Latest news of the domain name industry

Recent Posts

“Horrifying” Zoombombing attack on ICANN meeting, again

Kevin Murphy, June 22, 2020, Domain Policy

ICANN’s eleventh-hour decision to remove password requirements for ICANN 68 was proved wrong almost immediately after the meeting got underway on Zoom today.

According to participants and ICANN itself, several sessions were “zoombombed” this morning, with apparently pornographic content.

Zoombombing is where trolls disrupt public, open Zoom meetings with content designed to offend.

ICANN 68 is taking place on Zoom, but on Kuala Lumpur time. I was asleep during the attacks and ICANN has yet to post the recordings of any of today’s sessions, so I can’t give you any of the details first-hand.

But judging by a handful of social media posts that reference the attack, it seems to have been pornographic in nature. ICANN said it comprised “audio, images and video”.

One participant described it as “funny at first…until it was not”, while another said it was “horrifying” and left her feeling “completely vulnerable”.

ICANN said in a blog post that the trolls were swiftly removed from the sessions.

It added that it has changed the format of the remainder of ICANN 68, unplugging certain interactive components and requiring passwords to be entered before access is granted.

This means you’re going to have to register for each session and click emailed confirmation links, it appears.

Only the Governmental Advisory Committee is staying on the platform with its original vulnerable configuration.

ICANN had been planning to require passwords since a similar attack at an inter-sessional meeting in March, but changed its mind last week after security upgrades made by Zoom gave leaders a greater sense of confidence in the platform.

It appears that confidence was misplaced.

Coronavirus is saving ICANN millions of your money, but will it use the cash wisely?

Kevin Murphy, June 21, 2020, Domain Policy

ICANN is saving millions this year due to the coronavirus-related shift to online-only public meetings.

But it’s thinking about using some of the cash to do things like pay for broadband upgrades and hotel rooms for some of its community volunteers.

During a conference call on Thursday, CFO Xavier Calvez gave out figures suggesting that the switch from in-person to Zoom meetings could save as much as $8 million of your money in 2020.

Calvez said that ICANN meetings usually cost an average of $4 million, but that the virtual ICANN 67 in March only cost the org $1.5 million to $2 million.

Because the face-to-face component was canceled only at the last minute, ICANN had already incurred some costs associated with a physical meeting.

The ICANN 68 meeting, which begins tomorrow, is expected to cost $1 million to $1.5 million, Calvez said.

If we assume that October’s ICANN 69, recently moved from Hamburg to Zoom, will see similar savings, then the total 2020 meetings bill could be down by between $6 million and $8 million.

Calvez added that ICANN’s funding during the coronavirus crisis has so far been holding steady.

No sooner had Calvez finished speaking than a pre-submitted community member question was read out wondering whether some of this cash could be redistributed to participants who are usually travel-subsidized.

Intellectual property expert Jonathan Zuck said that money could be handed out to volunteers in order to pay for things such as broadband upgrades and “finding quiet places to participate in the middle of the night”.

Perhaps surprisingly, Calvez and senior VP of global stakeholder engagement Sally Costerton did not rule this out.

In fact, she said such ideas are currently under active discussion and may be floated for public comment after ICANN 68.

One idea, I suggest, might be to compensate the 200-odd people who tuned into Thursday’s “Q&A” session for their time.

The session was scheduled to be an hour long, but the first 45 minutes were devoted to the 12 members of the ICANN executive team introducing themselves and patting themselves on the back for all the awesome work they’ve been doing.

ICANN decision to cancel Hamburg was NOT unanimous

Kevin Murphy, June 19, 2020, Domain Policy

Surprisingly, ICANN’s decision last week to cancel its Hamburg annual general meeting in favor of Zoom did not receive the unanimous support of its board of directors.

Two directors — Ihab Osman and Ron da Silva — voted against the majority in the June 11 resolution, minutes published last night show.

The resolution noted that the global path of the coronavirus pandemic is currently too unpredictable to ensure that an in-person ICANN 69 could go ahead safely or legally in October.

But the two directors dissented, pushing instead for a “hybrid” model meeting, with a greatly reduced in-person attendance propped up with online participation.

