Dear Registrar, This message is intended to explain how certain decisions that were made by the ICANN Board of Directors at its meeting in Paris last week may affect your registrar. Specifically, the Board adopted GNSO recommendations on domain tasting that included both budget and non-budget provisions designed to restrict the applicability of the Add Grace Period (AGP). Please note that this message is a summary of changes that affect registrars. You should refer to the adopted budget document and adopted motions for further information. Summary of Important Timing Issues After several months of discussion and public comment on both the budget and the GNSO recommendations, the Board has approved the proposed budget containing a provision for collecting transaction fees above a threshold during the AGP. Effective 1 July 2008, the registrar-level transaction fee will be collected on transactions, including names added on or after 1 July 2008 and deleted during the Add Grace Period above a certain minimum threshold. Each "transaction" will continue to be defined as a one-year domain registration increment caused by a successful add, renewal or transfer command, but this year any domain names deleted during the AGP (if offered) will be included as transactions if they exceed the maximum of (i) 10% of that registrar's net new registrations in that month (defined as total new registrations less domains deleted during AGP), or (ii) fifty (50) domain names, whichever is greater. The budget assumes the transaction fee rate will remain at US ./send.20. The second change prohibits registries from issuing refunds above a similar threshold for names registered and deleted during the AGP (although some registries have made plans to charge for such transactions independent of this motion). The implementation timing of this change has not been set, but should be expected to take place over a period of some months. ICANN staff will solicit public comments and post a registrar advisory prior to implementation of this aspect of the GNSO recommendation. Budget - Registrar Fees Effective 1 July 2008 The Operating Plan and Budget details for 2008-2009 fiscal year can be found at: http://www.icann.org/en/financials/proposed-opplan-budget-v3-fy09-25jun0 8-en.pdf Relevant section from the approved budget: * Registrar-Level Transaction Fees In FY08 the per transaction-year rate was ./send.20 (or a 5 cent discount from the established ./send.25 rate). The draft FY09 budget assumes that the ./send.20 rate will continue for registrar transaction fees. As in past years, each transaction will be defined as one-year domain registration increment caused by a successful add renewal or transfer command. FY09 revenue is estimated to be .4 million for registrar-level transaction fees. Each "transaction" will continue to be defined as a one-year domain registration increment caused by a successful add, renewal or transfer command, but this year any domain names deleted during the AGP (if offered) will be included as transactions if they exceed the maximum of (i) 10% of that registrar's net new registrations in that month (defined as total new registrations less domains deleted during AGP), or (ii) fifty (50) domain names, whichever is greater. Therefore per-transaction fee will continue to be charged for each one-year increment of every transaction (e.g. at a ./send.20 fee level, the fee for a three-year renewal will be US ./send.60), and registrars will continue to have the option to "defer" payment of the fees for the years beyond one for each transaction. n Note, as in previous years, ICANN can collect such fees directly from the registrars only if they are "expressly approved by registrars who account, in the aggregate, for payment of two-thirds of all registrar-level fees collected by ICANN." ICANN will shortly undertake the process of requesting such approval for the 2008-09 fiscal year. While ICANN is grateful for consistent approval by registrars of fee levels in prior years, and is optimistic about such approval this year, if for some reason the necessary approval is not achieved, the fees will be collected by ICANN, as permitted under the registry agreements through the registries. (Note that the amount of such fees varies by registry, but in no case exceeds US ./send.25.) Registries will then be able to collect those payments from registrars to the extent permitted under the relevant contracts. It is expected that the same transaction increments (including AGP) will be covered, whether collected directly by ICANN or in! directly by the registries, so registrars should anticipate this liability under either scenario. ICANN Board Resolution Whereas, ICANN community stakeholders are increasingly