J.D., if nothing else, was all about the best practices, and standards. Today marks five years since he ambled off this mortal coil, leaving a hole in the hearts of friends and family, some published documents that bear his name, others his imprimatur, and a lasting impression upon we, his colleagues in the anti-abuse community. In other words, he made the difference we all aspire to.
[Author’s note: As I write this (October 23), the second massive denial of service attacks in two weeks, threatening to take down significant sections of the Internet has just ended. Could full implementation of Operation Safety net have prevented this? While technology on both sides, attackers and victims is constantly evolving, I am forced to say yes, OSN could readily have helped. – ns]
Cutting through the complicated techno-jargon too often bandied around in our industry, which serves to befuddle the audiences we must influence are we to affect the foundational changes needed to secure the net infrastructure, the 76-page report written by security experts from around the world was originally requested by the Organization for Economic Co-operation and Development in 2012, then updated in 2015.
As the lead author and shepherd André Leduc noted recently, "Translating our technical and engineering way of talking into plain language was probably the most important part of this work. We wanted to create a report that a security officer or an engineer could give to colleagues and management to help them understand cyber-attacks and why their organizations might be targeted. We also wanted to make it easy for government policy makers in both the developed and developing countries, where they may not have much technical experience, to take action."
André Leduc recently won the 2016 J.D. Falk Award, deservedly, for his work on this remarkable project.
I was on the small team along with former M3 Co-chair Alex Bobotek, and my long-time cohort CAUCE President John Levine who presented the first iteration to the OECD Consumer Safety Working Group in Paris.
After that, the real work began. While everyone at M3 knew about the document, that was kind of like preaching to the converted, and we needed to get the document out into the rest of the world, who were (and still are) blissfully unaware of the steps we all must take to batten down the hatches.
To make the best practice information more accessible, the report, originally published in English, has been translated into French and Spanish, as well as localized in summary form in Japanese and Thai. That’s where I come in.
One of the most delightful things I get to do these days is speak and train in various parts of the world, and OSN has been a foundational part of my materials since it was first published. I had the opportunity to facilitate inclusion of the document into the IGF’s Antispam Toolkit (although OSN deals with issues far more broadband than ‘mere’ spam) at the meeting in Joao Pessoa, Brazil. As well, through the help of the M3Anti-Abuse Foundation I presented the work to the African ISP association in Tunis, Tunisia, well as to a group of law enforcement officials in Thailand.
Working with M3AAWG organization Team Cymru, CAUCE sent me to present in Santiago Chile, again to law enforcement, and with partner organization World Hosting Days I put our work in from of hundreds of new and established hosting companies and registrars, in Singapore, and Bangalore, India.
This month I travel to Japan, to lay out the ground work to protectorates of critical infrastructure – Japanese (atomic) power companies want to know more, and better, how to protect themselves from simple vandalism, or, what could be far, far worse, to the point of being catastrophic.
As my colleague, friend, and CAUCE board member Kelly Molloy quipped ‘this is why spam matters’. Spam is a conveyance. Operation Safetynet, the solution
Sanford Wallace has been sending spam for over 20 years. Despite losing innumerable lawsuits, he's managed to stay out of jail until now. His luck finally ran out, in a case where he was convicted of contempt of court and hacking many Facebook users.
The Canadian Radio-television and Telecommunications Commission (CRTC) used Canada's Anti-Spam law to take down a control and command server in Toronto for the Dorbot botnet.
The CRTC's press release is here. They worked with industry and government in many countries. Microsoft sent out a release with more details on the way Dorkbot works.
In addition to its anti-spam provisions, CASL sets rules for downloaded installable software, which ranges from benign smartphone apps and browser plugins to malicious botnets and password stealing malware. The CRTC investigation is ongoing so they haven't disclosed the details, but the authority to take down the C&C server appears to come from the prohibition against unauthorized downloads and installs. CAUCE congratulates the CRTC on this sophisticated and effective use of its new enforcement authority.
Today the Canadian Radio-television and Telecommunications Commission (CRTC) announced that Rogers Media, one of the largest mobile phone and cable companies in Canada, had agreed to pay $200,000 to resolve long running violations of Canada's Anti-Spam Law. For over a year, July 2014 to July 2015, Rogers sent e-mail with opt-out links that didn't work, or if they did work Rogers continued to send mail anyway. The details of the undertaking Rogers agreed to are here.
Rogers is a big sophisticated company, and there's no good reason they can't manage their mail to stop sending ads when people ask them to. This kind of spam is particularly hard to filter, since the same message might be sent to a Rogers customer who'd agreed to receive it, and to someone else who't told them to stop.