Paul Walsh, the Irish Opportunist

The world’s most heavily trafficked web domain, .COM, is now the riskiest, according to McAfee’s fourth annual Mapping the Mal Web report released today. Fifty-six percent of all risky sites end in .COM.

McAfee analyzed more than 27 million websites to uncover which domains are the most dangerous. While .COM is the riskiest top-level domain, the riskiest country domain is Vietnam (.VN). Japan’s .JP ranks as the safest country domain for the second year in a row. The report also found that 6.2 percent of the 27 million websites analyzed pose a security risk — up from 5.8 percent last year.

This report underscores how quickly cybercriminals change tactics to lure in victims and avoid being caught,” said Paula Greve, director of web security research for McAfee Labs(TM). “Last year Vietnam’s .VN was a relatively safe domain, and this year it jumped to the third most dangerous domain. Cybercriminals target regions where registering sites is cheap and convenient and pose the least risk of being caught. A domain that’s safe one year can be dangerous the next.

A top-level domain, also known as a “TLD,” is the letter code at the end of a website that indicates where the site is registered. Most people do not pay attention to the TLD suffix when they search, and many click on the first result that looks interesting. This leaves the surfer vulnerable to criminals who optimize sites for search engines and take advantages of typos such as .CM (Cameroon) instead of .COM.

Country Domain Comparisons

The report reveals drastic changes in country domain rankings with .VN (Vietnam) skyrocketing to third place, up from 39th in 2009. In fact, 58 percent of the country’s registered sites are ranked as risky. By contrast, .SG (Singapore) became safer this year, dropping to the 81st most risky domain from 10th in last year’s report. Singapore’s registration process now requires appropriate documentation when seeking to register any .SG site, which helped to improve its safety levels, according to the Singapore Network Information Center. Click here to see an interactive map of the most dangerous domains.

Top Five Riskiest Country Web Domains   Overall Risk   Overall Risk
(ranked in most                             2010           2009
risky order)

Vietnam (.VN)                            29.4%           .9%
Cameroon (.CM)                        22.2%          36.7%
Armenia (.AM)                           12.1%          2.0%
Cocos (.CC)                                 10.5%          3.3%
Russia (.RU)                               10.1%          4.6%

Top Five Safest Country Web Domains     Overall Risk   Overall Risk
(ranked in least                            2010           2009
risky order)

Japan (.JP)                                  .1%            .1%
Catalan (.CAT)                            .1%            .1%
Guernsey (.GG)                           .1%            .6%
Croatia (.HR)                               .1%            .1%
Ireland (.IE)                                 .1%            .1%

Key Findings from the 2010 Mapping the Mal Web Report

Cybercriminals are opportunistic: Domain registrars set the guidelines for anyone who wants to register a site. As rules evolve each year, cybercriminals sniff out loopholes and create new ways to set up dangerous sites quickly. A clean domain deters cybercriminals: Cybercriminals move away from domains that have tougher restrictions. This year, Singapore (.SG) showed significant improvement. Safest domains: .TRAVEL and .EDU are the safest top-level domains with less than .05 percent of sites infected, which is one in 2,000 sites.

Tips for Consumers, Businesses and Domain Operators

What online surfers may not know is that simply viewing a page can return much more than they bargained for,” said Greve.

Cybercriminals lay invisible traps all over the Internet that are intended to steal consumers’ passwords, bank information or even identities.

Web surfers can stay protected from quickly evolving threats on the Web by using reputable, actively updated security software with advanced malware detection and prevention. Security suites like McAfee Total Protection(TM) keep users’ personal information and computers safe with several tools and technologies to protect against every facet of online risks.

Businesses can help users navigate Web risks by adding Web reputation functionality to their other defenses. Operators of risky TLDs can learn from the report as well. It is possible to turn around a risky reputation or maintain a good one.

