Welcome to the United Nations | Department of Economic and Social Affairs



23 OCTOBER 2013
1630 CET

The following is the output of the real-time captioning taken during the Eigth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.


   >> BILL WOODCOCK:  Okay.  So all three of us are here now.  And the other folks are all out of the room.  So I think we can begin.  My name is Bill Woodcock I am with Packet Clearing House and we are NGO supported by the Internet industry to provide support services to critical Internet infrastructure.  To my right is Sam Dickenson who is most famous for having the reigns for APNIC and it is one of the many acronyms that we will be explaining over the next 45 minutes.  Run the Internet exchange, one of the three Internet Exchange Points and a piece of terminal low gee, that we will be defining in the next 45 minutes.  Our plan is to rip through a whole bunch of related jargon and give you very quick sort of definitions of things and then save 45 minutes a the end for Q and A and open discussion of sort of what you guys may have been hearing about that needs a little bit more explanation, you know, controversies that you caught a whiff and couldn't figure out what the fight was about and so on and so forth.  We come from three different kinds of Internet organizations and between the three of us we should be able to answer pretty much any basic question that you guys have and many more, you know, complicated ones.  This is a session that happens at every IGF.  Normally it is at the beginning of IGF which is more helpful for an introductory session.  But this time it is in the middle.  With that we will get started.  So over here I will be putting up the terms that we will be trying to define for you and if there are things that catch your eye just make a note and, you know, in the discussion half we can go in to more detail on anything that you are particularly interested in.  And the three of us will be sharing duties.  Sam will be covering more of the political and governance and we be covering more of the technical.  Domain Name System, you are probably all familiar with domain names that's the thing on the right‑hand side of an e‑mail address or a web address in the middle.  Domain name server is the computer that's out there on the Internet that answers a question about a domain name.  So whenever you send a pees of e‑mail or go to a website that e‑mail that the domain name in that e‑mail mass to be converted in to an IP address Internet protocol address that the computer understands.  This is exactly like in the old days would open up a paper telephone book look up a name and find a number.  The Domain Name System does exactly that it converts names to numbers or numbers to names.  So that computers can find things that you know the name of but they need the address of. 
    A recursive resolver is a dough name server that doesn't have answers yet.  You can ask a question and it will go out on your behalf and ask all the other name servers that it needs to ask in order to find out the information that you want and then it will reply back to you.  So on your computer if you are configuring your computer somewhere there is a place where it says IP address and net mask and default gateway and DNS server.  Those four pieces of information are what a computer needs to be able ‑‑ any device needs to be able to talk on the Internet.  So the recoursesive resolving is the DNS server that your phone or your laptop or your desktop computer uses to go get DNS answers from other DNS servers so you computer durnt have to do all the work.  And authoritative server is one of those big servers out there that knows all about a big domain.  Dot.com has many tens of millions of domains within it.  So Ford.com is within the dot COM domain.  So is Philips.com.  So the big authorizetive dot com domain servers ‑‑ they are sitting there ready to answer as opposed to the recurse sif servers that are waiting for you to ask them something so they can go out and get the answer for them.  Root name server is knows where dot krm.com and didn't in for India and.us and it knows about all the top level dough neans.  When the recursive ver ser drer goes out to get information it goes to the root name server to find address for dot com and go to the dot com server to find an address and then goes to Philips.com to get www.Philips.com.  GTLD is Generic Top Level Domain.  It is like dot com, dot net and these are dough mains that are available globally and were set up early in the domain name system form mass.  CcTLDs are two letter domains that use the ISO country codes and are associated with specific countries.  So here in Indonesia it is .i di.  In Canada it with be .ca and in South Africa it would be .za.  So these national domains are not oened by the country they are associated with the country.  ( .id) but they can be Delegated to someone and under someone's control. 
    So some ccTLDs, some Country Code Top Level Domains are operated by the national Governments.  Some of them are Delegated to say the communications ministry in a national Government which in turn asks someone in the country to do the work.  An IDN is an Internationalized Domain Name.  That means that a domain name that doesn't use ASCII characters.  It uses a different script.  Script with accents or arabic script or a Chinese script.  So these can be right to left reading instead of left to right.  They can use completely different character sets.  The four most recent new gTLD new generic Top‑Level Domains that were aproffered by ICANN two days ago happen to be IDNTLDs.  Four new domains.  One was in Chinese and one was in Sirlic Russian and I don't remember what the other two were.  In etor dot arpa and inator.arpa domain is a backwards domain.  You use to find the name associateded with the number.  If you know an IP address and you want to figure out who if belongs to you can look up the form of that I pishgs address to find the domain name associated with it.  So if you had a logs file from a web server, for instance, if you put up a Web page and (lost Skype connection.  No audio).

   >> So we start off by having defining what IPv4 addresses.  Running out doesn't mean it goes to 0 but basically we are down to the last slash block of address.  So two particular stands out.  One is ripe in Europe and the other is APNIC in Asia pak.  That's where you see we are actively pushing to deploy IPv6 addresses.  If you have IPv6 addresses you can run in to how many billions? 

   >> BILL WOODCOCK:  Actually IPv addresses the number is very large, it is 2 to the 128th addresses.  This is people try and find an analogy.  It is far more than there are stars in our galaxy and more than grains of sand in all the beaches in the whole world but 2 to the 128th is a large number.  It is much large than 2 to the 32nd which is how many IPv4 addresses there are which is only 4 billion.  The slash that C cat is talking about that is a block of IP addresses that is 4 million addresses. 

   >> Okay.  So that gives us a magnitude of are we dealing with good IPv6.  Essentially everything on the planet can be IP rated and run.  Okay?  So that leads to the LANNed skeaP ‑‑ so what happens when you are going from V4 to V 6.  So you have two Networks.  So that's why you see a lot of implementations for, for example, when Singapore international exchange started out four years ago we did a (inaudible) where if you have V4 or V 6 rating you can simply connect and it will talk.  The two Networks will interact with each other so you don't get anything that is missing in between.  So this is in anticipation that everyone even tally will move to IPv6.  The issue of moving is not as simple.  Networks can be ready but the devices that all of us carry in this room, for example, laptops, mobile phones they may not be IPv6 ready.  Still work to be done at the client site which is, for example, the WiFi routers you have at home are IPv6 ready and mobile phones are they IPv6 ready.  You see a lot of Networks today deploying dual stack allowing them to exist at the same time so there is no breakages in Internet access. 

