E-CRIME AND ABUSE OF THE DNS FORUM: A GLOBAL PERSPECTIVE
Wednesday, 4 March 2009
ICANN - Mexico City

>>DENISE MICHEL: For those who just came in, my apologies for those early birds. This is going to become quite repetitive. But for those who just arrived, welcome to the e-crime and DNS abuse forum. On this slide here are the names, locations, and a brief description of each breakout session. At 5:00, for the last hour of this forum, you are going to have to choose one of these four breakout sessions to participate in. The purpose of these breakout sessions is to allow the audience participants to discuss these issues in greater depth and come up with any suggestions or next steps or issues or concerns that they may have. The results of these breakout sessions will be presented in the public forum on Thursday, and also posted on this Web site. Also, there's staff at the door handing out white question cards. Please make sure you get one, then fill them out with any questions that you have that you would like to incorporate in this forum. Please complete them. Just hold them up in the air and the staff will come and get them and bring them up to the front, and we will incorporate as many questions as we can into the forum, as we have allowed Q&A time after each of these sessions. Thank you, and welcome to the forum.

>>DENISE MICHEL: Please take your seats. We are going to get started. And I would like to take this opportunity to again remind the people who have just entered to look at this screen. We are running four breakout sessions at the same time for the last hour of this forum. You will need to choose between these four. Choose one. We have got the title, the location, and a sentence about what they are going to be focusing on. You will need to choose one of these breakout sessions to participate in for the last part of the forum.
The results of these breakout forums, any concerns, issues, suggested next steps or recommendations, will be presented at the public forum on Thursday. And it will also be posted on the Web site. Make sure you have got a few question cards. When you came in the door, we have staff passing out question cards. We have Q&A time throughout this forum, but we are taking questions from the cards. So make sure any questions that occur to you during this forum, write them down. Just hold them up in the air and staff will bring them up and they can be incorporated to the extent possible that we have time. And we'll incorporate as many questions as possible. So please make sure you use those cards for questions. My name is Denise Michel. I am the vice president of policy for ICANN, and it's my great pleasure to welcome you to the e-crime and DNS abuse forum, and also to introduce our first speaker. Welcoming remarks will be given by Alejandro Pisanty. He is an august member of the ICANN community, one of those individuals that helped with the foundation and creation and growth of ICANN from the early years. He is based here in Mexico City. He currently is director of computing and academic services at the Autonomous University of Mexico. He was. And he has moved on to better and greater things. And we're so pleased to have him here to give us some welcoming remarks and start the forum. Alejandro.

>>ALEJANDRO PISANTY: Thank you, Denise, and thank you to all the workshop organizers for inviting me. This time I cannot only say I stand on the shoulders of giants, but I sit at the table with people I look up to. It's a great honor. I will speak in English because there are no -- as it happens, there have been no headsets provided on the podium, so I will not put you through the double effort of understanding what I mean to say in going through the Spanish.
This workshop has been organized by a distinguished group of specialists in information security and the Domain Name System, and a group of people dedicated to the promotion of the diffusion of technical and policy knowledge in ICANN, in particular, and in public policy, security, and so forth. And I would like to express my thanks to this dynamic team which did a detailed, thorough job, and I am sure that I am conveying the thanks of all the other people here on top to this great team, and I hope Margie will convey these thanks specifically to everyone. It's a well-known fact that the Internet provides a space in which all forms of conduct, of human conduct, progressively get expressed, and some new ones appear, but in a large fraction what we see are new expressions for new ways to express existing conducts. And these will include both positive, generous, philanthropic, what have you, and they will include all kinds of bad conduct, including serious crime. The work to understand, prevent, detect, stop, fight cybercrime, or crime done with Internet and I.T. media, to mitigate its effects, to help people and organizations recover from their effects, necessarily happens in a number of spheres, some of which are completely alien or basically non-overlapping with the ICANN field. However, there is an intersection, and it's an important, highly nontrivial intersection. Further, ICANN has to pay very careful attention to security issues, both in running the infrastructure of the Domain Name System and in coordinating the part that it coordinates, and an example of that, of course, is just making sure that everybody is making their copy of the root servers available and keeping its integrity, and it has to pay attention to the uses and abuses of the work it does, of the Domain Name System and the IP address allocation system, for crime.
Therefore, there's attention paid, and this is the object, the purpose of this meeting in particular, is to pay attention to a specific set of crime activities which relies on different forms of abuse of the Domain Name System. These cover a very, very wide spectrum, which will be covered by the speakers, from those in which the object of the crime itself is the DNS infrastructure, like hijacking of domain names or cybersquatting, to others which are much more sophisticated and in which all sorts of malware rely on abuses of the Domain Name System to do the criminal's jobs. The stakeholders in these activities are more fine-grained than those that we consider in the World Summit on the Information Society analysis. There we consider a very big picture of civil society, technical community, governments, and business. And here it goes into a much finer grain to include final Internet users, domain name registrants, banks, and other intermediary -- other financial intermediaries, as well as people who deal with payphone cards, anything that can be traded for money. All the authorities that are involved in law enforcement, judges, lawyers, experts before the courts, prosecutors, ISPs, and information security specialists, consumer defense authorities, and even treaty organizations, which have to deal with the different aspects of cybercrime, in the case, specific case of abuse of the Domain Name System. Groupings like the Anti-Phishing Working Group have been doing a great job of fighting specific crimes such as those connected with phishing. They have created on their own governance models that bring all these stakeholders together, and they have been extremely effective in bringing specific representatives of these stakeholders. I will make a brief reference to a closer instance of this kind of multistakeholder work, which is work we have done in Mexico.
For several years, and with an initiative that we took from the national university where I was the CIO and the UNAM-CERT, which is a part of this unit headed by Juan Carlos (saying name), and Alfredo Reyes (saying name), who I hope is here, or will be arriving soon, who was heading an electronic commerce branch of -- unit of one of the major banks in Mexico, and whose attraction -- attention was attracted to phishing, in particular, by several incidents, we formed a group that has now been named e-crime by (saying name), and this group has managed to be an informal coordination mechanism between banks, the CERT, experts, and other authorities. And it has grown to be quite effective, at least for the takedown of phishing sites. And it has also shown us some of the complexities which I will briefly refer to in advance of what the other speakers will surely do in a more formal and better way. We found that there was intense pressure from some of the banks for NIC Mexico, the ccTLD manager, to institute a very rapid takedown procedure for some of the domain names under dot MX that were being used for these abuses. And we quickly found that bank X dot com, dot MX, would have created some whites or at least registered some names of whom the bank itself was not aware. And yet they looked to everything ripe for a takedown. So the abuse of the system indemnifying or keeping away from the ability, dot MX managers and so forth, become really complex matters. A similar analysis was being made a bit later and at the time by dot Asia with a proposal for rapid takedown in similar circumstances. So I only mention this in order to underline that the problems that we will be describing, that distinguished panelists will be touching upon, are really complex. There are no simple solutions, and it takes a battery of experts, like the one up here plus the many more out there, to face these difficulties.
So in the session you will see a general landscape of cybercrime, of the abuses of the Domain Name System, a number of different responses, a role for ICANN in particular in some of these cases. And a larger set of presentations, after which, as Denise has announced, there will be breakout sessions to discuss in more detail and to have contributions from the participants. I am sure this is going to be an exciting and extremely informative session, so stay plugged. Thanks a lot.

>>CHERYL LANGDON-ORR: Thank you very much, Alejandro. My name is Cheryl Langdon-Orr, and I am the chair of the At-Large Advisory Committee. And coming from the consumer Internet end user end of the spectrum, I have the honor of being the moderator of this afternoon's session for the first panel. Your first panel of experts are going to explore the e-crime landscape, and it is my absolute privilege to introduce a fellow ALAC member, hailing from the North American region, Mr. Beau Brendler, the director of Consumer Reports WebWatch and the Internet integrity division of Consumers Union. The floor is yours, Beau.

>>BEAU BRENDLER: I think we found out we have to hold these mics down the whole time so if I have a thumb spasm in the middle of this presentation --

>> Hold the red button --

>>BEAU BRENDLER: There aren't any red buttons. Anyway we already know this is the e-crime workshop. Consumers Union is an organization that represents 7 to 9 million people in the United States and Canada and has close ties to consumer organizations around the world. So as I am going through this presentation I want to be clear about, when I say consumers, generally speaking, I am speaking about end users. So this is a survey I am going to refer to briefly. It is something we did over the summer. It is statistically representative of New York State only, but of course New York State is kind of an interesting -- it's an interesting statistical place to look at.
It's got Manhattan in the south and then of course it's got -- oh. Thanks. Can you hear? Is it on? Okay. And then in the north is Rush Limbaugh country. So it's very diverse. Of course it's very diverse in terms of ethnic community. So we're only talking about 14% of people in New York State who have actually registered a domain name. So it's sort of a statistic to keep in mind as we go. The same population doesn't really know anything about WHOIS. 68% of the 2,000 people we spoke to said that they didn't know what it was and weren't aware of what it could do, which we thought was very interesting. And you can make arguments any direction on that, but again, that's just for New York State. We have all seen plenty of statistics like this before and we are going to see lots of them today, so I am not going to dwell on them for a long time, but here is a big page of statistics for you from Consumer Reports and Consumers Union. We don't take any advertising, so these statistics are what they are. The ones that are labeled New York come from the study that I was referring to earlier. 24 percent of New Yorkers report a malware infection. 27% download from the Web less frequently as a result of fears about crime. When they look for help, most of them turn to an ISP and it's actually a fairly small number. When they are looking for help, 19% turn to an ISP, and much smaller numbers turn elsewhere, to law enforcement organizations. 64% have received a pharmacy spam, and I'm sure the number is probably just about the same in this room. Getting down to the bottom there, you will see those four statistics that are labeled CR. Those are actually indicative of the U.S. as a whole, so Americans lost 8.5 billion dollars, that's regular consumers, in 2008. 2.9 billion of that was viruses, 3.6 billion of that was spyware, and 2 billion was to phishing scams.
One of the things we found out at Consumer Reports and elsewhere is that it's actually not all that hard to find examples of this stuff going on. I have a couple people to thank for sending me these kinds of things. Derek Smythe who runs an organization called Artists Against 419 and also Garth Bruen of KnujOn who I think has made quite a splash here, and you will hear from later. But this is a Russian site that basically advertises to other people who want to get into the illegal pharmacy business. I don't know how well you can see that graphic down at the bottom there but I think it's kind of interesting. It's sort of a corrupted, I guess, caduceus. It's like a snake with a martini glass. "GlavMed is the best way to convert your pharmacy into the money. Forget about miserable sums you are getting sending your visitors to PPC pharmacy results," and on and on. My organization is very interested in health, so the proliferation of online pharmacies and such is of great interest to us. You can actually go to this URL and see quite a bit more robust discussion on this, but this is a discussion on a chat board where people who are trying to figure out what the best target is to host an illegal pharmacy talk about which are good registrars and which are not. Paul Stahura is probably not going to be too happy. He and I have chatted a bit this week. If you look at the very bottom there, people are looking for suggestions, go to namecheap.com because he is a reseller of eNom, not Directi and other registrars that have actively begun to combat pharmacy. I encourage you to go to that URL and look at the whole conversation. Journalism is undergoing an enormous transformation. People are doing blogs as a result. Sometimes the blogs may not -- you can't necessarily believe everything you read in a blog. I pick this out because it demonstrates that here is a frustrated consumer who basically went and posted a letter to the CEO of GoDaddy.
Is it Rick Parsons? Is he here, Mr. Parsons? I don't know. But anyway, he just says you are the CEO of GoDaddy, and then he, of course, puts links to the Registrar Accreditation Agreement and says, "Please read this. Please read this." The point I am trying to make here is not an obvious one. It's just that what we see a lot is people are frustrated that they are not getting a response to something. They want a response. If there's a problem, they want to hear back from somebody, be it an organizational body, be it a company, just, you know, that their complaints and concerns are heard. We see a lot of this stuff because they get frustrated and come to us as a consumers organization and say can you do something about this for us. So as a result, in terms of consumer education, this is what we tell people. This is what we tell seven to 9 million subscribers across the United States and Canada. You probably won't like it. Don't use sites in dot info, dot biz, dot RO, dot RU, and dot CN. Don't use sites who have that domain if you have six. Use WHOIS to investigate Web sites, when it's reliable. Sometimes it's reliable enough to give you a clue. And just don't do business with any Web sites that are using private proxy registration. That's what we tell people. Just don't do business with those companies. DNS and e-crime: no myth. I just put this here because when I started out with doing ICANN work back in Puerto Rico, whenever this topic was brought up, people tended to say that's out of scope. We don't talk about those things and such. So I think today is terrific and I am very glad to be here and I am glad that these sort of things are being addressed. You will see that quote there, "We believe that malicious code using the DNS to enable the propagation of worms and establishment of large botnets is likely to continue." That came from an ICANN blog post by Greg Rattray.
So it's nice to see this organization looking at these things and addressing them and holding a forum like this. So that's our Web site where we talk about a lot of this stuff. We're just launching that second URL there where people can go to get help removing badware from their computers. It's a joint venture between us and the Berkman Center at Harvard University. So it looks like I have only taken up six minutes.

>>CHERYL LANGDON-ORR: Thank you, sir. I did say to the team I wanted to gain a little time. They are doing a great job so far.

[ Applause ]

>>CHERYL LANGDON-ORR: Pieces of information. One of them is most important for you to listen to now, and I apologize that it will only be coming to you in English. The reason it will be coming to you only in English is because I have been passed a note that says the following: The interpreters have been pulled to facilitate a program for the president. They will return at 3:30, and it's certainly my job to apologize most deeply that that's affecting the beginning of our session. Please, we will have interpreters back in the room, and certainly the working groups will be fully running in Spanish with English and French interpretation available, but the program will run in Spanish. I have taken up two more of those minutes that we valuably grabbed back off Beau. I will be able to take questions and we will have question times at the end. That's what your white cards are for, and there is an Adobe room if you have chat messages. Our next is Fred Felman.

