<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Just read the interruption updates and it still doesn't say much
about how this was discovered other than "some applicants were able
to see file names and user names that belonged to other applicants"
and that "We also want to inform all applicants, before we reopen,
whether they have been affected by the glitch."<br>
<br>
The thing about the March 19th date is this [and is hardly
incriminating]: <br>
<br>
"As part of that process [of inquiring, deeply, after the fact,
inquisitively, with great minutia and one could even suggest
paranoia], we are sifting through the thousands of customer service
inquiries received since the opening of the application submission
period [doing some plain old police work]. This preliminary review
has identified a user report on 19 March that appears to be the
first report related to this technical issue."<br>
<br>
So we know it is, officially, a 'glitch'. We also know that ICANN
has been open about some crucial part of its findings (that
knowledge of the glitch could have been had by potential glitch
victims, as well as by potential beneficiaries, and by ICANN itself,
for that matter). There doesn't appear to be secrecy or scheming,
and that is good.<br>
<br>
<br>
I'm impressed (neither in a good nor in a bad way) by how little has
leaked so far though, and also somewhat by the absence of any
comment by Jeff Moss.<br>
<br>
However it was discovered, the important thing is that it has, from
then, been handled properly.<br>
<br>
If so, there is no blunder. Just yet some other grounds on which
ICANN will need to defend itself in the legal aftermaths
that are sure to follow expansion.<br>
<br>
Nicolas<br>
<br>
On 4/18/2012 4:05 PM, David Cake wrote:
<blockquote
cite="mid:94CF3A66-E4C0-4F15-A948-2CB6DE7332DB@difference.com.au"
type="cite">I agree with Maria that this is a most unfortunate
thing to have happen, and the level of schadenfreude is
unreasonably high.
<div><br>
</div>
<div>As a member of SSR Review Team, I am interested to know
details of how ICANN dropped the ball so badly on security of
its own application process. </div>
<div><br>
</div>
<div>Regards</div>
<div><br>
</div>
<div>David<br>
<div><br>
<div>
<div>On 19/04/2012, at 1:27 AM, Maria Farrell wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">Not that there is ever a good time
for such a failure!
<div><br>
</div>
<div>m<br>
<br>
<div class="gmail_quote">On 18 April 2012 18:26, Maria
Farrell <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:maria.farrell@gmail.com">maria.farrell@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Dear
Klaus,
<div><br>
</div>
<div>I'm not close enough to the specifics of this
situation to suggest where it went wrong, but I do
appreciate your approach of criticism from someone
who ultimately wants ICANN to work rather than to
fail. </div>
<div><br>
</div>
<div>Clearly, something (things?) has gone horribly
wrong, but there is a lot more schadenfreude from
various quarters than is consistent with detailed
knowledge or concern for the new gTLD programme
more broadly. It really is a terrible year - IGF
etc - for ICANN to have massively dropped the
ball. </div>
<span class="HOEnZb"><font color="#888888">
<div><br>
</div>
</font></span>
<div><span class="HOEnZb"><font color="#888888">Maria</font></span>
<div>
<div class="h5"><br>
<br>
<div class="gmail_quote">On 18 April 2012
16:01, klaus.stoll <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:klaus.stoll@chasquinet.org"
target="_blank">klaus.stoll@chasquinet.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> Dear Friends<br>
<br>
Unfortunately all of the below is true.
Many questions but few answers. It
seems to me the time has come to start a
comprehensive re-thinking and re-planning
process. If things go on as they are the
damage will increase and increase. ICANN
is not perfect, ICANN has a lot of
problems, ICANN at times is a madhouse of
interests and egos, BUT ICANN is the best
system for Internet Governance we have, we
should be proud for the way it worked so
well so far, everything else is even
worse. Now it seems that ICANN is under
real pressure we need to work twice as
hard to protect ICANN and at the same time
think twice as hard about possible
solutions. Now is the time for
self-confidence and innovation, everything
else is counter productive. Thinking back
over the years we need to look where
things started to get seriously wrong and
correct the basic mistakes made. Any
suggestions where it all went wrong?<br>
<br>
Does anybody know where the reset button
is on that one?<br>
<br>
Yours<br>
<br>
Klaus<br>
<br>
-----Original Message----- From: Carlos A.
