One of ICANN’s Seven Secret Key-Holders To The Internet got taken out as part of an elaborate heist or something on American TV this week.
In tense scenes, a couple of secret agents or something with guns were forced to break into one of ICANN’s quarterly root zone key signing ceremonies to prevent a hacker or terrorist or something from something something, something something.
The stand-off came after the secret agents or whatever discovered that a hacker called Mayhew had poisoned a guy named Adler, causing a heart attack, in order to secure his position as a replacement ICANN key-holder and hijack the ceremony.
This all happened on a TV show called Blacklist: Redemption that aired in the US March 16.
I’d be lying if I said I fully understood what was supposed to be going on in the episode, not being a regular viewer of the series, but here’s the exposition from the beginning of the second act.
Botox Boss Lady: Seven keys control the internet? That can’t be possible.
Neck Beard Exposition Guy: They don’t control what’s on it, just how to secure it. All domain names have an assigned number. But who assigns the numbers?
Soap Opera Secret Agent: Key holders?
Neck Beard Exposition Guy: Seven security experts randomly selected by ICANN, the Internet Corporation for Assigned Names and Numbers.
Bored Secret Agent: Max Adler’s wife mentioned a key ceremony.
Neck Beard Exposition Guy: Yeah, four times a year the key holders meet to generate a master key and to assign new numbers, to make life difficult for hackers who want to direct folks to malicious sites or steal their credit card information.
Botox Boss Lady: But by being at the ceremony, Mayhew gets around those precautions?
Neck Beard Exposition Guy: Oh, he does more than that. He can route any domain name to him.
That’s the genuine dialogue. ICANN, jarringly, isn’t fictionalized in the way one might usually expect from US TV drama.
The scene carries on to explain the elaborate security precautions ICANN has put in place around its key-signing ceremonies, including biometrics, smart cards and the like.
The fast-moving show then cuts to the aforementioned heist situation, in which our villain of the week takes an ICANN staffer hostage before using the root’s DNSSEC keys to somehow compromise a government data drop and download a McGuffin.
Earlier this week I begged Matt Larson, ICANN’s VP of research and a regular participant in the ceremonies (which are real) to watch the show and explain to me what bits reflect reality and what was plainly bogus.
“There are some points about it that are quite close to how the how the root KSK administration works,” he said, describing the depiction as “kind of surreal”.
“But then they take it not one but two steps further. The way the ceremony happens is not accurate, the consequences of what happens at the ceremony are not accurate,” he added.
“They talk about how at the ceremony we generate a key, well that’s not true. It’s used for signing a new key. And then they talk about how as a result of the ceremony anyone can intercept any domain name anywhere and of course that’s not true.”
The ceremonies are used to sign the keys that make end-to-end DNSSEC possible. By signing the root, DNSSEC resolvers have a “chain of trust” that goes all the way to the top of the DNS hierarchy.
The root keys just secure the bit between the root at the TLDs. Compromising them would not enable a hacker to immediately start downloading data from the site of his choosing, as depicted in the show. He’d then have to go on to compromise the rest of the chain.
“You’d have to create an entire path of spoofed zones to who you wanted to impersonate,” Larson said. “Your fake root zone would have to delegate to a fake TLD zone to a fake SLD zone and so on so you could finally convince someone they were going to the address that you wanted.”
“If you could somehow compromise the processes at the root, that alone doesn’t give you anything,” he said.
But the show did present a somewhat realistic description of how the ceremony rooms (located in Virginia and California, not Manhattan as seen on TV) are secured.
Among other precautions, the facilities are secured with smart cards and PINs, retina scans for ICANN staff, and have reinforced walls to prevent somebody coming in with a sledgehammer, Larson said.
Blacklist: Redemption airs on Thursday nights on NBC in the US, but I wouldn’t bother if I were you.
A British Member of Parliament has been forced to deny he was behind the registration of several domain names promoting him as a future leader of the Labour party.
Clive Lewis, until recently a member of the shadow cabinet, told the Guardian yesterday that he did not register the batch of domains, which included cliveforleader.org.uk, cliveforlabour.org.uk and their matching .org, .uk and .co.uk domains.
“None of this is true: I haven’t done this,” he told the paper, following a Huffington Post article revealing the names had been registered June 29 last year, just a couple of days after he was appointed shadow defence secretary.
Lewis resigned from the shadow cabinet three weeks ago after refusing to vote in favor of triggering the Article 50 process that will take the UK out of the European Union.
The Labour Party has been dogged by stories about potential leadership challenges ever since Jeremy Corbyn — popular among grassroots party members, unpopular with voters — took over.
Questions about Corbyn’s leadership reemerged last week after a disastrous by-election defeat for the party.
