It's not to mean anybody's less smart, it's what we're smart in. Because I'm really impressed with the speakers here and some of the people I'm hearing discussing things, technology and such. I learn a lot from these things. So I'm not claiming to be like the number one hacker, I think someone else tried that and let's not go there. Actually I think I checked my number for hacker, it's an irrational number. Moving along. Okay, we're ready. Cool. Alright, basically working title, when domain names look like spaghetti or whatever. Now, this is an emerging issue. So if you haven't seen some of the stuff I'm talking about, don't worry. You haven't missed things. It's something that may be a little ahead of the curve in the United States. But you're likely to see it if you're dealing with anything crossing the globe, international stuff. Okay, introductions about me, about the presentation. Okay, one of the big things I do is open source intelligence. I do some of that at work and also I do it as a, if you will, professional avocation and hobby. I'll dig into stuff, like something hits the tech press, the news, and I don't like just taking what they say. Like there are things being about certain hacker tools or criminal hacking tools. You know, say in Russia or such, and the press might say one thing, I try to find out a little bit more what's going on. Is this something that's being hyped or whatever? So it's open source intelligence in the network world and the alphabet soup reference, if you notice that bowl has some interesting acronyms. You know, TCPIP, SNA, et cetera, et cetera. Because I dabble in languages. I love languages. I grew up with Latvian as my first language, then learned English, a bit of French, German, a bit of Yiddish, Hebrew, working on Arabic and Russian. I'm not fluent in them. There's a five-year-old kid from Lebanon or from St. Petersburg will outtalk me any day of the week. I'm hoping to get really good at it. 
But for navigating my way around the network world, I can deal with it. The one hazard is that a couple of things happen. One, alphabet soup sometimes is just a meal. There's a classic Frank and Ernest cartoon showing the two characters in a CIA cafeteria, one staring intensely at his bowl of soup. The other's going, Ernest, it's alphabet soup, not a code to crack. But that's an occupational hazard. Now, you haven't seen my keyboard. You're welcome to come and look at it afterwards. But this is a little snippet of my keyboard. I don't know how clearly you can see it. But it's equipped to do Hebrew, Arabic, as well as Latin alphabet. And I can also do Cyrillic. I just don't have room to put extra characters on my keyboard. I call it the keyboard that's going to get me in trouble when I travel internationally. One border or another's going to say, you have what on there? Now, this presentation is the outgrowth of an article I wrote for Digital Forensics Investigator News back in July. And that article actually was an outgrowth of my interest in languages, my interest in information security, and the network world. Because I see a lot of things going on across borders, transcending borders, be it good things. There's some great projects going on across the world. So it's not all bad. In fact, there's a lot more good out there. But there's also some bad stuff. And there are some new developments where certain assumptions we've had all these years, comfortable assumptions for us in the English speaking world. You know, like, oh, everybody uses a standard QWERTY keyboard. Careful with that. United States, UK, you're OK with that. You start to get into certain parts of the world, and it gets interesting, quite interesting. So the overview, I'm going to show some information about internationalized domain names in the wild after explaining what that means. ASCII compatible encoding, such as Punycode. That's very useful to know about.
Going to look at some of the challenges of IDN for investigators and analysts. By the way, investigators can also be people just trying to check out some things that are coming in on spam or something I found in this programming code. It looks like obfuscation. But I'm not sure. You might encounter it that way. I'm going to look at how some of the common net tools handle IDN or don't handle it. Finding whois info for domain names with IDN. And at the end, the issue I found, the most discussion about IDNs in the security field has been something called homograph attacks, using lookalike characters. Interesting enough, the biggest volume of IDN discussion is marketing. When I go looking online, I go to various forums. Most of the people are talking about how to use these non-English, non-standard ASCII domain names for marketing overseas. Quickie terms. Labels. If I refer to a label, it's a part of a domain name or a URL. Like the www.dojocon.org is a label. The dojocon is another label. .org is a label. The .org is a top-level domain. Then we have country code top-level domains. For right now, most people have seen things like .uk, .ru, .de, .us. We're very comfortable with those. It's easy telling what country is associated with that domain name. It gets interesting now. IDN, internationalized domain name, is a means of making domain names that can have letters that are not your usual standard ASCII. This is to suit local languages and scripts. Unicode, I'm not going to go into detail, but Unicode made a lot of things possible for working across languages. What was it? Late 80s, early 90s for Hebrew studies, for studying the Hebrew scriptures. I had to get special software for the PC, had to use code pages. It got very crazy. When you tried to work with multiple languages, you want to do Hebrew, Arabic, Russian, and English, you had to juggle a lot of things. Unicode came along and it gave a way for encoding characters, code points for all kinds of scripts.
