Ex-boss of ICANN shifts from 'advisor' to co-CEO of private equity biz that tried to buy .org for $1bn+ The former head of DNS regulator ICANN has been named as co-CEO of a company that launched a controversial attempt to purchase the .org internet registry earlier this year. The news has again raised concerns over the revolving doors between regulators and those who need regulation. In the past week, the website of Ethos …
Bit OT but, long ago there was a childrens TV program called The Tomorrow People (sometimes credited with showing what now would be called a Tablet for the first time).
In one episode a character says "One law for the rich, another law for the poor" but he gets corrected
"The correct saying is "One law for both rich and poor, to prevent either from stealing bread, or sleeping under bridges"."
Which to my mind is a much more subtle and truthful way to put it.
What has happened to ICANN, IANA and the Internet Society over the last 10+ years is horrible.
For example, because WHOIS records are now virtually useless due to so-called privacy provisions which are largely used by shady organizations trying to escape responsibility for their online activities, it takes me 5 or 10 minutes per domain to do research every time I see some questionable javascript that I'm trying to decide whether to let run in my browser or not.
"For example, because WHOIS records are now virtually useless due to so-called privacy provisions which are largely used by shady organizations trying to escape responsibility for their online activities, it takes me 5 or 10 minutes per domain to do research every time I see some questionable javascript that I'm trying to decide whether to let run in my browser or not."
Which really breaks things up from all the people who would just put in information that isn't at all connected to who they are. Which has been happening for years. It isn't new; when people realized that putting real contact information led to scammers, they started to avoid giving that out. I know of a friend who set up a site in 1998 and put in the wrong phone numbers to avoid scammers. Companies that let you replace your info with theres were easily available in the early 2000s.
Actually, what information are you hoping for to determine whether JS is safe? All whois contains is address, phone, and email. That doesn't tell you anything about whether code is trustworthy. While you might decide to ban any code coming from a domain associated with an address in Russia, do you necessarily trust any code coming from some other country?
I registered my first domain in 1998 as well and the information there is complete and correct as of this day.
Mind you, I don't put data in there that could directly endanger me or subject me to stalkers. Never had a single problem with it, maybe a dumb domain-switch solicitation mail or fax every once in a blue moon, that's about it.
I see basically ZERO reason for any legitimate business to hide behind a 100% redacted WHOIS record. If you are a legitimate business and not a scammer, you owe it to the public who may be roped into "doing business with you" simply because you're serving some dodgy JS on thousands of webpages that people encounter every day without any warning in advance that your lousy dodgy JS is going to be trying to get into their browser.
At the VERY least they should have their f'ing COMPANY NAME there. Would you buy stuff from an entity on Amazon that won't even tell you what the name of their company is or where they're based?? Would you buy a car or a pork loin from a reseller that won't even tell you who they are?? This is absurd.
For individuals of course it's different, if they don't have a business or mailing service address or a phone # that doesn't ring at their house or on their mobile then yes, I understand all that. I'm not talking about such people. I'm talking about companies who you are forced to "do business with" in the form of active online code, but which REFUSE TO IDENTIFY THEMSELVES.
As it stands today, the whole idea of WHOIS has been completely destroyed for all practical purposes. It seems that almost every new domain registered today is completely redacted by default.
I view this as just one example of how various parasitic entities have twisted the domain and IP address-space management bureaucracy in recent years towards their own profit interests and against the interests of the public at large.
Just like the subject of the article we are commenting upon.
You may not have that options. In some countries back in the early days of the Internet you had to supply your full details - including a copy of an ID document to verify them - because there were strict rules for domain assignments.
So, if you were a company you could of course supply the company address, telephone number, etc. - but if you were an individual you had to supply your very own details - including your own complete address and personal telephone number. Not everybody is lucky enough to own more than one house and be free to register one address and live at the other, nor in those days you could get multiple SIMs and numbers easily.
WHOIS never made a difference between the two types of users - so inevitably you're talking about them too. Meanwhile those willingly to pay *could hide already* their WHOIS details behind services built for that purpose - so spammers and other illegal activities were able to hide already.
But would you really trust a javascript because it has a seemingly credible WHOIS record? In some countries not requiring proof of identity was very simple to fake them. Or even to use the data of someone else using stolen documents.
I've had a domain name (a .com, though it's not actually commercial) for several years. For a while, my real contact info was in the WHOIS - and even though I fixed that several years ago, I *STILL* occasionally get unsolicited offers for SEO and other services for my website. I've never, not one single time, had someone legitimate contact me using the WHOIS record, nor have I had one single contact forwarded from the domain registration company. (No idea how many outright scams I've gotten from it; I foolishly used my personal email and phone number.)
