

    on April 20, 2018 at 7:00 am

    As you know, the ICANN organization took down its Adobe Connect service midway through the ICANN61 meeting in response to reported issues with this service. Concurrently, we began to conduct our own forensic analysis of the reported incident and began working with our Adobe cloud service provider, CoSo Cloud LLC, and through them with Adobe to learn more. Shortly thereafter, we rolled out instances of Zoom and WebEx for the community to support remote participation (RP) and collaboration. Here's where we are now:

    The Forensics Investigation

    With respect to our forensics work, we received application log files from CoSo Cloud, going back for a period of one year. ICANN Engineering and Security teams have examined these application log files and the results of our investigation clearly show "fingerprints of incursion" by the researcher who reported the issue. We were unable to find any other indication that anyone else either identified or exploited this issue. Thanks to the person who found the bug again.

    Working closely with CoSo Cloud, we were able to recreate the reported issue, and understand the conditions required to trigger it. This information has been communicated to Adobe, and Adobe is working on a software fix to address the root cause of the issue.

    We have also been working with CoSo on options to re-enable Adobe Connect in the shorter term. We have determined there are two viable paths to accomplish this goal. They are:

      • Deploy a hardened configuration to eliminate "man-in-the-middle" exploitations by encrypting relevant traffic, or
      • Implement a programmatic fix from CoSo Cloud to substantially reduce the window during which the issue can be exploited.

    With respect to the first option, we attempted to hack the hardened configuration in a test environment last week, and were not able to do so over the course of 7 hours. Separately, CoSo Cloud and Adobe conducted similar tests and confirmed that this configuration is protected from exploitation of the issue.

    Community Feedback and Next Steps

    For the last three weeks, we have been gathering limited feedback regarding users' experiences with WebEx and Zoom. So far, we have input from about 200 people, including ICANN org meeting organizers and the ICANN community. Our analysis of this feedback indicates a desire to revert back to Adobe Connect, providing the security of the service is ensured.

    Accordingly, we would like to propose the following plan to the broader community for consideration: We would like to restore Adobe Connect services with both the new hardened configuration and the programmatic fix discussed above. Our intent would be to restore service by 3 May. This would allow us to use Adobe Connect during several upcoming events including the Board Workshop, the GDD Industry Summit, and ICANN62.

    Once Adobe releases a new version of the software with a fix for this issue from their perspective, and provides assurance the update has been adequately tested, we will move toward that release of Adobe Connect in a prudent manner, with the help of CoSo Cloud. We believe that this approach will ensure the security of our content, and of our community interactions, while also enabling our community to use the collaboration tools of their choice.

    Before we make these changes, we want to hear from you. What do you think? Please submit your thoughts on this contemplated move before May 2nd here: RP-tool@icann.org

    Meanwhile, we will continue to offer WebEx and Zoom for RP and collaboration purposes. We will also continue to follow industry developments, including the research ALAC is doing on the RP and collaboration space, to ensure we are using secure and cost-effective tools that are appropriate for our needs. I look forward to your comments! […]

  • What I’ve Learned in a Year of Complaints
    on April 18, 2018 at 7:00 am

    In March 2017, the ICANN Complaints Office was established, and I was named the ICANN org Complaints Officer. Since we started accepting submissions in May 2017, we have received 858 from around the globe. Of those 858, 22 were complaints regarding the ICANN org, and 836 were submissions related to other processes.

    It’s been a really interesting and rewarding year. I spent a lot of time establishing the process, navigating the submissions, and, of course, addressing the complaints and issues underlying them. The 22 complaints about the org led to improved processes, and truly added opportunity and value for the org to research, analyze, and improve upon its work, all in a transparent manner. Above all, this has been a learning experience, and I’ve gained additional insight into how the org and the community can work together to improve ICANN.

    The org made improvements to several processes as a result of complaints that were filed. For example, processes such as the public comment submissions and amendments to contracts between registries and registrars were improved upon, to name a few.

    The first Complaints Office Semi-Annual Report describes the key activities and metrics for the reporting period, and has my observations and recommendations, all of which have been reviewed by and discussed with the ICANN President and CEO, Göran Marby. Göran will be acting on them to varying degrees, and I expect we’ll hear more on that in the coming months.

    As you can tell by the numbers, there were many complaints outside of my scope, and several related to issues the org is not permitted to change – such as requests to override consensus policy or to re-architect the Domain Name System. One of my major focuses for the next six months is clarifying the complaints process across the ICANN org so we are more efficient, the paths for various complaints are more clear, and we can ensure we are not wasting anyone’s time or efforts. I will also be continuing my engagement efforts to raise awareness about the office and its importance to improving processes within the org, working to improve the office’s reporting capabilities, and establishing process timing expectations.

    This new role has given me the opportunity to work with some incredibly passionate, engaged community members. Their input is a critical pillar of the org’s transparency and accountability efforts, and I encourage anyone who has an issue they’d like to discuss to reach out to me. I’m here to help in any way I can. […]

  • Data Protection/Privacy Issues Update: Soliciting Community Input on Article 29 Guidance
    on April 13, 2018 at 7:00 am

    Following another busy week for our team focused on the European Union's General Data Protection Regulation (GDPR), we are writing to recap the latest milestones. On Thursday, we received a letter [PDF, 400 KB] from the Article 29 Working Party where they provided recommendations on ICANN org's Interim Model for Compliance [PDF, 922 KB] with ICANN's agreements and the GDPR. In my reply [PDF, 313 KB] to Article 29 I again emphasize the need for additional time to further develop and implement the model, including a moratorium on enforcement until our model is in place.

