Monthly Archives: November 2015

Call for Participation – DNSSEC Workshop at ICANN 55 in Marrakech, Morocco

Do you have an idea for a new way to use DNSSEC or DANE to make the Internet more secure? Have you recently installed DNSSEC and have a great case study you can share of lessons learned? Do you have a new tool or service that makes DNSSEC or DANE easier to use or deploy? Do you have suggestions for how to improve DNSSEC? Or new ways to automate or simplify the user experience?

If you do, and if you will be attending ICANN 55 in Marrakech, Morocco (or can get there), we are now seeking proposals for the ICANN 55 DNSSEC Workshop that will take place on Wednesday, 9 March 2016. Anyone is welcome to send in a brief (1-2 sentences) description of what you would like to talk about to:

The deadline is Monday, 14 December 2015.

Any ideas related to DNSSEC or DANE are welcome. To provide some suggestions, the full Call for Presentations is included below with a list of different ideas. You can also view the agenda of the recent ICANN 54 DNSSEC Workshop in October in Dublin to get a sense of what we talk about at these events.

These DNSSEC Workshops are great ways to bring ideas to the wider DNSSEC community. All sessions are recorded as well so that people get a chance to view them later.

If you are doing anything interesting with DNSSEC or DANE, I’d strongly encourage you to submit a proposal!

The full call for participation is below…

* * *

The DNSSEC Deployment Initiative and the Internet Society Deploy360 Programme, in cooperation with the ICANN Security and Stability Advisory Committee (SSAC), are planning a DNSSEC Workshop at the ICANN 55 meeting on 09 March 2016 in Marrakech, Morocco. The DNSSEC Workshop has been a part of ICANN meetings for several years and has provided a forum for both experienced and new people to meet, present and discuss current and future DNSSEC deployments. For reference, the most recent session was held at the ICANN meeting in Dublin, Ireland on 21 October 2015. The presentations and transcripts are available at:

At ICANN 55 we are particularly interested in live demonstrations of uses of DNSSEC or DANE. Examples might include:

  • Email clients and servers using DNSSEC, OPENPGPKEY, or S/MIME for secure email.
  • Tools for automating the generation of DNSSEC/DANE records.
  • Services for monitoring or managing DNSSEC signing or validation.
  • Tools or services for using DNSSEC/DANE along with other existing protocols and services such as SSH, XMPP, SMTP, S/MIME or PGP/GPG.
  • Innovative uses of APIs to do something new and different using DNSSEC/DANE.
  • S/MIME and Microsoft Outlook integration with Active Directory.

Our interest is to provide current examples of the state of development and to show real-world examples of how DNSSEC and DANE related innovation can be used to increase the overall security of the Internet.

We are open to presentations and demonstrations related to any topic associated with DNSSEC and DANE.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to by **Monday, 14 December 2015**

Examples of the types of topics we are seeking include:

1. DNSSEC activities in Africa

For this panel we are seeking participation from those who have been involved in DNSSEC deployment in Africa and also from those who have not deployed DNSSEC but who have a keen interest in the challenges and benefits of deployment. In particular, we will consider the following questions: Are you interested in reporting on DNSSEC validation of your ISPs? What can DNSSEC do for you? What doesn’t it do? What are the internal tradeoffs to implementing DNSSEC? What did you learn in your deployment of DNSSEC? We are interested in presentations from both people involved with the signing of domains and people involved with the deployment of DNSSEC-validating DNS resolvers.

2. Potential impacts of Root Key Rollover

Given many concerns about the need to do a Root Key Rollover, we would like to bring together a panel of people who can talk about what the potential impacts may be to ISPs, equipment providers and end users, and also what can be done to potentially mitigate those issues. In particular, we are seeking participation from vendors, ISPs, and the community that will be affected by distribution of new root keys. We would like to be able to offer suggestions out of this panel to the wider technical community. If you have a specific concern about the Root Key Rollover, or believe you have a method or solution to help address impacts, we would like to hear from you.