Afonso<br>
Sent: Tuesday, April 17, 2012 2:18 PM<br>
To: <a moz-do-not-send="true"
href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU"
target="_blank">NCSG-DISCUSS@LISTSERV.SYR.EDU</a><br>
Subject: Fwd: [governance] ICANNLeaks -
Loosing Trust to Maintain the Secrecy<br>
<br>
Imran pretty much summarizes the extension
of the incredible blunder,<br>
especially in its liability aspects.<br>
<br>
At a minimum ICANN will need to hire
independent specialist auditors to<br>
do a full check on the damage and on who
has been affected (although I<br>
do not believe in the tale that just a few
have been affected). But<br>
these auditors would be chosen by staff,
so the blunder might rise to<br>
new levels. Could the applicants
participate in this choice?<br>
<br>
This is going to escalate, the question
now is how far it will go.<br>
<br>
What should NCSG do about it? I frankly do
not know what to propose<br>
right now. The IOC/RC process, the refusal
by the NTIA to renew the IANA<br>
contract, and now this incredible TAS
blunder, all in a few months... it<br>
seems ICANN is trying hard to burn itself
out.<br>
<br>
I wonder who are the "four candidates" for
the post of Beck Rodstrom<br>
(sic on purpose :)), the brave individuals
who wish to come to ICANN and<br>
try and clean up this mess?<br>
<br>
frt rgds<br>
<br>
--c.a.<br>
<br>
-------- Original Message --------<br>
Subject: [governance] ICANNLeaks - Loosing
Trust to Maintain the Secrecy<br>
Date: Tue, 17 Apr 2012 04:29:17 -0700
(PDT)<br>
From: Imran Ahmed Shah &lt;<a
moz-do-not-send="true"
href="mailto:ias_pk@yahoo.com"
target="_blank">ias_pk@yahoo.com</a>&gt;<br>
Reply-To: <a moz-do-not-send="true"
href="mailto:governance@lists.igcaucus.org"
target="_blank">governance@lists.igcaucus.org</a>,Imran
Ahmed Shah &lt;<a moz-do-not-send="true"
href="mailto:ias_pk@yahoo.com"
target="_blank">ias_pk@yahoo.com</a>&gt;<br>
To: <a moz-do-not-send="true"
href="mailto:governance@lists.igcaucus.org"
target="_blank">governance@lists.igcaucus.org</a>
&lt;<a moz-do-not-send="true"
href="mailto:governance@lists.igcaucus.org"
target="_blank">governance@lists.igcaucus.org</a>&gt;<br>
CC: Imran @IGFPak.org &lt;<a
moz-do-not-send="true"
href="mailto:imran@igfpak.org"
target="_blank">imran@igfpak.org</a>&gt;<br>
<br>
Dear<br>
All,<br>
Security, Stability and Resiliency of the
Internet layers was the prime<br>
responsibility of the ICANN, but the
organization<br>
couldn't protect/ secure its latest online
application submission system<br>
of new<br>
gTLDs (TAS). Would it be fair to say the
best practices were not followed to<br>
design the system which was built to keep
the information secure,<br>
confidential<br>
and protected. This<br>
application supported the collection of
850+ applications and over $150m<br>
funds.<br>
<br>
ICANN<br>
has been informed about this glitch on
19th but ICANN did not take it<br>
seriously, decision making took about 23
days.<br>
ICANN took its TAS Application<br>
offline on 12th April which was the last
date when it has to be closed<br>
automatically. ICANN has its plan to
reopen this TAS system to the<br>
public that<br>
means expansion of the 90-day window by
extension of the closing<br>
date.<br>
"We have learned of a possible glitch in
the TLD application system<br>
software that has allowed a limited number
of users to view some other<br>
users' file names and user names in
certain scenarios."<br>
<br>
Technically it was necessary to use the
secure method<br>
and variables should not be displayed in
the URL. According to the<br>
policy the<br>
information of the applicants will not be
disclosed however, the<br>
applicant name<br>
and the applied for string has to be
publicly announced at a later stage.<br>
Many of them may have lost their<br>
secrecy &amp; confidentiality. It is next
to impossible to discover who is<br>
the beneficiary and who is the loser?
However, it will raise the conflicts<br>
and bidding values.<br>
In<br>
short ICANN has lost its trust for
maintaining the confidentiality,<br>
Integrity and Information Security. ICANN
has to re-define its policy or<br>
call public comments that how to deal with
this scenario.<br>
<br>
Thanks<br>
<br>
Imran Ahmed Shah<br>
. </blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</body>
</html>