concerned about domain tasting, which is the practice of using the add grace period (AGP) to register domain names in bulk in order to test their profitability. Whereas, on 17 April 2008, the GNSO Council approved, by a Supermajority vote, a motion to prohibit any gTLD operator that has implemented an AGP from offering a refund for any domain name deleted during the AGP that exceeds 10% of its net new registrations in that month, or fifty domain names, whichever is greater. Whereas, on 25 April 2008, the GNSO Council forwarded its formal "Report to the ICANN Board - Recommendation for Domain Tasting" , which outlines the full text of the motion and the full context and procedural history of this proceeding. Whereas, the Board is also considering the Proposed FY 09 Operating Plan and Budget , which includes (at the encouragement of the GNSO Council) a proposal similar to the GNSO policy recommendation to expand the applicability of the ICANN transaction fee in order to limit domain tasting. Resolved (2008.06.26.06), the Board adopts the GNSO policy recommendation on domain tasting, and directs staff to implement the policy following appropriate comment and notice periods on the implementation documents. Domain tasting motion approved by the GNSO Council 17 April 2008 Whereas, the GNSO Council has discussed the Issues Report on Domain Tasting and the Final Outcomes Report of the ad hoc group on Domain Tasting; Whereas, the GNSO Council resolved on 31 October 2007 to launch a PDP on Domain Tasting; Whereas, the GNSO Council authorized on 17 January 2008 the formation of a small design team to develop a plan for the deliberations on the Domain Tasting PDP (the "Design Team"), the principal volunteers to which had been members of the Ad Hoc Group on Domain Tasting and were well-informed of both the Final Outcomes Report of the Ad Hoc Group on Domain Tasting and the GNSO Initial Report on Domain Tasting (collectively with the Issues Report, the "Reports on Domain Tasting"); Whereas, the GNSO Council has received the Draft Final Report on Domain Tasting; Whereas, PIR, the .org registry operator, has amended its Registry Agreement to charge an Excess Deletion Fee; and both NeuStar, the .biz registry operator, and Afilias, the .info registry operator, are seeking amendments to their respective Registry Agreements to modify the existing AGP; The GNSO Council recommends to the ICANN Board of Directors that: 1. The applicability of the Add Grace Period shall be restricted for any gTLD which has implemented an AGP ("Applicable gTLD Operator"). Specifically, for each Applicable gTLD Operator: a. During any given month, an Applicable gTLD Operator may not offer any refund to a registrar for any domain names deleted during the AGP that exceed (i) 10% of that registrar's net new registrations in that month (defined as total new registrations less domains deleted during AGP), or (ii) fifty (50) domain names, whichever is greater. b. A Registrar may seek an exemption from the application of such restriction in a specific month, upon the documented showing of extraordinary circumstances. For any Registrar requesting such an exemption, the Registrar must confirm in writing to the Registry Operator how, at the time the names were deleted, these extraordinary circumstances were not known, reasonably could not have been known, and were outside of the Registrar's control. Acceptance of any exemption will be at the sole reasonable discretion of the Registry Operator, however "extraordinary circumstances" which reoccur regularly will not be deemed extraordinary. c. In addition to all other reporting requirements to ICANN, each Applicable gTLD Operator shall identify each Registrar that has sought an exemption, along with a brief descriptive identification of the type of extraordinary circumstance and the action (if any) that was taken by the Applicable gTLD Operator. 2. Implementation and execution of these recommendations shall be monitored by the GNSO. Specifically; a. ICANN Staff shall analyze and report to the GNSO at six month intervals for two years after implementation, until such time as the GNSO resolves otherwise, with the goal of determining; i. How effectively and to what extent the policies have been implemented and followed by Registries and Registrars, and ii. Whether or not modifications to these policies should be considered by the GNSO as a result of the experiences gained during the implementation and monitoring stages, b. The purpose of these monitoring and reporting requirements are to allow the GNSO to determine when, if ever, these recommendations and any ensuing policy require additional clarification or attention based on the results of the reports prepared by ICANN Staff.

