Family isolation protocols: don’t judge

In this time of sheltering-in-place and self-imposed isolation, we have to learn to be kinder and less judgmental to each other. One of the biggest issues for families is agreeing on your own “isolation protocol,” for lack of a better description. Most of the stuff that I have read includes suggestions such as from Britain’s NHS here. Or articles on what activities to do now that the kids are home. But I haven’t seen that much discussion about how you formulate your own protocol. Given my interest in Internet protocols, this seems a natural point for me.

It is just my wife and me at home. You would think that the two of us would be able to figure out some common ground for exactly how much isolation we should be doing. But it is a harder problem than that. There are two dimensions to this. First is that the ground is shifting. As the virus spreads, scientists are learning more about its transmission and its lethality and changing their own recommendations. That means building into the family protocol the ability to be updated to reflect these changing conditions. Or if one of you becomes more concerned about a particular activity, for example. As I said, things are changing rapidly.

The second dimension is that all of us, even long-married couples, come to this virus from different perspectives. What we need is to make some consensus decisions. We do this all the time, and it is part of our daily lives. Only, instead of what are we having for dinner or who is going to clean the bathroom, they become decisions that involve the potential life and death of the family members themselves. Maybe that is too dire a description, but you see what I mean.

Let me give you some examples of the potential points around assembling your own protocol:

  • When should we wear a mask, if at all? (See the link above for the latest CDC recommendation.)
  • Is takeout food acceptable under specific circumstances?
  • How often do we shop for groceries and other supplies? Do they require delivery?
  • When one of us returns from being outside our apartment, what is the cleansing and transition process?
  • How often should we go to the office?
  • What about continuing or beginning any volunteer activities?
  • Do we have a cellphone cleansing policy, and who enforces it?
  • What about how to disinfect the mail and newspapers?
  • Is anyone other than the family allowed inside our apartment and if so under what circumstances?

These all seem like pretty petty issues, but in the time of Covid, they could be life and death, quite literally. If you want your family to survive this crisis, you need to come to agreement on these policies and be willing to concede to your spouse’s POV. I have heard stories about those medical workers who have to sleep over the garage or in someone’s RV rather than spend their time inside the family manse.

I was talking to a friend of mine who has a father who is in his late 70s and still goes to work at his office. She tried talking to her dad and getting him to stay home but was unsuccessful. Another friend who is 80 had all of his grandchildren over to their house for dinner not too long ago. This person recently had heart bypass surgery.

Here is the thing. You can’t judge what someone else’s protocol may be, however inelegantly expressed or however much you disagree with their position. Everyone has to come to terms with this pandemic on their own terms and reach their own comfort level. Now I realize how frustrating it can be to deal with a family member or friend who has a different position on what social isolation means, and perhaps doesn’t disinfect as much as you do (or disinfects more). It isn’t up to us to judge. You have to be you, to quote a common phrase. But you and your family should have some discussion about this and at least agree on some of the basic principles as I listed above.

Maximizing the benefits to your family of web conferencing and video chat

More of us are now working from home, and more of our kids are having to finish their school year from home too. That presents all sorts of opportunities and problems, and at the center of both are web conferencing and video chat technologies. Understanding how they are used and setting up basic rules, figuring out your collection of tools, and setting up separate work/school areas in your house will determine if your family will be productive and if you can survive your “sheltering in place” during this COVID crisis.

Even Bill Gates is spending most of his time on video conferencing (check out this interview with TED’s head honcho where he plugs Microsoft Teams several times during the first few minutes).

I have been using a variety of conferencing systems over the years, and help produce a several-hundred person webinar for the American Red Cross monthly. Here are some tips from these experiences.

 1. Each family member needs to establish their own “broadcasting protocol,” for lack of a better term. If Mom is online, does that mean that Dad can’t interrupt the call? Or that the kids can’t wander in for a visit? The old rules of not having a child interrupt your work meeting no longer apply. (I put together a podcast with Paul Gillin about some of these old rules last fall here.)

