Should Internet domain owners be allowed to hide their identity?

When you buy a new domain name, one of the first choices that you have to make is whether or not to hide whom you are. Every registrar has the ability to mask your contact information, what they call a proxy or private domain service. Typically, these services carry additional monthly fees to the annual domain registration itself. Examples include GoDaddy’s Domains by Proxy, Network Solutions’ Private Domain Registration and’s Whois Privacy, just to name a few.

The idea is that public disclosure of this information, usually available through the Whois protocol, can provide a target for unsolicited sales calls or spam. Of course, the proxy services can be also be used to protect potential criminal activity such as identity theft, cybersquatting, trademark infringements or to threaten the domain owner for blackmail. If someone needs to get in touch with the actual domain owner, they can apply for a court order or subpoena these services to divulge the contact information.

But as these services have blossomed, they have created a series of issues. There is no common oversight or governance of the proxies and none of them have any accreditation with any national or international Internet standards bodies. On top of this, notification of when a challenge to the proxy varies widely and there aren’t even a set of published best practices. Ideally, it would be nice if domain ownership could be discovered with something other than a subpoena in circumstances where a business is at risk, versus having a very motivated individual that is just trying to track down a specific domain for personal reasons (such as cyber-harassment).

Even the subpoena process isn’t predictable: the domain owner can drag their feet in responding to it, or can lawyer up and try to quash the motion. Or the proxied domain owner can abandon their original domain and open up a new domain that will require a new discovery process. Like many other things, on the Internet no one knows you are a dog, but they can’t easily find out if you are a cat either.

Here is where ICANN comes into play. Earlier this summer ICANN proposed a change to its rules on how domain proxy information can be used. A big change to the current rules is that commercial businesses that own domains won’t be eligible for these proxy services. While nothing has been finalized yet, as you might imagine ICANN has gotten numerous comments. Certainly, having a protected domain registration can be useful in certain circumstances, as the Electronic Frontier Foundation has mentioned here: ”The ability to speak anonymously protects people with unpopular or marginalized opinions, allowing them to speak and be heard without fear of harm. It also protects whistleblowers who expose crime, waste, and corruption.”

That may be true, but still it might be difficult to distinguish when a business or an individual registers a domain with any sort of accuracy. Let’s say I register my domain to my business, which is called David Strom Inc. (a legitimate corporation registered in Missouri), and want to obscure my contact details. Is that for my own personal purposes or do I have a legit business reason for doing so? If my business is in tech publishing, perhaps obscurity may protect me from harm if a vendor didn’t like my article and wanted to come visit my office and do me harm. Or perhaps it could be a personal reason; such as I don’t want someone who has harassed me in the past to know my current address.

ICANN’s final ruling can take months or years, since they rely on consensus and there are still unresolved issues. In the meantime, you need to do some homework if your business wants to make use of these proxy services. First, you should understand what your domain proxy service is actually promising, what they charge and what information they actually obscure from the standard Whois query. Second, you should know what happens if they receive a subpoena and how they will respond to releasing your contact information. In certain circumstance, the proxy service will put your information in the Whois data after someone sues them if it looks like your business is questionable or if the service might be liable financially. Third, this might be a good time to review all of your domain ownerships and see if any of the contact information is still accurate or any of the employees listed are no longer with your company. Finally, review the ICANN report that is linked above and make sure you understand the various nuances of the proxy world.

The tale of the ProxyHam project

If you are trying to exfiltrate some data from a location and don’t want anyone to capture your source IP address, the best way to do that is to have an anonymous proxy router that can disguise your real IP address behind its own. Such devices have existed for many years, but Ben Caudill has come along with a new version that he calls ProxyHam.

It works by connecting your network to the router’s Wi-Fi bridge, and in turn, it routes your data over a 900 MHz radio to a distant computer with a hi-gain antenna. The antenna picks up the signal and masks your IP address, keeping you at a distance, supposedly safe from detection.

Caudill was scheduled to speak at the DEF CON security conference earlier this month to show off his innovation, under the heading called the Anonymous Proxy Router Project. The presentation was supposed to demonstrate how to build an anonymous proxy router for a couple hundred bucks out of commonly available parts. Sadly, the session was canceled in July; the principles are mum as to the cause. Units that were built by Caudill’s company Rhino Security have been destroyed and aren’t for sale, and the source code is no longer available.