Recently I spent one week at a customer in a hotel where the staff obviously was hosting nightly parties down at my end of the hall- from about 2:00am - 5:30am each (yes- every) night I was there. The hotel I’m in tonight has no elevator. Yeah. @#$! That’s what I said. Twice in the past 10 days or so, I’ve been in really nice resort-hotels, so I’ve had the whole spectrum this month and last.

For me, sometimes it’s the little things… I really like it when hotels have conditioner, instead of just shampoo. I like space- so a nice work area is important to me. Of course a big soft bed and plenty-o-pillows is a key ingredient. A whirlpool or jetted tub (in the room) is icing on the cake. Exercise rooms are good, although half the time I’m too tired when traveling or have work to do (I know- excuses, excuses ;). Convenience is also a biggie- I had a run in Las Vegas where *every* room I had felt like it was a 10-minute walk just to the elevators. When I’m on-site for a customer, I also love the hotels with the do-it-yourself breakfast- I can go when I want and grab something before heading out for the day. I love the little lighted makeup mirrors… and of course a full-length for checking out the wardrobe. Plugs! I love lots of plugs. I like hotels that secure the outer doors early and require a key for access to various parts of the building.

Sometimes it’s the bigger things… Hotels with outside-facing doors make me paranoid, and obviously those in neighborhoods where your rims may disappear is not good either. I hate hotels that MAKE me valet park my car. It’s my car, my keys, I park it and I keep the keys- that’s my rule. (My Dad taught me a little trick of telling the valet boys that it’s a company car and against corporate policy for valet- it works!)

Traveling techies sometimes have unique needs or requests, and many of the ‘good list’ is universal for all traveler types.

So, those are some items from my little list… What about you- what do YOU look for in a good hotel?

# # #

Even worse is that the emails sent by banks often resemble phishing attempts, and sometimes directly violate the advice given to customers. With this “do as I say, not as I do” approach, it is no surprise that customers regularly fall for the scams. In fact, sometimes a legitimate email look so fake that the bank's own security staff think it's a phish.

And it's not just banks which are slipping up. I received an email from Paypal, asking users to “click here and enter your password” despite the warning on the same page: “PayPal will never ask you to enter your password in an email”. What can customers be reasonably expected to do, given this type of training? I simply closed my account.

Email is a valuable sales channel for banks, and marketing teams evidently have not being willing to sacrifice it, despite the (justified) concerns of the security departments. This fact, coupled with the weak authentication schemes currently deployed, makes life for fraudsters easy. Paypal have tried one alternative approach – a two-factor token – but these are still vulnerable to attack. Strong security solutions, accepted both by customers and marketing, are needed to mitigate the large damages from fraud we see today.

Weldon, who is currently being investigated by the FBI over alleged corruption during his time in office, visited Libya in March to discuss a possible military deal, according to a letter describing the trip from Weldon to Defense Solutions CEO Timothy Ringgold. In May, Weldon, together with Ringgold and another company representative, traveled to Moscow to discuss working with Russia's weapons-export agency on arms sales to the Middle East.

Both trips were part of the company's effort to tap into the growing -- and often legally murky -- market for selling weapons from former Eastern Bloc countries to the Middle East and Afghanistan.

Ex-Rep. Curt Weldon, R-Penn., is helping broker deals between Russian weapons suppliers and the Iraqi and Libyan governments through his company, Defense Solutions.
Photo: H. Rumph Jr/AP

The Russians want to sell weapons to Iraq directly, but "must go slow on Iraq because of political reasons" and want to work with an "intermediary" like Defense Solutions, CEO Ringgold subsequently wrote to colleagues. "They have not spoken with any American company that can offer the quid pro quo that we can or that has the connections in Russia that we have," he boasted.

A few years ago, an American company proposing to sell weapons to Libya might have triggered a congressional hearing. So, too, would have a proposal to conduct arms deals with Russia, which the United States has accused of selling high-tech weapons to Syria and Iran.

However, U.S. government efforts to rapidly equip countries like Afghanistan and Iraq -- which have largely Soviet-origin weapons -- have created legal ambiguities and loopholes in export controls that didn't exist in years past and given rise to a new class of arms trade middlemen. So, even though both Libya and the Russian arms export agency are on official U.S. blacklists, government officials and analysts involved in weapons sales say the rules have become unclear as the push to equip allies in the global war on terror has blazed new but uncertain legal ground.

Eagerly stepping into that virgin territory is Defense Solutions, a Pennsylvania-based company that is carving out a small but lucrative niche in a new international arms bazaar. The firm boasts as its advisors a number of influential Washington insiders, such as retired General Barry McCaffrey, the former White House drug czar.

Helping the firm make key connections is Curt Weldon, a former Republican congressman from Pennsylvania at the center of an FBI investigation into alleged conflicts of interest during his time in office. Weldon, now a key executive at Defense Solutions, is working with the company to set up these weapons deals.

Defense Solutions has also proposed refurbishing Libya's BTR-60 armored personnel carriers, according to a sales proposal seen by Wired.com. Defense Solutions denies drafting a sales proposal to Libya.

It's an unusual, if not an entirely unexpected chapter for Weldon, whose time in office included frequent trips to Russia. As an influential member of the House Armed Services Committee, Weldon pushed for multibillion-dollar defense programs, like ballistic missile defense, and earned a reputation as a foreign policy gadfly, boasting of his contacts with officials in nations labeled by the administration as "rogue states" such as Libya and North Korea. Weldon's wild claims about a 9/11 cover-up and his sensationalist book warning of an Iranian terror plot, sometimes earned him official scorn and public ridicule, but it was accusations that he steered contracts to Eastern European businesses linked to his daughter's lobbying firm that drew the government's attention.

