Roundtable on (Cyber)Security for stakeholder inputs to GCCS2017

Roundtable on security
Internet Society India Chennai Roundtable for stakeholder inputs to cybersecurity policy

The Internet Society India Chennai  Round Table for Stakeholder inputs was held on the on October 22 at The Raj, Residency Towers, Chennai during 6-9 pm. This event on 22nd gains added importance as an event that was  organised as a Preparatory event to the Global Conference on Cyberspace to be held at New Delhi, as a High Level global diplomaticand policy event later this year.

The Round Table topic goes well beyond Internet Security, and broadly and loosely examined how Internet Security measures spill over to everyday life and how various security concerns, valid and real, sometimes translate into restrictions that alter the way we live our lives. The intention has been to see if diverse view points could contribute to Security design and help evolve good Security policies. The session was open for remote participation and recorded. The recording of the session is accessed from the link below:

Roundtable for stakeholder inputs to Cyber(Security)

This Roundtable event was in follow up an earlier Roundtable event during an ISOC Chennai DNSSEC/KSK rollover policy session at GRT Grand Hotel aur earlier event during June at Chennai. The Report on July 9, 2017.  A writeup based on the June event was sent to the Internet Governance Forum (IGF) Best Practices on Cybersecurity as inputs and attached below for context.

Reference Documents from the earlier (July9) event: (links below)

Internet Society India Chennai Response to the Questionairre from the IGF Best Practices Forum on Cyber Security

Report on Internet Society India Chennai Roundtable on the policy aspects of Cybersecurity:

ISOC Chennai – ICANN DNSSEC KSK event at Chennai

To reach another person on the Internet you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other.

ICANN coordinates these unique identifiers ( Names and Numbers) across the world.

When typing a name, that name must be first translated into a number by a system before the connection can be established. That system is called the Domain Name System (DNS) and it translates names like https://wikipedia.org into the numbers. These numbers are called Internet Protocol (IP) addresses.

ICANN coordinates the addressing system to ensure all the addresses are unique. Without that coordination we wouldn’t have one global Internet.

Recently vulnerabilities in the DNS were discovered that allow an attacker to hijack this process of looking some one up or looking a site up on the Internet using their name. The purpose of the attack is to take control of the session to, for example, send the user to the hijacker’s own deceptive web site for account and password collection.

A technology called DNS Security Extensions (DNSSEC) secures this part of the Internet’s infrastructure. You can read more about DNSSEC here:

https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en

ICANN organises DNSSEC Training and Events worldwide. The Internet Society India Chennai Chapter would co-organize a DNSSEC event at Chennai on July 9, 2017. ICANN would host this event.

This would be a half-day session on DNSSEC with particular attention to the KSK rollover for the technical community in Chennai.  The event is open for ISPs, Network Operators, DNS Administrators and other Interested parties, preferably for those whose line of work relates to DNSSEC. Please reach out to the companies / organizations including educational institutions, Law and Order Agencies, Banks, ISPs, IT Companies and independent professionals you may know to be likely to have an interest in this topic.

The session would cover the following topics during 9 30 am – 1 pm, followed by Lunch

dnssec
Domain Name System Security Extensions

 

DNS and DNS Security Overview
Why DNSSEC?
Root Zone DNSSEC KSK Rollover

 

There is no Admission fee. However,  pre-registration is required as seats are limited to 30. The form is at page https://goo.gl/forms/YQO2KxCfTaVWul1X2 (short link)

( The above link points to: https://docs.google.com/forms/d/e/1FAIpQLSeT88T3jM5gn0Oyjk_cXTMI98xLwOa3jVbFNfN0rvkc7Ozlpw/viewform?usp=sf_link  )

After Lunch we will have an hour of discussions on the policy aspects of DNS.  This session would be for Business and Community Leaders who have an interest in Internet Policy, who would join us on invitation. If wish to recommend names of Business / Community Leaders whom you might have expertise and interest in the security aspects of DNS, please pass on the names by email to isocindiachennai AT gmail DOT com The invitees would join other participants for Lunch at 1 pm which would be followed by about 60 minutes or round table discussions on the policy aspects of DNS.