   >> BILL WOODCOCK:  Let me break in a second.  IPv4 and IPv6 are two different versions of the Internet addressing system.  They are exactly the same except in how large the address space is.  So the IPv4 addresses only 4 billion addresses, 2 to the 32nd.  That wasn't enough for all the people in the world to be connected to the Internet plus having two phones a tablet and a refrigerator that wants to talk on the Internet.  IPv6, the larger address space has already been ind way for 15 years and probably will be for another 15 before we are completely done with the conversion.  So that's why dual stack.  Dual stack means you are using both IPv4 and IPv6 addresses on the same machine simultaneously.  So if you want to talk to something that has an IPv6 address you use your IPv6 address and if you want to talk to something that has an IPv4 address you use your IPv4 address.  That's dual stack.  To do dual stack you have to have an IPv4 address.  That means that people who are starting now have a much harder time doing dual stack because they don't have the V4 address.  All they have is the V 6 address and that leads in to four to six address translation which is when you have a dual stack machine and a machine on one side that only has say V4, and a machine on the other side that only has V 6, the machine that is seating in between and has both, translate for them.  It can take a packet in using IPv4 on one side and convert it to IPv6 and send it out the other side.  The conversion is very easy because everything inside the pack kets of data is exactly the same.  Only the addressing changes.  And then when a reply comes back it brings it back in on the V 6 and sends it out on the V4 side.  Sounds nice and easy and simple but in fact, because the Internet wasn't designed to work with something sitting in the middle it was designed for everything to talk directly to ‑‑ at one end point to talk directly to another end point NATs network address translation devices tend to break a lot of software. 
    Okay.  So the next thing next area that we want to talk about is routing.  Routing is the process of getting data from one place to another place on the Internet.  So once you have found the thing you want to talk to, now you need to actually talk to it actually go and ged a Web page to look at, for instance.  Routing the process of figuring out what route a packet will take across the Internet decided by a whole lot of routers, routers are the computers that have very specialized computers that have circuits, fiber optic cables coming in to them.  Many circuits coming in to some of these routers and they decide when a packet comes in which path it will take out in order to get it closer to its destination.  So each router is like the cross roads between some highways and when you get to that cross roads you have to decide which outbound direction you are going to take. 
    All of these routers talk to their neighbors in order to form a model of the Internet.  Topology so they know kwhat shortest path to the destination is.  Every point in the Internet has to develop its own map by talking to its neighbors.  So border gateway protocol, BGP is the language that is used between routers to develop that map.  A lot of people talks about BGP because it is the protocol that is used to develop that map.  It is the sort of key proto kol if figure out the topology and adjacentsies in the Internet.  This is something as end users you never have to deal with at all.  It is key to the Internet to function. 

   >> If I may add on sims you notice it takes a little bit longer to get to the same Web page compared to say one week ago, for example.  So this is where the routing protocol if implemented correctly it would automatically route to the next nearest point to pick you the packet of data that you want to collect.  So that Internet will still function even though there is just a signal breakage.  So if we look at Internet as a very big network of Networks very big mesh Networks multi points of connections, a one cut in single point should not cause a failure unless efk we are talking about a massive destruction of submarine cables connecting to Asia, for example, then everything is down.  So let's say, for example, between Asia and U.S. the cables get cut all the cables get cut and then routing will take a longer path.  You will go from U.S. to Europe to Middle East to Asia.  But still it works.  So that's where the implementation of routing protocols are actually very critical. 

   >> BILL WOODCOCK:  Yes, it is what keeps the Internet up during the constant failures that happen.  Nothing is perfect.  So these devices and the cables and the people are always failing or making mistakes or breaking and having to be repaired.  Any huge system is like that.  But the fact that most of the time most people are still able to talk to each other across the Internet is because of this self‑healing property that BGP remapping of the Internet between the nodes gives you. 
    So peering and transit are the two kinds of interconnections between Networks and the interket net.  The Internet is the network of Networks. S it is the aggregate all of little network out in the world.  If you work in some company that company that has a network and if you want to talk to somebody in a university somewhere else that university has a network.  The Internet is written with a capital I.  It is to distinguish it from an inter network which is any network.  Peering is the connection between two large Networks which are kind of similar in size.  It occurs at no cost and it only gives each network access to the customers of the other network.  Transit is a commercial relationship between two Networks where one network pays the other and gets in exchange the guarantee of delivery of packets to anywhere in the world.  So if you were to draw the Internet as a hierarchy the peering relationships or the horizontal relationships between nodes in that tree and the transit relationships are the vertical ones.  So the network doesn't exist unless it has both peering and transit relationships.  But transit is the service that is sold whereas peering is the cost free interconnection between similar size Networks. 

   >> So this is where the next point we mention about Internet Exchange Points and if stick to the strictest definition, that is location where Networks actually exchange their traffic or they have peering relationships in the traffic between the that traffic and between equal sizes.  Typically you will find content providers likes of Microsoft and Googles will be more than happy to peer with any of the operator Networks ha have the eyeballs whereas the guy that owns the eyeballs want to sell something to the content providers.  So there is always this tug of war who needs more, the eyeballs or the content.  So in IXP it is a place where Networks get to peer each other and exchange traffic.  So that's the important consideration.  And when we move on to multilateral and bilateral interconnection essentially we are talking about the way Networks talk to each other.  So this ties in with the point on route servers.  So what happens in Internet exchange, typically Internet exchange will run a route server and members of the exchange will connect to the route server.  So that means whenever you are connected to route server you will actually establish peering automatically with any other members that are on the same route server.  So this will actually achieve the effect of having a multilateral peering arrangement.  So it is an all to all kind of arrangement but there will be some operators like what Bill had mentioned where they simply want to be selective, to do ‑‑ to peer who they want to peer with and this is where we get in to a bilateral relationship one to one.  So they will have a more difficult task of establishing a one to one.  I have to talk to ten of in ten separate locations to establish a one‑to‑one relationship.  If I connect a route server I do it once and I automatically talk to anyone who comes on line to the route server. 