>>FRED FELMAN: Thanks very much, Cheryl, and thanks, ICANN, for giving us the opportunity to speak. My presentation will take six times as long because I am going to do it in English, Spanish, French, Italian. Not actually. MarkMonitor represents a very large portion of the Global 2000 companies. We count as our customers probably about half or more of the world's largest sites in terms of traffic according to Alexa.
So our perspective is that of the IP owner and the brand holder. The data that I am going to present today is based on information that has been gathered as part of our brandjacking index studies that we have been running for two years. Slower, okay. I am being told to speak more slowly. Our data that we are presenting today is based on our brandjacking index. We have been gathering it for the last two years, and we also have some data that we have been gathering from a phishing perspective through our anti-phishing operations in D.C., which we also publish through the APWG, the Anti-Phishing Working Group. I think Beau really summarized this very well in his examples, that really confidence in the Internet is interrupted because of all the scams that we have seen. And a lot of people think, because the brand rights holders are relatively obstreperous about protecting their rights, that this is a brand holder problem, and really it's not. This is about protecting consumers. And in fact, when you look at trademark law specifically, it was constructed to protect consumers. And that's the perspective that we're coming from, especially when you talk to people like Fabricio Vayra and Kristina Rosette of the Intellectual Property Constituency, and that's why they do what they do and why they work as hard as they do to protect the rights of brand holders so they can protect consumers, and that's what we are engaged in. I think this is a relatively savvy crowd so I don't think I need to go through this slide in detail about what is lost by consumers as they are bilked on the Web. But you can see from the ones we have listed here that they are relatively harmful.
And if you think about it not from your own perspective but from the perspective of if you get a call from your mother, your sister, your brother or some family member when they answered a phishing attack or when they purchased some counterfeit pharmaceuticals, how you react to that, it might be different from thinking about this problem in the abstract in the statistics. And oftentimes, the human emotion of what happens to these folks gets lost in the statistics. So with that, let's go on and let's look at some of the examples of the abuse that occurs. And I am going to be looking at abuse that occurs in combination with the domain name space. All the examples I am showing you are domain name space abuses in connection with other abuse; we call this blended abuse. And I am going to dig down in detail to talk to you about phishing and some of the trends there. I think one of the reasons is that it's one of the most quantifiable forms of abuse. That's one. And, two, it's one of the most growing forms of abuse. This example is -- gosh, it's one of the more unique examples of it. While there is domain name space abuse in the phishing world, most of it is not of this nature, by the way. And why I say that is this: Phishers don't depend on the search engines, don't depend on people finding their sites. They actually use spam and other methods to drive people to their site. So when you see high five's name listed in the domain name, that's a relatively unique incident of this type of abuse. And I would say that the other type of Domain Name System abuse that occurs, which is much more prominent, the domain names are abused in a different way. You see multiple domain names used as a front for the botnets and for the Fast Flux networks that underlie these attacks and the automated systems that support that. And they abuse the Domain Name System as well, but not using brand names specifically. In the past years we have seen substantial growth.
We saw about a 7.3% increase in the attacks against these brand holders. We saw a 135% increase in attacks against other types of Web sites. And others are things that are not financial, not auction, not payment systems. Those attacks were actually pretty large in number. We saw 11,000 attacks against 75 companies, and you can bet that that was very disruptive for their customers as well as the smaller businesses that were in that category. So very, very problematic for these customers -- excuse me, for these Web users. I would say that from a dollar perspective, we capture a certain amount of it through the FBI reporting online, and that's where Gartner gathered the figure of $3.2 billion lost, but I suspect it's a lot more than that because people are reluctant to admit oftentimes when they become the victim of a crime. The shame of it, for one. So let's dig a little bit deeper in terms of phishing. I'm just going to spend a few moments, because I don't think this is all that significant to this audience. I will say that the phishing host country is largely dependent upon two issues -- where are the resources that can be abused and where are they least likely to encounter enforcement such that they get shut down quickly. And that really drives where it's hosted. And, when I say "hosted," that's not the domain name. That's actually where the content itself is hosted. These sites are generally hosted on sites that have been hacked. There are PHP and other exploits for un-updated servers. And, when you look at the quarter-by-quarter results, you see the United States is up there quarter after quarter after quarter. So, you know, we contribute our fair share to crime. The secondary and tertiary are often times where it's easier or, excuse me, where it's less easy to shut these sites down. In terms of the statistics of where these are hosted from a top-level domain or ccTLD perspective, these are how those stats sort of rank in the last quarter.
And so this is a single quarter of data. And it's really largely based on the ease of access, automation and other sort of, you know, methods, hijacking, and what kind of defenses are available. And I think it's really important before I leave the topic of phishing, which is -- while this is one of the most measurable and one of the most damaging and one of the most obvious forms of abuse, it's also one where we've seen significant amounts of effective remediation of these incidents. Most -- most registrars, most ISPs are very responsive and are helpful in terms of taking down these sites. There are some very -- some very big exceptions to that. And we could always use some improvement. But this is one form of crime that we have effective remediation of, if not protection from. Some of the other things I'd like to show you -- this one was relatively hard to edit because, you know, we wanted to figure out how could we be least offensive for a large audience. But I think we'll probably manage to offend someone by showing the example. But the reason for showing this example is, increasingly, brands are used to draw people's eyes to pornography and other what some people might consider objectionable material. And while, you know, a purse shopper who came to badgucci.com or an apparel or accessory shopper might not be offended, someone who is actually drawn to a site like this from a cartoon character brand targeted to children, which I can show you many examples of as well, might be less tolerant of that type of abuse. In fact, we've seen a 21% year-over-year increase in this type of abuse. And only 30 companies -- and that's just their company name alone -- we saw 1600 sites in this last quarter that hosted this type of comment -- excuse me -- content, using a brand holder's company name in the URL. So I mentioned blended abuse.
One of the primary vectors of blended abuse is using brand holders' names in domain names and driving search traffic or driving traffic there via spam or some other method. This example is one of those. In this case it was Disneycasa.com. There were cartoon characters represented. There were all kinds of methods of SEO used to actually drive traffic to this site while it was up. Luckily, the browser providers provide relatively good remediation of this type of event. We can actually submit sites of this type asking others to -- as can others who provide filtering services to Firefox and also to Internet Explorer so that they can block these sites. So there are methods of blocking this content. But, still, often times the lag time between when it appears and when it is blocked is significant enough to sting millions of users, as you saw from the statistics in Beau's presentation just a second ago. It's probably pretty easy for you to write off, you know, a site that is counterfeiting a purse or a belt or a piece of media. It's as -- as something that you know, people know that that's counterfeit and it's not problematic. They know that they're buying from a site that's illicit, and they know they're buying goods that are likely to be illicit. Pharmaceuticals are a different story. Some very large percentage of spam is directed towards driving traffic to pharmaceutical sites. This one actually contains the name Lipitor in it. You know, while this is worrisome, international, and persistent, it's also deadly. There was a publicized case in Vancouver of a woman who purchased pharmaceuticals online from an illicit pharmacy. And it was proven she died from heavy metal poisoning from pharmaceuticals she bought from a site like this. So we might be able to laugh off some of the other types of abuses. But think more deeply when you buy a pair of jeans or a pair of shoes or a pair of toenail clippers of an illicit brand because there's very likely some crime below that.
A lot of these sites finance organized crime. A lot of these sites actually use labor, which is dangerous, including child labor in places, you know, where they don't allow child labor. So be very careful about using these types of sites. And we should all try and play a part in saving consumers from this type of abuse. Now, I want to say one thing -- and I know I have to wrap up here, so this is my second to last slide. I'll make it very quickly here -- is that action does yield results with kiting and tasting. We did see that ICANN and Google and lawsuits were made against sites. And we saw an 84% increase in -- excuse me -- decrease in tasting and kiting after that occurred. And, lastly, you know, I really want to encourage further dialogue about how to protect users from this type of abuse. And I'm glad to see that we've got such a good group to do that. And we've got some great panelists who follow me to discuss it, and I want to thank you for the opportunity to speak once again.

>>CHERYL LANGDON-ORR: Thank you, Fred. And a round of applause indeed as well.

[Applause]

We now move to Jeffrey Bedser, who is the president and chief operating officer of Internet Crimes Group. And we're switching now from establishing the landscape to sizing and scoping of e-crime. Thank you, Jeffrey.

