<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet title="XSL formatting" type="text/xsl" href="http://www.gandibar.net/feed/rss2/xslt" ?><rss version="2.0"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:wfw="http://wellformedweb.org/CommentAPI/"
  xmlns:content="http://purl.org/rss/1.0/modules/content/"
  xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
  <title>Gandi Bar - Tag - Security</title>
  <link>http://www.gandibar.net/</link>
  <atom:link href="http://www.gandibar.net/feed/tag/Security/rss2" rel="self" type="application/rss+xml"/>
  <description>Gandi blog, to share our opinions</description>
  <language>en</language>
  <pubDate>Fri, 17 May 2013 22:25:02 -0400</pubDate>
  <copyright></copyright>
  <docs>http://blogs.law.harvard.edu/tech/rss</docs>
  <generator>Dotclear</generator>
  
    
  <item>
    <title>Gandi Stands in Opposition to CISPA</title>
    <link>http://www.gandibar.net/post/2012/04/17/Gandi-Stands-in-Opposition-to-CISPA</link>
    <guid isPermaLink="false">urn:md5:1c904475d1568647461c634fdc9241cb</guid>
    <pubDate>Tue, 17 Apr 2012 13:45:00 -0700</pubDate>
    <dc:creator>Thomas</dc:creator>
        <category>Gandi</category>
        <category>CISPA</category><category>Gandi supports</category><category>Security</category><category>SOPA</category><category>take action</category>    
    <description>Some of you may have heard about the Stop Online Piracy Act, or SOPA. Gandi took a position against this legislation for &lt;a href=&quot;http://www.gandibar.net/post/2011/12/23/Gandi-s-Opposition-to-the-SOPA-Legislation&quot; hreflang=&quot;en&quot;&gt;good reasons&lt;/a&gt;. The US Congress is once again considering acts that abrogate existing privacy law on the Internet, this time in the name of stopping cyber attacks. One particularly heinous act is called&lt;a href=&quot;http://www.govtrack.us/congress/bills/112/hr3523/text&quot; hreflang=&quot;en&quot;&gt; CISPA, the Cyber Intelligence Sharing and Protection Act.&lt;/a&gt; 
&lt;br /&gt; &lt;br /&gt;    The problem is, CISPA is &lt;a href=&quot;http://www.youtube.com/watch?v=vjZ8-xO2pMM&quot; hreflang=&quot;en&quot;&gt;worse than SOPA&lt;/a&gt;. Here is a breakdown of some of what CISPA would do:
&lt;ul&gt;
 &lt;li&gt;Extend the National Security Act to cover &amp;quot;cybersecurity&amp;quot; threats, loosely defined. &lt;/li&gt;
 &lt;li&gt;Allow US intelligence services and private companies to monitor and collect information we users place on the Internet, including emails, text messages, VOIP calls, web sites we visit, etc. &lt;/li&gt;
&lt;li&gt;Allow US intelligence services to legally share the data gathered with private companies, and allow private companies to share data they collect with US intelligence services.&lt;/li&gt;
 &lt;li&gt;Allow private companies and/or US intelligence services to block or even modify data sent over the Internet.&lt;/li&gt;
&lt;/ul&gt; 
Given these powers, the US government would have unprecedented power to snoop on data from any site they do not like, in the name of “cybersecurity”. Oversight is minimal; in fact, even with recent amendments, the bill explicitly limits public oversight of enforcement of its provisions. The data they snoop can then be used in the prosecution of &amp;quot;cybercrime&amp;quot;, presumably in an effort to shut down such sites. They just need a &amp;quot;significant&amp;quot; purpose.  Sound vague to you? It is. &lt;br /&gt;&lt;br /&gt;