   >> BILL WOODCOCK:  This brings up something that you probably haven't noticed but may give you some insilgt in to the economics of the Internet, small Internet service providers have a big incentive to connect to as many other Networks as they can and so small Networks are more likely to have what's called an open peering policy.  They will peer with anyone who wants to talk to them and they are also more likely to use multilateral peering and route servers to automatically connect to anyone who is willing.  By contrast big Networks the big incouple bant phone companies tend to be very restrictive in who they are willing to exchange traffic with and peer with and they typically only use bilateral agreements and they tend to be selectedtive in their peering.  They tend to only agree to peer with other Networks that are as large as they are or larger and so what this means is that this the little tiny Internet service providers tend to grow very, very fast whereas the big ones tend to stagnate.  So big incouple bant tend to not over much faster services at lower prices as time goes on and the little ones tend to grow very quickly until they become big and market dominate.  The next thing hot potato routing and the symmetry of the way things get paid for we have got a diagram to help explain this.  If you look up here, what ‑‑ sorry.  So what you you will see is that we have got two Internet service providers diagrammed here.  One is colored red and the other is colored green and we have two Internet Exchange Points.  The Internet Exchange Points again are the places where the two Internet service provider Networks interconnect with each other.  So you can see that these two ISPs, the two Internet service providers have two ways of talking to each other.  They can go to two ways around this path between them.  So the user which in ISP language is the eyeballs because the eyeballs are the people looking at Web pages, wants to get to the content which is sitting on a server.  That's a Web page, something like that.  So the user sends a query this is a packet that is requesting information and they send it to the their Internet service provider.  They are buying transit from their Internet service provider and they pay their Internet service provider for the service of delivering that query to wherever it needs to go.  The user doesn't want too have to care where that server is in the world.  So they are paying their Internet service provider to take care of that.  So here you see a little red arrow showing the progress of that packet from the user to the red ISP. 
    Then the red ISP has a decision to make.  He can either send it to the this Internet Exchange Point in the west or to the Internet Exchange Point in the east.  But the further you send a packet or the faster you send a packet the more expensive it is.  Speed times distance equals cost.  So the red ISP is always going to do what's called hot potato routing of it is this children's game where you have a stone and you are throwing it from kid to kid and you are always trying to get rid of it as quickly as possible.  You don't want to be the one caught holding it.  Hot potato routing means any time someone dwifrs you a packet you try to get it out your network as quickly as you can on the shortest possible path and that's the one that incurs the least cost and is going to be the highest performance.  The red network is always going to select the he can change point that's nearest to it so hand off to the packet to the green network.  So then the green Networks receives the packet at the exchange point and brings it in to their network but that's going to be a longer distance for them.  So they get stuck with a higher cost.  Or a lower performance to move the packet in to their network.  And then they deliver it to the server and whoever is operating that server pays them, right?  They are paying a monthly bill for the privilege of having packets delivered to them.  Now the server is going to reply back towards the user and they send the Web page up to the green ISP and it make the same decision as the red did.  So now the red ISP has to haul long inbound, right at a higher E pence or a lower performance to get it back in to their network and they then give it to the user and the user pays them.  Now we have complete transaction and user has requested a Web page and the Web page has come back to the user and the user is happy and the people who had the Web page are happy.  This is called bill and keep because the red ISP here has billed their user and they have kept all the money.  That's how the Internet works. 
    Phone companies with voice calls use something called settlement.  Settlement means that the person who play places the call pays a lot of money and the person who receives the call doesn't pay any money.  This creates a huge amount of business friction between phone companies.  In the interflet we don't have any of that.  We are peering rather than using transit.  Sorry.  At the top, of any connection we are always peering.  Which has no friction.  But below that where you are using transit you have a predefined business arrangement that you have already ais heeded to and you can go shopping for a different one at any time you want.  So the other useful thing about this is we have symmetry.  If you draw a dotted line through these two exchange points the red ISP is billing their customer and paying for all of the infrastructure on their half of that ‑‑ on their side of that line.  The green ISP does exactly the same thing on their side.  The red and green ISPs never have to come to any business arrangement between each other.  They never have to negotiate anything.  Each one if they do a good job is going to be profitable.  So now moving on to some security stuff.  Security is very topical right now.  Everyone is kwind of interested because of the NSA stuff and so forth.  Some really basic security concepts these are kind of the keystones to understanding what people are talking about when they talk about security and crypto graphy and the first one is confidentiality.  You can think of that as privacy.  It means that if you are talking to someone else third parties can't tell what you are saying.  Integrity means when you talk to someone else they can be certain that the message they receive is the same one that you sent.  Availability means that you are able to talk to the other person.  Someone else can't prevent you from talking to that other person.  You a then at thises at this it means when you talk to someone else they are certain that you are who you are.  Nonrepeed put teags means when you talk to someone else you cannot deny you were the person hoo said it.  You didn't falsely claim that someone else was pretending to be and anonymity means being able to talk to someone else without revealing your identity.  You can't have autheciity and anonymity.  You kind of can.  You can speak anonymously with someone on one dawn and then come back a year later and speak with the same person again and they can know they were speaking to the same person they talked to a year ago even without knowing who you were.  You can see how these basic concepts can be put together in different ways to achieve different goals.  A lot of people, for instance, are interested in anom mouse payment.  They want to be able to purchase things on the Internet without revealing their identity which means that using credit cards is kind of out because credit card company knows who you are and you have to reveal your name and so forth.  Threats. 

   >> With security implement angs end of the day there will be a bunch of threats that hamper the implementation of a secure network.  First one is probably the most popular and most of you in the room have probably heard of it what we call DDOS.  Distributed denial service attacks.  So we start off with a simple DOS attack many years ago.  And over time the hackers got smart and said let's do a distributeded attack.  When DDOS plus a network gets really terrible.  On our exchange if any of our members get a DDOS attack we will call the member up and say can I pull the plug and take you off the network.  That is the only sure way of stopping the problem and pulling the plug and taking it off the network and solve it before we plug it back in.  Domain name highjacking is getting popular as well where a company basically just falsely take the domain name that does not belong or keep registering domain names in the this part of the world. 

