ICANN has elected Rod Beckstrom as its new chief, replacing Paul Twomey who is retiring after 6 years in the post.
Beckstrom has a strong IT security and technology background. His web site reflects a keen intellect and communications/political skills that should serve him well in this role with ICANN, the Internet Corporation for Assigned Names and Numbers. It is worth visiting Rod's site and listening to some of his interviews.
I've written before about the importance of ICANN and a free internet, something the general media has failed to appreciate, with a few exceptions. Created by the Clinton Administration to move control of the Internet to a world body that was not controlled by governments or the United Nations, ICANN is incredibly important to individual freedom around the world.
Beckstrom resigned from his post as US Cybersecurity Director in March amid some controversy over funding and NSA control. He seems to be an independent thinker. I am encouraged by his security background and stated goal of understanding DNSSEC in greater depth.
The overriding weakness in Internet security is its inability to scale across organizational boundaries. The DNS is the only thing that provides that scaling. Yet without the Trust and Authentication enabled by DNSSEC we can never escape the current extremely expensive, limiting and ineffective security we have today. Dan Kaminsky, security researcher with IOActive and discoverer of the "Kaminsky Vulnerability" in the DNS over a year ago, spoke about this in a recent interview with Michael Mimoso, Editor of Information Security Magazine.
The primary challenges facing Beckstrom in his new position are political. International politics are the only remaining challenge to DNSSEC deployment now that the technical issues have been resolved. See this article by William Jackson in GCN for more on that topic. Failure to deploy DNSSEC is not an option.
I wish Rod the best of luck and success.
Posted at 11:15 AM
In an outstanding example of "faster, better, cheaper" it was announced that the first batch (100,000 doses) of swine flu vaccine has shipped. The vaccine was developed by Protein Sciences Corporation using gene-based technology that avoids the use of eggs or live virus. It should be a much safer and faster way to develop vaccines.
I was mesmerized reading their chain of press releases. Talk about moving quickly.
The Company's products have a wide range of uses in addition to vaccines, ranging from anti-cancer, gene therapy (Muscular Dystrophy, Alzheimer's), auto-immune disorders (arthritis), and Hepatitis C. This is a company with game-changing technology that can greatly benefit the world.
Protein Sciences is a very small 50 employee private company with cumulative revenue to date of just $75 million over 26 years, with $45 million in invested capital. It does not fit an American style VC model. I wish I could buy some stock.
But guess what? According to a Bloomberg article, one of its creditors filed a petition to force it into Chapter 7 bankruptcy. See more here. I don't have an update but it looks like the DHS contract will enable the company to dodge this bullet.
We need more companies like Protein Sciences that address fundamental needs with breakthrough technology. These types of developments always seem to come from small, focused companies that need to be creative. Getting there is a struggle with lots of risk and a lot of setbacks.
This is a good example of effective public-private partnerships. The company is working with the FDA, Homeland Security, the Department of Defense, and the Institute of Allergy and Infectious Diseases. It is very gratifying for me to see this process work and wealth creation in action.
Posted at 10:41 AM
Clear, with the Airport Clear card that allowed users to bypass security lines filled with passengers in steerage, bit the dust on Monday. Verified Identity Pass, the parent company, was unable to come up with additional funding from their venture investors.
This is hardly a tragedy to most of us but a real inconvenience to the tens of thousands of people who bought and paid for the service. Clear never quite recovered from a suspension last year resulting from a loss of identity data. The bankruptcy raises concern about what happens to the extensive personal data that Clear gathered from their customers. But that may be the least of our worries.
Bankruptcies are at record levels and expose consumers to yet another potential loss of credit and personal data. Do a search on "mortgage files in dumpster" to see what I mean - there are lots of examples from now-bankrupt mortgage originators. Many bankrupt companies have a lot of personal data on customers. There is no way to obtain protection from an entity that has no resources.
