Nominet finally goes to court

Nominet Logo

If you’ve never heard of Nominet, you should have. It’s the organisation that manages most of the domain names ending in .uk. It was set up in 1996 as a company when the previous arrangements (known as the Naming Committee) became overwhelmed. The Naming Committee granted the use of domain names to their rightful owners for no charge, but only their rightful owners. Nominet charged, and was more relaxed about who it sold things to – being too picky meant less income, and it needed income to cope with the increased demand for Internet services.

The snag with this new arrangement was that it allowed speculators to register as many domain names as they wished, with a view to charging end users money to use something they’d pre-registered. This is known as cyber-squatting, although people in this business prefer to call themselves “domainers”.

Nominet was created for the benefit of Internet users in the UK, not cyber-squatters. Unfortunately, cyber-squatters register more domain names than anyone else (as they would), and started to get an undue influence based on their size. Cyber-squatters make various claims about how they’re important for a “vibrant market” in domain names, but there’s no benefit to society in such a market. You could say they’re trading in something that should be free to legitimate users. Some would go as far as to call them parasites. If any cyber-squatters or domainers wish to explain exactly why the label is unfair, please enlighten me.

Anyway, the Nominet board isn’t stupid and has, in recent years, done a lot to skew things in favour of UK Internet users. Not enough as far as I’m concerned, but they’re trying to look after the majority. The cyber-squatters don’t like this, and have started personal attacks on Nominet’s CEO, Lesley Cowley in an attempt to get rid of her with a view to installing someone more of their liking. What’s really upset them was a consultation to allow people to register names directly under .uk, without a .co.uk or .org.uk. For example, Tesco could have been tesco.uk, as is often the case in other countries. Legitimate UK ownership would have been verified, like in the old days, but they would also have cost more. Cyber-squatters hated the idea, because their current stock-pile of .co.uk names would have been somewhat devalued! They had to defeat Nominet in order to preserve their “investment”. The rest of us would have quite like to see the speculators clobbered, although I’ve never had the feeling that was Nominet’s intention.

Nominet has finally had enough, and late this afternoon launched a High Court action against Graeme Wingate and his company That Internet Ltd, citing “[unacceptable] harassment and victimisation of our staff”. What this is really about is whether Nominet is run for the benefit of everyone, or the cyber-squatters.

 

Vauxhall Helicopter Crash





I wouldn’t normally want to pre judge the reasons for an Air Accident but I’m getting a bit fed up with the twaddle appearing on the BBC and radio about the incident today where a helicopter appears to have hit a crane. Listening to Kate Hoey, MP for Vauxhall, making political points over it on the BBC just now is too much. Checking the NOTAMs for London, the following is in force between 07 Jan 2013 17:00 GMT and 15 Mar 2013 23:59 GMT.

HIGH RISE JIB CRANE (LIT AT NIGHT) OPR WI 1NM 5129N 00007W, HGT 
770FT AMSL (VAUXHALL, CENTRAL LONDON), OPS CTC 020 7820 ####
12-10-0429/AS 2.

A NOTAM, or notice to Airman, is issued to all pilots and they’re required to check them against their flight plan in case there’s anything important they need to know about. In my day it was done on paper – now it’s on-line and really easy to check. This is basically saying there’s a crane erected that’s 770′ high at this location in Vauxhall. It’s lit at night (but not during the day). Keep at least a mile away.

It was clearly foggy, so the pilot should have given it a wide berth. On the face of it, it appears he didn’t. Eyewitnesses don’t report anything unusual about the helicopter.

Helicopters are supposed to be flying in to London over the Thames in order to provide a “safe” landing area in the event of trouble. (That’s safe to the people on the ground, at least). It appears to have been broadly in the right place. Ms Hoey is being populist, but then again, that’s her job.

 

Update 13:30

News reports now say that the helicopter had diverted; this might explain why the pilot wasn’t aware of the crane it the original route went nowhere near it, although flight plans should have diversion plans and NOTAMs for diversions should also be checked.

