No Such Weblog

The Hulk wasn't as successful as anticipated due to illegal copies of an early version that made it to the Internet -- at least that's what a report on German TV tonight wanted to make viewers believe, in the context of some IP-perspective reporting about our localized version of the DMCA. I don't buy that propaganda, though: The cinema trailer I saw earlier this year was certainly enough to keep me from watching that film.

Via CircleID comes a pointer to Bob Frankston's essay Implementing .DNS: We're selling numbers. Big numbers and we promise that we'll never sell the same number twice. The benefits: Stable URLs that don't suddenly point to unrelated content, and domain names that come without semantic connotations and all the baggage these bring into the game.

Alexander Svensson notes that .kids.us is going to be launched on Thursday. He takes a critical look (in German) at some of the questions that a kid-safe domain will have to face: Kid-safe content is a relative notion; a movie that's R-rated in the US can be considered harmless here. Also, the policies in place in .kids.us are so restrictive that the only content available is non-interactive, static, and un-linked. "Families would probably be better off with a CD-ROM with kid-safe content", Alexander writes.

While the objections are well-taken, I have a problem with his final conclusion, that not delegating .kids in 2000 may have been the best decision ICANN has ever made. On the merits, he's right. But should ICANN look at these merits? Shouldn't it have permitted a .kids domain, and let it fail?

Via Dave Farber's IP list: Reporters sans frontières has published a worldwide press freedom index that attempts to assess the actual freedom of the press throughout the globe. Surprisingly, the US is only on place 17 -- behind much of the EU, Canada, and even Costa Rica.

Via EUpolitix.com: European commissioner with responsibility for data protection Frits Bolkestein will tell colleagues that the EU has failed to obtain key safeguards on information European air carriers are compelled to give to the US authorities.

A large collection of documents related to communications interception (and its implementation), air line passenger data transfer, and related topics has made it to the web.

Ian Clarke -- founder of the Freenet project -- is planning to leave the US. GrepLaw serial interviewer Mikael Pawlo has talked to him.

The battle about the JAP anonymizing proxy continues: After a decision of the Lower District Court in Frankfurt to add surveillance features to the system had been suspended by the District court (details; code is law analysis), German federal police obtained a search warrant from the Lower District Court last Friday. The data captured while the surveillance measures were in place (a single record was collected) were turned over to police during a search conducted Saturday. The Lower District Court's decision to issue the search warrant is believed to be illegal, and will be taken to a higher court. In particular, there was no obligation to turn over the data until a final decision is reached on the legality of the original surveillance measures.

Press release: German / English

I just trackback-spammed another weblog, inadvertently: Movable Type believed the ping was unsuccessful when it had been successful, and trackback autodiscovery kept adding the URL to the list of sites to be pinged. I've now turned off track-back autodiscovery.

Feature wish for Movable Type: Dedupe trackback pings.

Mailing list discussion about the search against the JAP anonymizing proxy is taking off on FITUG's debate mailing list; a quickly-updated unofficial archive is here.

ALAC proudly presents: alac.info (aka: Blogging At Large), the committee weblog. The hope is that we can turn this into a place where you can regularly find first-hand notes from committee members on current topics.

Of course, alac.info has the blogging software's comment feature enabled, so please feel free to let us know your views.

(void *) (it's pronounced "elsewhere") is where I'm going to post those short little links without much of a comment. The main purpose of that blog is to make an RSS feed available which can be syndicated into the side bar of this one.

Writes Dave Wiener: After the recent email meltdown, I didn't send today's DaveNet out via email. He might have given up on e-mail -- but why force others who are able to cope with its problems to give up on it, too? RSS might be a good additional offer for making content available. But for many things, it can't replace e-mail.

Vittorio Bertola looks at the possible ways in which the ALAC could focus its work, and implicitly takes up some recent criticism.

Karl Auerbach (who doesn't seem to believe in trackback) responds to yesterday's notes on representativity, and tries to figure out what I meant.