According to the minutes:

Ron expressed concerns that the decision to conduct ICANN69 as a purely virtual meeting is premature and indicated a preference for the President and CEO to explore with the SO and AC leadership the implications, costs and logistics around a hybrid approach for ICANN69. Ihab expressed concerns that the proposed resolution does not allow for the possibility of some sort of physical hybrid model for ICANN69.

Osman went further, arguing that ICANN should set an example by going ahead with Hamburg:

Ihab Osman pointed out that large parts of the world are moving towards opening up, and that ICANN, as global community and global player, has a responsibility to do its part to bring the world back to some level of normalcy.

While CEO Göran Marby came back with a bunch of reasons a physical meeting would be impractical and potentially unsafe, both directors were unconvinced and voted against the 13-person majority anyway.

Notes released alongside the minutes reveal that ICANN stands to save a lot of money by remaining online-only.

Not only will it not have to pay for hundreds of flights and hotel rooms for staff and subsidized community members, but it had not yet signed contracts with the venue or local hotels, so it won’t be losing any deposits either.

Virtual cocktails coming to ICANN meetings. Really.

Kevin Murphy, June 18, 2020, Domain Policy

Fancy a virtual coffee? How about a virtual cocktail? These are both real events coming to ICANN’s public meetings, which for the rest of the year are online-only due to coronavirus restrictions.

It’s part of an effort to better capture the sense of socializing and community-building found at normal, in-person ICANN meetings.

The schedule for ICANN 68, which kicks off on Monday, has just been updated to include several 30-minute “virtual coffee” sessions, which of course will be conducted over Zoom.

ICANN’s calling these “Fika” sessions.

It’s not an acronym, but rather a reference to the Swedish workplace tradition of taking a break to drink coffee, eat cake, and chat with colleagues. I’m guessing Swedish CEO Göran Marby had a hand in the naming.

Each Fika session comes with a number of sub-rooms, in which participants can discuss issues such as “Bingeworthy: My Favorite Shows and Movies During Quarantine” or “I’ve Got the Time Now: Quarantine DIY Projects”.

It’s all very sweet and cuddly.

There’s no confirmed “virtual cocktail” sessions (which strike me as an exceptional excuse for day-drinking, depending on your time zone) on the ICANN 68 schedule yet, but the idea has been floated as part of ICANN org’s plan for enhancing its virtual meetings.

This plan is part of a draft four-phase plan to eventually re-open physical meetings when it becomes safe and permitted.

In the current Phase 0, ICANN’s going to encourage greater use of remote video — by all participants, not just the ICANN hosts — and sponsorship opportunities in a virtual “exhibition hall”.

ICANN’s even thinking about arranging for the shipping of schwag bags filled with sponsor loot.

Phase 1 would see the return of in-person meetings, but only at the local or regional level, Phase 2 would see a return to in-person ICANN public meetings, but with a “hybrid” approach that would retain the current online components.

Phase 3 would be essentially a return to business as usual.

The decision to enter a new phase would be guided by issues such as pandemic status, government guidelines, venue safety, and so on.

There’s no chance of up-phasing public meetings this year. ICANN has already confirmed that ICANN 69, originally set for Hamburg, will also be online-only.

But it does seem that this year’s meetings will be slightly friendlier affairs.

Fortunately for female participants, haptic technology has not sufficiently advanced to accurately replicate the experience of being sexually harassed in a hotel bar by a bearded middle-aged man who stinks of virtual vodka.

You won’t need a password for ICANN 68 after all

Kevin Murphy, June 17, 2020, Domain Policy

ICANN has ditched plans to require all ICANN 68 participants to enter a password whenever they enter one of the Zoom sessions at the meeting next week.

The org said today that it will use URLs with embedded passwords, removing the need for user input, after reviewing changes Zoom made last month.

These included features such as a waiting room that enables meeting hosts to vet participants manually before allowing them to enter the meeting proper.

ICANN said: “Please use these links cautiously, only share them on secure channels such as encrypted chat or encrypted e-mail, and never post them publicly.”