The Clear bankruptcy got me thinking about just how many companies are going belly up or "reorganizing" today. Formerly blue chip names like GM, Chrysler, Bear Stearns, Lehman Brothers and Nortel are shocking enough. Throw in Eddie Bauer, Red Roof Inn, Visteon (the largest parts supplier for Ford), Washington Mutual, Extended Stay America, Sea Launch (the rocket launch company), Bally Total Fitness, TXCO Resources, Six Flags, Pilgrim's Pride, Philadelphia Media Holdings (owner of the Philadelphia Inquirer and Daily News), the Rocky Mountain News, Debt Relief USA (I guess they couldn't help themselves), and of course Trump Entertainment Resorts. I could go on and on. And the outlook is grim.
According to BusinessWeek, just 18% of business bankruptcies are chapter 11, with the remainder facing liquidation. And this even before one considers consumer debt (thankfully declining) and bankruptcy, which is soaring.
Thank goodness the credit rating of the United States is "safe" according to Moody's. That is in contrast to State and Municipal Governments. See "Moodys Downgrades the Entire Country". Considering the rating agencies' track record, it's more like caveat emptor when evaluating credit risk: If you invest or buy a service (e.g. Clear) do your homework. All of our many regulations failed to prevent or to forecast the current meltdown. So the solution is more regulation?
Despite all of the stimulus efforts there is no getting away from the fact that business production and profit is the only way we can get out of this mess. We need to be more efficient but we seem to be moving to a regulated economy and stagnation. Wall Street continues to be a gambling mecca and not a reliable marketplace for raising capital, which is its real purpose.
Risk is unavoidable in business. No amount of regulation can eliminate risk but the illusion that regulation will protect us can fool people into complacency. Ask a Madoff investor.
Posted at 04:35 PM
The recent open letter to Google urging an improvement in security, particularly for Gmail, has received relatively little publicity. But it is gratifying that Google appears to be responsive (see Google responds to call for more security). This does not help with SPAM (but DNSSEC can be used to authenticate email and thereby effectively stop SPAM) but it does help protect data and identity information.
Lack of encryption and authentication has made malware a high growth criminal business; hackers are so successful at obtaining financial and identity data that prices for such data keep falling. The Related Articles and Related Links sidebars to the two SC Magazine articles I have linked above illustrate the problem.
Yet the fact that Google must be petitioned to help customers use its existing HTTPS tools (ones that Microsoft and others do not offer for email) indicates how little business seems to care about Internet security. Cloud computing puts your data into the Internet. One would think that encryption and authentication would be required to offer cloud based services to consumers and businesses. Yet cloud security seems to be an afterthought: See Cloud security concerns don't register with many businesses.
It's only a matter of time until we see more legislation and regulation unless business gets a clue on authentication and security.
Posted at 02:58 PM
Patrick Thibodeau reported in NetworkWorld on Vinton Cerf's speech at a TechAmerica conference Wednesday (see The Internet is Incomplete).
Vint is one of the designers of the Internet, the former head of ICANN (the governing body of the DNS), and is currently Chief Internet Evangelist for Google. He is not only technically smart but also people savvy as he guided ICANN from inception through choppy world-wide political waters.
When he talks we should listen. The article states:
One of the most critical needs is authentication, Cerf said, and he told the crowd at a TechAmerica gathering Wednesday that anyone who performs transactions over the Internet - which is everyone - "should be deeply concerned about that technology."
The lack of authentication is pervasive and is even a problem in simple cases, such as authenticating entries in the domain name system, he said.
"Authentication isn't available on an end-to-end basis at all layers of the architecture," Cerf said. While users are good "at building concrete tunnels" using simple SSL (Secure Sockets Layer) techniques, they don't identify the end points and just secure the channel, he said. You can have an e-mail with an attached virus, thoroughly encrypted, and send it through an encrypted tunnel, and once it gets to the other end "it gets decrypted and then, of course, does its damage," he said.
Mobile is another problem. "We do a terrible job serving up mobile," Cerf said, referring to the ever broadening use of the Internet via mobile devices. He said protocol work is needed to address it.
