United States Feed

17 November 2011

J.D. Falk - In Memoriam

DSC_0161

Jesse David “J.D.” Falk - May 24, 1974 - November 16, 2011

It is with the heaviest of hearts that CAUCE must make note of the passing of one of our own. J.D. Falk was a founder of CAUCE, and one of the nicest people in the anti-spam community.

Besides being a board member of CAUCE U.S. since its inception in 1997, he went on to support the organization as a member of the CAUCE North America Executive. His tireless efforts helped to make CAUCE what it is today.

During his career, J.D. worked at Erols, Priori, Critical Path, MAPS, Yahoo!, Microsoft, and Return Path, but perhaps his most important contributions in fighting online abuse were to the Messaging Anti-abuse Working Group, wherein his tireless efforts organizing the MAAWG meetings were literally immeasurable.

J.D. was a prolific author, his writing published on CircleID, at his employer Return Path’s website, and in the RFC process at the Internet Engineering Task Force (IETF). His contributions went far towards making the Internet a better, safer place for us all.

J.D. was one of a kind,” said CAUCE President John Levine. “Everyone knew him, everyone trusted him, and everyone knew they could count on him to see the real issues.”

J.D. was so very well respected that a professional standards organization, the Internet Engineering Task Force, pulled out all the stops to honor him in his last days. His friends and colleagues Dave Crocker and Murray Kucherawy explain:

The IETF publishes technical specifications and related documents through a series that was started with the beginning of the Internet, called Request for Comments (RFC); the name reflects the Internet's origins as a research body more than 40 years ago.

JD had a document in the approval process (see notice below). J.D.'s document had already been approved by the IETF and it was in the last stages of document editing by the RFC staff.  A small group of us asked whether they could expedite the process, more quickly than the expected two months. The IETF staff recruited a technical editor at 1:30am, her time, in New York and she completed the work by the end of the day. J.D. was shown this final draft for his approval, hours before he passed away.

Although the reason was extraordinary, this sort of willingness to help has always been at the core of this small Internet community that JD had joined, and contributed to, throughout his professional life.

J.D. died before his time from cancer. His intelligence, gravitas, good humor and considered opinions were invaluable, CAUCE, and the Internet community, are the poorer for his passing.

CAUCE extends our most heartfelt of condolences to his family and his friends.

Please feel free to share your memories of J.D. Falk at http://jdfalkmemorial.org/

Please read these tributes as well:

Return Path

MAAWG

CircleID

A collection of J.D.'s technical writing can be found at Return Path's Received: Blog

 

From: "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>

Subject: RFC 6449 on Complaint Feedback Loop Operational Recommendations

Date: 16 November, 2011 11:58:54 PM EST

To: "ietf-announce@ietf.org" <ietf-announce@ietf.org>, "rfc-dist@rfc-editor.org" <rfc-dist@rfc-editor.org>

Cc: "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>

A new Request for Comments is now available in online RFC libraries. 

       RFC 6449

       Title:      Complaint Feedback Loop Operational Recommendations 

       Author:     J. Falk, Ed.

       Status:     Informational

       Stream:     IETF

       Date:       November 2011

       Mailbox:    ietf@cybernothing.org

       Pages:      31

       Characters: 75139

       Updates/Obsoletes/SeeAlso:   None

 

       I-D Tag:    draft-jdfalk-maawg-cfblbcp-03.txt

       URL:        http://www.rfc-editor.org/rfc/rfc6449.txt

 

Complaint Feedback Loops similar to those described herein have

existed for more than a decade, resulting in many de facto standards

and best practices.  This document is an attempt to codify, and thus

clarify, the ways that both providers and consumers of these feedback

mechanisms intend to use the feedback, describing some already common

industry practices.

 

This document is the result of cooperative efforts within the

Messaging Anti-Abuse Working Group, a trade organization separate

from the IETF.  The original MAAWG document upon which this document

is based was published in April, 2010.  This document does not

represent the consensus of the IETF; rather it is being published as

an Informational RFC to make it widely available to the Internet

community and simplify reference to this material from IETF work.

This document is not an Internet Standards Track specification; it is

published for informational purposes.

 

INFORMATIONAL: This memo provides information for the Internet community.

It does not specify an Internet standard of any kind. Distribution of

this memo is unlimited.

 

This announcement is sent to the IETF-Announce and rfc-dist lists.

To subscribe or unsubscribe, see

 http://www.ietf.org/mailman/listinfo/ietf-announce

 http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

 

For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html.

For downloading RFCs, see http://www.rfc-editor.org/rfc.html.

 

Requests for special distribution should be addressed to either the

author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless

specifically noted otherwise on the RFC itself, all RFCs are for

unlimited distribution.

 

The RFC Editor Team

Association Management Solutions, LLC

Posted by on 17 November 2011 in Canada, United States, World | | Comments (0) | TrackBack (0)

| | | |

11 August 2011

Facebook has stolen all the contents of mobile address books, including private telephone numbers

As you know, Facebook have a long, storied history, including several ongoing brushes with the Privacy Commissioner of Canada, and despite repeat warnings against abuse of end-user rights, they recently deployed facial recognition software with no notice given their 500,000,000 users.

Today, however was the straw that broke the camel's back. Unbeknowst to me, perhaps by way of their new 'Facebook messanger' [update: actually, by way of Facebook's iPhone app.] they have uploaded the address books of hundreds of millions of users' mobile phones.

I found the home, private, business and mobile telephone numbers of 700 friends, colleagues, co-workers, and associates (Facebook users or not) published on their site [update: on my account only - at least, for the moment, but nonetheless up on Facebook] - I never agreed to this, I never knew about this, and it was only by way of the Sophos blog post below that I discovered this.