Sorry, but wrong and being intentionally offensive to boot. If you need to contact me, you know how - use the contact info in the WHOIS, which is for my domain registrar, to ask to contact me. Or, you know, visit the website (which has minimal JS, mostly just to stop email-scrapers, and nothing else hinky) and use the contact link. Which works even with JS disabled, as it takes you to a page explaining why it didn't work and has an IMAGE of my email address. And no, it's not a company at all, just a tiny server running a few webpages.
Cool, so you are just fine with people trolling through the WHOIS databases to build spamming lists, then? Or send you unsolicited junk mail? (or much, much worse)
That's the main reason why my WHOIS info is blatently false. (I mean, my name is in there, but the email listed is fake, the physical address is also a non-resolvable, although the state and country names are correct. If someone needs to get a hold of me, there are plenty of other ways to find my legit email address if one takes a few seconds and looks at my web page...)
"so you are just fine with people trolling through the WHOIS databases to build spamming lists, then? Or send you unsolicited junk mail?"
The contents of the WHOIS database has never appreciably added to my SPAM and junk snail mail load, to the best of my knowledge. All of my contact info is legit, and has lead to some rather lucrative cont(r)acts over the years.
Somebody once said something about babys and bathwater ...
My domain contact info is legit. It's just hidden.
I don't want to find out if it can lead to spam, junk mail, and 3am phone calls trying to sell me insurance. Why? Because it's a single click to make the information private. It's a hell of a lot more effort to deal with fallout if the information does get abused.
"If you are a legitimate business and not a scammer, you owe it to the public who may be roped into "doing business with you" simply because you're serving some dodgy JS on thousands of webpages that people encounter every day without any warning in advance that your lousy dodgy JS is going to be trying to get into their browser."
I completely agree. The problem is that Whois doesn't help. I don't trust code any more if it's a company name rather than a privacy organization stored there, because a) I have no proof the information in there is correct even if it looks possible, b) dodgy JS can come from any place and can be owned by any company, and c) any company can create other companies to make their origins look different, and they do that all the time. Consider what you would think if you saw this in a Whois record:
Registrant Name: Siculus, Inc.
Registrant Organization: Siculus, Inc.
Registrant Street: 1700 34th Ave NW
Registrant City: Altoona
Registrant State/Province: Iowa
Registrant Postal Code: 50009
Registrant Phone: (515) 306-8507
Do you trust this company? We can do some research and determine that that company does exist, they are at that address, etc. Do you trust them now? Well, whether or not you trust them should be the same as whether or not you trust Facebook, because this is Facebook. You wouldn't know that from Whois though. Nor would you know whether Facebook/Siculus actually registered this domain--if I was a scammer and I thought you'd trust that, maybe I put that information in when registering my domain. It wasn't hard to find, after all. Nor do you know basically anything else about the system or the people from that contact info.
Regarding your last paragraph, I simply want to know what entity I am dealing with.
If Google or Microsoft sees the need to create a slew of brand-new domains like awer9u8sdlfkjsdkfjhdf.com to serve web content, I view such a decision as inherently hostile, because they are a well-known organization that has no reason to do such a thing unless they're trying to hide something.
If I have a company name I can look up the company and decide whether their content has any use to me, is just useless/unneeded or is an actual potential threat.
So eg if I find out that their business is "behavioural tracking", their code goes to the bitbucket. If I find out that they are providing something actually useful like a web chat client that the calling domain (a known and legitimate company that I have an existing business relationship with) uses for a legitimate purpose like customer support, then I might not send it to the bitbucket, I might enable it on a day I actually need to use their support chat. Etc.
Ahhh ....
We're finally starting to see the fallout of that outrageous scam.
Sooner than I expected and there's probably more to come, just have to keep tabs on all those involved in it and see what they're up to.
Makes me wonder what the Attorney General of California has to say about this new development.
I wager that there's a good part of the book that can be thrown at this asshole to then string him up in some hot cell for a few years.
I sincerely hope so, the proof is or can/will eventually be in plain view for everyone to see.
O.
Though I share your sentiment, I am almost certain that none of this behaviour was illegal and even if it was, there will be no consequences.
Steal a bread, because your hungry gets punished right away. Using your position to extract millions from unsuspecting punters is 'good business acumen'.