Originally CISPA included “theft of intellectual property” in its definition of cybersecurity threats. That made it an effective tool for the US government to go after file-sharing sites and copyright violators. That language was removed under pressure from advocacy groups, but the remaining language is so vague that it leaves open the possibility of defining at least some violations of IP law as &amp;quot;cybersecurity related&amp;quot;. &lt;br /&gt;&lt;br /&gt;
It is interesting to consider that a site such as Wikileaks might fall under the definition of a cybersecurity threat in CISPA. One wonders if that is what the US government really wants to shut down: the exposure of embarrassing truths on the Internet?&lt;br /&gt;&lt;br /&gt;
We at Gandi are a multi-cultural, multi-opinionated team of Internet experts. Unlike the bill's sponsors (which include AT&amp;amp;T, Facebook, and Google) we do not think that CISPA is the right approach to stopping cyber attacks on government agencies and private companies. We get our fair share of attacks, and trust us, we don’t like it, but what is the real price of fighting these bad actors with laws? We feel the comprehensive nature of the CISPA legislation offers a bazooka-to-swat-a-horsefly approach, and bazookas always cause &lt;em&gt;collateral damage&lt;/em&gt;. We know what that phrase means from the Bush era: innocent people getting hurt. That price is too high. Try again, US lawmakers. You can do better (See &lt;a href=&quot;https://www.cdt.org/blogs/greg-nojeim/2803cybersecuritys-8-step-plan-internet-freedom&quot; hreflang=&quot;en&quot;&gt;Cybersecurity's 7-Step Plan for Internet Freedom&lt;/a&gt;, from the Center for Democracy and Technology, for example).
&lt;br /&gt; &lt;br /&gt;
&lt;a href=&quot;http://www.govtrack.us/congress/bills/112/hr3523/text&quot; hreflang=&quot;en&quot;&gt;Read the bill!&lt;/a&gt; Form your own opinion and share it! Do you agree with us? Take action &lt;a href=&quot;https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8444&quot; hreflang=&quot;en&quot;&gt;with the EFF&lt;/a&gt;, or &lt;a href=&quot;http://www.avaaz.org/en/stop_cispa/&quot; hreflang=&quot;en&quot;&gt;Avaaz.&lt;/a&gt;
&lt;br /&gt; 
&lt;br /&gt;
UPDATE: 5/17/2012: CISPA Passes the House of Representatives, heads to an uncertain future in the senate, and a veto threat from Obama. See &lt;a href=&quot;http://www.concordy.com/article/science-and-technology/may-17-2012/cispa-passes-through-house-controversial-bill-re-opens-privacy-debate/4800/&quot; hreflang=&quot;en&quot;&gt;this link.
&lt;/a&gt;
&lt;br /&gt; 
&lt;br /&gt;
UPDATE: 8/9/2012: CISPA has been rejected by the Senate 52-49, on August second. We expect it will return, possibly with another name, in the next session, so our work in opposing legislation that restricts our rights to free speech is far from over. 
&lt;br /&gt;&lt;br /&gt; 
We want to hear your thoughts. Do you care what your registrar and web host have to say about these repeated legislative assaults on Internet users? How important are these issues to you? Let us know in the comments.</description>
    