This report is very reason I welcome the new .xxx TLD from ICM Registry following six long years of ICANN fence-sitting. Site owners that buy a .xxx domain sign up to a code of conduct that includes the automatic labeling of their website as ‘for adults only’. This will enable browsers and search engines exclude .xxx sites to help protect minors from inappropriate content on the Web in the future. ICANN is expected to sign the ICM contract this Thursday - my fingers are well and truly crossed.

I’m guessing McAfee are producing such reports about .com because its biggest competitor, Symantec, acquired VeriSign’s security business for $1.28bn earlier this year. In case you didn’t know, VeriSign own the .com TLD. McAfee was acquired by Intel for $7.6bn recently. Looks like the trust industry is consolidating. The market conditions are ripe for a newcomer* to take the helm. Watch this space!

Does this image provide you with more trust in how Facebook manages and shares your personal information? Do you trust this ’site validation’ assertion?

I read an interesting article regarding Facebook’s most recent privacy breaches on the Wall Street Journal site yesterday. It’s well known that Facebook has a complete disregard for users’ privacy by sharing personal information with third-party applications and making assumptions about the type of information they want to share with friends and the general public. Most readers of this blog are well versed on this subject, so I won’t bore you with the details or even talk about Facebook itself. Instead, I’d like to comment on the lack of solutions that help encourage companies like Facebook improve their privacy policies.

In particular, I’d like to comment on TRUSTe and how I don’t think the company is doing itself any justice when it comes to providing confidence in its own brand and its seal programme. Instead of launching new products that support mobile, TRUSTe should focus on getting its main product right. Trust is fragile and when lost, it’s almost impossible to win back.

TRUSTe is one of the most widely recognized seals used by organisations that want to demonstrate their conformance and commitment to privacy policy best practices. To demonstrate this commitment, organizations place a TRUSTe privacy seal on their Web site. Users can click on the seal to authenticate the trustmark and find out more information about the best practices. Check out Facebook’s authenticated seal.

According to Fran Maier, TRUSTe Chair

While TRUSTe certifies the privacy practices of Facebook.com, we do not certify the privacy practices of third party applications on the site like those referenced in the WSJ’s article.

Here’s TRUSTe’s biggest shortfall and something they must address if it is to be taken seriously long term. By asserting that Facebook.com lives up to the TRUSTe code of conduct, it is asserting that all applications and content live up to the same standard.  Companies are responsible for content and applications that users access through their site if it is perceived that they control or own that content. That is, according to legislation in countries such as the UK. Even if this didn’t fall under country-specific legislation, it’s quite obvious that TRUSTe’s seal should cover this aspect when almost everyone on the planet is unhappy with Facebook’s approach to privacy.

According to Chris Babel, CEO of TRUSTe in a post by ZDNet

Facebook has complied with TRUSTe’s policies in that it has quickly responded to the data leak and it suspended some of the applications. “That’s exactly what we want to see.”

Chris’ statement tells me that TRUSTe is now allowing big corporations to break the rules as long as they “have a process”. Sounds like ISO9000 to me - it’s a ‘get out of jail free’ card - it’s ok not to documented processes as long as you have a process for documenting them in the future. Shouldn’t TRUSTe revoke the seal until they have fixed the actual problem?

Either Facebook should live up to the code that the TRUSTe seal asserts, or TRUSTe should remove the seal.

If you look again at the TRUSTe page above which validates Facebook’s privacy seal, you can ‘Positively Endorse’ the assertion with one click of a button. Don’t do what I did and click the button to see what happens - or you’ll give the wrong impression by increasing the number of endorsements. To file a complaint however is a different story. You must first contact the site owner and then complete a form on TRUSTe’s Web site. I understand why they have this process, but why not allow the community to counter the endorsement also, so we can see a balance? I’m guessing it’s because the vast majority would vote against Facebook. If you’d like to file a complaint about Facebook’s use of your personal information please do so using this form.

Do you now trust Facebook given that you know it’s trusted by TRUSTe and now that you know it complies with its privacy seal?