   >> BILL WOODCOCK:  If you own a domain name or Delegated to you or company someone else might forge a document pretending to be you in order to get the domain name re‑Dell gealted to them.  If someone forged a transfer of title document saying they had bought your house from you.  They created a document that looked you a thennic and got the document.  We have seen a few big instances about it recently.  About a month ago the New York Times website was hit by a domain name highjacking by the sire ran yan Army.  Last week or maybe three or four days ago the whole country of Katar got taken offline.  I have pnt qa got taken off line by the sear yan domain Army.  They use the same tek nek that they had on the New York Times a month earlier.  Data ex‑fill yeags is when they remotely access your dput computers without authorization in order to steal data to take a copy of data off your computer.  So a spy who wanted to do industrial espionage would hack in to a system and steal copies of documents.  Website defacement is when someone hacks in to your web server and puts up a different Web page.  This is much more like vandalism and less like spying.  Identity theft is something that you have probably all heard quite a lot about in conjunction in say credit carteds number or people taking out checking accounts in your name.  It's a big problem on the Internet because people are dealing with people who they can't see face to face and they don't already know and you are having to disclose a lot of information about yourself to relatively unknown parties when you transact business with people a they will store that data in a database that is not protected.  Phiishing, spear phishing trojans these are all things that people can send you in an e‑mail as to an entre to hacking in to your system.  Phishing e‑mail is e‑mail that I says you have just won a million dollars click on this link open this attachmentment it comes from somebody who you don't know and may have some bogus explanation and it is trying to get you to take an action that will then compromise your computer in such a way that they can get back in to your computer. 
    Spear phishing is the same thing but where they have know who you are specifically before they start.  So they didn't just Spam this out to a billion people.  They were trying to get you specifically.  And spear phishing will probably look like it is coming from one of your friends or one of your colleagues.  So spear phishing message is tailored specifically to you as an individual to get you to click on that link.  Spear phishing is much much more rare.  It is mostly only used by intelligence agencies or people who are targeting somebody very specific.  So really wealthy people get spear phished a lot because there are criminals trying to get at the bank accounts of those very wealthy people. 
    Political activists get spear phished a lot by Governmental intelligence services that are trying to crack in to their e‑mail when tle use encrypted e‑mail to talk with their friends.  Spoofing of IP addresses and Mac addresses, Internet protocol addresses are used to reach other things on the Internet.  But in order for the reply to come back there has to be a return address.  It is just like on an envelope in the postal mail you put the address that you are sending and has the address that you are sending from.  If put a false return address and send something to somebody and they look at it and say I don't know what this is, I don't want it.  It doesn't seem to be for me.  And they send it back, it will now go to the wrong place.  It will go to the place the forged return addressed instead of where you actually sent it from.  Where the bad person actually sent it from.  So this is what is used to do DDOSs a distributed denial service attack often uses what is called a reflection attack.  Reflection attack is when you send out a packet that has a return address of a victim on it.  You send that packet to a whole bunch of people and each of them send something back to a victim because thi think the victim send it to them by accident.  Mac addresses are sort of underneath an IP address.  The Mac address if you use WiFi or you are connected to an Ethernet network this is the layer 2 Ethernet address of your computer.  It travels with the computer.  It is a unique address that's hard coded in to your computer.  Or your telephone.  Your cell phone.  It is not like your IP address that changes as you move around.  When you are on a wireless network, a WiFi network, someone can spoof the address of your computer in order to highjack your WiFi connection.  Why would somebody want to do that?  For instance, if you were in a hotel and you paid for that WiFi connection, if you had to pay $6 to connect to the Internet for the evening, someone could highjack that and they and you would both be using connection that you paid for and also if you had opened up say a connection to Facebook and already authenticated yourself to Facebook they could use that highjack your connection to Facebook and already be logged in as you.  That's a much more complicated kind of attack but it does occur sometimes. 
    And the problem is that when you have these complicated attacks people will often automate them.  They will write a tool that exploits that attack and then anybody who gets that tool can do the attack even though it would otherwise be very difficult. 
    Botnets are zombie computers.  Big herds of zombie computers that have been taken over by a bad person who exploited vulnerabilities in those computers in order to get control of them.  Not because they wanted that computer or data on that computer but because they wanted to use that computer to attack other dput computers.  So I said reflection attack depends upon unwitting third parties to reflect attack packets back to a victim.  A more common way of doing things is using a Botnet where the bot master or the bot herder controls this huge batch of machines that they have already taken over and they use those machines to send packets directly to the victims.  A lot of people who run Windows are already botted.  That means their computer has already been included in somebody's Botnet without them even knowing about it.  So if your computer when you plug it in to the network starts sending a lot of traffic to places that you don't think you are actually talking to it could well be that your machine has become infected and being used to attack some other machines.  You wo have to have expertise in order to figure out that was happening.  Last on this list is anonymous.  It is probably the best known hacker collective but they are not a collective in the sense of being very organized.  It is sort 6 a flag of convenience that anybody can fly if they really want to.  We mention here only because the organization of hackers that is best known and shows up in the press now.  And they tend to be a very loose knit group with a lot of kids at one end of the spectrum who are having fun and hacking other kids that they don't like or, you know, doing prangs and at the other end of the spectrum is older more politically more motivated people who are doing things specifically to advance some political cause. 
    So computer emergency response teams are the agencies kind of like a police force that help deal with computer threats.  Deal with attacks on computers.  Because all of this is kind of new still, this is not just a function that your police department already knows how to do.  Certs or specialized agency often funded by the private sector rather than funded by Government and they have a close relationship with law enforcement but they don't actually have any law enforcement prerogatives themselves.  Not every country has a cert and some places there are industry specific certs over and both what may exist for a country.  For instance, the automotive industry has a cert globally that spans all countries.  Likewise the aviation industry has a cert of their own.  Active defense and hacking back this is a very recent trend.  This is mostly sort of ‑‑ do you guys remember black water, the contractor private company in the U.S. that did a lot of military operations in Iraq for the U.S. Government?  This is these kinds of people but operating in cyberspace.  Private companies that want to do kind of military stuff.  They argue that if somebody is attacked on the Internet, if someone gets hacked they should have the right to hack back.  They should have the right to counter attack whoever attacked them despite the first attack was a crime.  The argument if a crime is done to you it should not be a crime to retaliate.  In fact, under law almost everywhere in the world it is actually a crime to do the same crime to somebody even if they have done it to you.  So this is very controversial. 
    Firewalls and access control are devices that can be put in the network or rules that can be put in the network that are designed to prevent hacking, that prevent certain kinds of packets or certain kinds of transactions from going through the network. 
    DMZs are obvious lis just refers to demilitaryized zone.  This is a kind of old concept that still hangs on in enterprise Networks where in your network you have what is inside the firewall, what's behind the firewall and is protected but you have a separate part that's outside your firewall but still under your control.  And you are supposed to put your outward facing servers in the DMZ.  We only mention it because it is a fairly common fairly common thing.  It is just not a best practice and there are much better and more sophisticated ways of protecting an enterprise server at this point. 

   >> Okay.  So the other hot topic right now would be privacy.  And, of course, we feed anonymity and essentially I think after all the NSA stuff anonymous attacks everyone gets weary of the Internet.  There are now various options out there available to end users to enterprises who want to have a better safety and precaution when they access the Web.  Anonymous web browsing where you browse the Web anonymously and nobody knows where you are from.  Host of e‑mail services, services like hash e‑mail that give us an e‑mail aaccount that you can subscribe to and not traceable.  Unless, of course, they actually hand over the data.  PGSP has been around in the Internet compunt where you use it to protect your e‑mail communications.  Little bit tough to use. 

   >> BILL WOODCOCK:  PGP is pretty good privacy.  The name is kind of a joke.  It is actually pretty good privacy.  It is an encryption protocol that's used for file the and e‑mail that doesn't conceal who you are talking to.  So you can't use it to communicate with someone anonymously but everything that you say to them is protected.  And PGP uses asemi trick public key encryption and it is most commonly found in e‑mail.  You, use it to encrypt a file and put the file on a server and send it to someone.  But it is mostly just used for e‑mail.  PGP is available on essentially every platform that there is no computer that or phone or anything that any of you guys have that you couldn't use PGP on but again like any kind of encryption it is a little tricky to use.  The one downside of using encryption although it is private now all of these intelligence agencies store everything forever.  If they see your encrypted message go by they will record it and save it and 15 years from now when their computers are much faster they will go back through all of those encrypted e‑mails from today and decrypt then and then your docie will have what you said 15 years in it.  So none of these systems are perfect.  Right?  You have got to always kind of be remembering that regardless of how good the encryption seems right now it will seem very trivial 15 or 20 years from now. 
    Tor the onion router is the most comonly known circumvention method.  Circumvention means if you are sitting on a network that does not have end end access to the rest of the network dr to, for instance, if you were in main land China behind the great firewall of China and you want to access a Web site about Fela no goning which is religion that is outlawed in China and you just tried to use your web browse to do it would fail.  By if you use toro a VPN or you could actually circumvent the Great Wall of China.  And there are many different methods of doing circumvention. 