To check to see if you have had the same unfortunate thing happened to you:

  1. Log into Facebook
  2. Click on Account (upper RH corner)
  3. Click 'edit friends'
  4. Click 'contacts' (LH side)


(There is the option to disable this feature. Turn OFF synching on your mobile phone, then go here)

update: CAUCE Director Matt Sergeant had this to say on his blog - he nails exactly what is wrong with this:

Addressing the latest Facebook privacy issue

(This is a non-work post, but Disclaimer: I work for Symantec and regularly talk publicly about security issues)

There’s been lots of talk today online about the latest Facebook privacy debacle whereby they have all your cell phone contacts listed on your “Contacts” page.

Facebook have been trying to quiet the storm, as people are posting to their status updates for people to disable this.

First, to combat some FUD: Facebook is not sharing this information from you with your friends. Your buddies aren’t going to be able to call up your Grandma.

But what Facebook have entirely ignored, and why this is again an issue, is the question of permission.

I have two phones. One is a work phone (BlackBerry), and one is my personal iPhone. The only phone the contacts I had listed on Facebook came from is my BlackBerry, which is good, because I have a lot of random old numbers in my iPhone (don’t ask!).

So what happened here? I believe that the latest BlackBerry Facebook app (which recently underwent a major upgrade) automatically set the preference to sync contacts with Facebook. Now it may very well have been in the multi-page user agreement that I accepted, but yes I admit, I don’t read those things. And those agreements don’t even appear on the iPhone version, because, and here’s the fundamental difference I guess: the iPhone version doesn’t transparently change your preferences.

Facebook needs to stop that. I don’t care if it’s useful, or if you’re not sharing it with anyone else. I don’t want you uploading my contacts to your servers without ASKING me first.

It’s that simple. And this is why there are laws against what they have done in various countries, and why this will probably result in yet another lawsuit against them.

Rant over.

CAUCE are stunned by this move, it is beyond the ken. We will be calling upon Facebook to remove this facility immediately (it should always bo opt-in by default, as should ALL end-user options) and failing that, filing complaints with the proper authorities.

See more: http://nakedsecurity.sophos.com/2011/08/11/has-facebook-got-your-mobile-number-now-your-friends-do-too

--
Neil Schwartzman
Executive Director
CAUCE : The Coalition Against Unsolicited Commercial Email

Posted by on 11 August 2011 in Canada, Technology, United States, Warnings, World | | Comments (0) | TrackBack (0)

| | | |

30 June 2011

CRTC Publishes Regulations, another step towards CASL coming into Force

Happy Canada Day from the CRTC

As anticipated, the CRTC took a long-awaited step towards Canada's Anti-spam Law coming into force; regulations designed to help define the scope and impact of the law were published late afternoon, June 30. They are available in their full form here: http://www.crtc.gc.ca/eng/archive/2011/2011-400.htm

They are quite terse, coming in at less than 440 words. CAUCE will comment here in due course, but for your instant gratification, here they are:

The proposed regulations prescribe the form and certain information to be included in a CEM. They establish that a CEM must set out information that identifies the sender of the message and, if different, the person on whose behalf the message is sent, as well as, if applicable, the names of those persons’ businesses. The CEM is also to include information that would enable the recipient to readily contact such persons. Further, the proposed regulations prescribe that this information, as well as the unsubscribe mechanism, be set out clearly and prominently.

The proposed regulations also specify a particular form by which information relating to the sender of the message and the unsubscribe mechanism may be accessed, in circumstances where it is not practicable to include such information in a CEM, for instance, because of character limitations.

Section 6 of the Act prohibits the sending of a CEM unless there is express or implied consent from the recipient of that message. Section 7 of the Act prohibits, absent express consent, the alteration of transmission data in an electronic message which results in the message being delivered to a different destination. Section 8 of the Act prohibits the installation of a computer program unless express consent has been obtained. The Commission’s proposed regulations prescribe the form of a request for express consent for the purposes of subsections 10(1) and 10(3) of the Act. More specifically, the proposed regulations stipulate that any request for express consent must clearly identify the person seeking consent and, if different, the person on whose behalf consent is sought, and, if applicable, the names of those persons’ businesses. In addition, it is proposed that contact information be included for such persons, and further, that there be a requirement to include a statement which states that consent may be withdrawn using the contact information provided.

The focus of the final segment of the proposed regulations is the installation of computer programs in the course of a commercial activity, which, as noted above, is addressed in section 8 of the Act. The proposed provisions prescribe that additional information be provided when requesting express consent if a computer program that performs a function set out in subsection 10(5) of the Act is to be installed. In such circumstances, the proposed regulations prescribe the manner in which the computer program’s material elements must be brought to the attention of the person from whom consent is being sought, and further establish that the person seeking consent must obtain a written acknowledgement from the person from whom consent is sought that they understand and agree that the program performs the specified functions.

Posted by on 30 June 2011 in Canada, United States, Warnings, World | | Comments (0) | TrackBack (0)

| | | |

09 June 2011

CAUCE Director Neil Schwartzman Wins Prestigious MAAWG Award

CAUCE Executive Director Neil Schwartzman won the prestigious Mary Litynski award on June 08, 2011 for his contributions to Internet anti-abuse efforts, including the passage of Canada's Anti-Spam Law. Here is his acceptance speech.

This is not the first award I've received from the MAAWG community. A few years ago, at a meeting in Washington, D.C., I received an honorary doctorate when recognized me as Dr. Evil. At the past meeting, at Disney, you honored me with a t-shirt branding me as Grumpy, from the Seven Dwarves.

As much as I treasure those memories, this award is very special to me.

Mary Lytinski was a warm, helpful, friendly person. It is nice to see that MAAWG is applying these criteria when deciding a suitable winner of the award in her name.

Seeing Mary at the registration desk was our opening ritual three times a year, and her greeting -- no matter how busy -- told every attendee that this was going to be a good meeting. Mary's contribution to our community and our cause cannot be measured.

I can’t begin to express my gratitude for this award, named in honor of our old friend; I am profoundly humbled, particularly when we consider the roster of others in our community undeniably as deserving of recognition.