>>JEFFREY BEDSER: Thank you and thanks for having me here today. I hope you have a lovely afternoon. And I have to acknowledge that I actually recognize fewer of the faces in front of me than I do behind me. So the group I interact with for my short term at ICANN the past two years as a member of SSAC has been primarily the people on this panel. So, trying to keep on schedule here, actually, that slide was meant to be removed. So we'll move past that one. No. There we go. Okay. This was live on Monday in the press. And it's an interesting play on the way the media looks at the issues that we're addressing. And this is talking about the Conficker botnet.
And it's talking about how Conficker is potentially targeting a subdomain of Southwest Airlines for Friday the 13th of this month. However, it's interesting to show how the media play is being established. However, it's been made very clear to me by experts that understand Conficker far better than I do that this has actually been nullified as an issue by efforts taken on by people in this room. So looking at, however, the statistic that 250 possible domains are generated a day -- I've heard up to 500 -- you will see Conficker generate up to 7,750 domains. It's much more detailed in the presentation. So the topics to cover today are the e-crime ecosystem, the emerging efforts that are focused on protecting the end user against Internet-based crime. A bit of analysis that's going to illustrate that e-crime is able to exploit those resources. How the criminal element does attacks. And how that is distinguished from legitimate traffic. And, finally, I'll talk about global hot spots for botnet and malware activity. So, the e-crime ecosystem. We need to be very clear because in the last 20 years, 10 years in particular, there's been a perception that e-crime is potentially for script kiddies. It's those that are doing it for the benefit of the challenge. E-crime is certainly not that any longer. E-crime is all about capitalism, is about making money, is about making money any way possible. And, as long as we keep that as a very clear perspective, everything else we'll be talking about becomes clear. So many of you might see the part I highlighted in red on this particular clipping and say I don't believe that $1 trillion worldwide in losses to intellectual property is possible. You know, a trillion is a very big number. And, until recently with the global economy, most of us didn't even think in those terms. However, even if it's wrong by a factor of one and you drop a zero off that, you still have $100 billion.
You start thinking about that type of losses and where that money could be possibly channeled to, and it starts to become a real picture. The two biggest emerging threats, two of the biggest emerging threats are targeting crimeware and malware. Steal passwords, credit card numbers, and documents for the purpose of credit card fraud and identity theft. And, secondly, the lax intellectual property laws and enforcement. That's not lax enforcement based on efforts by law enforcement. It's usually a jurisdictional problem and a resource problem. So what are the tools here? The first tool I want to talk about is the botnet. So everyone is probably somewhat clear on the botnet because it's been around for some time now. And you can read the definition for yourself about the zombie army and how it works. But, you know, according to a report from Russian-based Kaspersky Labs, it is botnets that pose the largest threat to the Internet. I'll give you supporting information for that shortly. Let's talk about the botnet lifecycle for a moment. A bot herder creates and configures initial bot parameters such as infection vectors. They are going to affect the DNS flow through e-mail, through downloading, what the payload is going to be, what methodology for stealth they're going to use, and command and control details. How they're going to get hold of these bots once they're created and use them and control them to do whatever they choose to do with them. The next step, of course, is to register a dynamic DNS. Next is to register a static IP. And then the bot herder will launch or seed new bots. And then, of course, the bots spread. We see botnets in 8 to 10 million of infected machines. And a paradigm shift in the last round of botnets is that previously the majority of botnets were infecting consumers, end users on broadband connections within their cable modems and DSL lines.
Conficker, as an example, actually has 60 to 70% of business machines as its infections based on the way it spreads. So what are the criminal benefits of creating a botnet? Well, first of all, you're shifting the cost of your illegal business to others. You don't have to pay for the processing power. You don't have to pay for the bandwidth. You have a buffer. You're anonymous behind a criminally compromised machine. You are providing the criminal a massive information processing resource at a minimal cost. Don't forget about the SETI project which had a downloadable app for years now that allowed you to use your computer's processing speed and time to chart the stars. Think about the number of machines at the command and control in this environment. 8 million. 10 million. 20 million computers, all that processing power available? So botnet -- what do the botnets facilitate? The highest bidder? Lowest bidder? Whoever's willing to pay? I think we should be very clear in most of the e-crime ecosystem that it is a business, that people that create the botnets aren't the people who use the botnets. They sell access to the botnet to others for spamming, for phishing, for pharming, et cetera, for selling products and services, for extortion. Think about having 8 million computers sending one packet of 200k all to the same IP address at the same time. Yeah. I'm not going to do the math, but I'll let you do the math. So, thinking about how that can be distributed in a denial of service attack in a way, no infrastructure out there, even the biggest e-commerce sites can handle or government sites, military sites. Identity theft, of course, and phishing e-mails. So more reason for botnets -- people will pay for untraceable servers. Every aspect of crime -- I'm not just talking about e-crime as far as hackers and people attacking infrastructure. All levels of crime will pay good money for an untraceable server to conduct their business. People will pay for stolen information.
The people that use a botnet to do an identity theft phishing, pharming, what have you, aren't the ones who use that data. They then sell the data they collected to others who then do the crime and identity theft against the victims. So they literally do rent out time on the botnets. They rent out segments of their botnets. I've actually seen some of them attack each other's botnets to hide activity on someone else's botnet, just like in the real world for business. And adware companies, of course, will pay per installed system because in a pay-per-click environment, the more revenue you're going to generate. I'm going to -- try to be brief on time, I won't go through all the details on all the charts but a rough botnet attack configuration there for your perusal. This one I'll go for a little bit. I have to take no credit for any of the graphics in this presentation as in I used Google images to find every one that I used, not having time to put them together myself. However, the author of this is unknown, so I'll give some unknown attribution. If you look at this quickly, the pirate using infected computers uses a compromised machine. Once those compromised machines are compromised, they dial home to an IRC or Internet relay chat channel to notify that they're under control. He then sells the access to our friend with the very evil looking face who then uses that command and control back to the IRC channel to launch whatever type of attack he wants to use. So types of attacks, obviously, denial of service attack is not something anyone in this room is unfamiliar with. Click fraud, again. Access number replacements where a -- where the botnet operator replaces the access numbers to a group of dial-up bots to try to get victims' phone numbers. Given enough bots participating in this type of attack, the victim is consistently bombarded with phone calls attempting to connect to the Internet. There's very little to do other than shutting the lines down.
Fast flux is an advanced technique used to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts. If you're trying to do investigations or reactive enforcement against one of these networks, the fact that the DNS records are constantly changing means you cannot actually get a hold of who or where to contact to get the system shut down. There's some excellent papers put out by the SSAC on that very topic. So the DNS flaw that Dan Kaminsky had uncovered, in summary, there isn't a patch for this problem. And, when before you had things like typo issues where someone typed in the wrong domain and someone would host it to try to do phishing and to do all kinds of compromises on domains, the fact that someone can actually use this flaw to legitimately take the traffic going to a CNN, BBC, an E-Trade, any online financial banking site and make the user believe they're at the real site, everything looks like the real site because the DNS has been poisoned. Start thinking about the way that can be used in a cyberterrorism scenario where you can basically control what people see when they look to the news to find out what's going on and control the information being spread. To profiting from the DNS flaw, a couple more lovely charts that I take no responsibility for but I can't give any credit because I don't know who put them together. An attacker can set up a whole Web site that looks enough like the original or, let's face it, exactly like the original to not raise any suspicion, redirecting popular search engines to a malicious domain or redirecting to a bank site as they're entered into the system. You've got zero day attacks that occur between the time the security vendor releases patches and DNS servers get patched. And, of course, URL filtering based products will prove insufficient in dealing with this type of attack because filtering the domain doesn't help you when the DNS record is pointing to a different domain anyway.
So another fancy chart on pharming. Same model. Where you're basically leading people to a different site that they believe is the real site, so they enter their credentials and you can steal them or pharm them. The term "pharming" is a neologism based on farming and phishing. And, again, you can read through the description here, the source being Wikipedia. So methods for dealing with the criminal attacks, network activity. Number one, of course, honeynets and honeypots using computers that are set up to be compromised so that researchers and analysts can look at the details of what has occurred, what has happened, what is being done to work out countermeasures and effects. Blackhole routing, sinkhole routing can be very effective to, basically, take those domains out. So the traffic -- in my company we call it "drop into the bit bucket," so the traffic just goes away. Filtering on the source and filtering on a destination address can be effective in very small scales. But, when you're looking at 8 million, 10 million compromised systems and those source IP addresses, filtering based on IP address doesn't help. It's almost impossible to actually get to the volume you need to solve these problems. And, of course, you've got some hybrid methods as well. The Internet is not a stable environment. And, of course, we all know that, and we all don't like to say it out loud. But it reforms itself very rapidly. And there's always new technologies being deployed and new exploits being deployed. And, as a result of that very dynamic environment, countermeasures have to be considered very carefully as to the impact they can have. So what are the efforts to combat? Number one, on March 20th of this month, Impact Center goes live. It's the International Multilateral Partnership Against Cyber Threats. They're working with partnerships with Interpol for the law enforcement aspect.
They're working with the United Nations and other such organizations in an attempt to gather information on cyber threats on a global scale and refer that to law enforcement and different research labs, et cetera. So we can actually do a force multiplier for the efforts that are currently going on. The honeynet project is an interesting and exciting effort to take all the honeypot researchers from around the world. They get together several times a year to compare notes and share information about what they're collecting based on what the threat communities are up to and what they're doing. So just a couple of global hot spots and malicious activity. There's a snapshot of some activity showing the sourcing. This is an interesting one. Hopefully, it will do an auto play for me. Maybe it's not going to. All right. Well, basically, if -- there we go. I see a mouse moving. Okay. Well, doesn't look like it's going to start. But what it would do, if it was working the way it's supposed to, it would be showing a 5-day period of botnets and compromised machines calling home to the command and control IRC channel. And what it does -- basically, what you're seeing is the spots that are white are the hottest spots of activity and darker red is smaller. And it's, basically, showing where this botnet is and command and control activity is going back to the system. Over a 5-day period you'll see brightening and darkening based on time of day, et cetera. It will show how many systems are infected and where they are. It's very interesting bright spots there that you wouldn't expect. For example, Kuala Lumpur. (off microphone) And you can start wondering about how that's been impacted. So to sum it all up with -- wow, four minutes to spare. e-Crime is for profit. Anybody leaving this room and says to me anything differently, I'll have a very lengthy debate with you, depending how much energy I've got.
Any component of infrastructure that can be compromised to enable these ill-gotten profits will be utilized. Don't kid yourself that anything is bullet proof for any period of time. There are people out there and organizations and groups in -- loose groups, people who know each other by screen nics, to people who know each other on the streets, that are working on the next thing to take advantage of to give them the edge for profitability in their criminal enterprise. Today's botnets and pharming are part of organized crime. Tomorrow, state-sponsored cyber terrorism. There's indicators that what happened in Estonia and what happened in Georgia, the infrastructure being used to launch those attacks were compromised systems and part of botnets. Who launched those attacks is up in the air because why? Because the botnets are anonymous. However, they were being utilized. Do the people who created those botnets know they're being utilized for cyber terrorism? They probably knew afterwards. Beforehand? No. It's the highest bidder who gets access to them. Don't expect the researchers and technology companies to solve these problems. It's always reactive when it comes to research. What are they doing? What have they done? How can we stop them? The technology companies are going to have to deploy technical, so it's always going to be solving yesterday's problem. In my humble opinion, international cooperation between the entities that run the infrastructure, thus, the people in this room as part of the ICANN organization, the policy makers, and law enforcement together can facilitate a means to the end where the intelligence can be gathered. The infrastructure can be improved to prevent many of these problems. Time to spare. Or did I go over? [Applause]
>>CHERYL LANGDON-ORR: Thank you, I think, gentlemen. I'm not sure thank you is quite right summing up here. From the consumer end of the table, I'm feeling a little less secure than I did when I first met you.
And I guess that leads to the first question that's been passed up to me. And I gather this is directed to all the panels. So whoever wants to jump in, go for it. And we've got about 10 minutes to deal with any other questions. But deal with this one as long as you wish. But can you make an assessment on the impact? And there's a part two to it. Are there more effective alternatives working or being built? I gather that's in terms of solution. Who would like to take that first? Jeff? Fred?
>>FRED FELMAN: I think in terms of impact, it's hard to measure it because it strikes so many different parts of the web and so many consumers in so many different ways. You see things that are indicators as opposed to global indicators of the impact. In terms of methods of dealing with it, there are a lot of things under discussion right here at ICANN at this meeting. People were thinking about new ways to protect consumers in the new global top-level domains. So I think there's hope, and I think there's a lot of good thought being put behind it.
>>ALEJANDRO PISANTY: Cheryl, that question has impact for -- it's my question because impact is in capitals and it's for an assessment of the Impact initiative for the later speaker.
>>BEAU BRENDLER: I don't understand.
>>CHERYL LANGDON-ORR: Alejandro, can you repeat? And, believe it or not, repeat slower and louder. We don't have good acoustics just here, and they'd like to understand your question.
>>ALEJANDRO PISANTY: Thank you. I am asking, Jeff, for an assessment of the Impact initiative which you mentioned and whether there are other alternatives at work or being built in the Internet community.
>>CHERYL LANGDON-ORR: Go ahead, Jeff.
>>JEFFREY BEDSER: When it comes to the Impact initiative, the jury is out as it hasn't launched yet. However, in my opinion, the issue of law enforcement is always going to be jurisdiction. The issue with policy makers and government is always going to be jurisdictions.
And having an internationally recognized organization that can coordinate those efforts and share the IP intelligence is probably the best way forward. I'd love to see it being successful. I hope it is successful. Of course, it's left to be seen.
>>CHERYL LANGDON-ORR: Beau? Perfect timing for a second question. Why isn't take-down or the list of possible -- sorry. Why isn't take-down on the list of possible combat tools? Who would like to take that?
>>FRED FELMAN: I guess I can take that now. In fact, take-down is being used in phishing. And there's been discussions in terms of ways to more effectively and more quickly remediate existing intellectual property abuses in combination with the DNS system. So there are proposals and discussions in process. The IPC has made some suggestions in terms of those. And there were about -- I don't know. There were hundreds of comments made to the draft applicant guidebook suggesting that and other ways in the new TLDs.
>>JEFFREY BEDSER: The take-down is a very effective reactionary tool. But, when you realize that the majority of entities that use the techniques of creating phishing domains and pharming domains, et cetera, for every one you take down, they've got several hundred ready to go live to take the traffic. So, while it's an effective tool and necessary tool, you must do take-downs to protect the consumers from going to that site. It doesn't do much to go against the infrastructure that the criminals are using to create the crime. So it's -- the old American game of whack-a-mole where you can play all day trying to hit down those moles and they're going to keep popping back up again unless you do something stronger. So I don't see it as a long-term tool.
>>CHERYL LANGDON-ORR: So we're looking at a toolkit, not just one approach. Are there any other questions coming up on the cards at this point in time? If not -- yes. Have we got any, just checking? Yes? No cards coming up.
>>ALEJANDRO PISANTY: I have been conveyed one by e-mail.
>>CHERYL LANGDON-ORR: Yes, we do. Thank you.
>>FRED FELMAN: While it's coming up, I would add other protection methods in gTLDs being considered are observed lists of globally recognized names so that abusers aren't able to register those names. And also a more effective way of handling sunrise periods so that globally recognized name owners can actually get those names and reserve them.
>>CHERYL LANGDON-ORR: Okay. We have two in the lineup here. The first one, jump in with your buzzers, gentlemen, whoever wants to grab it first wins it. Do you think the ccTLD must analyze the content of web pages? Go ahead, Beau.
>>BEAU BRENDLER: Analyzing content gets a little scary. But I was inspired to hear from the new contract compliance officer. His last name is Giza. I forget his first name. He's maybe here. David. Oh, he's behind me. ccTLDs are on the list in a similar way for actually -- he can just speak to this issue himself. I think contract compliance is really throughout the situation where the consumer protection function comes in. Apart from ccTLDs, I mean, it's really the registrar accreditation agreement, I think, that affects most of the problems associated with consumer protection and fraud. So --
>>FRED FELMAN: And I guess I would like to add to that, I guess there are some examples of ccTLDs that are very responsible in terms of content. My understanding is that in dot DE, if you actually do have commercial content on your site, you actually must have the name and contact information of the person running the site so that, actually, law enforcement can deal with fraud and abuse. And that's an amazing inhibitor of that type of abuse when you actually must do business in the clear like you must do in the real world. For instance, in the United States you have to have a "doing business as." You have to be a known entity.
>>CHERYL LANGDON-ORR: As a mere consumer, I must say that works for me.
We have a question written in Spanish which Alejandro is going to read to the record. Again, Alejandro, we have awful acoustics. If you can read it loud and clear. Go ahead.
>>ALEJANDRO PISANTY: It's a comment growing on the Impact one from Yvonne Munoz who is in the audience, a Mexican I.T. lawyer. She opened the Impact Alliance web site and her anti-virus is warning her of spyware.
>>JEFFREY BEDSER: I'm not affiliated with the Impact Alliance. I don't know if it was the dot org or which version it was of the site, but it's impact hyphen alliance dot org is their site. So I don't know if the virus is on a mockup or the original, but obviously proving all the same flaws and vulnerabilities we spoke about earlier.
>>BEAU BRENDLER: Could be a drive-by exploit.
>>FRED FELMAN: I guess I would say it's a common vector to use a site that actually impersonates a security site to be a vector for infection, and that's very common. They will use variations of names of common security brands and protection and consumer oriented sites to snag people into putting malware on their machines.
>>CHERYL LANGDON-ORR: And we are moving to yet more questions. We have got their juices going, gentlemen. E-crime has failed to capture, in inverted commas, the attention of mainstream media. Hence the low public awareness. What safeguards and media campaigns are under way and what are best practices? Perhaps Beau.