The number of memes showing various family members caught in states of undress has certainly proliferated. Clearly, set some ground rules about what, when, and what to wear when on a video call, or when video is and isn’t appropriate. Figure out where each family member is going to set up their “studio” so that everyone can have their own space. A friend of mine has noticed that all the professional news anchors who are now broadcasting from their homes have given him a chance to view their room designs. It certainly isn’t “design on a dime” but it at least injects some new interest in their broadcasts.

Another thing that I have seen in the past couple of weeks is a more relaxed use of the video conference. “Sharing” dinner over a conference call link in lieu of being at the same dining table. Celebrating a work milestone with drinks from everyone’s home office, rather than in person at the local bar or conference room. Doing homework together over a conference line. You get the idea. Be creative and figure out what works for your situation.

2. Video is nice, but having solid audio is key. That brings up my next point. I don’t want to minimize the importance of video. As you know, I mostly work alone in my office. In the past weeks I have wanted to connect more via video, to see my family and friends. Video is an important connector in these times of crisis. But if your audio gear is subpar, you need to address that now. No one wants to listen to bad audio. Your laptop’s audio gear might not cut it, and if you are going to be doing a lot of conferences, invest $50 to $100 in a decent external USB mic.

3. Understand you’ll need some minimal production values, for both personal and work purposes. Have an agenda, have a conference call leader, prepare the presentation ahead of time, set up a call sheet of who speaks when. And check your audio setup to make sure folks can hear you clearly. These things are also important for calls to family and friends too. While having a “coffee talk” freestyle type of meeting is nice, once the novelty of seeing everyone wears off, you should make the calls more structured. Also, if you are going to share your screen, prepare it ahead of time: don’t have everyone looking at your email inbox or have your messaging client pop-ups enabled during your session.

4. Use calendar invites with care. Google’s calendar invite automatically adds its own Hangout link: that is great if that is what you want to use, but it is confusing if you have some other tool in mind. Remember that some other automatically generated invites (such as from Zoom) don’t automatically adjust for time zone differences. And speaking of which, start your meetings on time, please.

5. No single tool will work for every family member, or even every situation. We are fortunate that we have so many products that are available, and many of them are free of charge: Zoom, Webex, Facebook Messenger, FaceTime, Google Hangouts/Meet/Duo, WhatsApp and Skype are just a few of the services. If you look at this list (and there are dozens more products that I didn’t mention), they come to the party from different places: video telephones designed for 1-on-1 calls, video-enhanced text messaging, video collaboration tools designed for supporting sharing stuff (files, URLs and chats), video-enhanced social networking and video training tools that are designed for a somewhat different collaboration.

Figure out what works for you, based on your prior experience, what your contacts/peer groups are using and if your business already supports one of these for work-related calls. Zoom has been in the news a lot because it is very easy to set up (including these simple recording features shown here) and because a lot of schools are setting up distance learning classes using it. But if you want to run a meeting longer than 40 minutes with more than two people, you’ll need the paid version, or try out Webex, which has a free tier for this situation. Also, if you are concerned about Zoom’s cavalier attitude towards privacy, you may want to choose something else.

So it is possible that your kids might use Facebook Messenger/WhatsApp, you will use Zoom and your spouse will use the office’s Microsoft Teams. That’s okay. Realize that each family member is coming from a different experience and comfort level with these tools. Remember that our kids have grown up with various digital products but may not be used to using them productively under present circumstances. You may want to monitor their use, depending on their age and what kind of parent you are too.

Video calls now have a heavy lift and have to support your work life and your family’s social life. As we spend more time at home, we need to stay connected with loved ones and work colleagues and figure out how to become more productive.

Support your local restaurant

I live in a very urban part of St. Louis for a reason: it is walkable, it is vibrant, it is near a wonderful park and transit. All of that has changed in the past two weeks. All of these advantages now have to be examined under a different lens.

Like many of you, we are staying home. When we do go out for a walk, it is a bit eerie: the streets are empty. Street parking — which used to be an issue, especially on weekend evenings — is now copiously available. Meeting other pedestrians used to be under the Midwest code: you nod and say hello as you pass. Now we hold our breath and hope that we have enough room on the sidewalk to “socially distance” ourselves.