My contributions to the Internet community, like that of so many others, began as a volunteer. To some, that might be a puzzling thing, to do something without financial recompense. To others, most in this room, it is the most natural thing of all.

There are a number of reasons why I try to embody a spirit of volunteerism. For one, my mother volunteered her time throughout her life. She undoubtedly passed this aspect on to me.

When I got online in 1992, the net was largely non-commercial. There was no world wide web. It was all about text, and community spirit, and volunteered contributions. Even when employees of a commercial entity worked on standards or software, it was with humility and a sense of collaboration, of building the Internet together.

The commercialization of the net has brought with it some astounding, wonderful new technologies and contributions to our global society. I am able to write to my friend, one of the happiest people I’ve ever met, a peasant girl named Shandy, who lives in rural China, because she has a Hotmail account. A far-flung community was able to express our love and support for our friend and colleague J.D. Falk, by way of Facebook, and email, and AOL Instant Messaging. Perhaps most profoundly, an offshoot of Google, 23andme, allowed me to reconcile with my biological mother, sister and brother, this past weekend after 50 years.

These are the things that motivate me to voluntarily advocate for the anti-abuse community. Because along with all these commercial offerings, there is still a fundamental, precious human element, a drawing together of the global village that criminals, if we let them, would rend asunder. There is still real, honest human communication -- that abusers sully. This human element is the magic intrinsic to the Internet, and something that must be protected. It isn’t just about email systems being spammed, and websites under ddos. It is what they represent -- the people, the data, and the ability to communicate -- that we strive to protect.

The DNA of the Internet, the vast majority of underlying technologies and protocols, were dreamt up and realized by volunteers. Grassroots, volunteer anti-abuse efforts such as my organization, CAUCE, many of the DNSBLs, discussion groups -- all manner of efforts to stave off the wolves at the door, nearly all done on a voluntary basis or as a contribution to the community.

And then there’s MAAWG.

While most of us are paid to be here, involvement in MAAWG can take up a tremendous amount of time. It often encroaches into one’s personal life, or one’s ability to accomplish the balance of our paid work, in effect, MAAWG is very much run by people volunteering of their time, expertise and brilliance.

And so, I accept this award on behalf of all the volunteers past, present and future, my peers and my betters, with the hopes that our work is properly honouring the person for whom this award is named, our dear departed Mary Litynski.

Thank you.

Posted by on 09 June 2011 in Canada, Press Releases, United States, World | | Comments (0) | TrackBack (0)

| | | |

01 June 2011

Introducing the Inbox Project

For many years, the Cornell Legal Information Institute (LII) has been a premier source of reference information about laws in the US and elsewhere. One day last year, LII director Tom Bruce and CAUCE president John Levine were talking over breakfast, and noted that there was no authoritative online source of legal information about spam and e-mail, something that the LII and CAUCE are, together, uniquely qualified to create. The Inbox Project is a new section of the LII web site, meeting that need.

We intend for it to be comprehensive, growing to cover not just spam-related state and US law in the United States, but laws in countries around the world, since spam is a global problem. It will be authoritative, researched and written by well-qualified students at the Cornell Law School, with advice from CAUCE. And it will be stable, with an ongoing process to keep it accurate and up to date. The project currently covers US and Canadian law, with case law and laws from other countries added as the students research and analyze them.

This work is funded independently from CAUCE and the LII's regular budget by several generous organizational sponsors. We'll have more to say about them when we formally announce the project next week.

But in the meantime, point your browser at http://www.inboxproject.org where there's already a lot to see.

Posted by on 01 June 2011 in Canada, Technology, United States | | Comments (0) | TrackBack (0)

| | | |

28 April 2011

Continued Data Leaks: The Game is Rigged

Earlier this week, gigantic technology company Sony admitted that "an illegal and unauthorized person" had accessed their database of 77,000,000 PlayStation Network users, obtaining names, addresses, gaming profiles, and possibly credit card numbers.  Their response upon discovering the breach was decidedly old-school: they turned everything off while investigating.

If the ESP breaches we've been reporting are Godzilla, Gamera, and other residents of Monster Island, then the PlayStation breach is the larger and more powerful MechaGodzilla.  If the ESP breaches are planets in the solar system, the PlayStation breach is Jupiter — and the New York Yankees' mistaken exposure of 20,000 ticketholders is poor, downgraded Pluto.

As if size alone wasn't enough, the PlayStation breach may require an even more radical response from the victims whose information was stolen.  As The Globe and Mail explained yesterday afternoon, you should start by changing your password — especially if you've used that same password anywhere else.  But since Sony admits that credit card numbers might have been stolen too, you'll need to call your bank and get a new card with a new number — which some banks charge for.  You'll also need to change all the billing info associated with the old card number.  Oh, and if you don't want game-related spam and phishing attacks, you'll need to change your email address too.

Inconvenient? Annoying? Absolutely. Unfair? No question. But when the big companies to whom you've entrusted your information can't keep it secure, you're stuck having to find ways to stay safe on your own.

To be sure, the companies whose data was stolen (these, Sony, and more) are victims too — but they're all big enough to weather the storm.  How about you?

Posted by on 28 April 2011 in United States, Warnings | | Comments (0) | TrackBack (0)

| | | |

20 April 2011

Oh, Poo! Diapers.com & Optivo GmbH the latest victim of the ESP Adobe Gang

Diapers.com is the latest in a long series of ESP breaches by way of optivo.de. Optivo were alerted to this breach on April 14.

UPDATE: While Responsys is the current ESP of record for Diapers.com according to their website (and have been since 11/2009, according to company officials); this may indicate the tagged address was taken from Responsys, another ESP (some companies use more than one ESP), their previous ESP Silverpop, or from diapers.com directly.

Thanks to REDACTED for the report.