>>BEAU BRENDLER: Can I actually just see that so I can -- I'm not sure I agree with the premise that e-crime has failed to capture the attention of mainstream media. I think there's a fair amount of coverage about -- we have talked about the Conficker worm here. That hit the major media. So I dispute that premise, although I don't know what country the originator of this question comes from so I can really only answer for the United States. But safeguards and media campaigns under way. There are organizations that have come out with best practices, including my own.
And in terms of registrar conduct types of self-policing, I know that Cheryl has had some experience with that. So I know some specifics, if you want to talk about it off-line.
>>CHERYL LANGDON-ORR: Okay. And it's hard with so little time to choose the best ones, because I have got quite the card hand here. Enterprise security has blocked entire TLDs to prevent malware downloads and spam for years. Do you think ISPs would eventually consider such action if the situation gets worse?
>>JEFFREY BEDSER: Not only would they consider it. I think use the McColo example that was in the media a couple of months back where the downstream ISP that provided the bandwidth to the colocation facility called McColo that was hosting a very large number of spamming operations, phishing, pharming, child pornography. The downstream provider was notified of the -- the downstream bandwidth provider was notified of the problems and actually did shut off the center. I think it did result in a temporary reduction in spam of over 60% for about a day.
>>FRED FELMAN: I guess I would add to that, surgical methods of actually removing abuse, other than at the domain level, have been sort of spotty. It's actually hard to use reputation analysis to determine what parts of the Web are dangerous. There is a group within ICANN, a working group called RISG, which is working on actually trying to correlate some of that data.
>>CHERYL LANGDON-ORR: Okay. Well, I'm apologetic now, and most humbly apologizing for the excellent questions that are still coming in, but I like to make the trains run on time. So at some 39 seconds over, we are going to end our panel. There will be a short change of staffing up here, and please stay tuned for the next session 2. Thank you all. [Applause]
>>CHERYL LANGDON-ORR: We will keep all these unanswered questions and take those questions on notice, and I'm sure the panel will be happy to respond to them within the Wiki spaces and the archive record.
So we will ensure that your questions are answered.
>>GREG RATTRAY: Good afternoon, everyone. Is this on? Can everybody hear me? Okay. My name is Greg Rattray. I'm the chief Internet security advisor at ICANN and have the pleasure of moderating this panel this afternoon. I have to congratulate Cheryl for the success she had for keeping her panel on time and I will try to achieve the same. I have been asked to encourage the audience to write down questions and send them up, although I believe that procedure has already been working pretty well, at least from the last panel. So I imagine there will be much more than that with this panel. And without further ado, I am going to introduce Rod Rasmussen as our first speaker, the president and chief technology officer at Internet Identity, and he is going to present us case studies in global criminal attacks. Rod, over to you.
>>ROD RASMUSSEN: Thank you, Greg, and thank you to the ICANN community for giving us the opportunity to speak today. I am going to go through some real-life examples that are very recent in criminal attacks and how they interact with the overall DNS and domain name community. And as part of -- make sure this actually works. Did I just turn it off? Here we go. So I am going -- to begin with, I am going to give a quick, kind of place in the ecosystem for how the various players that are here on the panel fit, so that we can go through that all in quick order. And then go into the two various attacks and examine those. So just to give you a perspective of where I am, our company is what we would call a first responder in the real world. We are the folks who work for the victimized companies, banks and ISPs, even registrars that have been hit with phishing attacks, malware attacks, et cetera. And contrary to popular belief and kind of outside of the community, this is really not a law enforcement activity. It's really a private sector activity.
Either a company like mine or the actual brand holders themselves or even volunteers from the public do this kind of work. Law enforcement may be called in in certain countries to give a final order on things, but they are typically not out there looking at individual instances of this type of thing. So really what you have to do is work with the community to find the right people to be able to remove the types of attacks. And this is what we call takedowns. But you have to know what you are dealing with. Are you dealing with a machine that's been hacked into? Are you dealing with an account that's been set up at a hosting provider, or are you dealing with a domain name that was set up and is being used in conjunction with a botnet or something like that. Depending on what kind of attack it is depends on who you need to work with in order to get it mitigated. So this diagram here is supposed to represent the ICANN domain name side of the world where you have the various contracts and players that are responsible for putting in place domain names and keeping them running. ICANN has contracts with the registries, the ccTLDs, and gTLD registries that work with registrars. Registrars actually get domains out to the public, and sometimes through a reseller. And that's a part of the ecosystem we have to work with, obviously, when you are dealing with a domain name issue. There's a whole bunch of other parts of this industry as well, and it ranges from all the way at the backbone to the people providing large pipes of connectivity, all the way through the ISP or Web hosting company to the company or even the individual who has that connectivity, and then on to the person who actually has a Web site or a computer that is being used in some way to facilitate the crime. What's important here to look at is, the closer to the problem you get, you get down towards the actual owner of that content, that's actually the person you want to get to. 
Unfortunately, scalability-wise and being able to reach them, it's the opposite. As far as being able to have effect. So this is the kind of system we have to work within, and as you can imagine, over time, you spend a lot of time creating relationships and working in coalitions and creating industry groups and things like that to help facilitate everybody working through this, because it's a very complex problem that spans the globe. So that's my really quick overview of the whole setup. I am going to now go into the actual attacks here. Now, the first one that we are going to talk about is CheckFree. And this is one that -- of the two cases, this is one we were very directly involved with. The other one I'm going to talk about from more of a third-party observer perspective. But to give you an idea and some background here, who is CheckFree? They basically are an online bill pay for the United States. Most banks and financial institutions use them to do online bill pay services, which means that they have a very high impact for their presence online, obviously. And they have a lot of direct integration with those banks, and utilities and other folks who are the companies who provide services to consumers to be able to come in and pay for their bills and things like that. So given that large footprint, we will take a look at what actually happened to them in early December. So a quick summary of what happened. Somebody came in and took over CheckFree's domain name portfolio at their registrar. They changed the DNS servers for those domains and pointed, in a wildcard fashion, basically every host name that would resolve under their domain names to a malware server that was in the Ukraine. That's a bad thing. What happened? Anybody who tried to go to CheckFree.com or any of their other domain names was redirected, instead, to a malware server and was exposed to getting a malware download on their computer.
Some customers actually were infected with that malware. A lot of other people, though, were just kept from doing their bill pay. And this was on the first, second, third of the month. As you can imagine, that had a big impact on both consumers and the financial institutions that were using that, or using the CheckFree system. And what was worse is that it wasn't just going to CheckFree.com or their domains. It was actually in the back-end system of the banks. The good news is CheckFree regained control of their domains after about eight hours; however, because of the way DNS works, the bad guys set it up so the domains would resolve for another 48 hours. So for a lot of consumers, they were still being pointed to the wrong place on the Internet to get to their bill pay systems. And so a lot of banks and credit unions around the United States shut off entirely their bill pay system for two days. And the net result on the infections is at least 10,000. I have heard more, but at least 10,000 people got infected through this. So let's take a look at the infrastructure of CheckFree and how this actually happened with the bank of this they are doing good things with DNS that allows them to scale rapidly to their consumer base, which is the banks, and they create a host name underneath their domain name for each financial institution so that they can manage their own systems, IP addresses, et cetera, and then as they make changes, it doesn't affect their banking partners. And they have got thousands of them around the country and around the world. This is great because you can do this rather rapidly. However, the weakness is that DNS has to be working correctly. And if somebody takes over the DNS or poisons it or what have you, then those relationships that you set up on a trust basis no longer work. So here is how it actually works. Graphically, you have credit unions, utilities, et cetera. They have their Web sites. 
They have a direct link to this host name that's under one of the CheckFree domains. That pops you over to the bill pay server. And of course this is the weak link here in that these domain names were all taken over in a few seconds using the registrar account. So this obviously exposes a weakness that was, to the banking industry, largely not understood before this attack. And I would also say it's probably still largely not understood by a lot of the people in the financial industry still. So just to -- for those in the room who aren't as familiar with DNS resolution, although in this community I bet most of you are. When I explain this to bankers, it takes a long time to go through this. What you have typically is if you have a person coming in from their browser, they will ask for a host name that they want to go to to do their bill pay system. It will run through a resolver at their ISP, and if the resolver doesn't know what it is, it will go out and query the com name server and it will say go over here and get the CheckFree.com and eventually it will get back to the actual resolver and it will say okay, go get your Web site because it is at this IP address and go get your bill pay system. Works great. What happened in the CheckFree attack is the bad guy took over the entry put in the com zone because he took it over at the registrar, at their management system. So now, when you go to the name server that the com zone is telling you to go to, it takes you over to, actually, the name servers that are run by the registrar, which he took advantage of that system to then give it a new IP address. And that IP address gets cached by the ISP, and the person who is looking for their bill pay site gets that in their browser, and they go, okay, take me to that IP address. Well, unfortunately, now you are downloading malware. So that's just a quick overview of how the attack worked. It was rather simple. You just take it over and point it somewhere else.
And by the way, not only was every Web site affected. Their e-mail infrastructure was affected as well, because it was mail.checkfree, or what have you, underneath their domain name. So not only could you not get the Web site and you get a malware download, but if you sent an e-mail in to complain about it or to give them a heads up, it was bouncing. Fortunately, it was bouncing. They didn't actually take over the e-mail. So the attacker took control of the domains. They broke into the account because they already had the user name and password. That could have been done either through a phishing attack, which happened to have hit a few weeks before that, or somebody could have installed key logger software, some sort of spy software, onto the computer of the person who was managing the domain account. They changed the DNS for the domains, and actually took advantage of the very good and very robust DNS system at Network Solutions and changed the A records to point over there. And then in response, CheckFree actually really responded well on this. There were a couple of issues that came up in this process. First of all, who is CheckFree? I had to explain to you who they are. If you are calling up a registrar or somebody else like that with a problem like this, they may not know who you are. One of the favorite examples I like to use is UMPQUA Bank. What is an UMPQUA? It's the largest bank in Oregon. They have a million customers. If they had this same kind of problem and called up a registrar, they may not jump as quickly as if Visa or somebody like that called up. The other little twist is the administrative e-mail address for the domain account was actually under CheckFree.com. So if you send an e-mail to confirm your identity, it doesn't work so well. So there's a few operational things that showed up. The bad news is this TTL was set for 48 hours, and TTL is time to live in DNS terms. So for 56 hours net we ended up with a problem.
Now, just for motivation on this, we're looking at this, and we have tied the same incident to six -- or to some phishing attacks that were launched against two of the largest registrars about six weeks prior to that. The same exact IP address that was dropping malware was also seen there: several of the domain names of account holders at those two registrars were pointed at that same Ukrainian server at the same exact time as this incident. So it looked like the person who was doing this actually took over several different accounts at once, probably from the phishing attack, and redirected them to this malware site. So they were really trying to drop malware on people's systems. I don't think they knew they were taking over the largest bill pay system in the United States. This could have been a far worse event if they actually knew what they were doing. Just to run through the rest of this, the TTL kept this up a long time, because ISPs cache this information on their resolving name servers, and you can't really update that from the outside. There's really no part of the protocol for that. So that keeps the attack up once it's in there. That's a problem. So you have got these vulnerabilities here at the zone itself. You can either take over an account or hack into a registrar. That happened recently, and repoint all the domains. You can attack the name servers themselves, either directly through a hack or through something like the Kaminsky vulnerability where you can poison the cache. And of course you can do the same thing at the resolver level, and it would be the same methodologies. All these places now are lessons we have learned out of this as far as vulnerabilities in the DNS system. So DNS is really not a security-conscious protocol. It's really set up to make things work, not make them secure, at least in the current form. Domain registrations themselves are vulnerable through their registrar systems and through the registrars themselves, potentially.
Another thing here that I should point out is that a lot of those bill pay systems just trusted the fact that if they handed it off to CheckFree, CheckFree was there. They weren't doing checks to make sure CheckFree wasn't in the Ukraine or something like that. So you can harden your own systems on that. So that's the CheckFree incident. I am going to talk about McColo and Srizbi. That's my final case here. I have to give some credit to Brian Krebs at the Washington Post, who did a lot of work on this, and Alex Lanstein at FireEye, who took front and center on this. A lot of people in the research community as well worked on this for a long time. I had nothing to do with it. So I am just reporting on this one. So what is, was, McColo? It's a very decent sized Web hosting firm in San Jose, offered -- if you looked at the Web site, offered kind of normal hosting services. But if you took a look underneath, they were doing a lot of really interesting things that got the attention of security research and law enforcement, folks like that. If you are familiar with EstDomains, that is where they had a lot of their content, including, I believe, their Web site. Their IPs at McColo were on tons of blacklists everywhere, and everybody in the ISP community was talking about the situation there. So this is really tiny, it's a little bit better on the screen in the back, but basically this is just a little example of the kinds of things McColo was hosting: pharma distribution, child pornography sites, payment schemes, botnets, lots and lots of botnets, and that's where Srizbi comes in here. The command and controls, or C&Cs. That's the computer that tells the bots what to do, and so a bot has to come to a certain central location to get that information.
So what happened in the fall is that a lot of people were paying attention to them, a lot of people were talking about them and calling them up, and you would call McColo and they would do some things. If you said there's a problem here, they would take it out, but it would end up on another IP address that's on their same Autonomous System Number, the IP number they control. So what's interesting is they took a little bit different tack, and Brian Krebs actually called the upstream providers to do an interview about McColo and provided them with a lot of information about what was going on there. And the upstream providers decided we're going to de-peer these guys because they are violating our terms of service, et cetera. So basically if you de-peer somebody, their IP ranges won't resolve anymore on the Internet. So they are an island on the Internet, separated from everybody else. And that was the article that appeared in the Washington Post. And that's what happened. Very graphical. This is Spamhaus's statistics on spam. That's what happened overnight. Spam dropped 50 to 75%, depending on whose stats. SpamCop, same type of thing. Massive decrease in spam. Why? The botnets that were controlling -- or the command and control centers for most of the large botnets were taken off-line, and the bots couldn't reach them because it wasn't being routed. Retail fraud plummeted. That was an interesting one. It turns out that there's a lot of stolen credit cards and things like that being used to purchase goods, and that almost disappeared overnight. The reason for that is that McColo hosted a bunch of these proxy networks, these underground proxy networks, so people would come in to use a proxy from their computer to obfuscate who they are, and they would go in with a credit card to a Web site and buy something with a stolen credit card, and you wouldn't know what IP they were using. Also, e-mail harvesting disappeared as well for a while.
These are people who were scraping Web sites looking for e-mail addresses so they can send spam. All of this was all in the same center. However, as you might imagine, the bad guys had a backup plan. First thing they did is they actually had an emergency peering relationship which they fired up over the weekend, which allowed them to get their IPs up again. A lot of the botnets updated. But it was a success story there, because that got shut down within about a day, which was pretty quick over a weekend. It was a European provider, American hosting involved, so it was a pretty good deal there. However, one of the biggest botnets out there, called Srizbi, you have to love the way the AV guys come up with this stuff, was not. It was estimated at the time it was about 30 to 50% of the bots out there. So the interesting thing about Srizbi is they had put into the code a back door access so that if they couldn't reach the IP address that was their command and control, they would try a series of domain names to get their instructions from. There's about 40 or so domains that were set up on a daily basis, and they were good for about three days. So FireEye cracked that algorithm and found out those domains actually weren't registered. So FireEye started registering those domains, which worked very well for finding out things about the botnet and things like that, but it got really expensive really fast. And so there was a deal worked out with some people in the domain registration community so FireEye wouldn't have to take the cost of doing that. Unfortunately there was a gap in doing this, and Srizbi was able to update a large chunk of their botnets. So if we as a community are going to respond to this, there's organization you have to do to actually make sure it works. The good news is they are not using that botnet anymore. Srizbi is not the only one. We heard about Conficker already. That's been a great success story. It's been in the press.
From a policy standpoint, how do we deal with this as an ongoing issue, these botnets that are using domain names on a standard basis? And this one with Conficker, it's 500 domains a day. What's the next one going to be? My last slide: criminals are very smart. However, I think we have smarter people. So we should be able to beat them, I think, in the long run. They are now using the DNS system to their advantage, and it's not just setting up phishing domains. They are actually cracking into various levels of services and exploiting the weak points. And of course DNS really wasn't designed with this in mind. So we're all involved at whatever level we are, and I think we are going to talk about the various levels next.
>>GREG RATTRAY: Thank you very much, Rod. We are now going to start a series of five-minute drills. We have a half an hour for each of the additional panelists to provide a perspective on these issues. So we're going to begin with Tim Ruiz, the vice president of corporate development and policy for the GoDaddy group. So Tim, on your mark, get set, go.
>>TIM RUIZ: Thank you. I have no slides, so this is it. First of all, again, GoDaddy is the largest registrar in the world. We have over 33 million domain names under management. And actually, tens of thousands, I think maybe even hundreds of thousands, of hard-working, honest customers with domain names using dot info and dot biz TLDs, and protecting their privacy using Domains By Proxy. Again, being the largest registrar, 33 million domains, we certainly get complaints of criminal abuse or other types of abuse on a daily basis. And the way we handle that is we deal with it basically in two categories based on the type of response. So for third parties or some of the watchdog groups that have become well-known to us and that we try to work closely with, the way we deal with those issues is a little bit different than what we might do when law enforcement contacts us.