   >> Yes, and just let me add on, a more real example when you want to use Internet in comi na I guess more than half of you have a gmail aaccount.  When you go in to China you can access gmail. 

   >> BILL WOODCOCK:  Lawful interception versus intelligences it the phrase udzed to mean global lay what it is the police do.  If the police Acting under law get permission to do a wire tap, this is what is called lawful interception.  If somebody does a wire tap outside of that legal framework, that would be spying, right?  So most countries reserve to themselves the right to spy.  But most countries criminallyize other people spying on them.  So countries kind of fluid definitions what what is okay we is dependent on perspective.  Encryption simply means taking clear text, clear data, data that can be hoou man read and modifying it in such a way that people just looking at it won't be able to tell what it is.  Only someone who has a specific key can get at that data again.  There are a bunch of different kinds of encryption, semi trick, asy mi trek encryption and public key encryption.  All of these different variants just use different kinds of math and different ways of handling the keys.  The important thing is that you use encryption that meets your security requirements and that's something that is sort of beyond the scope of what we are going to be aible to talk about in the remaining half hour and change. 
    Back doors are when you use a piece of software or a piece of hardware that has coded in to it a way for someone other than you to access it.  And unfortunately many many devices have these kinds of back doors coded in to them.  So if you get a WiFi hot spot from your phone company along with your DSL or cable access, almost certainly it has a back door for your phone company to log in and reconfigure it if it gets screwed up.  Problem is the phone company is not going to bother to have a secure password on there.  They are going to have the same password on all 5 million of those that they ever distributed to air customer and the password is going to be admin or password or 1234 and hackers figure this sort of thing out very quickly.  Devooiss kind of appliance devices like hot spot and Ethernet switches tend to be very easy for hackers to get in to.  The last item on this page big data.  Big data refers to this notion that there are huge amounts of data about everything that we do that are being generated all the time.  And when people store a lot of data about things that other people are doing often the law says that they have to anonize it or they have to protect the PII personally identifiable information in those datasets.  If go to the grocery store and there is a pharmacy there and you fill a prescription and you get some medicine, in theory when you go to check out there shouldn't be a record saying that, you know, you with your full name bought this particular medicine.  But in reality the anone miization tends to be weak.  So hackers when they get ahold of these different dataset can often put them together in ways that tell a lot about a person.  This is big controversial topic that there are a lot of people talking about here at the IGF and in general is the problem with big data and privacy and deanonemiization and the cross correlation of datasets.

   >> Last part where this brings us with security and V 6 and everything we see today is over IP.  Whether it is a voice call you make to your home country, something that you are doing e‑mails that you are checking everything is a packet.  So everything over IP and everyone is familiar with IP and we have been using for a long time and operators are pushing for them because bandwidth is cheap.  IM is most popular.  For example, in sing ‑‑ operators today are giving away free SMS like there is no tomorrow.  They will give you a thousand free SMS where they are making tons of money over SMS.  Twitter, for example.  So you get a lot of different kinds of communications, platform available now over IP and all these actually possible because there is a lot of capacity, a lot of bandwidth and when we start moving in to things like IPv6 and so where you get more and more devices on the network you essentially are able to go to what we call Internet of Things.  So imagine every single glass, every single bottle, refrigerator in your home is Internet able.  Today the first things you see Internet enabled is the TV screens because that's where operatedors get you and they hook you up.  And last things with so many things connected is a method of ‑‑ things on agents being representative of yourself on the Web comes to life, so, you know, we could simply get assignments on the agents, for example, to do things to do things on your behalf because everything is Internet enabled.  So that's how we think this will actually move towards.

   >> BILL WOODCOCK:  To give an example of what we are talking about there about agents as IPv6 addresses become prevalent things like refrigerators start to get IP address.  My refrigerator has an IP address and when its water filter needs to be changed it will contacts its manufacturer who sends me an e‑mail telling me to change the water filter in my refringe rater.  That's a convenience and also a little bit of a privacy issue maybe but going in to the future, for instance, in hotels now there are hotel bar refrigerators in rooms that have little sensors that tell any time you take something out of the refrigerator it has got a little sensor for each spot in the refrigerator and if you take a little bottle out it knows that and it tells their accounting system what was taken out.  A personal refrigerator might have an RF I.D. wireless reader inside it that would know what products had been put in it the refrigerator and so when you ran out of something and threw it your milk carton was empty and you threw it away it would know there was no longer a milk carton in there and it could order another milk carton for delivery to you.  So this is what we are talking about with Internet of Things and agents and Avatars.  Agent is a your refrigerator that would have access to your bank account in order to buy you milk because it noticed you were out of milk.  You can notice a million things that would be wlong with it.  You might have thrown it away because you are going on a trip.  This is the direction that companies are thinking about how to sell people things. 
    And now over to Sam.  Oh, I am doing the first one.  I am doing the first one.  Okay.  Defining Internet protocol now we are going to talk not about the technology but about the governance of the Internet.  So Internet protocols the languages that are spoken between the devices on the Internet are defined by the Internet Engineering Task Force.  The engineering task force is like essentially all other Internet Governance organizations multi‑stakeholder.  That means anyone who shows up ready to do work has the authority to do the work.  No one is going to tell you no, you are not the right person.  No, you are not authorized.  Anybody who does the work gets to claim responsibility for it and move forward.  This is part of the way the Internet is able to progress as fast as it is.  There is not a lot of waiting around for the right person to come and do something.  The IE SGthe Internet engineering steering group is the subset of the IETF that keeps all the documents moving forward and does all of the grunt work.  So if you are really well respected and you seem to have a lot of free time and you show up at the IETF you will get drafted in to the IE SGand told you have a promotion.  The Internet Architecture board is people who have been around the IETF for a long time and have done useful work and are seen as authorities and they form kind of a board of people who provide overall policy advice for people working in the IETF.  You will notice that the IAB the interin the architecture board recently released a statement on the evils of spying on the Internet after the NSA was revealed to have been spying a lot.  (Internet).  In addition to these intersnet protoll kols there are other protocols that the Internet ke pends that are not Internet protocols but at other layers of the network.  IEEE the international institute for electrical ‑‑ institute for election kal and electronic engineering, exactly.  They standardize layer 1 and layer 2 which are eye they are net and WiFi and how signals get transmitted over a piece of fiber.  So without that of course we couldn't have the Internet because we need all of these lower level protocols in order to carry the packets.  The ITU standardized how telephone companies interoperate with each other.  A lot of the Internet ran over telephone Networks with modems used to be and the ITU because that's no longer the case and in fact, the voice stuff that the ITU depended on now is almost all running over top of the Internet.  The ITU is trying to figure out how to make themselves relevant in the future.  So they have been struggling with the Internet governance organizations over who should be able to steer the course of the Internet.  So they are very relevant to everything that goes on with Internet Governance. 