Delivered-To: REDACTED
Received: by 10.229.107.19 with SMTP id z19cs52292qco;
        Tue, 12 Apr 2011 21:47:45 -0700 (PDT)
Received: by 10.204.74.167 with SMTP id u39mr326019bkj.144.1302670065088;
        Tue, 12 Apr 2011 21:47:45 -0700 (PDT)
Return-Path: <return@demo.srv2.de>
Received: from mail17-54.srv2.de (mail17-54.srv2.de [193.169.180.54])
        by mx.google.com with ESMTP id c1si470386bky.10.2011.04.12.21.47.44;
        Tue, 12 Apr 2011 21:47:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of return@demo.srv2.de designates 193.169.180.54 as permitted sender) client-ip=193.169.180.54;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of return@demo.srv2.de designates 193.169.180.54 as permitted sender) smtp.mail=return@demo.srv2.de; dkim=pass header.i=Adobe@demo.srv2.de
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mailing; d=demo.srv2.de;
 h=Message-ID:Date:From:Reply-To:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding; i=Adobe@demo.srv2.de;
 bh=Ob9u6TxtQqwyE0MTiwnn5kGewhc=;
 b=YXkzQAJ1/oHetfZxTPgwT35YL3se7xFVZitbg/bQwO5O4gqMSsU89Q3Wo5oJVSRy2P9mH0M+wm62
   2G75INYa+RsiLp9qQ2rtCUyXYQ24v7CEEs1ggg06Pj5giRymB1uS+ySNfuDTkh2eYifyKg7F9lx/
   dlKHvahHPVa5U6m6+wY=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mailing; d=demo.srv2.de;
 b=deGmdf/mVGx8f7o9EcPDZl4uaoxzLXPDR9jc2ILr9g9IgkAY1urF8dnGE9ydx7hrXiMckon1o7NI
   mJdGspev4TuPwWvY1jNldcUX93xrqYAcMGr4v4VM4rGGvXmxPFM7VTaJjnjMy9++N6n8BvC/zQuO
   BngpUpwys6rmeOEyu68=;
Received: by mail17-54.srv2.de id hkklf20farcr for <REDACTED>; Wed, 13 Apr 2011 06:47:43 +0200 (envelope-from <return@demo.srv2.de>)
Message-ID: <re-pOaX3BUQnds72BhAcj4J1wrgwTrlqCM5OetY-EHI4W55-1UZ8D6Y-UUQ14MG@demo.srv2.de>
Date: Wed, 13 Apr 2011 06:47:43 +0200 (CEST)
From: Adobe Systerm Incorporated <Adobe@demo.srv2.de>
Reply-To: re-EHI4W55-1UZ8D6Y-13HAPU9@demo.srv2.de
To: REDACTED
Subject: =?ISO-8859-1?Q?Adobe_Acrobat_Reader_10x_:_all_?= =?ISO-8859-1?Q?new,_all_powerful_!_Upgrade_Now=3F?=
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-ulpe: re-pOaX3BUQnds72BhAcj4J1wrgwTrlqCM5OetY-EHI4W55-1UZ8D6Y-UUQ14MG@demo.srv2.de

GETTING MORE DONE AT WORK NOW COMES IN A CONVENIENT BOX

See how Adobe Acrobat Reader is a step above anything you've experienced before, so you can be even more productive.

Upgrade Adobe Acrobat Reader

Just how much faster can you work with Adobe Acrobat PDF Reader
software? Fast enough to stay on top of last-minute changes, connect
with key decision makers, and share updates with co-workers.

You'll discover how easy it is to reuse content by exporting PDF files
to Microsoft Word or Excel formats. And how quickly you can automate
multi-step tasks with new, guided Actions. No wonder PC Magazine
says, "There's a lot to like in Acrobat X PDF Reader."

Download Now To Try Us Out

Copyright 2011 Adobe Systems Incorporated. All rights reserved.

Adobe Systems Incorporated
343 Preston Street
Ottawa, ON K1S 1N4
Canada  

*************

Delivered-To: REDACTED
Received: by 10.229.107.19 with SMTP id z19cs53998qco;
        Tue, 12 Apr 2011 22:29:46 -0700 (PDT)
Received: by 10.223.27.14 with SMTP id g14mr73129fac.129.1302672585540;
        Tue, 12 Apr 2011 22:29:45 -0700 (PDT)
Return-Path: <return@demo.srv2.de>
Received: from mail17-45.srv2.de
 
 (mail17-45.srv2.de
 
 [193.169.180.45])
        by mx.google.com with ESMTP id l25si86220fah.191.2011.04.12.22.29.45;
        Tue, 12 Apr 2011 22:29:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of return@demo.srv2.de designates 193.169.180.45 as permitted sender) client-ip=193.169.180.45;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of return@demo.srv2.de designates 193.169.180.45 as permitted sender) smtp.mail=return@demo.srv2.de; dkim=pass header.i=Skype@demo.srv2.de
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mailing; d=demo.srv2.de
 
;
 h=Message-ID:Date:From:Reply-To:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding; i=Skype@demo.srv2.de;
 bh=lF+2G6Rq1lrcc66z2TQZb33J6eQ=;
 b=GadElK40VNPm/e12VYpQLZai3O/5IRkfLTDOu6tYSuTaFGs27w76Azhu3SIgU5H4ixgP8O5BeN34
   9qn/8S1djO0khRgjeyISbKWddAOzOFYIsgBO6HIFgeqhfPBXlSd4030HF5WHTiIhuHEUr1aNhv9L
   UpL8c6x64PGnrvNU5Ow=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mailing; d=demo.srv2.de
 