    
    
      </item>
    
  <item>
    <title>8 Things a Domain Thief Loves</title>
    <link>http://www.gandibar.net/post/2009/02/15/8-Things-a-Domain-Thief-Loves</link>
    <guid isPermaLink="false">urn:md5:6c9c1d3a84fa2e1a2907cad5dadf2899</guid>
    <pubDate>Sun, 15 Feb 2009 21:19:00 +0000</pubDate>
    <dc:creator>Joe</dc:creator>
        <category>Internet</category>
        <category>Domain names</category><category>Domain thief</category><category>Security</category>    
    <description>&lt;p&gt;We all put a lot of effort into securing the &lt;a href=&quot;http://uk.gandi.net/&quot; hreflang=&quot;en&quot;&gt;domain names&lt;/a&gt; we purchase. It may be creative energy finding the perfect name for your blog in an increasingly crowded landscape; or waiting patiently for your company name to be released back into the wild by someone who's owned it for 5 years but never used it.&lt;/p&gt;


&lt;p&gt;Regardless, your domains can be stolen or sniped from right under your nose. We thought we'd take a light-hearted look at how to keep your domains safe from potential domain thieves:&lt;/p&gt;    &lt;p&gt;1. Unlocked Domain Names&lt;/p&gt;


&lt;p&gt;The thief does not like a locked domain name; it means they have to go through another layer of protection to steal it. Lock all your domains by default.&lt;/p&gt;


&lt;p&gt;Do you realise how easy it is for a thief to crack your free email compared to POP3? C'mon now, get serious.&lt;/p&gt;


&lt;p&gt;Solution: Lock all your domains by default.&lt;/p&gt;


&lt;p&gt;2. Domain name front running (also called domain sniffing)&lt;/p&gt;


&lt;p&gt;Just because that domain you searched for three months ago is now with someone using it to promote a Nigerian Strip Poker site does not mean that it was sniffed and then stolen. However, enough evidence exists to suggest that the practice is real.&lt;/p&gt;


&lt;p&gt;&lt;a href=&quot;http://www.gandibar.net/post/2008/10/22/Why-domain-name-services-are-not-all-equal&quot; hreflang=&quot;en&quot;&gt;http://www.gandibar.net/post/2008/10/22/Why-domain-name-services-are-not-all-equal&lt;/a&gt;&lt;/p&gt;


&lt;p&gt;What more can a domain thief hope for than to know the domain name you want?&lt;/p&gt;


&lt;p&gt;Solution: search for your name on a reputable domain registrar's site (not to blow our own trumpet, but you won't catch anyone 'sniffing' here).&lt;/p&gt;


&lt;p&gt;3. Weak Passwords&lt;/p&gt;


&lt;p&gt;You may think that having a password like &amp;quot;123abc&amp;quot; is an ironic way to fool password crackers, but you won't be laughing when your domain name is used to promote a One Legged Albanian Car Wash service.&lt;/p&gt;


&lt;p&gt;Solution: make it long and hard. The password, that is.&lt;/p&gt;


&lt;p&gt;4. Non-variant password implementation (the same password everywhere)&lt;/p&gt;


&lt;p&gt;Yes, I know it's easier to have the same password for every online account you own. Not wise: if you lose one, you lose them all. Think about that for a minute.&lt;/p&gt;


&lt;p&gt;Solution: Keep a hard copy of your accounts and respective passwords handy.&lt;/p&gt;


&lt;p&gt;5. Shady, Not-to-be-Trusted Domain Registrars&lt;/p&gt;


&lt;p&gt;I'm not naming names here, but there are some places you should not be registering your domain. Your neighbourhood domain name thief knows the weak registrars. When you're a vulture you hang where the meat is.&lt;/p&gt;


&lt;p&gt;Solution: Read up on the registrar and make sure they have a good reputation.&lt;/p&gt;


&lt;p&gt;6. Industrial Password Cracking software&lt;/p&gt;


&lt;p&gt;If you use a free email service, or you are with a registrar whose security is weak, then the domain name thief will be bringing out his favourite password cracking software.&lt;/p&gt;


&lt;p&gt;Solution: Choose a long password and include non-dictionary characters.&lt;/p&gt;


&lt;p&gt;7. Downloads of Dodgy Software&lt;/p&gt;


&lt;p&gt;If you want to spend hours downloading all six series of T. J. Hooker using BitTorrent I'm not going to judge you, even though Shatner will be losing the royalties. But are you really sure that download isn't letting some hairy-assed keylogging software onto your pristine machine?&lt;/p&gt;


&lt;p&gt;Once the domain thief has a keylogger installed he can open a can of rampant destruction on your security, and as you say goodbye to that domain name, at least Shatner can comfort you.&lt;/p&gt;


&lt;p&gt;8. Naive people who cannot spot a Phishing scam&lt;/p&gt;


&lt;p&gt;I've never met someone who has had their details phished, but then who would admit it? If your registrar has sent you an email asking you to confirm personal details or your password, it is most probably a phishing exercise.&lt;/p&gt;


&lt;p&gt;If in doubt, email or call the registrar directly rather than replying to the message.&lt;/p&gt;


&lt;p&gt;So there you have it. It's impossible to guarantee 100% security, but if you make it so hard that even the hardened domain thief cannot work up the enthusiasm, it's job done.&lt;/p&gt;</description>
    
    
    
      </item>
    
</channel>
</rss>