Weldon was voted out of office in 2006 just weeks after the FBI raided his daughter's home, and that of one of her associates.

Weldon did not respond to e-mails and phone requests to be interviewed or comment for this article. But in a 2006 interview, before the FBI probe was public, Weldon spoke enthusiastically about setting up a "front company" to work with the Russian arms agency, Rosoboronexport. Weldon hoped this company could sell weapons to the Middle East, and other regions, particularly to countries where the U.S. has strained relations. He claimed the director of Rosoboronexport approached him to work with "an American company that would act as a front for weapons these nations want to buy."

Weldon called the proposal an "unbelievable offer."

The administration, he acknowledged at the time, did not welcome the idea of an American company selling Russian weapons to potentially unfriendly countries. But two years later, Weldon, now a private citizen and chief strategic officer for Defense Solutions, appears to be working on precisely that sort of deal. And whether illegal or not, Defense Solutions' business represents a new phenomenon in the international arms trade business.

In years past arms brokers -- firms or individuals who serve as middlemen to facilitate weapons sales between countries -- were largely the stuff of spy thrillers. Unlike traditional American defense companies, like Lockheed Martin or Boeing, which typically sell weapons directly to NATO countries or other governments regarded as friendly to the United States, brokers are often small outfits run by people with sometimes questionable experience and reputations they will sell to anyone. One of the most infamous arms brokers, a Russian named Viktor Bout, is charged by the United States, United Nations, Interpol and others of funneling arms to terrorists and rebels around the world. He was recently arrested in Thailand. The United States is requesting his extradition on charges of supplying arms to a terrorist organization.

Two Marines lower the trim vane on the front of an Iraqi BMP-1 mechanized infantry combat vehicle that was captured during Operation Desert Storm. The American defense consulting firm Defense Solutions has proposed refurbishing Libya's aging fleet of BMP-1s. Defense Solutions denies drafting a sales proposal to Libya.

But ironically, Iraq has fueled a new market for these professional middlemen; the United States is funneling billions of dollars into modernizing Iraq's army so that the country's government can fend for itself after coalition troops withdraw. And Iraq's largely Soviet-equipped military is a natural market for Eastern European countries brimming with old or out-of-date equipment they would like to unload. The middlemen, in these cases, serve a key role by allowing the U.S. government to do business with an American company, which in turn buys equipment from Eastern Bloc countries in deals worth hundreds of millions of dollars, much of it financed with U.S. taxpayer dollars.

One of Defense Solutions' sales -- a deal to sell Hungarian-owed T-72 tanks to Iraq in 2005 -- was typical of these new foreign military sales. But on the more questionable side is the company's plans to work with Rosoboronexport, which is barred from doing business with the U.S. government, and Libya, which is still on the State Department's arms embargo list.

The Eastern European-Middle East arms-brokering business, while in some cases sanctioned by the U.S. government, has run into problems, including outright corruption and quality. Defense contractor Dale Stoffel, the president of Wye Oak Technology, and another American were gunned down in Iraq in December 2004 after Stoffel alleged that the Iraqi Ministry of Defense was involved in a kickback scheme. Like Defense Solutions, the company Stoffel worked for was refurbishing the Iraq's army Eastern Bloc equipment.

Another problem is quality. Weapons from the former Soviet Bloc, which the U.S. military euphemistically calls "nonstandard equipment," have been flagged as substandard, acknowledges Brigadier General Charles Luckey, who is in charge of security assistance at Multi-National Security Transition Command-Iraq. In an interview from Iraq, Brigadier General Luckey said: "One of the frustrating things about buying nonstandard [weapons], is that I'm the guy who has to deal with the fact that some broker I've never heard of allowed weapons to get to Iraq before they were inspected."

Defense Solutions is carving a new niche in the arms trade, selling Soviet-made weapons to Middle Eastern countries like Afghanistan and Iraq. Defense Solutions sold Hungarian-owed T-72 tanks to Iraq in 2005.