So when a third party contacts us with a complaint of criminal activity or abuse, the first thing we do is look at the services that that customer is using. It might be a domain name, it may be hosting. They might have e-mail. They may not necessarily be exactly what the complaint was about, but they will be related services, potentially. And that information is important to us because it tells us what we need to do in order to investigate and to confirm the criminal activity or the abuse that's been reported to us. So once we have determined that, then we do our investigation, and we require that we're able to actually document the activity, document and confirm the complaint. And if we're able to do that, then we move to take action. If it's a domain name, it may be to put that domain name on hold. If it's a Web site, it comes down. It just depends on the service that is being affected or the services that they have. And in addition, once we handle that -- we move to handle that complaint specifically first, but then we'll move on, and our abuse department will coordinate with our fraud department, which deals with things a little bit differently. They are looking at payment fraud. And many times we're able to correlate or coordinate the complaint we had on abuse with the payment information that we have on that particular customer account. And by doing that, we are able to identify, many times, other domain names or services that this individual was using or paid for, perhaps, fraudulently, and so we are able to take action against those names and services as well. And of course there are often cases where we are not able to take action because we can't confirm it ourselves. There may be a situation where the evidence just isn't there for us, or it's a judgment call that we don't really feel we are qualified to make.
Maybe a situation where we're the domain name registrar, but the actual issue has to do with hosting, and the domain name isn't hosted with us, and we don't have access to the files or the logs in order to confirm the complaint. In those cases, then, we will usually refer the complainant either to the provider that can get them the assistance they need or to law enforcement. And it's important to note that we never reveal customer information outside of the public WHOIS data to any third-party complainant. In regards to law enforcement, it's a little bit different. Our only verification is to verify who is talking to us. We want to confirm that they are actually from the law enforcement agency that they claim to be from. We want to confirm that they are who they are and that they are acting in an official capacity. So we might be able to do that by a return phone call. Sometimes, if we are very familiar with the agency and the individual we are working with, we might be able to do that through a return e-mail and being able to check various aspects of the e-mail, the headers or whatever it might be. But we have to be able to confirm that we are talking to law enforcement. If we are, then we immediately take action to take the hosting site down, put the domain name on hold, deactivate it, whatever is necessary. And usually at their instruction. Sometimes they have various instructions in regards to data that they might need to collect for their particular investigation. It may involve a subpoena, et cetera. But again, it's important, unless there is a subpoena involved, we do not reveal customer information to law enforcement, either, other than what's in the public WHOIS database. So that's pretty much the two paths we take in responding to criminal complaints and abuse. Thank you.
>>GREG RATTRAY: Thank you, Tim. So I'm going to pass the mic on down to Greg Aaron. And Greg is the director, key account management and domain security at Afilias. So over to you.
>>GREG AARON: Thank you.
I manage operations for the dot info registry, and also domain security. And I'm a member of the Steering Committee of the Anti-Phishing Working Group. As a registry, why did we decide to get involved in e-crime issues? Well, the main reason is that we want our TLD to be a relatively safe and trusted place for registrants and for end users. We also did it because registries can be a target of e-crime. That happens seldom, but if it does happen, we want to be in a position to know how to respond to it effectively and keep registry operations running efficiently and keep the TLD up. So how do we respond? One of the main ways that we work is with our registrars. We act, in a lot of ways, as a clearinghouse that is receiving information about potential problems. We investigate those, and if we do find that there is a problem, we push that information out to the sponsoring registrar. And we do that for two reasons. One is that we want the registrar to know what's going on with the domain, and they have the direct contractual relationship with the registrant. And I'll get into why that's important. Also, we do it because the registrar may have additional information that we don't have. The registrar, for example, is the party that is taking in the credit card information, and they may be able to find out that the criminal registered a domain name using a fraudulent credit card number. Also, the registrars have data that we don't have. For instance, they know which reseller may be involved. They may be able to see behind privacy protection and learn more about the registrant, and that may help them make a decision about what to do. In all cases, we want to provide the registrar with forensic information. Specifically, document, as Tim said, what is going on with that domain. And then the registrar can take that information and make a judgment. This method has been very successful for us. During 2008, we worked with our registrars to get about 90,000 domains suspended.
That means they were put on hold by the registrar. In addition, there were several thousand other domains where we helped get those domains cleaned up, because there was some sort of a vulnerability, malware or phishing happening on an innocent registrar -- innocent registrant's site. And so that was a good outcome. Those sites remained up, but the registrants could have their problems addressed without an interruption to their Web sites or their e-mail. We do this also with an anti-abuse policy that we put in at the registry level, and it basically deals with the kinds of abuse on the slide. These are basically criminal issues, and that info -- a policy sets expectations for registrants, and it also puts terms of service in place that we can rely on. On occasion, we do suspend domain names at the registry level. That's mainly in cases where there is an imminent problem, such as a DDoS attack being run through a domain name, or in cases when there is a serious problem and the registrant -- and the registrar cannot be reached or if they are not responsive. It's important to note that all of these types of abuse on this slide are all very different. They affect people in different ways, and they are carried out by criminals in different fashions. And what that means is that each one of those types of abuse has to be investigated and mitigated in very different ways. The way you deal with malware, for example, is very different than the way you work to solve a phishing problem, and so on. For instance, with phishing, you may have a domain registered by the phisher, or you may have a compromised site. So there is not a one-size-fits-all solution. And to deal effectively with these problems, it does take a certain amount of background knowledge, and it sometimes takes a little bit of patience. There are even rare cases in which you do not want to take action or suspend a domain name, such as when a site needs to be sent to law enforcement for them to take a look at.
That's often the case with child pornography. You want to send it to them. They can investigate it, they can confirm, and they can decide what action they want to take, if any. So also, problems vary greatly by TLD, by registrar, and by country. Those differences are very important. Certain types of abuse only happen in a few TLDs, and so on. So it's very interesting to track those problems. Data is very important. I think it's very important for the community to understand the issues and understand where they lie. Thank you.
>>GREG RATTRAY: Thank you, Greg. Pass the mic on down, and next we'll have Jeff Neuman, vice president for law and policy at NeuStar.
>>JEFF NEUMAN: Thank you. I just want to start here, let's see if this works. Great. I am going to actually -- because I know the time is short, I am going to go through some of these slides fairly quickly. NeuStar was actually one of the first registries, in fact, the first gTLD registry, to actually put into place an anti-abuse program. In fact, we started in 2006. I'm just going to go to the next slide. Why do we get involved, and why did we get involved so early? It turns out -- and this was kind of referenced in the last panel. But it turns out that dot biz was, back in 2004, 2005, called one of the most dangerous TLDs by some studies from McAfee and some other security companies. It turned out that a number of our names were being blocked by ISPs, so that when our legitimate dot biz owners were sending e-mails, they were actually being filtered out and never getting to the place they were supposed to go. So what we did is, obviously, weigh the pros and cons and potential liability of a registry getting directly involved.
And we just came to a determination that we needed to do something about our brand. We needed to do something so that the legitimate dot biz owners could actually use their domain names and e-mail addresses. So what we do, or what we've been doing since 2006, is we receive complaints from the outside world. We also instituted a program of proactive detection of names used in dot biz and also dot US as well. We actually have in-house a team that performs these investigations in our own laboratory environment. So, if -- you heard the panel before. If you actually click on a link that has malware associated with it, that's a bad thing that could infect your entire network. It could spread. So what we do is we have a laboratory environment where all of the harm is actually limited to that lab. After the investigation or, as a result of the investigation, what we do is analyze the data and prepare a pretty comprehensive report. And over the last few years we've actually honed down that report to state all the essential data. If it turns out that a domain name is being used for phishing, pharming, malware, botnets, what we do next is -- let me see if this works here. We take action. So, again, once we verify that a dot biz or dot US domain is being used for phishing, pharming, or malware, we send a report, as Greg said, to the registrar that sponsors the registration, giving them a subset of all the investigation results, really informing them of what's going on with the domain name. At that point, we have a strict policy, a 12-hour policy. We send all the information to the registrar. And we give them 12 hours to take down the domain name. And our philosophy is either they do it or we will. So, like it says, if there's no response received from the registrar or they don't comply, we take the name out of the zone. To clarify, we don't delete the domain name registration. We just take it out of the zone so that it does not work.
I'm happy to say that a large majority of the ones that we detect -- and over the few years we've done well over -- around 100,000, if not a little bit more -- most of them are taken down by the registrar. I would say about 90% of them. And, again, we've taken down thousands of domain names in dot biz in the last three years. The interesting thing is we've had no lawsuits, no complaints. And we're very comfortable with our policy. And we think that, ultimately, we're protecting the end users. So the take-down is only one piece of the puzzle. It's important for participants here, and other people will be talking about it as well, to participate in a number of security forums, attend security conventions, and participate in security groups. As Greg was alluding to, integration of law enforcement is also integral. You want to make sure you have, as a registry, a collaborative effort to share data with law enforcement. And, in the case of something like child pornography, you know, at least in the United States, even going to that site and, essentially, downloading the material is a crime in and of itself. So, if we get a complaint about child pornography, we're not going to do the investigation ourselves. We're going to send it to our contacts within law enforcement. They'll verify whether it is indeed child pornography. And, if it is, it will come down. Another point that Greg made is that one of the goals we have is to not hinder existing investigations. So, if there is an investigation going on that we find out about from law enforcement, you know, we don't want to necessarily take it down. Or, alternatively, we might set up a honeypot or direct the traffic to a honeypot so that law enforcement can collect their vital information. Again, this effort is still very nascent among all the registries. And we encourage all the registries to take part in this effort so that we can share more data and stop this nefarious activity.
>>GREG RATTRAY: Thank you, Jeff.
We're still quite right on schedule. So next up is Oscar Robles Garay, chief executive officer of NIC Mexico and chairman of the board, ccTLD. So, Oscar, over to you.
>>OSCAR ROBLES GARAY: Thank you, Greg. Yes, this is a very good idea to discuss these kinds of topics, and -- but, unfortunately, it's not easy to implement if the relevant authorities are not properly involved in these kinds of discussions. What I will try to tell you is what we have done in the past regarding these kinds of activities. In 2007 we engaged in a discussion with our advisory committee to allow NIC Mexico staff to identify and shut down phishing Web sites and shut down the domain name. Sounds like a good idea, but it wasn't very easy to implement. First, because we were jumping into the regulation of the conduct of our customers, which is the regulation of content, which, by the way, is not our faculty, is not our activity. It is the activity of the authorities, not of NIC Mexico. But, second, even if we were successful in the regulation of this activity -- and this is a small effort, by the way, because it is only a small part of all the issues that we are discussing at this table -- there was a real risk of later implementing similar actions to prevent other kinds of misconduct on the Internet, which is far beyond our scope. So we don't want to step into these kinds of discussions. We don't want to step into these kinds of activities to regulate what is conduct, even though they are our customers. So, regarding the decision to regulate these conducts, we decided to refrain from doing so. So we didn't do it. But that doesn't mean that we didn't do anything in this regard. We entered into communication with the federal Mexican police, the relevant authority for these cases, in order to establish a proper mechanism to incorporate them in the discussion and the resolution of these problems, because that could be seen as a misuse of a domain name.
But as some of our colleagues just mentioned, there are a lot of implications behind this misuse of domain names, and most of them have to do with real fraud behind this. So we were successful in this. And we have shut down some Web sites, I mean, domain names that are used in illegal or fraudulent activities. And that's what we have done. Similar to what Tim Ruiz from Google mentioned, we entered into contact with the relevant authority and saw what we can do regarding our contract with our customers and regarding the local law in Mexico. Considering that we're not only a registrar, but we're also a registry. We are the one in charge of the dot MX on file. So, currently, we have been successful, as I was mentioning, in sending some cases to them. And, in coordination with the computer emergency response team at the national university, CERT-UNAM, we've been able to take down some domain names. So the best part in this is that always the authority, the local authority, has been involved with the decision. And we haven't had to take any individual or unilateral decision in this regard. Thank you.
>>GREG RATTRAY: Thank you, Oscar. Next we have Bobby Flaim, supervisory special agent of the U.S. Federal Bureau of Investigation. So Bobby, you're up.
>>ROBERT FLAIM: Hi, thank you. Very nice to be here. Just to let you know some of the FBI efforts in cybercrime as it pertains to domain names. First of all, I work at FBI headquarters, which is the administrative arm of the FBI. And how we deal with cybercrime within the FBI -- and we're just one of a lot of American law enforcement agencies that deal with cybercrime. I know the Secret Service does, the Postal Inspector does, and there's a few others. But, insofar as the FBI, we have 56 field offices throughout the United States. Each of the field offices has a cybercrime squad.
Some of our larger offices have between 3 and 4 cybercrime squads, in which we deal with all types of cyber crimes, from intrusions, phishing, malware, botnets, the whole nine yards. That's number one. The number two thing that we do is we have an Internet Crime Complaint Center, where we actually take in via telephone and also via the web criminal complaints -- or not criminal complaints, but complaints of suspicious activity on the Internet. And last year alone we received 275,000 complaints, which is a 33% increase over 2007. Based on the preliminary cases that were referred, there was about a quarter million dollars in damages. As you heard from Jeff Bedser, that's just a very small percentage. So, obviously, there's a lot going on out there. And this is just a small portion that we alone are seeing. The other thing that we also do within the cyber division -- we actually have a cyber division at headquarters that administrates all of the 56 field offices -- is we have a cyber fusion center, which actually deals very specifically with phishing, malware, botnets, spam, so on and so forth. And many of the panelists on here have already dealt with them on many occasions. The other thing that we do is we also work with industry. The best way to find out what's going on with crime on the Internet is actually to deal with the people that see this and deal with this on an everyday basis, which is the registries, the registrars, the Internet service providers, ICANN, the RARs, everybody. And how we have effectively engaged, or we have begun to engage, is we're part of the registry safety group. We've dealt a lot with Rod Rasmussen and his Anti-Phishing Working Group. We've dealt with Microsoft. They have a lot of botnet initiatives and conferences. We've also attended those.
Another thing that we also do on the field level: each one of our FBI field offices has what's called InfraGard, which is community outreach to the business leaders of our community with the slant, obviously, towards Internet crime and what's going on on the Internet and how we can facilitate more security and stability on the Internet and address their concerns on the very local level. The other thing that we do is we also deal very effectively with our other law enforcement partners throughout the world. You're going to hear later from RCMP, who is on the panel here. We deal a lot with them. We have U.K. law enforcement here. We have Mexican law enforcement here. And we get together and we compare notes. And we try to strategize very broadly and internationally as well. As you can see, there's lots of different ways that we do it officially. We do it through liaison. We do it in many different ways. But always, again, there's a lot more to do. We need a lot more help, like everybody else. We can always use more bodies and more funding, but that's just the nature of the beast. So thank you very much for being here. And I guess I will just pass the mic.
>>GREG RATTRAY: Bobby, thank you. I do have an announcement before we start with Vanda, which is that right now, in terms of translation services, only English and Spanish are available. I'm told that French will be up soon, but there isn't an estimated time for the fix. And there are headsets outside. And I would encourage -- I have a few questions for the session after Vanda speaks. But anybody else who has a question, please write it down and pass it up. So with that, I'd like to introduce Vanda Scartezini of the at-large committee, former ICANN board member, and cofounder of Polo Consultorias. Vanda, your turn.
>>VANDA SCARTEZINI: Thank you. My point here is to put some ideas about what the users are facing besides the technical problems we just heard about from our colleagues.
There are some other issues that are beyond the capacity of users, innocent users, most of them, to deal with. And they are mostly to do with the legal frameworks external to their countries and sometimes even political issues. For instance, the (inaudible) existence of law enforcement in many small countries and less developed countries where some operators go, so users can be victims of those services. The reality of multi-jurisdiction is another issue for innocent people around the world. They can be sued, for instance, for reasons they may not be aware of, and in another country, and how can they face the cost of defending themselves about that? I believe the only alternative is to have an international collaboration to get some issues done in their own countries. There is a lot of things to do. There is nothing really on the table for that. We have the Budapest agreement. But until now it's very restricted and mostly not applied in many countries. So it's something that we need to deal with. Another important issue, I believe, is what we call the discrimination by location. Even when the crime is detected and solved, sometimes they cannot be compensated because they are not resident in that country. So how can they be, you know, compensated for the loss they have? But there are other issues in local legislation that I believe people need to fight, to have those legislations in a better way to defend their rights. For instance, to give more -- much power to the ISPs, for instance, to allow them to shut down the domains without a real and clear process to do so. Or even the demand for long-term logs, for instance, could be good for the police to get, you know, the criminal. But let's think about the developing countries and small communities. The people cannot keep the logs for so long. The storage cost of this will impact many of the small ISPs, and they may shut down if it goes into the local legislation.
Or even some protection about the bad use of those logs. Well, there is a lot of issues that we need to discuss about the users' perspectives. And, just to finish, I will encourage people to participate both on the technical side but also at the local level to avoid legislation abuse. And later on we'll have some opportunities to talk in Spanish for the community, the Spanish community, about what is going on in the legislation on our continent. Thank you.