A brief remark I wrote two years ago -- I can't access msn.com any more; MSN displayed a stupid IE advertising page for users of Mozilla and similar browsers back then -- is gaining unexpected popularity thanks to Google. I can't access MSN seems to be a common query there today -- kind of comical, given MSN's ambitions to compete with Google.

(Maybe these people are looking for this information.)

Here are the scripts that I use to send out daily "CVS repository changes" messages to the mutt-dev mailing list. Terse documentation inside.

Not ICANN-related, but aggregator-related: Library Stuff reports that My Yahoo now has a really nice RSS aggregator module. Current bugs mostly look like they'll be fixed quickly: Currently, that aggregator can't deal with description-only feeds (like Scripting News or (void *)), and it seems to have problems to properly digest time stamps in "non-funky" Userland or Blogware feeds. "Funky" Movable Type blogs work perfectly, though.

Heise reports (in German) about a preliminary injunction by a court in Hamburgt which found "be-mobile.de" to be confusingly similar to "t-mobile.de", since both domain names sound similar. Previously, a lower court that apparently focused on the written form of the domain names had found no confusing similarity, and had not granted the injunction.

Further discussion (in German).

Florian Hitzelberger has interviewed Sabine Dolderer (.de; Google translation) on a number of topics, including ICANN reform -- There is no new era. ICANN 2.0 is just presenting itself in a more friendly way than ICANN 1.0. --; ccNSO and the question whether .de will join -- We're currently assessing whether the possible benefits of joining the ccNSO would outweigh the problems. The problem is, we don't find such benefits. --; possible government control over .de; whether or not .de will adopt the UDRP -- There's neither a reason, nor demand for doing this. --; international uniform WHOIS policies -- A globally uniform policy would fail due to divergent privacy laws. --; and a host of other topics. Worth reading.

The written testimony for yesterday's WHOIS hearing is now available from the web page of the subcommittee on courts, the Internet, and intellectual property: Metalitz; Edelman; Farnan (FBI); Kassinger (DoC).

From NANOG: During the root zone (.) update later today, specifically with root zone serial number 2003090501, the entries for .org will be modified. Effective with the 2003090501 load, the entry will reflect the removal of the Verisign NSTLD.COM nameservers. The .org zone file will continue to be pushed to the Verisign nameservers for a short period of time.

Heise online reports about a judgment from a Hamburg court that would limit the availability of .ag domain names in Germany to "Aktiengesellschaften" (abbreviated AG), the equivalent of a corporation.

Here are the tools I used to de-spam mutt's bug-tracking system over the week-end. The underlying software is debbugs, the Debian Bug Tracking System.

Writes Paul Twomey to Chuck Gomes: We understand that VeriSign has stated it intends to launch offering the WLS to the public in October 2003. We wish to reiterate, and reaffirm our mutual understanding, that the WLS may not be launched until 1) negotiations on conditions for offering the WLS are final and the contractual amendments to the .com and .net agreements effected and 2) in accordance with our Memorandum of Understanding with the United States Department of Commerce, the Department of Commerce has approved the contractual amendments as required by Section 1 of the MoU, as amended.

On the substance of WLS implementation, ICANN accepts Verisign's proposal for implementing registrant notification, and suggests an alternative to condition (c), the registrar "black-out" provision. The alternative proposal is to introduce penalties for registrar abuse of "insider knowledge" into the RRA, review enforcement of that provision in the VeriSign neutrality audit, and to introduce a general blackout period for WLS subscriptions which would start 10 days prior to the scheduled expiration date of a domain name, and would continue through the duration of the auto-renew grace period.

Assuming that GNSO's deletes policy becomes effective, this approach will adress the concern I had raised about this last year.

Bruce Tonkin on US Patent Application 2002/0145992 A1: In my view this is a straight forward application of database technology.