;
 b=eEKJOR6eX0npHpBOmJPiHfkopOggjkq13StcWwuWK7LoNebJha4z8OXbFCKN2TxFKh/HaF5wlppd
   zyzYzoevuAgWJPNmpabtyOk6om7JJn1/moYlEERevNE2IA917NV2R9kDFEB7nfmcopy28XA5FSEr
   Bb1dZ6jQEr/hvgud7mQ=;
Received: by mail17-45.srv2.de
 
 id hkkqci0farc7 for <REDACTED>; Wed, 13 Apr 2011 07:29:44 +0200 (envelope-from <return@demo.srv2.de>)
Message-ID: <re-pOaX3BUQnds72BhAcj4J1wrgwTrlqCM5OetY-EHPDGH2-1UZ8D7F-8KIZFU@demo.srv2.de>
Date: Wed, 13 Apr 2011 07:29:44 +0200 (CEST)
From: Skype Support <Skype@demo.srv2.de>
Reply-To: re-EHPDGH2-1UZ8D7F-BX918B1@demo.srv2.de
To: REDACTED
Subject: Download New VOIP Addons For More Skype Free Talks
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-ulpe: re-pOaX3BUQnds72BhAcj4J1wrgwTrlqCM5OetY-EHPDGH2-1UZ8D7F-8KIZFU@demo.srv2.de

SKYPE VoIP ADDONS UPDATES

This is to notify that new updates have been released for Skype
 
. Following are major new features:
 
- Talk more for free via Voice Over IP (VoIP).
- Lower cost when connecting to landlines (much cheaper than Calling Card).
- Record your conversation (better than telephone quality).
- Instant messaging& file-sharing, video calls.
- Now available on PSP !
 
To check and upgrade, go to Skype Updates Center
 
 
Skype has changed the way we think of telecommunications.
 
Thank you for choosing us.
 
With best regards,
 
Skype Support

Posted by on 20 April 2011 in United States, Warnings, World | | Comments (0)

| | | |

16 April 2011

Tough Day for Online Scum

The 3rd Friday in April 2011 wasn't the 13th, but it probably felt that way for a number of online scammers.

Gambling

Operators of several gambling sites,  Pokerstars.com, Fulltiltpoker.com and Absolutepoker.com and their online payment processors were charged with money laundering and fraud. Site domains and billions of dollars were siezed. It has long been known that these sites are dodgy, Joseph Menn laid much of it out in his book Fatal System Error (2010), with allegations of organized crime involvement, rigged gaming, and so on, and Journalist Brian Krebs made mention of money-laundering-by-gambling in 2007.

What Krebs alleges had been confirmed to CAUCE by federal investigators in private discussions years prior to that. The scam is easy, the perpetrators take a large amount of cash (usually stolen), and lose it to associates in online gambling games. Online thieves aren't the only people who avail themselves of this, terrorists use the scheme too, which may go some ways to explain the United States' stance on online gambling.

Online fora and Twitter went wild soon after these closures, with many noting that money they had in accounts on these sites was frozen and seemingly lost. The (big) house always wins.

Acai Berry "News" Reports

You've probably seen the spam, where you click through a link, and end up with what looks like a news reporter, extolling the virtues of Acai berry as a cure-all.The FTC put an end to some of that, charging 5 different companies behind this ubiquitous scam. Some of the domains the spammer/scammers used were

breakingNewsAt6.com
channel2local.com
channel6reports.com
channel9healthbeat.com
bhannel9NewsReports.com
consumernewspick.com
consumertipsdaily6.com
healthnews10.com
news4daily.com
theconsumerweeklydigest.com
usahealthnewstoday.com
usahealthreportstoday.com

(While CAUCE thinks Acai Bery is a yummy drink, your local supermarket is a cheaper alternative to buying the stuff online from spammers)

Good riddance to bad garbage. We should take a moment to note that just because a site has the word 'consumer' in its domain name doesn't mean it has your best interests at mind. Caveat emptor, always, and especially online.

 

Posted by on 16 April 2011 in United States, Warnings, World | | Comments (0) | TrackBack (0)

| | | |

15 April 2011

Submission to ICANN WHOIS Team review

 

CAUCE North America
PO Box 727
Trumansburg NY 14886
E-Mail: secretary@cauce.org

13. Apr. 2011

ICANN
by electronic mail

We appreciate the chance to comment on the ICANN WHOIS Review Team Plan as announced at http://www.icann.org/en/announcements/announcement-04mar11-en.htm

CAUCE NA, as an all-volunteer Internet end-user advocacy organization established in 1998 has moved beyond its original narrow mission of encouraging the creation and  adoption of anti-spam laws to a broader stance of defending the interests of individual Internet users.  CAUCE NA is led by a combined Board with a cumulative century of experience in the field of Internet advocacy and technology.

Based on that experience, including experience directly engaging with ICANN in a variety of capacities, we would like to offer the following comments on your proposed whois policy review activities.

1. Whois Is A Critical Anti-Abuse Resource

Combatting Internet abuse without access to whois data would, in most cases, be difficult if not impossible. To paraphrase a common cliché, IP addresses and domains don't attack Internet assets, people attack Internet assets. We cannot pierce the veil and map IP addresses and domain names to those people without routine access to the crucial information whois data contains.

If whois were to cease to be routinely available, targets of serious Internet abuse will have no alternative but to employ lengthy legal process to compel disclosure of resource assignment and allocation information. This process is cumbersome, time-consuming and expensive, and benefits no one except the attorneys who will be involved in pressing or defending these actions, and the miscreants who will enjoy weeks, months, sometimes even years of anonymity in which to continue to conduct their abuse with impunity. This abuse happens at internet speed; a slow response is effectively no response at all.

2. Whois Needs To Be A True Production Service Offering

Currently whois is offered on something of a "hobbyist" basis, particularly in TLDs that use the “thin” whois model. At one provider it will use one format, while at other times and at other providers, it will use another. This lack of consistent formatting, along with restrictive access policies, makes whois access something that's only suitable for small scale interactive "craft" access rather than being a production-ready and robust service that's appropriate for the volume of domains and other resources involved in today's domain name ecosystem.

If Internet abusers can script the creation of domains at arbitrary scale, but security teams and anti-abuse researchers are limited to some small number of manual whois queries per day, the abusers can obviously simply out-automate and out-scale us. This enforced handicap represents bad public policy.