>>GREG RATTRAY: Thank you, Vanda. I think we're pretty close to on time. I believe there's another set of questions coming up. I already have a few right here. Thank you. So I'm going to start with the questions that I have in front of me. The first one we actually don't know the originator of the question. I'm actually going to ask both Jeff Neuman and Bobby Flaim to provide a perspective on this. The question reads as follows: It seems like a lot of the examples and case studies are at least partially dependent on cooperative relationships to address. True? And, if so, are you concerned about how this can scale with Internet growth? So I guess, Jeff, I'll have you go first. A couple of minutes and then Bobby.

>>JEFF NEUMAN: Sorry. Can you repeat the last part of that? Sorry.

>>GREG RATTRAY: The last part is that, given that the response is largely collaborative, will this scale with Internet growth?

>>JEFF NEUMAN: You know, that's a good question. The first part is yes, it does rely on collaborative effort with law enforcement. I know Adam Palmer will be up here in a little bit to talk about the Internet registry safety group, which is an initiative by the registries to come up with some way to share important data with all of the other registries, gTLDs and ccTLDs, to make them aware of what's going on.
And, you know, for example, when we do an investigation on a dot biz name, oftentimes we'll find a dot com, dot net, dot info, all sorts of other TLDs because, generally, they're not focused on one TLD. And we'll on our own send that information to the registries, and the other registries will send us information. And the same thing is true with law enforcement. So we're trying to find a way that we can come up with a standard data sharing plan to involve law enforcement and the registries.

>>ROBERT FLAIM: Yes, I would certainly echo Jeff's sentiment. With any type of law enforcement, it's critical that you deal very effectively with the community, with businesses. Because that is where you get your best information from. Obviously, even with the FBI, even though we're very well known, we are actually, if you look at the numbers, a very, very small agency considering what our scope and our duties are. So it's critical for us to actually make sure that we work very well and that we have the proper contacts with people within the community. And, like Jeff was saying and I mentioned earlier, we were an observer with the RISG, the Registry Internet Safety Group. And we look forward to any type of contacts and working with all of industry. And absolutely it will scale.

>>GREG RATTRAY: Thank you, Bobby. I have a pretty robust set of questions now. So I'm going to take, let's see. I'm going to take this one. Actually, it's from Doug Brent, ICANN COO, to Greg Aaron, which is: How big an abuse team does Afilias need to investigate and effect take downs -- or to effect the named 80,000 take-downs in a year?

>>GREG AARON: Where are you, Doug? It's a hard question because we sometimes have people involved in our NOC or our tech support teams also involved. But we've got, like, a couple of people who are doing investigation, you know, on a full-time regular basis, and then we have support from other groups.

>>GREG RATTRAY: Sorry, Greg. We're looking at the questions. Thank you.
So we have another question for Bobby Flaim from Ramos Neija. And I've got translation services from Alejandro. So how much cooperation do you get from ISPs regarding combating child pornography?

>>ROBERT FLAIM: For the most part, it's very good. We, actually, have what's called an Innocent Images group that deals specifically with child pornography. And, as you can imagine, it would vary. But I would say I'm not 100% familiar with everything that Innocent Images does and who all their contacts are. But we have been extremely satisfied with the cooperation we have gotten from ISPs and registries and registrars in dealing with child porn. It's such a huge problem. But, by and large, it's so universal. And the reaction to it is so universal that we actually deal very effectively with the industry in combating the problem.

>>GREG RATTRAY: Thank you, Bobby. A few more questions. So to Tim Ruiz at Go Daddy, how do proxy or privacy services affect what you're capable or willing to (off microphone).

>>TIM RUIZ: The way our proxy service works is it actually has an agreement with the beneficial user, we'll say, of the domain name. And the terms and conditions of that agreement are very much the same, if not identical, to what we require of any registrant. So, if we get a complaint of abuse or activity on domains by proxy, we take the same action as we would with any other name.

>>GREG RATTRAY: Thank you, Tim. I've got two questions left. Both are fairly global. So I'm going to give Rod, who's been targeted by the first one, the chance to answer. With all the flaws in the Internet architecture, some researchers have proposed a clean slate approach. What do you think about it?

>>ROD RASMUSSEN: It's instead of building the 747 mid-flight, we're going to land the thing and take off with something new again. Just, as a general opinion, I think we're way too far down the train track at this point with this engine, to use another analogy.
And there are far too many vested interests from governments, commercial entities, et cetera, in the current system to just call a halt to it and say we're going to rebuild the entire infrastructure. So in the community, the security community, we deal with this all the time. And there's always proposals for things like that. But they never really go anywhere. I just wanted to say one thing. Bobby gave me far too much credit. It's not my APWG. It's all of ours; I just happen to show up at the meetings a lot. So I would encourage anybody who is interested in this and the phishing phenomenon, in particular, we have an open membership. You can come and join us. So on behalf of the APWG, I'd like to say thank you for having us here, and we would certainly like more participation. We're very happy with what we've gotten so far.

>>GREG RATTRAY: Thank you, Rod. I think I'm going to use the remaining three minutes or so and actually ask the panel this question because the question is addressed to everyone, which is: what does the panel believe will be the impact on e-crime with the expansion of new gTLDs if the current issues remain unaddressed? Rod, you get to skip this one. I think I might just go down from Tim and then down the table, if you can just make a quick comment on the most important point you think in that regard.

>>TIM RUIZ: I think the most important point for me is I don't think it will serve to facilitate or expand e-crime. I think it's going to continue to be a problem until we do what we can to address it. The number of gTLDs isn't going to have as big an impact as if we just sit by and do nothing.

>>JEFF NEUMAN: Yeah, I want to agree with that. You know, it's amazing. But, you know, there's always that argument that the more TLDs you have, the more crime you have. Especially with the types of e-crime we deal with -- the phishing, pharming, malware and bots. It's really, for the most part, TLD agnostic. They don't care what TLD they use.
They don't even care, most of the time, what name they use. Right? Whichever names they can get the cheapest or wherever they can go where there's the least likelihood to be taken down, that's where they're going to go. Most of the names we see used in phishing or pharming, at least in dot biz, are like klp249k6.BIZ. It's a nonsensical name that has no meaning. So just -- increasing the number of TLDs is not going to increase the crime. People who want to commit crime are not going to now commit more crimes because there's more TLDs. They're still going to commit the crime on the existing amount of TLDs.

>>OSCAR ROBLES GARAY: I will use an analogy on this. You will note in some countries the increase of drug dealers in the schools is becoming bigger and bigger. That doesn't mean that we should stop building more schools. We should fix the problems. Engage the authorities and all the relevant parties and try to solve those issues. The domain names are not the problem. It's the reflection of social conduct.

>>VANDA SCARTEZINI: Yeah. From the point of view of users, I don't see that it will increase or decrease. It will be the same. Because, for one side, they can have small communities in the small TLDs and maybe not so, you know, interesting for any attack. But, certainly, they can be less technical to defend themselves. So you'll be compensated for one side or another side. So I don't see that the new TLD will have any impact really in the crime scene. You want to --

>>GREG RATTRAY: Rod, you want to take a shot at this, too?

>>ROD RASMUSSEN: Just a couple thoughts here. We've already seen patterns. In fact, Greg Aaron and I do a study semiannually for the APWG on patterns of phishing across different TLDs. It's quite obvious that phishers will target those with the weakest link as far as security procedures and policies, et cetera. So, introducing new gTLDs will have a larger threat space, as we call it, and more opportunity for criminals to get into there.
However, it's also an opportunity, if we think about this right now and actually include that in part of the process for the new gTLDs. The other problem is we've had problems in the past with registrars and resellers of registrars who are either shady or directly connected to online -- organized crime. As you have more registry operators, there's a larger opportunity for somebody in that community to get into the system. At the registry level that has far more impact than at the registrar level.

>>GREG RATTRAY: Thank you, Rod. And thank all the panelists. We're about out of time. There is a question remaining. There may be another one or two in the queue. They'll be posted in the chat room. And I would ask the panelists, when they get a chance, to take a look at the chat room. And, if they're directed to them, answer those in the chat room. So with that, I'd like to thank the panel and turn it back over.

[Applause]

>>GREG RATTRAY: And one other administrative announcement. The French translation is now online as well.

>>DENISE MICHEL: While we are changing panelists, I have a quick announcement. Will George Atenio, Mandaher Labidi, Eduardo Diaz, and Neil Schwartzman see Leslie on staff in the back of the room. Thank you.

>>LYMAN CHAPIN: Thank you for bearing with us while we do another changing of the guard. This is a difficult exercise. We are exceeding the capacity of the table here. This panel is going to operate according to a slightly different model. The first two sessions laid out the landscape of e-crime, what it is, how it works, and how law enforcement and other groups are responding to it. And in this session we're going to talk about the role of ICANN and its stakeholders in responding to e-crime in the use of the DNS. And we are looking in particular at the way in which current gTLD and ccTLD policies and the contractual obligations of registries and registrars and the effects of efforts of industry groups outside of ICANN contribute to that response.
So we have, I believe, either nine or ten speakers, and we have just 30 minutes. So I have asked each of the panelists to be brief in introducing him- or herself, and then we'll move into a format in which I will ask questions that will be picked up by one of the panelists and then spark a discussion around the rest of the panelists. I would like to encourage people in the audience that you can write questions on index cards. And we will take those questions at the end. Steve, you are at the far end of the table. If you want to give a quick introduction and then we will start.

>>STEVE METALITZ: Did you just want me to introduce myself? I couldn't hear what you said.

>>LYMAN CHAPIN: Please just introduce yourself because we are not going to do this as a presentation format.

>>STEVE METALITZ: I am Steve Metalitz. I am president of the intellectual property constituency at ICANN.

>>GARTH BRUEN: Garth Bruen from Knujon.com.

>>ANDY STEINGRUEBL: Andy Steingruebl from PayPal.

>>ADAM PALMER: Adam Palmer from dot org, the Public Interest Registry.

>>ROELOF MEIJER: Roelof Meijer of SIDN, the registry for dot NL.

>>DAVID GIZA: David Giza, senior director of contractual compliance with ICANN.

>>JON NEVETT: Jon Nevett from Network Solutions and chair of the registrar constituency.

>>RUDI VANSNICK: Rudi Vansnick, chair of ISOC Belgium and board member of the EuRALO at-large.

>>LYMAN CHAPIN: I am Lyman Chapin. I am just moderating but I am also a former director of ICANN.

>>MARC MOREAU: Marc Moreau. I'm with the Royal Canadian Mounted Police.

>>LYMAN CHAPIN: Questions that we are going to present to the panel are going to be displayed on the screen. For the benefit of those getting translations, if I read them -- I will read the questions. The first question is: what are the top two challenges faced by consumers, interveners and law enforcement agents when responding to e-crime and DNS abuse? And Garth, I think you are the point man for this question.
Let me know if you need the hand-held mic.

>>GARTH BRUEN: Thank you. When reporting abuse and fraud, instead of being helped, the consumers are often pushed into a maze with no map. Obfuscation by industry experts -- experts at manipulating hosts, ISPs, registrars and the general architecture of the Internet -- confounds investigators. There could be potentially a dozen or more companies involved in the promotion and execution of a single illicit transaction domain, and often, these companies are distributed through different countries. And this is done on purpose. Within this complex structure, there is significant misdirection and falsification deliberately put into place to frustrate investigators and consumers. The deep manipulation of registrars and resellers can only happen if the registrars and ICANN allow it. In these cases, we can use policy, not just technology, to fix this. And I'll keep that short. Thank you.