Y2K20: Opportunities in design and testing for freelance application developers, small IT companies, medium, large and huge.

It was not uncommon to find the earliest of the Web Application Developers to assume that all domain names would end in .com, all email addresses would follow the format @xyz.com. While developers took into account newer domain names such as .info in due course, most continued to design applications to accept Domain names and email addresses in ASCII just as software developers in the 80s assumed that it would be unnecessary to have any more than two digits to denote the year, which led to the famous Y2K issue towards the year 2000.

y2k20
Imaginary logo of y2k20, a name that does not exist

Now there are new Top Level Domain Names (such as .family and .game) and Internationalized Domain Names (in various native non-ascii scripts of India and the world, such as .??????? and .???? (I typed India in Tamil and Devanagiri, displays here as ???) as well as Internationalized email Internet Domain Names that would allow users to have addresses in their native scripts.

If a browser or a form in a webpage limits acceptance of domain names or email addresses with a rule such as “a domain name must be in English and end with .com, or .net or .org” or “an email address must be in English or numerals” then it is archaic.

It is a problem far larger in its dimensions than the Y2K problem of year 2000 which kept the IT community of the entire world talking. On this problem of “Universal Acceptance” there appears to be inadequate attention to the problem in global public interest as well as to the commercial opportunities it presents for enterprising Developers and Corporations. This might emerge to be a huge commercial vertical in itself in view of the Design changes to be brought about and in terms of the testing requirements. #Deity #NASSCOM #WIPRO #TiE #TCS #Cognizant (If you are from a different country, please feel free to rewrite this post to suit your country and publish it. This post is not copyrighted.)

For more information, follow the publicly archived, transparent discussions in the IETF forum, at ICANN and at the Internet Society on this issue. You could also write to isocindiachennai (At) gmail (dot) com for additional pointers or any clarification. Or ask your Executives at a higher level to take part in ICANN meetings that are open and held as multi-stakeholder global meetings. And also join the Internet Society India Chennai Chapter. Such participation would lead you to positive involvement in the global Internet and also connect you to business opportunities not only in the y2k20 (there is no such term, the term is coined to describe the issue and the opportunity) but also in DNSSEC, IPv6 transition, Internet of Things (IoT) and new gTLDs.

What does the phrase “Universal Acceptance” mean?

“Universal Acceptance of domain names and email addresses” (or just “Universal Acceptance”, or even “UA”, for short) means that all apps and online services should accept all Internet domain names and email addresses equally.

Universal Acceptance is an important concept these days because the Internet is changing. One way that it is changing is that addresses no longer need to be composed of ASCII characters. (ASCII characters are the 127 Latin-script letters, numerals and punctuation marks that are dominant on the Internet today. All the characters in this document so far have been ASCII characters.)

Most people on earth are not native speakers of languages which use the ASCII characters, so moving from a character set limited to 127 characters to an alternate which can support more than one million characters is essential for those people to fully use and benefit from the Internet. This alternate is called Unicode.

Another way that the Internet is changing is by allowing lots of new domain names. Not only are there simply more of them, but some are longer than any of the older domain names and many of them use the same Unicode system mentioned above.

Note: “Universal Acceptance” is sometimes confused with “Universal Access” or “Universal Accessibility”; those phrases refer to connecting everyone on earth to the Internet, and to building Internet-connected systems for all differently-abled people on earth, respectively. Universal acceptance is limited to domain names and email addresses.

A special group called “Universal Acceptance Steering group (UASG) has been created to work on issues related to Universal Acceptance. UASG doesn’t work on anything else (e.g. Universal Access or Universal Accessibility).

How does an app or an online service support Universal Acceptance?

Software and online services support Universal Acceptance when they offer the following capabilities:

A. Can accept any domain name or email name as an input from a user interface, from a document, or from another app or service

B. Can validate and process any domain name or email name

C. Can store any domain name or email name

D. Can output any domain name or email name to a user interface, to a document, or to another app or service

Unfortunately, older apps and online services don’t always offer those capabilities. Sometimes they lack support for Unicode; sometimes they make wrong assumptions about new domain names, or even assume they don’t exist. Sometimes they support Universal Acceptance in some features but not in all.