3. Implementing DNSSEC validation at Internet Service Providers (ISPs)

Internet Service Providers (ISPs) play a critical role by enabling DNSSEC validation for the caching DNS resolvers used by their customers. We have now seen massive rollouts of DNSSEC validation within large North American ISPs and at ISPs around the world. We are interested in presentations on topics such as:

  • Can you describe your experiences with negative Trust Anchors and operational realities?
  • What does an ISP need to do to prepare its network for implementing DNSSEC validation?
  • How does an ISP need to prepare its support staff and technical staff for the rollout of DNSSEC validation?
  • What measurements are available about the degree of DNSSEC validation currently deployed?
  • What tools are available to help an ISP deploy DNSSEC validation?
  • What are the practical server-sizing impacts of enabling DNSSEC validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, technical support, etc.)?

4. The operational realities of running DNSSEC

Now that DNSSEC has become an operational norm for many registries, registrars, and ISPs, what have we learned about how we manage DNSSEC? What is the best practice around key rollovers? How often do you review your disaster recovery procedures? Is there operational familiarity within your customer support teams? What operational statistics have we gathered about DNSSEC? Are there experiences being documented in the form of best practices, or something similar, for transfer of signed zones?

5. DANE and DNSSEC application automation

For DNSSEC to reach massive deployment levels it is clear that a higher level of automation is required than is currently available. There also is strong interest for DANE usage within web transactions as well as for securing email and Voice-over-IP (VoIP). We are seeking presentations on topics such as:

  • What tools, systems and services are available to help automate DNSSEC key management?
  • Can you provide an analysis of current tools/services and identify gaps?
  • Where are the best opportunities for automation within DNSSEC signing and validation processes?
  • What are the costs and benefits of different approaches to automation?
  • What are some of the new and innovative uses of DANE and other DNSSEC applications in new areas or industries?
  • What tools and services are now available that can support DANE usage?
  • How soon could DANE and other DNSSEC applications become a deployable reality?
  • How can the industry use DANE and other DNSSEC applications as a mechanism for creating a more secure Internet?

We would be particularly interested in any live demonstrations of DNSSEC / DANE application automation and services. For example, a demonstration of the actual process of setting up a site with a certificate stored in a TLSA record that correctly validates would be welcome. Demonstrations of new tools that make the setup of DNSSEC or DANE more automated would also be welcome.

6. When unexpected DNSSEC events occur

What have we learned from some of the operational outages that we have seen over the past 18 months? Are there lessons that we can pass on to those just about to implement DNSSEC? How do you manage dissemination of information about the outage? What have you learned about communications planning? Do you have a route to ISPs and registrars? How do you liaise with your CERT community?

7. DNSSEC and DANE in the enterprise

Enterprises can play a critical role in both providing DNSSEC validation to their internal networks and also through signing of the domains owned by the enterprise. We are seeking presentations from enterprises that have implemented DNSSEC on validation and/or signing processes and can address questions such as:

  • What are the benefits to enterprises of rolling out DNSSEC validation? And how do they do so?
  • What are the challenges to deployment for these organizations and how could DANE and other DNSSEC applications address those challenges?
  • How should an enterprise best prepare its IT staff and network to implement DNSSEC?
  • What tools and systems are available to assist enterprises in the deployment of DNSSEC?
  • How can the DANE protocol be used within an enterprise to bring a higher level of security to transactions using SSL/TLS certificates?

8. Hardware Security Modules (HSMs) use cases and innovation

We are interested in demonstrations of HSMs, presentations of HSM-related innovations and real world use cases of HSMs and key management.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence) description of your proposed presentation to by **Monday, 14 December 2015**

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:

Mark Elkins, DNS/ZACR

Cath Goulding, Nominet UK

Jean Robert Hountomey, AfricaCERT

Jacques Latour, .CA

Xiaodong Lee, CNNIC

Luciano Minuchin, NIC.AR

Russ Mundy, Parsons

Ondřej Surý, CZ.NIC

Yoshiro Yoneya, JPRS

Dan York, Internet Society

Written by Dan York, Author and Speaker on Internet technologies


The Cock and the Goat: ICANN in the Age of Horrorism

Like everyone else, former ICANN board members have been preoccupied by the horrific November 13th, 2015 attacks on Paris, France, by a bunch of cold-blooded mass murderers. Our email list discussion of the Paris attacks covered a number of issues, including the inevitable question: what, if anything, should ICANN do in response?