Other technical ways that whois data access can and should be improved include:

  • Whois data should be available via authenticated channels (or in a standardized bulk format) so that legitimate uses aren't thwarted by restrictive rate limits. (Authenticated access can and should be logged and audited to ensure that abuse is not occuring)
  • Whois data should be structured in a consistent, standard format amenable to machine parsing. We believe that the tag:value form used by thick whois servers meets this requirement, so long as they continue to use a restricted and consistent tag vocabulary, and the definitions of each tag are available to the public — perhaps as an IETF RFC.
  • Whois data should be aggregated and distributed from a central location using the “thick” model, rather than being distributed across hundreds or thousands of providers on a distributed "thin" model. This ensures both consistency and availability.

3. Whois Is a Community Resource

While law enforcement officers play a critical role in mitigating online crime, they are too few in number and too poorly funded to mitigate all online abuse. Much online abuse is handled by other entities, ranging from non-sworn government administrative agencies (such as the Federal Trade Commission here in the United States), to non-governmental organizations such as CAUCE NA or Spamhaus, to agents of aggrieved private parties seeking to protect their company's assets (including facilities, trademarks and intellectual property being used online in illegal ways).

If whois access were narrowly restricted to sworn law enforcement officers only, the "thin blue line" of law enforcement, important though it may be, will not be sufficient to maintain the status quo. The security and stability of the Internet will be negatively impacted, with an associated loss of public trust and transparency.

That said, we would not object if sworn law enforcement officers or civil investigators were offered expanded access to whois data, such as a routine ability to view an unfiltered version of whois data that is not encumbered by obfuscating private or proxy registration mechanisms — provided such access is authenticated, logged and audited to protect against arbitrary abuse and misuse.

4. Whois Data Must Be Meaningful

We have seen examples of whois data services that are present in name, but effectively of no value. For example, consider the data for chase-online-banking.com:

Domain: chase-online-banking.com
Registrar: Eurodns S.A.

Registrant:
Company:
Name: I P Freely
Address: 123 blowme lane
City: tacoma
Country: UNITED STATES
Postal Code: 98409

 

Administrative Contact:
Company:
Name: I P Freely
Address: 123 blowme lane
City: tacoma
Country: UNITED STATES
Postal Code: 98409
Phone: +012589636541
Fax:
Email: maiybs@gma.com

Technical Contact:
Company:
Name: I P Freely
Address: 123 blowme lane
City: tacoma
Country: UNITED STATES
Postal Code: 98409
Phone: +012589636541
Fax:
Email: maiybs@gma.com


Original Creation Date: 2011-04-04
Expiration Date: 2012-04-03


Status:
clientTransferProhibited

This entire WHOIS entry is transparently fraudulent. There is no “blowme lane” in Tacoma WA, no North American phone number starts with 01, and even if the zero were corrected as a typo, there is no 258 area code. The e-mail address is invalid, and even the simplest attempt to send a confirmation message would have revealed that mail to it is rejected.

If we see abuse involving that domain, which we have, there is no way to find an appropriate security or abuse contact.

It is nominally whois data, but it provides no information whatsoever about who or what that domain actually is. This shows what whois can devolve to, if we as a community allow it to degrade without objection.

We acknowledge that whois data, like any data, can potentially be abused. Not all whois data is equally at risk, however. For instance, we do not believe that an entity engaged in Internet commerce should have the same right to anonymity online that a political or religious dissident might require, and in fact, the customers of the Internet have a compelling right to know with whom they're doing business. We therefore urge ICANN to eliminate whois anonymity as an option for corporations and other non-natural persons controlling Internet resources.

5. Improvements To WDPRS and Whois Accuracy

When missing or inaccurate whois information is detected, users have the option of reporting that inaccuracy via the Whois Data Problem Reporting System (http://wdprs.internic.net/).

Unfortunately that system is operationally cumbersome, requiring domain-by-domain reporting via a web form, followed by email confirmations, even in cases where hundreds or thousands of domains share the same inaccuracies and the same registrar.

We understand that ICANN has a bulk WDPRS submission facility currently used by only a small number of high-volume reporters. That service should be made available, with suitable registration or other safeguards to deter abuse, to any entity submitting multiple WDPRS reports.

We also believe that the information WDPRS receives is not being appropriately leveraged to identify and address ongoing abuse. While WDPRS complaints may result in the correction of individual erroneous whois records, ICANN does not use that data to identify systematic problems, including potentially rogue ("bulletproof") registrars who make no effort at maintaining accurate whois data whatsoever — and may even treat whois inaccuracy and other violations of ICANN's rules as a competitive advantage.

Moreover, why is ICANN not sharing the substance of the community WDPRS reports it receives with community stakeholders? If there was more transparency about the reports received, consumer confidence in whois data accuracy would improve and we could even imagine a "PhishTank"-like model where community members could help to verify the reports that have been made via WDPRS.

We also believe that the costs associated with correcting erroneous whois data, particularly in the case of grossly and obviously inaccurate whois data, should be passed along to the registrar that has allowed that data to be accepted. Even the simplest of automated screening would easily allow many bogus point of contact data elements to be flagged at the time of domain registration; other types of online businesses have been doing this for years. Currently some registrars do not care if they accept bogus whois point of contact data, but if there were financial consequences to large amounts of invalid WHOIS, that could change.

Registrars that exhibit a clear and ongoing pattern of routinely accepting or failing to correct obviously bogus whois information should be subject to notice and breach proceedings under the registration agreement.

6. Adequacy of the "Key Definitions"

The Review Team also asked for feedback on the adequacy of the definitions it proposed at http://www.icann.org/en/announcements/announcement-04mar11-en.htm

In our opinion, the following adjustments would strengthen those definitions.