In one high-profile case, Iraqi officials alleged that a corrupt firm sold them $400 million in shoddy helicopters from Poland. More recently, a company led by a 21-year-old and a former masseur was offered a U.S. government contract worth nearly $300 million to sell ammunition to Afghanistan. The ammunition turned out to be outdated and of dubious origin and several people connected with the company have been indicted. A congressional investigation concluded that the company, which was on a State Department watch list, was able to take advantage of regulatory loopholes by using middlemen.

For those concerned about illicit arms trade, this new wave of weapons deals is rife with the potential for corruption and abuse, but for companies eager to pursue markets once regarded as dubious, it represents a lucrative business opportunity. The problem in these cases, according to those familiar with arms sales, is that it's no longer clear what's legal and what's not.

Rachel Stohl, an expert on international arms trade and a senior analyst at Center for Defense Information, says that in many ways, the rush to equip Iraq has led the United States to throw caution to the wind. She points to a report by the Government Accountability Office last year that found that some 190,000 weapons sold to Iraq have gone missing. "I think the reality is we won't know, until way after the fact, about all of these irregularities with the Iraq weapons provision program," she said. "We were providing them all these assault rifles that have gone missing. Why? They were not following the standard procedures that were in place."

But Iraq and Afghanistan aren't the only markets available to arms brokers like Defense Solutions. The gradual normalization of relations with Libya opens another door into a quasi-legal area of sales.

Like Iraq, Libya has a substantial arsenal of Soviet-origin military weapons, offering a potential market for brokers working with Russia and other former Soviet states. But even when there's not an outright ban, sales to the Middle East are often fraught with controversy, particularly to countries like Libya, which was under international sanction for more than a decade. Even as sanctions against it have been lifted, European companies proposing to sell arms to Libya have faced steep criticism, particularly since the country is still ruled by dictator Muammar Gaddafi, who took power in a military coup in 1969.

While the United States lifted Libya's "state sponsor of terrorism" designation in 2006, other restrictions, such as on the sale of arms, remain in place. A State Department spokesperson confirmed that exports of "lethal munitions" to Libya, such as tanks or related equipment, are still banned, although sales of nonlethal equipment are now allowed on a case-by-case basis.

In late March, Weldon traveled to Libya for a weeklong trip at the invitation of the Gaddafi Foundation, a group run by the son of Libya's leader, and the chairman of Libya's foreign affairs committee, according to the report he sent to Defense Solutions (.pdf), a copy of which was obtained by Wired.com. The trip reports states: "Agreement reached for Weldon to quickly return to Libya for meetings with son [of Libyan leader Gaddafi] Morti regarding defense and security cooperation."

A document dated April 16, just two weeks after Weldon's trip, outlines Defense Solutions' proposal to Libya to refurbish the country's fleet of armored vehicles, including its T-72 tanks, BMP-1 infantry fighting vehicles, and BTR-60 armored personnel carriers. A copy of the sales proposal, also provided to Wired.com, is on Defense Solutions' letterhead, appears to bear the signature of company CEO Timothy Ringgold, and is addressed to Libya's defense procurement council. "Defense Solutions is committed to delivering a full end-to-end solution to its clients," the proposal states. "Besides refurbishing these vehicles, we are capable of providing a full logistics support package, including a two year supply of spare parts, maintenance and repair services, and operator, maintenance, and repair training."

In an interview with Wired.com, Ringgold admitted that he's interested in doing business in Libya and confirms receiving Weldon's trip report from Libya, but denies drafting or signing an arms-sale proposal. "I've never made such a document to Libya," Ringgold insisted, after being read the proposal, and told that his signature is on it.

In addition to the Libyan arms-deal document, Wired.com has also reviewed copies of e-mails from Ringgold discussing the Libyan deal.

While Ringgold denies proposing an arms sale to Libya, he is open about speaking with Rosoboronexport, which has been on a U.S. government sanctions list since 2006, after the Russian state agency allegedly violated the Iran and Syria Nonproliferation Act. An April e-mail provided to Wired.com describes Ringgold, Weldon and Stephan Minikes, a senior advisor to Defense Solutions and a former ambassador, meeting with Rosoboronexport. The conversations included a number of potential deals, including supplying Mi-17 helicopters to Afghanistan and spare parts for Iraq's infantry fighting vehicles. Ringgold wrote to colleagues following the visit, describing the meetings as a "spectacular success," saying the Russian agency "has the ability to undercut all cost proposals from brokers."

