Archive for the 'general.blog' Category

Spamming using nameserver records in WHOIS

Sunday, April 22nd, 2007

I’ve just come across an interesting technique for spamming, although I’m not sure if it’s new as I recall seeing something similar back in the late nineties.

Firstly, for anyone who doesn’t know what “whois” is: it is a tool/protocol which allows you to find out information about, for example, domain names or IP addresses, including who they belong to. There are multiple layers in WHOIS; the server operated by Verisign’s registry service is called ‘whois.crsnic.net’. If you have a .com or .net domain it will have such an entry which points to whichever registrar you used to register the name, which in turn provides details of the domain registrant and other contacts.

The registry also stores ‘host records’, which are a specific kind of record used for nameservers. Because of how the domain name system works, if you have a domain (e.g. seb.me.uk), you need to point that domain to some nameservers that know where to direct you if someone types www.seb.me.uk or sends an e-mail to something ending in seb.me.uk. However, you first need to find the nameserver. If it is within the same domain (e.g. ns0.seb.me.uk) then it needs a ‘host entry’ (sometimes referred to as a ‘hint’) to find the nameserver, which will then give more information about the domain.

These host records are registered at the registry by the registrars and inserted into the DNS zone files. What seems to be happening is that some companies insert host records for server names such as “someoneelse.com.www.theircompany.com”, which then come up when you search for someoneelse.com even though this is just a host within the theircompany.com domain.

I spotted this today for bulkregister.com, promoting dndialog.com:

Server Name: BULKREGISTER.COM.RESPECTED.BY.WWW.DNDIALOG.COM
IP Address: 81.177.3.240
Registrar: MONIKER ONLINE SERVICES, INC.
Whois Server: whois.moniker.com
Referral URL: http://www.moniker.com/whois/whois.jsp

The legitimate record which is also returned, is:

Domain Name: BULKREGISTER.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 16-feb-2007
Creation Date: 08-sep-1999
Expiration Date: 08-sep-2012

I guess preventing host names with “com” in the middle might help (along with other TLDs), although I suspect “ns” is a common suffix.

Barclays strengthens online security

Sunday, April 22nd, 2007

I’ve written before about security problems in online banking systems, being quite disappointed that financial institutions have been slow to step up security using even the simplest of tools, especially for personal and small business customers.

A couple of months ago, PayPal introduced security tokens in the form of RSA SecurID key fobs, quite an interesting move which I expected one of the high street banks to implement first. I was however pleased now to see Barclays introducing a pin pad device which will generate a similar code, although this one works in conjunction with a chip-and-pin card. This has the potential to be very useful if it can be shared across all cards. Personally I would much prefer a key fob, although, as I have stated before, this suffers from the problem of carrying around many of them; but to be honest I wouldn’t be carrying around a pocket calculator either.

It would be great if banks allowed customers to define their own security levels within a certain framework. For example, I would be quite happy with slightly less security for smaller transactions, and for those to payees who I have paid before, and require a chip-and-pin plus pin pad authenticated transaction when making a payment which is quite large or to a new payee. However, banks usually only do something new when they are forced to, rather than to try and improve their service, so I guess I’ll be waiting for several years more for this and some XML interfaces.

Internet Democracy: Why it doesn’t work

Sunday, April 1st, 2007

A CYNICAL VIEW–The Internet is a very powerful enabler of communication and social interaction between existing and new groups of individuals. It affords niche specialities and interest groups the opportunity to interact and collaborate toward their common goals.

The “Web 2.0” effect is all about users taking control and participating on the web, rather than just being passive readers. This is a truly empowering aspect of the Internet and should not be dismissed. However this is sometimes mistaken for democracy.

The opinion of Internet users isn’t democratic, because the users of the Internet, and more specifically of any particular site, are self-selecting. On a simple level, there are accessibility issues, both for those who can’t afford it or don’t have the same access to high speed services and always-on browsing, and for those who can’t access parts of it because of a disability, for example. Also, some people are too busy to take part in extensive web discussions and debates, and as such some key stakeholders are excluded from many web interactions.