You have, most obvious, of course, a regular ASCII for Latin alphabet, extended ASCII for different characters, Cyrillic, Arabic, Greek, and so on. ACE, ASCII compatible encoding. Because not everything we use for connecting the networks, much of it doesn't understand Unicode. It's built in the days of ASCII. So ACE was a method to make encodings that could be turned back into Unicode. You could take Unicode, turn it into an ACE and come back to Unicode. Punycode, RFC 3492, describes the process. I'm not even going to try to describe how it's done. It's rather arcane. There's probably some savant out there. You can throw them anything and they go, oh, yeah, this is XN dash blah, blah, blah. So these are the terms. Now, I'm going to take a little simplifying step back. Phone books. I know they're disappearing. A few years from now, people are going to go, what's a phone book? I just used a computer. I used my mobile device. But phone books, those quaint paper items. Even if you had a phone book that had the usual English. But the phone company decided to extend it more, make it more user friendly for ethnic communities, for emigre communities. And so Ivana Petrov could have her entry not only in English or Latin characters, but also in Cyrillic. Ahmed Youssef could have it in Arabic and so on. Someone could have it in Korean. The Chinese restaurant not only has an entry in the Latin alphabet, but also to help Chinese people find that restaurant, has it in Chinese, both simplified and traditional. Chinese gets very interesting for encodings. And some people might go, oh, man, what's going on? I'm getting confused. Well, first of all, you have the phenomena that a lot of people would have entries in Latin as well as a foreign language. But the biggest item is they're still united by the phone numbers. The number does not change. Now coming to the network world, on the machine level, Unicode is there. It's the same Unicode.
When you're dealing with binary, the hexadecimal, it's the same things you've been dealing all along, as long as you know about Unicode. For internet communications, you still got the IP, TCP/IP and all that. Your biggest factor is going to be IPv6, but that's independent of all this going on. Domain names now come in many sizes and shapes. There was some interesting place called dojocon.org. That's a very typical .com Latin alphabet domain. The register.co.uk is a good example of something that has a country code .uk. The next one, gindi.com. Gindi.com belongs to an Israeli land real estate firm. There's a good example. .com Latin alphabet. The first part, first label is favorite in Hebrew. The next one I'm not even going to try to pronounce. My Korean does not go beyond food names and things like onion, casale. Then you have a site about beer. What is it? Pitnaya.erev in Russia. Totally in Cyrillic. Next one is an Arabic IDN. Both the top level domain and the site itself are in Arabic. Now if you got something like that, you found on a slip of paper, say, dealing with some sort of thing going on, someone had it in a text, you might be going, what is this? This looks like spaghetti. What country is it associated? You might know it's Arabic. But if you don't read Arabic, where does it go? How do you even use it? I mean, first freak out might be, how do I type it in? We'll get to it. Or people will contact me, hey John, John, what's going on with that? As to.edu.cn is a Chinese, I forget which university, something like Shantung University. I showed that because the next one is in Chinese. That's a live domain name for that university. And the last one is an example of Punycode. How many of you have seen a Punycode? The XN dash dash followed by what might look like, I don't know, you might have tried it out, you might have trouble seeing it, but it's like XN dash dash followed by letters like P, SS, C, etc., etc. Okay, no one's seen them yet. Okay.
Maybe either very early on this or maybe fortunate in some ways. But that is a rendition. That's an ASCII compatible encoding of that Chinese domain name. This is just to show that these things aren't just like somewhere in the esoteric networking. The lighting's poor, but the arrows are pointing to that Hebrew .com, that gindi.com web address on a billboard in Israel. Now, that makes it a lot easier. Now, someone might wonder, well, if they can do the WW and the .com, why have the Hebrew or whatever? Well, one of the reasons can be you might connect the name more easily to typing it out in Hebrew than thinking, how do I transliterate the name? Good example in Arabic. Oh, thank you. Is it Jamal or Gamal? It's like there's certain letters and things transliteration can be very interesting. All right. Where things got really interesting, up to May of 2010, you could do the .com, .org type of IDNs where the other label was in a non-ASCII form. What happened is in May 2010, after ICANN went through a whole process, first four countries came on board where they could register domains under top-level country code domains in their own native script, United Arab Emirates, Saudi Arabia, Egypt, and the Russian Federation. One of the reasons for three Arabic countries was that there's a big interest in getting Arabic as the first type of script covered because it covers a lot of countries in the world. Russia is also a big country, but it's pretty much one country. The Russian Cyrillic does open the way for other countries that use Cyrillic. For example, Serbia is coming on board. It's got its own Cyrillic top-level domain. John, I have a question. Sure. Are the Arabic TLDs, are they written in reverse like languages? I noticed you have the name and dot. Oh yes, good point. I'm glad you asked that. There's a slide later on that shows it. This is one of the things that can really confound things because there's the beginning. That's Amarat. You read it from here this way.