The dozens of restaurants that were at the core of our community are mostly under lockdown. The ones that are closed have small signs in their windows, hastily printed. The few that are open are only for carryout, under orders of the city. I want to support the ones that are still doing business, even though it is a risk: do I trust the sanitation and health protocols that the restaurateur has adopted in these post-COVID times? Many of these places are run by people I have gotten to know over the years living here. My wife and I eat out frequently. Not anymore.

Still, I feel that I need to do something. So I started looking into how to make it easier for customers to get their meals from the local restaurants. If you are willing to take this risk — and there are many of you that might not even go here — there are three main issues:

First, many local restaurants have terrible websites. One of our favorite places has been in business for decades and is about a three-minute walk from our apartment. It has a single page website with a phone number. No online menu. No online anything, really. Others just have Facebook pages, which aren’t much better. I realize that there are many places which are not tech-savvy. But still, there are many restaurants that are. Take for example this group of local places (none of which sadly is in my neighborhood). They have a very nice website. But that is just the first hurdle.

Second, I want to be able to purchase my carryout food online. Here is a complicating factor. There are two typical ways that a restaurant does this: either through a food delivery provider (you can select a pickup option if you don’t want the food delivered) or via the restaurant’s point-of-sale (POS) vendor. In our neighborhood, there are at least five different delivery vendors: DoorDash, Uber Eats, Postmates, GrubHub and FoodPedaler (the latter being a hyper-local St. Louis startup that has concentrated in our neighborhood and downtown). Some restaurants have set up accounts with multiple delivery vendors. But many of the places don’t have any accounts with any of these services.

The problem isn’t just technology. The restaurant has to be set up with a place for the pickup orders, or have the workflow for how the delivery provider is going to interact with its staff. These days, when interpersonal interaction is scrutinized, that means being extra careful with sanitation.

One way to simplify matters in these dire times is to present just a few choices. That is what Grace Meat + Three has done with their online ordering. You just have two menu choices.

Third, I want to purchase a gift card to provide an interest-free loan to my favorite places. This can be done in one of several ways. The easier way is to use a gift card with one of the food delivery vendors mentioned above. The second method is by using gift cards that are associated with a POS vendor. Clover (shown here), Toast and Square are the three POS vendors that are most often found around here. The rub is that the restaurant has to enable this option, and not everyone has set this up.

Another method of obtaining gift cards is to make use of one of the E-Gift service providers. (Everything is a service nowadays, so why not gift cards?) There are two that I found: Yiftee and TheGiftCardCafe. The latter vendor is waiving its setup fee for new accounts, which is a nice gesture.

Some restaurant websites have direct links to gift card purchases, but most don’t. Usually they are found on the bigger national chains’ websites, which is not where I want to go at the moment. And one local chain listed gift cards on their website home page, but the link brought me to a page saying that it hasn’t been set up yet. FAIL!

One effort has already begun, called CurbSideSTL. It is a good first attempt and does a decent job of listing who is still open and how to order and obtain food. But it lacks direct links to gift cards and online delivery services. I realize that involves a lot more work, but given how quickly things are evolving, it would be more helpful with these links.

So, where does that leave us? If you own a local restaurant, I will give you some help to at least get your carryout menu posted online. If you have a POS system and haven’t gotten online ordering or gift cards set up, I can do this for you. My price is a free meal. Now more than ever, we have to make it easier to do business online.

RSA blog: Renaissance of the OTP hardware token

Few things in infosec can date back to the early 1990s and still be in demand today, but such is the case with RSA’s long history of its SecurID one-time password (OTP) hardware key-fob tokens. Despite numerous security analysts predicting their death, hardware OTPs have been a great business for RSA and lately are undergoing a renaissance with a newfound interest among security managers. In this month’s blog, I take a look at this evolution, why the hardware token is coming back, and what some of the current trends in multi-factor authentication (MFA) are too.

Today’s hardware token has gotten more sophisticated than that original fob that just displayed a series of those OTP random digits. This was partly a necessity, since their use always has been somewhat cumbersome for both end users and security managers alike. (I mentioned this drawback in one of my reviews of MFA tools in Network World in 2013, when I said that “toting around tokens means that they can get taken, and in a large enterprise, hardware tokens are a pain to manage, provision and track.”) Still, this review in 2012 mentioned this attraction for using hardware tokens: “They don’t require app developers to rewrite their apps from scratch, and the hardware token provides us with the level of security assurance we want and need. We’ve been carrying tokens around for 25 years; I wonder if they’ll make 50?” I think we can safely say that tokens will have this longevity.