Much is now being made of people who said the lighting wasn’t good enough. Lighting in daylight isn’t normal (or useful) anyway, and neither is it any good in fog (day or night).

However, having seen aerial shots (they’re all up there with helicopters) the crane doesn’t appear to be at the location specified in the NOTAM. That could turn out to be a story, but I’m not on the ground to check it.

The NOTAM (reproduced above) doesn’t actually give an accurate Lat and Long – it actually puts the crane next to the Kennington Oval. Normally NOTAMs in central London are a lot more precise – a couple more digits of accuracy. This is starting to look like a story, and you saw it here first.

 

Red October or Red Herring





Kaspersky Labs has announced that someone had been conducting a hitherto unknown campaign wide-scale international espionage, dubbed Red October, for many years. Except it that I don’t think it has.

The story broke quietly on Friday in the Washington Post and has been repeated over some Internet news sites and blogs, almost verbatim, yesterday and today. Although keen for breaking news (especially where international intrigue is concerned), one should really take a step back and match the claims with the substance.

You can find the report here, although not the the Kaspersky site. It’s not the subject of any press release I’ve seen. No one could be contacted at Kaspersky for comment. Hmm. Specialist IT security sites, like Steve Gold’s IT Security Pro, aren’t treating this as a top story either. The only reason I’m hitting the keyboard is that people keep drawing it to my attention.

The report (assuming it isn’t a hoax) does contain a good analysis of what appears to be a new-ish botnet, although one that’s not very widespread (we’re not talking about Flame V2 here). Kaspersky has a lot of smart cookies working for them, and they do some very valuable research, but reading the posts on the subject you’d think they’d uncovered the next Watergate or similar. Perhaps they have, but all I’m seeing details so far  is of another botnet.

If their analysis is correct, the perpetrators do seem to be targeting government and diplomatic sites in particular, but this isn’t actually novel. They’ve identified targets in most of the developed world, with the interesting exception of England and China. As the code appears to be of Russian origin, and not particularly well obfuscated, it’s also noteworthy that the majority of the attacks have been launched against Russian targets.

So, as it stands, this looks like a competent investigations of a botnet. Well done Kaspersky. Now lets get some sleep.

 

New Java exploit in the wild

Today AlienVault reported yet another vulnerability in Java, similar to CVE-2012-4681. Their head of Labs Jaime Blasco got hold of it and has been playing with it on a fully patched Java installation, and according to them, it works. If you fancy trying  it yourself, here are the details.

With Java embedded in to most web browsers (and if you don’t know about yours, it’s probably is), this is serious stuff. All you need do is go to a web page with some nasty embedded Java on it (by following a link in an email) and your machine is vulnerable to takeover. If you want to check whether Java is enabled on your browser, click here and check the version. If it returns “”No working Java was detected on your system…” then you’re okay. Right now, the only good Java is a dead one.

When Java first appeared as a cross-platform application language, much play was made of it being “sandboxed”, so a Java application was insulated from other applications and the host operating system. It didn’t take long for features to be added to allow it to manipulate files on the local system, providing obvious ways to break out. Security consists of guessing the ways this may occur and blocking them. This is a recipe for disaster unless the code is very taught. Opening the gates and then screening is the opposite of secure system design.

I realised something was wrong when a Sun evangelist tried to sell me on the idea of embedded Java – “We’ve reduced the footprint to 4Mb”. This was back in 1998, and 4Mb of ROM  on an embedded system was a hell of a lot. And it’s not just the size – 4Mb of code for doing what should be pretty straightforward stuff rang alarm bells. I don’t know about embedded Java, but the current JVM running on PCs is now talking in Gb. It’s hugely inefficient, which is a price you might choose to pay, but from a security point of view there’s no way you’re going to have that much code without all sorts of nasty stuff lurking away forgotten. Which explains why it keeps on coming out to bite us.

The only way to avoid your PC (or Macintosh or Linux box) being compromised is to disable the JVM until Oracle issue a patch for it.