>>LYMAN CHAPIN: Rudi, do you want to chime in on that one?

>>RUDI VANSNICK: First, thank you for giving us the occasion to speak up in the name of the Internet users, the consumer, as part of the at-large community. From the point of view of the user, the domain name space is fuzzy, fairly difficult to understand. If we look at the presentations we have seen before, if you would show these presentations to a citizen, he or she would probably never get to the Internet; at least I wouldn't. In that regard, it seems to me that the big challenge for the ICANN community is to clarify the positions and responsibilities of each of the parties involved, be it registries, registrars, or registrants. And on top of that, I think that ICANN has a specific role to inform all of us what to do when it goes wrong. And I would like to use something which is used in the automobile industry. It helped a lot of people, a lot of us, to not get lost in the streets.
And perhaps an ICANN GPS would be a solution for not getting lost and to find the way we could have solutions. Just pointing out that the upcoming new gTLDs process and the IDNs especially will make it more difficult to understand the road signs, to understand the street names, and to not get lost somewhere in the middle of the jungle. The challenge will be to keep that GPS updated and correct. And I think it is also the need of the global world involving government, registries, and all the other parties, but certainly the user should not be forgotten, as the user is the one who knows if the roadmap fits, if the others are correct. And I hope I made clear that it is not a job of one party. It is, rather, the job of all of us working closely together: governments, policy, technical partners, and last but not least, the consumer, who pays most often for the final result being good or being bad. And I'm almost sure that the at-large community is ready to take up the task and make the ICANN GPS the tool you all need.

>>LYMAN CHAPIN: Okay. Marc. It takes a while to warm up.

>>MARC MOREAU: With regards to challenges from the law enforcement community, I would say that the top two challenges are really the preservation of the evidence and also retaining the integrity of that evidence. I know it's not sexy, I understand that, but there are reasons why we need to have that and to contain that and assure that we can bring that before the courts as well. That's of the utmost importance. Now, the problem that we have, and Jeffrey had mentioned that in his previous presentation, and I can add this, because I can add a whole bunch. I know you are asking just for the top two, but there's a whole bunch; one of the ones that we have is certainly jurisdiction. And with jurisdiction, that really touches on all the different various countries. Everybody has their own laws, and that's understandable and that's fair.
In Canada, for example, what we have, the federal -- we have federal police, we have the provincial police and we also have the municipal police. So whenever we get a complaint, we have to triage and figure out who is going to lead that investigation. So that's not always an easy process because in some cases there are no police services available to really lead those investigations. However, I have to say that in Canada, we do enjoy an excellent working relationship amongst all the different law enforcement services. I could add, for example, that we have somebody here from the Quebec provincial police, (saying name) is here, and I think that is just a demonstration of other police services in Canada that recognize the importance and the need to attend these types of meetings.

>>LYMAN CHAPIN: Thank you. We'll move on to the second question. What existing ICANN or ccTLD policies or contractual obligations are useful in the fight against e-crime, and which ones are not effective? And I think it's natural to start this with David Giza.

>>DAVID GIZA: Thank you. And I'd like to inform the audience that I am the new senior director of contractual compliance at ICANN. I am very happy to be with the organization. I just want to go on record and reassure you that ICANN fully understands the importance of e-crime, and we are clearly intending to define our role going forward with the help of all communities. Specifically with regard to the question, I think many of you know that the GNSO has a Fast Flux hosting working group that is doing some excellent policy development work in preparation for what will become, I believe, a very significant policy that can help us address e-crime. From the contractual compliance world, many of you may know that in our Registrar Accreditation Agreement, we do have certain provisions there that are useful in addressing e-crime, and I would like to just spend a minute and tell you what they are.
One in particular is section 5.3.3 of ICANN's Registrar Accreditation Agreement. Most of you won't know what that section is from memory, and quite frankly, neither do I, but I know it well enough because I have written it here and have worked with it to tell you that it's a clause that basically allows ICANN to terminate a Registrar Accreditation Agreement when registrars are convicted of a felony or a misdemeanor related to financial activities, or judged by a court to have committed fraud or breach of a fiduciary duty. Now, you may be asking yourselves, has ICANN ever used that particular provision to actually terminate a registrar, and the answer to that question would be yes. Just this past year, in 2008, we terminated a registrar called EstDomains because one of its principal officers was convicted of financial fraud. That is one example of how we use that tool in our Registrar Accreditation Agreement, I think very proactively and effectively. Another point I just want to raise is concerning the issue of spam: there is a section in our RAA, 3.7.8, that requires registrars, as many of you know, to investigate WHOIS inaccuracy claims. And I think registrars generally do a good job in that regard. And that provision was intended to put registrars in a position where they would receive, from ICANN, WHOIS inaccuracy claims and then it would be incumbent upon the registrars to conduct an investigation, and many registrars do that, I think, very diligently and then they report back to ICANN in some instances, but not all, what findings they have with respect to their work. I think that that's a particular tool that, although it doesn't directly address the massive spam problem, we do believe that we can work more collaboratively, not only with registrars but also with law enforcement agencies, again to find a path forward that is based -- for example, on the good work that was recently done with the Conficker worm situation.
So in closing on that point, we are diligent and we are working very collaboratively with everyone at this table, including members of the community sitting in the audience, to, again, find a path forward to proactively address e-crime in the future.

>>LYMAN CHAPIN: Thank you, Dave. Would anyone else like to give a perspective? That's a good perspective from ICANN. How about someone from perhaps outside of ICANN? Maybe Garth or Andy?

>>GARTH BRUEN: Sure. Recently, thanks to Dave and some other folks, the WHOIS data problem reporting system has been greatly improved. I believe Sean Powell and Roman from ICANN worked on it, and I think they are doing a terrific job. And these kinds of tools are needed. More tools like this need to be added to the toolbox. But it's working so far.

>>LYMAN CHAPIN: Okay. Thanks. We are going to go on to the next question. Which one change in policies or contracts would be most effective to reduce instances of e-crime without inadvertent consequences? And why don't we start, Steve, with you.

>>STEVE METALITZ: Thanks very much, Lyman. I am going to answer this not with the one change but with the one goal that I think we ought to achieve, and that's better WHOIS data and better access to it. But I will make two modest proposals for changes in policies or contracts that might help advance that. One would be to require registrars to verify WHOIS data at the time of registration. As we heard on the previous panel, registrars, at the time of registration, generally have -- they do a credit card verification, so they have access to data that's more likely to be accurate. Then, of course, under the status quo, they go ahead and let people enter inaccurate data that is later publicly displayed in WHOIS. So it seems to me there are things that could be done to improve the accuracy of WHOIS data at the time of registration by tying it in with a credit card verification.
And secondly, more and more WHOIS data that is provided by registrants, whether it's accurate or not, is not publicly displayed because of proxy services. And we heard on the previous panel from one of the biggest providers of proxy services, Domains by Proxy. And I took down what Tim said, which was, "We never reveal customer information outside of public WHOIS data to any third party other than law enforcement unless there is a subpoena involved." Of course Domains by Proxy runs pursuant to section 3.7.7.3 of the Registrar Accreditation Agreement, and I haven't committed that to memory either, but I do recall that it says in a situation like that, if someone comes to Domains by Proxy, and I'm singling them out but they were on the previous panel, and provides reasonable evidence that the domain name is being used to inflict harm, I would say a category that includes the commission of e-crimes, they have a choice, then. They can either reveal the actual registrant data or data for the beneficial owner, as I think Tim called it, or they can take on all the responsibility, all the liability for any of the crimes the person is committing using that domain name. Well, I guess Domains by Proxy and GoDaddy are taking on a heck of a lot of liability now if, in fact, they never reveal customer information to any third party unless there is a subpoena involved. That's not what the Registrar Accreditation Agreement says they should do, and I think better enforcement of that provision and clarification, if it's needed, of what that requirement requires would be a step forward that ICANN could take. Thank you.

[Applause]

>>LYMAN CHAPIN: Thank you. Jon.

>>JON NEVETT: Sure, thanks, Lyman.
I think that the -- to answer the question, in addition to what Steve said, and we could talk about that in a little bit, but the biggest change in policy or contracts that would help reduce instances of e-crime without inadvertent consequences, and let's not forget the last clause, but I think today was a day that is important in the fight against domain abuse and other nefarious activity in the Domain Name System. The GNSO Council this morning unanimously passed a set of amendments, or recommended to the board a set of amendments, to the Registrar Accreditation Agreement, and the biggest change in that set of amendments is additional compliance and enforcement tools for ICANN to ensure that registrars are complying with the Registrar Accreditation Agreement. Registrars, before this set of amendments goes into effect, are not subject to audits. We are not subject to fines, we are not subject to suspensions, we are not subject to group liability. And all of that is going to be taken care of with this new set of amendments. So we -- I think that's a great development. While the set is not perfect, and we are going to talk about other changes in the future, it's a very important step, and this agreement has not been amended since 2001. So the modernization of the agreement and these additional enforcement tools will give David and his team the ability to go after the registrars that are not complying, to level the competitive playing field, and to make the Internet and registrants and users safer. So I think that's a big win for this whole room.

>>LYMAN CHAPIN: Thank you. The first set of questions that we have just gone through focused on ICANN. The next set of questions is going to focus on other industry groups. The first in the next set is: what industry efforts have been undertaken in the community to curb the rise of e-crime and DNS abuse? And a sub-question is, to what extent do ICANN contracted parties or ccTLDs participate?
And Adam, why don't you take the first stab at that one.

>>ADAM PALMER: Again, I am Adam Palmer. I am policy counsel at dot org, the Public Interest Registry. Earlier, you heard both Jeff Neuman from NeuStar and Greg Aaron of Afilias talk about the abuse policies that those registries, as good responsibility within the registrar community, have taken on themselves to adopt. Dot org has recently adopted a similar aggressive policy against abuse. But what we have also realized as a registry and ICANN community is that we have to do other projects collectively, and not just individually. And that each of us may have different views and different ideas that we can bring to create a safer ICANN community, a safer Internet. At the India ICANN, we had the first meeting of the Registry Internet Safety Group, RISG, which you may have heard of. It was designed as a collaborative effort to share ideas for best practices, to facilitate dialogue, and to combat domain abuse. Currently, in the spirit of cooperation, there are not just registries and not just gTLD registries, although there are several of us, including dot org, NeuStar, Afilias, but there's also registrars, such as Jon Nevett with Network Solutions, Melbourne IT and GoDaddy; also part of this group are international members such as Nominet and Roelof with SIDN, his -- the international ccTLDs. We also have security vendors, such as Cyveillance, MarkMonitor, and Symantec, and McAfee. So it's a group that has a wide viewpoint, can offer different angles and ideas to combat domain abuse. To follow up, what we are not and what we are striving not to be is censorship or Internet police, but we do want to collaborate against domain abuse and to adopt best practices, and we are currently in the effort of finalizing some data sharing programs amongst all our members that include, also, law enforcement members as observers from both the U.K. and the FBI federal law enforcement.
Again, this is an ongoing effort that meets regularly to address and fight some of these issues and to self-regulate against abuse within the industry.

>>JON NEVETT: Thanks, Adam. In addition to the Internet registry safety group that Adam mentioned, the Anti-Phishing Working Group, which you heard from Rod about in the last panel, and the registrars collaborated on a best-practices document that was issued this past October, so a few months ago. The APWG visited the registrar community on two or three occasions, and we worked very hard in getting out a document that hopefully all registrars will adopt, because they are the best practices to help avoid and fight phishing.

>>LYMAN CHAPIN: Anyone else like to comment on this question? Okay. We'll move on to the next one. This question reads, "Which types of data sharing or informal cooperation is or should be taking place?" And the two subquestions are: to what extent is more information sharing or additional cooperation needed? And what additional types of information would be appropriate? And Andy, I think you were going to take the lead on this one.