In 2016, several vendors released smarter hardware tokens that came with encryption keys or encryption engines embedded. This made them easier to use, because of push authentication methods that eliminated a few steps. More recently, there have been other vendors who have released hardware tokens that support the Fast Identity Online (FIDO) protocols, so a single token can work with a variety of authentication servers. In the past, each fob was married to a particular server, which meant users had to cart around a collection of tokens if they needed to login to multiple servers and cloud-based services.

As the tokens were getting more capable, the demand for better MFA security was also increasing. Remote workers were on the rise, and earlier this year travel restrictions and flight cancellations because of the coronavirus made remote work more necessary and acceptable. That in turn drove increased demand for better authentication methods such as both hardware and smartphone-based tokens. A good case study is the US Army, which is expanding its MFA coverage to National Guard members and first responders to use hardware and smartphone tokens.

At the same time, this increased demand didn’t escape the criminal world, which began to focus on ways to exploit MFA weak points, especially SMS-based MFA methods. The FBI issued warnings last fall that documented various techniques to bypass MFA methods, including swapping out cellphone SIM cards, using specially designed malware to automate MFA phishing schemes and employing social engineering methods to fool users into providing the OTP digits in real time. At the RSA Conference last month, researchers documented new methods to get around the MFA smartphone apps by using outdated phone operating systems, attacks called Android screen overlays that fool users into entering the OTP codes or other compromises to the kernel of the mobile phone OS itself.

Where do we go from here with deploying MFA? Here are a few thoughts. First, you need to take a step back and craft a solid access and authentication management strategy for your entire enterprise out of whole cloth. You should examine whether every user needs a hardware token and for all their access methods. Instead, focus on the relative risks. For example, tokens are a good idea for those users who handle money transactions, but perhaps not if their jobs are on the factory floor. Next, think about how you handle your partners and customers’ transactions, and how to beef up their logins. Getting hardware tokens registered to, and eventually revoked from, anyone who isn’t a full-time employee is still painful. And also consider whether you should mix and match hardware and smartphone MFA apps, especially when the application circumstances and risk profiles dictate.

Finally, consider how to authenticate cloud apps. Some clouds support standards that make integrating smartphone MFA apps easier, so that might be a better solution. At the end of the day, having more MFA is usually better than no MFA, but it should be deployed intelligently and carefully.

Beating the odds: how STEM women succeed

I recently read Kelly Simmons and Patty Rowland Burke’s Beating the Odds: Winning Strategies of Women in STEM. I have known Patty for decades, first meeting her when she worked at Regis McKenna back in the go-go days when PCs were first coming into businesses. They have written a business book for everyone, especially those men that have filled tech companies with their toxic “good ole boy” bro culture. It takes the unusual approach of talking to several dozen women who have succeeded in STEM careers and studying the common elements of why they have done well while others have failed. Spoiler alert: it mostly isn’t their fault, and the hard part will be fighting this culture to effect real change.

Many younger people, both women and men, don’t remember how bad things were in the 1980s and 1990s, when corporate events included pretty raunchy moments. (I will spare you the details, but you can probably imagine.) Unfortunately, we haven’t really progressed much from these days. I remember when I was in engineering school in the 1970s, having a woman in any of my classes was a rarity. Having more than one per class didn’t happen. Sadly, while there are more women in STEM now, it still isn’t anywhere near where it could be. And where it should be.

One tech CEO — presumably male — told a female engineering manager this: “every company needs someone who is the API between the business and the technical. That’s really hard to find, and not often valued in Silicon Valley.” That is a good point, and I have often found myself in this API role in many of my writing and consulting efforts.

“One woman jokingly described the anxiety she felt in the workplace as ‘like being Jamie Lee Curtis in a Halloween movie, you never know when the guy in the mask with the knife will show up.’”