Some list subscribers concluded that the events had nothing to do with ICANN’s mission, and that we should just sigh and move on. Others, on the other hand, said: not so fast, it would serve ICANN well to take a closer look at the matter, and its ramifications on the wider world of ICANN. This latter group (to which I belong) argued that some aspects of the reaction to the attacks on Paris might have significant bearing on ICANN’s mission, as narrowly-defined as it is. The discussion, which over 3 days ran in a flurry of some 56 emails, reminded me of an African story about a cock and a goat …

The cock and the goat

Once upon a time, a cock was in a pen it shared with a goat and a sheep, and engaged in a discussion with them about a war that was raging in a neighboring country. The goat and the sheep lamented the loss of lives, and devastation caused by the war. The cock told them they were wasting their time, and wondered why they should bother about a war so far away, a war between human beings, and one that had nothing to do with them. Still, the goat and the sheep said, they felt bad about the war, and prayed it would end soon. The cock said it would not be bothered, and could not care less about the duration or outcome of the war.

A few weeks after this discussion, their owner received their relatives fleeing the war from the neighboring country. A day later, they overheard their owner’s wife asking her husband, “What do we cook for our guests?” Without hesitation, he replied, “Why don’t you kill the cock for them?” She promptly agreed, and so was sealed the fate of the cock who had concluded the war next door had nothing to do with him. In the aftermath of the attacks on Paris, the question then is: does ICANN run the risk of suffering the fate of the cock by staying aloof of the response to the events in Paris, and future events of global significance?

The war against terrorism

Whatever position ICANN takes, the rest of the world, especially the Western world, has firmly decided to combat the scourge of terrorism. In an address to a joint session of parliament in the Palace of Versailles, President Hollande of France said that “France is at war,” and that France would take internal measures, and engage its international partners in its fight against terrorism. Accordingly, Hollande has held talks with France’s allies around the world to drum up support for a strong response to the attacks on Paris.

The G20 leaders (including the US, China, and Germany), who met in Turkey around the time of the terrorist attacks on Paris, pledged their support for France, and engaged in a flurry of consultations to develop strategies for fighting the terrorists. The US, for one, has decided to share targeting information, and facilitate intelligence sharing with France. In the same vein, the UK recently announced a 5-year £1.9 billion investment plan to protect Britain from cyber attacks, and develop their capabilities in cyberspace.

Already, the Internet is being drawn into the debate. Some have concluded that the Internet is increasingly becoming an important tool for terrorists, and hence, a major challenge in developing an effective response to the terrorist attacks on Paris. Although some have tempered this argument, the reality is that governments are building more facilities, spending more money, and recruiting more people in readiness for a battle royal on the Internet. ICANN might very well be caught in the cross-fire.

Suffering terrorism

Although it would be crazy to expect ICANN to be front and center in the fight against terrorism, it would also be foolhardy for it to pretend all of this has nothing to do with it. The case for ICANN taking more than a cursory look at events such as the attacks on Paris is multifaceted. First, security experts concede that it is almost impossible to prevent future terrorist attacks, and “we cannot kill our way out of this war.”

In the two weeks since the attacks on Paris, Mali and Tunisia both suffered terrorist attacks with significant loss of lives. Terrorism (or horrorism, as I prefer to call attacks of the ilk of those on Paris) is now more than ever a fact of life. Each attack presents its own set of problems and challenges, and ICANN must evaluate them accordingly.