The domains were taken as an indication that Lewis had been plotting a coup for many months, which he has denied.
The Whois records do not support a conclusion one way or another.
Under Nominet rules, individuals are allowed to keep their phone number, postal and email addresses out of Whois if the domains are to be used for non-commercial purposes, a right the registrant of the names in question chose to exercise.
Public Whois records show the .uk names registered to “Clive Lewis”, but contain no contact information.
They do contain the intriguing statement “Nominet was able to match the registrant’s name and address against a 3rd party data source on 29-Jun-2016”, a standard notice under Nominet’s Whois validation program.
But Nominet does not validate the identity of registrants, nor does it attempt to link the registrant’s name to their purported address.
The statement in the Whois records translates merely that Nominet was able to discover that a person called Clive Lewis exists somewhere in the world, and that the postal address given is a real address.
The .org and .com domains, registered the same day by the same registrar, use a Whois privacy service and contain no information about the registrant whatsoever.
Lewis himself suspects the batch of names may have been registered by a political opponent in order to force him to deny that he registered them, noting that fellow MP Lisa Nandy had a similar experience last July.
His initial statement to HuffPo, on which he reportedly declined to elaborate, was:
A lesson from LBJ [US President Lyndon B Johnson] in how to smash an opponent. Legend has it that LBJ, in one of his early congressional campaigns, told one of his aides to spread the story that Johnson’s opponent f*cked pigs. The aide responded: ‘Christ, Lyndon, we can’t call the guy a pigf*cker. It isn’t true.’ To which LBJ supposedly replied: ‘Of course it ain’t true, but I want to make the son-of-a-bitch deny it.’
Since then, along with his denial to the Guardian, he’s told his local Norwich newspaper that he’s tasked his lawyers with finding out who registered the names.
“I have instructed a solicitor to go away and look at this. They can try and make sure we find the identity, the IP address and the payment details,” he told the Eastern Daily Press.
US civil rights group the National Association for the Advancement of Colored People has reclaimed the domain name nigger.com after it expired and went to auction.
The names nigger.org and nigger.net were also affected, but according to Whois records the NAACP restored all three yesterday.
The names had been in pending renewal/delete status for three weeks, during which time the registrant was listed as Perfect Privacy, Web.com’s proxy/privacy provider.
While expired, the .com had been placed (presumably automatically) in a NameJet auction, as first reported by Raymond Hackney at The Domains.
At time of writing, the auction had attracted 72 bids and a high offer of $10,000.
It was a “Wish List Auction”, indicating that the domain’s prior registrant had not yet exhausted all options to have the name restored.
As Hackney noted, if these domains fell into the wrong hands it could have a negative impact on race relations in the US.
But the NAACP, which first got hold of the domains almost 20 years ago, seems to have had a remarkably lackadaisical attitude to them over the last few years.
Not only did it accidentally allow the names to expire, but DomainTools and Archive.org captures show that the associated web sites had been compromised repeatedly since late 2014.
Every capture since late 2014 shows taunting, racist messages from the hackers, at least one of which associated himself with troll group the “Gay Nigger Association of America”.
I’m not going to NamesCon this year. Scheduling conflicts, personal life, blah blah blah. You don’t need to know.
It’s a shame, as I’ve enjoyed the show in previous years and there’s usually plenty to be learned even if, like me, you’re not a domain investor.
So while I won’t be there, I thought I’d put together a list of sessions that I’d be likely to attend in my capacity as a non-domainer, if I were attending. Which I’m not.
Don’t get me wrong, I usually find the domainer-focused stuff interesting. It’s just less interesting to me because DI is not an investment tip sheet and I personally have no pony in the race.
In agenda order…
The Evolution of Domaining
This is Frank Schilling’s seemingly annual keynote, this year subtitled “A vision for the future of domaining and how we’re going to get there. The next wave of passive income generation for the savvy domainer.”
While it’s certainly got a domainer-leaning theme, the Uniregistry CEO’s speeches are often must-listen events. Schilling is usually a candid and amiable speaker.
Plus, he’s made a shedload of cash out of domains so many people hang on his every word. That’s why he’s been on the Domain Name Wire podcast 86 times.
It’s on at 10am on Monday.
Dominate the Drop: Best Practices for Successfully Acquiring Deleting Domains
Michael White from SnapNames and Jonathan Tenenbaum from Namejet promise to spill the beans about the crazy competitive drop-catching market.
I find this aspect of the industry fascinating, especially given the arms race going on between SnapNames/Namejet and its rivals at the moment.
Over half of all ICANN-accredited registrars are currently shell companies created to bulk up the dropnets of the two aforementioned companies, as well as TurnCommerce and Pheenix.
There’s clearly money in it, so I regret I’ll be missing this session.