Granted, many women appear at first glance to be less technical and suffer from impostor syndrome. This is usually defined as paranoia that you are a fraud and don’t deserve to be in a position or credited with any of your accomplishments. But this isn’t exclusive to women. When I took my first job as the Editor-in-chief at CMP to start Network Computing magazine, I suffered from impostor syndrome myself. I had never started a publication, never held the EIC position, and hadn’t hired many staffers or even known how to produce a publication. Fortunately, I had a great set of mentors at CMP to help me learn these things and the magazine is still around today, albeit in an online format. I went on to run several other publications as a result of this training.

This reminds me of another Jamie Lee Curtis movie — True Lies — where she doesn’t have impostor syndrome but manages to save the day and win Arnold back (who plays her spying, lying husband). Anyway, back to the book.

It dives into a very important area that I haven’t seen much of in other business books. “We have learned what makes successful women tick, why some of them persevere to lead major technical organizations and teams, and why others drop out in frustration. A senior technical woman should not be an astonishing exception.”

The book is also filled with plenty of suggestions to help technical women succeed. One important aspect is to develop male allies and role models. The lack of these prevents many women from pursuing STEM careers. These include men who aren’t enlisted in the “boys club” network and can support technical women in the company. This can also counter the feelings of aloneness and feeling of “otherness” that can cause frustration and lead many women to resign their positions.

Another helpful idea is to set up a form of reverse mentoring, where younger women are mentors to senior managers to help them better understand their experience and points of view. This is particularly helpful to root out work processes and routines that were designed for all-male environments, and have become so embedded in tech companies. Just search for Uber’s early history if you need further convincing.

So read this book. Send a copy to your manager, and make him read it as well. Only by changing one dinosaur at a time can we evolve as a species. And perhaps be more inclusive to not just women but other under-represented people in STEM too.

FIR B2B podcast #135: TIPS FOR TRANSITIONING TO A HOME-BASED WORKFORCE

As the coronavirus spreads throughout the world, businesses are being faced with setting up policies and procedures to enable everyone to work from home (WFH). Doing this presents several challenges, some of them brought on by new demands on your IT department and some by demands of a new way of working that you may not have anticipated. A good reference point for the complexities involved is this Twitter thread about what Slack did to move to a 100% WFH model. In this podcast, Paul and I draw upon our own decades-long experience as sole business owners. Among our advice:

  1. Think about printing, email and sharing files and the IT services that will be needed to support that activity. Be careful about SaaS services such as Dropbox; if users aren’t trained properly they could expose your corporate data unintentionally.
  2. Make sure your infosec is up to par. A VPN isn’t the only thing you need to worry about. Is your home router secured with an appropriate password? Do you encrypt your network traffic across the Internet? Has your laptop been screened for malware? These and other questions need to be addressed before rolling out any work-from-home solution.
  3. Does your staff have the right tools? Just because everyone has a laptop doesn’t mean anything, particularly if they’re used to having multiple monitors and great audio/video gear. You may have to purchase additional accessories to make your staff productive.
  4. Make sure your staff has a separate workspace that is isolated from the rest of the house. You want to minimize distractions and unplanned family “visits” during the workday.
  5. Get a good mic (I use the Blue Snowball, Paul uses a Logitech wireless). You should be able to get something decent for $50-$100.
  6. Standardize on a video conferencing supplier (we both like Zoom at the moment, although there are privacy issues you might want to consider) and make sure all your gear provides solid audio quality when you use it.
  7. Make sure your home bandwidth is sufficient. Pay attention to upload speeds, because these can impact your latency and video quality.
  8. Learn new video conferencing etiquette; review our previous podcast on some of our tips here.
  9. Set up a shared scheduling tool for everyone to use and standardize on a corporate instant messaging tool, too.

Listen to our 15 min. podcast now:

Avast blog: Primary update: Voting issues in Los Angeles and Iowa

Last week Super Tuesday brought many of us to the polls to vote for our favorite candidate for President. And while voting went smoothly in most places, there was one major tech failure in Los Angeles, which saw the debut of new voting machines. Let’s compare what went wrong in LA with the earlier problems seen during the Iowa caucuses.