What we are talking about here is the need for DNSSEC, which is the only feasible, near-term and cost effective authentication for the Internet. It is noteworthy to point out that SSL and VPN do not protect you without DNSSEC, as Dan Kaminsky has pointed out.
The business and e-commerce community needs to adopt DNSSEC as soon as possible.
Posted at 08:13 PM
Mac and Windows PC users should have downloaded several security patches this week of tremendous size. As reported in SC Magazine, Microsoft has a record 31 patches, and Apple issued a patch for 50 vulnerabilities in Safari, some of them deemed "extremely critical" (and this on top of a huge patch for 10 QuickTime vulnerabilities and an iTunes vulnerability last week). Adobe issued patches for several "critical" vulnerabilities in Reader and Acrobat.
This is all part of the never-ending cycle of vulnerability - exploit - patch that plagues Internet users. Mobile devices are the next frontier. Twitter is an attack vector now.
It's not just the threat of attack that is the problem. The risk of an individual being robbed, having their identity stolen or their privacy compromised is very low. But the cost and complexity to (ineffectively) respond to these threats is a tax that no one needs in the best of times.
It will be very difficult to break this cycle at the device level (PC, Mac or handheld) for some time. But we can do a lot to improve Internet infrastructure so the threat level subsides.
Most of the leadership in Internet security is outside of the business community. How disappointing for a capitalist like myself. The first generic top level domains to be signed with DNSSEC are .gov and .org. This doesn't do much for on-line banking or retail security.
It is time for the business community to get their act together.
Posted at 03:25 PM
One week ago the Public Interest Registry (PIR) announced that it had signed the .org Top Level Domain (TLD) zone using DNSSEC. With over 7.5 million registered domain names, .org is the largest domain to adopt DNSSEC. The other TLD using DNSSEC is .gov, with all agencies implementing DNSSEC by the end of 2009.
Roll-out to individual entities with .org extensions will be gradual this year as ISPs and self hosted entities must adopt DNSSEC for this to be meaningful to users. Afilias, which operates the .org domain and a large number of country code domains, has been one of the leaders in DNS and DNSSEC and they will be providing DNSSEC services to their customers.
PIR is certainly acting within their mission of serving the public interest. DNSSEC authentication addresses a host of vulnerabilities that affect all Internet applications. Adoption of DNSSEC not only addresses these threats, it will lower the cost of Internet operations and improve user trust. And it's green (see below).
People spend a lot of money and time securing their PCs (but not their handhelds, another topic) and entities and service providers spend a lot of money and time securing their networks, but as long as the space between them is the wild west they can never say they are truly secure.
For example, DNSSEC authentication is essential if we are ever going to put medical records on-line - you must authenticate who is getting access to the records. DNSSEC enables email authentication - which would effectively eliminate SPAM and Phishing emails. It has been estimated that SPAM and efforts to fight it consume enough power for a city of 1.5 million.
We are making real progress for a better Internet.
Posted at 10:46 AM
This post is a bit dated as I was vacationing last week. A lot happened in my absence. The first big announcement was that the root zone would be signed in 2009, enabling more simple DNSSEC adoption by the world.
Pause for fireworks and Tchaikovsky!
The announcement was made jointly by ICANN, NIST, the US Department of Commerce and VeriSign and is a compromise of sorts, with the root-signing keys being held by VeriSign, who administers the root, and the key-signing key held by ICANN, who has authority over the root and runs one of the 13 named root servers. This is a very practical solution to implementation.
For internet users this may seem meaningless but it is a major step in enabling DNSSEC to be adopted and facilitate authentication for the internet. Authentication will let you know that you are at the correct web site, will authenticate that sites do not exist, and enables email to be authenticated, which will get rid of SPAM. It's a big deal.
DNSSEC will have to be adopted by businesses, government and associations or their service providers for this to be effective. The cost to do so is not high or complicated as my company has a product that automates the process.
Posted at 08:49 AM