Some reactions to the recent WHOIS hearings from the registrars list: Mike Palage and Rob Hall attended the hearing; Elana Broitman suggested to send a letter to the subcommittee in order to add the registrars' perspective to the congressional record. That letter won't be sent on behalf of the registrars' constituency, though.

From Congressman Lamar Smith's opening statement of last week's WHOIS hearings: Mr. Berman and I wrote Secretary Evans on August 8 requesting that, among other things, any succeeding MOU: (1) be limited to one-year, (2) preserve public access to online systems, like "Whois," and (3) take steps to improve the integrity of registrant contact information. ... In response, we will hear testimony that Commerce: (1) intends to extend the MOU with ICANN for more than one year, (2) "recognize[s]" the value of public access to online systems, like "Whois," and (3) intends to include no affirmative steps in the MOU in an effort to improve ICANN's underwhelming enforcement record. While Commerce intends to add a laundry list of seven "milestones" to assess ICANN's future performance, not one of these deals principally with Whois, contract enforcement, or intellectual property protections. This, too, is inexcusable.

Is it just me, or does the Copyright Office's favicon (the small version, in red) look amazingly like a "don't write" sign?

According to Kevin Murphy (pointer from Bret Fausett), Verisign is internally testing a mechanism that would return resource records in response to queries for non-existing domain names; if the query comes from a web browser, the effect would be that users are redirected to a web page that presents existing sites to them.

Users and developers are deprived of the ability to choose themselves how to deal with such a situation -- by choosing web browsers that do smart things about non-existing domain names, by configuring their web browser to feed the bad address into their favorite search engine, or by just fixing their typo.

If the query does not come from a web browser, the behaviour described just means returning wrong error diagnostics, and creating another problem to route around.

What Verisign is testing here (and Neustar has "tested" in May, in a live registry) is a fundamental breach of the Internet's most fundamental design principle. And it certainly won't improve users' surfing experience.

If Verisign was actually striving to improve user experience, then it would not overload existing query types with new and bad semantics, but would suggest a new "fuzzy" DNS query type to which a name server can respond with records that point to possibly corrected query strings -- if the user's browser chooses to ask for them.

Elana Broitman has posted a presentation on what she calls Interim Whois Solutions. I'd rather talk about dirty hacks; some of the proposed steps -- like returning GIFs over port 43 WHOIS -- simply don't look feasible.

Representatives of the US government are going to have a conference call on WHOIS with members of the registrars' constituency on 17 September. Government-side participants: Lader, Sene, Layton (NTIA); Mithal (FTC); LoGalbo (DOJ); Larsen (IRS); Cotton (USPTO).

... or: When is a hyperlink a hyperlink?

Alexander Svensson continues to cover the development of .kids.us, and has a close look at the first site established there. Particularly fascinating -- with regard to policies in place that forbid hyperlinks that take a user outside of the kids.us domain-- is a links page Alexander has found -- it points to web sites outside .kids.us with content about American presidents. Instead of using actual hyperlinks, the URLs are simply listed there, as part of the page text.

Update: Jeff Neumann responds (thanks) that listing web sites in the way it's done on the Smithsonian's page is perfectly acceptable in .kids.us. Fascinating.

We spent quite some time today tracking down an obscure Linux problem: With the commonly-used user space NFS daemon, quota doesn't seem to propagate over NFS. In theory, quota is enforced on the server-side.

We think we have found the bug; it's in the 2.4 kernel (but we couldn't test that, yet): The user space NFS daemon runs as root, and protects system calls that affect the file system by calling setfsuid(2) in order to drop privileges. setfsuid(2) to a non-root user will clear all capability bits in CAP_FS_MASK. The CAP_SYS_RESOURCE bit (1 << 24) is not included in that mask, and it controls (besides no less than 7 actual capabilities) whether or not quota is enforced.

It's amazing how the complexity introduced by the capability system leads to new bugs, instead of increasing system security.

Sobig.F has recently deactivated itself. The impact on e-mail bandwidth is amazing -- green for spam + virus bandwidth, blue for legitimate e-mail bandwidth.

