9.28.2008

.ORG the most secure domain?

The .ORG gTLD (generic top-level domain), run by the Public Interest Registry (PIR), is perhaps best known as the non-profit registry for millions of organizations. It could also soon be known as a more secure domain space, as .ORG adopts DNSSEC (DNS Security Extensions), a set of extensions that add a layer of security to the Domain Name System (DNS).

The move by .ORG to improve security for its DNS (which usually stands for Domain Name System, or Service or Server, the service that translates domain names into IP addresses) comes at a critical time for the world's DNS infrastructure.

Security researcher Dan Kaminsky recently exposed a critical flaw in the DNS system, for which DNSSEC may well be the best long-term solution for protecting the integrity of the Internet and its traffic flow.

"The argument we're trying to make is that there is a very real problem that DNSSEC solves and once we implement it within .org, it will be secure," .ORG's CEO Alexa Raad told InternetNews.com. "There are other security issues, but DNSSEC solves a very specific problem which is hijacking traffic that could be unknown to the user."

DNSSEC provides a form of signed verification for DNS information, which is intended to assure DNS authenticity. The Kaminsky flaw in DNS highlighted how, without a form of DNS security, a DNS server's traffic could be hijacked in a cache poisoning attack, redirecting users to arbitrary addresses without a user's knowledge.

DNS vendors, including ISC, the lead sponsor behind the open source BIND DNS server, as well as Microsoft and others, have patched their DNS implementations in order to make a potential cache poisoning attack more difficult to achieve.

Kaminsky, ISC and others have argued that DNSSEC is the best long-term solution to the issue.

PIR first announced that it was launching an initiative to implement DNSSEC across .ORG in July, several weeks after Kaminsky first disclosed his DNS flaw. Raad noted that the decision to move to DNSSEC was not a 'knee jerk' reaction to Kaminsky and that PIR had actually been involved in the DNSSEC effort for the past two years. Raad argued that what Kaminsky's disclosure did, however, was create awareness around the issue and give it the broader attention that it deserves.

That said, just because PIR announced that .ORG was going to implement DNSSEC doesn't mean that all of .ORG is actually secured by DNSSEC today. In fact, the road towards full adoption will take time and effort.

"Efforts are going really well, this is not a product launch but an iterative rollout," Raad said. "We're the first gTLD to implement DNSSEC and we are breaking it out into several phases, with the first phase being friends and family. So far we have been able to talk to a number of registrars that are interested, a number of whom are large hosting vendors."

Raad added that she expects to have the friends and family phase completed by early 2009, after which the plan is to expand it further to bring in more registrars and registrants.

Ram Mohan, CTO of Afilias, which is PIR’s technology provider for the .ORG registry, explained that at the top of the Internet chain are the root servers and inside of that is the entry for .org, which is what Afilias manages for PIR.

Mohan explained that with DNSSEC in place what will happen is a .org domain owner will first create a signature and then submit the signed domain to their registrar. The registrar then will have a secure interface that they can send into PIR. What PIR will do is it will marry the name server information with the security keys and in the DNS zone file that they publish, the zone file will have the key information provided right there.

"What that means is that all across the world when you send your key across, within seconds your domain name is validated and it will be propagated across PIR's authoritative name servers," Mohan said.
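In DNSSEC, the "key information" the registry publishes for a signed domain takes the form of a DS record: a digest of the domain's public DNSKEY, which a validating resolver compares against the key the domain actually serves. The sketch below is an added example, not code from the article, PIR or Afilias; it computes and checks a DS record as specified in RFC 4034, and the key bytes and the reserved name example.org are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample public key bytes (not a real key), for illustration only.
SAMPLE_PUBKEY = bytes(range(1, 33))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields the parent zone publishes: (key tag, algorithm, digest type, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], 2, digest  # digest type 2 = SHA-256


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Validator-side check: does the child's DNSKEY match the parent's DS?"""
    tag, alg, dtype, digest = ds
    if dtype != 2 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    expected = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return hmac.compare_digest(expected, digest.lower())


if __name__ == "__main__":
    # 257 = key-signing key flags, 8 = RSA/SHA-256 algorithm number
    ksk = dnskey_rdata(257, 8, SAMPLE_PUBKEY)
    ds = make_ds("example.org", ksk)
    print("example.org. IN DS %d %d %d %s" % ds)
    print("genuine key accepted:", ds_matches("example.org", ksk, ds))
    # A key that differs from the one the registry holds a digest for is rejected.
    other = dnskey_rdata(257, 8, b"\xff" + SAMPLE_PUBKEY[1:])
    print("substituted key accepted:", ds_matches("example.org", other, ds))
```

Because the digest lives in the parent zone, a resolver that has been fed a poisoned answer for the child cannot make a substituted key pass this comparison.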

Getting all the various moving parts of the global DNS system to line up behind DNSSEC has been a challenge to date, though Raad noted that the Kaminsky flaw has made it easier by raising awareness. Beyond awareness, Raad added, there is also a technical challenge to face. In her view, developing the applications and tools that let all the participants enable DNSSEC, test it and then offer it to customers is also an ongoing effort.

Though the initial rollout of DNSSEC at .ORG will not include all domain holders, Raad argued that they don't have to have everyone participating, at least at the beginning. In her view PIR can take the lessons learned from the initial friends and family deployment and use them in an iterative model as the deployment expands.

"There are a lot of folks that are involved in the chain ultimately and nothing can be done in a day, Rome wasn't built in a day," Raad said. "We think that the end result being a secure DNS is ultimately worth it because of all the applications that ride on the DNS infrastructure and will continue to. How do we get there from here? The smart way is an iterative process and then isolate where you can accelerate adoption. We feel that getting root signed is an important first step."

VeriSign, which manages the .COM registry, is also exploring DNSSEC; however, in an interview with InternetNews.com earlier this year, VeriSign CTO Ken Silva said SSL certificates play a key role in securing domain name information.

Mohan does not disagree that SSL is a good technology to have; however, in his view it solves a different problem than the one that DNSSEC will ultimately address.

"SSL is the wrong hammer because this is not a nail," Mohan stated.

Mohan argued that SSL secured sites, even those that use EV-SSL (extended validation) could be hijacked. He noted that most users just click through to a domain and that if the DNS information has been compromised they will still be at risk.

"SSL doesn't solve the hijacking problem it solves a different problem," Mohan commented. "At this point it’s the only tech we know of that does it in an effective and reliable way."

While SSL certificates are a revenue stream for VeriSign, the move toward DNSSEC for .ORG does not have a revenue component.

"Our motivation for implementing DNSSEC within .ORG is not commercially driven, we have no other product and this is not a money maker for us," Raad said. "We're a non-profit registry, the motivation for us is something more long term and that is to help in the upgrade of the Internet overall. So even though we look forward to .org being signed, we're looking forward to sharing the results of our experience so we can encourage other registries to upgrade their infrastructure."

Source: InternetNews

9.25.2008

Digg.com digs up over 28 million

Digg, the news site with the nerve to substitute the votes of the unwashed, unpaid masses for the refined talent of professional editors, has raised a new round of venture financing, the company said Wednesday.

Four-year-old Digg, based in San Francisco, raised $28.7 million from existing venture backers Greylock Partners, Silicon Valley Bank and the Omidyar Network. The round was led by the newcomer, Highland Capital Partners, whose partner Richard de Silva will join the Digg.com board. That brings the total amount of money raised by the still-unprofitable company to around $40 million.

Jay Adelson, Digg’s chief executive, says the company will use the money to double its 75-member staff over the next year and to expand internationally. Digg will create localized versions of itself for other countries, so that users in Britain, for example, won’t be subjected to the outsize interest of American Digg users in Sarah Palin and Scientology. Digg says that 40 percent of its 30 million unique visitors each month already come from foreign countries.

Digg will also use the cash to develop analytic tools for its publishing partners who use Digg buttons on their sites (like The New York Times), so that those publishers can see what kinds of stories resonate with Digg users. The company will also move to larger headquarters in the Potrero Hill neighborhood of San Francisco.

The financing round comes at what appears to be a sensitive time for Digg. Over the last year, Digg was reported to be in ultimately unfruitful acquisition talks with companies like Google and Microsoft. But it now appears to be settling into life as an independent company on a mission to create a level news media playing field, where posts from small blogs can garner just as much attention as articles from large media organizations.

“From my perspective, neutrality and conflict of interest are real sensitive points to me,” Mr. Adelson said, discussing why the company has not yet been acquired. “There are very few players that could qualify as not spoiling the level playing field we’ve created. I think our users and our publishers need to have that comfort zone.”

“As an independent player, we have a lot to gain. We can grow very large. We definitely think this is an important, international opportunity,” he said.

Source: NY Times

9.15.2008

Avoid Internet Scams

Thousands of new users log on to the Internet every day, expecting quality information, easier communication and up-to-date notifications. What they don't expect, however, are hundreds and thousands of scammers who're out there trying to snatch hold of some innocent user's money. And why just new users? Even folks who've been around a while have fallen prey to the lure of a quick buck.

To remain safe and scam-free, it's important to know what's real and what isn't. More importantly, don't be taken in for “once in a lifetime” opportunities. If it sounds too good to be true, it probably is. Here are some of the latest scams on the Internet that people are regularly falling for.

The Nigerian (419) Scam
There was a lot of heated discussion and numerous news reports on this one last year, but it still continues to grow. Basically, an “official” from Nigeria or some other country sends you an email telling you a sob story and offering a large sum of money to open up a bank account. He asks for your help in transferring some money (usually in millions) from his country to yours and offers a generous percentage of that money to you. You end up paying endless fees to the scammer, and sometimes even going to the person's country, and getting stranded there!

What to do: If you receive emails for assistance, simply ignore them. The more you get involved, the harder they'll make it for you to walk away.

“Phishing” acts
Ever received an email from your bank asking you to log on to their secure site and re-enter all your personal information? Delete it now! It's a scam. Banks, financial entities or any companies that have access to your personal information will rarely ask you to verify it by email. What is actually happening is that scammers set up websites that look very much like the actual ones, to convince you that they're real. Once they get all your information, it can be used to make payments in your name or even steal your identity.

What to do: If you're unsure about the origins of the email, call your bank and ask them.

Cyber Blackmail
Even extortion threats these days are getting new-agey! Another cyber crime that's been concerning officials lately starts out with an office worker receiving emails that threaten to take over his or her PC and install child pornography images, unless a fee is paid. This fee is usually modest—in the range of $20-30. Many workers panic and assume they'll get into trouble or lose their jobs. But this only brings the fraudsters back for more.

What to do: If you receive such an email, notify your boss immediately. That will not only ensure that you stay out of trouble, but will also help your boss take legal action.

Identity Theft
A shocking report by the Federal Trade Commission claims that approximately one in every 50 consumers has been a victim of identity theft! Identity theft is when a fraudster gains access to your personal and confidential information and uses it to commit various kinds of fraud. Of course, since everything's done in your name, you're liable to answer for it. This leaves you to pay enormous bills, take the brunt for crimes or even be left to prove that you're the real you.

What to do: Don't give out your personal information either online or offline without checking who you're giving it to. Also, review your credit card and bank statements carefully.

Fake Third-Party Endorsements
Endorsements are a great way to add credibility to the sales of your product. After all, it's easier to sell a beauty cream, when say Madonna's vouching for it. But on the Net, many endorsements that you find aren't genuine. That's why you'll often come across websites claiming to have products endorsed by the US Small Business Association or Consumer Reports, even though these organizations have a no-endorsement policy.

What to do: To find out whether an endorsement is actually true, call up the endorsing organization and ask. Or you could visit their Website, where you'll find a lot of valuable information.

Feeding on the Unemployed
If a potential employer emailed you for more details—including your Social Security number, bank account number or mother's maiden name— just so that he could do a routine background check, would you give it? If you've recently been laid off, and are desperate for a new job, you probably wouldn't think twice. And that's what scammers are taking advantage of. Because in all likelihood, this prospective “employer” is actually a scammer.

What to do: Employers don't need your personal information before they've recruited you, so you can safely delete the email. If you're still unsure, do a little googling to find out whether such a company even exists or not. If it does, call up the company and confirm it.

The Lottery Scam
Imagine winning the lottery. And then getting ripped off bare for it! That's what happened to many people who fell for the Massachusetts Lottery Scam. This is how it works: you receive an email informing you that you've won the Massachusetts Lottery of $30,000 (the lottery is real; the email isn't). You're asked to click the link to the “official” website. Only, this isn't the official site. After you enter a username and password, you're asked to pay a gaming tax of $500 if you're in the US, $100 if outside. You'll be required to give your credit card number, social security number and other personal information.

What to do: You're not going to be notified by email if you win the lottery. Even more important is the fact that lottery tickets are purchased by cash; there's absolutely no need for the lottery organization to ask for your credit card information.

Bouquets of AOL
Here's a virtual bouquet that's thrown right back in your face. You open your email to find AOL telling you that you've been charged for flowers that you didn't order. But wait, says the email. We're so kind as to let you click on a link and cancel that charge. Great, you think. You didn't order it, so you shouldn't be charged for it. But for that you need to fill in a form stating your screen name, password and of course, credit card information. See where I'm going with this? But clicking on that link could have even more fatal effects. It could cause you to download a virus that'll wipe out your entire hard drive.

What to do: First off, if you've been charged wrongly, you should take up the issue after it appears on your statement. Secondly, unless you're absolutely sure, call up the company and ask them about it.

A little caution is always better than a lot of regret. So when browsing the Internet or checking your mail, remember this rule of thumb: Keep one finger on the delete button. It can be your best friend.

Source: ComputerCompanion

9.11.2008

Tribune blames Google for damaging news story

Tribune Co. said Wednesday that the mistaken online publishing of an old news story that cratered UAL Corp.'s stock price earlier this week was because of a repeated technology failure at Google Inc.

In a statement, Tribune said a 2002 story about United Airlines' bankruptcy was unearthed over the past weekend due to "the inability of Google's automated search agent 'Googlebot' to differentiate between breaking news and frequently viewed stories on the Web sites of its newspapers."

Tribune said that for that reason it had asked Google "months ago" to stop using its Googlebot to crawl newspaper Web sites, including the online version of the Ft. Lauderdale, Fla.-based Sun Sentinel, where the UAL story was retrieved. Wide distribution of the outdated story led to a 70% plunge in the share price of United Airlines' parent company UAL on Monday.

In its statement, Tribune said the story had been stored in its online database, where it was crawled by Google's technology as recently as Sept. 3, "and apparently treated as old news."

But a single visit to the story in the wee hours of Sunday morning, a period of low traffic to the newspaper's business section, bumped it into a "Popular Stories" section of the newspaper's Web site. A subsequent visit to the story resulted in the Googlebot crawling the story again. It was treated as breaking news and landed on Google's News site, Tribune said. "Despite the company's earlier request and the confusion caused by Googlebot and Google News earlier this week, we believe that Googlebot continues to misclassify stories," Tribune said.

A Google representative did not immediately respond to a request for comment.

Source: Market Watch

9.07.2008

GeoEye Launches Satellite for Google and US Government

GeoEye Inc said it successfully launched into space on Saturday its new GeoEye-1 satellite, which will provide the U.S. government, Google Earth users and others the highest-resolution commercial color satellite imagery on the market.

"It was a picture-perfect launch and we've now gotten confirmation that ... we have commanded the satellite and it has responded," GeoEye Chief Executive Matthew O'Connell told Reuters in a telephone interview from Vandenberg Air Force Base in California, where the satellite was launched at 11:50 a.m. PDT (2:50 p.m. EDT).

"Everybody is now slapping high fives," he said, adding that it would take 30 to 45 days before the company calibrates the camera aboard the satellite and receives imagery.

GeoEye-1 will be able to capture images at .41 meters (16 inches) resolution in black and white and 1.65 meters (5.5 feet) in color, but under current government rules, the company can only offer the public half-meter (1.64 feet) images.

The satellite will take digital images of the Earth from 423 miles while moving at a speed of about 4 1/2 miles per second.

O'Connell said the $502 million satellite, built partly with money from the U.S. National Geospatial-Intelligence Agency, would "open up a lot of opportunities" for GeoEye, and capped four years of work on the spacecraft.

On hand to watch Saturday's launch of the satellite -- shot into space by a Delta II rocket emblazoned with Google's logo among others -- were Google founders Larry Page and Sergey Brin, Google spokesman Brian O'Shaughnessy said.

GeoEye's other satellites provide images to Google, Microsoft and Yahoo, but Google will be its only online-search mapping customer.

O'Shaughnessy said Page and Brin "look forward to getting some real quality, high-resolution imagery into Google Earth in the months to come."

He said the new color imagery would mean that Google Earth and Google Maps users would have access to more detailed images in about three to four months, after the new imagery had been loaded into Google.

GeoEye's main rival, Digital Globe, which plans an initial public offering this year, launched its new high-resolution satellite, WorldView-1, in late 2007. It offers half-meter resolution in black and white.

GeoEye-1 was built by a unit of General Dynamics and its imaging system was built by ITT Corp. The 4,310-pound satellite was launched by United Launch Alliance, a joint venture of Lockheed Martin Corp and Boeing.

Source: Reuters

9.02.2008

Google Chrome web browser

Google has confirmed that it is launching Google Chrome, a new web browser. Rumors of a Google browser project had been around since 2004, but a posting on the Blogoscoped site has turned those rumors into something much more tangible. It reported on the arrival of a 38-page comic book, drawn by Scott McCloud, which detailed Google's Chrome web browser. Some hours later, Google posted on its official blog, saying that it "hit 'send' a bit early on a comic book", and went on to confirm all the details which were laid out in the book.


Chrome appears to be a radical reworking of a modern browser's internal architecture, with each tabbed session in the browser running as its own process. Plugins are run as separate child processes of the tabbed session's process. This decoupling, along with a more isolating security model which keeps web page executable content on a tight lead, is designed to give a more reliable browser. One web page locking up does not lock up the entire browser. There is even a task manager for advanced users to identify badly performing processes and selectively stop them.

Chrome uses the WebKit engine, also used by Apple's Safari and Nokia among others, to render web pages. JavaScript execution is handled by V8, yet another new high-performance JavaScript engine in the mold of TraceMonkey and SquirrelFish, with dynamic code generation and optimisation and precise memory management for fast garbage collection. Chrome has also incorporated Google's Gears as standard, giving web applications in Chrome access to database, geolocation and desktop integration.

The most visible changes in Chrome are in its tabs, home page and address bar. The tabs for pages appear to be located at the very top of the window, with the address bar and tools underneath. The home page is dynamically composed of your top nine used sites in a three by three thumbnail view and with your most common searches listed to the right of the thumbnails. The address bar is now "the Omnibox", described as an extra smart autocompleting text field, drawing completion data from your web searches as well as your browser bookmarks and history. For those worried about their privacy, a private browsing mode is also built in so users won't see that surprise gift for a loved one appearing in the Chrome home page.

Google has stated that Chrome will be an open source application, with the terms described indicating a BSD or Apache permissive licence. A beta version for Windows will be released on September 2nd with Mac and Linux versions being developed. The comic book is now available on Google Books.

Source: Heise