First published: 30th June 2008
The Hong Kong Domain Name Registration Company (HKDNR) has reacted to McAfee's damning and flawed report (discussed in this newsletter) with a hastily-prepared press release that is also stuffed with dubious claims and unverifiable statistics. Chief among these is the claim that there was a daily average of 38 cases of spamvertised and phishing .hk domains during 2007, and that this dropped to 3 cases (presumably per day; the wording is a little unclear on this) for January to May 2007. That would give about 456 cases in the first five months of this year; however, later in the release it states, "more than 14,000 ‘.hk’ domain names were suspended by HKDNR this year by the end of May" for spamvertising or phishing activities. Why did only 456 cases result in 14,000 suspensions?
Of course, it must be considered that a reduction in the number of cases does not, necessarily, indicate a reduction in the size of the problem. HKDNR's recent efforts, with OFTA, the Police and HKCERT, in clearing up the problem date from the implementation of the Unsolicited Electronic Messages Ordinance, when OFTA started accepting spam reports. OFTA soon found they were receiving many reports of phishing and spamvertising, which, strictly speaking, did not fall under their powers under the UEMO. Laudably, they decided to do something about it anyway, resulting in the cooperation and the domain suspensions. So, before there was a contact point for reports, there were no reports and, therefore, no cases. Does this mean that there was a precipitous increase in the problem when the UEMO came into force? Of course not. The headline, "Drastic Decline Proves Stringent Measures Taking Effect", is wrong: the figures prove nothing of the sort.
Proof would require an independent measure of the size of the problem to start with, and further evidence to demonstrate a causal relationship.
All this is a criticism of the press release: an ill-advised, knee-jerk reaction to a dubious research report published by McAfee. The cooperation between the relevant authorities: HKDNR, OFTA, HKCERT, the Police, and their overseas counterparts, has had positive results in cleaning up many dodgy sites, and should be encouraged and further developed.
One area for further improvement is touched upon in the press release: "document verification for suspicious applications of second-level ‘.hk’ domain names". This is covered by changes to paragraph 2.4 of the HKDNR's Rules, made February 2008:
All interested individuals and entities are eligible to register a Second Level Domain Name, except during the Soft Launch Period where the criteria set out in the Soft Launch Period Rules apply. We may, however, request the submission of any documentary evidence that we consider necessary to verifiy(sic) your identify in determining whether to accept your application for the registration of a Second Level Domain Name.
According to HKDNR's Customer Service Department, this involves a human vetting applications for suspicious features (including, but not limited to, the domain name using words like 'bank', '銀行', 'banco', 'banque', 'banca', 'b-a-n-k', etc.), and asking the applicant for additional documentation when suspicions are raised. Failure to produce the documentation would result in rejection of the application, before payment was made. Improvements to this would include:
- Receive the payment before the vetting is performed, no refund for rejected applications. This is reasonable because the fee covers processing the application, so processing should only start after the fee is paid, and it severely discourages cyber-criminals trying repeated applications until one gets through.
- Demand an explanation and documentation for ALL applications. This avoids the possibility of the vetting staff missing brand names or words in an unfamiliar language. Ordinary applicants will have no trouble explaining their chosen name ("yuikee is our company name") and, in most cases, documentation will be available (birth certificate, business or trademark registration etc.). The rest can be scrutinised more closely ("I'm an individual, my nickname is Banco").
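The vetting described above, written out as a small screening routine. This is an added example, not HKDNR's code: the watchword list, the normalisation that folds spellings such as "b-a-n-k", and the decision order (fee first, explanation and documents from everyone, manual referral on a match) are all assumptions drawn from the article's description.

```python
# Added example, not HKDNR's code: a keyword screen for second-level .hk
# applications of the kind the article describes. It folds case, width and
# separators so that "B-a-n-k", "b.a.n.k" and full-width letters all match.
import re
import unicodedata

# Words the article says the vetting looks for (illustrative, not HKDNR's list).
WATCHWORDS = ("bank", "銀行", "banco", "banque", "banca")


def normalise(label):
    """Lower-case, NFKC-fold (full-width letters etc.) and strip separators
    so that 'B-a-n-k' and 'b.a.n.k' both collapse to 'bank'."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    return re.sub(r"[\s\-_.]", "", folded)


def suspicious_terms(label):
    """Return every watchword found in the normalised label."""
    norm = normalise(label)
    return [w for w in WATCHWORDS if w in norm]


def vet(label, fee_paid, explanation, documents):
    """Decision for one application, in the order the article proposes:
    payment before processing, an explanation and documentation from every
    applicant, then closer manual scrutiny of anything matching a watchword."""
    if not fee_paid:
        return "hold: processing starts after the fee is received"
    if not explanation or not documents:
        return "reject: explanation and documentation required for all applications"
    hits = suspicious_terms(label)
    if hits:
        return "refer: manual review, matched " + ", ".join(hits)
    return "accept"


if __name__ == "__main__":
    # Constructed sample applications, not real registrations.
    for app in (("yuikee", True, "our company name", ["business registration"]),
                ("b-a-n-k-hk", True, "", []),
                ("Banco-Nick", True, "my nickname is Banco", ["ID card"])):
        print(app[0], "->", vet(*app))
```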
Those interested in discussing this topic further should note a public forum being held on Saturday, 14th June. As this is a topic that affects the trust and confidence in Hong Kong as an international business hub and financial centre, the organisers have wisely chosen to avoid using the most common language of international business, and one of Hong Kong's official languages: English, instead choosing to hold the forum in another of Hong Kong's official languages, Cantonese. This will, naturally, maximise the coverage in the international media that the fair and reasoned arguments presented during the forum receive. The forum details are:
| Item | Details |
|---|---|
| Organisers | Internet Society Hong Kong Chapter (ISOC-HK); Office of Sin Chung-kai, Legislative Councillor; Professional Information Security Association (PISA); Hong Kong Internet Service Providers Association (HKISPA) |
| Date | 14 June 2008 (Sat) |
| Time | 2:15pm – 5:00pm (2:15pm – 2:30pm registration) |
| Venue | Room 202, Duke of Windsor Social Service Building, 15 Hennessy Road, Wanchai, Hong Kong |
| Language | Cantonese |
| Participants | Members of the organisers and supporting organisations; first come, first served; free of charge |
| Moderator | Charles Mok (ISOC-HK) |
| Panelists | Mr. Leo Chan (information security industry); Mr. Jonathan Shea (HKDNR); Mr. Roy Ko (HKCERT); Mr. York Mok (HKISPA); Mr. Bernard Kan (PISA); Mr. SC Leung (IT Voice) |
| Registration & Enquiry | Email rsvp@isoc.hk with the following information: Name, Organisation, Company Name, Contact Email, Contact Phone # |