Germany's new copyright law has been published in the official journal today, and becomes applicable tomorrow.

Here's an updated version of my debbugs tools. cli.pl is now able to interactively spamassassinate bug logs; also, there is a script named fix-utimes.pl that will adjust log files' modification times according to the date of the last message received with respect to a specific bug report. (This is important to prevent done bugs from staying in the system forever just because of spam.)

White papers on the mechanisms that Verisign apparently plans to implement for resolving unregistered domain names are available here.

The service seems to have gone live now, at least for .net. Concerns here, here, and here. Discussion at ICANNWatch.

Here's an illustration of what I mean when I complain about corrupting error diagnostics: During the past 20 minutes or so (it's now 1:38 a.m. GMT+0200), the address which is returned by the registry in response to queries for unregistered domain names was unreachable. The result? Instead of a quick message that I've mistyped the domain name, I get a timeout after waiting for quite some time. That's a highly misleading error diagnostic, and it's making the user experience much worse.

Which brings us to another problem with this: Verisign has been careful to put work-arounds in place that are supposed to mitigate the effects of the DNS change for individual protocols. These work-arounds depend on the availability of Verisign's infrastructure in order to work, though. Once this infrastructure is unreachable, users have no possibility to discern a non-existing domain name from an unreachable host.

Talking about user experience, I'm also sure that users of Asian localized software will very much appreciate getting English-language error messages from Verisign instead of localized and translated error messages from the software they are running.

SiteFinder is now also active in .com.

Meanwhile I haven't seen a single mailing list posting anywhere that would welcome this change -- but a lot of furor across the board, and some thought on how this can be stopped: People are modifying name servers that serve as resolvers to replace Verisign's sitefinder A records by the correct NXDOMAIN response.

Mike Palage (now an ICANN board member) on some mailing lists: Some Wild-Card Questions, about the specific impact of the Sitefinder service.

This AP story makes it sound as if sitefinder helps against porn typosquatting à la Zuccarini. Of course, it doesn't.

The At-Large Advisory Committee has released a Statement on Sitefinder. The statement explains why sitefinder is bad for individual Internet users, and urges ICANN to stop it.

Ross Rader on Jeff Neumann: On a day when half of the internet's smartest engineers are pointing out dozens of different applications and processes that have been broken by Verisign's actions, its hard to believe a lawyer that is arguing the opposite.

See also: Tim Ruiz' response.

Bruce Tonkin has posted notes from the WHOIS discussion that was held in Marina del Rey a week ago. The registrars' priorities according to these notes seem to be (in this order) restricting data mining, changing the amount of data that must be displayed to the general public, and further addressing accuracy issues raised by the IP and law enforcement communities.

BIND 9.2.2-p1 now supports tagging zones as "delegation-only". This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.

This effectively means that sitefinder-type records can now be blocked in ISPs' name servers.

ICANN has just announced that its new MoU with the US Department of Commerce will last until September 30, 2006.

Thinking about specific problems with sitefinder, here's a mail loss scenario: A site (a.net) is using a server in a different domain (b.net) as its backup MX. That server's domain expires and goes into the redemption grace period, or does not have any explicit name servers listed in the TLD zone for some other reason.

Image a.net's mail server is unreachable for a short period of time, because of maintenance. In the pre-Sitefinder world, e-mail for a.net would be queued up, since the backup MX can't be found. In the world according to Sitefinder, e-mail to a.net is directed to Verisign's "Snubby Mail Rejector Daemon", and (to the extent that Snubby works as intended) discarded.

Wietse Venema has just announced a new snapshot of his excellent Postfix mail transport agent. One of the two changes: Support to black-list domains by their mail servers or by their name servers. This can also be used to block mail from domains that resolve to Verisign's mail dump for non-existent domains.

Heise News reports that the district court in Frankfurt/Main has found that there was no base in law for an earlier order from a lower court that had required the JAP anonymizing proxy to implement a "crime detection feature." This feature would lift the anonymity of those who would use the service to access a specific web site.