   >> Sam:  Okay I will do this quickly so I you have time to ask questions but historical background because it helps to understand why we have this weird and wonder ecosystem acronyms that run the daily aspects of the Internet.  Steve crockor, has he appeared in one of the main sessions?  He is the Chair of ICANN and he was one of the really early pioneers of Internet.  He was there in the pre‑Internet days, the preinter ‑‑ when first developing the app net it was a bunch of grade wait students.  They were waiting for teacher to come in and tell them what to do and then they realize no one was going to do that.  They were going to have to do it them Stefs.  That has influenced the way the Internet has developed.  Very bottom‑up process from the days that the Internet was, you know, an embryo was the oper net.  A part of that school kids running the network concept was how do you get information out.  How do you discuss what are we going to do.  So this is a story I was told not actually by Steve crockor by but someone else the story was he was staying over at girlfriend's parents place and had this brilliant idea we should kind of write documents that request comments on the Internet.  This was back in the late '60s, '70s.  So he couldn't sleep with his girlfriend.  He was sleeping elsewhere and not anywhere to write stuff.  He end up in the bathroom his girl frenld's parents house writing the first request for comment about how should we develop the intersnet and how can we organize how we do this.  So the still call for requests for comments but they are like standards documents.  I mean that's two looems for requests for comments.  But they have become more formalized and they original concepts of a request for comment is now performed by something called an Internet draft. 
    Okay.  Trying to explain how it went from this as we all know originally Government funded network.  Originally ‑‑ I don't flow if anyone has heard of John Pastell kind of a like a God of the Internet.  In the early days of Internet he was very ordered and he was the person who if he wanted to IP address to connect to the network he had an pad and a pencil and you would call him up and say look I want to connect to this Internet.  So he would say okay cool.  I will give you a range of address and write it down in a pad of paper.  He realized this was not a sustainable way of managing a growing Internet.  So he developed this ‑‑ it was still him to begin with.  The concept of the Internet assigned numbers authority, IANA.  As the U.S. Government realized that this Internet thing was really sik is hesful they wanted to release it so it could be managed by the community and other kind of liberal small Government concept.  Let's give it out to private industry.  Alongside that there was as domain names were happening what should we do with this.  So there was a Committees that was looking at how we should go forward with the internet and they come up a number of recommendations which is to include ITU being responsible for international domain name and the U.S. government was not quite sure about the recommendations of this ad hoc Committee and came up with a concept of ICANN.  So that's how we ended up with ICANN it was tightly bound with the U.S. dwovt at the time.  But as many of you are probably aware there is a move to internationalize ICANN now. 
    Okay.  Sorry.  Order of slides was trying to understand.  One of the ways that the Internet I suppose governed or managed is network operators.  So people like the network operators of AT&T, France Telecom, they all have common interests.  So there are these brouPs called network operation operator groups, NOGs.  Most countries now I would say would have NOGs.

   >> BILL WOODCOCK:  So there are NOGs in many major countries.  There is NZ NOG but many them are regional.  JANOG is just for Japan but North American operators group is U.S. and Canada centric but people come from it all over the world.  In Europe, RIP which handles the IP address dealigation hosts a network operators group for Europe and likewise in Latin American and ka rye bee yan host the Latin American network group. 

   >> Savm:  They are discussing problems that they face every day.  They generally have mailing lists and will discuss things that matter to them on a day lay basis.  Trends that they say how are other Networks coping with these things.  There are Associations of exchanges.  Particularly important are the regional IXP Associations.  Something like Euro IX, I think is pretty cool.  They what they call have a twinning programme.  Because IXPs are really important way of keeping traffic local and not needing to send traffic internationally unnecessarily, they are very important in developing regions, particularly in like continents like Africa.  So what you Euro IX does it has a programme that twins with emerging IXs in Africa.  So and IX some in Europe, lifrng the London Internet exchange point will have a twin perhaps in Kenya.  That's maybe starting up and the links operators will help the Kenyan IXP on operational matters.  They may send them equipment they are no longer using and have stuck in the back cupboard.  They are very valuable for interchanges to exchange information. 

   >> BILL WOODCOCK:  A group of network operators who meet at IETF meetings so meeted alongside the IETF meetings some it is like the NOGs but it is global in scope and it just occurs in conjunction with the IETF meetings. 

   >> Sam:  Okay.  So before I mention IANA which was John Pots le and his notebook and it became a bit more formalized.  IANA function is performed by ICANN.  ICANN is ‑‑ it attempts to ab multi‑stakeholder organization.  Like any organization in it Internet Governance system it is not perfect but a process toward gets better.  In the early days as the Internet has got more complex more people have been added to it, more issues have emerged and the Internet Governance system of organizations has also bm more complex.  But it has become complex to suit the emerging environment.  So within the ICANN system there was originally what they call a domain name supporting organization.  All domain name registries, registrars would participate in ICANN through this system.  As the ccTLDs, the country code TLDs started to realize we have got more in common with each other than we do with say dot com we are bounded within countries, there are many of us are actually run by Government related institutes, why don't we create our own separate organization to discuss our particular cases.  Because the CCs separated from the DNS, DNS sort of ended up become the GNS, the generic name supporting organization and within the GNSO because that covers all other types of domain name, dot com, dot net, dot info, everything else.  But a lot of different stakeholders in that.  You can break that down in to different groups, different constituencies.  You have registries and registrars and as we bring on the new gTLDs and I don't think they saw this but many of them brands so they have a very distinct interest.  It is quite possible that we will end up with a new constituency that represents brands.  So if you look at it just from the outside the number of constituencies it looks really confused but also within the ICANN model there is the go GAC, that's where ‑‑ that has existed since ICANN was formed.  The idea is that's a way for Governments to be able to input advice in to ICANN policy processes.  It is not always perfect but if you look at other Government systems they are also not perfect.  So ICANN or IANA deals with both IP addresses and domain name and it manages the overall registry.  Domain names are directly managed in terms of policy processes within ICANN.  IP addresses are Delegated to regional Internet registries.  There are five Internet regional Internet registries at the moment.  The one in the Asia Pacific region is the Asia Pacific information centre, rip NCC I am not going to try it in French the is European one.  ARIN, American registry of Internet numbers that was the third RIA to be formed.  Latin American and Caribbean centre information centre and the African information centre.  It was felt that different regions have kifrn needs in terms of IP addressing.  So perhaps say in Africa which is still a very developing region the policies surrounding how you get IP addresses may need to be more relaxed than somewhere in a developed region, perhaps say ARIN where business competition may mean that people are more likely to request more address than they have really need.  So you need to have more rigorous procedures. 
    Within the RI community ‑‑ sorry step back again.  Originally there was RIP was the first RI.  There was originally inter‑NIC and then the Europeans decided we want something that kind.  Deals with us.  So they broke off and then the Asia Pacific broke off and then ARIN took on everything else.  And then Latin America developed its own regional registry and then Africa.  After developing and splitting off they thought we need to coordinate.  They developed as a way of trying to get some cohesion.  On top of that because of the ICANN struck is it you're the way it was structured in its bylaws it needs to have supporting organization and it hasn't addressed supporting organization and that did exist.  But kind of more ‑‑ it didn't do that much.  It was kind of very ‑‑ it would monitor what the RIs were doing.  But with the NRO it became much more structured process but because of the ICANN by laws if you look at it from the ICANN side it is the ASO but if you look at it from the RI side it is the NRO.  Sometimes you will see things like that the ASOAC the address supporting organization advisory council.  But if you are looking at it from the ARIA side it is the number of resource organization numbers council.  This complexity it seems strange but there are reasons why it is developed that way. 
    One of the other interesting issues if you are looking at the complexity here a number of years ago APNIC ‑‑ if you were writing a book about how to configure routers what happening was that people were using random IP address ranges in books.  So if you had someone that used that book and you used that IP address range for real, you could have all sorts of problems happening.  So the APNIC community thought hang on let's come up with and reserve one of our blocks tore address that's for documentation.  We will never give this to anyone in the world.  If anyone using one of these manual about how to configure a router using there IP address it won't damage anything.  Its like in American movies they use 555 for telephone numbers.  As it turns out the RIs are only supposed to Delegate addresses to Networks.  They have no right to make special types of IP addresses.  That's something that IETF.  The IETF was was like no, this is our responsibility.  We sorted out the IEFT and then went to emerging RFC that did it.  This is example of the fact that all hoe though the technical community does work together but we do step on each other's toes.  So when you see the larger debate of Internet Governance and the discussion about the ITU going too far, is it stepping in to territories that are already being performed by existing Internet organizations, this is not new.  This has happened on a smaller scale within the Internet community.  It is a matter it of give and take and discussion and reestablishing this is what I do and this is what you do and here is how we can coordinate. 
    In terms of operational support, one of the key organizations that has been very ifrm porn in the developing regions is the network startup resource centre and now Google has is recently doing 3.2 million dollars I think to support this.  The idea is that they ‑‑ the startup centre provides training and technical resources to Networks that are starting up in the developing region.  One of the problems if you are a developing country is quite frequently it is quite expensive to import routers in to the country that's a very high tax rate.  So initiatives like these are really important.  PCH I am going to hand over to you because that is you. 