As some of you know, I deleted my personal twitter account recently. It was great timing as the market conditions for MetaCert (my real work passion) started to blossom after about five years under the radar, meaning I needed more time to focus on what’s most likely to change the world. We’re in fundraising and partnership building mode at present, so there isn’t much else to say.

I will always update the company twitter account and promise never to hire a PR company or get someone else on the team to update it on behalf of the company. I won’t talk at you about the company, but I’m not likely to provide personal updates either, unless of course they’re related to the company. I’m not sure if that’s the right approach, so we’ll see how it goes - let me know if you have an opinion (even if it’s to tell me to stay away after enjoying the quiet time).

If you’re a marketing agency, registrar, hosting provider, security software or anti-malware reseller, get in touch as you’re a potential partner! If you’re a provider of trust in the form of a seal, we have a platform for you to help increase adoption of your own product.

Now… time to upset VeriSign, TRUSTe and others with low-cost products that are more scalable and based on the Open Web

The organization responsible for approving new extensions, the Internet Corporation for Assigned Names and Numbers (ICANN), first approved ICM Registry’s plans for a new .xxx extension in June 2005 (the application having been made more than a year earlier in March 2004).

At that time, the two sides entered contractual discussions about how the registry would be run technically and commercially (it is much harder to run a piece of the Internet’s basic infrastructure than you would think).

The contract went through several steps and was due to be approved. But as it drew close to completion, the idea of an Internet extension for the adult industry started getting widespread attention and soon a concerted campaign against the extension was launched. Despite a number of surveys showing broad support for what .xxx hoped to achieve, the application came under criticism from certain special interest groups.

The ICANN Board, for a number of stated reasons, then rejected the application in March 2007. ICM Registry felt it has been unfairly treated and so used the various mechanisms put in place to ensure that ICANN remained an objective guardian of the domain name system to question the decision.

In February 2010, an independent panel of three eminent jurists decided in ICM Registry’s favour, saying that ICANN’s decision has been against its own rules as well as local and international law.

The Independent Review Panel declared that ICANN should have entered into contract with ICM and, at the time of writing, it currently rests with the Board to decide how to proceed.

ICM Registry expects to be able to move forward with the contract negotiated during 2005-2007, and so have .xxx domains on the Internet before the end of 2010. ICANN is currently reviewing all comments from the Internet community, so I will post my comment on the official ICANN site - as I strongly feel that the .xxx domain is a great way to protect minors from inappropriate content. I would like to appeal to you, to do the same. I have explained how you can leave a formal comment at the end of this blog post - it will take you less than 1 minute using the automated process provided by ICM.

About the ICM Registry

ICM Registry is a financially stable and completely independent entity with no affiliation, current or historic, with the adult entertainment industry. As a registry operator, ICM Registry will provide management, supporting infrastructure and back-end functionality.

The .xxx extension will be one of a very small number of sponsored Internet extensions and members of the sponsoring community will be able to register domains with the new ending.

However, while most Internet extensions are used for just about everything you can imagine, .xxx will be focused on providing an online home for those members of the adult industry who wish to self-identify and responsibly self-regulate.

The International Foundation for Online Responsibility (IFFOR) is the sponsoring organization. IFFOR is a non-profit entity that will serve as the policy-making body for the .xxx extension.

IFFOR is and will remain independent from ICM Registry and will have its own board of directors representing all stakeholders, including child safety representatives, members of the free speech community and adult entertainment industry leaders.

IFFOR’s mission includes contributing programs and tools to make a difference in the continuing battle against child pornography and establishing a forum for the online adult-entertainment community to communicate and proactively respond to the needs and concerns of the broader Internet community.

About ICANN

To reach another person on the Internet you have to type an address into your computer - a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet.

ICANN was formed in 1998. It is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.

ICANN doesn’t control content on the Internet (I disagree!). It cannot stop spam and it doesn’t deal with access to the Internet. But through its coordination role of the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.