ICANN had said last month, before the Zoom changes, that it would require passwords in order to limit the risk of Zoombombing — where trolls show up and spam the meeting with offensive content. One ICANN Zoom session had been trolled in this way in March.

The org also said today that participants will be asked to give their consent to be recorded upon entry to a session.

“It is our hope that this small change empowers attendees by providing quick access and more control over the acceptance of our policies as it relates to attending virtual meetings,” ICANN lied, to cover for the obvious piece of legal ass-covering.

Refuse consent and see how far you get.

After Zoom trolling, ICANN 68 will be password-protected

Kevin Murphy, May 6, 2020, Domain Policy

If you want to show up to ICANN 68, which will be held online next month, you’re going to need a password.

ICANN said this week that it’s updating its Zoom software and standard configuration to require passwords. In a blog post outlining a number of changes to its Zoom instance, ICANN said:

The most impactful change is the new requirement that all meetings be secured with a password. This is the first step recommended by security professionals to keep meetings secure, and one which we had largely adopted org-wide prior to making it a requirement for all. We will make another announcement in the coming weeks regarding how this may impact joining meetings during ICANN68, as we work towards the best overall solution.

Quite how this could work while maintaining the usual openness of ICANN’s public meetings — which have always been free to attend basically anonymously — remains to be seen.

At ICANN 67, Zoom sessions that were open to the public simply required you to enter a name. Any name. At in-person public meetings, I don’t think you even need to show ID to get a hall pass.

The changes come in the wake of a “Zoombombing” incident during a minor meeting in March, during which trolls showed up via a publicly-posted link and flooded the session with “inappropriate and offensive” audio and imagery.

ICANN meeting got “Zoombombed” with offensive material

Kevin Murphy, April 27, 2020, Domain Policy

An ICANN meeting held over the Zoom conferencing service got “Zoombombed” by trolls last month.

According to the organization, two trolls entered an ICANN 67 roundup session for Spanish and Portuguese speakers on March 27 and “shared inappropriate and offensive audio and one still image” with the legitimate participants.

The session was not password protected (rightly) but the room had (wrongly) not been configured to mute participants or disable screen-sharing, which enabled the offensive material to be shared.

The trolls were quickly kicked and the loopholes closed, ICANN said in its incident report.

ICANN appears to have purged the meeting entirely from its calendar and there does not appear to be an archive or recording, so I sadly can’t share with you the gist of the shared content.

Zoombombing has become an increasingly common prank recently, as the platform sees many more users due to the coronavirus-related lockdowns worldwide.

Kuala Lumpur meeting cancelled and ICANN 68 could be even trickier online

Kevin Murphy, April 9, 2020, Domain Policy

ICANN has as expected cancelled its in-person ICANN 68 meeting, which had been due to take place in Kuala Lumpur in June, due to the coronavirus pandemic.

The decision, which was never really in any doubt, was taken by its board of directors yesterday. The board considered:

Globally, a high number of people are under some form of a “stay at home” or lock-down order, directed to avoid contact with others except to receive essential services such as medical care or to purchase supplies. Schools and offices are closed, gatherings are prohibited, and international travel is largely on pause. We do not know when travel or in-person meetings will be authorized or possible. As it relates to Kuala Lumpur, Malaysia has a Movement Control Order in force at least until 14 April 2020 that prohibits meetings such as ICANN68. The duration of the Movement Control Order has already been extended once.

It appears that the four-day meeting, which will instead go ahead virtually (presumably on the Zoom conferencing service) might be even more disjointed than ICANN 67.

ICANN 67, which took place online in March, did have a centralized component — a bunch of ICANN staffers on location at its headquarters in Los Angeles — but that may not be possible this time around.

The board said that “due to current social distancing requirements, ICANN org is unable to execute a virtual meeting from a single location, and that a decentralized execution model might necessitate changes to the format.”

It added that there is support for “a flexible, modified virtual meeting format that focuses on cross-community dialogues on key policy topics, supplemented by a program of topical webinars and regular online working meetings scheduled around the key sessions.”

While there has been a lot of criticism of the Zoom platform in recent weeks due to security and privacy concerns, ICANN indicated this week that it’s not particularly concerned and will carry on using the service.