The motives of users on the Internet are hard to determine. Although this isn’t exclusively an online problem, the network of trust is still developing online and it’s therefore difficult to know which reviews, opinions or ratings are more ‘useful’ than others.

Some have argued that the introduction of citizen journalism is lowering the standard of reporting and thus making accurate news reporting to a professional standard harder. Just because many people believe an article is good doesn’t make it an accurate reflection of the facts. It may be possible to get a high rating for an article simply because it appeals to the populist expectations of the participating audience.

I am not in any way suggesting that the web 2.0 revolution is a backward step. It is a positive next evolution in the future of the Internet. Over time, it will improve the quality of participation and overcome many of these issues, and it will be the next era of the Internet as active participation is no longer reserved for the technical elite.

PayPal takes security seriously

Wednesday, February 14th, 2007

I have to admit I wasn’t expecting PayPal to be the first company that realised phishing was a real problem but having just read a BBC News article reporting that PayPal is introducing a security token, I am very pleased to see this happen.

How do they work?

These Verisign tokens are devices that generate one-time passwords every 30 seconds using a cryptographic key known only to the token and the server. PayPal will be selling these for $5 (USD), which is frankly a ridiculously cheap price for these tokens. The suggestion on BBC’s site that PayPal should be providing them for free is interesting, but I would pay a lot more if I managed to persuade my banks to provide these. Separating the authentication from the computer by requiring the user to type the tokencode into the system will vastly improve security, although this doesn’t solve the problem outright.

The article does acknowledge a problem with man-in-the-middle attacks, which are still possible as long as the malicious party is ready to use the tokencode immediately it becomes available to them. This means that someone engaged in phishing would need to run a site which persuaded you to give them the tokencode, which they then used to log into PayPal straight away. This does decrease the window of opportunity significantly, however. One-time passwords in general have always suffered from race conditions, and this is not too different.

The keyring problem..

These tokens have already been used in the corporate market for many years with RSA SecurID being one of the leaders. Similarly banks have used them for specific applications like corporate banking, stock brokerage, etc. When they wake up and realise the benefits of cutting fraud and introduce them for all customers, we are all going to have fun carrying around one of these tokens for each of our bank accounts, workplace login systems, etc. They may be getting smaller but they aren’t that small.

Sooner or later, some kind of hybrid solution needs to be found. Sharing the token ‘secret key’ (the encryption key located on the token and the server) is clearly not an option unless it’s a full public-private key infrastructure, although with codes as short as six (or, in RSA SecurID special applications, I believe up to eight) digits long, I’m not sure how feasible that would be whilst maintaining security, seeing as you don’t want your employer having the keys to your bank account, etc.

Another option is a trusted third party verification system, something that is already being tried on the Internet in general for unified logins. However, it then comes down to the question of whether you trust the third party. Is it wise to put all your eggs in one basket?

What I suspect will happen, certainly for devices which show digits on the front, is that hybrid devices will come in which can securely store multiple secret keys which in turn work for different functionality. In the long run, it’s also quite possible that smart cards will take over, in which case a full PKI infrastructure will manage the problem with a single key. The reason why these ‘tokencode’ devices are so useful is because they require no hardware interface to a PC (although some have USB interfaces), which means they can be rolled out at minimal cost. To an extent this already happens with RSA having soft tokens for PDAs and mobile phones.

Open standards & low quantities

The one change I would like to see this industry make is for the standards to become open and for individual keys to be sold without the need to buy a huge infrastructure to go with them, as this would encourage even smaller companies to adopt these, which are currently priced for the corporate market. RSA has launched a SecurID appliance but the cost per user is still very large and the licensing overly complex. Charge £10-20 per token and £10 per order to deliver the keys, and allow open development of the server applications. Of course, I doubt RSA will go that way as they would fear for their corporate business, but sooner or later this cash cow will mature into a competitive industry. It is worth adding that some platforms are more open than others; some of these are linked below.

I have also just seen the Initiative for Open Authentication which is trying to unify authentication architectures and looks promising.