Same thing for Saudi Arabia. This is Asaoud. Russia reads just like regular Latin languages and Masa for Egypt. This is part of the thing that can make it really fun, and we'll get to it. By the way, thank you for asking questions. I was concerned that at this late hour in the day, I would hear the thumping of heads hitting the back of the chair in front of them. Good audience. This summer has been a busy summer. Chinese country code top-level domains are on the fast track, and some of them are live. PRC got two. Oh, Chinese is an interesting one because Chinese characters can be encoded two ways on computers. Traditional, which is a little more fancy scripted and more modern, simplified. I'm not an expert in Oriental, Far Eastern languages, so don't ask me further on it. One thing I will answer. I have heard that before IDNs came out that some students in Chinese universities along with sysadmins had set up private IDN-type networks because you can do the DNS, you can set it up and route it. It was just not accessible to the world, but among the university folks, it worked very nicely. More Arabic IDNs came up. Another script that's a little more exotic for many people in the West, Thai script. For Thailand, Sri Lanka has its own writing. This is not any disparagement. My first glance at the writing for Sri Lanka, I thought, oh, this reminded me of Klingon writing, being a Star Trek fan. It's more a reflection of my geekdom than on Sri Lanka. I looked at the database this morning and I counted with my bleary eyes 15 IDN top level country codes listed. There are also test ones too. I'm taking a quick look, showing some things from Google's search. You can do copy and paste, but you have to be careful how copy and paste works. With right to left languages like Hebrew and Arabic, what happens is you start highlighting the cursor moving. If there's another type of character, like a period, left to right type of character system, the highlighting suddenly goes weird. 
You have to make sure you got everything. I did a few searches. One of the things I was looking at is how many hits I got by doing a site and then the top level domain. For Egypt right now, it's about 7.5,000, 7,500 hits. Okay, it's a start. China, this is a people's republic of China using, what is that? I'm not sure if simplified or traditional, got 113,000 results. Russia is very interesting. That's been a fast growth. It actually was a little surprising because many Russians I had heard from were sort of skeptical like we don't want to be backwatered from the rest of the world. There was a worry that if people were locked into a Russian only type of network that they'd be more isolated. It's picked up, especially November 11th, the Russian domain registry allowed people, non-governmental entities to register. I think within three hours, 100,000 registrations were done. By November 18th, it was as I recollect, half a million. People have registered things for advertising. The second hit is actually for one of the major petroleum and gas, natural gas. Gazprom is a biggie there. That's not supposed to happen. That's known as hit the wrong key. My life is flashing before me at least in the past few minutes. This is without the after hours belts of vodka and such. Just if anyone is heading up 95, I will be driving up that road to go back to New Jersey, but I'll be sober. Okay, I was there, and Pony code. DNS, as I mentioned before, uses Pony code. It translates those Unicode characters. If it encounters things that aren't your traditional ASCII, for lack of a better term, it will translate them into Pony code, which you see that XN below. By the way, for knowing where the domain's top level domain is, one of the advantages of Pony code is that it reads just like a regular Western text from left to right. You look at the first label, okay, there's a dot. You see an XN again. Okay, that is the top level domain. 