Second, ICANN has in the past been directly affected by mere threats of terrorism. ICANN 37 was held in Nairobi, Kenya in 2010 under a pall of fear about the risk of a terrorist attack or attacks. In 2011, ICANN 41 was moved from Amman, Jordan, to Singapore because of fears about the so-called Arab Spring protests then raging in the Middle East. I was on the ICANN board when the ICANN 37 and 41 meetings were held, and I recall the difficulties in making decisions about the venues of these meetings, the impact the decisions had on ICANN’s relation with countries in these sub-regions, as well as the associated costs and inconveniences.

ICANN’s mission was also impinged in the aftermath of the Boston Marathon bombing of April, 2013. According to a Cisco report, two botnets were launched after the bombings. The botnets rode on a massive spam campaign that lured victims to links with videos of the bombing, and malicious .jar files. The spam generated by the botnets accounted for up to 40 percent of the total spam during that period. The same report also said that the Boston Marathon bombing also led to the registration of “hundreds” of domain names related to the tragedy. The Cisco report shows that terrorist attacks often have a direct impact on the security and stability of the Internet, and hence impinge on ICANN’s core mission.

ICANN: cock or goat?

Against this background, my opinion is that the question should not be whether or not ICANN should react to terrorist and similar incidents of global impact, but how it should. In this regard, the starting points should be ICANN’s strategic plan and the enterprise-wide risks identified by ICANN, as well as the Risk Committee of the ICANN board. The 2016-2020 strategic plan for ICANN has 5 strategic objectives, each with its associated goals, outcomes, and risks to its attainment.

ICANN can use its strategic plan to prepare a matrix to evaluate the impact of major global events on its strategic objectives, goals, outcomes, and associated risks. This way, the assessment of each event will be based on ICANN’s mission and priorities, and guard against mission creep. The task of evaluating the impact of terrorist attacks and other global events on ICANN can be crowd-sourced to the community by establishing an interactive version of the strategic plan for people to suggest any risks and opportunities they see as pertinent to the organization. ICANN can then sift through and assess these suggestions, just as it presently manages public comments.

Although some might argue that such on-going assessments might be distracting, the fact of the matter is that these global events not only have direct impacts on ICANN (as with the case of the choice of meeting locations), but also indirect effects such as a poisoned atmosphere for the debate about Internet governance. Having a system in place to give these events the attention they deserve, and involving the community in evaluating their impacts, will be money and time well-spent for ICANN.

The alternative is for ICANN to act like the cock in our story, and not bother one bit about events around it. Although it might have been easy to argue in early 2011 that the self-immolation of an unemployed youth in Tunisia had nothing to do with ICANN’s core mission, the fires that event started ultimately ended up costing ICANN. By ignoring the world around it, ICANN might wake up one day to find that the global war against terror has been brought into its narrowly-defined turf, and then just like the cock, be had for dinner.

Written by Katim S. Touray, International Development Consultant, and ICT for development advocate


Officially Compromised Privacy

The essence of information privacy is control over disclosure. Whoever is responsible for the information is supposed to be able to decide who sees it. If a society values privacy, it needs to ensure that there are reasonable protections possible against disclosure to those not authorized by the information’s owner.

In the online world, an essential technical component for this assurance is encryption. If the encryption that is deployed permits disclosure to those who were not authorized by the information’s owner, there should be serious concern about the degree of privacy that is meaningfully possible. Potentially competing with an owner’s need for privacy are the legitimate investigation needs of law enforcement. Hence the current debate engendered by calls for “extraordinary access” — that is, the requirement for a backdoor to encrypted data.

When those making such calls are powerful government officials, effective opposition to them takes skill, credibility and gumption. In that regard, publication of “Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications” was an especially noteworthy event, both for its content and for its remarkable list of authors — all fifteen of them, representing three generations of senior security technical expertise, who offered careful explanations of the unavoidable technical and operational problems that are produced by any attempt to embed secondary, “exceptional” access to encrypted content.

In recognition of their singular effort and accomplishment, the authors were recently honored with the 2015 J.D. Falk Award from the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG). The award is given “recognizing a particularly meritorious project undertaken by a dedicated individual or group reflecting the spirit of volunteerism and community building.” It should be noted that the M3AAWG membership was enthusiastic about this award to the authors, in spite of the fact that pervasive encryption makes the work of M3AAWG members more difficult — encryption blocks some anti-abuse techniques.