Links

Verisign
RSA SecurID
Aladdin eToken
ActivIdentity

Microsoft Windows Vista – The hidden cost?

Saturday, December 30th, 2006

I spent the best part of an hour reading an interesting document entitled A Cost Analysis of Windows Vista Content Protection by Peter Gutmann which discusses problems that Microsoft Windows Vista introduces into the general PC market by its implementation of copy protection measures which will both increase the cost of hardware as a whole (not just for Vista users) as well as artificially degrading output of high quality devices.

Microsoft’s new system of handling device drivers (the pieces of software that interface between hardware and the operating system) and the standards they require all such drivers to adhere to will require hardware manufacturers to change the way they design hardware. Specifically, they need to do so in such a way as to make it very difficult for someone to intercept signals for ‘protected content’ (e.g. movies, music, etc.)

To achieve this, hardware designs need to be less modular. Traditionally, modularity has been used by manufacturers to develop multiple products using the same core framework or circuit board, a bit like each car model having the same frame with different extras. This reduces development and production costs as these can be shared across a larger number of units. By removing this flexibility, the cost of hardware (sound cards, graphics cards and motherboards at least) will rise, and since Microsoft is in such a dominant position in the market, it means the cost increases will affect everyone including non-Vista users. With requirements to encrypt communications between devices, the cost in processing terms, and therefore power consumption, will also rise. In a world which is increasingly aware of the environmental impact of technology, this is counter-productive.

Not only are Linux and other users faced with potentially increasing hardware costs; the author of this document suggests that the specifications for the hardware need to be closed to be certified to work with Vista, thus reducing the likelihood that open source drivers could be developed and making such hardware incompatible with Linux operating systems, for example.

Essentially, Vista’s new copy protection system means you can’t play legally purchased content (e.g. movies) with a legally purchased high quality monitor if it doesn’t support the copy protection standards.

If this wasn’t enough, Microsoft is employing a driver revocation system which allows it to disable any devices which ‘leak’ protected content (allow you to copy a movie for example) rendering parts of your PC as useless as a brick.

These are just some of the issues raised by this paper. There’s a summary of the issues on TheRegister for those too busy to read the full document:
http://www.theregister.co.uk/2006/12/27/windows_drm_monstered/

It may not be obvious from the above, but I am a Microsoft fan. I like Linux shells but I prefer Microsoft as a workstation OS. I like the way Microsoft software works and how predictable the features are (I’m not quite sure of the new IE7/Vista ideas but I won’t judge that yet). I have dabbled with OS X but I like Windows too much to switch. Will this be the catalyst for a change in my position?

“Free” and “Unlimited”

Thursday, December 28th, 2006

These two words are the most abused terms in broadband advertising. The Advertising Standards Authority (ASA) did publish a critical adjudication against Carphone Warehouse for using “free forever” in its TalkTalk advertising, but there is still a lot of marketing material which is open to misunderstanding, by naive consumers in particular, as to the nature of the costs and limits of a particular product or service.

Let me be clear about this – There is no such thing as “free” or “unlimited” anything which doesn’t at the very least rely on the law of averages. Any company using these terms is relying on income from something which helps make particular options or features available at no additional cost. Usually they are suffixed by an asterisk or other reference to a footnote detailing the terms, or worse, text such as “Terms and conditions apply. See website for details”.

So why am I so wound up about this? – I view using these terms as being dishonest. Let’s look at the word “unlimited” for a second. It means “without limit”. Therefore by definition “unlimited internet” means “internet without limits”. Now I can understand that it is not possible to run a service which is not contended (and thus limited in some way), but my issue is where the small print includes concepts such as a ‘Fair Usage Policy’ (which comes under various names including Acceptable Use Policy, Sustainable Usage Policy, etc.)

These policies effectively place limits on what is and is not acceptable, thereby rendering the product no longer unlimited. The honest service providers call these services ‘unmetered’. I am not suggesting that all products should employ charging by usage, but if they have limits in the form of FUP/SUPs, they should be clearly labelled as such. ‘Unmetered’ is understood to mean you won’t get a meter reading each month on how much you’ve used.

