ICANN and Power Auctions have completed December’s mini-batch of “last resort” new gTLD auctions, adding a total of $6.4 million to its mysterious auction cash pile.
Johnson & Johnson won .baby, fighting off five portfolio applicants and paying a winning bid of $3,088,888.
Meanwhile, the Canadian Real Estate Association beat Afilias to .mls, paying $3,359,000.
I called it for CREA earlier this week, noting that the organization wanted .mls enough that it filed two applications, a failed Community Priority Evaluation, and an unsuccessful Legal Rights Objection against Afilias.
ICANN has now raised over $34 million selling off 10 strings at last resort auctions, with prices ranging from $600,000 (.信息) to $6.7 million (.tech).
The money has been set aside for purposes currently undecided. At least one applicant wants ICANN to redistribute the cash to losing bidders, which I don’t think is particularly likely.
It’s 2014. Does anyone in the domain name business still fall for phishing attacks?
Apparently, yes, ICANN staff do.
ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.
According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.
CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.
But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.
While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:
The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.
As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.
It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.
Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.
User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.
In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.
It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.
While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar order to hand over their passwords.
That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.
ICANN’s fifth set of last-resort new gTLD auctions is set for tomorrow and it’s another small batch.
Just two contention sets — .baby and .mls — are set to be resolved, with ICANN stashing the winning bids into its special fund.
.baby is hotly contested with no fewer than six applicants — five portfolio applicants and one big brand.
Will Johnson & Johnson get what was once a single-registrant “closed generic”, or will Donuts, Google, Radix, Famous Four or Minds & Machines prevail?
Meanwhile, .mls (for “multiple listing service”, a type of real estate listings aggregation service popular in North America) is a two-horse race between Afilias and the Canadian Real Estate Association.
I’m tempted to call this one for CREA. The organization is so desperate for the .mls gTLD that it filed two applications, one “community” and one vanilla.
The community application was withdrawn earlier this year when CREA scored 11 out of 16 points on its Community Priority Evaluation, failing to pass the 14-point threshold.
The organization even filed a Legal Rights Objection against Afilias in attempt to kill off the competition, which also failed.
Having fought off these challenges, Afilias is either going to get the gTLD or walk away empty-handed. The last resort auction does not compensate unsuccessful bidders for their investments.
Amazon is now the proud owner of the .secure new gTLD, after much smaller competing applicant Artemis Internet withdrew its bid.
Coincidentally, the settlement of the contention set came just yesterday, the day before Artemis took its .trust — which I’ve described as a “backup plan” — to sunrise.
I assume .secure was settled with a private deal. I’ve long suspected Artemis — affiliated with data escrow provider NCC Group — had its work cut out to win an auction against Amazon.
It’s a shame, in a way. Artemis was one of the few new gTLD applicants that had actually sketched out plans for something quite technologically innovative.
Artemis’ .secure was to be a “trust mark” for a high-priced managed security service. It wasn’t really about selling domain names in volume at all.
The company had done a fair bit of outreach work, too. As long ago as July 2013, around 30 companies had expressed their interest in signing up as anchor tenants.
But, after ICANN gave Amazon a get-out-of-jail-free card by allowing it to amend its “closed generic” gTLD applications, it looked increasingly unlikely Artemis would wind up owning the gTLD it was essentially already pre-selling.
In February this year, it emerged that it had acquired the rights to .trust from Deutsche Post, which had applied for the gTLD unopposed.
This Plan B was realized today when .trust began its contractually mandated sunrise period.
Don’t expect many brands to apply for their names during sunrise, however — .trust’s standard registration policies are going to make cybersquatting non-existent.
Not only will .trust registrants have their identities manually vetted, but there’s also a hefty set of security standards — 123 pages (pdf) of them at the current count — that registrants will have to abide by on an ongoing basis in order to keep their names.
As for Amazon, its .secure application, as amended, is just as vague as all of its other former bids for closed, single-registrant generic strings (to the point where I often wonder if they’re basically still just closed generics).
It’s planning to deploy a small number of names to start with, managed by its own intellectually property department. After that, its application all gets a bit hand-wavey.
An unsuccessful new gTLD applicant wants ICANN to share the proceeds of its “last resort” auction with itself and the other losing applicants.
Aesthetics Practitioners Advisory Network had applied for .salon, but found itself in a contention set with three other applicants and was ultimately beaten at auction by a winning bid of over $5 million from Donuts.
Now, the company has written to ICANN to ask for the money from the ICANN-run auction to be shared out among the losing bidders in much the same way as it is when a contention set goes to private auction.
APAN CEO Tina Viney wrote (pdf):
On the basis that ICANN received such a large amount ($5.175million) for the bidding of this auction it would be fair and equitable for the losing parties to be considered in the distribution of the winning financial bid. We believe that ICANN should review this consideration for losing parties who have had to incur numerous costs, not just the application fee, but also toward the preparation of documents so that we could meet with ICANN’s requirements. These include, but are not limited to registry fees, solicitor’s fees, financial services, not to mention the enormous amount of time that is required of an applicant in preparing for their application.
As a result, we respectfully request ICANN as part of their funds distribution policy to consider the applicants who did not win at the auction, BUT WERE SUCCESSFUL IN PASSING THE EVALUATION PROCESS.
She said that private auctions, which allow losing applicants to recoup some or all of their costs, should be mandatory when a majority of the applicants in a contention set want one.
In .salon’s case, one of the four applicants didn’t agree to a private auction, according to Viney. As Donuts is the enthusiastic pioneer of the private auction concept, that means the holdout was either DaySmart Software or L’Oreal.