In our earlier blog, I brought you up to date with what happened with the Russians hacking our 2016 and 2018 elections. But the problems witnessed in Iowa and LA are strictly our own fault, the result of a perfect storm of different computing errors. For Iowa, the culprit was a poorly implemented mobile vote count smartphone app from the vendor Shadow Inc. For LA, it was a series of both tech and non-tech circumstances.

I go into details about each situation and what we’ve learned in this post for Avast’s blog.

In search of better browser privacy options

A new browser privacy study by Professor Doug Leith, the Computer Science department chair at Trinity College, is worth reading carefully. Leith instruments the Mac versions of six popular browsers (Chrome, Firefox, Safari, Edge, Yandex and Brave) to see what happens when they “phone home.” All six make non-obvious connections to various backend servers, with Brave connecting the least and Edge and Yandex (a Russian language browser) the most. How they connect and what information they transmit is worth understanding, particularly if you are paranoid about your privacy and want to know the details.

If you aren’t familiar with Brave, it is built on the same Chromium engine that Google uses for its browser, but it does have a more logical grouping of privacy settings that can be found under a “Shields” tab as you can see in this screenshot. It also comes with several extensions for an Ethereum wallet and support for Chromecast and Tor. This is why Brave is marketed as a privacy-enhanced browser.

Brave scored the best in Leith’s tests. It didn’t track originating IP addresses and didn’t share any details of its browsing history. The others tagged data with identifiers that could be linked to an end user’s computer along with sharing browsing history with backend servers. Edge and Yandex also saved data that persisted across a fresh browser installation on the same computer. That isn’t nice, because this correlated data could be used to link different apps running on that computer to build an overall user profile.

One problem is the search bar autocomplete function. This is a big time saver for users, but it is also a big privacy invasion depending on what data is transmitted back to the vendor’s own servers. Safari generated 32 requests to search servers and these requests persist across browser restarts. Leith proposed adding a function to both Chrome and Firefox to disable this autocomplete function upon startup for those who have privacy concerns. He also has proposed to Apple that Safari’s default start page be reconfigured and an option to avoid unnecessary network connections. He has not heard back from any of the vendors on his suggestions.

So if you are a privacy-concerned user, what are your options? First, you should probably audit your browser extensions and get rid of ones that you don’t use or that have security issues, as Brian Krebs wrote recently. Second, if you feel like switching browsers, you could experiment with Brave or Authentic8’s Silo browser or Dooble. I reviewed two of them many years ago; here is a more updated review on some other alternative browsers done by the folks at ProtonMail.

If you want to stick with your current browser, you could depend on your laptop vendor’s privacy additions, such as what HP provides. However, those periodically crash and don’t deliver the best experience. I am not picking on HP, it is just what I currently use, and perhaps other vendors may have more reliable privacy add-ons. You could also run a VPN all the time to protect your IP address, but you will still have issues with the leaked backend collections. And if you are using a mobile device, there is Jumbo, which helps you assemble a better privacy profile. What Jumbo illustrates though is that privacy shouldn’t be this hard. You shouldn’t have to track down numerous menus scattered across your desktop or mobile device.

Sadly, we still have a lot of room to improve our browser privacy.

So you wanna buy a used IP address block?

For the past 27 years, I have owned a class C block of IPv4 addresses. I don’t recall what prompted me back then to apply to Jon Postel for my block: I didn’t really have any way to run a network online, and back then the Internet was just catching on. Postel had the unique position to personally attend to the care and growth of the Internet.

Earlier this year I got a call from the editor of the Internet Protocol Journal asking me to write about the used address marketplace, and I remembered that I still owned this block. Not only would he pay me to write the article, but I could make some quick cash by selling my block.

It was a good block, perhaps a perfect block: in all the time that I owned it, I had never set up any computers using any of the 256 IP addresses associated with it. In used car terms, it was in mint condition. Virgin cyberspace territory. So began my journey into the used marketplace that began just before the start of the new year.

If you want to know more about the historical context of how addresses were assigned back in those early days and how they are assigned today, you’ll have to wait for my article to come out. If you don’t understand the difference between IPv4 and IPv6, you probably just want to skip this column. But for those of you who want to know more, let me give you a couple of pointers, just in case you want to do this yourself or for your company. Beware that it isn’t easy or quick money by any means. It will take a lot of work and a lot of your time.