Even if you don't know which one of these two labels here is top level domain, you've got this. Very important. The distinctive trait of Pony code is that XN and two dashes. Very important. And I emphasize this. This is one thing I wish I had thought of when I wrote my article back this summer, is if you're doing any investigations or documenting anything involving IDN, get a copy of the Pony code and I'll tell you in a moment how to do it. But get the Pony code and keep that on hand, because that is less likely to get mangled by our applications, by our tools and such. And let's see, there it is. Pony code, here we go. There are several tools out there. I found one in Germany I liked, but this one, very side, domain name services, has a nice converter and in fact you see me having done a little bit of work there. I plugged in some Chinese domain name and let it convert and there's a Pony code. They say you can do a whois query, it might not work. If it's an IDN with a dot com, it might work. But some of these will not work. But at least this way you got both. Or the other way around. You got a Pony code, I'm wondering what it is, plug it in and you'll be able to use it. By the way for web addresses and such, contact me via contact info, I'll give at the end. And I'll be glad to send you more info on it. There we go. There's a picture of that same tool I was showing a moment ago. Problems and challenges. First realizing it's a domain name. It's like you might see it somewhere like the Arabic or the Thai or others and you're not sure, is it a domain name or what? If you see an HTTP colon slash slash, at least you know, okay, this is a URL. Or you might see an at sign, email addresses are coming. The big challenge is email clients. They're not ready to handle IDN quite yet. But that's going to come. So someday you may see an email from overseas that might be totally Cyrillic except for the at sign and the period. 
So but the other problem as we saw with the Arabic ones, which end is the CCTLD? Which one is the country code? There's a cartoon, it's a little gross, someone picks up one of these furry dogs that looks like a big ball of hair and is about to bring it to face and here's a barking from the other end. It's like oops, didn't know which way it goes. It can be messy at times. Okay and there's a little Arabic English pun. Well in what country of registry? Same problem. Like you don't have the nice.ru,.de and so on. And sad because I couldn't find the sod key. It's an Arabic English pun with that letter. Which is how do I enter that Unicode? I have a computer set up, I can do several languages. But if I had Chinese before me, I can't do it. You know that can be a big hurdle in some cases. It's, if you have it in electronic form, little friends known as copy and paste can be of help. But if you do that, make sure you have highlighted the whole thing. Especially with certain languages because the highlighting can go very weird. And that's where the next item comes in. Many tools don't work correctly with some IDNs. And at the end I'll be covering homograph attacks. That's been a big concern among the people. Although there's others say it might be hype, a bit of fud. This is a fun with right to left URLs. All right, this is a live URL. Okay, there's a protocol. All right. It's a TTP protocol. All right, that's easy enough. Go from left to right. Oh, wait, what happens here? Oh, we start here and go this way. We go right to left. Oh, their file structure on the server has naming in Latin. And you now go left to right. By the way, a little hint. If you ever deal with trying to figure out some of the foreign websites, like how they're set up, because the language of technology is still dominated by English. Look at the links. Look at the URLs they point to. Like you might not, which link is for a forum? You can't figure it out. 
Then you look at the URL being displayed in the status bar. Oh, it's slash forum.asp or PHP. No problem. Downloads. Sometimes I find that happens. You can figure out how these sites work. Again. Yeah, in the dark. So you're getting a slight preview. Okay, come on. The computer is running slow. Good. All right. That looks like where we were. Not all our tools are IDN ready. I have a question for the IDNs, I guess. So you said that when you go from one of the Chinese or any of the Nuggets, then the DNS translates that into the Punicode. Exactly. I don't know if it's XN dot something dash dash XN and then like five or six characters. Now is there a converter? Yes. The converter I showed. You can put that Punicode into something I can read? This is a little, oh, okay. Yes and no. That very same page and similar tools I showed. You can put the Punicode in and it will render it back to the Unicode. But if the Unicode is something you can't read because you're not used to the language, the closest thing you can do is actually go to Google Translate or any similar translator and put in at least get an idea of what the name means. But the Unicode is what the domain name is. Only thing after that is you can go to things like IP addresses related to that Unicode, to that domain, to that IDN. But what they mean, this slide simply was a little foray into Windows CMD CLI, which I try to avoid when I'm dealing with this type of issue from command line because Windows command line is not Unicode friendly, this type of thing. Will render boxes or little question marks if I put a domain name that's in Cyrillic. You have to give it a change code page command. You have to change the code page to 65001 for it to handle Unicode. Oh, and then also you have to change the font because normally the default is Rastro font, set it to Lucidia console. So I rather work with this type of stuff in Linux or other operating systems. And a moment I'll... Okay. 