One reasonable explanation for why the talk was canceled is because it’s likely that ProxyHam breaks the law. First, FCC Part 97 has a prohibition against using encryption — such as the SSH or HTTPS protocols that you most certainly would be using with ProxyHam — over the 900 MHz band radio signals. Then, depending on where you place your ProxyHam or its equivalent, you could be doing something unauthorized on the target network, which comes under the Computer Fraud and Abuse Act.

Speculation about the router and the talk has run rampant, and some have noted that this mysterious cancellation all but ensures that Caudill and his anonymous proxy router will be the star of DEF CON — without ever even being demonstrated. “Ben Caudill used some routers and a Raspberry Pi to hack the media,” Brian Benchoff wrote on Hackaday. “If that doesn’t deserve respect, nothing does.”

Enterprise Impact of the Router

Certainly, the idea behind ProxyHam isn’t going away, and various folks around the Internet have stepped up to the challenge. I found three sources on how to build a similar version of the router. Benchoff covered the task for Hackaday, and an alternative anonymous proxy router was suggested by Samy Kamkar via TechWorm. And there is a third post from Robert Graham of Errata Security that shows yet another way to construct the device. All three versions cost about the same and have about the same minimal level of skill required to assemble the various parts.

This means that no matter what the motivations behind ProxyHam and its peers, enterprise IT managers should be on notice. They must be aware that these kinds of devices could be operating over their networks; it is only a matter of time.

The best defense is to make sure you tune your intrusion prevention filters. You can also use other tools to monitor what kinds of data leave your network. If you don’t have any outbound networking monitoring in place, now is the time to consider implementing such a tool. The ProxyHam router isn’t the only way data can be sent off-site: A simple connection to a personal Google Drive account is a lot less work and may be just as effective. But this issue is certainly worth more consideration because of the sheer impact it could have.

Defaulting to transparency

I came across an interesting series of blog posts from employees at the company called Buffer. They make an app that allows you to concurrently post to various social media accounts. (I know, a crowded market space). What caught my attention was the use of the term “defaulting to transparency” — meaning that the corporate credo is to be as open as possible in all of its operations. I first thought, they can’t be serious. But they are and they do practice what they preach and so should you.

buff1Buffer shares its formula for calculating every employee’s salary, and even publishes and updates the spreadsheet showing you who makes what. All of their SaaS metrics are public (see the dashboard at right). While the company is private, they share which investor paid for what piece of equity, the number of customers, what their annual revenues are, and so forth. That is pretty impressive.

Transparency isn’t a new thing: Google has had its transparency report since 2010, and even links to other companies’ reports here. But that is mainly how they respond to subpoenas and other government requests for information, although there is a great report showing you how much of Gmail is encrypted to other providers. But what Buffer and others are doing is a more personal nature, more directly tied to their corporate ethos and culture. They use transparency as an asset to recruit and retain the best people working for them all over the world. Another example of their transparent culture: emails between two or more staffers get cc’ed to a special departmental group inbox, where anyone can examine their content. Each employee gets a Jawbone fitness monitor and the results are available for anyone to see how you literally live your life, including how much sleep you get every night. They have other tools that allow anyone to track other kinds of progress reports on a daily basis too.

Certainly, they aren’t alone in doing this. I asked my friend Gabe Lozano, the CEO of Lockerdome, what he thought of these ideas. He is fully on board. He told me, “In terms of transparency models, there is no one size fits all for any organization. We have found that transparency drives accountability, which drives results.” They have set up a series of reporting processes that gets communicated through a regular morning stand-up meeting (meaning no one has time to sit down, which moves things along) and a weekly meeting where written reports and product demos are shared with everyone.

The co-founder of Buffer said this a few years ago in a post: “Transparency isn’t all rainbows and unicorns. It was actually incredibly nerve-wracking to make the company more transparent. Before we made all salaries public knowledge in the company, I was terrified.” But he got over that, and now, “the power of transparency is that it drives us to be better—to create a company that’s both great and good.” You can’t argue with that.

While I wish more companies were as transparent as Buffer and Lockerdome, you can’t force it, especially if you have a CEO who isn’t a believer or who has problems with trust issues. But it certainly is a worthwhile goal.