As written, definition 4.1 (Law Enforcement) does not distinguish between sworn law enforcement officers with criminal law enforcement powers (such as sworn federal law enforcement officers, sworn state police officers, sworn county sheriffs, and sworn municipal police officers here in the United States), and other entities incidentally included in an overly broad definition, including judges, lawyers, prosecutors, private security officers, administrative investigators and even parking enforcement officers (so-called "meter maids") whose responsibilities include "maintenance, co-ordination, or enforcement of laws, multi-national treaty or government-imposed legal obligations."

We believe "law enforcement officers" should be defined more narrowly to be only those individuals who have:

  1. been sworn or commissioned as a law enforcement officer by a government agency of competent authority;
  2. who are charged with upholding the general criminal laws of  an applicable jurisdiction, including having power of arrest;
  3. typically have received specialized peace officer training (e.g., here in the United States such courses are typically offered by the Federal Law Enforcement Training Center ("FLETEC") or a similar program offered by one of the individual states, such as as Oregon's Department of PublicSafety Standards and Training Academy ("the DPSST Academy");
  4. and who normally receive tangible official signs of their role such as a police uniform or official credentials (a badge and/or ID card).

In adjusting this definition, we do not mean to imply that ICANN should exclude non-sworn government officials from the scope of its work -- even though those government officials are non-sworn, they play an important role in enforcing applicable law via civil processes. They simply require a different label (such as "civil enforcement officer" or "administrative enforcement agent").

For example, here in the United States, while FTC investigators are not sworn law enforcement officers, they play an important role in compelling fair business practices using the civil enforcement powers at their disposal. They're just "investigators" and not "law enforcement officers" within the customary meaning of that term of art.

We also believe that ICANN should explicitly consider whether "law enforcement" includes those who may be members of national intelligence services, or a country or multinational organization's military services, recognizing that in some countries (such as the United States), there may be as many as seventeen agencies and organizations involved in collecting and processing national security-related intelligence information (see http://www.intelligence.gov/about-the-intelligence-community/ ).

Definition 4.2 (Applicable Laws) appears to concentrate primarily on laws related to "the collection, use, access, and disclosure of personally identifiable information." That focus would be appropriate if whois policy issues turned solely on matters related to registrant privacy.

CAUCE NA believes that any whois study must recognize the applicability of all criminal and civil laws on whois policy, and the impact of whois policy on those laws in turn.

Such laws would include, but not be limited to:

  • laws against child exploitation and online "child pornography"
  • laws making it illegal to attempt to obtain financial information without authorization by means of deceit or artifice ("phishing")
  • laws forbidding the creation and distribution of viruses and other malicious computer software
  • laws prohibiting the online sale and distribution of narcotics and other controlled drugs
  • laws forbidding the advertising and delivery of copyright and trademark infringing products such as "knock-off" watches and pirated software, music and movies
  • laws forbidding fraudulent schemes such as advance fee fraud schemes, penny stock "pump-and-dump" scams, products making baseless promises of weight loss or body enhancement
  • laws regulating the collection of email addresses and distribution of bulk commercial email

Only when personal privacy rights are weighed against the full set of criminal and civil laws designed to protect a jurisdiction's citizens, can we achieve an appropriate balance between protecting privacy and protecting citizen's property and persons from all applicable risks.

In many cases the protection of property and persons from malicious actors is best served by access to whois information, rather than by withholding that information from interested parties.

Thus, that balancing process requires a more inclusive definition of "applicable laws" in CAUCE's opinion.

Defintion 4.3 ("Producers and Maintainers of WHOIS DATA") comingles a variety of parties and roles in ways that fail to adequately recognize important differences in perspectives and interests. For example, 4.3.A, "Producers" is defined as "The individuals or organizations supplying contact data for inclusion into WHOIS data." While that's seemingly a simple entity -- typically the person registering a domain -- in reality, things are less clear.

For example, whois data producers may include:

  • the true or ultimate registrant
  • a proxy registrant acting on behalf of the true or ultimate registrant
  • a registrar or hosting company, perhaps listed as a default "technical" point of contact for all domains they register on behalf of the true or ultimate registrant
  • a registration services provider acting on behalf of a registrar as an independent contractor or as the registrar's agent

These roles may change over time as well. For example, an engineer who may have initially registered a domain on behalf of an employer may change roles or change employers, yet still be carried on a registration as the point of contact for that domain, simply because the relevant data has never been verified and updated.

We might attempt to clarify all this by referring to an "initial producer" of whois data, or a "primary producer" of whois data, or a whois data "producer of record," depending on our emphasis, but any of those titles are only an approximation given the actual underlying practice.

We are also confused by the definition of "Data Controllers," particularly the trailing sentence fragment: "May or may not be directly involved in these functions." While that tautologically covers all possible cases, and in fact all persons, it does little to illuminate what's intended in this case, and is so overly inclusive as to render the definition of "Data Controllers" effectively meaningless.

More substantively, the sundry roles lumped into the "definition" of "Data Controllers" should be explicitly teased apart unless there is some compelling reason to throw them all into the same vague stew. Those who may work in the IETF to define the whois protocol (thus defining what data may be collected), have little to do with those who may work in ICANN to "govern" how that data may be used, or the judges who may "require its release." Don't lump them all together.

7. Determining The Extent to Which Whois Policy Is Effective, and Meets the "Legitimate Needs of Law Enforcement," and Assessing The Extent to Which "Consumer Trust" Is Being Promoted

Finally, we are not persuaded that the articulated program of work will substantively meet the defined purposes of:

  • assessing the extent to which WHOIS Policy is effective,
  • meeting the legitimate needs of law enforcement, and
  • promoting consumer trust.

If you have a grand program of work, but it doesn't meet those goals, you're wasting your time.

If ICANN wants to know these things, we recommend that it collect hard data on these topics using generally accepted technical market research and statistical methods. Simply asking for comments from the "usual suspects" (particularly when scant feedback is often provided) will not give a true understanding of what's happening in the real world.