When the district court had suspended enforcement of that order earlier this month, police searched the anonymization service; the data collected while the (illegal) surveillance measures were in place were turned over. This search is the topic of separate court proceedings.

Press release.

Vote now.

Stratton Sclavos (the CEO that brought us Sitefinder) is one of the "candidates" in the Internet category.

James Grimmelmann, at LawMeme: Attention so far has been focusing on the ethics of the move (positive satanic), its effects on DNS and non-Web applications (Considered Harmful), and on possible technical responses .... On the legal side of the fence, though, we're not just talking about a can of worms. We're talking about an oil drum of Arcturan Flesh-Eating Tapeworms.

(Ross Rader reports that the first Arcturan Flesh-Eating Tapeworm has crawled out of the oil drum.)

Ross Rader points to a theory that Verisign's sitefinder may be experiencing something like a denial of service attack due to, among others, side effects from the Blaster worm's attempted attack on windowsupdate.com.

Florian Weimer rebuts that theory: The NS record continued to exist for windowsupdate.com, and that is enough to keep the wildcard from kicking in and synthesizing A records.

Via the GNSO council list comes a pointer to two presentations on Sitefinder that were given yesterday at the CENTR GA: CENTR's Kim Davies; Verisign's Scott Hollenbeck.

ICANN has published an advisory about sitefinder.

In a nutshell, ICANN is examining the situation (including the contractual questions that arise with respect to the registry agreement), and has requested input from the IAB and from the security and stability advisory committee. The latter committee is expected to deliver advice later today.

ICANN also has asked Verisign to voluntarily suspend the service until review is completed.

The Internet Architecture Board has released a commentary entitled Architectural Concerns on the use of DNS Wildcards.

The commentary gives both an explanation of some fundamental design issues that are created by the use of DNS wildcards, and an account of problems encountered in a recent experiment with wildcards.

Besides recommending strongly against the use of wildcards in TLDs (and most other situations), the IAB suggests a simple, but powerful guideline: If you want to use wildcards in your zone and understand the risks, go ahead, but only do so with the informed consent of the entities that are delegate within your zone.

The document concludes with the recommendation that any and all TLDs which use wildcards in a manner inconsistent with this guideline remove such wildcards at the earliest opportunity.

In a somewhat ironic move, Verisign has retired its "snubby mail rejector daemon" and has replaced it by postfix.

In related news, there's now an updated BIND patch for dealing with Sitefinder.

From an anonymous comment in response to the ALAC's statement on sitefinder:

In a recent Cnet article, Verisign is quoted as saying, "We're fully compliant with every RFC". ... If that's true, it just kills the argument against Verisign as it then becomes "geeks v. users" with Verisign on the side of the users.

That's a dangerous misconception, in several ways.

Reuters reports that Verisign will ask outside experts for advice about Sitefinder: They are going to create a committee of "Internet leaders" to advise it on technical matters. Recommendations on what to do, though, are apparently not welcome.

Of course, the necessary expert advice has been readily available for several days now. It's telling that Verisign convenes a committee (and wastes more time) instead of listening to what's out there.

I'd respectfully suggest that whoever is asked to join this group decline the invitation.

ICANN's Security and Stability Advisory Committee has issued some recommendations on sitefinder: Recognizing the concerns about the wildcard service, we call on VeriSign to voluntarily suspend the service and participate in the various review processes now underway. We call on ICANN to examine the procedures for changes in service, including provisions to protect users from abrupt changes in service.

Also, the committee is soliciting input on practical security and stability implications, to be sent to secsac-comments@icann.org.

In a letter to ICANN, the Public Interest Registry supports a suspension of VeriSign DNS wildcard service, and commits not to implement such a service for .org.