It’s on at 11am on Monday.
Domain Monetization for Registries and Registrars
As somebody who writes a blog largely looking at the sell-side of the industry, this session title speaks to me.
It’s being held by Michael Gilmour, CEO of ParkLogic, a company I’m not particularly familiar with.
Even if it just turns out to be a sales pitch for ParkLogic, it might be interesting anyway, due to the promise to “unlock hidden value from data that is readily accessible to you”, which intrigues me as a data nerd.
It’s on at 11am on Monday too, so it clashes with the dropcatching session.
The Most Shocking UDRP Decisions of 2016
This one sounds like fun. There are few things more amusing in the domain industry than listening to domainers moan about crappy UDRP decisions.
In this session, three industry names who are no strangers to UDRP will compete to have a decision of their choice crowned the “most shocking” of the last year.
This is on at noon on Monday.
Investing in New TLDs – Making Money in the Short and Long Term
A panel of experts discuss how to make money out of new gTLDs. I think that is going to be a hard sell to a typically skeptical domainer crowd, so I’d be curious to hear what they have to say at 2pm on Monday.
NamesCon Domain Auction 2017
Live domain auctions are sometimes entertaining, but depending on the auctioneer you may need to bring ear-protectors. It’s on at 3pm.
Uniregistry After Hours Party
If you haven’t fested enough sausage yet, now’s your chance to top up, from 9pm until “late” (which in Vegas could mean midnight, 2am, 6am, or mid-February).
Christian Domainers Breakfast Buffet
I’m slightly flabbergasted that this is a thing. What is a Christian domainer, and how do they differ from non-Christian domainers?
A special prize goes to the first person to send me a photo of themselves at this event reading a hardback copy of “The God Delusion” whilst eating a free Christian pastry.
Building a Business to Last Decades
Despite the dry title, this is Matt Muellenweg, founder of WordPress/Automattic, and I’m interested to hear what he has to say. Plus, it’s the only thing going on at 10am on Tuesday.
Few things have influenced the domain name industry over the last couple of years than China. In this session, four guys who understand the market over there discuss the trends they’re seeing and expecting.
Will Branded TLDs Impact the Marketplace in 2017 and Beyond?
Events promising to spill the beans about how big companies plan to use the dot-brands are rarely very informative in my experience — speakers play their cards far too close to their chests — but I keep going to them anyway.
Let’s hope the Microsoft and MarkMonitor speakers have something new to add to the conversation at 2pm.
Dollars and Sense of .net
Verisign’s Pat Kane pitches .net, which has been stagnating since the launch of new gTLDs. 3pm.
DNS Industry SWOT Analysis, 2017 Edition
The “strengths, weaknesses, opportunities and threats” for the industry according to… ICANN?
Global Domains Division head and occasional CEO Akram Atallah is the only big ICANN name speaking at this year’s NamesCon, so it’s worth checking this session out for that reason alone.
It’s on at 9.30am on Wednesday.
A Look Ahead at New TLDs
Three registries and one registrar discuss the future of new gTLDs at 11am on Wednesday.
Bloggers Broadcast: Dispatches from NamesCon 2017
An opportunity to throw things at my competitors at 12pm on Wednesday.
The Pragmatic Rebel: a Fireside Chat with Elliot Noss
Noss is one of the most engaging speakers in the industry in my view, even if the subject matter of this session is not quite up my alley. 1pm Weds.
Privacy and Your Domains
This review of domain privacy developments is right up my alley, but it also clashes with the Noss interview.
Executive Roundtable: Industry Trends Forecast for 2017
A conference roundup from four registry/registrar bigwigs closes down the conference.
NCC Group, registry for the .trust gTLD and domain data escrow provider, provided several of the supporting stars for a UK reality TV game show that started a few weeks ago.
Hunted is a Channel 4 show in which 10 members of the public turn “fugitive” for a month.
The contestants are pursued on foot and electronically by a team of military, law enforcement and security experts.
Contestants have to keep on the move and are not allowed to leave the UK. Each fugitive team has a covert cameraman recording their escapades.
It’s basically a big televised game of hide-and-seek.
Whoever makes it 28 days without being physically captured by the “hunters” wins a share of £100,000.
NCC provides four of members of the hunter team, all from the firm’s security division.
Here’s the pre-launch trailer.
Two episodes in to the six-episode series, I’d have to say it’s a fun watch, even if you have to take the “cyber” elements slightly with a pinch of salt.
Because the “hunters” don’t actually have legal access to CCTV cameras, phone records, car registration databases and the like, that element is simulated by the show’s makers, overseen by an ex-cop independent adjudicator.
It airs on Channel 4 on Thursday nights in the UK. The first two episodes are currently available on-demand.