>>ANDY STEINGRUEBL: Sure. At PayPal we do outreach with a number of different organizations. I wanted to highlight, I group it into three areas. What I am deliberately not going to talk about is all the per-incident handling we do in the investigation of a single fraud claim or something like that. So I group the outreach and data sharing we do into three groups. One related to law enforcement, the other related to industry and community groups, and the third one, independent security researchers. So on the law enforcement side, we actively work with law enforcement in quite a number of countries on both responding to their requests for information as well as reaching out to them with information about criminal activity.
And to address the greater data sharing piece, one of the things we have seen across both PayPal and eBay and that you will see in the news quite a bit, I think, is the greater information sharing about what actually constitutes e-crime and how do local authorities or state authorities, wherever they may be, investigate it? They don't always have the tools to do so. And so the greater information sharing in that area is really training and awareness for those law enforcement agencies that we're asking to help out and take on cases, because they may not know how to actually investigate or how to process the data we actually give to them or other organizations give to them. I wanted to single out a couple of industry community organizations we participate in. There's -- We're a sponsor for stopbadware.org as well as the APWG. We participate in the FS-ISAC and FSTC to do data sharing amongst industry groups related to phishing, other spoof sites, fraudulent activity, malware analysis, things we have seen, people feeding us data and so on. I think what would help in those areas, not enough people know about those, not enough people subscribe to those feeds, even though a lot of the data is free. So to the extent that more people subscribe to that data and bundle it with their products to actually block malware sites, to block phishing sites from users' browser or at the ISP level, the better off, I think, we'll be. And the third group I want to single out are individual security researchers, or teams of security researchers. They may not be affiliated with one of those groups. We do a lot of research sharing with individuals related to some of the work that some of the DNS spoofing folks have been doing out of IFC, out of Georgia Tech, related to exactly how much DNS spoofing, active spoofing, is going on right now. So you see a lot of research in that area. 
And so collaborating with them to figure out what's going on so we can understand the scope of the problem, how many people are really getting harmed by it, and so on. >>LYMAN CHAPIN: Thank you. Any other comments from the panel? Okay. The last question that we are going to deal with before we get to questions from the audience and from the chat room is, what policies or contract terms do the recipients of takedown requests, such as registrars, registries, or ISPs, rely on in responding to e-crime? And what procedures are followed upon receipt of takedown requests related to e-crime? And Roelof, I think you were going to start on that one. >>ROELOF MEIJER: I will answer that one mainly from a registry perspective. One can fairly argue that there are laws, there is law enforcement, and as a registry, you have nothing to do with whatever your registrar does with his domain name. And you should just await a court order or a subpoena before you do anything. I have to admit that that was the policy of SIDN until a few years ago, and we have shifted since then for exactly the reason that Greg Aaron phrased in the previous panel, that we want our TLD to be a safe place, a safe Internet environment that can be trusted by the users. So what do we do about that? We have contracts with all our registrants, and of course with all our registrars, in which we have abuse policies that enable us to intervene or to instruct a registrar to intervene. Another example is that we demand from our registrars that they verify registrant data, that they keep them accurate, and that they are always able to identify the registrant if there is a problem. And if they can't, that's already grounds for cancellation of the domain. 
Another recent initiative that we were part of was a code of conduct for notice and takedown, which was supported by about 80%, so far, of the ISPs in the Netherlands, and about 50% of the hosting companies, which ensured -- implies that if a party gets a complaint of illegal or criminal content or use of a domain, that he has to take that complaint and do something with it. We heard from one of the first speakers that users get frustrated because they file a complaint and they never hear anything about it, and that's exactly what this code of conduct tries to address. It doesn't mean that the party that gets the complaint is the one that has to take the final action, but it means that he has the responsibility to transfer the complaint to the party that can take action. So first, of course, to the owner of the information, if it's about illegal content, and if that doesn't work, to the owner of the Web site, and if that doesn't work, to the hosting party, et cetera. And finally, they might come to us, although I have to say that very rarely happens. We had only two of those requests in 2008, both of which we followed up on. But, well, we seem to be very effective in our measures to make the dot NL zone into a safe environment because we always do very well on the list of the APWG and other reports. >>LYMAN CHAPIN: Thank you. Marc. >>MARC MOREAU: From a law enforcement perspective, you really had me worried at the beginning when you answered that question, when you were saying you were just leaving it up to law enforcement to come and serve the subpoenas to shut it down. So I am extremely happy to hear, and I think that's the point that I want to make is I think everybody has realized and has evolved, I guess, and everybody has matured as to what the experience of the end users can be within the society that we have today. So I commend everybody that has worked towards that, that mean and that end. 
And I hope that we can go forward, because ultimately, what we want to be able to do, and I think with the people that I have been around, this is my third ICANN meeting, and the more I speak to the different people involved in this community, I think there is an effort there to make it more of a safe experience. And hopefully we can all share in that responsibility, and I think we are. So I commend everybody. >>LYMAN CHAPIN: Thank you. Jon. >>JON NEVETT: Thanks. As far as a registrar perspective, the keys to succeeding in responding to these takedown requests are having a very strong acceptable use policy in contracts with our customers, and dedicated staff that look at these issues as soon as they come in, in a timely manner. We have 24-by-7 folks that are ready to look at any of these complaints that come in. And depending on the complaint, we will either reach out to the customer or even suspend or delete the name, depending on the circumstances. We work very closely with third parties, law enforcement, NCMEC on child pornography. So we are very active in those areas. The key is, from my perspective, the experience of the end users, as you just mentioned. Not only are we a service provider but, at times, we can be a victim ourselves. I recall an instance a couple months ago, there was a phishing against us, and it wasn't obviously registered at Network Solutions, but we reached out to the registrar, who wasn't available. It was in China, so it was difficult to reach them from the U.S. with time differences and everything. And then we reached out to the registry, and the registry didn't take the same approach that you did at that time, and it was very difficult because, you know us. Take down the name. And they were, well, give me a court order. So, I understand the frustration of being a victim of a crime, and, you know, if we could come up with some best practices for the registry group and registrars, that would be incredibly helpful. 
>>LYMAN CHAPIN: Anyone else have a comment on this particular question before we move on to questions from the participants and audience? No. Okay. That's the end of the list of canned questions. I want to encourage people to make use of the white cards that are being handed around by the ICANN staff to write down questions. We do have a question from the ICANN chat room that is directed specifically to one of the panelists, to David Giza. And it reads: RAA, Registrar Accreditation Agreement clause 5.3.2.1 applies to registrars. Why not to proxy servers? >>DAVID GIZA: Thank you for the question. The short answer is that ICANN today does not have a contract in place with a proxy server. For example, let's say a law firm. And so that provision has not been interpreted as essentially enforceable or binding on a proxy server. >>LYMAN CHAPIN: Okay. Are there any cards coming up from the audience? >>STEVE METALITZ: Lyman, can I chime in on that question? >>LYMAN CHAPIN: I should lean forward. Yes, please do, Steve. Yes. >>STEVE METALITZ: Thank you. I think Dave is technically correct. Of course we on the previous panel had a registrar describing himself as operating a proxy service, and the registrar has a contract with ICANN. But I think in terms of the Registrar Accreditation Agreement amendments that Jon talked about, and I agree with him that the action of the GNSO Council today recommending these new amendments was a big step forward, but another thing I think was very important in that resolution was the statement by the registrar constituency that they will work in good faith to discuss future amendments to the RAA. And I think this is a good example of why more extensive modernization of this agreement is needed. Because in 2001, proxy services were much less prevalent than they are today, and they also operated differently, and there are many other changes, of course, that have taken place in the market. 
So I hope that we will grasp this opportunity and that the registrars will step forward and work with us to try to improve this agreement on a fast track so that we can really get a 2009 era agreement in place. >>LYMAN CHAPIN: Thank you. Any other panelists have comments on that question? David? Okay. We do have a couple questions from the audience. And the first is a question for PayPal, for Andy. By moving your customer data to servers and databases in Luxembourg, you've made it extremely difficult for non-law enforcement to investigate fraud due to data protection laws. Do you have any mechanism planned that will allow us, under limited and legitimate situations, to gain access as we did in the past? Andy, does that sound like a fair question? >>ANDY STEINGRUEBL: It's a fair question. But one I, unfortunately, can't answer. But I'm happy to direct the questioner to the right people internally, if you'd like to catch me afterwards. >>LYMAN CHAPIN: Okay. Thank you. Second question is, what ccTLD policies or contractual obligations are useful or not useful in fighting e-crime? And that, of course, is a recapitulation of the question we asked. And the person who submitted this question asks us, "This time please answer this question." And the ccTLD is underlined. So I think the emphasis here is on ccTLD policies as opposed to gTLD policies. Roelof, I think that's to you. >>ROELOF MEIJER: Okay. So I'm not sure which question I didn't answer. What ccTLD -- I was talking about ccTLD policies. I think one of them, which is quite effective, is, effectively, we require our registrars to have actual and accurate identifying data of every registrant. I think that's one of the most effective ones that we have. So that's an obligation, and it's part of our policy. What is not useful? I don't think we have any unuseful clauses in our policy, to be honest. If I was aware of them, I would take them out. >>LYMAN CHAPIN: Okay. Thank you. 
Panelists, you should feel free to jump in with a comment on any of these if you feel you have something to add. The next question is: Wouldn't the use of proxy services by registrants be comparable, with regards to registrars and registries, to a bank taking in business from clients holding accounts in financial tax havens? Why not disallow proxy services altogether? Who would like to -- Jon? >>JON NEVETT: We don't operate a proxy service. But, you know, it's the unintended consequence piece that really jumps out at me on that one. Proxy services and privacy services are very popular because people want to protect their privacy. There are certainly a lot of folks that don't want to be harassed, don't want spam -- don't want to be spammed, want to keep their personal information like their address and phone number confidential. And the vast, vast majority of these customers aren't committing crime. So we don't want to throw out the proverbial baby with the bath water when we know that there's a huge market demand for privacy. >>LYMAN CHAPIN: I'll just add to that that there's been a very lengthy and sometimes passionate debate within ICANN, within the GNSO, concerning the tradeoff between privacy concerns of people who have, in many cases, particularly in individual specific cases, very legitimate concerns about exposing their information. This, of course, comes up in the WHOIS debate as well. And the tradeoff between that and trying to eliminate the kinds of abuses that proxy services can lead to, I think, is one that we're going to continue to have for some time. There are legitimate interests on both sides of that question. And certainly in the years in which I've been following that debate and that conversation, I haven't seen anything that looks like a clear resolution that would make either side happy. >>STEVE METALITZ: Lyman, could I chime in? >>LYMAN CHAPIN: Yes, Steve. Go ahead. >>STEVE METALITZ: Of course to say some ccTLDs do not permit proxy services. 
And it might be interesting to look at what their experience has been and whether the privacy of registrants really has been compromised by that. But there certainly are some legitimate services for proxy registrations in some circumstances, and it's well-entrenched in the gTLD world. So I'm not sure we can, even if we wanted to, turn back the clock on that. I think the important thing is making sure that those services operate according to very clear and -- very clear rules that help to protect consumers and help to assist in the fight against e-crime. I don't think we have that situation today. But I think it certainly may be achievable. >>GARTH BRUEN: I'd like to comment as well. Two points. I have to disagree with Jon politely that I don't think that WHOIS records are a good source of spam -- e-mails for spammers. It doesn't really -- they don't really get them that way. And, in terms of proxy services and privacy, privacy is very important. And I think one of the best solutions would be to draw a very firm line between personal usage and informational sites and commercial sites. By disallowing any commercial site to have a private or proxy record, you would preclude any fake pharmacy or counterfeit goods operation on the Internet. >>JON NEVETT: I have personal information of being spammed based on WHOIS. I registered a domain name, and I got an e-mail asking me to renew my domain name. I got a letter asking me to renew my domain name, and it had my expiration date. And, you know, I had no contact with this company before. So I'm not sure how extensive it is. Maybe a study on that would be interesting. But there's certainly some use of that. >>GARTH BRUEN: I do believe you. I just don't think it's a good source of information for them. I believe that people do get spammed because of it. >>LYMAN CHAPIN: Thanks. We have time for probably two more questions, because one of the questions, I think, is a pretty straightforward yes or no. 
Are amendments to registrar accreditation agreements being applied retroactively? >>JON NEVETT: The way the contract reads now, they are applied upon renewal of the contract. So, when every registrar comes up for renewal, they'll have the new agreement. Whenever any new registrar gets accredited, they'll have the new agreement. The other aspect that the community has gotten together and discussed is to add some kind of incentive to get the existing registrars to sign on early before the renewal date. So that way the registrar that takes on the additional costs of complying with the new agreement, changing their Web site, changing their contracts, adding their liability, all the other stuff, we want as many registrars as possible on the new agreement as soon as possible. So there might be some way through the ICANN budget that we could penalize registrars who don't sign the new agreement and incent registrars who do. >>DAVID GIZA: I'd also like to echo what Jon is saying with respect to the RAA agreements. I can tell you that compliance is very pleased that the GNSO approved the motion that was pending before them today. We're very hopeful that our ICANN board will act on that motion. And, as a result, we believe that within the next 18 to perhaps 24 months about 70% of registrars will be renewing their registrar accreditation agreement. And, as Jon pointed out, we're going to work very collaboratively with the registrar community to make sure we get them all on board as quickly as we can. >>LYMAN CHAPIN: Thank you. The last question, how can we get -- how can we get in contact with a registrar or registry in the event of illicit conduct? >>ROELOF MEIJER: Replying for SIDN, that's fairly easy. On our Web site is our contact. It has our telephone number. There's even a number for emergencies. >>RUDI VANSNICK: I'm happy that this question pops up. But it shows, again, that we need a clear roadmap. 
The person probably posing this question is sitting in the room, so he knows quite -- he or she knows quite a lot about the ICANN, about registries, about registrars. Nevertheless, they're asking this question. And, coming back to my proposal, we should try to find a way to get the best way -- when it goes wrong, the best way for the user to find the place where it can help. A Web site is not always a solution, as we have seen that in many cases. The Web site doesn't reflect the right information, as we know, that some of the registrars tried to fake as much as they can. So, saying that the Web site is a solution is for me not a solution. Perhaps having a good GPS of ICANN would help us. >>JON NEVETT: I believe ICANN does maintain a database of registries and registrars with contact information. Also, one of the new amendments of the RAA that we've been talking about requires every registrar to have updated contact information on their Web sites. So, hopefully, everyone will comply with that. >>ADAM PALMER: This is Adam also. I wanted to emphasize we've talked briefly about some of the abuse policies. As registries, we are not passively ignoring some of the crime or problems that are occurring but are taking active steps to address it and to prevent it. >>LYMAN CHAPIN: Okay. Thank you. We have about one minute. If there is someone on the panel who has a burning issue that they've been dying to mention but have not had a chance, you have about 60 seconds. No. Okay. In that case, I will thank all of you for your participation both in the form of listening to our panelists talk this afternoon and also by sending questions up to the front. I appreciate that. I'll turn it back over to Denise. And our next activity, I believe will be the breakout sessions. >>DENISE MICHEL: So for all of those in the audience -- [Applause] Yes, a great panel. Thank you. 
>>DENISE MICHEL: So, for all those in the audience who would also like to talk about solutions instead of just listening to problems, pick a breakout session. There will be staff at the doors with a sign. Let me run through these really quickly. The e-crime in Latin America session will be conducted all in Spanish in this main ballroom. So, if you're interested in e-crime in Latin America, move up to the front of the ballroom. And we'll have English translation if other people want to come. Consumer protection in existing gTLDs and new TLDs, there's an orange sign by the door. They'll take you across the hall to that room. Role of ICANN in e-crime, follow the blue sign there at the door. They're going to the second floor to your room. Law enforcement and ccTLDs, follow the red sign here at the door. They're just going to take you across the hall. And, while you're thinking and moving to your breakout session -- and be mindful, you only have an hour. And the results of this breakout session, all the breakout sessions, will be raised in the public forum tomorrow. I'd like to give a special thanks to the at-large summit participants and organizers for inspiring this forum and providing a number of topics, themes and also panelists. I'd also like to thank Margie Milam, especially, on the policy staff for pulling this event together and also, especially, Dave Piscitello on the policy staff, Rod Rasmussen, one of the panelists, and Liz Gasster for providing the initial ideas and structure to pull this forum together. I also want to let you know that there will not, unfortunately, be scribes at the breakout sessions. But we will have staff monitoring the chat room. So for those online on the chat room, feel free to offer contributions and suggestions to be incorporated in each breakout session. And make sure that you follow the signs that I've just announced and take a look at the rooms on this overhead. And find me or other staff, if you have any questions. 
And thank you again for participating.