Most Viewed

SQL Injection in the Wild

As attack vectors go, very few are as significant as obtaining the ability to insert bespoke code into an application and have it automatically execute upon "inaccessible" backend systems. In the Web application arena, SQL Injection vulnerabilities are often the scariest threat that developers and system administrators come face to face with (albeit way too regularly).

Phish-Proofing URLs in Email?

For those who've been living in an e-mail free cave for the past year, phishing has become a huge problem for banks. Every day I get dozens of urgent messages from a wide variety of banks telling me that I'd better confirm my account info pronto. ...Several people have been floating proposals to extend authentication schemes to the URLs in a mail message. A sender might declare that all of the links in it are to its own domain, e.g., if the sender is bigbank.com, all of the links have to be to bigbank.com or maybe www.bigbank.com. Current path authentication schemes don't handle this, but it wouldn't be too hard to retrofit into SPF. ...So the question is, is it worth the effort to make all of the senders and URLs match up?

Role Of The Government In The Internet Infrastructure Revisited

When thinking about the infrastructure of the Internet, it is important to consider the role of government in this infrastructure.

This is a question that involves two aspects: the role of government, and the role of the computer scientists who are part of the needed government structure or institution. Reviewing the history of the development of the Internet helps to highlight the importance of some role for both government and for computer scientists.

The Internet of Stupid Things

In those circles where Internet prognostications abound and policy makers flock to hear grand visions of the future, we often hear about the boundless future represented by "The Internet of Things". This phrase encompasses some decades of the computing industry's transition from computers as esoteric pieces of engineering affordable only by nations, to mainframes, desktops, laptops, handhelds, and now wrist computers. Where next?

.Name Registry Hacked

On Saturday, November 29, 2003 a post on the GNSO mailing list indicated that the .name registry website had been hacked. As reported by George Kirikos, "The .name registry's main website www.nic.name has been hacked, as of Saturday evening in North America. According to Netcraft, they're running Linux. They must not have kept up to date with all security updates, or someone cracked a password. Hopefully offsite backups were made, to ensure data integrity." Although, due to this emergency, the .name web servers have been pulled down as of this writing, just a short few hours ago, visitors to the .name registry home page would find a mysterious black screen upon visiting the site, including the following text...

A Look at the Facebook Privacy Class Action (Beacon) Settlement

Facebook announced on Friday that it settled the class action challenging its "Beacon" advertising program. Net result? Facebook establishes a privacy foundation funded with $9.5 million (or what's left of this amount after attorneys' fees, costs, and class claims are deducted)... Beacon was an advertising program launched in November 2007 which (roughly speaking) allowed the transmission of purchase and consumer-related information between partner retailers, Facebook, and of course, your Facebook friends. I don't think many people have a sense of all of the contours of the program...

What’s Wrong with Domain Names?

Despite the significant traffic that comes from typed-in domain names, the public harrumphing and clucking about type-in traffic is climbing in volume as it becomes clear how much money is involved. Articles this week show that domain names, and the people who make money on them, are making some commentators uncomfortable.

Canada’s Anti-spam Bill C-28 is the Law of the Land

It's been a long time coming, but Canada has an anti-spam law, and one which sets a new world standard, and a tough, but fair, opt-in protocol for everyone in North America who sends commercial email and other electronic messages. Yesterday, The Canadian Senate voted to accept Bill C-28, and today, December 15, at 13:00 eastern, it will be given Royal Assent of the Governor General of Canada, His Excellency the Right Honourable David Johnston.

Problems With Defining Jurisdiction on the Internet

The term "jurisdiction" has various definitions in law, but for our purposes here we can say it is the power of some legal body to exercise its authority over a person or subject matter or territory. In the Internet today, it is territory that gives rise to many major issues. As in real estate, what matters in jurisdiction is "location, location, location". When the Internet and trademark rights began to intersect, it quickly became apparent that traditional concepts of the jurisdiction of courts and legislatures would be seriously strained by situations where a registrant in one country could use a registrar in a second country to register a domain name in yet a third country.

Microsoft’s Contribution Was TCP/IP

There's a fascinating blog discussion going on here, here and here. The conversation is around Marc Andreessen's refusal to trash Microsoft and Bill Gates on stage. Andreessen points to the way in which the company drove the industry forward in the 1990s, and Mathew Ingram says "love them or hate them, at least Microsoft standardized the operating-system market"...

Abusive Anti-Anti-Spam Scheme a Dreadful Strategy

A new company called Blue Security purports to have an innovative approach to getting rid of spam. I don't think much of it. As I said to an Associated Press reporter: "It's the worst kind of vigilante approach," said John Levine, a board member with the Coalition Against Unsolicited Commercial E-mail. "Deliberate attacks against people's Web sites are illegal."

Registrar Market Share: An Alternative Perspective

In the past, most measurements of registrar market share have tracked overall registrar shares -- number of domains registered by a registrar divided by number of domains registered by all registrars. In this article, I propose some alternatives -- particular subsets of domains in which to measure registrar market shares, providing a basis for comparison with overall market shares. Results vary dramatically across these subsets, with implications on the future customer retention rates of the corresponding registrars.

Internationalizing Top-Level Domain Names: Another Look

A paper by Dr. John C. Klensin, former Vice President of Internet Architecture at AT&T, a Distinguished Engineering Fellow at MCI WorldCom, and Principal Research Scientist at MIT. This paper has been reproduced with kind permission from the Internet Society. "Over the last few years, rising interest in internationalized domain names has been accompanied by interest in using those names at the top level and, in particular, replacing or supplementing country-code based domain names with names in the language of the relevant countries. This memo suggests that actually creating such names in the DNS is undesirable from both a user-interface and DNS management standpoint. It then proposes the alternative of translating the names so that every TLD name is available to users in their own languages."

ICANN and the DOC

ICANN today issued a press release and a series of documents about its relationship with the U.S. Department of Commerce. ...ICANN is no longer bound by the specific set of milestones that were in its prior MoU with DOC. With this freedom comes great responsibility. Without detailed government oversight, and without market competition for policymaking for domain names, ICANN (and the ICANN Board) has a great obligation to be accountable to its community.

Internet Governance Outlook 2020: The Next Generation of Players and Problems Is Coming

The beginning of a new decade is always an invitation to have a broader look into the future. What, in the next ten years, will happen in the Internet Governance Ecosystem? Will the 2020s see the usual swinging pendulum between more liberal and more restrictive Internet policies in an interconnected world? Or will we move towards a watershed?