ICANN’s new conferencing software has a webcam security bug

Kevin Murphy, July 10, 2019, Domain Tech

ICANN can’t catch a break when it comes to remote participation security, it seems.

Having just recently made the community-wide switch away from Adobe Connect to Zoom, partly for security reasons, now Zoom has been hit by what many consider to be a critical zero-day vulnerability.

Zoom (which, irrelevantly, uses a .us domain) pushed out an emergency patch for the vulnerability yesterday, which would have allowed malicious web sites to automatically turn on visitors’ webcams without their consent.

Only users of the installable Mac client were affected.

According to security researcher Jonathan Leitschuh, who discovered the problem, Zoom’s Mac client was installing a web server on users’ machines in order to bypass an Apple security feature that requires a confirmatory click before the webcam turns on.

This meant a web site owner could trick a user into a Zoom session, with their camera turned on by default, without their knowledge or consent.

If you’re in the habit of keeping your webcam lens uncovered, that’s potentially a big privacy problem, especially if you do most of your remote coverage of ICANN meetings from the toilet.

It appears that Leitschuh, who reported the problem to Zoom three months ago, took issue with what he saw as the company’s ambivalent attitude to fixing it in a timely fashion.

When he finally blogged about it on Monday, after giving Zoom a 90-day “responsible disclosure” period to issue a patch, the problem still hadn’t been fully resolved, he wrote.

But, following media coverage, Zoom’s new patch apparently removes the covert web server completely. This removes the vulnerability but means Apple users will have to click a confirmation button before joining Zoom meetings in future.

Zoom is used now for all of ICANN’s remote participation, from sessions of its public meetings to discussions of its policy-making working groups.

I really like it. It feels a lot less clunky than Adobe, and it’s got some nifty extra features such as the ability to skip around in recordings based on an often-hilarious machine-transcription sidebar, which makes my life much easier.

One of the reasons ICANN made the switch was due to a bug found in Adobe Connect last year that could have been used to steal confidential information from closed meetings.

ICANN actually turned off Adobe Rooms for remote participants halfway through its public meeting in Puerto Rico due to the bug.

The switch to Zoom was hoped to save ICANN $100,000 a year.

ICANN waves goodbye to Adobe Connect over security, pricing

Kevin Murphy, April 4, 2019, Domain Policy

ICANN has decided to dump its longstanding web conferencing service provider, Adobe Connect, in favor of rival Zoom.

The organization reckons it could save as much as $100,000 a year, and mitigate some security fears, by making the switch.

Adobe has been the standard remote participation tool for not only ICANN’s public meetings, but also its policy-development working groups, for at least seven or eight years.

It enables video, audio, screen-sharing, public and private chat, voting and so on. ICANN says that Zoom has “nearly all of the same features”.

But some of ICANN’s more secretive bodies — including the Security and Stability Advisory Committee and Board Operations — have been using Zoom for a little over a year, after an SSAC member discovered a vulnerability in Adobe that allowed potentially sensitive information to be stolen.

A clincher appears to be Zoom’s voice over IP functionality, which ICANN says will enable it to drop Premiere Global Services Inc (PGi), its current, $500,000-a-year teleconferencing provider, which participants use if they dial in from on the road.

“Based on feedback, Zoom’s voice connectivity and overall experience seem to be superior to equivalent Adobe Connect experiences,” ICANN said.

As somebody who has lurked on more than his fair share of Adobe Connect rooms, I’ve noticed that people losing their voice connection is a very common occurrence, which can delay and break the flow of discussions, though it’s not usually clear where the blame lies.

According to a Zoom feature list (pdf) provided by ICANN, Zoom currently lacks many features on its web client, but updates are expected to bring the feature set in line with the mobile apps and PC/Mac executables by the end of the year.

ICANN expects to use Zoom exclusively by ICANN 65, in Marrakech this June. In the meantime, it will provide training to community members.

The cynic in me wants to say “expect teething troubles”, but the ICANN meetings team runs a pretty tight ship. The switch might be surprisingly smooth.