The award event resulted in production of three videos discussing the content of the paper, the process of producing it, and its role in the public policy debate over exceptional access:

The essential concerns raised by the report’s authors are listed in its Executive Summary, noting that exceptional access would:

  • Force a U-turn from the best practices now being deployed to make the Internet more secure
  • Substantially increase system complexity and thereby increase risk
  • Create concentrated targets that could attract bad actors

The report was initially instrumental in altering public discussion about governmental exceptional access and in the plans for pursuing it. However some officials continue to press vigorously for this capability, although they do not detail the specifics they are seeking, and they do not address the basic technical and jurisdictional problems with such a capability. On the technical side, the assessment by the report’s fifteen experts is that the technical community simply does not know how to provide exceptional access in a manner that is sufficiently reliable and constrained.

Some government officials dismiss the aggregate expertise embodied in the report’s authors and instead say that technicians merely need to try harder. Given the many and continuing major breaches of government and private online systems and the documentation of unconstrained access already obtained through various persistent monitoring programs, such casual dismissal of the authors’ assessment is cavalier and does them — and us all — a serious disservice.

Written by Dave Crocker, Consultant


Zero Rating: Something Is Better Than Nothing! Or Is It?

One of the primary purposes of the global Internet Governance Forum (IGF) is to introduce a wide range of topics to newcomers and provide them with the opportunity to take back what they have learned, in the hope of establishing an understanding of the Internet Governance philosophy at the community or national level. As a first-time participant at the 10th Global Internet Governance Forum (IGF 2015), which took place in Joao Pessoa, Brazil, in early November of 2015, I felt the burden of being a representative from a developing country, a place where discussion of important issues is limited to a small group of individuals, often in informal settings, over coffee or, in my case, green tea. The conference, however, was a platform where discussions took place between key stakeholders including government personnel, regulators, civil society as well as Internet service providers.

I felt overwhelmed as I was listening to discussions on relatively new and some familiar topics. The burden felt heavier as I realized that the resources available to me to introduce or actualize these discussions to my community were much more limited. This was partly because of the supply side of the resources and also because of the interest within the community. Most of civil society, government, private sector and even technologists in Afghanistan simply do not seem concerned about the architecture of the internet technologies, physical location of a root server or the treatment of information intermediaries with our data. Instead, the topic that appears to be of more importance to our community is access and zero-rated packages offered by the telecommunication companies.

Zero rating is a pricing strategy by Internet providers where web services are discriminated between based on their content. It might come in different flavors in developed and developing countries, but the overall purpose is that giant corporations provide free or cheaper access to their content while disallowing or throttling the rest.

But let me give you another fact as well. In my country, Afghanistan, the phrase “something is better than nothing” is widely known and accepted both culturally and religiously. The notion behind this phrase is the concept of thankfulness, but it could also be interpreted as “take whatever you are offered, keep your expectations low and don’t ask for more or you will get nothing!” We literally had next to NOTHING in terms of Information Technology or Internet access 13 years ago. The whole of the country had a few hundred or maybe a thousand landlines, and internet was introduced to citizens at an extremely high cost through microwave satellites after 2002. So “nothing” is a scary fact that almost every internet user has experienced and still experiences on a regular basis from terrorists who routinely target our sole fiber optic line by cutting it.

Thus, the zero rating approach in developing countries carries the same meaning, and the telecom companies along with the government and regulator either shut down or disregard any voices that raise concerns over the filtering of the internet. Filtering is what technically happens when Internet service providers with an agreement with information intermediaries only offer one or a few of the billions of applications available over the internet.

Aside from this traditional shutting down mechanism, the government or the regulator does not have a net neutrality policy. So for them the issue has not been identified as a problem and the workable solution to the issue would be to exchange one zero-rating package with another.