Looking back: the art of the interview

We are gearing up, here at Strom Galactic HQ, for a massive anniversary celebration next month. I am sure you have all marked your calendars for when Web Informant turns 20. It is hard to believe that I have been writing these columns/blog posts/whatever for so long.

This week I wanted to talk about a few of the influential people that I have met down through the years. They were the industry luminaries that played pivotal roles in the development of the tech industry. In those early days, it was quite easy to call someone up to get a quick quote, but I am talking about people that I had more of a relationship of mutual respect and understanding, people who had big ideas and shaped the course of products that we use today, and people who I have interviewed over the course of time.

One resource I want to point out is the nearly 100 MediaBlather podcasts that Paul Gillin and I produced during the late 2000’s. We interviewed many of the leading marketing and social media experts of the time and had a lot of fun producing these programs. Paul worked for many years at Computerworld and started Techtarget before striking out on his own and writing several books.

Here are some of my favorite interviews, in no particular order.

Mark Cuban is better known today as the owner of the Dallas Mavericks and his time on Shark Tank, but he was quite influential in the early days of the PC networking world. Here is an interview that I did with him in 2007, where he talks about his HDnet project.

Vint Cerf was one of the most refined gentlemen in our industry, always impeccably turned out and always managed to be both serious and playful and being able to say in a few words what many of us couldn’t articulate in whole paragraphs. I have met him at various times down through the years, while he was inventing key Internet technologies. This interview is from 2005 when he was just starting at Google.

Adrian Lamo was one of the key players in the Wikileaks/Manning case. Before that happened, he was in trouble with breaking into the proxy servers of numerous businesses. He actually stayed with me back before couch-surfing was a thing in 2002, here is a recorded interview I did with him in 2011.

I first met Professor Tom Schelling of Harvard back in the early 80s when I worked with on a project way before I was in the tech industry. I wrote about my experience here after he won the Nobel in Economics. If you haven’t read his book The Strategy of Conflict it is well worth your time.

Phil Dunkelberger has been around email and encryption for decades and I have spoken to him numerous times. Always a fountain of wisdom. Right now he is leading the FIDO authentication effort. Here is an interview that I did in 2005.

John Patrick helped build IBM’s Internet business and now serves on numerous tech company boards.  Here is a story from a visit to his house, one of the first very “smart homes” that I saw back in 2004. People are still figuring out how to implement things that he first thought of then.

Here are a few of the people that have been taken from us: There was my remembrance of Ray Noorda, the head of Novell, who died in 2006. Ray was far from a perfect leader but someone who moved mountains and was a key player in getting local area networks established in businesses in the late 1980s. And Garry Betty, who died in 2007 from liver cancer and was a key player in Earthlink, DCA, and Hayes modems. Another early cancer victim was Ed Iacobucci, who died in 2013 and was behind the early IBM PC, Citrix, and NetJets. I was very lucky to have spent the time that I did interviewing each of these guys, and learning about their products, passions, and people that they mentored in our business.

So yes, it has been nearly one Web Informant every week. Many of you have been readers from those early days, and I thank you for sticking with me. I would encourage you to put in the comments your memories of your favorite column or moment when we’ve met.

ITworld: A get-up-to-speed guide on hyper-converged infrastructure

The market for hyper-converged systems is quickly evolving. Traditional storage infrastructure vendors remain the largest installed base, but software-defined and hyper-converged storage providers represent the fastest growing market segment, with some of the latter vendors rapidly increasing their market share.

ITworld: A get-up-to-speed guide on VDI

Virtual desktop infrastructure, better known as VDI, is undergoing a new life. A few years ago, it was plagued by lackluster user experiences and cost overruns. Now, thanks to an injection of new technology and better implementations, there’s a lot to like. Faster, cheaper technology has made it an interesting option for companies seeking a way to support flexible, work-from-anywhere environments.

How does this transformation happen? This get-up-to-speed guide posted on ITworld explores how VDI can help organizations navigate shifts in business, and user needs.

ITworld: A get-up-to-speed guide on moving legacy apps to the cloud

Making a case for moving legacy apps to the cloud is becoming easier, with the biggest driver being the ability to shift costs from capital to operating expenses, which can save money. Also, renting capacity rather than owning servers and network infrastructure allows more flexibility in how computing resources are provisioned, enabling workloads to be matched to demand. Quick provisioning is key: New servers can be brought up in the cloud in just minutes, not only making it easier to improve availability but also enabling more flexible disaster recovery mechanisms.