Recently, several broadband service providers have started offering ‘free broadband’. This is another term I take issue with. It’s not really free: you have to subscribe to some other service to qualify, so in reality there is a cost. This is slightly less of an issue as it can be argued the broadband is free whether you take it or not; however, I am quite concerned that many users do not see past the headline when choosing a provider.

Internet: A social right?

Sunday, December 24th, 2006

Following my discussion on social exclusion if Internet sites have to resort to micropayment charging for visitors, a comment asked if I believe that Internet access is a social right, like housing and food.

The modern economy is making increasing use of the Internet to lower transaction costs, which sees “Internet discounts” for everything from insurance services to banking benefits and accessing government services online. Even HM Revenue & Customs is giving financial incentives to companies who file annual employer returns electronically (with a view to making it compulsory for the remaining businesses – it already is for larger ones). The capability of the Internet to lower barriers to entry in markets, increase competition and increase access to information (a key requirement for a ‘perfect competition’ economy) is phenomenal, and it is something that every part of society needs to be able to access.

I guess by that I am indeed arguing basic Internet access is a social right just like housing and food. In the modern economy, exclusion from this can restrict your career prospects, access to online learning material, etc. If on the other hand you’re asking me if playing online games, and downloading movies online is a social right, clearly the answer is no. I am therefore not arguing the government should be running a national UK Broadband Service, but that we should be conscious that the ability to access the Internet can have significant social benefits. Premium Internet access is still a luxury.

The question I was posing in my micropayments article was whether a trend towards usage charging might lead to exclusion of those who can only just afford the cost of accessing the Internet.

Micropayments: Social exclusion?

Saturday, December 2nd, 2006

Running a web site that relies on advertising as its only source of income has presented some interesting challenges. Over time, various users have suggested that we should be offering subscriptions or taking donations as a way to fund the site, and maybe use this as an option to allow individuals to opt out of advertising.

Whilst there are no widely used micro-payment solutions around, so the feasibility of such a system is still questionable, it raised some concerns about the impact on society if the net moves towards this system to replace advertising.

Let’s assume that when visiting an information website, you pay 5 pence (say 10 cents for the Americans) per month to access that site. Now this may be regarded by many as a wholly reasonable price, and everyone can afford 5p, can’t they? Well yes, maybe, but what if they visit lots of websites? If the fee was based on usage of a site, then it would need to be higher. Maybe frequent users pay £1/month ($1.90), but with a dozen sites that’s a significant income loss to those on very low incomes who could most benefit from the Internet.

Now some will argue that this would be a choice for users, who can decide they will pay to not watch adverts, but my question would be: would advertisers be interested in targeting those who can’t afford to buy an opt-out from advertising anyway, since their disposable income would be lower? I don’t know the answer to that, but I think it poses an interesting social exclusion question to any changes in how web sites are funded, and we might find separate search engines for developing countries as they could not afford to pay the same rates as those in developed countries.

Understanding Service Levels, or not!

Sunday, November 19th, 2006

On Friday, a press release landed in my mailbox which made me ask exactly what do people expect from low cost services. It contains a quote from an individual describing himself as a “business owner” who had a problem with his broadband service provider who was in dispute with its supplier. Apparently he operates an “Internet retail business” and says that his business would have gone under if his broadband service had been down for six weeks.

This is where I have a problem. How can a business have no contingency plans in place to cope with a fairly sizeable risk that a single broadband connection could be down for an extended time period? Are they hosting their website on the end of their £10.99 DSL line? If you run a business which is so dependent on your connection, then get a leased line, or at least multiple broadband connections with different providers, and ideally different technologies.

Internet Governance – Stakeholder vs. Democracy

Tuesday, October 31st, 2006

The UN Internet Governance Forum is currently taking place in Athens with not far from 1,500 attendees registered for a room that can’t hold more than 800, to discuss four key topical issues of Openness (freedom of expression, flow of information, etc.), Security (trust), Diversity (multilingualism, local content) and Access (connectivity, policy and cost). Having attended the Nominet organised “The Road To Athens” meeting a few weeks ago, I was quite surprised at the openness of the organisers, Mr Nitin Desai in particular, to encouraging wide participation in the process.