Moreover, there are other challenges which further hinder the development of net neutrality policies in developing countries. For example, the government might not have the will or interest; the government legislature might not have any knowledge of the topic; regulators have no idea about the consequences of zero-rating packages that already exist, or don’t feel enough appropriate pressure from civil society; civil society organizations or individual activists are not vocal enough in getting their message out; users are happy with what they get because for them Facebook is the internet and that is where they get most or all of their online engagement; and finally, developing countries’ limited involvement in Internet Governance scenes, whether global or regional IGF or ICANN or any other platform, makes the net neutrality topic much more esoteric than it is in the developed world, resulting in zero-rated mechanisms being rather appealing since they allow un-connected citizens to go online.

The “connecting the next billion” phrase also does the injustice of pushing the Net Neutrality issue to the back seat. The Internet has historically seen steady growth over the last two decades. The emphasis on mere connection to some parts of the internet does not help the Net Neutrality debate in developing countries.

However, in the greater picture the zero-rated offerings, even with their appeal for a poor nation like Afghanistan, have social and economic consequences for developing countries. The Facebook- or WhatsApp-only packages, or ‘unlimited free access to Facebook only’ in a paid internet package, for example, have pushed citizens away from the actual benefits of the internet to a mere communication tool. This approach also keeps individuals from producing content in the form of blogs, videos, access to government services and academic research that is widely available on the non-Facebook internet.

Social media has generally affected the domain name and web services business. In Afghanistan bloggers, authors, poets, musicians, politicians, sports celebrities etc. have switched to free Facebook profiles and pages instead of setting up their portfolio on their own website with their own domain name. While other countries have embraced the mobile app business instead, in Afghanistan the zero-rated services (monthly Facebook bundle by Roshan or Internet with free Facebook by MTN) have drained the demand of web and mobile apps for developers.

It appears that we are still struggling to figure out whether something is better than nothing, or if ‘nothing’ now might get one ‘everything’ in the end. It is a debate that might satisfy governments, regulators and information intermediaries in countries where net neutrality policies do not exist; however, it does not address the root concerns. Net Neutrality and zero-rating are national policy issues and therefore they must be addressed and discussed at the national level. Moreover, our national issues as I have highlighted above are not disconnected from the overall purpose of a platform like the IGF. Indeed, it is gatherings like the IGF that provide the expertise in identifying the challenges and consequences of zero-rated mechanisms. It is also a site that triggers these discussions at the local/national level and in Afghanistan. My observations, as highlighted above, are just one beginning.

Written by Said Zazai


The Emotional Cost of Cybercrime

We know more and more about the financial cost of cybercrime, but there has been very little work on its emotional cost. David Modic and I decided to investigate. We wanted to empirically test whether there are emotional repercussions to becoming a victim of fraud (Yes, there are). We wanted to compare emotional and financial impact across different categories of fraud and establish a ranking list (And we did). An interesting, although not surprising, finding was that in every tested category the victim’s perception of emotional impact outweighed the reported financial loss.

A victim may think that they will still be able to recover their money, if not their pride. That really depends on what type of fraud they facilitated. If it is auction fraud, then their chances of recovery are comparatively higher than in bank fraud — we found that 26% of our sample would attempt to recover funds lost in a fraudulent auction and approximately half of them were reimbursed (look at this presentation). There is considerable evidence that banks are not very likely to believe someone claiming to be a victim of, say, identity theft and by extension bank fraud. Thus, when someone ends up out of pocket, they will likely also go through a process of secondary victimisation where they will be told they broke some small-print rule like having the same PIN for two of their bank cards or not using the bank’s approved anti-virus software, and are thus not eligible for any refund and it is all their own fault, really.

You can find the article here or here. (It was published in IEEE Security & Privacy.)

This paper complements and extends our earlier work on the costs of cybercrime, where we show that the broader economic costs to society of cybercrime — such as loss of confidence in online shopping and banking — also greatly exceed the amounts that cybercriminals actually manage to steal.

Written by Ross Anderson, Prof. of Security Engineering at Computer Laboratory, University of Cambridge
