't need network in an emergency, at least not as much as General Halftrack does, can beacon after some mass casualty event that they are still among the quick. After the Katrina landfall, when a group of people were working around the dysfunctional FEMA to provide wireless access and backhaul to what was left of the wireline infrastructure, it was apparent that (a) people really do need network after a disaster, to find housing and more, and (b) an IAA beaconing system would have revealed the magnitude of those not causing an IAA registration much more quickly than FEMA allowed. The game of keeping the number of corpses caused by Brownie and other RNC morons under the number of corpses caused by Mohamed Atta and his gang of 18 suicides could have been brought to an earlier conclusion.

The rumors coming out of the Ike landfall area are disquieting. Nothing really has changed since Katrina, and the provisioning data for an IAA system could include more (or "later") data than simply "insert name alive at some-time and some-place"; it could include looking-for-who and needing-what and going-to-where and ... data -- and it could be someplace a little less inobvious than somewhere in the maze of which government's and which relief organization's dotted namespaces.

I'm in the name space business, and I'm writing applications for new top level domains, and I'm sure that my company, which is about as goodie two shoes as there is in the internet, can operate a .sos, we operate several top level domains already and expect to operate more, after all, we're not unskilled or unclued, so I'll write the application. We don't yet know what the ICANN fee will be, it was $50k per in the last round, and the figure could be much higher in the coming round, now scheduled for 2Q2009, but that's just "ask for" money -- when we ask for it, people will give it. The alternative is leaving the body count in FEMA's hands, and that's hardly a win in the Grover Norquist drown-government-in-a-bathtub moral universe. At least not for those still alive in the disaster area.

.sos -- a top level domain for I Am Alive (IAA) applications.

September 18, 2008

A Dark Day in a Week of Dark Days

As I walked across the street today to a Starbucks (wicked huge hot milk "venti latte"; the Swiss form of caffeine uptake might as well be chewing on beans) this afternoon it occurred to me to "look carefully", to look to remember where I was, my life in this Mrs. Dalloway moment. The day the Russian exchanges closed.

Later I called up the ABA and after some forwarding talked about a meeting at the ABA next Friday, when I'm back in DC (though I'd really rather be in OBX, kayaking with the kids).

As if banking has a future...

September 17, 2008

.cat is .three

[Image: cat_logo_icann.gif]

Three years ago our application for the first linguistic and cultural top-level domain, .cat for the Catalan linguistic and cultural communities, was approved.

The idea was my circa 1999 proposal for .naa, but I was unwilling to risk $50,000 of my own and tribal money in the circa 2000 ICANN process, a wise choice as only 7 of 41 applications were approved and so 34 checks were deposited and not returned.

September 04, 2008

Google's Chrome and DNS queries

I'm back to using my VSAT, so I haven't bothered to download the chrome binary (that's what visits to wifi hot spots are for, along with the designer coffee), but others have and there is a significant difference (as in "very bad") between the Google Corporation's chrome and the Mozilla Foundation's firefox browsers.

Two machines with flushed caches loaded the default page for www.berkeley.edu. The chrome machine immediately queried for the hostnames for *all* of the links on that page, even though that browser had not yet visited any of them.

Another test was run once with Firefox (with all the various extensions turned off) and then again with Chrome (after flushing the windows DNS cache). The sample of websites is CNN, BBC, Washington Post, a few web comics, a weather site, slashdot, the register.

Firefox generated 194 DNS packets (queries and responses)
Chrome generated 638 DNS packets (queries and responses)
Chrome was 3.289x the query load of Firefox.

Because both use the publicsuffix.org list (see https://wiki.mozilla.org/Gecko:Effective_TLD_List), a really silly idea in so many ways, the .co registry is going to get really hammered. I've no idea if Google is picking up the load at the Universidad de Los Andes, which runs the NIC for Colombia.

Senator Obama on Security at Purdue

There's a blog by one of my peers, Gene Spafford, that I just came across. He wrote up a report after the then-presumptive nominee came to Purdue last July which I recommend highly -- Barack Obama, National Security, and Me

September 03, 2008

.cz signed

The zone file for the Czech Republic's namespace is digitally signed (DNSSEC) effective September 1st, and the OMB recently published the requirement that the .gov zone file also be made secure using DNSSEC.


Something to read: link.

September 01, 2008

ENOLABOR

One of the striking things about working in the ICANN market is the presence of government and business, and the absence of labor. There was a .union proposal in the 2000 round, but nothing since, and I can't recall meeting anyone from a union at ICANN, tracking the issues or simply filling a chair.

In theory, the identification of public policy with private interest is called something that starts with the letter "F". In practice it's all a palette of nice buzz words, none of which sound like "wage" or "collective bargaining" or "working conditions".

So labor's stake in the technical coordination of the Internet, or Internet Governance (your choice of terms) is ... zero.

Happy Zero Day.

August 30, 2008

The Tilt of your Cap

Someone suggested that I "really ought to read the whole FCC thing. everybody else is sorta pulling out the parts that they want to highlight. but the story in the full FCC order is astounding."

The thing is here.

And Comcast just announced a monthly b/w cap. Of course, if you don't like it, in a free market, you can always switch cable providers, neh?

August 29, 2008

Lessons Learned

One lesson is that to enter a FEMA-managed disaster area for the purpose of assisting the survivors, say, doing a wireless buildout -- initially just a VSAT and a wireless cloud the size of the administrative area of a relief area, between the kitchen and the fuel area, and developing into a complete parallel (to the wrecked towers / flooded conduits wireline) regional infrastructure -- the application must be made 30 days prior.

Our FEMA chit, applied for August 31st, granted September 23rd, and received September 27th, is the thumbnail.

Today is Saint John's birthday. I recall when he and W split a tart. Katrina was making landfall on NOLA.

August 26, 2008

Airspace Data Interchange Network Outage

An outage has occurred at an FAA facility in Hampton, Ga. This facility processes flight plans.

Update #1
ATLANTA -- The Federal Aviation Administration said a communication failure Tuesday at a Georgia facility that processes flight plans for the eastern half of the U.S. was causing flight delays around the country.

An FAA Web site that posts airport status information showed delays at some three dozen major airports coast-to-coast, advising passengers to "check your departure airport to see if your flight may be affected."


FAA spokeswoman Kathleen Bergen in Atlanta said there are no safety issues and officials are still able to speak to pilots on planes on the ground and in the air.

She said she doesn't know how many flights are being affected.

Bergen said the problem that occurred Tuesday afternoon involves an FAA facility in Hampton, Ga., south of Atlanta, that processes flight plans. She said there was a failure in a communication link that transmits the data to a similar facility in Salt Lake City.


As a result, the Salt Lake City facility was having to process those flight plans, causing delays in planes taking off. She said there were no problems with planes landing.

"There will be flight delays," Bergen said. "It could be any location because one facility is now processing flight data for everybody."

A spokesman for Hartsfield-Jackson Atlanta International Airport, the world's busiest airport, did not immediately return a call seeking comment on the impact there. Bergen said officials at the Atlanta airport were entering flight data manually to try to speed things up.

The communication failure was causing delays for departures and arrivals at Baltimore-Washington International Thurgood Marshall Airport, according to airport spokeswoman Cheryl Stewart. However, she did not have a number on delays.

The FAA has asked that no new flight plans be filed, Stewart said. If an airline has not filed a flight plan yet, that flight can't leave. However, some flights had already filed their plans and those planes were being allowed to depart, Stewart said.


Brenda Geoghagan, a spokeswoman for Tampa International Airport in Florida, said "it may just be too soon" to determine the impact there. Christine Osborn, another spokeswoman at the Tampa airport, said there have been no delays due to the flight plan communication failure. But she said she anticipates problems in the coming hours.

"There's definitely going to be some impact," she said.

At Miami International Airport, there were no delays or cancelations due to the communication failure, said spokesman Marc Henderson.

"There are cancelations due to weather from the hurricane, but not due to this," he said.

The National Airspace Data Interchange Network is a data communications system for air traffic controllers. It's used to distribute flight plans and allows controllers to know when planes are leaving, where they're going and other details.

Allen Kenitzer, a western regional spokesman for the FAA, said the Utah system could handle the extra load while workers tried to get the Atlanta system back online, but it was expected to slow down air traffic.

"We're not going to let an unsafe condition exist. It's just going to be slower," Kenitzer said.

More non-competence

06_pipes.jpg

That's a view of the DNC's tech. Obviously, no one who's ever previously done a build-out was involved. Wired's photo guy apparently didn't guess his photo would take only hours to land in the operators' rogues' gallery of spaghetti westerns.

I'm looking forward to more pasta when the RNC techies step up to the plate.

August 23, 2008

Bidding, not Biden

When Kurt Pritz briefed the GNSO Council (and observers) in Los Angeles April 10th and 11th, the new gTLD process model's flows transitioned through an "auction" state in two of the three paths where two or more applications existed for the same (or similar) strings. At that time Kurt, speaking for Staff, was clear that the existence of a well-defined community was not dispositive, which surprised the Council members from the Intellectual Property Constituency present who recalled coming to the opposite position at San Juan. For Staff, a well-defined community was "a pebble" to weigh in some balance, where the name-squatting speculative bidder's claims to make "better use" might prevail. The weights of pebbles and the market-cap of the "better use" claimants were not defined.

Kurt's pebble makes a cameo in The Economic Case for Auctions, as a 25% bidding credit ... offered to community-based bidders whose community is located primarily in least-developed countries, so it seems safe to assume that Chrysler LLC will simply have to offer 1.25 times the money to ICANN as a consortium which includes the governments or institutions of the Cherokee Nation of Oklahoma, the United Keetoowah Band of Cherokee Indians, and the Eastern Band of Cherokee Indians. Of course, the ICANN lobbyists for Chrysler LLC may ask for, and may obtain, a ruling on the question of whether "Indian Country" is "located primarily in least-developed countries", and as horked as the economy is in the nine districts of the CNO/UKB and the Qualla Boundary, they could be described as "inside" the United States, which could cut Chrysler LLC's overbid by a quarter.

Obviously, as the author of the original sTLD proposal in Working Group C, for a TLD operated by and for Indians, and as the coordinator of the Indigenous Intellectual Property Constituency, one of the three original IPC constituency proposals, that's a bean of no small size wedged way up my nose.

But that's not all, as the narrator of the Ginzu knives promotion promises, there's more. Much more.

The Executive Summary informs us that scarce resources are efficiently allocated through auctions, a claim articulated in full at page 2, para 6, through the end of page 4, while three paragraphs above the anonymous author notes that TLDs are not a scarce resource. This may reflect a division between the anonymous authors, or a brief moment of sobriety by a single, conflicted author. There are as many potential new gTLD bid strings as there are stars on a clear night in Marina del Rey. What is (relatively) scarce is the number of bid-capable efforts, which presently numbers in the low hundreds, and the whole point of the exercise is to intelligently deal with the subset of those bidders who chose well-known strings and chose not to encumber their application, or more importantly, the legal entity with whom ICANN might contract, with a well-defined community.

The anonymous author(s) claim that value is defined by the presence, or absence, of bids. However, the W3C may offer a community identified proposal, a dispositive bid for $0 for the most sought after of all potential candidate strings ".WEB", preventing any bids, to remove ".WEB" from ICANN's GNSO policy area. The Microsoft Corporation may offer $1 more than any bid (open ascending assumed) or a year's marketing budget (sealed bid assumed), for the same ends. The real value here is defined by the capture of the rights of others or theft of some linguistic commons, and as a corollary, value is defined by replication of the unpoliced, unsponsored, .com business model. ICANN is not handing out random string sausages to queued up Soviet housewives eager to go home and get on with cooking up something filling with cabbages, it is letting Verisign and other high-cap speculators grab at a very small cloud of marques and generics, and bid price is claimed to be a sufficient surrogate for all forms of merit, all purposes, and all policies.

Worse, Microsoft could put in an application for .ETOAIN-SHRDLU or .SHAZAM, again, a bid price of $0, and bundle "free" domain names into its products and send the entire ICANN market, Verisign's .COM franchise included, the way of the Linotype. The anonymous author(s) have completely missed the real contours of both the real ICANN market, and the real value(s) present in this market.

The three particular claims made that form the second paragraph of the Executive Summary contain assumptions that should be identified.

The first claim assumes that unit price times volume corresponds to value.

This violates the consensus of Working Group C, which established the parity of unrestricted and restricted applicants in the 2000 round. I know, I drafted the restricted text that Jonathan Weinberg worked into the working group's Oct. 23, 1999 interim report.

The second claim assumes that marginal cost corresponds to value.

This violates the consensus of Working Group A, which established the parity of prior claims and any other allocation mechanism, and which cannot sensibly be reduced, in an intellectual property regime encompassing hundreds of jurisdictions, to simple estimates of marginal cost. I know that too, because members of Working Groups A and C exchanged notes during the pendency of our respective working groups.

This too violates the consensus of Working Group C, which established the parity of policy other than the de minimis "first come, first served", assumption of the credit card industry risk, and negligence policy that defines the "unrestricted" policy model. I know that too, because, well, see above.

The third claim restates the first claim, with the odd twist that a "scarce resource" declines in value if reserved, whether by a "speculator" or a responsible intellectual property custodian, or ICANN. Is anyone certain, certain enough to commit ICANN's and scores of registries', registrars', and other applicants' resources, eight-figures sure, that the value of .WEB is less today than it was in 2000? That the value of .SPORT is greatest before the IOC, the professional sports associations, the broadcasters and the advertisers appreciate it, now, and not ten years from now?

The remainder of the Executive Summary (paragraphs 3 and 4) is irrelevant, other than making the mildly amusing case, years late, by a bystander, that the .ORG and .NET redelegation "technical evaluations" were utter rubbish, and that in retrospect, it is Paul Vixie's and Carl Malamud's groups, or SWITCH, and not Hal Lubsen's and Philipp Grabensee's groups, that should be operating .ORG, and CORE and not VGRS that should be operating .NET. The author doesn't actually say that, of course, that could cause Sudden Consultant Termination Syndrome, but if ICANN can't do comparative evaluations in the future, and will be hopelessly gamed, it was hopelessly gamed and couldn't do them in the past either.

The notion that ICANN, that the ICANN stakeholders, have no interest in the policies or practices of an applicant to operate a gTLD registry, other than the applicant's ability to pay -- we don't need no stinkin' rules, we've got cash -- is illuminating as an evaluation of ICANN as an institution.

If there is a place in the ICANN problem's allocation arena where the resources are scarce, and the policy of the bidders, as a class, of utter disinterest, other than their ability to pay, it is the allocation of single-character domains in COM, NET, and ORG. And neither Overstock, nor Oprah, propose to operate a gTLD registry, just an SLD of no particular import.

August 19, 2008

Larry Lessig on the McCain Technology Plan

I wish Larry had talked about the period prior to the commercial interchange agreement, when public money pushed the then-UUCP and FidoNet envelope, but he does pretty well starting from the end of that epoch, the late Clinton years, to the present.

Via CircleID.

We do talk about this on the operators lists. In Japan a real 100m/100m is about USD30/mo. In the States USD90/mo gets 256k/768k. As far as the internet is concerned, the United States is a third world country, and that's before you take a step outside the CATV loops of TimeWarner and Comcast, or beyond the 5,000 foot radius from a local exchange carrier's central office. The Bush years have been years of profit taking, not innovation or investment.

August 17, 2008

The McCain Campaign Tech Policy

The McCain Campaign's policy people have put their stake in the ground. Here's how they frame the issues in the first paragraph:

John McCain has a broad and cohesive vision for the future of American innovation. His policies will provide broad pools of capital, low taxes and incentives for research in America, a commitment to a skilled and educated workforce, and a dedication to opening markets around the globe. He’s committed to streamlining burdensome regulations and effectively protecting American intellectual property in the United States and around the globe.

The full text is here.

I look at this as the ideas of Mike Powell and Meg Whitman, and a lot of unimportant wordsmithing, and recently I wrote something similar for a down-ticket candidate. You, or One, or I (isn't voice fun) tries for ideas that matter, and then try to connect the dots, for the staff of a candidate who needs clue, e.g., to make effective calls to the Dem major contributor lists for area codes 415, 408, 650 and 831. The ideas in Mike Powell's and Meg Whitman's tech policy piece are surprising ... in their absence.

Western Union Telegraph Company v. The Commonwealth of Pennsylvania, 128 U.S. 39, contains an idea that matters -- that states may not tax interstate telegraph messages. Of course, credit for that idea goes to Chief Justice Melville Fuller, who wrote the decision in 1888, and "policy" is a cognate for "tax".

It is an interesting piece of writing, and it may achieve the probable political goal of making technology a non-issue in the campaign.

Note well that Obama's tech plan (like McCain's) is silent on warrantless spying. A vote for either is a vote for that.

Other reviewers: Susan Crawford at circleID, Kevin Werbach, also at circleID, David Isenberg, also at circleID, and Harold Feld at wetmachine, Matt Stoller at OpenLeft, which I include just to show that a lack of seriousness in an otherwise smart guy isn't good politics or good policy.

See also Kevin Werbach's post and Michael Powell's reply to Kevin Werbach.

Update: A revised version of this is up at CircleID.

August 12, 2008

The "War" that was just "Me Too!"

I've posted this at circle.wabanaki.net.

August 03, 2008

Fast Flux Justifies ...

Someone wants to modify registrar and registry contracts to require 24/7 staffing. The supporting claim for this is that the incremental cost of round-the-clock staffing to correctly handle domain take-down demands from just about everywhere and just about anybody in just about any language without liability to the registrar or registry operator is zero.

Yes. According to the ICANN "Business Constituency", the incremental cost in going round-the-clock with complex problem capable staff is zero. Clearly we are paying way too much for swing and night shifts.

Someone else wants registrars to cease serving registrants using "consumer grade" addresses. If you're not using a FOO-approved colo-provider in a BAR-approved address block, you can kiss that web site goodbye.

Yes. According to the ICANN "Security and Stability Committee", it is in everyone's best interests if devices attached to "consumer-grade networks" don't actually work, except as sinks for trusted flows of data. The sources of trusted data won't be *nix boxes on subscriber loops, because (I kid you not) the majority of boxes on subscriber loops run an inherently insecure operating system product (correct), and the best available means of discriminating between criminally repurposed network-attached computers and non-repurposed network-attached computers to ban subscriber networks is not to discriminate between criminally repurposed and not repurposed devices, but to ban them all (incorrect).

Note well: The "security and stability" part of the internet under ICANN's purview that is directly affected by "fast flux" is ... zero. But that doesn't dampen anyone's enthusiasm.

Someone else (that's a logical "else", it could in fact be the same lobbyists) wants domain registrations to provide complete and accurate identification for all registrants of domain names, which would then be available to anyone, in particular, the robots who scrape registrar WHOIS data.

Another policy gem from the best minds of the ICANN "Security and Stability Committee". Never mind that we've had the what-to-do-about-WHOIS problem for seven years or so. Definitely a locusts-and-plague thing.

Then there's the gem of a proposal, which you'd think could only come from someone who thinks ICANN is government, rather than someone so "inside" s/he's a member of the GNSO Council. ICANN should have a policy solution for criminal use of the DNS. All criminal use?

The upside is that "terrorism" is no longer on the Mandatory To Recite list, which I think is the only proof available that time has passed in the movable circus that orbits Admiralty Way in Marina del Rey.

I'll have to look at the budget and move that we registrars zero out the SSAC part of the budget, or divide it up between the Constituencies so we can hire "experts" not brain-dead ab initio. At the moment the SSAC is behaving like Mamluks running riot in Egypt. Dog alone knows what the "Businesses" are whose interests are advanced by ICANN's Business Constituency within the GNSO.

August 01, 2008

Police up after that residential drop

I was amazed to find myself today in a policy discussion (ICANN context) where the "enforcement" interests actually want ISPs to filter (drop) HTTP requests into "residential" addresses. These same "enforcement" interests would also like ICANN accredited registrars and registries to filter (drop) domain name management requests (usually via webform or email or fax or phone) that would associate a domain name with an address in an ISP's "residential" address blocks.

The rationale is the same as the usual DoJ cant, minus the pseudo-terrorism -- child porn, phish, and the rock star of the moment -- "fast flux".

It is wicked odd that the "security profession" is fixated on shutting down web servers on residential loops. I keep expecting my mom to sweep in and say "It is not, I repeat NOT the policy of the Department of Defense, the National Science Foundation, or those nincompoops over at Commerce, to build out a resilient multi-carrier settlement-free packet network simply to shut down residential mimeographs."

July 29, 2008

Three seconds over Tokyo

I had meetings today, about what to do with the http spec, something to do with dns operations, something more to do with domain names that appear to allow encodings other than ASCII (but really not, it's a presentation layer illusion), and one on getting DNSSEC operational for ccTLDs. The last one was a small meeting, and afterward someone offered to show the cache poisoning attack. Two laptops, one running a recursive server, one running the cache poisoning attack. No external connectivity so no risk of spread, and to make it simple, the server listened on only one port.

Time from start to finish ... three seconds. Non-optimized code. Loops not unrolled, interpreted code, etc. Speeding it up by a factor of 3 trivial.

Update: It's live in the wild.

July 25, 2008

King Lincoln Bronzeville v. Blackwell

Last week something happened. Stephen Spoonamore spoke in the question of the 2004 Ohio ballot tabulation. I'd hoped to get a chance to meet him, but my week was hijacked by post-ICANN work, pre-IETF work, and goD forbid, work-work. Oh! And a birthday!! Kezzie is 6!!! Next week is IETF, so other than secret meetings of the DNS cabal or the arabic script literacy posse, and a meeting I set up this week, next week is toast. Still, what happened is significant. Here are the technorati links to blogs that mention Stephen Spoonamore, including Susie at Suburban Guerrilla, which caught my eye, and TChris at TalkLeft, where Jerelyn's been on Diebold from the beginning.

The story has legs, and BradBlog is doing the leg work the journamalists are only too happy to miss. The kids and I walked past the OSU J-School today on an errand at the Near East and African department offices, by way of the Math Dept., and I actually felt pity for the smug, self-contained children who elect to attend the J-School. Kids for whom the troll in Spoonamore's allegorical box always gives the correct ballot tabulation, and ponies too.

If you want to start reading the case material, start here at the Moritz election law site with King Lincoln Bronzeville v. Blackwell. I am.

Of course, something happened this week too. It may be an interesting weekend, and I'll be at the IETF at the dnsops wg meeting, though not the dnsext wg meeting, and that should be about as educational as anywhere else I could be.


File under: Election Law Litigation

July 23, 2008

Gigataps at the Exchange Points

In yesterday's conference call someone joked that we should stop using skype "so the Americans couldn't listen in".

After the obligatory "which American" (I'm the only North American on the ExCom calls) and the laughter I said "I hate to break this to you but Verizon's got exchange points in Europe and we know there are gigataps in all the North American Verizon exchanges with black backhaul to parts unknown, so ..."

There was silence, then some "ah shits" and more laughter. But I expect we're going to go crypto soon.

R U Random Enuf?

DNS-OARC is providing a Web-based DNS Randomness Test, which no one in the blogosphere (y! sctp!) is likely to notice, so I've lifted the bits that work.

testmydns.png

See this for details, such as how to interpret POOR, which, as of this morning, is what the TimeWarner/RoadRunner DNS infrastructure is reported as, for source port randomness.

July 22, 2008

Recursive DNS server vulnerability

The cat is out of the bag. Things may be different, depending on what recursive DNS server you use.

Dan Kaminsky's upcoming presentation at Blackhat (in August) has been leaked by someone with a better idea on how to manage really bad things involving lots of vendors and operators.

The CERT cite is "VU#800113 Multiple DNS implementations vulnerable to cache poisoning".

For those not listening,

we can infect a name server in 11 seconds now, which was never true before

July 14, 2008

Technical Coordination

In an exchange of notes in the past 48 hours, in response to a query by the Asia-Pacific Top-Level Domain manager (in New Zealand) for additions to his list of Arabic Script Languages (languages that use the arabic script, which includes Arabic, Persian (Farsi), Urdu, Sindhi, Kurdish, Baloochi, Pashtoo, Jewi (also "Jawi"), Azarbaijani, Swahili, Dari and Tadjik), the IT manager for Office of the National Security Council (NSC) Presidential Palace, Kabul, Afghanistan wrote to point out that Dari and Pashtoo use some extra characters to be added beside the Arabic Scripts. In response, the Arabic Script IDN Working Group chair, in Pakistan, using the idna-arabicscript at invalid.irnic.ir (address slightly modified to prevent spam), hosted in Iran, asked for details, which promptly came from Afghanistan Computer Science Association (ACSA), in the Ministry of Communications, Floor #: 13, Kabul, Afghanistan.

Afghanistan, Pakistan, Iran, easily coordinating. Don't tell Fox and Friends.

My part of this is African languages (about which I know only enough to ask African language users) that use Arabic script, such as Wolof in Senegal.

It's an interesting list; I'm forced to actually read Arabic (range 0600-06FF), Arabic Supplement (range 0750-077F), Arabic Presentation Forms-A (range FB50-FDFF) and Arabic Presentation Forms-B (range FE70-FEFF), and recognize characters in the Arabic language, and in languages other than Arabic that use Arabic script (particularly those that have extensions not correctly characterized in Unicode 5.1 / ISO 10646 mumble, or not present (yet)).

Next after is the hideous wreckage inflicted by Xtian missionaries in Africa, a whole bunch of International Phonetics symbolic rubbish added onto the Xtian-familiar Latin character set. Every Xtian had his or her own idea of the perfect notational form ...

July 13, 2008

Atoms for Peace

At the Paris ICANN meeting two weeks ago the policy body responsible for the generic namespaces, that is, for governing (or the reverse) Verisign's .COM and .NET franchises, and the rest of the competitive commercial registries, and the registrars, voted to "form a Working Group of interested stakeholders and Constituency representatives, to collaborate broadly with knowledgeable individuals and organizations, in order to develop potential policy options to curtail the criminal use of fast flux hosting."

The authoritarian principle is simple -- all "fast flux" is illegitimate, unless it is done by Akamai or some other miscreant that uses the DNS to reduce the cost of operating a wicked big raised floor facility, or by the military trying to do "agile hosting".

Except that there are other users of the DNS than criminals, corporations, and crowns.

I'm mulling over the claim that the technique allows evasion from authoritarian regimes. That there is a significant civil society requirement for persistent names which are resistant to attempts to modify or delete them -- names like "burma-needs-a-change.mm" or "iraq-for-the-iraqis.iq" or ... "we-blame-rehnquist.us".

As absurd as it may seem, what I do about this matters, and I've already written a "restatement of sorts" (pun intentional) to point out that the problem scope is poorly stated, because the problem isn't "agile hosting" by guys, good, bad, or simply ugly.

July 11, 2008

SPAM and ICANN

Spamunet.gif

While Lambert asks Whither Progressive Blogosphere 2.0?, I'm oddly interested in the relationship of spam to the federal executive service. Neil Suryakant Patel interests me.

Last March the former assistant general counsel at UUNET Technologies was nominated for the position of Assistant Secretary for Communications and Information at the Department of Commerce. In ICANN-speak that means head of the NTIA. In FCC-speak that means head of the digital TV roll-out. Plus some other stuff, like wiretap.

Knowing as we do, now (and then) that post-USENIX, the UUNET trajectory (acquired by MFS, acquired by WorldCom, merged with MCI, acquired by Verizon) was fueled by dotBomb finance and spam (until well after the Verizon acquisition), just what is the point in handing over the DoC's Communications and Information AS job to the guy who did e-commerce, internet taxation, and internet security and abuse for UUNET, particularly when we know UUNET's policy during his tenure as the go-to person was to ignore abuse reports?

Seriously. Just what part of "e-commerce, internet taxation, and internet security and abuse" is useful or relevant to the political, policy or operational aspects of domestic and international telecommunications and information policy activities?

What part of lobbying for "e-com" and "no taxes" (ignoring the "no security or abuse rules" bits) is useful or relevant to the Federal use of the electromagnetic spectrum or the performance of telecommunications research and engineering or the resolution of technical telecommunications issues for the Federal government and private sector or the administration of infrastructure and public telecommunications facilities grants?

Less than a quarter of all SMTP traffic is something other than spam, and the nominee to head the NTIA is one of the many who made his way in business as an Environmental Polluter -- one whose business model is designed to benefit by gathering revenue for management and the shareholders while imposing on others the economic losses arising from polluting operations.

Then there's the minor problem that the nominee is one of Dick Cheney's staffers. First as staff secretary then as a domestic and economic policy adviser.

With all the abuse models currently operational, phishing, fast-flux networks, botnets on a vast scale, spam over mail, spam injected into blogs, ... just what do you imagine is the future Assistant Secretary for Communications and Information at the Department of Commerce's instruction, via the National Telecommunications and Information Administration (NTIA), to the Internet Corporation for Assigned Names and Numbers (ICANN), pursuant to the Joint Project Agreement (JPA) between the United States Department of Commerce and ICANN, if UUNET's abuse guy is confirmed?

It's weird that just about everyone I know professionally appears to be more qualified than the current nominee.

July 09, 2008

US-CERT Technical Cyber Security Alert TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning

This dropped into the mailbox yesterday evening, so I picked up the fix and installed it on the NS set I run. If the "cyberdefense" weenies in the Air Force and the Department of Heimat Security were worth the workfare, they, not Dan Kaminsky and Paul Vixie, would be in the find-to-fix loop.

Anyway, this is what the real thing looks like.



National Cyber Alert System

Technical Cyber Security Alert TA08-190B


Multiple DNS implementations vulnerable to cache poisoning

Original release date: July 08, 2008
Last revised: --
Source: US-CERT


Systems Affected

Systems implementing:
* Caching DNS resolvers
* DNS stub resolvers

Affected systems include both client and server systems, and any other
networked systems that include this functionality.


Overview

Deficiencies in the DNS protocol and common DNS implementations facilitate
DNS cache poisoning attacks. Effective attack techniques against these
vulnerabilities have been demonstrated.


I. Description

DNS cache poisoning (sometimes referred to as cache pollution) is an attack
technique that allows an attacker to introduce forged DNS information into
the cache of a caching nameserver. The general concept has been known for
some time, and a number of inherent deficiencies in the DNS protocol and
defects in common DNS implementations that facilitate DNS cache poisoning
have previously been identified and described in public literature. Examples
of these vulnerabilities can be found in Vulnerability Note VU#800113.

Recent research into these and other related vulnerabilities has produced
extremely effective exploitation methods to achieve cache poisoning. Tools
and techniques have been developed that can reliably poison a domain of the
attacker's choosing on most current implementations. As a result, the
consensus of DNS software implementers is to implement source port
randomization in their resolvers as a mitigation.

US-CERT is tracking this issue as VU#800113. This reference number
corresponds to CVE-2008-1447.


II. Impact

An attacker with the ability to conduct a successful cache poisoning attack
can cause a nameserver's clients to contact the incorrect, and possibly
malicious, hosts for particular services. Consequently, web traffic, email,
and other important network data can be redirected to systems under the
attacker's control.


III. Solution

Apply a patch from your vendor

Patches have been released by a number of vendors to implement source port
randomization in the nameserver. This change significantly reduces the
practicality of cache poisoning attacks. Please see the Systems Affected
section of Vulnerability Note VU#800113 for additional details for specific
vendors.

As mentioned above, stub resolvers are also vulnerable to these attacks.
Stub resolvers that will issue queries in response to attacker behavior, and
may receive packets from an attacker, should be patched. System
administrators should be alert for patches to client operating systems that
implement port randomization in the stub resolver.

Workarounds

Restrict access
Administrators, particularly those who are unable to apply a patch, can
limit exposure to this vulnerability by restricting sources that can ask for
recursion. Note that restricting access will still allow attackers with
access to authorized hosts to exploit this vulnerability.

Filter traffic at network perimeters
Because the ability to spoof IP addresses is necessary to conduct these
attacks, administrators should take care to filter spoofed addresses at the
network perimeter. IETF Request for Comments (RFC) documents RFC 2827, RFC
3704, and RFC 3013 describe best current practices (BCPs) for implementing
this defense. It is important to understand your network's configuration and
service requirements before deciding what changes are appropriate.

Run a local DNS cache
In lieu of strong port randomization characteristics in a stub resolver,
administrators can protect their systems by using local caching full-service
resolvers, both on the client systems and on servers that are topologically
close on the network to the client systems. This should be done in
conjunction with the network segmentation and filtering strategies mentioned
above.

Disable recursion
Disable recursion on any nameserver responding to DNS requests made by
untrusted systems.

Implement source port randomization
Vendors that implement DNS software are encouraged to review IETF Internet
Draft, "Measures for making DNS more resilient against forged answers," for
additional information about implementing mitigations in their products.
This document is a work in progress and may change prior to its publication
as an RFC, if it is approved.


IV. References

* US-CERT Vulnerability Note VU#800113
* US-CERT Vulnerability Note VU#484649
* US-CERT Vulnerability Note VU#252735
* US-CERT Vulnerability Note VU#927905
* US-CERT Vulnerability Note VU#457875
* Internet Draft: Measures for making DNS more resilient against forged answers
* RFC 3833
* RFC 2827
* RFC 3704
* RFC 3013
* Microsoft Security Bulletin MS08-037
* Internet Systems Consortium BIND Vulnerabilities

____________________________________________________________________

US-CERT thanks Dan Kaminsky of IOActive and Paul Vixie of Internet Systems
Consortium (ISC) for notifying us about this problem and for helping us to
construct this advisory.
____________________________________________________________________

The most recent version of this document can be found at:


____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA08-190B Feedback VU#800113" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit .
____________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:


____________________________________________________________________


Revision History

July 8, 2008: Initial release



I suppose I should also disclose that the CERT came about to close the gap between what was known in the civil operations community and what was unknown in the military operations community.

July 02, 2008

Viacom v Google

Google's position on the issue of whether end-point identifiers (the IPv4 addresses of computers that access their content) identify persons, at least its position as represented in its Are IP Addresses Personal? post of February at googlepublicpolicy.blogspot.com, is ...

We ... are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot. The policy debate about data protection and IP addresses will continue, but it’s important to have a firm grasp of the technical realities of the debate in order to reach conclusions that make sense.

Alma Whitten, Software Engineer


... lacking a firm grasp of the technical realities of the debate and reached a conclusion that made sense to Louis L. Stanton, who just happens to be the jurist hearing the case in which Viacom alleges violations of the Copyright Act of 1976 (17 U.S.C. § 101 et seq.) by Google in the Southern District of New York. Judge Stanton ruled yesterday that Google must provide Viacom:

all data from the Logging database concerning each time a YouTube video has been viewed on the YouTube website or through embedding on a third-party website

Something to remember every time you click on a YouTube embed (I'm going to take all of them out of our archives, 'cause people still do read Wampum, not just robots), or engage in happy happy social networking, or go kumbaya! with the Unity Pony posse, who look to be a partially disrobed and hairy crowd chasing an inelegantly naked person mounted on a lame horse.

Here's the ruling: Viacom v Google

Oblig note: I contribute to the W3C's PLING list, the successor to the W3C's Platform for Privacy Preferences (P3P) Project, to which I was a contributor, and in particular, on the very issue of an IPv4 address being personal data, or tending to identify a person, or being personally identifying information, or ... I advocated that even three out of four octets of an IPv4 address was sufficient to identify an individual.

Obviously, I think data correlation is possible. The problem is not the instantaneous present, it's the correlates past, present, and future. But Google bought DoubleClick, and I worked for Engage, the less successful, non-deterministic, aggregate behavior profiling on-line ad network company.

Anyway, all your data is Viacom's, and anyone else's they shop it to. Click on, dudes!

June 30, 2008

post-ICANN

I missed Jerome à Paris, who blogs at European Tribune. I was going to swap Internet Policy up close and smelly with Eric's annotations for some time on the subject of financing off-shore wind projects, which he's actually pulled off.

After our last meeting Elmar, Werner and I use the VeloLib system to rent bikes and cycle away from the local landmark (Montparnasse Tower in high definition ugliness) towards a distant landmark (Eiffel Tower), and return, where Werner leaves for Geneva. Then Elmar and I continue in another direction, resolutely towards the Seine, passing the Sorbonne and dropping in by accident on the largest legal research library in Europe, where we two are allowed in the back way to the reading room, the Arab Institute and finally Notre Dame, where we rack our rentals and sit for a beer while the sun sets.

Metro back and final goodbyes, Elmar to Dortmund and I to ... the Indians Fire, now joined by the Basin Fire Complex.

When I left for Paris, the Indians Fire (a place in the Santa Lucia Mountains, between the Big Sur Coast and the Salinas Valley, where I've spent time as a boy) was 35,000 acres and when the prevailing upper level winds took the smoke plume over King City, we'd no shadows at mid-day.

That fire is now twice as big, there are fire evacuees in our camp, and another fire that started five days ago during a lightning storm, at the Big Sur Coast, is now 30,000 acres, and the two fires are probably going to join in a day or two. Many places I've camped in or hiked in or fished in as a boy are burnt already or will be burned in days. The Tassajara Zen Center will probably burn.

The air in the central coast is grey, the outline of the nearest hills is indistinct. It is unhealthy to breathe so we're going to move camp Tuesday or Wednesday.

The English expression is "where there is smoke, there is fire". The flames can't be seen, but the smoke plumes from the Indians and Basin fires sure can be.

I feel like I've come home to ... a global warming daymare. However, the kids are happy to see me and MB is excited to be paid senior staff for a campaign that (finally) has a chance, a good chance, of winning, and I've got a ton of work to do.

ICANN day 5

The day begins with the Good meeting the Bad. The At Large Constituency (ALAC) briefing the Registrar Constituency (RC) on their planned "Summit", which if funded would bring lots of people from the hundred-plus Internet Society chapters and similar "at large" but not otherwise "stakeholders" in ICANN, and begging us wealthy, miserly, penny-pinching Registrars for funding, or a nod of approval.

The irony is that the real reason the RC votes to cut ICANN funding for travel isn't because the RC is opposed to funding travel by non-funded participants to ICANN meetings, but because we can't find a way not to be paying the business class air fare and five star hotel costs of the Intellectual Property Constituency (IPC), the so-called Commercial and Business Users Constituency (CBUC), and the so-called Internet Services Provider Constituency (ISPC). The latter three are wicked non-poor and the cross-correlation of their voting patterns is in the high 80 percentiles, which is a polite means of observing that the issues advanced by commercial and business entities and network operators at ICANN are profoundly unlikely to be unrelated to intellectual property. They get snippy when we use the C word, "captured", or the S word, "shells".

Anyway, whether the venue is Cairo or Mexico City, I used my mic time to ask the organizers to bring more than just "policy" to the event, but that they make an effort to help identify the requirements for scripts their communities use, and send that data to us, then I flit off to the "IDN Workshop".

The close of the day is the open mic, which I actually manage to pass on this time, followed by the Board voting on things decided well before the open mic period.

Structural reform from the multi-stakeholder form (Ira Magaziner's leprous legacy) to contractual parties and non-contractual parties, with the voting not changed or slightly changed or more than slightly changed from the present balance of powers (see Good, Bad, and inferred Ugly, above) passes in part, and the new gTLD process passes.

June 25, 2008

.paris

The evening event is the gala at the Hôtel de Ville, and while transport through the Metro has been organized, we take a cab and end up with a former Tsahal intel operative and a former South Lebanon Army operative chattering happily about old times in the front seat, while Amadeu and I head to an event whose outcome we do not yet know ...

The Hôtel de Ville is impressive, and despite having brought the wrong ticket, I'm let in, my ticket being the equivalent or more exclusive (in spite of the fact I'd given it away and unaware I'd two of the precious things or that I had the wrong ticket). Mirrors, flags and so on. We work our way towards the front and the acoustics are amazingly bad. The French is "wao wao wao wao", then the translation in English is "wah wah wah wah", but eventually I can lip-read and some of the text is intelligible.

Charles de Gaulle spoke here upon the liberation of Paris from the Nazis in 1944. Fortunately, he had a mic and his speech was recorded. It is what should be taught, not The Little Prince. Imagine having a president who didn't merely speak intelligibly, but was more than just glib rhetorical moments. It is the "I have a Dream" voice and text for the French.

Then the moment. Jean-Louis Missika, deputy mayor for innovation, announced the city's official support for .paris. We'd done it. Sebastian for Paris, Dirk for Berlin, Amadeu for an as yet unidentified city, we'd gotten the city TLD model an actual face. As early as that morning we'd not known if that phrase would be in the text. Champagne was served and while Germany and Turkey contested the field of honor on the wide-screens just outside the hall, along with most of the attendees, Amadeu and I just sat on the now-empty stage and chatted with friends working on cities or linguistic and cultural proposals or watched the "ICANN kids" play act the capture of Paris by Pyrates.

At some point I got pulled off for 15 minutes of fame on Catalan video and gave a surprisingly good television interview. I'd no idea I was actually presentable and comprehensible. The subject was the .cat cultural and linguistic TLD, and my crimes were having written the original sponsor TLD paper, the ancestor of .coop, .aero and .museum, and having been the CTO of the .cat proposal, at least on paper, at least as far as ICANN and other Catalan sponsors were concerned.

ICANN day 4

Issues. Whether one brings the interests of a registrar, or a registry, today was issues. I cover registries for CORE, and as at LA and Delhi I participated in this agenda. At the end of the day I'd a quarter of an hour scheduled in the registrar constituency meeting, where I talked about two technical issues. The first was the assumptions we had when drafting the Extensible Provisioning Protocol, a universe long past of six or so registries and sixty or so registrars -- an order of magnitude off on one axis, and in not very long, an order of magnitude off in the other axis as well. The second was the process consequence of having originated no technical requirements at all for a change in the mechanism currently used to present ASCII strings as non-ASCII characters.

Verisign, and in the registrar constituency, GoDaddy and Network Solutions, are the giants in the rooms.

June 24, 2008

ICANN day 3

I skipped the ccTLD Technical, I'd done that at Los Angeles and New Delhi, and my interest in ccTLD operational art is narrower now than it was then. Which are IPv6 ready, which are DNSSEC ready, which are offering the xn--hokeymumble.ccTLD form of "International Domain Names" (they turn into strings of Unicode glyphs in your browser, if you're lucky and easily amused), and so on. Instead I'd a series of meetings to vet the technical sense of proposals ...

In the afternoon I attended the Security meeting. In LA "frontrunning" was a big deal, but there was no evidence that it existed, which was amusing. In New Delhi the largest registrars announced that they were doing it "to protect the registrants" (ha!). Mercifully, now the subject areas were more concrete -- registrar impersonation by phishers and much more fun ... "the issues, unanticipated consequences, and security vulnerabilities that result when a name service provider intercepts a "non-existent domain (NXDOMAIN)" response and modifies that response to redirect the client resolver to an alternative IP address."

At the end of the day I was happy to give the rare invitation to cocktails at the Au Toit de La Grande Arche to a potential partner from one of the Celtic linguistic and cultural proposing groups. I was bushed after a day of meetings with new TLD proposants, some with more negatives than positives, some worth following up on. I'd dinner with Amadeu Abril y Abril and his wife Marta and Mar, their beautiful daughter, who could say "mama" and "dada" and "ola" and point to "ecce" (me) and point to herself.

25 years of DNS

On June 23rd, 1983, Paul Mockapetris and Jon Postel ran the first successful test of the automated, distributed Domain Name System.

June 23, 2008

ICANN day 2

The best part of the day was going over the character sets for the Ga language (Accra area of Ghana) and the Ewe language (elsewhere proximal to Ghana). The worst part of the day was listening to an independent reviewer construe the mission and purpose of the At Large Constituency as being best uncorrupted by having voting rights on the ICANN Board, and by their unsullied purity, the guardians of the public trust.

Never mind that the Board of Directors of a California 501(c)(3) public trust corporation have a dual trust duty, to the public trust and to the entity which the Board governs. Either California law no longer applies, something to task Jerry Brown now that he's AG, or the existence of a Vestal Virgin entitles the Corporate Senate to whore about with swine and wine.

Other bits of the day were (spear) fishing for registrars and stupid tricks ISPs are now using to add value (or why everything now points to a Yahoo! monetized ad page for users of several ISPs, Hughes Network included). Odd how "stability and security" of the Internet is recited like a meaningful mantra by ICANN staff whenever discussion turns to what-the-heck-is-going-on-with-internationalized-domain-names, while elsewhere, an inconsistent DNS is now the norm, not the exception.

Our perennial favorite was the new gTLD workshop, where staff again recited the process now another ICANN Freedman equivalent unit translated into the future, unless the IDN mess really blows up at the August IETF meeting in Dublin, see para supra, at which point IDNs are dead for the foreseeable future.

So, I'm now one half of the working group on Roman (and drug or doG crazed ("missionary inflicted" if you prefer) phonetic dingbat) character sets used by West African languages, in addition to being a contributor to the Arabic Script IDN Working Group. Thank goodness there's a bunch of university students in Accra who don't know that to me they look surprisingly like people with shovels standing proximal to where I imagine a ditch should be.

Pity my grands passed on, I could use some kitchen Scots.

June 22, 2008

Writing and Reading in Tehran

I spent the afternoon discussing Arabic scripts, something the Unicode Consortium created, which is to say, the scripts used to write Arabic language texts, Urdu language texts, and of course, Farsi language texts. Seated next to me was the operator of the Iranian domain registry, who, like me, did maths at Berkeley.

We were figuring out what is wrong with Unicode/IETF, from the point of view of the Awai script, which is used to write Malay, and which is mostly taken from the Unicode "arabic script" set of code points. Doing something constructive.

Meanwhile the papers are full of Likudnic/Cheney foolishness.

ICANN day 1

Theories of Auctions and Theories of Self-Interest

If the allocation mechanism chosen for strings proposed to be added to the IANA root as top-level domains, where two or more proposals exist for those strings, is "auction", is there a conflict of interest?

It may be if ICANN benefits from the proceeds, direct or indirect, of auctions.

If two or more proposals are made for a string, and one self-identifies as "community based", e.g., a cultural or linguistic community, and one (or more) of the "open" proposals is claimed by its author as bringing "more value to the DNS" (an undefined term), if being "community based" is not dispositive, then which proposal prevails? If a car manufacturer can bring "more value to the DNS" than some Jay Random Tribe(s) of Indians, should ICANN award the names of the Jay Random Tribe(s) of Indians to a car manufacturer?

Gaming the rules is a cottage industry in the domain name business.

Today was spent on the calculus of gaming, and by the bye, online privacy is toast.

June 21, 2008

ICANN day 0

You might think, after almost 8 years of study, debate, and so forth, we'd be done with WHOIS. We're not. Today we were churlishly reminded by the members elected to the GNSO Council (think "Hairspray" if you draw a blank) by "the Business Constituency" (a fraud that consists of three people and a dog), that privacy is frivolous, and that spam, porn, phish, and so on are what happens when WHOIS doesn't provide accurate data ...

At least we're no longer terrorists. The climate has slightly improved and the usual Federal Clowns aren't present doing dog-and-ponies on the mission of the moment.

The absurdity of it is beyond words. In a universe of 170,000,000 data points, what sample size is required to provide a degree of accuracy, and how much time to manually process each response, if a survey to determine ... oh, and no one actually has a hypothesis that can be tested, but the day when WHOIS is shut off is moved another several years into the future, so that "studies" can be done.

On one side of the table is the Intellectual Property Constituency, the (fake) ISP Constituency and the (fake) Business Constituency, all citing G-Men and boogie-men for why privacy is a very bad thing. What they really mean is they can't be bothered with tiered access, with proving a data request is reasonable, they just want access without restriction (just like the {spam | porn | phish | ...} sources, who harvest the same data from the same sources -- the one thing we do have useful stats for).

On the other side of the table are the evil, horrible, profiteering Registrar Constituency, the evil, horrible, profiteering Registry Constituency (I wear both hats), and the evil, horrible, profitless non-commercial and at-large Constituency.

Jean-Paul Sartre is buried just down the street. I suppose his being dead means he doesn't have to worry about his personal privacy, or spending time before going on to Soviet Hell (from an old IWW song my dad taught me) listening to pious cant about how WHOIS protects us from spam, porn, phish, and the next best exploit, while direct advertisers and Google accumulate and correlate personal data and monetize that "legally".

June 20, 2008

ICANN day -1

Today I'm attending the seventh meeting of Egeni, an ISOC France event. The schedule is for several round-tables on Internet Governance, and from my point of view what we're discussing is choice among several abstract models. The second round-table is futurologists competing for who can cast the widest net. The third round-table is about users.

What's missing? In round-table #1, where government and industry (in the form of the Chambers of Commerce) are present, labor is not. No one from CWA, the AFL-CIO, the ILO. It is a failing that the ILO is absent. There is a term for Capital and Government united -- Fascism. I suppose everyone just assumes that every communications worker, every coder, every keyboarder, every ... worker already has good wages and working conditions and health insurance and portable and safe retirements. There are no worker issues, and people without money simply have no use for data.

In round-table #2, where the lot of the future is cast (always an amusing diversion) there is no one from a handset vendor, or from an auto manufacturer (high end passenger cars now include 50 electronic control units, and the complexities of cable and harness integration in chassis construction is making these wireless). Oh Dog help me. Round-table #2 is rat holing into China firewall bashing and pedophilia. I could have stayed home and turned on the RNC technology show on CNN or Fox. I suppose hearing this in French is educational. The saving grace of this interminable boredom is a brief detour to post-apocalyptic Uganda by Fred Baker.

In round-table #3 where the users are the objects of discussion, but not actually present, no browser vendor is present.

We did what we called the catwalk (in honor of our starting .cat for Catalan) to talk about new gTLDs. On the "cakewalk panel" are Tijani BenJemaa for .med (the Mediterranean Union), my friend Dirk Kirchenowski for .berlin, Tom Lowenhaupt for .nyc and Werner Staub for several of our joint projects -- .bzh (Bretagne), .gal (Galicia) and .cym (Wales). I spoke about .nai.

May 29, 2008

Oh, NetSol... Comcast.... Let the finger pointing begin.

Some enterprising souls obtained Comcast's password for Comcast's Network Solutions account, leaving this note:

KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven

They also repointed the A record from 216.148.227.202 to 209.62.20.186.

Kevin Poulsen has a piece up at Wired, which has the inside skinny.

May 13, 2008

Some email from the wiretap-is-good camp

For reasons that pass understanding, I'm on Erick Erickson's "RedState" mailing list. Here's today's toast:



The "Blue Dog" Democrats are the conservative Democrats in the House of Representatives. Twenty-one of the Blue Dogs signed a letter to Nancy Pelosi on January 28th urging her to move the bipartisan FISA legislation forward.

The legislation would allow the government to eavesdrop on phone calls made outside this country to other people outside this country, but whose calls are routed through this country (the majority of international phone calls are routed through the U.S.).

The Blue Dogs said the FISA legislation should include targeted immunity for phone carriers who help the government stop terrorists.

While the Blue Dogs were willing to sign the letter to Nancy Pelosi, they have been unwilling to actually sign a discharge petition, which would bring this matter to the floor of the House without Nancy Pelosi's consent.

Below are the names and phone numbers of the Blue Dogs who talk a good game, but fail to act. Please call them and urge them to sign the discharge petition on H.R. 5440.



Phones of the BlueDoggies below the jump, and the RedDoggies who haven't signed the discharge petition too. All fun to ring and reason.

Continue reading "Some email from the wiretap-is-good camp" »

May 12, 2008

Conyers/Lofgren submit HR 5994

Not a bad draft, but see 28(a)(2) when combined with 28(d)(2) for potentially interesting unintended consequences. The use of "broadband" in this context is not how the term is used by network operators, designers and protocol developers, but it could be "democracy" or "virtue", so the abuse of language is not too absurd.



DISCRIMINATION BY BROADBAND NETWORK PROVIDERS

Sec. 28. (a) It shall be unlawful for any broadband network provider--
(1) to fail to provide its broadband network services on reasonable and nondiscriminatory terms and conditions such that any person can offer or provide content, applications, or services to or over the network in a manner that is at least equal to the manner in which the provider or its affiliates offer content, applications, and services, free of any surcharge on the basis of the content, application, or service;

(2) to refuse to interconnect its facilities with the facilities of another provider of broadband network services on reasonable and nondiscriminatory terms or conditions;

(3)(A) to block, to impair, to discriminate against, or to interfere with the ability of any person to use a broadband network service to access, to use, to send, to receive, or to offer lawful content, applications or services over the Internet; or

(B) to impose an additional charge to avoid any conduct that is prohibited by this subsection;

(4) to prohibit a user from attaching or using a device on the provider's network that does not physically damage or materially degrade other users' utilization of the network; or

(5) to fail to clearly and conspicuously disclose to users, in plain language, accurate information concerning any terms, conditions, or limitations on the broadband network service.


(b) If a broadband network provider prioritizes or offers enhanced quality of service to data of a particular type, it must prioritize or offer enhanced quality of service to all data of that type (regardless of the origin or ownership of such data) without imposing a surcharge or other consideration for such prioritization or enhanced quality of service.

(c) Nothing in this section shall be construed to prevent a broadband network provider from taking reasonable and nondiscriminatory measures--


(1) to manage the functioning of its network, on a systemwide basis, provided that any such management function does not result in discrimination between content, applications, or services offered by the provider and unaffiliated provider;

(2) to give priority to emergency communications;

(3) to prevent a violation of a Federal or State law, or to comply with an order of a court to enforce such law;

(4) to offer consumer protection services (such as parental controls), provided that a user may refuse or disable such services;

(5) to offer special promotional pricing or other marketing initiatives; or

(6) to prioritize or offer enhanced quality of service to all data of a particular type (regardless of the origin or ownership of such data) without imposing a surcharge or other consideration for such prioritization or quality of service.


(d) For purposes of this section--

(1) the term `affiliate' means--

(A) a person that directly or indirectly owns, controls, is owned or controlled by, or is under the common ownership or control with another person; or

(B) a person that has a contract or other arrangement with a content or service provider concerning access to, or distribution of, such content or such service;


(2) the term `broadband network provider' means a person engaged in commerce that owns, controls, operates, or resells any facility used to provide broadband network service to the public, by whatever technology and without regard to whether provided for a fee, in exchange for an explicit benefit, or for free;

(3) the term `broadband network service' means a 2-way transmission service that connects to the Internet and transmits information at an average rate of at least 200 kilobits per second in at least one direction, irrespective of whether such transmission is provided separately or as a component of another service; and

(4) the term `user' means a person who takes and uses broadband network service, whether provided for a fee, in exchange for an explicit benefit, or for free.', and

(3) by amending subsection (a) and the 1st sentence of subsection (b) of section 11 by striking `and 8' and inserting `8, and 28'.





When I find out who drafted this, and I think I already know -- someone I worked with building the first dial-up router in the 80's -- I'll add the credits.
http://thomas.loc.gov/cgi-bin/query/z?c110:H.R.5994:
http://thomas.loc.gov/cgi-bin/query/z?c110:H.R.5353:

May 05, 2008

US vs Arnold

The 9th Circuit just issued a ruling on a question I'm sure has been at the back of the minds of everyone from outside the police state who fly into LAX to attend ICANN meetings.


We must decide whether customs officers at Los Angeles International Airport may examine the electronic contents of a passenger's laptop computer without reasonable suspicion.

Surprise! The answer is YES! The text of the decision is here.

Elements of a Crime

Where in the following code fragment, does the possibility of a violation of US law lie, and what is the law possibly violated?


...
<option value="IR"

>
Iran (string in farsi, deleted because the perl/mysql interface is braindead)
</option>
<option value="IQ"

>
Iraq (string in arabic, deleted because ... )
</option>
...


This is better than wearing crypto on a t-shirt at an airport ... answer below the jump.

Continue reading "Elements of a Crime" »

April 19, 2008

Network Neutrality

The end-to-end list is experiencing a sudden discussion, one brought about by the lack of discussion. What is preventing innovation? Restarted, where does wicked abuse of incumbent monopoly power lie? In the network, where those evil ISPs make HuffPo load slower, if at all, than CNN and Fox? In the middle-boxen, where track-the-employee and every-last-eyeball value-add "deep inspection" measures every mouse nibble? Or in the end host systems, where a benign "Major Company" wisely controls a network stack (and the memory protection model we all know and love as the home of virii, spam, n'bots)?

Now all the people who answered (a), it's the wicked ISPs and would the FCC or Congress please pass a rule or a bill or something, can't read the following without also knowing the outcome of the research suggested is "no impact".

In the US and Europe at least, one Major Company that controls a network stack has been judged thoroughly and beyond appeal by the courts to have a legal monopoly, with the strong assertion that makes by definition about consequent market power. That *legal* position cannot be disputed.

It would take a stronger argument than a mere vague handwave by a computer scientist toward the word "competing interests" to convince most economists and lawyers that when such a company keeps its network drivers protected, proprietary, and engages in agreements with hardware vendors to "certify" their drivers and hardware, the playing field for competition enables easy implementation of anything in that dominant network stack.

Of course, computer scientists are welcome to their political opinions and dissent. But in science, dissent requires testable proof.

Thus, I propose that the next PlanetLab scale experiment on new system architectures be carried out, not with Linux, but with Windows Vista. And without any prior agreement with Microsoft that gives the researchers licenses and access to code and internal interface privileges that students in, say, Ecuador don't have.

Based on that test, we can ascertain whether the monopoly in legal fact has an impact on research freedom.


I wish I'd thought of this; I've been trying to convince people that "network neutrality" is just not in the same ballpark as monopoly in the O/S market.

April 13, 2008

Comparative Evaluation Criteria

When does the claim by privileged elites for an additional franchise to operate a namespace in the DNS root prevail over the claim of unprivileged non-elites?

This is a question that shouldn't have arisen, as the legislative body (and in the ICANN reform context we're now talking about the Generic Name Supporting Organization (GNSO) as a "legislative body", at least within ICANN), in the results of its working group on the subject, determined that where a community applied for a string, and one or more other communities applied for the same string, the breadth and depth of "community support" for each competing application would be objectively determined.

Somehow that comparative evaluation criteria where [warning: example use of "Cherokee"] "two factions claiming to be the Cherokee Community" (for large values of "Cherokee") both apply for .cherokee, who cannot accommodate compromise, say Ross Swimmer's community of vigorously uncolored "Cherokees" -- bleached water subsequently carried by Wilma Mankiller and Chad Smith, vs the United Colors of Benetton community of "Cherokees", has become this:

Comparative Evaluation Criteria : Assessing "added value" of a TLD

  • Categorizes a broad and lasting field of human, institutional, or social endeavor or activity
  • Represents an endeavor or activity that has importance across multiple geographic regions
  • Has lasting value
  • Enhances diversity of the namespace
  • Enriches broad global communities
  • Meets needs that cannot reasonably be met in existing TLDs
  • Enhances competition in registration services

So now we know that whatever the relative merits are of Chad's angry mob versus everyone else who's comfortable with accommodation around color and culture within a Cherokee Nation that isn't a racial farce, that if Verisign or NeuStar or Afilias or Google or ... claim they will (someday) realize the superior benefits made possible by their superior civilization capitalization and technology, that .cherokee (or whatever else should be expropriated, for the greater good, etc.) is theirs to enjoy.

Oddly enough, I wasn't the only one to point out to "staff" that they'd gone off reservation.

April 04, 2008

A reminder from a Common Raven

For over a year I and a bunch of IETFers argued the issues on the Raven List, and the result was RFC 2804 IETF Policy on Wiretapping. In a nutshell, after we tried to clear our heads of everything we believed about Anglo-American jurisprudence since Charles I was shortened by a head, we tried to come to grips with wiretap as a functional requirement in the architecture of the net.

From my perspective, as an OS geek, it amounted to a requirement that the allocators for threads, memory and scheduling set up not one flow-forwarding collection of resources, but a replication resource, the tap. Fair enough, an interesting problem, a kind of malloc() that had a (let's be sophisticated) lazily evaluated copy-on-write semantics to a second execution context ... so the data plane is done. But the control plane must perform both flow set-up, and independently, that is, independent from call set-up (viewing the target packet train within a potentially larger set of packet trains as a "call"), the call intercept.

The control plane requirement is for a means to over-ride any access control mechanism associated with any access restriction placed by the control plane, and priority over, and therefore more fundamental resource allocation primitives than, those contained in the data-path for flow set-up, forwarding and tear-down. If that last bit wasn't obvious (it wasn't to us, initially), think of trying to get a fully loaded box to start a tap on an existing flow. To succeed some resources have to be recovered from existing flows. Starting a tap has to slow down some calls, and just to make it more fun, the call to be tapped can't be in the set of calls to experience resource starvation, lest the tap be detectable directly from the tapped flow.

Oh. And that over-ride-all-protections and starve-the-innocents control and data plane capabilities have to be protected from misuse, because the Mob shouldn't be able to just hire CMU grads and conduct surveillance operations on the FBI ... or worse scenarios.

So politely, we opined in our collective judgment that "legal intercept" was unsound engineering.
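The resource argument in the paragraphs above is easy to state and easy to get wrong, so here is a small model of it in Python. This is an added example, not code from the Raven list, RFC 2804, or any real forwarding element: a Box with one fused resource budget, flows admitted by ordinary data-plane admission control, and a control-plane start_tap() that must find a replica's worth of resources without ever touching the target flow. All flow names and numbers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Flow:
    name: str
    rate: float           # forwarding rate granted to this flow (arbitrary units)
    tapped: bool = False  # a tapped flow is replicated, so it costs twice


class Box:
    """A forwarding element with one fixed budget (link rate, buffers and
    scheduler cycles folded into a single number). Constructed model, not
    real code from any router or OS."""

    def __init__(self, capacity: float) -> None:
        self.capacity = capacity
        self.flows: Dict[str, Flow] = {}

    def used(self) -> float:
        return sum(f.rate * (2 if f.tapped else 1) for f in self.flows.values())

    def free(self) -> float:
        return self.capacity - self.used()

    def add_flow(self, name: str, rate: float) -> bool:
        """Data-plane flow set-up: ordinary admission control, fits or is refused."""
        if rate > self.free():
            return False
        self.flows[name] = Flow(name, rate)
        return True

    def start_tap(self, name: str) -> Optional[Dict[str, float]]:
        """Control-plane intercept of an existing flow.

        The replica needs as many units as the target itself. Whatever the
        box's slack does not cover is recovered from the other flows in
        proportion to their rate; the target is never touched, because a drop
        in its rate would let the tapped party notice the tap. Returns the
        rate change imposed on each flow, or None when the constraint cannot
        be met at all.
        """
        target = self.flows[name]
        if target.tapped:
            return {f.name: 0.0 for f in self.flows.values()}
        shortfall = target.rate - self.free()
        # Already-tapped flows are off limits too: cutting them is just as visible.
        donors = [f for f in self.flows.values() if f.name != name and not f.tapped]
        pool = sum(f.rate for f in donors)
        if shortfall > pool:
            return None  # starving every donor completely would still not be enough
        deltas = {f.name: 0.0 for f in self.flows.values()}
        if shortfall > 0:
            for f in donors:
                cut = shortfall * f.rate / pool  # proportional starvation of the innocents
                f.rate -= cut
                deltas[f.name] = -cut
        target.tapped = True
        return deltas


def demo() -> Dict[str, float]:
    """Fully loaded box: 40 + 30 + 30 = 100. Tapping 'a' needs 40 more units,
    all of which have to come out of 'b' and 'c'."""
    box = Box(capacity=100)
    for name, rate in (("a", 40), ("b", 30), ("c", 30)):
        box.add_flow(name, rate)
    deltas = box.start_tap("a")
    assert deltas is not None and box.used() == 100 and box.flows["a"].rate == 40
    return deltas


if __name__ == "__main__":
    print(demo())  # {'a': 0.0, 'b': -20.0, 'c': -20.0}
```

The model deliberately has no notion of who is allowed to call start_tap(); that is the point made in the next paragraph, that a primitive which can override admission control and starve arbitrary flows is itself the thing most in need of protection.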


Abstract

The Internet Engineering Task Force (IETF) has been asked to take a
position on the inclusion into IETF standards-track documents of
functionality designed to facilitate wiretapping.

This memo explains what the IETF thinks the question means, why its
answer is "no", and what that answer means.


So the statement by John Brennan (link) is not just a political problem for those he successfully advises (Senator Barack Obama), but a technical problem for anyone with policy oversight over the National Telecommunications and Information Administration, within the Department of Commerce.


There is this great debate over whether or not the telecom companies should in fact be given immunity for their agreement to provide support and cooperate with the government after 9/11. I do believe strongly that they should be granted that immunity, because they were told to do so by the appropriate authorities that were operating in a legal context, and so I think that's important. And I know people are concerned about that, but I do believe that's the right thing to do. I do believe the Senate version of the FISA bill addresses the issues appropriately.

Shall the US data infrastructure be consistent with RFC 2804, or inconsistent with it, for non-technical considerations? It's a question you can vote on.

The image is from Orgone Lab, which looks like they'd be happy to sell my mom this blanket. I'd prefer something in a woodpecker with acorns.

April 03, 2008

NORTH AMERICAN INDIGENOUS (.NAI) overview

This is a two page overview of the NORTH AMERICAN INDIGENOUS (.NAI) proposal for a cultural and linguistic top-level domain in the current (ca 2008/9) ICANN new gTLD rounds. The original proposal for a NORTH AMERICAN ABORIGINAL (.NAA) to ICANN was drafted in 1999.

Background

This proposal is the continuation of the original North American Aboriginal (.NAA) proposal [1] for a "sponsored generic" top-level domain operated by a consortium formed by the original proposants -- the Nevada Indian Environmental Coalition, the Treaty 7 Tribal Council, the National Indian Telecommunications Institute, the Intertribal Council on Utility Policy, and the Western Abenaki of Maine, as a shared registry on a cost-recovery, tribal infrastructure development basis, with a core policy that registry data is a public resource, subject to tribal and other privacy limitations, held in trust for the indigenous public.


In the intervening decade the personnel, interests, and abilities of authors of the .NAA have changed, as have the consensus policies of ICANN.

Introduction

There are well in excess of 1,500 indigenous cultural and linguistic entities in North America. These range from the largest, the Navajo and the Cherokee, numbering in the hundreds of thousands of enrolled members (viewed as indigenous legal entities) and culturally and/or linguistically affiliated educational, cultural and linguistic institutions, groups, clans, extended non-clan kinship networks, and individual persons, to groups consisting of a very limited number of culture and language practitioners, to groups engaged in cultural and linguistic recovery, and even peoples adopting an existent related culture and language as their plan for cultural and linguistic survival.

In addition to these general purpose legal, cultural and linguistic entities, there are tens of thousands of individuals creating works of indigenous scholarship, teaching in and administering indigenous primary, secondary, and post-secondary academic institutions, creating works of classical and contemporary music, fine arts and crafts, the culinary arts, clothing, teaching indigenous languages and managing indigenous cultural and linguistic materials.

In addition to these contemporaneous sources of cultural and linguistic activity there are hundreds of thousands of archived documents, recordings, and objects, in holdings of various kinds, in the Americas, in Europe, Asia, and the Pacific, and hundreds, if not thousands, of archivists and archives.

Finally, consistent with our original purpose of creating a means for Indigenous Intellectual Property, also known as Traditional Knowledge, to become incorporated within the evolving quasi-legal ICANN system, and thereby protecting and advancing the interests of Indigenous peoples, implicit in our express choice in 1999 of the Mataatua Declaration, and our long history of work between Indigenous people in the Americas and the Pacific, the proposal includes "light the path" provisioning of indigenous resources for follow-on efforts in subsequent rounds of ICANN's evolving new gTLD process.

Why Generic?

The earliest effort to obtain any form of an indigenous namespace was the attempt by the late Dr. John Mohawk (Sotsisowah) to convince the late Jon Postel to create and delegate a namespace. This effort was doomed by Dr. Postel's choice to use ISO 3166, commonly called "country codes" (though many of its entries, then and now, are non-countries), to manage the task of making changes to the (pre-DNS) host tables. The next effort was a proposal by Mr. Eric Brunner-Williams to Dr. Postel to use X.121, which contains "continental codes", to allow non-national entry into the DNS root, prior to the establishment of ICANN, or ICANN's "new TLD" process of 1999-2001. The proposal died with Dr. Postel as the problem of determining the form and controlling authority of "the new entity", initially the International Ad Hoc Committee (IAHC) and eventually the Internet Corporation for Assigned Names and Numbers (ICANN), became controlling.

With the possibilities of a pre-generic alternative to a ccTLD exhausted, the focus of our effort became the ICANN gTLD, and we contributed to ICANN's Working Group C, authoring the "sponsored gTLD" model subsequently used by the proposals for .aero, .coop, and .museum in 2001/2002.

There are significant advantages to the "generic" TLD which are overlooked by applicants fixated on obtaining ccTLDs. These are:

  • direct immediate use of the ICANN accredited (gTLD) registrars
  • indirect immediate use of multiple ccTLD registrars via a "public interest (ICANN accredited) registrar"
  • stability of contractual relationship with ICANN
  • the "consensus policies" of the GNSO
  • insulation from government(s)

The offset is the application cost, and the ongoing presumption that Verisign's for-profit business model, copied by Afilias and NeuStar, serves all uses of all namespaces.

Education

Educational institutions, from child-care to Haskell Indian Nations University, the entire gamut of pre-primary, secondary, and post-secondary academic institutions, will use the namespace for their institutional names, their teaching faculty and non-teaching staff, their students and alumni. Implicit in the use of a namespace is literacy, both in the languages of the dominant culture, and in the languages of the students, whether an indigenous language is their first or subsequent language, and our fundamental goal is to preserve and increase indigenous textual literacy, using ASCII, extended ASCII, Inuktitut syllabics, and Cherokee syllabics.

Cultural

Cultural institutions, museums, galleries, ateliers, individual artists, and cultural objects will also use the namespace.

Linguistic

Language standardization committees, preservation projects, writers and oral traditionists (story tellers), and works within the written and oral traditions will also use the namespace.

Non-Indigenous Use

Indigenous people and their cultures and languages co-exist with settled immigrant people and their cultures and languages. Indigenous schools purchase textbooks from specialist educational publishers. Indigenous museums and galleries purchase insurance policies. Much of Indigenous economic activity has consumer or producer dependencies with settled immigrant economic activities. Where the locus of non-indigenous use of the namespace is to maintain and develop the cultural and linguistic interests of an indigenous community, or their economic interests, that use will be encouraged.

Technical

During the first five years of operations, the provisioning side will be carried out using the CORE registry fabric in Europe and the publication side will be carried out using the DNS and WHOIS constellation of WAMPUMPEAG (Western Abenaki of Maine), supplemented by additional DNS constellations, e.g., ISC, PCH, etc. During the second five years of operations, both provisioning and publication will be carried out from facilities within North America.



[1] A Position Paper on some new gTLDs


Your comments are sought. You know who you are.

April 02, 2008

Khmer and Tibetan

Are any of Wampum's readers also readers of Khmer or Tibetan?

March 27, 2008

The base price

Effective October, the price for names ending in .com will be $6.86, and for names ending in .net the price will be $4.23.

That doesn't include any additional fee to ICANN, nor the registrar mark-up, or mark-down where overcharging for hosting packages provides the offset.

March 06, 2008

The Anti-Phishing Consumer Protection Act of 2008

Reading S.2661 is depressing. Here's the worst crud from the "Findings". I put a call into Olympia Snowe's Portland office this morning.

(2) Phishing e-mails are becoming more sophisticated by having malicious spyware attachments that once opened covertly record the keystrokes and passwords of computer users, or install malware software.

Keystroke logging software developed by the Federal Bureau of Investigation is pervasively deployed, and is "not detected" by commercial anti-virus software. As we mentioned in RFC 2048, building wiretap into the network, at the physical forwarding elements or at application layer filtering, which is what anti-virus software is, creates an exploitable mechanism for uniformed and non-uniformed criminals.

(6) The United States is consistently 1 of the top 3 countries that host the most phishing websites. In November 2007, the United States hosted approximately 24 percent of phishing websites.

This is a baffling factoid. There are 150m second-level entries in the global namespace, 70m are in .com, 10m are in .net, so half the global namespace is published by VGRS, and easily half of the A records published by VGRS resolve to IPv4 addresses in blocks allocated by ARIN, so one could just as well have written "Verisign" as "United States", and then relied upon existing contract, rather than ignoring existing contract, involving the DoC, the NTIA, ICANN and VGRS.

(7) A form of phishing known as `Spear Phishing' targets companies and government agencies to gain unauthorized access to their computer systems in order to steal financial information, trade secrets, or even top secret military information.

The final example is masquerading as a trustworthy entity, using socially engineered payloads against specific targets, to acquire valuable information, usually usernames, passwords and credit card details; "top secret military information" is reasonable here if you believe that DISNET is connected to MILNET, and MILNET to "the Internet", and that each connection is a policy-free (non-filtering) gateway.

When I ran SRI's largest internal (and external) network, I'd one of the seven MILNET to ARPANET mail gateways in my shop. Neither MILNET nor ARPANET (modernly "the Internet") were classified networks. In the basement was a SCIF, on DISNET. I once "broke" the ARPANET by adding subnets for a Usenix meeting. That got me a same-day call from the ARPANET NOC at BBN. If I'd connected my DISNET node to either my MILNET IMP (modernly, router) or my ARPANET IMPs (ditto), I'd probably still be inside Leavenworth.

Whoever wrote the final cherry on that slice of pie was either plain ignorant or interestingly dishonest.

I've probably tossed them by now, but back when I hosted Barry's Amptoons his URL earned several multi-hundred node DDOS attacks, and I was always amused to find military assets, pwned of course, in the logfile of each attack. Calling their owners was always good for a laugh.

(9) Phishing operators utilize deceptive domain names for their schemes. They routinely register domain names that mimic the addresses of well-known online merchants, and then set up websites that can fool consumers into releasing personal and financial information.

This mixes two issues, to the loss of sense of both. The appearance of a domain name in the payload of some phish isn't the same thing as the actual domain name. This is why, when you look at a phish payload you often find that Sears or Bank of America appear to be operating out of Russia, the Ukraine, and China. The problem is "HTML-enabled" email. It makes pretty, and it makes hiding all kinds of neat toys, from web beacons that disclose every reading of a payload by an "HTML-enabled mail reader", to the bones of every phish.

The other issue is what is really at play in S2661. Trademark. This is more overtly discovered in the 12th Finding:

(12) Deceptive domain names, and the abuses for which they are used, threaten the integrity of domain name system. Businesses, small and large, rely upon the integrity of the domain name registration to ensure that their brands aren't misrepresented. The World Intellectual Property Organization reported in April 2007, that the number of Internet domain name cybersquatting disputes increased 25 percent in 2006.

Remember, you got here because the Peoples Liberation Army or someone is spear fishing in the third deck of E-ring, the SCIF that houses the secure-side of the office of the SecDef, the senior staffers of the OSD, and all the happy campers awaiting the return of Donald Rumsfeld. Where you're about to go to prevent this critical disclosure of "top secret military information" is ... a bunch of Intellectual Property lawyers in Geneva (I'm actually going there next week, not just to Geneva, but to the World Intellectual Property Organization) and a more accurate WHOIS database.

That's sure to foil the PLA, the KGB, and reverse Global Warming too.

I'll cover other parts of this gem in the near future. I operate an ICANN Accredited Registrar, one with its operational facilities in Portland and Bangor. The pointy end of S.2661 is aimed at Registrars, apparently because we either control the PLA, the KGB, and the melting point of ice, or because Markmonitor is using Olympia Snowe's office for marketing.

Markmonitor is big on phish. They're the registrar of record for verizon.com. Some of us registrars would like them to take down that domain as we know there is criminal conduct going on there. Phishing on a continental scale.

Techno bits

I'm upgrading the wampumpeag servers to the RELENG_7 tag, which is the fancy I-build-it-myself way of saying "Yippee! FreeBSD 7 went GA last week!"

Here's the FreeBSD 7.0 RELEASE Announcement.

The remaining new disks are going into the remaining servers next week, more joy and handsprings.

February 27, 2008

Key logging "law ware"

The Constitutional Court in Karlsruhe is going to allow Magic Lantern for a very small number of anti-terrorism investigations.

The Austrian government is looking at the possibility of allowing remote keystroke logging as well, but as the writers at le Monde point out, it's in the United States where the use of similar technical mechanisms is most common.

If you're wondering why undetectable remote keystroke logging hasn't turned up a single 101st Fighting Keyboarder banging out "kill some domestic enemies" screeds or a single AutoAdmit stalker of female law students, so am I.

February 26, 2008

Got ... Net ... Clue?

Today Olympia Snowe, Bill Nelson, the most conservative Democrat in the Senate, and Ted Stevens, the guy who made "intertubes" famous, introduced a bill "aimed at ending the deceptive practice known as phishing".

The dumb way to proceed is to attach some liability to the actual practice of phishing, from the banal stuff like putting "looks similar" characters in a domain name, like the famous Cyrillic "a", so that URLs that look like "paypal.com" go to someplace novel, where credit cards are harvested, to the slightly less banal stuff like putting html glop into "html enhanced email" so that URLs that look like "paypal.com" also go to someplace novel, where credit cards are also harvested, and lots more variations on the theme of misdirection.
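The two kinds of misdirection named here, and the point made in the March 6 post that the domain name shown in a phish payload is not the domain name the link actually goes to, are what a mail filter checks for. The following is an added example, not code from this site or any product: it uses only the Python standard library to pull every anchor out of an HTML mail body, compare the host the visible text claims against the host in the href, flag labels that fall outside the ASCII letters-digits-hyphen alphabet (and in particular mixed Latin/Cyrillic labels), and note 1x1 tracking images. The sample mail body, hosts and addresses are constructed from documentation ranges.

```python
import unicodedata
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample of an "HTML-enhanced" phish: an anchor whose visible text
# names the bank but whose href is a bare address, a Cyrillic-a look-alike,
# one honest link, and a 1x1 tracking image (web beacon).
SAMPLE_MAIL = """<p>Dear customer,</p>
<p>Please verify your account at
<a href="http://203.0.113.7/login">https://www.bank.example</a></p>
<p>Or visit <a href="http://p\u0430ypal.com/">p\u0430ypal.com</a></p>
<p><a href="https://www.bank.example/help">Help</a></p>
<img src="http://tracker.example/b.gif?id=42" width="1" height="1">
"""


class MailParser(HTMLParser):
    """Collects (href, visible text) for every anchor and the src of 1x1 images."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self.beacons: List[str] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.beacons.append(a.get("src") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Host part of a URL, or of a bare domain-looking string, lowercased."""
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def is_ldh(label: str) -> bool:
    """Classic hostname alphabet: ASCII letters, digits, hyphen."""
    return all(c.isascii() and (c.isalnum() or c == "-") for c in label)


def scripts_in(label: str) -> Set[str]:
    """Script of each letter, taken from the first word of its Unicode name
    ('LATIN', 'CYRILLIC', 'GREEK', ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def check_anchor(href: str, text: str) -> List[str]:
    findings = []
    actual = host_of(href)
    looks_like_url = "." in text and " " not in text
    shown = host_of(text) if looks_like_url else ""
    if shown and shown != actual:
        findings.append(f"text shows {shown} but href goes to {actual}")
    for label in actual.split("."):
        if not is_ldh(label):
            scripts = sorted(scripts_in(label))
            kind = "mixed scripts" if len(scripts) > 1 else "non-LDH label"
            findings.append(f"{kind} {scripts} in {label!r}")
    return findings


def scan_mail(body: str) -> Dict[str, object]:
    p = MailParser()
    p.feed(body)
    return {
        "anchors": {href: check_anchor(href, text) for href, text in p.anchors},
        "beacons": p.beacons,
    }


if __name__ == "__main__":
    for key, value in scan_mail(SAMPLE_MAIL).items():
        print(key, value)
```

The mixed-script check is a coarse stand-in for a real confusables table: a label written entirely in Cyrillic is legitimate IDN usage, which is why the block reports it as "non-LDH" rather than as a look-alike, and only a label mixing scripts is called out.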

The better way to proceed is to reduce the time each phish pitch can work from the weeks-to-days, which is the present operational art, to minutes, which is both technically possible, and administratively possible. In fact, it is something I've been working towards for several years (phish is only a recent use of domain names and network addresses for black-hat fun and profit), and encouraging the institutional framework that can cause such a reduction in the time-to-live for crap that drops into your inbox or otherwise arrives at your mouse's nibbly nose via one of a number of behavior profiling applications (aren't ads kwel?) would be wicked useful.

The interesting challenges are things like double-fast-flux, where the name servers for the urls used by the thousands of attack assets for "where the money goes" are rotated across many name servers and many, many more hosts and ... all wicked quick. We can effectively engage that too, and with relatively thick fingered and clumsy policy tools, as simple as putting a fee on name server changes, a fee as small as a penny, in addition to the smarter bits we use to measure it.

Registrars sell domain names. Registries publish domain names. We operate on a time-scale of seconds to minutes, and we can, if ICANN (our regulator, your incorporated-in-California 501(c)(3) successor-in-interests to DARPA, ARPA, the NSF and the Department of Commerce) assists us, do to the use of domain names for spam, phish and lots of other applications of idle hands and criminal minds, what the simple application of a 20 cent fee did to the domain tasting sub-industry (another industrial strength scam, on trademarks and typos generally, all fueled by Google Ads (aren't ads kwel?)).
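What "the smarter bits we use to measure it" look like on the registrar side, as an added example rather than code from this site or any registrar: a name server change log is scanned with a sliding window, domains whose name servers rotate faster than a threshold are flagged as likely flux, the number of distinct name server hosts a domain has cycled through is counted, and the one-cent-per-change fee proposed above is tallied. The log format, domains and hosts are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed registrar-side audit log: one line per name server change.
# 'shop.example' is rotated to a new hosting provider every few minutes;
# 'tribe.example' moved once, a day apart.
NS_LOG = """\
2008-02-26T10:00:01Z shop.example NS_CHANGE ns1.h1.example,ns2.h1.example
2008-02-26T10:07:44Z shop.example NS_CHANGE ns1.h2.example,ns2.h2.example
2008-02-26T10:15:09Z shop.example NS_CHANGE ns7.h3.example,ns9.h3.example
2008-02-26T10:22:31Z shop.example NS_CHANGE ns3.h4.example,ns4.h4.example
2008-02-26T10:29:58Z shop.example NS_CHANGE ns1.h5.example,ns2.h5.example
2008-02-26T11:03:12Z shop.example NS_CHANGE ns1.h6.example,ns2.h6.example
2008-02-26T09:41:00Z tribe.example NS_CHANGE ns1.hosting.example,ns2.hosting.example
2008-02-27T16:12:05Z tribe.example NS_CHANGE ns1.newhost.example,ns2.newhost.example
"""


def parse_ns_log(log: str) -> Iterator[Tuple[datetime, str, List[str]]]:
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, domain, event, servers = line.split()
        if event != "NS_CHANGE":
            continue
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), domain, servers.split(",")


def flag_flux(log: str, window: timedelta = timedelta(hours=1),
              max_changes: int = 3) -> Dict[str, int]:
    """Domains whose peak number of NS changes inside any sliding `window`
    exceeds `max_changes`, mapped to that peak count."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for ts, domain, _ in parse_ns_log(log):
        times[domain].append(ts)
    flagged = {}
    for domain, stamps in times.items():
        stamps.sort()
        recent: deque = deque()
        peak = 0
        for t in stamps:
            recent.append(t)
            while t - recent[0] > window:   # drop events older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > max_changes:
            flagged[domain] = peak
    return flagged


def distinct_ns_hosts(log: str) -> Dict[str, int]:
    """How many different name server hosts each domain has been pointed at."""
    seen: Dict[str, set] = defaultdict(set)
    for _, domain, servers in parse_ns_log(log):
        seen[domain].update(servers)
    return {d: len(s) for d, s in seen.items()}


def change_fees_cents(log: str, cents_per_change: int = 1) -> Dict[str, int]:
    """What the one-cent-per-change fee proposed in the post would bill each domain."""
    counts: Dict[str, int] = defaultdict(int)
    for _, domain, _ in parse_ns_log(log):
        counts[domain] += 1
    return {d: n * cents_per_change for d, n in counts.items()}


if __name__ == "__main__":
    print(flag_flux(NS_LOG))          # {'shop.example': 5}
    print(distinct_ns_hosts(NS_LOG))  # {'shop.example': 12, 'tribe.example': 4}
    print(change_fees_cents(NS_LOG))  # {'shop.example': 6, 'tribe.example': 2}
```

The window and threshold are the policy knobs: a legitimate migration produces one or two changes, while the rotation pattern described above produces several per hour across hosts that never repeat.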

My point here is the same point I made over a decade ago to the then Chief Scientist at the NSA, geeks beat heat. He took my point, which is why there is a Computer Emergency Response Team, to ask us what to do when something really awkward happens. Phish isn't really awkward, it's just a big heap of small robberies.

We know (a) that what was unorganized crime using computers, aka "cyber-crime", is now organized. In fact, there is a market for attack assets, just like there is a market for AK-47s and RPGs. We know (b) that gaming the system can be fixed. We know (c) that very, very few computer scientists want to work with or for John Ashcroft or Alberto Gonzales or Michael Mukasey, and that the "other side of the shop" went non-linear under Donald Rumsfeld et seq., and everything under DNI Mike McConnell is "complicated" by pervasive wiretap, about which we have spoken authoritatively in RFC 2804 IETF Policy on Wiretapping.

But it takes non-dumb on the public policy side of the table. That was the most attractive bit about the idea of Larry Lessig running for the seat vacated by Tom Lantos' death. Someone in the lower body who actually has clue, not about real estate or used cars or banks or big law, but about the anomaly we call the net.

I can't help but think of the anti-internet-gaming bill introduced by the GOP member from the IA 2nd. Null content but lots of happy applause. Punished credit card companies for doing what credit card companies weren't doing anyway. Bag of hammers dumb.

Here's the link to Olympia's technology staffer's latest PR gimmick.

Wampum has moved

Step one on the path to a 1U in a rack "away".

February 25, 2008

Pakistan hijacks YouTube

Every once in a while a mailing list I subscribe to explodes. In the past 24 hours the NANOG list exploded over the YouTube in Pakistan event.

Here's the most accessible technical presentation I'm aware of yet, Martin Brown's Pakistan hijacks YouTube at the Renesys blog.

Highly recommended.

February 23, 2008

Fun with Frost

Lest We Remember: Cold Boot Attacks on Encryption Keys

A simple technique for looking for memory leaks is applied to the problem of determining memory persistence, with the novel assistance of a sharp thermal gradient. Not as photogenic as the liquid oxygen meets oxidants experiments (how to put a backyard barbie into low neighborhood orbit), but there are some pictures.

Enjoy. Something to keep in mind when entering or exiting a "cryptographically challenged jurisdiction" with a laptop at the approach of a White Shirt armed with ... only a can of compressed air.

February 18, 2008

Wikileaks.org

Eventually MB's work on the larger cloud of corruption within the DOJ, the DOI, the MMS, and of course, the BIA, will reach the point where more interesting things are possible than just a braziltelecom user's midnight download of 3,815 entries out of wampum's vault -- not the usual spider indexing.

So I'm interested in the Gag Order that Jeffrey White ordered on the 15th in the US District Court for Northern California. h/t Avedon.

You might think that "law" that results in ICANN accredited domain name registrars, a California LLC in particular, getting a TRO to take down a website that hosts leaked memos, memos like the ones that come our way, from somewhere, or "heavily redacted", come from FOIA filings by CREW and others, would be of interest to the civil libertarians of the ICANN policy domain.

One of the more amusing things that happened at the New Delhi ICANN meeting was when Robin Gross made the following utterance:

>>ROBIN GROSS: I just wanted to second what Adrian said and also take issue with the choice of this venue. I'm considerably concerned about an organization that calls itself "inclusive and bottom-up" et cetera, et cetera that would select a venue and all the surrounding venues where less than 1% of the world's population can even afford to be in the room. That's inexcusable. That's unconscionable.

The shock in the hall was palpable.

We were in India, a country with 11 official scripts and 22 official languages, next to Pakistan with some of the same, and some different, ditto for Iran and Afghanistan, and looking in the other direction, Bangladesh, Burma, Cambodia, Laos, ... and we were there to work on getting more than ASCII [a-zA-Z][0-9] and "-" into the DNS, what we call LDH for letters-digits-hyphen, and Robin was going non-linear -- "That's inexcusable. That's unconscionable." -- because the Taj Palace room rate, like all the five-stars in the diplomatic enclave of New Delhi (construction going on like Beijing '08 for the '10 Commonwealth Games) is around $500/night. Delhi is full of family hotels; we booked a floor at a room rate of $50/night.

The previous night I'd the pleasure of words with Ms. Gross, who is certain that "free speech" requires that the names of all Indian tribes, like "Cherokee" or "Lakota" be free for unlicensed commercial users like auto companies. She never got beyond the phrase "free speech", and "first come, first served".

So not only are kwel words about exotic people and their culture the property of the first person with $6.20 each, but Asians don't need scripts to allow languages to allow meaningful words as domain names more than they need cheaper room rates in five-star hotels (which tossed in the meeting rooms and the meals as well).

At least her term expires this year. Compared to Norbert Klein, also a Non-Commercial User Constituency rep, who single-handedly brought the Internet to Cambodia, she's the protagonist from "Legally Blonde", but without fashion sense or common sense.

But the take away is that the North American representative to the policy-making body for generic top-level domains isn't interested in illegal wiretap in North America, or in the suppression, by courts of law in North America, of websites in North America that host documents that governments and corporations want suppressed; she just wants "Lakota" to be free to the first buyer with six dollars and change, for large values of "Lakota".

She'd her moment of clarity. I understand that Michelle Obama just had one too. She's ashamed of her neighbors.

February 16, 2008

Blogging Post-Legal Intercept

Those of you looking for extra-jurisdictional hosting, in Canada or Mexico, the European Union, Switzerland, Norway, Iceland, ... leave a note in comments. I'm moving Wampum, and I'll be happy to share what I already know about hosting service providers and colo (self-hosting) providers.

Keep in mind what extra-jurisdictional hosting does mean -- your colo or hosting provider won't receive a covert warrantless "national security letter", your provider won't receive a federal, or state subpoena, and your provider's network provider(s) won't have a black tap and back-haul to an undisclosed location for real-time "sampling".

There will still be illegal intercept, but it will occur only in the US, where writers and readers are unable to use networks except those in which illegal intercept has been accomplished by force majeure.

I've been hosting Wampum, the Koufax Awards, and intermittently, some other blogs, along with the Draft Gore 2008 site, and some other campaigns (with actual candidates!!!) on the Wampumpeag servers for several years -- a mix of Movable Type, Wordpress, Mediawiki, Drupal, ...

Another area to consider as a change in how we write and read is whether we use public encryption to re-assert a right of personal and political privacy.

AT&T exits the payphone business

The phone at San Diego County's Sweetwater Campground worked fine until yesterday. Then it was administratively failed. This afternoon a contractor came out and removed the equipment. We chatted briefly, as he loaded the last of the structure into his truck.

The end of an era. I suppose they'll keep their jail contracts, there's wicked good money in overcharging a population that has to go LD to family and friends, not to mention members of the defense bar, or courts' clerks, for case management.

February 04, 2008

Some papers are simply more fun to read than others

p1.preview.gif

A relative called today, someone who'd been senior staff on Dodd's Iowa campaign, apropos of nothing in particular.

I've mentioned this paper before. It's only 10 pages of PDF, and accessible for non-specialists.

February 03, 2008

Parted Cables

A fourth submarine cable in the middle east was damaged Sunday between Haloul, Qatar and Das, United Arab Emirates.

This is in addition to the damage affecting the FLAG, SAE-ME-WE4, FALCON cables.

For those whose first issue is whether or not Iran is the target of a network partition, that is, of some physical plane "information operation", possibly from reading something at Slashdot, or at the Internet Traffic Report, the answer is "No".

This Thursday I leave for New Delhi. I'll be there for a week. About 20% of Iran's network capacity has been lost, which is a lot, but nothing like the loss for other areas formerly served by the severed cables, India lost 50%, Egypt 80%, or the total partition (100% loss) that occurred to Pakistan last year.

Resources: Todd Underwood's Renesys Blog, the SLAC E2E project, the NANOG list traffic, and far off friends.

In keeping with the "Blogroll Amnesty Day" theme, this data will self-destruct and probably cause irreparable harm to computers and domestic animals if linked to by amnesiacs.

Enjoy!

Mediterranean Cable Break, Mediterranean Cable Break, part II, and Mediterranean Cable Break, part III.

Effects of Fibre Outage through Mediterranean at the Internet End-to-End Performance Monitoring Project at SLAC.

January 29, 2008

Risking Communications Security: Potential Hazards of the Protect America Act

Steven Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter Neumann and Jennifer Rexford have a 10 page paper in the IEEE journal Security and Privacy entitled Risking Communications Security: Potential Hazards of the Protect America Act.

I've put a copy up here. It's 10 pages.

You all have 15 days to read this and get it onto the A list blogs, which may pick it up on their own anyway. It's a page a day. You can fax a page a day to your choice of Senators.

I'm going to send a copy to Tom Allen, who could beat Susan Collins this fall.

January 23, 2008

FISA is back

We know now that the Metropolitan Area Exchanges which Verizon operates -- MAE West in San Jose, MAE East in New York, and the rest -- WDC, Miami, Dallas, Chicago, Los Angeles -- have gigataps with black backhaul to ... somewhere. Yesterday Peter Schaar issued a ruling for the member states of the European Union, that IP addresses are personal data.

So what is the legal status of the wiretaps in Verizon's MAEs in Frankfurt and Paris?

Are US nationals protected by EU member state data protection law, by the Treaty of the European Union, when in the territorial jurisdiction of an EU member state? While I'm in Paris next June for the ICANN meeting, using a local ISP to Jabber or Skype or Gizmo to someone in Berlin, say, the Data Protection Commissioner for Berlin, on errors and errata in, or updates to, the P3P specification on the Protection of Personal Privacy since the W3C shut down the Privacy and P3P project in 2002, on the off chance that I'd like to co-author an update to our last work item -- P3P1.1, which was more or less killed by the governmental data mining rush in personally identifying data that followed 9/11, or contribute to the W3C Policy Languages Interest Group, in particular, the meta-language for the provisioning of data protection policy between cooperating data protecting entities, will the United States have the cooperation of French and/or German authorities to copy all of my data that transits the Verizon operated MAEs in Europe, as they have in the Verizon operated MAEs in the United States?

There were times when data going from my set of ARPA IMPs (modernly, routers) in Menlo Park to the ARPA IMPs at UCLA would not go down the PacTel trunk from SF to LA; instead they'd be routed, with perceptible delay in those 56Kb days, to the ARPA IMPs in Salt Lake, then to WDC, and then to UCLA. With trans-oceanic fiber, backhaul from Paris to Halifax to CONUS, where the tap may now be (illegally) applied, and then backhaul back to Paris, would be much more difficult for the endpoint to detect... unless the traceroute data shows that the packets disappear from the obvious route and return to it with an increment in the hop count, which is easy enough to forge...

Unless Dodd wins the filibuster, it's bedtime for Bonzo for data protection and data or voice personal privacy, and both data and voice for political change tend toward comic. Make some Senatorial aide pick up a phone and chat about the difference between legal and illegal intercept. Tell them that you'd like a law that will allow you to wiretap your political opponents...

January 22, 2008

At the end of the (under)wire is ... a person

During the work of writing the W3C's P3P spec we considered whether an IPv4 address, an end-point identifier, was personally identifying information. We agreed that a complete IPv4 address -- a dotted quad -- numbers of the form 36.26.36.dd (to pun on Avedon Carol's Bra-of-the-Week standard) was "PII", but disagreed as to how much of the dotted quad to delete so that the remainder would no longer be personally identifying information.

The P3P Spec Working Group adopted Martin Presler-Marshall's (IBM) definition -- "a partialip element represents an IP version 4 address (only - not a version 6 address) which has had at least the last 7 bits of information removed."

My position was that 7 bits was insufficient, and we needed to limit the bits collected to 16 out of the 32, to avoid off-line and on-line data collection correlation from transforming a partialip element into a unique personal identifier. I won't argue with people who think that because they are behind a commercial or residential NAT or in a (not very dynamic over time, and wicked static for days and weeks on end) ISP managed DHCP block, they are "anonymous". They're wrong. But the Working Group went with the 7-bit mask.
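To make the 7-bit versus 16-bit argument concrete, here is an added example (mine, written for this note; it is not code from the P3P spec or the Working Group) that applies a partialip-style truncation to an IPv4 address, refuses IPv6 as the spec does, and then joins the truncated address against a small off-line "directory" keyed by address. The address 36.26.36.17, the other addresses and the names are all constructed for illustration.

```python
"""P3P partialip-style truncation of an IPv4 address, and what is left once off-line data is joined in."""
import ipaddress


def partial_ip(addr, drop_bits=7):
    """Zero the low `drop_bits` bits of an IPv4 address (the spec's minimum is 7; IPv6 is excluded, as the spec says).
    Returns the truncated address and the number of addresses that now share it."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("partialip is defined for IPv4 only")
    if not 1 <= drop_bits <= 32:
        raise ValueError("drop_bits must be between 1 and 32")
    net = ipaddress.ip_network(f"{ip}/{32 - drop_bits}", strict=False)
    return str(net.network_address), net.num_addresses


def candidates(truncated, drop_bits, directory):
    """Names in `directory` (address -> name: any off-line data keyed by address) whose address falls inside the
    truncated block. A single name means the 'anonymised' address still identifies one person."""
    net = ipaddress.ip_network(f"{truncated}/{32 - drop_bits}", strict=False)
    return sorted({name for a, name in directory.items() if ipaddress.ip_address(a) in net})


# Constructed stand-in for off-line data that can be joined against an address. Not real people or addresses.
DIRECTORY = {
    "36.26.36.17": "Jane Doe",
    "36.26.36.200": "John Roe",
    "36.26.99.5": "Richard Miles",
    "36.27.36.17": "Mary Major",
}


def reidentify(addr, drop_bits, directory=DIRECTORY):
    """Apply partial_ip, then see who is left in the block: (truncated address, block size, names)."""
    truncated, block_size = partial_ip(addr, drop_bits)
    return truncated, block_size, candidates(truncated, drop_bits, directory)


if __name__ == "__main__":
    for bits in (7, 16):
        truncated, size, names = reidentify("36.26.36.17", bits)
        print(f"drop {bits:2d} bits -> {truncated:<12} block of {size:>5}: {names}")
```

With 7 bits dropped the block holds 128 addresses, but only one name from the directory falls in it, so the truncated address is still Jane Doe. With 16 bits dropped three names share the block. The directory here is tiny; with DoubleClick-scale off-line data the 7-bit block is no better.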

Today Peter Schaar issued a ruling for the member states of the European Union that IP addresses are personal data. Google/DoubleClick differs of course, which is amusing when you consider that DoubleClick's core business model was, and is, deterministic, not statistical, behavioral profiling. It's the difference between knowing that 36.26.36.dd statistically appears to be a person-with-breasts, and knowing that the person is named Jane Doe, and having access to her credit-card transaction history, including her shopping at Bras of the World, and every other bit of linked data Equifax et alia sell.

For background see European Commission > Justice and Home affairs > ... > Data Protection page.

Of course, none of this applies in the US, where everyone is wiretapped. Don't forget you could have supported Chris Dodd in Iowa, and you can still support Chris Dodd on the coming FISA replay.

January 19, 2008

Meanwhile, back at the Digital Divide Ranch

On an Ops list we're discussing a surprising civil case in North Dakota. In what follows "zone transfer" means "copy".

A operates an Unsolicited Bulk Email (UBE) business (you may use "spammer" if you like), and organic to the business of ... spamming ... operates one or more Domain Name System (DNS) servers, one of which is authoritative for a domain and the associated zone which A uses to originate streams of UBE.

B (you may use "anti-spam vigilante" if you like) requests a zone transfer for the associated zone from a DNS server under the control of A. The DNS server under the control of A is configured to allow zone transfers unconditionally. This is the default configuration of this particular DNS server.

A then sues B for a privacy cause of action.


Ruling at trial: As B is neither a "researcher", nor is a zone transfer of A's zone necessary for the operation of A's zone, B's conduct is not privileged, and A's privacy claim prevails. B is held liable for civil damages.
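For readers who have never watched one, this is what B's "zone transfer" is at the wire level. The code below is an added example written for this post, not the tool B used or anything from the case: it builds the AXFR request, parses what comes back, and applies the one check that tells you whether the server handed the zone over (a complete transfer begins and ends with the zone's SOA record, per RFC 5936). The zone name example.test, the server and both sample replies are constructed; check_axfr is the only function that touches the network.

```python
"""DNS zone transfer (AXFR) on the wire: build the request, parse the reply, decide whether the zone was handed over.
Wire format per RFC 1035; a transfer is framed by the zone's SOA at both ends per RFC 5936."""
import socket
import struct

QTYPE_AXFR, CLASS_IN, SOA = 252, 1, 6
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Dotted name -> uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header with no flags set (AXFR is never recursive) plus one question: <zone> IN AXFR."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)


def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just past it in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                                   # compression pointer
            if end is None:
                end = offset + 2                                    # the name ends after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_axfr_response(msg):
    """One DNS message -> (rcode name, [(owner, rtype), ...] for the answer section)."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                                        # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen                                        # rdata is not needed for the verdict
        records.append((owner, rtype))
    rcode = flags & 0xF
    return RCODES.get(rcode, str(rcode)), records


def zone_was_transferred(records):
    """A complete AXFR starts and ends with the zone's SOA; anything else is a refusal or a cut-off stream."""
    return len(records) >= 2 and records[0][1] == SOA and records[-1][1] == SOA


def check_axfr(server, zone, port=53, timeout=5.0):
    """Ask <server> for <zone> over TCP (each message carries a 2-byte length prefix) and report the outcome.
    Network call; the only function here that the offline samples do not exercise."""
    query = build_axfr_query(zone)
    records = []
    with socket.create_connection((server, port), timeout=timeout) as sock, sock.makefile("rb") as rd:
        sock.sendall(struct.pack("!H", len(query)) + query)
        while True:
            (length,) = struct.unpack("!H", rd.read(2))
            rcode, recs = parse_axfr_response(rd.read(length))
            records.extend(recs)
            if rcode != "NOERROR" or zone_was_transferred(records):
                return rcode, records, zone_was_transferred(records)


def _rr(owner, rtype, rdata, ttl=3600):
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def sample_transfer_response(zone="example.test."):
    """Constructed reply from a server that transfers to anyone: SOA, two records, SOA, in one message."""
    soa = encode_name("ns1." + zone) + encode_name("hostmaster." + zone) \
        + struct.pack("!IIIII", 2008011901, 7200, 900, 1209600, 3600)
    ptr = b"\xc0\x0c"                                                # pointer to the question name at offset 12
    answers = (_rr(encode_name(zone), SOA, soa) + _rr(ptr, 2, encode_name("ns1." + zone))   # NS
               + _rr(b"\x03ns1" + ptr, 1, bytes([192, 0, 2, 53])) + _rr(ptr, SOA, soa))     # A, closing SOA
    return struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0) + encode_name(zone) \
        + struct.pack("!HH", QTYPE_AXFR, CLASS_IN) + answers       # flags QR|AA, rcode 0


def sample_refused_response(zone="example.test."):
    """Constructed reply from a server whose transfer list excludes the asker: REFUSED, no records."""
    return struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + encode_name(zone) \
        + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)                  # flags QR|AA, rcode 5
```

Run check_axfr("ns1.example.test", "example.test.") against a server you operate: a REFUSED means the transfer list is doing its job; a SOA-to-SOA stream means anyone on the net can copy the zone, which is what A's server was doing. In BIND the knob is allow-transfer in named.conf; "allow-transfer { none; };" or a list of your secondaries' addresses closes it.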

There are a lot of nuances that are discussed by what amounts to the experts on the subject, and it's not my intent to recite, or discuss the merits of, each.

What I remind wampum's readers is that there really still is very little "law of the internet", and lawlessness begins, like the rot in fish, at the head. I don't mean ICANN, I mean FISA and the employees of the United States who assert their conduct is not criminal because they conduct it, but that arbitrary conduct by others is criminal because they assert that it is so.

That's why Chris Dodd's position on FISA is a matter of life, or civil death, to everyone who uses a can tied to a string that may or may not be tied to one or more other cans. The rotten Capo del Pesce crowd are doing whatever the hell they want with all the string, weaving nooses for any they think would look better walking in the air.

December 25, 2007

Santa brought all of us ... a method for geolocating logical network addresses

In December, 2000, the assignee did not have direct access to the data and so "discovered" (there is prior art) a method that infers the data sought. Enjoy reading link.

Of course, all those personal information forms social networks and on-line retailers vacuum up tend to geo-locate the allocations of every dynamically assigned address block ISPs use to provision wireless and wireline access points.

Jonah's been vomiting during the night and so we're up with not a lot to do but read USPTO filings.

December 23, 2007

Behavioral Targeting

In the small matter of the proposed acquisition of Hellman & Friedman Capital Partners V, LP, (Click Holding Company) By Google Inc., File No. 071 0170, only one FTC Commissioner offered a dissent. Here's a link to Commissioner Pamela Jones Harbour's dissent (13pp .pdf)

Having been the point person for statistical targeting at the W3C's P3P Spec WG, I think the majority blew it, at least on the privacy issue.

If the EU approves the acquisition we'll block Google's address blocks and ban its spiders, as we currently do for DoubleClick's address blocks and spiders.

Why anyone on the left hand side of the dial bothers to (a) blog about the noxious national security mania and (b) run Google Ads is just one of those little inconsistencies "benefit" brings to any calculus of motive and belief.

Time to look at the alternative search engines.

December 17, 2007

The MAE are compromised

MAE West (San Jose) is known to be tapped, and the documentation suggests that the other MAE sites -- the Washington D.C., New York, Miami, Dallas, Chicago and Los Angeles areas -- are tapped as well.

This is wicked bad. The MAEs in Paris and Frankfurt may be tapped as well, in violation of German and French law, as well as US law. It's all data. All of it. What little is left is simply no matter at all.

Via testimony of an AT&T network engineer cited in support of the motion by Chris Dodd and Russ Feingold.

Update: Reid pulled the FISA bill until after the New Year.

"retroactive immunity" in the FISA bill

Chris Dodd is leaving Iowa to go to Washington City to filibuster the NSA/GOP version of the FISA bill.

I suggest viewing the demo on Glimmerglass's Government and Signals Monitoring & Analysis web page. At the point where multicast is mentioned is where the technical mechanism for intercept (wiretap) is casually referenced.

If the NSA/GOP bill becomes law we will move Wampum to Switzerland. Not because of what has happened, but because of what will happen.

Update: Clinton and Obama will not join Dodd. Feingold and Kennedy will join Dodd.

Name       Fax              Voice
Feingold   (202) 224-2725   (202) 224-5323
Dodd       (202) 224-1083   (202) 224-2823
Obama      (202) 228-4260   (202) 224-2854
Sanders    (202) 228-0776   (202) 224-5141
Menendez   (202) 228-2197   (202) 224-4744
Biden      (202) 224-0139   (202) 224-5042
Brown      (202) 228-6321   (202) 224-2315
Harkin     (202) 224-9369   (202) 224-3254
Cardin     (202) 224-1651   (202) 224-4524
Clinton    (202) 228-0282   (202) 224-4451
Akaka      (202) 224-2126   (202) 224-6361
Webb       (202) 228-6363   (202) 224-4024
Kennedy    (202) 224-2417   (202) 224-4543
Boxer      (415) 956-6701   (202) 224-3553

Call 'em. If the aide says (like Bernie's) that s/he is a co-sponsor, tell the aide that that is necessary, but not sufficient. Their boss must get on the floor with Dodd, Feingold and Kennedy.

December 11, 2007

Dr. Nii Quaynor wins this year's Postel Award

Nii Quaynor, with whom I have the privilege of friendship, was just awarded the Postel Award, named after Jon Postel, with whom I also had the privilege of friendship, at last week's IETF in Vancouver.

I was thinking about Nii when responding to a motion to prevent ICANN funding the travel and per diem costs of persons elected to the Generic Domain Names Supporting Organization (GNSO) Council, that as corrupt as it is, we shouldn't make it economically impossible for the best among us to sit with the worst, and the merely mediocre, to make public policy in a regime privatized by Bill Clinton and Ira Magaziner.

So a few minutes after responding to the motion in the public Registrar's mailing list I just happened to look over at icann.org and was wicked pleased and surprised to see this -- link.

December 04, 2007

Oz is missing

Unless you have an interest in submarine cables you probably wouldn't know that a major trans-Pacific segment, operated by Southern Cross Cable, makes landfall in Hillsboro, Oregon. SCC's VP of Ops has confirmed that hurricane-strength storms and flooding have wiped out the carrier's Oregon cable route and halved its bandwidth between Australia and the US.

We've seen much of the net unreachable due to flapping BGP sessions causing route dampening on a lot of address space in Australia, so if Oz is unreachable where ever you are, this is probably why.

November 27, 2007

One lump or two?

I spent a portion of my early afternoon explaining that it takes the Folgers seats (price point < $10/mo) plus the Latté seats (price point > $40/mo), that's narrow-band plus broad-band to the caffeine impaired and/or tea drinking demographic, to make user-centered (and therefore possibly "progressive") policy proposals to State Legislatures for data networks. It was a recitation (with a wicked temporal offset) from what I wrote at Larry Lessig's blog the day after Howard Dean wrote off the urban and rural demographics in his quest for activist mindshare in the primary phase of the last cycle. Reruns.

I spent another portion of my early afternoon explaining that, in Maine at least, if you want to form an effective coalition to keep Verizon from ripping off (a) the State, and (b) the subscribers, and (c) the CWA, and (d) the independent telcos and finally (e) the Maine ISPs that form the Maine ISP Association, that it is wicked useful to talk to (d) and (e), especially (e), rather than say, just stylish advocacy groups and the CWA (most of whose employees in Maine work for Verizon or its rip-off successor in the Northern New England wire-line market).

Translated from the geek, it means page bloat sucks, the digital divide is real, and if you can't get little-r-republicans (half of whom are business owning Dems) on the theory of competition vs monopoly, then you lose, with or without an extra helping of Progressive Vanguardism.

How were your hours between lunch and tea?

66,661,544 ÷ 93,373,707 = FCC

The FCC has the authority to regulate cable if and only if (a) 70 percent of all U.S. households are able to subscribe to a cable service with at least 36 channels and if (b) 70 percent of those households subscribe to such service. The first threshold was crossed years ago, and the FCC is now informed by an independent audit that the second threshold was crossed this year. In the trade this is "the 70/70 provision".

It is reasonable to question if the study that made finding (b) is correct, and even Commissioner Jonathan Adelstein, a Democrat who favors unbundling (or how we stop paying Rupert Murdoch for Fox when all we wanted was culture or sports or ... ) and the positions of record of Consumers Union, has doubts. Of course, Commissioners Robert McDowell and Deborah Taylor Tate, both Republican appointees, doubt the validity of the study which if accepted, would trigger the 70/70 provision and put cable within the jurisdictional reach of the FCC.

The cable industry (Comcast, TimeWarner, Fox) response is that DirecTV, Dish, ... and Verizon and AT&T have just enough market share to prevent the 70/70 provision from being triggered.

The Senate Commerce Committee's Jim DeMint (R-S.C.), John E. Sununu (R-N.H.), Kay Bailey Hutchison (R-Tex.) and Gordon Smith (R-Ore.), wrote a nice piece of fiction, words to the effect that innovation would be stifled if ... let me know what "innovation" you've seen and been benefited by (so no citing rotating visuals that actually hurt your eyes, blinking cursor kind of eye candy). John Boehner and 23 other House Republicans wrote another bit of corporate lobby cover.

Meanwhile, something interesting is happening at the ITU-D which I'll write about soon, and something else is happening, also interesting, in the French internet market, which I'll also write about soon. As for us in the USofA, the FCC vote on whether 70/70 has been triggered was delayed, so Fox won the day.

October 31, 2007

On ICANN


The 30th meeting of ICANN is being held this week at the Hilton Hotel at Los Angeles International Airport, and today UNITE HERE! Local 11 is picketing this particular Hilton property -- the Hilton LAX -- for unfair labor practices. I spoke with Kristin Winn, one of the organizers, before crossing the picket line, and I was surprised to learn that ICANN's president had already agreed not to continue to use the Hilton LAX for future meetings until the labor dispute is resolved. Basically, hotel workers are more likely (48%) to be injured than the average for the service sector, and injuries have gone up 210% for housekeepers, and 38% for all workers, at the Hilton LAX, since the beginning of 2003. Good for Paul Twomey (whose parents are sitting next to me, which may explain why he's being good).

I picked the photo because so much of ICANN's public policy problem space is about the laws (or their lack) for national namespaces (ccTLDs), a not inconsiderable number of which are either run on shoestrings, and sometimes quite creative shoestrings, e.g., Namibia (.na), or are run by commercial operators whose primary public policy goal is contract renewal and monopoly profit extraction (NeuStar and .us, Verisign and .tv, etc.). Why is this like this year's best and brightest of port-a-potties? Consider the policy around the WHOIS service. In how many national jurisdictions can personal privacy be reduced to input for mechanically harvested addresses for the purposes of SPAM targeting? The correlation between WHOIS and SPAM is beyond debate but ... trademark and law enforcement's best-and-brightest are concerned that anyone may be a trademark terrorist (a happy collision of their core claims), so everyone must surrender their contact information.

Potty policy.

The real issues before ICANN are structural change, the use of scripts other than ROMAN (actually a restricted set of US-ASCII) in the root and in the existing second-level namespaces, e.g., .com, .net, .org, .de, .fr, the 3rd round of new gTLDs (reminder, the 1st round was .biz, .info, .name, .coop, .aero, .museum, the 2nd round was .cat, .jobs, .travel, .mobi) and changes to the process of evaluating new gTLD applications and its budget and planning processes.

The enduring organizational tensions are between US governmental control (the annual agreement renewal) and multi-governmental control, between governmental control and other sources of authority for the formation of policy, between Verisign and not-Verisign, and between IP claims on the namespace and any other use of the namespaces. It's likely that you are "other".

The 31st meeting will be held in New Delhi in February, the 32nd in Paris in June.

How many scripts are used by governments in India? How many scripts are used by Indian governments in the Americas?

September 27, 2007

An allocated resource


I am amazed that both InterOp, with which I had something to do, and Halliburton, Eli Lilly and E.I. du Pont de Nemours, with which I did not, all have /8 allocations. A /8 is like a monopoly on salt.

September 22, 2007

mk++

Did you ever work on mk++? If so, and you'd like get in touch, send a note to mk at abenaki wabanaki net.

September 07, 2007

Testing...1.2.3

Eric's playing with MT, so I'm just seeing if it's working...

[I upgraded from 3.2 to 4.0 without problem, in fact, while minding Jonah in the children's room of the King City Public Library, which is a testimony to the simplicity of the process. However, the 4.0 internal UI wasn't what I wanted, so I dropped and recreated the database, loaded from a dump image, and restored all the cgi-bin files. ebw]

May 30, 2007

Transitions :: Stratton Sclavos

Stratton Sclavos is leaving Verisign. I admire the lobbying record of Verisign during Sclavos' tenure as CEO. VGRS runs ICANN and the DOC policy a lot more than any other collection of "internet actors".

April 13, 2007

Google == DoubleClick

Imagine twenty people stuck in a room at Ricky's Hyatt in Palo Alto for the better part of a day discussing Internet Privacy. Imagine that the issue that takes hours is whether data collected under one policy may be linked, without disclosure to the persons it was collected from, to data collected under some other policy.

There are advocates for and against.

One advocates that the World Wide Web Consortium's Platform for Privacy Preferences specification for "linkage" should allow data collected from subjects under one policy to be linked, without disclosure, to data collected under other policies.

One advocates that the W3C's P3P spec for "linkage" should not allow cross-policy linkage without disclosure.

The first advocate was Brooks Dobbs, then at DoubleClick, which was acquired by Google for $3.1bn on 4/13/07.

The second advocate was Eric Brunner-Williams, then at Engage, which failed in 2001. Mere dot bomb splat.

The outcome was that the W3C's P3P Spec required disclosure of cross-policy data linkage. Of course, there was an invisible elephant in the room. Linkage to data collected off-line ... all the Equifax data, everything in the bricks-and-mortar retail merchant data, all the mortgage and auto data ... all the searchable public records ...

Ironically, today I got a call from a Google recruiter ... to let me know that they'd filled the req I'd applied to.

It was a wicked funny call.

Oh. The meeting had another important result. The team from Redmond came in threatening to drop all 3rd-party cookies and left agreeing to adopt the glop-on-cookie mechanism to provide a privacy policy. Google still allows you to find HTTP Trust Mechanism for State Management. Dan Jaye was the primary author of draft-jaye-http-trust-state-mgt-00.txt, when the glop was syntactically expressed as EBNF, and cluttered with broken digital signatures. I was the primary author of -01, when the glop was syntactically expressed as a reduced P3P vocabulary in XML. It was an exciting meeting. Two rounds of hardball, one with DC and the other with MS. If I hadn't nearly died from bad sushi (sea urchin roe) on the flight back to Boston, it would have been a complete triumph.

Anyway, effective today, when you Google, you DoubleClick.

December 14, 2006

Host status

In comments to the Positive Koufax post I mentioned the differences between the Bangor machine (wampum) and the Portland machine (koufax,draftgore,etc). I've upgraded the mysql and php version on the Bangor machine, so there are no substantive infrastructural differences between these two. There still remains the problem that I can't get the Bangor colo operator to fix the in-addr.arpa (reverse lookup) problem, or the protocol and port filtering at the access router, which eliminates the Bangor machine for email purposes, but other than that, the two remaining functional wampumpeag machines are, as local execution platforms, indistinguishable.

Trans: Other than email, which isn't a default part of any blog or cms package, both machines are happy. I'd still like to have disks to bring back the other three systems in Portland.

In other news, today's solar storm is making news in the satellite community. Learn more (while we're hammered, as our link is VSAT provisioned) at the NOAA's Space Environment Center. It's Northern Lights time.

October 31, 2006

Glacial Change

My friend Lorrie Cranor wrote a few days ago that the W3C's P3P activity was closing down.

Occasionally I post that Dennis Kucinich or some other progressive shouldn't allow tracking gifs to be embedded into their outreach mailings, by the shops that handle their on-line work. Someone frequently asks in comments "Why do you care?" or "So what?".

Now it doesn't matter any more. There is no market for privacy in the on-line consumer data extraction industry. We've tried for a decade, and quite simply, for all the historic rhetoric of privacy advocates, users have no actual expectation of privacy that has economic manifestation.

What P3P was, was the idea that policy could be attached to URLs, in particular, that policy descriptions about data collection could be attached to commercial web sites that collect user data, and that the policy descriptions could be expressed in some syntax that could be evaluated by logic added to web browsers. I wrote internet-drafts on how policy could be added to HTTP cookies, a mechanism used to implement sessions in the sessionless HTTP protocol, and implemented the evaluation logic in a snapshot of the Mozilla browser. Others in the P3P Specification Group similarly implemented evaluation logic in several other browsers, and wrote policy descriptions for exemplar commercial web sites, and addressed related problems such as how to exchange definitions of permissible, or impermissible, data collection policies (APPEL).

With the closure of the W3C's P3P activity, there is no institutional counter-force to the market data collectors. None. It is open season on millions of click-streams. There is no bag limit, no limit on the number in possession, and all methods of capture are legal. This means that the NSA's program, or programs even more arbitrarily intrusive, have no substantive political opposition. Al Gore may have spoken out against pervasive wiretap, but most of the '08 repertoire of notable names, and the millions of ordinary names, are untroubled, even comforted, by pervasive wiretap.

Something else happened this week. An application vendor decided to compete with a platform vendor. Due to the disparity of the capitalizations and market penetrations of the vendors, the platform vendor is doomed. The application is a database, the platform is a Linux distribution. They are Oracle and Red Hat, respectively.

The base of the ice sheet that is the Linux market just liquefied, but when the ice sheet will move, and where, intact or fragmented, and whether the ice will even continue to survive in the sea of windows, is unknown. Motion is slow, even undetectable, when it begins, and both unsteerable and unstoppable when detected.

March 21, 2006

Visualize Whirled Peas ...

That's the view of today taken at about 7pm. The load average on the server hosting Wampum (and nothing else) was in the mid-60s for part of the 4 o'clock hour (EDT). Our normal load is about 1 and change. For those of you who know what this means it is a dual processor (996.85-MHz 686-class) node w/1GB of RAM and two ST318437LC (all the load inelegantly on one partition of one drive), and about 65 perl5.8.8 processes and the same number of httpd (2.0.55) processes, and a 4.1.18 mysqld process.

We are cpu bound here, not b/w bound (that bill will fall due soon), unlike '04 when we were b/w bound. It's an ad, in a sense, for MT 3.2. Just for completeness, when we hosted Alas A Blog and Barry's blog was targeted by a ddos (several hundred attack nodes doing an ad insertion campaign made _much_ worse by MT's then-foolish-anti-comment-spam dorkage), the load average went to about 100 w/o crashing the host.

Why people engage in synchronous behavior is beyond me, I can't even get myself near a mall after Halloween, but it does make for interesting system load mix and performance data.

February 04, 2006

EMR.ED

A host is a host from coast to coast,
and no-one can talk to host that's close,
unless the host that isn't close
is busy hung or dead.

Looks like blogger is toast this evening. We'll take guest pieces from Blogistanis during the diaspora, or until the weather breaks in the Autonomous Blogger Region of Googlestan.

The arcane reference is to the Atlanta USENIX errno joke competition.

January 25, 2006

CME-24 (aka BlackWorm Hostile Payload Scheduled to Activate Feb 3)

Yesterday "CME-24" was assigned to the BlackWorm. Over the last week, the BlackWorm has infected more than 700,000 systems, according to a counter web site used by the worm to track itself. The number this evening is near 2M. This worm is different from, and more serious than, other worms for a number of reasons. In particular, it will overwrite a user's files on the 3rd of each month. The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]'). That should get your attention. When did you last back up your Redmond-issue etch-a-sketch?
"There are two types of computer users in the world...those that have lost data, and those that are going to."
Bill Hassell, circa 1972

Mental retardation is not limited to the inner circle of the Bush Regime. Every company in the anti-viral industry has given this worm a handle, hence the need for a "Common Malware Enumeration" value. The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop. It will then disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will also add itself to the list of auto-start programs in your registry. However, before you call "help", call your Senator and explain that there is no choice concerning Choice. If you live in Pennsylvania you get the privilege of an extra call to Bob Casey, and the same text you use for Specter and Santorum is good enough for Casey.
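If the 3rd has already come and gone on a box you are looking at, the question is which files got hit. The scanner below is an added example written for this post (not from any AV vendor, and not the worm's code): it walks a directory tree and flags files of the listed types whose contents now begin with the overwrite marker quoted above. It assumes the marker is written at the start of the file. The sample tree it builds in a temp directory is constructed, not a real infection.

```python
"""Sweep a directory tree for files trashed by the CME-24 / Nyxem.E payload described above."""
import os
import tempfile

# The string the worm writes over the targeted files (quoted in the post), as bytes.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
# Extensions the post lists as targets; compared case-insensitively.
TARGET_EXTS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
               ".rar", ".pdf", ".psd", ".dmp", ".zip"}


def is_targeted(path):
    return os.path.splitext(path)[1].lower() in TARGET_EXTS


def is_overwritten(path):
    """True when a targeted file now starts with the marker (assumption: the worm writes it at offset 0)."""
    if not is_targeted(path):
        return False
    with open(path, "rb") as f:
        return f.read(len(MARKER)) == MARKER


def scan_tree(root):
    """Walk root; return (sorted list of trashed files, number of targeted files examined)."""
    trashed, examined = [], 0
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not is_targeted(path):
                continue
            examined += 1
            try:
                if is_overwritten(path):
                    trashed.append(path)
            except OSError:
                pass                         # unreadable file: skip it, don't abort the sweep
    return sorted(trashed), examined


def build_sample_tree():
    """Constructed fixture: two trashed documents (one in a subdirectory, one with an upper-case extension),
    one intact PDF, and a .txt that contains the marker but is not a targeted type."""
    root = tempfile.mkdtemp(prefix="cme24-")
    os.mkdir(os.path.join(root, "sub"))
    files = {
        "report.doc": MARKER,
        os.path.join("sub", "budget.XLS"): MARKER + b"\r\n",
        "intact.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "notes.txt": MARKER,
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    trashed, examined = scan_tree(build_sample_tree())
    print(f"{len(trashed)} of {examined} targeted files overwritten:")
    for p in trashed:
        print("  ", p)
```

Point it at a mounted share rather than the infected box itself, and note that a file the worm has already trashed is gone; the list is your restore-from-backup list, nothing more.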

Here's your AV contacts:

  • F-Secure: Nyxem.E
  • Grisoft: Worm/Generic.FX
  • H+BEDV: Worm/KillAV.GR
  • Kaspersky: Email-Worm.Win32.Nyxem.e (recommended for the quality of their exposition)
  • McAfee: W32/MyWife.d@MM
  • Norman: W32/Small.KI
  • Panda: W32/Tearec.A.worm
  • Sophos: W32/Nyxem-D
  • Symantec: W32.Blackmal.E@mm
  • TrendMicro: WORM_GREW.A
  • And then there is Microsoft.

I'll provide updates if there is any interest. If the worm's author had any sense s/he'd have made the payload active around 1 April, and catch lotsa tax returns in prep while looking like a weenie joke. In the network operational community we're catching the infected boxen that report to the known tick boxes and sending the infected addrs lists back to the ISPs (grouped by the ISP's ASN), in the belief that the ISPs (and ASPs and corporate operators) will do the right thing. Ha!

I was on the phone for three-quarters of an hour today taking a call from a reporter from the WSJ and only about 60 seconds was on CME-24. I'm partial to the Blackadder series, hence the slightly associative image.

January 24, 2006

Inktomi (Yahoo!, AOL, MSN, etc.) banned (part 2)

The Ponemon Institute polled a random sample of 1,017 Internet users with eight questions on Google and warrantless bulk query disclosure to the USG. The results are here (pdf).

In comments to Inktomi (Yahoo!, AOL, MSN, etc.) banned Chris Clarke provided the generic answer for how to block Inktomi for bloggers (and other Apache users) who don't have access to the httpd.conf file (usually in /usr/local/apache/conf and requiring superuser privileges), but who can create an access control file called .htaccess in their home directory (the server's AllowOverride setting has to permit Limit directives, or the file is silently ignored). This is the .htaccess version:


    Order allow,deny
    Deny from 66.196.64.0/18
    Deny from 68.142.192.0/18
    Deny from 72.30.0.0/16
    Allow from all

The self-hosting (you are the superuser, and all your mistakes are supermistakes) version for httpd.conf is:

    <Directory /some_name_here>
    # deny INKT CIDRs
    Order allow,deny
    Deny from 66.196.64.0/18
    Deny from 68.142.192.0/18
    Deny from 72.30.0.0/16
    Allow from all
    </Directory>

Wampum readers who want to block Inktomi's Slurp spider (and it is a non-benign spider for resource consumption reasons) please drop me a line. If you want to test it, block 65.99.1.129 and send me the URL of some file in your directory, e.g. http://myblog.myhost.com/wget_me.html, and I'll use the wget pseudo-spider to attempt to fetch the file. If it is there and I can't get it, you win (and Inktomi, Yahoo!, AOL, MSN, ... lose). I'll mail you back the byte count of your file, some number other than zero, or zero if you've got a working block.
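The wget test tells you whether one address is blocked; your access log tells you whether the block is holding against the whole spider. The script below is an added example (mine, not from the post or from Chris Clarke's comment) that reads Apache combined-format log lines, checks each client address against the three Inktomi CIDRs above, and sorts hits into "blocked" (listed range, 403), "leak" (listed range but served, so the Deny is not in effect), and "unlisted-crawler" (Slurp user-agent from an address the three CIDRs do not cover). The log lines are constructed; the 192.0.2/24 and 203.0.113/24 addresses are documentation ranges, not real crawlers.

```python
"""Audit an Apache combined-format access log for Inktomi/Slurp traffic and check the CIDR block is working."""
import ipaddress
import re

INKTOMI_CIDRS = [ipaddress.ip_network(c) for c in ("66.196.64.0/18", "68.142.192.0/18", "72.30.0.0/16")]

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')


def in_inktomi_range(ip):
    """True if ip is inside one of the CIDRs the .htaccess denies."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INKTOMI_CIDRS)


def audit_line(line):
    """Classify one log line; None for lines that are not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, status, ua = m["ip"], int(m["status"]), m["ua"]
    listed = in_inktomi_range(ip)
    slurp = "slurp" in ua.lower()
    if listed and status == 403:
        verdict = "blocked"                    # the Deny did its job
    elif listed:
        verdict = "leak"                       # listed range, yet served: Deny not in effect
    elif slurp:
        verdict = "unlisted-crawler"           # Slurp UA from outside the three CIDRs: the list is incomplete
    else:
        verdict = "ok"
    return {"ip": ip, "status": status, "ua": ua, "verdict": verdict}


def audit(lines):
    """Whole log -> (counts per verdict, sorted list of unlisted crawler addresses to add to the Deny list)."""
    counts = {"blocked": 0, "leak": 0, "unlisted-crawler": 0, "ok": 0, "unparsed": 0}
    unlisted = set()
    for line in lines:
        r = audit_line(line)
        if r is None:
            counts["unparsed"] += 1
            continue
        counts[r["verdict"]] += 1
        if r["verdict"] == "unlisted-crawler":
            unlisted.add(r["ip"])
    return counts, sorted(unlisted)


# Constructed sample lines, not a real log.
SAMPLE_LOG = [
    '66.196.65.24 - - [24/Jan/2006:10:00:01 -0500] "GET /archives/ HTTP/1.0" 403 - "-" '
    '"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"',
    '72.30.1.5 - - [24/Jan/2006:10:00:07 -0500] "GET /index.html HTTP/1.0" 200 18432 "-" '
    '"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"',
    '192.0.2.10 - - [24/Jan/2006:10:00:09 -0500] "GET /index.html HTTP/1.1" 200 18432 '
    '"http://example.test/" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"',
    '203.0.113.7 - - [24/Jan/2006:10:00:15 -0500] "GET /wget_me.html HTTP/1.0" 200 512 "-" '
    '"Mozilla/5.0 (compatible; Yahoo! Slurp)"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    counts, unlisted = audit(SAMPLE_LOG)
    print(counts)
    print("add to the Deny list:", unlisted)
```

Feed it the real log with audit(open("access_log")) once the .htaccess is in place. A non-zero "leak" count means the file is not being honoured (usually AllowOverride); "unlisted-crawler" addresses are the ones the three CIDRs miss.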

The Search Engine Industry is watching this. You can't impeach Bush, but you can impeach Gonzales one blog at a time. You can also spread the "This site blocks collaborators" meme. Anyone with gif/jpg skills should use them, I'll host the bits. Notes outstanding to the accomplished Julia of SisyphusShrugged (link fixed) and Kevin of The American Street and the