Karl Auerbach in his blog makes reference to a paper he wrote which argues that stakeholderism is a ‘regressive idea’ in conflict with the principle of democracy, adding that stakeholderism is about organisations rather than individual people having influence in the process. I think he has a point in that anything you put in the way has the potential to distort the interests of the stakeholders, but on the other hand is our political system any better?

Democracy is an imperfect system along with all others in politics, but it’s the best of a bad bunch which tries to achieve a result in which everyone is represented fairly. With the national governments the population feels it is ‘important’ enough to get involved and vote, but looking at the elections run by Nominet for the Board of Directors and the Policy Advisory Board, the turnout is such that most members who can vote don’t. Many put this down to Nominet not doing enough, and whilst I’m no stranger to criticising Nominet where necessary, I think they have made and continue to make an effort to engage the membership. Many stakeholders are busy and thus sometimes it is left to those who are not to elect individuals to represent them, so I’m not quite certain that a democratic solution is perfect. Democracy also encourages ‘politics’ to get elected in the first place, which is not about representing the electorate, but persuading them you will represent them. I think in Nominet’s case, the election of half of the members of the PAB has resulted in a group of people who overall will bring on board a wide range of views. There are very few groups which are as diverse in their views and interests as the PAB. I believe this makes it a very strong forum as compared to other systems which restrict choices to nominating committees, etc.

I think the way in which a stakeholder model (and I mean from an ‘organisational’ point of view) works depends heavily on the values the individuals involved share and to what extent they can distance their own personal beliefs, agendas and ulterior motives from trying to consider the bigger picture.

The concept of a ‘stakeholder’ is not in my view exclusive of the concept of democracy, but it is the implementation of a mechanism which takes these into consideration that may at times suffer. A ‘stakeholder’ is someone who holds a stake in the outcome of a decision or policy, someone who is affected by it. This may, but need not be, financial. I suspect the mistake often made is to appoint an organisation to ‘represent’ a particular stakeholder group which is not in a position to do so. I suspect for example ‘intellectual property’ interests can be better represented by an individual than ‘the consumer’, which is a wider ranging group with disparate beliefs.

Taking the democracy principle further, it could be argued that all democratic governments would be suitable to represent their entire nation within a forum such as the IGF. With due respect to politicians and their hard work on our behalf, I would prefer to have wider input in such an important process. It is also not possible to exercise micro-democracy on every decision. If the population of a particular country is growing at a phenomenal rate, does that mean they should dictate how the Internet works because they have many individuals? I think the answer is no, in the same way the Internet should not be run by the U.S. Government either. What is needed is a middle ground which takes into consideration all the viewpoints, and that is what a stakeholder approach attempts to do.

We also need to recognise that particular stakeholders may have more of a stake than others depending on the policy in question. If we are examining Internationalised Domain Names (domains with accents, or characters from Japanese, Chinese or Arabic languages for example) then the IDN users are a very significant stakeholder group, whilst their significance to the location of root servers is far less relevant (although the same people as a regional group may well have a strong stake in that debate). We need to accept the concept of dynamic stakeholder groups which may vary across time and on different issues. This concept is something I think the IGF has understood from the reference on BBC News from Nitin Desai where he makes reference to dialogue and formation of “coalitions of the willing” rather than a decision making meeting.

As with democracy, stakeholder theory is imperfect both in principle and implementation, but it is not ready to be dropped quite yet. What we need to recognise, which I believe is Karl’s fundamental concern, is that this should be an inclusive rather than an exclusive approach, and this needs to be on a level field rather than giving exclusivity or premium status to particular organisations, especially on a general level.

We have already seen with the IGF a wide range of views on the igf2006.info site, recognising that interests are not limited to the people at the event in Athens in person. This is the beginning of something very interesting. It would be very refreshing to see the United Nations adopt the IGF model of encouraging wider participation in every type of forum it hosts. The Internet is not a technical development, but a social one, and it will change the world of representation within every level of politics and governance.