How can Universal Acceptance be measured?

Universal Acceptance can be measured in a few ways.

1. Source code reviews and unit testing

2. Manual testing

3. Automated testing

#1 means inspecting the source code and verifying that only the correct programming techniques, software libraries and interfaces (AKA “APIs”) have been used, then verifying that the app or service works by testing against specific test cases for the capabilities A-D listed above. #1 is only practical for app developers and online service providers.

UASG is reaching out directly to the community of app developers and the largest online service providers to encourage them to perform source code reviews and testing to determine the level of Universal Acceptance in their offerings. UASG is also providing a list of criteria which can be used to develop test cases for the capabilities A-D listed above.

#2 can be done by anyone, but it’s labor-intensive. Examples of #2 would include submitting an email address when registering for an online service and verifying that it has been accepted. Since there are lots of potential online services to sign up for, and lots of potential new email address combinations, one must pick and choose which combinations of app, services, email address and/or domain name to test.

UASG is developing a list of top web sites, apps, email addresses and domain names suitable for testing.

#3 requires up-front technical work, but is more scalable to large measuring and monitoring efforts. An example of #3 is the recent gTLD investigation performed by APNIC on behalf of ICANN. <http://www.potaroo.net/reports/Universal-Acceptance/UA-Report.pdf >

UASG is investigating methods of automated testing for Universal Acceptance and will share these as they are developed.

Comments on the TRAI consultation Paper on Regulatory framework for Over the Top services

The Telecom Regulatory Authority of India has called for comments on its consultation paper on regulatory framework for Over the Top services, which is accessible at page http://trai.gov.in/WriteReaddata/ConsultationPaper/Document/OTT-CP-27032015.pdf

I have submitted the following comments:

Comments on the Consultation Paper on Regulatory frameworks for Over the Top Services

The Regulatory framework as proposed by the Telecom Regulatory Authority of India is an alarm. The Members of Parliament and the common man alike needs to be concerned about the implications of TRAI’s sphere or authority expanded to include the Internet which would interfere to alter the fundamental nature of the Internet:

  1. TRAI seeks to favor Telecom companies at the consumer’s expense by this proposal to alter the core architecture of the Internet, and the core values that make the Internet a free, open and universally accessible eco-system. Internet has transformed the way we do business, the way we all communicate and relate to each other – within and beyond borders. Internet has brought the world together by its end-to-end architecture without a centralized form of control. As an eco-system, it is far more advanced than Telegraphs and Telephones, mostly runs on a business model that is benevolent to all, treats all traffic from every person or organization, big or small, irrespective of nationality or ideology equally. With its architecture and its core values, Internet offers the common man’s greatest hope for freedom of expression and civil liberties and offers the greatest hope for participation in Democracy in its fullest form, minimize conflicts, bridge technological gaps as also bring in a certain degree of equity in the World economy. What TRAI proposes to do is to destroy the very foundations on which the Internet eco-system is built.
  2. The Telecom Authority wishes to bring the Internet as part of the Telecom Regulation. This would gradually bring in Telecom-like commercial model to the Internet for the benefit of the Telecom companies which would make the Internet very similar to the Cable TV in terms of the high price the consumer pays for access.
  3. These harmful commercial models would cause net neutrality to erode. Telecom companies would become gatekeepers of Internet Traffic, interfere in Network Traffic which has so far been free of centralized forms of control. Telecom companies would introduce fast-laning for paid traffic which would invariably lead to “throttling” of free traffic, and would lead to situations of extortionist pricing by Telecom companies. Internet would become far more expensive for the common man.
  4. This would invariably lead to an Internet of walled gardens wherein large Internet companies would contain their users within their sphere of services, making it difficult for users to access the major part of the Internet not offered as part of the services they are subscribed to.
  5. There are some security concerns about the way the Internet is abused by a certain section of users. Some of the security threats are real, but politicized by Governments to bring in an excessive framework of surveillance both for legitimate and excessively political reasons. The TRAI proposal would enhance the surveillance capabilities of Telecom Companies in the process of enabling Telecom companies to inspect Internet traffic in packets (Deep Packet Inspection) for commercial reasons. DPI could be the ulterior motive for Governments to favor telecom companies. TRAI’s proposal not only favors the Telecom companies, but unseen, makes it easy for the Law and Order Agencies to legally or otherwise monitor on the common man’s Internet usage.
  6. Regulators dislike the end to end architecture of the Internet with no centralized form of control and wish to alter the architecture in the guise of making the Internet more secure. There have been similar harmful proposals to regulate the Internet in various countries, voted out by public opposition, but these very proposals come back around sometime later by a different name in a different place. The TRAI proposal wraps up elements of such regulatory moves already voted out in other countries. Moreover, in India, Airtel proposed to charge differential rates for different types of traffic, which were withdrawn by overwhelming public opposition. This was a move by a Telecom company that merited TRAI to intervene against the proposal, but it wasn’t TRAI that stopped it. Instead, TRAI brings it back, this time seeking to enable this by Government directive. TRAI’s consultation paper reads like a business case for the Telecom companies printed on Government paper. Rather than look into the regulatory issues concerning how Telcom companies operate, the Regulatory Authority pleads their business case with total disregard to the fact that the Internet has actually brought in newer opportunities for the Telecom companies to enhance their revenues, and these companies are already profitable on the existing Data pricing models. TRAI’s paper misleads the policy makers and common man with the spurious argument that extortive pricing models are necessary to keep telecommunications companies in business. “The worst thing policy makers could do to the Internet would be to allow telecom companies to mess with the Internet.” TRAI appears to argue that the Telecom companies have a right to impose a fanciful pricing model. The paper is partial on Internet companies and misguides the reader with the notion that large Internet companies such as Google and Facebook are profitable at the expense of the cable and phone companies. The Telecom companies do not incur loss on account of OTT traffic, the truth is that the OTT services have opened up the opportunity for Telecom Companies to sell Data plans that have enhanced their revenues. As Deepak Shenoy argues “Data is in fact driving their revenues up, far more than anything else” http://capitalmind.in/2015/04/telecom-companies-are-not-losing-money-to-data-services-the-net-neutrality-debate/ )

Rather than expand its sphere of reach to Internet which requires a completely different thinking, TRAI could focus on the gaps in Telecom regulation:

A. Telecom regulations, even within the Telecom sphere, have restrained consumer experience. For example, sometime ago, TRAI restrained Telecom companies from having peering arrangements among themselves for switching 3G traffic. This affected seamless connectivity for customers on the move.

B. If TRAI is concerned about the cost of communication services to customers, it could work to recommend to the Government to free the Wireless spectrum. After the recent spectrum controversy on spectrum mismanagement and loss of revenues, the Government wanted to be seen being correct, so made the wireless spectrum pricey by auction. The revenues so determined, would serve to increase the cost of communication services to customers. TRAI could recommend that this money is not collected or returned if already collected.

C. TRAI has not looked in the practices of Telecom companies concerning the bandwidth they offer to consumers in India which averages 1 Mbps of nominal connectivity, actually amounting to 256 Kbps of average connectivity which on the mobile phone streams at less than 56 kbps on 3G most of the time in most locations. This is way below the standards of a hundred other countries around the world, while the price charged per connection is almost on par with the rest of the world, TRAI could look into this.

D. One of the reasons why Telecom companies find it relatively less profitable to operate is that even the largest of the Telecom Companies have outsourced Network Management to overseas Telecom / Technology companies. TRAI could assist the Telecom companies in building up the required technical capabilities to manage Networks on their own.

E. International Mobile roaming pricing, both for Voice and Data, by Indian telecom companies is prohibitively expensive are extortionistic. TRAI could look into the reasons and assist the Telecom companies in rationalizing the pricing plans for International roaming.

F. TRAI could look for solutions for 100% connectivity across India with receptiveness.

Sivasubramanian M
President
Internet Society India Chennai
http://isocindiachennai.org
http://twitter.com/shivaindia
6.Internet@gmail.com