Ringgold confirmed those discussions and said that his company has sought to do business with Rosoboronexport. Asked whether Ringgold considers his dealings with Russia to be legal, he argued that U.S. companies could work with Rosoboronexport on a "case-by-case" basis. "The particular purpose of the meeting we had -- and I want to be crystal clear -- was in response to a U.S. government requirement," he said.

A number of officials at the State Department and in the Pentagon, when contacted for this article, could not say whether working with Rosoboronexport is legal or not. A Pentagon spokeswoman said she was familiar with the issue, but deferred the question to the State Department. When asked about Rosoboronexport's status on the blacklist, John Herzberg, a State Department spokesman replied: "What's on there is on there."

Asked whether, given the ban, there was any way a company could legally work with Rosoboronexport, as Ringgold suggested, Herzberg provided an equivocal answer. "At the stage of the process we're at, I'm unable to give you an answer," he said. "You can try elsewhere in government, and maybe they'll be braver than me."

In an interview from Iraq, General Luckey conceded it was a murky area, but said, "My understanding is they are currently on our no-go list."

The confusion over debarred parties has even led the U.S. government into its own legal tangles, according to Jim McAleese, a Washington attorney who specializes in government contracting and foreign military sales. Because the Russian government violated U.S. nonproliferation laws, even NASA had to go to Congress to ensure it could work with Russia on Soyuz flights to the international space station. "What I'm warning you about is, don't be surprised by the confusion," McAleese said. "There are a whole bunch of different statutes that were adopted piecemeal and were never intended to be reconciled."

But it's the very ambiguity of the law that troubles those who monitor export control. "It's highly unusual to do anything with the Russians, particularly Rosoboronexport," said Scott Jones, director of Export Control Programs at the Center for International Trade and Security at the University of Georgia.

Legal or not, reputable American companies simply don't want to work with banned entities, Jones said, for fear of risking their reputations and business. "Even if it's not an outright prohibition, most companies don't want to put themselves in a liability situation that has really bad PR … and they stay away from it," Jones said. "But if that's your business, pimping out arms from the U.S. or Russia, that's the way it works, and you push as much as possible."

Finding any U.S. defense company working with the Russian government at this point would be "remarkable," Jones added.

In the meantime, the future for Weldon is unclear. The FBI investigation continues and Weldon's former chief of staff recently pleaded guilty to a conspiracy charge and is cooperating with the government, notes Melanie Sloan, the executive director of Citizens for Responsibility and Ethics in Washington, which filed a complaint against Weldon in 2004. Sloan speculated that Weldon may be charged with "honest service fraud" for misusing his office for personal gain. "It's an easier standard than bribery," she said. "I wouldn't be surprised [if he's charged] with bribery, but I think it will be honest services fraud."

Ringgold insists that he and Weldon are on the right side of the law. "Everything we do is in strict compliance with international and U.S. law and we operate only in the best interests of the U.S. government," he said. "I didn't serve 30 years in the United States Army to throw that away on a whim."

Asked if Weldon is still working for the company, Ringgold replied: "Absolutely, proudly so."

I went to the salon today to ‘get my nails did’ and was greeted with quite a ruckus. The entire staff is Vietnamese- no big surprise there- but the owners and most employees speak English extremely well and so everyone is always chit-chatting throughout the salon.

The wife side of the husband-wife team was especially giddy as she shared a little gem of a story with me today… and I didn’t feel I’d be doing you justice to keep it to myself. 

They (the salon staff) all live in one of the larger cities here in NC. One of their friends (a middle-aged guy) was out shopping Monday and was sitting in his car in a parking lot during a coming- or going- to a store. A young girl (mid-20’s) came up to his car and motioned to ask for use of his cell phone.

Now, at this point in the story, I could have told you the rest…

He opened the window a bit and the young lady asked to borrow his phone for a moment to call a family member. Turns out she had some car troubles and needed a ride. Being the nice gentleman that he is, he lent her the phone and she took a couple of steps away to make the call. Only… she didn’t stop. Evidently she got about 4 cars down the row before our chivalrous guy got out of the car and gave chase.

When he got in reach, she pushed him down to the ground and - yep - ran back to his car, phone still in hand… and drove away.

He now has no car and no phone. So, ironically enough, he then had to approach a stranger and politely ask for the use of their cell to phone home and let the group know he was bamboozled. A few tears were shed, but his wife assured him it would be fine and he shouldn’t be scared. (No, I’m not making that up).

I was giggling right along with her (and the guy’s wife, who happened to be there).

