Slashdot Mirror


User: monkeyzoo

monkeyzoo's activity in the archive.

Stories: 0
Comments: 366

Comments · 366

  1. Re:and GDPR is? on Will GDPR Kill WHOIS? (theregister.co.uk) · Score: 4, Informative

    It seems obvious that ICANN was willfully ignoring reality. Various passages from The Register's coverage of the years-long unfolding:

    ICANN has done its best to ignore [GDPR] for a number of years, relying on the fact it is a US corporation and that the American government is strongly supportive of the Whois system.

    But then the companies that fund the organization started explaining that it was a real problem. Many have their headquarters or subsidiaries in Europe and GDPR imposes fines of up to €20 million or 4 per cent of turnover, whichever is larger, if companies are not in compliance.

    So in response ICANN decided to commission a third-party to put everyone's minds at rest. But that expert came back and told ICANN the same thing: you have to sort this out now.

    The problem really hit home when registries under contract with ICANN started rejecting the organization's authority. ICANN's legal department sent threatening letters to two internet registries based in Europe that said they won't run a Whois service. ICANN informed them it was in their contract.

    They got back: that part of the contract is "null and void" because it conflicts with European law. It's safe to say that woke the Californian organization up.

    Several months later, ICANN came up with a quick fudge: it would not impose its contractual obligations if companies sent it a letter explaining what they intended to do to fulfill the new European regulations. The idea was that ICANN would then use these models to devise its own system, which it would then ask everyone to apply.

    When ICANN's staff and board realized it was going to be impossible to hit the May 25 deadline, it decided – by itself – that the best solution was simply to ask the DPAs for a delay.

    And somehow – despite those authorities giving no indication that such an approach was even possible – the idea of a moratorium became the central component of ICANN's efforts to become compliant with the law.

    In its summary of the subsequent meeting with WP29 earlier this week, US-based ICANN makes no mention of its core request for a moratorium and when we asked the organization whether it had made the request and what response it had received, it responded that it was "provided feedback from the DPAs and agreed there remain open questions."

    What we now know is that the DPAs were much more blunt in their response: "The GDPR does not allow national supervisory authorities to create an 'enforcement moratorium' for individual data controllers."

    Amazingly, it isn't just this concept of a moratorium where ICANN has deluded itself into believing a different version of reality.

    Despite the clear guidance of the DPAs and even of its own external legal counsel that it specifically hired to advise it on how to become GDPR compliant, ICANN has also persuaded itself that it was going to be able to publish people's email addresses.

  2. Re:and GDPR is? on Will GDPR Kill WHOIS? (theregister.co.uk) · Score: 5, Informative

    Importantly, Slashdot's editors failed, IMO, to maintain a key point in this submission, that ICANN has been basically negligent and delusional in ignoring this pending law and failing to take any action in the TWO YEARS since the law was passed. And then at the last minute they asked for a moratorium and said otherwise they won't be able to adhere to the law. If you read the many months worth of coverage that The Register has published on this, it is a mindblowing story of incompetence and irresponsibility by ICANN. (Read the Register link in the OP, and the related articles will guide you.)

    Submitted:

    In a letter sent to DNS overseer ICANN, Europe's data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force.

    ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number.

    ICANN has already acknowledged it has no chance of doing so. The company warns that without being granted a special temporary exemption from the law, the system will fracture, perhaps even resulting in the Whois service being turned off completely while a replacement was developed.

    Critics point out that ICANN has largely brought these problems on itself, having ignored official warnings from the Article 29 Working Party for nearly a decade, and only taking the GDPR requirements seriously six months ago when there has been a clear two-year lead time.

    European agencies responded and tore ICANN's plan to shreds, pointing out that it needs to be much more precise and to include both compliance and auditing functions. Critically, however, it did not address ICANN's request for a moratorium.

    Even the idea of a moratorium appears to have been invented by ICANN. There is no evidence of a similar request from any other industry, and the GDPR is, after all, a globally applicable law that affects everyone.

    ---
    ICANN gives domain souks permission to tell it the answer to Whois privacy law debacle
    https://www.theregister.co.uk/...

    As GDPR draws close, ICANN suggests 12 conflicting ways to cure domain privacy pains
    https://www.theregister.co.uk/...

    Whois is dead as Europe hands DNS overlord ICANN its arse
    https://www.theregister.co.uk/...

    US government weighs in on GDPR-Whois debacle, orders ICANN to go probe GoDaddy
    https://www.theregister.co.uk/...

    ICANN takes Whois begging bowl to Europe, comes back empty
    https://www.theregister.co.uk/...

    Europe fires back at ICANN's delusional plan to overhaul Whois for GDPR by next, er, year
    https://www.theregister.co.uk/...

    https://www.icann.org/en/syste...

    https://www.icann.org/news/ann...

  3. Re:and GDPR is? on Will GDPR Kill WHOIS? (theregister.co.uk) · Score: 5, Informative

    As the "submitter" I have to agree. The summary published actually doesn't contain anything I submitted, nor did I submit anything that it contains. So I guess they editorialized it extensively, which is fine. But it still bears my name, which is weird.

  4. Again?!

    The Classic Ether Wallet version of My Ether Wallet also had a domain attack that ripped people off last year...

    https://www.ccn.com/classic-et...

    Why people would trust a web interface for this instead of running a local JavaScript version I don't know. :/

  5. Re: Social media on Don't Give Away Historic Details About Yourself (krebsonsecurity.com) · Score: 1

    Definitely 100 times better than answering honestly!
    This was also my technique until I went to full random responses that rely on a password safe.
    A few funny, memorable, non sequitur questions and answers that only I would likely ever guess. The problem of course is backend compromise, reuse, etc.

  6. Re: Social media on Don't Give Away Historic Details About Yourself (krebsonsecurity.com) · Score: 1

    favorite color? blue.. no black..

    cast into the bottomless chasm
    AHHHHHHHHHHHHHHHHHHHHHHHHHH!

    "Blue.. no black!" would be a pretty damn secure answer! :D :D

  7. Re: Social media on Don't Give Away Historic Details About Yourself (krebsonsecurity.com) · Score: 1

    I haven't seen that yet, but if I did I would be forced to recognize that this institution has no sense of security and make sure I have minimal financial exposure there.
    33% random chance of successfully guessing the "secret security" response?!
    Laughable, Bush League stuff. :D

  8. Re: Social media on Don't Give Away Historic Details About Yourself (krebsonsecurity.com) · Score: 1

    Thank you! :)
    Hopefully they'll be worth something again someday.

  9. Advance disaster planning is wise... on Don't Give Away Historic Details About Yourself (krebsonsecurity.com) · Score: 1

    A good point for potential disaster scenarios. Honestly, it caused me to reflect, and I was reassured by the following:

    1) In my experience, my bank(s) use a different authentication process on the phone. They don't use my online security questions. I guess that definitely could be different for other people. (I actually would prefer they had stronger phone auth, but oh well.)

    2) I suppose it's a tradeoff between guarding against the rather more likely event of a phishing/bruteforce/etc online attack that could result in extremely inconvenient financial consequences versus a (thankfully) very rare life disaster scenario. In the latter, I'm also inclined to believe I will be able to leverage other resources to assist. For example, why not have the above mentioned friend just send some money *for you* to the hotel until you can get to a computer and pay him back? I'm fairly optimistic that if I have been the victim of a crime or disaster, I will likely be able to get the assistance of authorities to access my financial resources.

    3) I have layers of disaster recovery such that I should never be theoretically too far from full access to my passwords. Even if I lost my phone, my PC, and any other mechanism to access my encrypted cloud backups, there are a few key passwords that I have committed to memory (diceware style). If I can find a device I trust enough, then with one memorized password I can access a publicly hosted but encrypted one time use 2FA token for Google. With this and a memorized password for Google, I can access Google Drive where I have a copy of my password safe data file. My password safe software is open source and I can download and use it on an Android, Mac, or Windows device. With a final memorized password I now have access to ***all my passwords, security questions, account numbers, PINs, etc.*** again.

  10. Re: Social media on Don't Give Away Historic Details About Yourself (krebsonsecurity.com) · Score: 4, Insightful

    Favorite color?
    ch2zi656pf0u66ob089y0xu84

    Mother's maiden name?
    7zrhotbw9rx5ul6v029647371

    What city were you born in?
    su86wzr65u39h1z45f352q19u

    Yes, you probably shouldn't answer those questionnaires, but you shouldn't be answering "security questions" either!!! Good opsec has always been to use a randomly generated response and treat it as a secondary password. (I.e., store it in your password safe.)
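    The practice described in comments 7 and 10 above (random, per-question answers kept in a password safe, versus a multiple-choice "secret question" an attacker can guess one time in three), as an added worked example. This is not code from the comment author or from any site mentioned on the page; the 25-character lowercase-plus-digits alphabet matches the sample answers above, and the PBKDF2 storage routine is a hypothetical illustration of how a backend ought to hold the answer, not any real site's implementation.

```python
import hashlib
import hmac
import math
import secrets
import string

# Same character set as the sample answers in the comment: 26 letters + 10 digits.
ALPHABET = string.ascii_lowercase + string.digits


def random_answer(length=25, alphabet=ALPHABET):
    """Generate one uniformly random answer; treat it exactly like a password."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_entropy_bits(length=25, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random answer: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def guess_probability(length=25, alphabet_size=len(ALPHABET), attempts=1):
    """Chance an attacker hits a random answer within `attempts` online guesses."""
    return min(1.0, attempts / (alphabet_size ** length))


def multiple_choice_guess_probability(options=3, attempts=1):
    """Chance of guessing a pick-one-of-N 'security question' (the 33% case above)."""
    return min(1.0, attempts / options)


def make_vault(questions, length=25):
    """Constructed stand-in for a password-safe entry: one random answer per question."""
    return {question: random_answer(length) for question in questions}


def normalize(answer):
    """Sites commonly case-fold and trim answers before comparing; do it consistently."""
    return answer.strip().casefold()


def store_answer(answer, salt=None, iterations=200_000):
    """Hypothetical backend: keep a salted PBKDF2 hash, never the plaintext answer.

    A random answer only helps against the 'backend compromise' the comment
    worries about if the site stores it hashed like a password.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_answer(record, candidate):
    """Constant-time comparison of a submitted answer against the stored record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    vault = make_vault(["Favorite color?", "Mother's maiden name?", "City of birth?"])
    for question, answer in vault.items():
        print(f"{question} -> {answer}")
    print(f"entropy per answer: {answer_entropy_bits():.1f} bits")
    print(f"one-guess odds, 3-option question: {multiple_choice_guess_probability(3):.3f}")
    print(f"one-guess odds, random answer:    {guess_probability():.3e}")
    record = store_answer(vault["Favorite color?"])
    print("vault answer verifies:", verify_answer(record, vault["Favorite color?"]))
    print("'blue' verifies:      ", verify_answer(record, "blue"))
```

    The vault dict is only a stand-in for the password safe; the point is that the answer never has to be memorable, so it can be as strong as any other secret you keep there.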

  11. Re:Here you go: on Ask Slashdot: What Can You Do With Old Coaxial Cable? · Score: 0

    1. S&M. Coax makes for great bondage or whipping.
    2. Committing suicide - only for the angst ridden rock star who is also on prescription drugs.
    3. Tying up small children - like ones who can't keep their hands off of your computer.
    4. Whipping small children - see above
    5. Self-defense. Gimme a piece of coax and I'm the wave-guide Ninja!
    6. Scamming audiophiles or guitar players - "This is THE best cable you could EVAR use! You'll sound just like Van Halen and Steve Vai COMBINED!"
    7. As a bandana - and it'll help you to intercept the communications between the NSA, CIA and the space aliens they are conspiring with to get rid of Trump. Must still have mercury fillings for it to work :(
    8. For those kinky anal "experiments".
    The list goes on and on....

    I mean really! Why do you have to ask?

    Wish I had mod points!

  12. True. Open Whisper apparently partnered with WhatsApp on the implementation though. Other than the dubious decision regarding handling of key changes, there hasn't been any discussion of problems in the implementation of WhatsApp for end-to-end encryption. So this new finding is troubling!

  13. Oh, so that's not just me? I always wondered why sometimes I would open WhatsApp and it was on the backup settings page. I always figured I had fat fingered it. ANNOYING!

  14. LOL! Maybe they meant the victim of the hacking. :-D

  15. Re:Bullshit. on Encrypted WhatsApp Message Recovered From Westminster Terrorist's Phone (indiatimes.com) · Score: 4, Informative

    Look up information on Open Whisper end-to-end encryption, which is what WhatsApp uses. You will see that the whole point of the system is to prevent police from "simply" doing what you have said. There are no unencrypted temporary files, caches, etc.

    Getting the contents from the recipient is a valid possibility however without defeating the technology.

  16. WTF Open Whisper?

  17. Re:Denial-of-Service? on BrickerBot, the Permanent Denial-of-Service Botnet, Is Back With a Vengeance (arstechnica.com) · Score: 4, Funny

    Securing them for good before they can be secured for evil.

  18. Re:He'll get 27 years in jail on Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com) · Score: 3, Interesting

    Definitely righteous work:

    1) Protecting individuals and society from the harms of shoddy IOT devices. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware? At least if your device breaks, you realize something is wrong with it and can complain to the manufacturer for a refund instead of it spying on you and/or serving as a node in a criminal's botnet. The greater good is served in any case by society as a whole being protected from weaponized IOT devices.

    2) Creating economic imperatives for the companies producing them to design in security. The immediate impact of brickerbot would hopefully be that companies face immediate PR blowback that kills sales when they release shoddy devices that are vulnerable. And over time such products that suffer widespread vulnerabilities to brickage will be tarnished by consumers on the marketplace, and the manufacturers will learn that to make any money they need to pay attention to implementing security precautions.

  19. Re: Nasty?! Isn't this better for everyone? on New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com) · Score: 1

    How exactly do you change the SSID on a wifi dildo camera?

    Wi-Fi sex toy with built-in camera fails penetration test
    https://www.theregister.co.uk/...

  20. Re: Nasty?! Isn't this better for everyone? on New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com) · Score: 2

    Increased sales!
    Users will just go out and buy another one.

    Not from the same manufacturer though. ;-)
    At least eventually once they have a reputation for having their devices bricked.

  21. Carry on... on New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com) · Score: 5, Interesting

    ... for the greater good:
    1) protect individuals and society from the harms of shoddy IOT devices.
    2) punish the companies producing them and create economic imperatives to design in security.

  22. Nasty?! Isn't this better for everyone? on New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com) · Score: 4, Insightful

    The security researcher calls this nasty?! It's genius!

    It's certainly vigilante. But given the societal harm being caused by shoddy IOT devices, bricking them is quite arguably noble. Also, this could be good for the affected users too. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware?

    At least if your device breaks, you realize something is wrong with it and can complain to the manufacturer for a refund instead of it spying on you and/or serving as a node in a criminal's botnet.

    Not to mention that in the long run, the impact of this would likely be that companies face immediate PR blowback that kills sales when they release shoddy devices. They will quickly learn that to make any money they need to pay attention to implementing reasonable security precautions.

    Carry on soldier!

  23. Re:Wonderful on Android Devices Can Be Fatally Hacked By Malicious Wi-Fi Networks (arstechnica.com) · Score: 4, Informative

    It's not actually as bad as all that luckily. From the blog post, the attack can only be performed by another peer on the same wifi network. So at least if you are on a secure, private network, you are safe.

    Lastly, as we’ll see later on, triggering these two vulnerabilities can be done by any peer on the Wi-Fi network, without requiring any action on the part of the device being attacked (and with no indication that such an attack is taking place).

  24. Re:Can attack from any WiFi device, not just APs on Android Devices Can Be Fatally Hacked By Malicious Wi-Fi Networks (arstechnica.com) · Score: 3, Informative

    Not exactly. From the blog post, you can see that the attack can only be performed by another peer on the same wifi network. So at least if you are on a secure, private network, you are safe.

    Lastly, as we’ll see later on, triggering these two vulnerabilities can be done by any peer on the Wi-Fi network, without requiring any action on the part of the device being attacked (and with no indication that such an attack is taking place).

  25. Re:Union City Blue on Two More Executives Are Leaving Uber, Drivers May Unionize (nytimes.com) · Score: 4, Interesting

    Karma is a bitch, eh?
    How shitty must this corporate culture be for all these people with great positions at an innovative, cutting edge, and super fast growing company to leave?
    These departures apparently validate all the coverage about what a soul-less, morally bankrupt company it is.