<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I agree with Maria that this is a most unfortunate thing to have happen, and the level of schadenfreude is unreasonably high.<div><br></div><div>As a member of SSR Review Team, I am interested to know details of how ICANN dropped the ball so badly on security of its own application process. </div><div><br></div><div>Regards</div><div><br></div><div>David<br><div><br><div><div>On 19/04/2012, at 1:27 AM, Maria Farrell wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Not that there is ever a good time for such a failure!<div><br></div><div>m<br><br><div class="gmail_quote">On 18 April 2012 18:26, Maria Farrell <span dir="ltr"><<a href="mailto:maria.farrell@gmail.com">maria.farrell@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear Klaus,<div><br></div><div>I'm not close enough to the specifics of this situation to suggest where it went wrong, but I do appreciate your approach of criticism from someone who ultimately wants ICANN to work rather than to fail. </div>
<div><br></div><div>Clearly, something (things?) has gone horribly wrong, but there is a lot more schadenfreude from various quarters than is consistent with detailed knowledge or concern for the new gTLD programme more broadly. It really is a terrible year - IGF etc - for ICANN to have massively dropped the ball. </div>
<span class="HOEnZb"><font color="#888888">
<div><br></div></font></span><div><span class="HOEnZb"><font color="#888888">Maria</font></span><div><div class="h5"><br><br><div class="gmail_quote">On 18 April 2012 16:01, klaus.stoll <span dir="ltr"><<a href="mailto:klaus.stoll@chasquinet.org" target="_blank">klaus.stoll@chasquinet.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Dear Friends<br>
<br>
Unfortunately all of the below is true. Many questions but little answers. It seems to me the time has come to start a comprehensive re-thinking and re-planning process. If things go on as they are the damage will increase and increase. ICANN is not perfect, ICANN has a lot of problems, ICANN at times is a madhouse of interests and egos, BUT ICANN is the best system for Internet Governance we have, we should be proud for the way it worked so well so far, everything else is even worse. Now it seems that ICANN is under real pressure we need to work twice as hard to protect ICANN and at he same time think twice as hard about possible solutions. Now is the time for self-confidence and innovation, everything else is counter productive. Thinking back over the years we need to look where things started to get seriously wrong and correct the basic mistakes made. Any suggestions where it all went wrong?<br>
<br>
Does anybody know where the reset button is on that one?<br>
<br>
Yours<br>
<br>
Klaus<br>
<br>
-----Original Message----- From: Carlos A. Afonso<br>
Sent: Tuesday, April 17, 2012 2:18 PM<br>
To: <a href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU" target="_blank">NCSG-DISCUSS@LISTSERV.SYR.EDU</a><br>
Subject: Fwd: [governance] ICANNLeaks - Loosing Trust to Maintain the Secrecy<br>
<br>
Imram pretty much summarizes the extension of the incredible blunder,<br>
especially in its liability aspects.<br>
<br>
At a minimum ICANN will need to hire independent specialist auditors to<br>
do a full check on the damage and on who has been affected (although I<br>
do not believe in the tale that just a few have been affected). But<br>
these auditors would be chosen by staff, so the blunder might rise to<br>
new levels. Could the applicants participate in this choice?<br>
<br>
This is going to escalate, the question now is how far it will go.<br>
<br>
What should NCSG do about it? I frankly do not know what to propose<br>
right now. The IOC/RC process, the refusal by the NTIA to renew the IANA<br>
contract, and now this incredible TAS blunder, all in a few months... it<br>
seems ICANN is trying hard to burn itself out.<br>
<br>
I wonder who are the "four candidates" for the post of Beck Rodstrom<br>
(sic on purpose :)), the brave individuals who wish to come to ICANN and<br>
try and clean up this mess?<br>
<br>
frt rgds<br>
<br>
--c.a.<br>
<br>
-------- Original Message --------<br>
Subject: [governance] ICANNLeaks - Loosing Trust to Maintain the Secrecy<br>
Date: Tue, 17 Apr 2012 04:29:17 -0700 (PDT)<br>
From: Imran Ahmed Shah <<a href="mailto:ias_pk@yahoo.com" target="_blank">ias_pk@yahoo.com</a>><br>
Reply-To: <a href="mailto:governance@lists.igcaucus.org" target="_blank">governance@lists.igcaucus.org</a>,<u></u>Imran Ahmed Shah <<a href="mailto:ias_pk@yahoo.com" target="_blank">ias_pk@yahoo.com</a>><br>
To: <a href="mailto:governance@lists.igcaucus.org" target="_blank">governance@lists.igcaucus.org</a> <<a href="mailto:governance@lists.igcaucus.org" target="_blank">governance@lists.igcaucus.org</a><u></u>><br>
CC: Imran @IGFPak.org <<a href="mailto:imran@igfpak.org" target="_blank">imran@igfpak.org</a>><br>
<br>
Dear<br>
All,<br>
Security, Stability and Resiliency of the Internet layers was the prime<br>
responsibility of the ICANN, but the organization<br>
couldn't protect/ secure its latest online application submission system<br>
of new<br>
gTLDs (TAS). Would it be fair to say the best practices were not followed to<br>
design the system which was built to keep the information secure,<br>
confidential<br>
and protected. This<br>
application supported the collection of 850+ applications and over $150m<br>
funds.<br>
<br>
ICANN<br>
has been informed about this the glitch on 19th but ICANN did not taken it<br>
seriously, decision making took about 23 days.<br>
ICANN took its TAS Application<br>
offline on 12th April which was the last date when it has to be closed<br>
automatically. ICANN has its plan to reopen this TAS system to the<br>
public that<br>
mean Expansion the 90days window by extension of closing<br>
date.<br>
"We have learned of a possible glitch in the TLD application system<br>
software that has allowed a limited number of users to view some other<br>
users' file names and user names in certain scenarios."<br>
<br>
Technically it was necessary to use the secure method<br>
and variables should not be displayed in the URL. According to the<br>
policy the<br>
information of the applicants will not be disclosed however, the<br>
applicant name<br>
and the applied for string has to publically announced at a later stage.<br>
Many of them may have lost their<br>
secrecy& confidentiality. It is next to impossible to discover that who is<br>
the beneficiary and who is the looser? However, it will raise the conflicts<br>
and bidding values.<br>
In<br>
short ICANN has lost its trust for maintaining the confidentiality,<br>
Integrity and Information Security. ICANN has to re-define its policy or<br>
call public comments that how to deal with this scenario.<br>
<br>
Thanks<br>
<br>
Imran Ahmed Shah<br>
. </blockquote></div><br></div></div></div>
</blockquote></div><br></div>
</blockquote></div><br></div></div></body></html>