This get-up-to-speed guide explores the key approaches to migrating legacy apps to the cloud, and the value each can bring to your business. You can download my guide here.

Using Seagate Hybrid Cloud Data Protection

The Seagate Hybrid Cloud Data Protection is a comprehensive portfolio, designed to make it easy for data protection to scale with the unstoppable demands of today’s data growth. The full-service data protection portfolio consists of agents, backup appliances, software tools and application-aware plug-ins that connect to each other and to the cloud.

We tested the product in July and August 2015 with a PNP600 appliance.

Prices start at under $5000

Windows XP just can’t get to its end-of-life fast enough

What does an electronic safe and a undersea fiber optic cable-laying ship have in common? Both are still using Windows XP as their underlying operating system. As Microsoft releases Windows 10 this week and we start getting those annoying upgrade messages, it might be amusing to note exactly how hard it is to rid XP from the entire world. Killing off kudzu is probably easier.

The ship is the Rene Descartes and is laying the latest high-speed fiber on behalf of Google and a consortium of telecoms between Japan and Oregon. It promises to carry traffic at 60 Tbps when it is lit up next year. The ship uses Windows XP to drive its very sensitive GPS systems to lay the cable very precisely on the seabed. In shallower waters, the cable is buried by robotic shovels so that commercial fishing boats and sea life don’t accidentally cut the cord. My guess is that these systems were designed a long time ago when XP was the current OS and it isn’t easy to update them. The French mathematician Descartes would agree, after all he once said: “It is only prudent never to place complete confidence in that by which we have even once been deceived.” Also, with all the dough at stake does anyone want to try to mess with a newer OS?

Okay, you can see why XP is used there. But how about a Brinks safe? Most of the safes that I have seen are room-plus sized things that have very heavy doors and very little to do with computers. Brinks also sells a model called the CompuSafe Galileo, which runs software that keeps track of the money that is inserted into it over the course of the day. The notion is that having this software can make it easier for businesses to manage their cash deposits and make sure that no one has their hand in the till, so to speak. Think of this as the industrial-sized version of your banking smartphone app, where you don’t have to actually deposit a check and wait for it to clear but still get credit to your account. The Brinks safe (pictured below) does the same, and can free up time that a business would normally spend on counting the cash and reconciling it with its bank deposits.

However, the safe also runs Windows XP and what is worse, sports a USB port on the outside. At the DefCon conference this week, security researchers showed how they could reboot the safe and take control of its systems, and mess with its underlying Microsoft Access database to open its door and steal the money inside. Yes, you are reading this correctly. All it took was 100 lines of code to make this happen.

And while most of you know the Italian astronomer Galileo, you might not recall one of his more pity quotes: “I do not feel obliged to believe that the same God who has endowed us with sense, reason, and intellect has intended us to forgo their use.” Great words to live by, as Brinks struggles to remove those USB drives and make XP really operate in Safe Mode.

ITworld: Five ways to save money on your cloud costs

Keeping track of your monthly cloud computing bills isn’t easy. While it is great that cloud providers usually charge you on the resources you consume, the various elements of your bill are very complex and made up of dozens of different factors, such as CPU core, storage units, RAM size and data transfers. Fortunately, there are a number of online services (see chart below) that can help you save money by using a series of clever choices. In this article for ITworld (email reg. req.), I will look at five questions that you can ask to try to reduce your monthly cloud computing bill.

Service, link Number of Cloud Providers Expertise Free or paid?
Cloudability AWS Cost monitoring Paid
Cloudorado Cloud Hosting Comparison 27 CPU benchmarks Free (paid by participating vendors)
Cloudyn AWS, Azure, Google Costing trends Both
CloudHarmony CloudSquare 101 Uptime status Free
CloudSpectator Varies Custom analytics Both; paid reports are $400 each
CloudHealth Technologies AWS, Google Costing, performance and security analytics Paid services start at $250/mo
Datapipe Analytics AWS, Azure Management tools Paid services start at $3500/mo
RightScale PlanForCloud 6 Deployment scenarios Both; paid services start at $6000/mo