My open letter to ICANN

Dear Board of Directors

I am writing to urge the ICANN Board to abide by the declaration of the Independent Review Panel and to enter into a registry agreement with ICM without further delay.

Regardless of the nature of the sTLD, ICANN must respect the procedures it has established to ensure accountability to the wider Internet community. Failing to fully abide by the decision of the IRP will demonstrate that ICANN has no meaningful commitment to accountability, and will seriously damage ICANN’s legitimacy and authority.

Therefore, ICANN has only one option if it wishes to preserve the integrity of its procedures and its long-term credibility as the manager of the DNS: immediately execute a registry agreement with ICM and allow ICM to proceed with the launch of the sTLD.

Tim Berners-Lee invented the Web so people could share hyperlinked documents online. He didn’t invent it to have it policed by extremists who are unable to accept opposing views and opinions to their own. Furthermore, I don’t believe in anonymity in comments when it comes to such important topics (as supported by your Web site), as it enables the same people to leave more than one comment - it also enables people from the same organizations/circles to support each other without having to put their name to it.

The debate about the .xxx domain is completely skewed by religion and politics in my opinion - that is wrong. I have not seen one piece of evidence to support ICANN’s right to refused the .xxx application.

Every technology enables bad people to do bad things, just like it allows good people to do good things - the Web is a perfect platform that demonstrates this point. What we must do, is use technology that empowers people to find what they want, whilst protecting them from what they deem to be inappropriate. This however, must not come at the expense of hampering freedom of speech.

The W3C is the global standards consortium responsible for the creation of standards such as HTML and Accessibility development guidelines to help developers build websites that are accessible to disabled people - founded and managed today, by Tim Berners-Lee. It is also responsible for the creation of a standard called PICS. PICS is the old and outdated method used by Microsoft Internet Explorer’s filter - used to help protect minors from inappropriate content on the Web today.

To address comments on your site regarding the use of .xxx to increase the number of adult orientated websites… pornographic websites make up for the vast majority of sites that use PICS, to help protect minors from adult orientated content. So, whether people like it or not, IE is reading labels from porn sites TODAY. As I stated earlier, IE uses a method that is based on an old and outdated W3C standard called PICS - it’s not flexible and it doesn’t do what today’s technology can support - hence why most people don’t use the filter.

The Family Online Safety Institute, an international, non-profit organization of internet leaders working to develop a safer internet, continues to support the outdated method of labelling content - BUT, it no longer actively encourages developers to use it - its strategy is now focused on lobbing governments and big orginazations around the world. That means, very few, if any, new websites are being labelled so that IE can filter out inappropriate content.

There is good news, in December 2009, PICS was replaced by a new method called POWDER (AKA Content Labels) that is much easier to use and it’s much more advanced technology wise.

Every person who registers a .xxx domain will be forced to use the new standard to label their content as adult oriented - this will enable IE and other browsers to filter out .xxx domains for people who find them inappropriate. This demonstrates the ICM Registry’s commitment to protecting people from inappropriate content. This is the opposite to what most unqualified opinions believe - as they haven’t properly understood this fact.

As I said earlier, regardless of the nature of the sTLD, ICANN must respect the procedures it has established to ensure accountability to the wider Internet community.

Warm regards,

Dear reader, click here to leave a formal comment for ICANN in less than one minute

[update: 22nd April 2009 after reading this post, a friend of mine reminded me of the following point "the promotion of MetaCert Content Labels by .xxx will lead the way for all other .tld domain sites to follow suit and therefore lead to (at last) a solution to block all porn sites from access to kids via a content label that has widespread adoption.]

I decided recently, to be more focused on what’s important in life and in business. So, not only did I delete my twitter account with 6,000 followers, I deactivated my Facebook account with just under 2,000 connections and gave up many of my business interests.

I can’t say more about what I’m focused on - that will become more apparent in the coming months.