   >> BILL WOODCOCK:  PCH is an organization I work for we are also a non‑profit.  We are supported by the Internet industry for the last 20 years to provide operational support to Internet Exchange Points, to the core of the Domain Name System.  We do regulatory and policy work and we do cybersecurity coordination work. 

   >> Sam:  First before we were hearing about security and the concept of certs, first is an Association of certs.  It is kind of like the NOGs.  It is a way of sharing information but in this case it is a way of sharing information between network security experts.  If they are noticing a trend in particular types of attacks they can share it with other Certs to stop it propagating throughout the world.  In terms of user advocacy is the Internet Society.  It was originally created to the be the organization home for the IETF that members of of the ber net community could be members of the Internet Society and provide finances to support the IETF.  These days ISOC is funded by PIR which runs the dot org registry but ISOC has chapters in many countries and sometimes in cities.  If you are a member of a chapter you can be on a mailing list and contribute to discussions on policy and positions that ISOC then prents at various Forums such as this one in IGF the open net initiative is quite relevant these days.  It is a consortium it is three organizations work together to monitor and evaluate what's happening in terms of ‑‑ in filtering and surveillance on the Internet which given recent revelations is very timely.  Since the IETF has started to be aware that they need to consider the surveillance implications in future I am wondering there may be more coordination between the open net initiative and IETF. 
    In terms of business input in to how Internet technical management procedures are developing, there is the ICC, ICC basis sh the Internet chamber of commerce and I don't know what basis stands for but it is the way that the business community feeds information in to technical Internet discussions. 
    And finally these are newer comers to the Internet Governance world.  I am not sure how many of you have been following the many many processes in the UN that discuss Internet Governance.  There is the IGF, there is the ITU.  They have a currently closed body.  It is Member States only called the council Working Group on public policy ‑‑ international public policy Internet issues something like that.  Is there is a lot of discussion about opening it up to other stakeholders that group will be discussing the Brazil draft opinion that's being discussed in some of the earlier sessions.  They had an IPv6 group because at one point some of the Member States wanted the ITU to manage IP allocations.  I am sure many of you heard about WCIT last year in December.  That was the big event in Dubai where the Member States were renegotiating the international telecommunications treaties and a lot of discussion whether to mention the Internet or not in the ITRs.  In the end many countries decided not to sign it because it did mention the Internet.  Within the UN itself there is the General Assembly.  Within the General Assembly it has different Committees that look at different issues.  Committee one looks at security.  Anything related to sigh intersecurity, cybercrime that may come up in Committee 1.  Traditionally that was the committee that would discuss things about the Cold War but things have moved on and that's where cybersecurity issues will be discussed.  Committee 3 they call social and cultural issues are discussed.  What feeds in to Committee 3 is the discussion that has happened at the CS TDthe commission on science and technology for development.  So CS TDmay discuss things related to Internet and then feed draft Resolution in to ECOSOC had will pass them as resolution and that feeds in to UN General Assembly Committee 3.  This kind of comif Kated process.  And then, of course, there is UNESCO, they are more interested in issues like Internationalized Domain Names and multi lingualism and there is the over all WSIS process which is includes a few other UN bodies like UNCTAD.  So one of the hard things these days is as the Internet has got bigger more people are interested in it and that's fantastic. 
    But the more people that are interested in it the more venues they are discussing it and the harder it is to track.  I don't know what the solution is.  But that is one of the difficulties that we are having today and if people doement like what's happens in one venue they will often do what is called Forum shopping and try raising the issue somewhere else.  So this is a challenge that we face in the Internet Governance world and that's something that IGF is very good at mitigating in many ways because you get different people from a whole range of Internet Governance related organizations coming together and those issues can perhaps be addressed.  So I think that's all from me. 

   >> BILL WOODCOCK:  So we have done this workshop at every prior IGF and we had a set of slides that was getting kind of stale and so we started over this time.  And I am afraid we overestimated or underestimated the amount of time that these slides would take to run through.  However it is the end of the day nobody is going to kick us out of this room.  I know many of you want to go off to dinner but if there are people who have questions, I for one will happily stick around and answer questions as long as need be.  So let's start, questions who has something that they want more detail on? 

   >> Can you speak in the mic for the remote participants? 

   >> Hi.  Can you repeat what the bill and keep was? 