First you will want to acquaint yourself with getting your ownership documents in order. In my case, I was fortunate that I had old corporate tax returns that documented that I owned the business that was on the ownership records since the 1990s. It also helped that I was the same person that was communicating with the regional Internet registry ARIN that was responsible for the block now. Then I had to transfer the ownership to my current corporation (yes, you have to be a business and fortunately for me I have had my own sub-S corps to handle this) before I could then sell the block to any potential buyer or renter. This was a very cumbersome process, and I get why: ARIN wants to ensure that I am not some address scammer, and that they are selling legitimate goods. But during the entire process my existing point of contact on my block, someone who wasn’t ever part of my business yet listed on my record from the 1990s, was never contacted about his legitimacy. I found that curious.

That brings up my next point, which is whether to rent or to sell a block outright. It isn’t like deciding on buying or leasing a car. In that marketplace, there are some generally accepted guidelines as to which way to go. But in the used IP address marketplace, you are pretty much on your own. If you are a buyer, how long do you need the new block – days, months, or forever? Can you migrate your legacy equipment to use IPv6 addresses eventually (in which case you probably won’t need the used v4 addresses very long) or do you have legacy equipment that has to remain running on IPv4 for the foreseeable future?

If you want to dispose of a block that you own, do you want to make some cash for this year’s balance sheet, or are you looking for a steady income stream for the future? What makes this complicated is trying to have a discussion with your CFO about how this will work, and I doubt that many CFOs understand the various subtleties of IP address assignments. So be prepared for a lot of education here.

Part of the choice of whether to rent or buy should be based on the size of the block involved. Some brokers specialize in larger blocks, some won’t sell or lease anything less than a /24 for example. “If you are selling a large block (say a /16 or larger) you would need to use a broker who can be an effective intermediary with the larger buyers,” said Geoff Huston, who has written extensively on the used IP address marketplace.

Why use a broker? When you think about this, it makes sense. I mean, I have bought and sold many houses — all of which were done with real estate brokers. You want someone that both buyer and seller can trust, that can referee and resolve issues, and (eventually) close the deal. Having this mediator can also help in the escrow of funds while the transfer is completed — like a title company. Also the broker can work with the regional registry staff and help prepare all the supporting ownership documentation. They do charge a commission, which can vary from several hundred to several thousand dollars, depending on the size of the block and other circumstances. One big difference between IP address and real estate brokers is that you don’t know what the fees are before you select the broker – which prevents you from shopping based on price.

So now I had to find an address broker. ARIN has this list of brokers who have registered with them. They show 29 different brokers, along with contact names and phone numbers and the date that the broker registered with ARIN. Note this is not their recommendation for the reputation of any of these businesses. There is no vetting of whether they are still in business, or whether they are conducting themselves in any honorable fashion. As the old saying goes, on the Internet, no one knows if you could become a dog.

Vetting a broker could easily be the subject of another column (and indeed, I take some effort in my upcoming article for IPJ to go into these details). The problem is that there are no rules, no overall supervision and no general agreement on what constitutes block quality or condition. IPv4MarketGroup has a list of questions to ask a potential broker, including if they will only represent one side of the transaction (most handle both buyer and seller) and if they have appropriate legal and insurance coverage. I found that a useful starting point.

I picked Hilco’s IPv4.Global brokerage to sell my block. They came recommended and I liked that they listed all their auctions right from their home page, so you could spot pricing trends easily. For example, last month other /24 blocks were selling for $20-24 per IP address. Rental prices varied from 20 cents to US$1.20 per month per address, which means at best a two-year payback when rentals are compared to sales and at worst a ten-year payback. I decided to sell my block at $23 per address: I wanted the cash and didn’t like the idea of being a landlord of my block any more than I liked being a physical landlord of an apartment that I once owned. It took several weeks to sell my block and about ten weeks overall from when I first began the process to when I finally got the funds wired to my bank account from the sale.

If all that seems like a lot of work to you, then perhaps you just want to steer clear of the used marketplace for now. But if you like the challenge of doing the research, you could be a hero at your company for taking this task on.