    Allow me to reiterate that ICANN recognizes the importance of the GDPR and its goal of protecting personal data, but also notes the importance of balancing the right to privacy with the need for information. While we continue our work to understand, clarify and address the Article 29 Working Party's recommendations and make any necessary adjustments to the model, we encourage and request the community's involvement and input on each of the proposed recommendations.

    We have accepted an invitation to meet with the WP 29 Technology Subgroup on 23 April in Brussels. Please share your input with Article 29 and the relevant European member state data protection authorities, as well as with us at gdpr@icann.org. We continue to welcome the dialogue and your time and input. […]

  • Accountability Indicators Feedback - January to March 2018
    on April 11, 2018 at 7:00 am

    We launched the Accountability Indicators seven months ago demonstrating ICANN Organization's continuing commitment to improve accountability and transparency. It is a dynamic and interactive web page that helps you track our progress against our strategic objectives by exploring various dimensions of our activities. In previous blog posts we talked about the feedback from the community and how we are engaging through regular use of social media with the community about these accountability measurements.

    Feedback in FY18 Q3

    In the most recent quarter, we received feedback on the metric we published in Goal 1.1 relating to remote participation usage for ICANN Public Meetings. The feedback is about whether we could show the breakdown of on-site and off-site participation. Our Meeting Planning Operations team appreciates the feedback and is planning to look into the feasibility of generating this breakdown to help further improvements.

    New Version (v1) in May 2018

    Next month, we are working towards a version update of the Accountability Indicators. In addition to data and display improvements, v1 includes new charts to increase our accountability and transparency to the community. These new charts improve our transparency in two Strategic Goals so far, with more to come.

    Strategic Goal 3.3 "Develop a globally diverse culture of knowledge and expertise available to ICANN's Board, organization, and stakeholders" has a new chart showing Nominating Committee regional and stakeholder diversity.

    Upcoming improvements include: Strategic Goal 3.2 "Ensure structured coordination of ICANN's technical resources" has several new charts:

      • ICANN's readiness for Universal Acceptance of domain names.
      • The proportion of anycast instances of the Root Server operated by ICANN with IPv6 enabled.
      • The proportion of domains in ICANN's portfolio signed with DNSSEC.
      • The proportion of ICANN org services with IPv6 enabled.
      • Our annual assessment score against the Center for Internet Security Controls (CIS20) framework.

    We have also been automating our data collection to further improve data integrity and reduce resource requirements. We have started planning for the next version of Accountability Indicators. A key focus is to further improve our accountability and transparency. We look forward to sharing more with you soon.

    Your Feedback

    We hope you find the new information useful. Your feedback is essential to help us better meet your needs. Please click on the feedback link at the top of each page to tell us what you like and where you'd like to see improvements. […]

  • Data Protection/Privacy Issues Update: An ICANN Update & Most Frequently Asked Questions
    on April 10, 2018 at 7:00 am

    Since my last blog, we've heard from many, both inside and outside our community, about the European Union's General Data Protection Regulation (GDPR) and its impact on WHOIS. I have received questions from many of you and I think these topics may be interesting for a wider audience. As I write this, I'm eagerly awaiting information from the Article 29 Working Party.

    The GDPR's impact on the domain name space remains a hot topic and here [PDF, 22 KB] are answers to some of the more frequently asked questions. It is also important to remember that the changes ICANN has proposed to WHOIS are meant to make ICANN and our contracted parties compliant with the new laws on a temporary basis. Ultimately, it will be the ICANN community policy development processes that recommend the necessary changes to policies guiding registration directory services.

    Some recent news reports indicate that ICANN is taking arbitrary or unilateral action to change WHOIS. Far from it. We've been working with the community for nine months to discuss how we may change the existing WHOIS system and ICANN's practices to ensure compliance with the law while preserving the current information contained in WHOIS to the greatest extent possible. To do this, we have requested feedback from the European Data Protection Authorities (DPAs) on whether our Proposed Interim Model [PDF, 922 KB] is compliant with the GDPR.

    We've heard from many of you who wonder what happens if that feedback is not received soon, or at all. At a high level, this could, at least temporarily, jeopardize a common, implementable solution with access to registration data for legitimate purposes. Furthermore, WHOIS, as it exists today, could become fragmented if sufficient advice is not received and an action plan is not adopted. Contracted parties might employ their own methods and processes for displaying, partially displaying or not displaying registration data, which may not match ICANN's model, possibly putting them out of compliance with ICANN contracts.

    We continue to reach out and work in consultation with the Governmental Advisory Committee (GAC), DPAs and contracted parties to make the appropriate adjustments to our model. In parallel, we have offered [PDF, 464 KB] secretariat support to a community initiative drafting recommendations for the accreditation process to provide access to non-public WHOIS data to users with a legitimate basis for access. Let me reiterate here that ICANN remains fully committed to complying with the GDPR and following the law and maintaining the existing WHOIS to the greatest extent possible.

    We have confirmed that ICANN is on the upcoming Article 29 Working Party plenary's agenda for 11 April 2018. We hope to receive the necessary guidance from the DPAs subsequent to that meeting so that we may move forward. We also remain hopeful of the possibility for a moratorium on enforcement that would allow sufficient time to implement the model and build the appropriate accreditation system together with the community.

    As always, you can follow the latest updates on our Data Protection/Privacy Issues page including the recently posted FAQ. We invite you to email your thoughts to gdpr@icann.org. […]