   >> BILL WOODCOCK:  So bill and keep means that Internet service providers bill their customer and they keep the proceeds of that.  So whatever expenses they have they have to meet from their own profits and whatever remains they get to hang on to as profit or use to reinvest.  So this seems they straight forward.  It seems like any business would be like that except with you compare it to the oel telephony Networks where they instead of making money from their customers they primarily made their money on settlements from other telephony Networks.  One would call their our customers they would dep manned a payment from the network that handled the call from them and the how much they could demend was decided by Intergovernmental negotiation within the ITU.  This became this big back channel of shuffling money between countries under the control of Government without any public oversight.  If one country wanted to send some money to another country but without citizens having any say in it or accounting they would set the settlement rate between the two countries slightly different and suddenly calls going in one direction would come along with payments at a higher rate and that creates so many headaches and people on the Internet said we don't need any of that we are not going to any settlements and everyone is going to bill their own customer and keep the proceeds.  Next question.  Really?  No more questions.  Usually we manage to have like half of ‑‑ yeah. 

   >> Sam:  There were legitimate reasons to be able to change the rate, talking about settlements.  If you are from a developing country you do not have the infrastructure.  So part of the reason for these asemi kal international settlement rates was that if you are calling from America say to Nigeria as an American you are likely to be richer.  So it makes sense that you take more of the cost of that call than if a Nigerian was calling America.  So part of that money as an American that you called Nigeria it would send more money towards Nigeria this could be used to help develop the infrastructure.  That is part of reasoning for the asemi kal rates were there.  If you are user are not sending much data and what you are doing is pulling data.  If you watching you fub and you are nigh joo ya you are paying your ISP a little wit bit a nt mo.  So if you had those asymmetrical rates who going to be paying for that?  America.  Youtube is not going to be making much money.  It really doesn't work so well in the Internet context because of the asymmetries of the data flow. 

   >> BILL WOODCOCK:  Any other questions?  Yes.  Yes.  If you want to use the mic that would be great. 

   >> Good afternoon.  My name Ankar of Ministry of Trade.  I just have one brief questions.  About the your cyber defense explaining but hacking back mechanism.  Doesn't seem right to me as a defense because that probably causing cyber war like that even though there is a statement that best defense is an offense.  But how come a cert have cyber defense mechanism like a hacking back?  Is there any mechanism to defend maybe a country.  Therefore they could be hacked or something like that? 

   >> BILL WOODCOCK:  So there are a lot of different actual defense mechanisms many of them having to do with firewalling and access control lists and there are very dynamic ways of defending against the attacks that only kick in as the attack is observed.  This notion that you can deter an attackers by threatening to attack them back, you know, anybody who is of criminal enough bent of mind to think that they can get away with attacking people, is probably also going to assume that they can evade being counter attacked.  Attribution is very, very difficult on the Internet.  So when someone attacks you it is very difficult to know for certain who it was.  And this is one of the big problems with attack back theory, right?  It is very easy to do what is called a false flag attack an attack that looks like it is coming from someone else.  So if I secretly dchbt like C dat I could attack you but it make it look like the attack was coming from C cat.  If you were to counter attack you would counter attack him and I would stand over there laughing.  This is one of many many problems with this hacking back idea.  Aside from which it is just illegal everywhere basically under current law. 
    So, you know, these military contractors who want to be able to make money doing offensive operations are lobbying Governments all over the place to try and get these exceptions to be allowed to do this kind of viglante justice but it is not good for law and order.  You don't gain law and order by allowing people to have exceptions.  You have law and order if everyone has to follow the law.  And the business community very much needs law and order on the Internet.  We need a lower crime rate and a higher rate of trust in order to be able to conduct business on line.  There are very interesting questions about what the role of military is in cyber attack and cyber defense.  It is very easy for militaries to do offensive operations, offense sif operations are cheap.  They are sort of highly rewarded within the structure of a military usually but defensive operations are very expensive.  And there is not a lot of reward for it.  Even success doesn't get rewarded very much and most of the time nothing is happening.  So militaries are often very confused about what their role should be and they sort of default to going and ataking things randomly.  U.S. military keeps attacking China and Iran and so forth and Iran counter attacks the ‑‑ as long as the U.S. military has been attacking I ran, Iran attacks every Tuesday and Thursday they attack the banking sector in the U.S.  So the banking sector is spending many tens of millions of dollars every Tuesday and Thursday defending themselves and they complain to the U.S. Government say hey cut this out.  Stop attacking Iran.  They are taking it back out on us and the military just keeps right on doing and doesn't pay any attention.  The Chinese likewise do a huge amount of cyber military praegss muchl more aimed at intelligence gathering and then tend to make a lot of enemies that way and they are getting a lot of political repercussions for that.  There are a lot of interesting questions in that area and a lot of very active debate.  Ma'am. 

   >> My name is Sarah and ISOC ambassador and I wanted to ask about Botnet.  Something that we need to worry about and if yes, what can we do to protect ourselves from Botnets.  Thank you. 

   >> BILL WOODCOCK:  I will take that one as well.  So Botnets there can be very small Botnets.  So a small collection of infected mns that are used to do attack and there could be huge ones.  Largest Botnets have huge machines in them.  To give an example there are only 277 machines in the Botnet that Russia used to attack Estonia in 2007.  They were successful at taking a country offline if only very briefly.  That attack came in at 11 p.m. Estonia time and it was completely mitigated by 6, 7 a.m. all though the attack went oent for a month but only 277 machines in that to take a country offline.  The attack that Russia did against the Georgia the next year was a relatively small Botnet and that took Georgia off line for the better part of two months.  A whole country offline.  Barest bit of connectivity left.  Botnets are a huge problem but they are a problem that there is very little political will to deal with.  If there were strong political will to deal with Botnets Microsoft would have a lot to answer for.  Almost all machines that are infected that Act as a part of a Botnet are running Windows.  Many of them are running oeltdor versions of windows.  One of of the huge problems is that because Microsoft makes its money from selling windows they don't provide support for copies of win doughs that have been stolen.  There is many countries that almost every machine is running Windows and almost none have paid for it and almost none of them have security patched because they are all stolen copies the basic business plan that Microsoft has there is causing the problem.  And then Microsoft's answer is often well, you know, go buy antivirus software.  Right?  So this creates a market niche for all of these companies that sell antivirus software where they don't make money if there isn't a problem.  Right?  So if this problem gets cleaned up you got big companies like SYman oe c and mak afee.  They don't have any business interest in the problem getting cleaned up.  So this is a difficult area.  It is one that there needs to be more political will.  In many countries there has been political will exercised to band smoking in a lot of places but good for public health.  So they make the difficult step of banding smoking in restaurants and banding smoking in the workplace and we need to have the similar level of effort like fighting the cigarette companies they are a big company that have the interest in the sta us to quo and will be very unhappy if things get cleaned up. 
    Other questions?  All right.  Why don't we call it an end to the session of the day and I will stick around here if anybody thinks of last minute question before they leave.  Thank you all very much.  And good evening. 

(Session concluded at 1814 CET)