Some rather interesting remarks come close to the end of the letter: We are informed that other domain registries may be exploring services similar to the VeriSign Site Finder. ... If this is the case, our comments concerning Site Finder apply with equal force to those other services. ... Therefore, we urge ICANN to take whatever remedial action is needed to remove all "wildcard" DNS systems, including VeriSign's Site Finder, from the DNS. Such action, emphasizing the central responsibility of all service providers, would be an important step in preserving the openness and accessibility of the Internet.

It will be interesting to see what position the gTLD registry constituency's representatives on the GNSO Council will take tomorrow.

The new .au WHOIS policy (background materials) in a nutshell: The names and e-mail addresses of the registrant and the technical contact are the only personal data disclosed. There are restrictions on the number of queries that a user can send to the WHOIS service. Law enforcement requests are dealt with on a case-by-case basis.

Seems like we're living in bad times for the open, end-to-end Internet.

First, Verisign believes it is a smart idea to move error handling away from the network's edges towards its center, and to limit it to a single application-level protocol. Now David Isenberg and Cory Doctorow point to a company named CloudShield. This company believes that the notion that the network should remain "dumb" and simply perform transport is outdated, and develops the tools to make that notion enforceable.

On the Council's agenda for today: Actions from the last meeting, i.e., WIPO2 committee, UDRP issue prioritization, number of representatives per constituency, new gTLDs; TLD wildcard entries; WHOIS steering group update; UDRP issue prioritization.

The GNSO Council's resolution on Sitefinder, as adopted today with the votes of all constituencies, except the registries (who abstained), and the IPC (which didn't attend) has just been posted by the GNSO Secretariat.

Commentary from Karl Auerbach is here.

Alexander Svensson takes a look at the WSIS process, and notes that the ongoing Prepcom-3 is probably a good example of what internet governance in a government-led ICANN replacement could look like: Governments negotiate behind closed doors, large parts of industry and civil society are permitted to wait on the hallway. That perspective doesn't look terribly promising -- unofficial reports coming in from prepcom-3 quite frankly sound a lot more bizarre than any ICANN meeting I've experienced so far.

ICANN has started to put incoming correspondence regarding sitefinder on its web site.

.au's Chris Disspain writes to Paul Twomey to echo many of the concerns with Sitefinder that have been raised by the SecSAC, and adds a specific focus on the process used (or, rather, not used) when introducing the service.

Register.com copies ICANN on a letter its law firm has sent to Verisign's chief litigation counsel, to protest Verisign's recently established SiteFinder service and to call upon VeriSign to immediately cease operation of the same. ... [T]he SiteFinder service consitutes an abuse of Verisign's power as the .com and .net registry, deceives the Internet community, confuses domain name registrants, and interferes with the business relation between Register.com and its registrants by means of deceptive acts and practices. The letter then focuses on the impact sitefinder has on registered domain names that have no name servers listed.

ICANN has posted an Information Page on Verisign's Wildcard Service Deployment on its web site.

It strikes me that this kind of content would greatly profit from being provided as an RSS feed.

Bret Fausett is moving to .org. Welcome to the wildcard-free part of the DNS!

One of the more interesting slashdot stories of the week-end dealt with the suspected relationship between the sobig worms and the recent series of denial of service attacks against various spam-blocking services.

The slashdot item was triggered by this article from the register; in a comment, Kristian Köhntopp points to some interesting analysis of the various Sobig variants.

Memo to anyone who ever sets up a mailing list: Never, ever let the envelope sender for list messages point back to the list.

The GNSO secretariat points to some updated travel information for participants in ICANN's Carthage meetings at http://www.icanncarthage.tn/.

Escapable Logic has a piece named "Publicize the Internet" that looks at the Internet as an important tool for democracy, and hopes that a president named Dean might help rescue it from losing its end-to-end character even further.

Elliot Noss is more optimistic and suggests that it's all, in fact, quite easy: Just make sure that you get most of your services from "competitive service providers," i.e., from those who innovate and offer services at the net's edges -- and have a natural incentive to defend the net's end-to-end character, as it enables their business models.