Moments later I thought to myself, “I hope that doesn’t happen to me!” Almost in the same instant I realized… it probably wouldn’t. I’ve been a bit of a paranoid freak since I was little, thanks probably in most part to having two ex-military intelligence parents. For all my life I’ve been raised with ‘the security mindset’ as Schneier refers to it.

Always suspicious… always calculating… always aware… and certainly never underestimating a situation.

And so then I had to muse… WHAT WAS HE THINKING leaving the car running and unlocked to go after the siren with the cell? For the sake of politeness, I kept my question to my ‘inside voice’, but I do have to wonder why you’d sacrifice the security of a vehicle for a $50 cell phone.

The moral of the story…  There are two. 1) Involve someone with a ‘security mindset’ and 2) Your security is only as strong as your people. A sweet damsel in distress… social engineering at it’s finest…

# # #

1. What product(s) & version(s) should I use?
2. How much should I plan to spend?

The simplest answer of course is “it depends”. I’ve seen implementations range from a thousand bucks to over several million. Ideally, your virtualization project needs & goals should drive your product selection. The bells & whistles you chose will determine your spending.

10 Basic questions that will help you determine product & cost:

1. Will your Virtual Infrastructure (VI) host production Virtual Machines (VM)?
2. What servers do you already have that can be used as hosts (32bit, 64bit, Mem, Disk, Network)?
3. Do you have a need for High Availability (HA)?
4. Do you have the need to manage SLA’s on your VMs?
5. What will a typical VM in your VI look like (OS, Disk, Mem, Network, CPU)?
6. What other IT resources do you have that can be used (SAN, NAS, Switches, etc…)?
7. What level of comfort does your existing staff have with the various IT resources?
8. Do you have existing hardware/software support agreements with Vendors you could leverage?
9. What tools do you already own that are “virtualization aware” and what new tools will you need?
10. How many VM’s do you plan to scale to?

Please, please, please, don’t make the mistake of implementing features that you don’t need and over-engineering just because the product lets you do so.

If you plan it right your product & cost, questions will be answered with no unpleasant surprises.

ShareThis

Now the interesting thing to me is that NIST is working with some other players (DNI comes to mind) on reference implementations of 800-53A.  This is big, so big that I can’t add enough hyperbole to it.

Why do they need to do reference implementations?  Well, because by itself, SP 800-53A is dangerous if it’s given to people who “don’t get it”.  By that what I mean is this:

• SP 800-53 needs tailoring to distill into actual requirements.
• SP 800-53A needs a huge amount of tailoring to distill into test cases/procedures that match the tailoring that you did with 800-53.
• Taken at face value, 800-53 and 800-53A become the source of “death by compliance”.
• If you think the auditors could grill you to death with 800-53, 800-53A gives them tons more material.

Now time for a war story: I worked on a project where the contractor was having a hard time building a security program, mostly because they didn’t have the right staff to get the job done.  The government told the contractor to use 800-53A as a starting point, and 6 months of insanity followed with 13 “security engineers” in a conference room cranking out documentation that had no basis in reality.  At the end of it all, the contractor handed the Government a bill for $1M.

Now don’t get me wrong, I like the ideas behind 800-53A, but the first thing you need to know when you start using it is when you shouldn’t use it:

• Don’t run test procedures on every computer you have, use an automated tool and do spot-checks to validate that the automated tool works.
• Use less test procedures on low-criticality systems.
• “This procedure is conducted as part of the hardening validation process.”
• Common controls are even more important because you do not want the repetition of effort.

And whatever you do, don’t let 800-53A turn your risk management into a compliance activity.  It has all the potential to do that.

US Government Doc’s photo by Manchester Library.

Bookmark to:

OK, the database cluster is back up and playing nice after its petulant episode.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. MoD implements new data security measures | PC Advisor
2. Do natural human traits make us more vulnerable to computer malware? | Hexus
3. The staff, the thief, the device and its data | Network World
4. Credit card firms wave stick at retailers | The Australian
5. Merchants call credit card industry’s bluff on compliance | The Register
6. Chairman: Computer Hacking ‘Much More Widespread’ | WYFF 4
7. Fired Houston organ bank worker accused of hacking into system | Houston Chronicle
8. PCI standard ‘ignores’ insider threat | vnunet
9. Student suspended after hacking emails | Stuff NZ

Tags: News, Daily Links, Security Blog, Information Security, Security News