Given the technical nature of the questions involved, ICANN should formally poll experts knowledgeable in the areas involved, as well as law enforcement agencies with officers who specialize in cyber crime, and organizations that represent consumer interests. This engagement needs to be proactive on ICANN's part, and not merely represent a willingness to listen to comments that may happen to trickle in from particularly motivated respondents who happen to comment.

Thank you for the opportunity to comment on this work, and we stand ready to address any points about which you may have questions or need further information.

Sincerely,

CAUCE North America

Posted by on 15 April 2011 in Canada, Press Releases, United States, Warnings, World | | Comments (0)

| | | |

13 April 2011

CAUCE News, Volume 13, Number 1 April 2011

Welcome

Welcome to the thirteenth year of CAUCE News. CAUCE was involved in an unprecedented number of important initiatives in 2010, which we would like to take a moment to tell you about.

CAUCE participated in the Digital Phishnet meetings in Montreal, Canada, was represented at the Anti-Phishing Working Group meetings in Dallas, the Team Cymru Cybercrime meetings in Lyon, France, attended all meetings of the Messaging Anti-abuse Working Group, was present at Toronto's ARIN (American Registry for Internet Numbers) meeting, several IETF (Internet Engineering Task Force) meetings, and countless hours advocating for the passage of Canada's Anti-spam Law, C-28, now known as CASL.

CAUCE was instrumental in the development by the U.S. FCC's Communications Security, Reliability and Interoperability Council (CSRIC) its ISP Network Protect BCP document, providing substantial input to the final product.

We thank all our CAUCE supporting and organizational members, whose yearly membership fees allow CAUCE to function, to attend these conferences, and to advocate on behalf of computer users who want to see the fight against malicious online abuse come to a succesful end. All CAUCE directors and officers are volunteers who give generously of their time.

Facts and Tips for Consumers about the Epsilon Breach

Epsilon Interactive, who sends commercial email on behalf of hundreds of companies, admitted to a security breach that they detected some time in March. Journalists covering the story have collected notifications sent by about 70 companies, including many financial institutions.

If you received a notification from one of Epsilon's clients, the thieves know your name and email address. Depending on which company had your information, the thieves may also be know the hotels you may stay at, which credit cards you may use, or where you buy stuff online. If your email address shows up on several of these lists, the criminals can draw together a pretty accurate profile of who you are, and what you typically do, and can guess your income level. Ironically, that is what companies like Epsilon do with the data, too.

There has been a lot of talk, blogging, tweeting and press reportage about the Epsilon breach, but little in the way of concrete information to consumers as to where they stand, if their personal information (PII) such as their name and email address has been lost to criminals. The CAUCE Board of Directors have developed the following FAQ that provides facts and guidance for those affected by the breach

Read more

 

Impenetrable Processes and Fool's Gold at ICANN
By: J.D. Falk, Director-at-large

A couple of weeks ago, I attended part of the ICANN meeting in San Francisco. I've been watching ICANN and been peripherally aware of their issues since the organization began, but this was my first chance to attend a meeting.

What I learned is that ICANN is a crazy behemoth of a bureaucracy, steeped in impenetrable acronyms and processes that make it nearly impossible for someone new to get up to speed.

The best example of this is the recent approval of the .XXX top-level domain. There are already top-level domains for specific types of companies or organizations: .MUSEUM for museums, .COOP for co-ops. None of them have been very successful ? there are only a few hundred museums in .MUSEUM and 6000 co-ops in .COOP ? but they've been mostly harmless. So okay, the adult entertainment industry wants a top-level domain, why not let them have it?

Read more

 

C-28 Anti-Spam Law Receives Royal Assent
By: Shaun Brown, Counsel & Director-at-large

It's been a long time coming, but Canada finally has an anti-spam law. Bill C-28, the law with no name, was passed in December, 2010

First introduced in April 2009 as C-27, the Electronic Commerce Protection Act, it died when parliament was prorogued in December 2009, only to be resurrected in May of 2010.

Having been involved since the beginning, and eagerly awaiting its passage, CAUCE is excited and relieved to see Bill C-28 become law; it provides Canada with the tools to do its part in the global fight against spam and related threats.

Read more

 

Yes, People Still Care About Email Spam

Just over a month ago, we posted an article entitled "Do People Still Care About Email Spam Anymore?". Part of the reason why people might not care anymore, according to this article, is that email has become pass?. With so many other new ways to communicate, why even bother with email?

Not only did a few readers take the time to post some compelling counter-arguments to our article, even muckraking marketing columnist Ken Magill has weighed in on the debate. Citing a few recent studies ? including a finding by the Pew Internet & American Life Project that email is still the No. 1 online activity across all age groups of internet users ? Magill goes so far as to advocate a pretty hefty dose of harassment for the next person who states in public that email is dead.

According to The Radicati Group, there are currently 1.4 billion email users. A study by Nielsen found that 25 minutes out of every hour spent on a mobile device is on email. And so on.

Read more

 

Consider supporting CAUCE by becoming a free or supporting individual Member or an organizational Sponsor: Join Here. Organizations can support CAUCE at several levels, starting at $5,000 per year. Sponsors may enjoy a range of benefits, including logo placement and recognition in our periodic newsletter. Please contact us via e-mail at support@cauce.org for additional information.

We encourage redistribution of this message, as long as they are not spammed anywhere, are on-topic for any forum to which you send them, and include our copyright notice. When in doubt, post the URL of our site (http://www.cauce.org) instead, or put it in your signature. Press, broadcast, and Internet media may treat this material as they would a press release.

Posted by on 13 April 2011 in Canada, United States, World | | Comments (0) | TrackBack (0)

| | | |

« Newer | Older »

CAUCE North America is financially supported by our organizational and individual members.

REPORT SPAM

Recommended Resources
On Guard Online (United States)

Get Cyber Safe (Canada)

Categories

Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported