
September 2009

National Cyber Leap Year Summit 2009 - Reports Available

In August I participated in the National Cyber Leap Year Summit 2009. The summit was sponsored by the Federal Networking and IT Research and Development Program, the US DOD, and the White House Office of Science and Technology Policy. 150 experts from industry, academia, and government considered strategies for initiating fundamental or "game" changes in cyber security in five subject areas:
  • Basing trust decisions on verified assertions (Digital Provenance)
  • Attacks only work once if at all (Moving-target Defense)
  • Knowing when we have been had (Hardware-enabled Trust)
  • Move from forensics to real-time diagnosis (Nature-inspired Cyber Health)
  • Crime does not pay (Cyber Economics)
The reports are now available from the conference chairpersons and the Summit participants.

I participated in the Cyber Economics group (you'll no doubt see my fingerprints on this participants' report). I also spent time in the Digital Provenance and Hardware-enabled Trust groups, and experts in these groups have proposed some fascinating proposals. The participant reports can't do justice to the real-time sharing and high-speed deliberation of technological and operational possibilities. Despite this, I think you can find enough in the reports to search deeper in subject areas you find most interesting.

Some of the ideas proposed in the reports are very forward-looking (endpoint hardware that verifies system integrity and monitors for anomalous user behavior). Some proposals do not offer new ideas but encourage continued investment or sustained activity in areas that have demonstrated promise (collaborative response a la Conficker Response WG, broader adoption of admission controls). Other proposals will take many years and considerable funding to bring to maturity (Centers for Cyber Disease Control and Prevention). Still others were proposed primarily for their 10-word sound-bite value (Cyber Insurance, 911 Cyber).

US Federal Chief Technology Officer Aneesh Chopra indicated in his address to the summit that these reports will be considered by the Obama Administration as it builds its cybersecurity research and development agenda. One expected outcome from the Summit and reports is a series of calls to the technical community to undertake projects inspired by the summit ideas.

Internationalizing WHOIS

Whois is an Internet application (service) that discloses registration information associated with a domain name. A Whois response typically includes the sponsoring registrar (GoDaddy, Network Solutions, MarkMonitor, etc.), the names and contact information for the registrant and the domain’s web and technical administrators, and DNS configuration information. This information is publicly available for all generic Top Level Domains (com, net, org, info, biz, …).

Historically, registration information has been submitted and displayed using the US-ASCII7 character set. However, the characters that make up the Arabic, Chinese, Cyrillic, Japanese and other scripts cannot be displayed using US-ASCII7; they require other character sets such as UNICODE-8, -16, and ISO-8859. Internet applications such as email and web are increasingly sensitive to and accommodating of the fact that many, if not the majority, of Internet users write and type using characters from local scripts.

Whois must evolve to accommodate this internationalization and ideally should do so without creating a Babel effect. On behalf of the ICANN SSAC, I wrote a report laying out the issues relating to the need to internationalize Whois (SAC037). Recently, I gave a webinar on this topic. An MP3 recording and the webinar presentation are available if you want to learn more about the issues and what ICANN – and you – can do to identify a solution.
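
The character-set problem described above, as an added example that is not part of the original post or of SAC037: a Whois response (RFC 3912) carries no charset label, so a client has to guess, and a wrong guess can corrupt contact data without raising any error. The record, registrant name, domain and function names are constructed for illustration, and reading the "Babel effect" as mismatched server and client encodings is an assumption.

```python
# Added example; all data below is constructed, not a real registration record.
REGISTRANT = "Иван Петров"   # constructed registrant name in Cyrillic script
CHARSETS = ["utf-8", "utf-16", "iso-8859-5"]

def ascii_safe(value: str) -> bool:
    """True if the value fits the historical US-ASCII Whois encoding."""
    try:
        value.encode("ascii")
        return True
    except UnicodeEncodeError:
        return False

def build_response(name: str, charset: str) -> bytes:
    """Server side: serialize a minimal record in the server's chosen charset."""
    record = f"Domain Name: example.test\r\nRegistrant Name: {name}\r\n"
    return record.encode(charset)

def parse_response(raw: bytes, assumed_charset: str) -> dict:
    """Client side: decode with a guessed charset (the wire format has no
    label for it) and split 'Key: value' lines. Undecodable bytes become
    U+FFFD instead of raising, as a lenient client would do."""
    fields = {}
    text = raw.decode(assumed_charset, errors="replace")
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def babel_matrix(name: str, charsets: list) -> dict:
    """Map (server charset, client guess) -> did the name survive intact?"""
    return {
        (srv, cli): parse_response(build_response(name, srv), cli)
                    .get("Registrant Name") == name
        for srv in charsets
        for cli in charsets
    }

if __name__ == "__main__":
    print("fits US-ASCII:", ascii_safe(REGISTRANT))
    for (srv, cli), ok in babel_matrix(REGISTRANT, CHARSETS).items():
        print(f"server={srv:<11} client={cli:<11} intact={ok}")
```

Only the three pairs where server and client agree return the name intact. The UTF-8 record read as ISO-8859-5 decodes cleanly into the wrong characters, so tooling that consumes Whois contact data cannot rely on decode errors to detect the mismatch.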