The shadiness over this issue also brings into question all of the previous TLD domain sales ICANN have done.
How long has this been going on for inside the walls of ICANN?
How many of ICANN's staff and board members, current or former have been involved in the selling of TLDs who also have undeniable links to and vested interests in the registrars who purchased those TLDs?
I'd say a full audit by the AG is in order and long overdue to ascertain whether ICANN is fit for purpose, whether any other shady deals have been done with insider information, how intertwined the staff & board members are with registrars, and whether they even are a non-profit anymore.
Take for example their recent licence amendment deal with Verisign, the .COM registrar, where from 1/1/2021 Verisign will pay ICANN $4mil USD for five years, totalling $20mil, and gain the ability to increase .COM prices by 7% / year in the last 4 years out of each six-year extension, how is that non-profit? how is that in the interests of the internet as a whole?
Without an audit there will forever be a cloud of doubt hanging over ICANN's ability to act independently, without prejudice and not for-profit.
I feel like having the management of the global utility that is the Internet based in
a. a single country
b. a country with an unstable internal political situation
c. a country wherein the profit-seeking motive has been allowed to run rampant, to the point it has become a part of the culture and drives the political system
is essentially a dead-end. I would see the management of the TLDs brought under the control of a supranational organisation, or at the very least based in a country nominated after a supranational vetting process.
Too many people are getting away with too much corruption. It seems that not a day goes by without someone being caught with their hands in the till. What's worse is that it seems to be becoming the accepted norm. Yes, it has always happened, and yes I do understand that people will always be tempted to steal when confronted by huge piles of money, but succumbing to that temptation should always be punished. So far as I can tell, most people can't be bothered to hold elected and appointed officials to account for their actions and are quite happy to elect thieves, liars and con-artists to political office. :-(
I'm just curious, how does one get on the Board of the Internet Society or PIR for that matter?
I have a desire to "serve" the community. For an appropriate fee of course...
More seriously, if these are actual society's with members and a voting structure to get people on to the board, then the voting community needs to take a good long look at themselves, and maybe actually pay attention at the next board election. Or if everyone is suitably outraged, then a recall ballot to sack the entire board and start over from scratch sounds like it should definitely be on the cards...
how does one get on the Board of the Internet Society or PIR for that matter?
There will be several methods...
1. Careful selection of ancestors. If you are careless and do not share at least one grandparent with someone on the board, no use for this method.
2. Go to school/college/University who will end up on the board but don't let them remember just how much more intelligent you are than them!
3. Sleep with one (or more) of them and record things. Whether you get financial secrets or X-Rated home movies is variable.
4. Make an 8 to 10 figure contribution to their favourite charity or pension scheme.
I believe you are correct and that there is some community involvement in choosing the board members in this particular case. I haven't looked that hard yet, and don't know for certain. However, the boards of charities and nonprofits are very powerful and very unaccountable. The reason for this is that a charity (most countries) is not owned by anyone. It's just controlled. There is therefore no check on the board other than laws governing what a charity is and isn't allowed to do.
I have never worked at a charity for my main job, but I have some close friends who have and I've volunteered for one small enough that I have met their board. These people are volunteers who get to decide lots of things. Their decisions cannot be appealed. If someone leaves the board, the existing board members get to replace them. The only way to get rid of someone on the board is for the rest of the board to vote them out. The board doesn't get any money for doing this, but of course you can always find a way to get use out of some money without paying yourself, and given that the board decides who runs the charity, they have a lot of power. If it is necessary to completely remove and change the board, it can be done only by suing the charity and board for violations of some law, which are pretty forgiving in most locations. The charity is allowed to use their resources to defend themselves in that lawsuit. So unless you already have a bunch of money or are a government, you face a tremendously difficult uphill battle.
Only in the USA could this be taken as a normal state of affairs. In most countries there are laws mandating disclosure of directorships. Yes, there's a lot of fiddling (witness some of the more interesting entries in the UK companies register), but the principle stands and mostly works.
I hate to burst your bubble there, but the USA learn that from the UK. Just look at places like the Cayman Islands, Isle of Mann, Gibraltar (almost every British Over Seas territory) have quite favourable company laws from either 0% corporate tax to hidden ownership.
Twenty years ago when this sort of thing was happening at Nominet, I couldn't get anybody interested.
I'd paid the fee to be a registrar.
But they didn't like what I was saying, so they just deleted my account and tag, lied about what I'd said, and kept the fee.
Four hundred quid I think it was, was back then.
I bet I still have the emails somewhere.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