I have some already prepped into the history rather than trying to type in the dark or copy and paste. But I copied and pasted from that earlier Russian site's lookup from Google, the Gosprom.url. Now here's, I mean, domain name. I hit enter. This is a problem. It can't handle it. So don't bang my head with a microphone. That act has already been done. I'm going to that VeriSign page and I just put in that Gosprom, making sure the type is clicked for native characters, hit convert. All right. It did it. Now I take the results and make sure I get that whole thing, that XN, dash, dash, et cetera. And a copy. Now we've got something. It works. This will also work with other commands like ping, dig. You can... And even whois it will work. I'll get to that in a moment, but I just wanted to show you something with these commands. Now you know how to complain about the Russian gas bill. Yeah. Interesting enough, the one exception with the Unicode I found lately, depending on the country upon the registry, you can also do it with the Unicode. But most of the commands we use, dig, NSLocop, ping, traceroute, they really work with the Pony code. A few years from now, they might do the conversion on the fly. They might just realize, oh, this is what you're trying to do, handle it all, and no problems. But our tools, it's still young. This is a new thing for many of us. And I'm not going to go through all of them, I just showed you the basic principle. You can use a Pony code with the common tools. Whois can be tricky at times. It depends on things like who's handling the registry and other factors. So if you do have trouble, have options, one of them is you use a Pony code, you can use NSLocop or other tools, get the IP address associated with it. And then you can do a whois on that IP address, find out what block it's in, find out the contacts, et cetera. So if you do get Russian spam, and that's one of the things I tend to get at work is Russian spam for some strange reason. 
It's like, oh, give it to John, he'll figure out what it's about. It's good fun. Some of it, nothing really, no porn spam, interesting enough. I guess, I don't know what that says about my employer's profile. Things like selling goods, services, moving stuff. Another option is the IANA. It's got a database that is very handy. This is going to be a little difficult seeing because they love to use this light blue text. This stores the root zone information. You have the active IDN CCTLDs listed there. Oh, it actually shows up better over there. You can see them, and they are linked. So let me pick on Russia. Nothing about Russia per se, it's just I know where it goes. It's not going to... Okay. The surface is... Okay. And IANA keeps a delegation record. By the way, that Pony code up there is the Pony code for the country code top level domain name. The label, that's the.RF in Cyrillic, Renner and Pony code. And you can find out coordination center, administrative contacts, technical contacts, but you go further, name servers, sub-domain info. And a sub-domain info can be very useful because it can give you URL for registration services and the whois server. By the way, if you use a registration server, registration services, sometimes that's very handy because they have a whois. Very often, just like ARIN.net, RIP.net and others, there's a whois field on their page. If you haven't dealt with foreign language sites, don't... Some people I know, they first look at it and go, I can't do anything with it. It's in Russian or whatever. Take a moment and look carefully at some of these sites, especially for these network administration sites. This is rather comforting. Whois. It's in Latin alphabet. It's the standard technical terminology around the world. And you can plug in the domain name in there. And they'll give you the whois info. Some of the text around it will be in their native language, but again, most of the core information is going to be in Latin alphabet. 
That's very helpful. Someday it might change and we're going to have a very interesting time. Very interesting time. I don't think yet anyone's going to send me for Chinese classes to cram. If they send me to a good Chinese restaurant, I might cram. More Mugu Gaikon. Yeah, we saw this already. And this is where I pulled up the Gosprom information. I just put a couple together, a clip from their page and the whois is on the right hand side. There it is in Latin alphabet. You know, domain names. Different information. No problem. Okay. And now we're coming into the last portion, the fun portion. This is like the optometrist. Is it better this way or better that way? Or better, oh, that's better. Are these character sets, are these sets of characters the same? By looking at them, unless you're a real font buff and there are font buffs, you know, who play names that font. Oh, that's, you know, that's Ariel. No, that's Verdana. You know, can you top this font? The actually, I can't even tell from here. Sometimes you can. Yeah, what did you say? The K? Good. Excellent. You've got better eyesight than I do and that's wonderful. But those are subtle. But the average person, if they saw these characters appearing in middle of a name of a site they consider trustworthy, they wouldn't catch it. It's not until you remember what I said that the underlying codes really are the things that you can really find out the truth. The first set. Ah, these are rather, this is hexadecimal. This is rather high. Zero, four, 10. This is not your normal characters. You're asking character values. The one below. Okay. The capital A is zero, zero, four, one. All right, that's more reasonable. So that can be one of the ways you can tell. 
If you were dealing with an examination, say, of suspect text files and you brought them up in a hex viewer or other tools, what I would love to see develop is a good plug in or some sort of function in browsers that could say, hey, you set your computer for English. You know that there's a mixture of English and Cyrillic on here. Maybe it would word it in something more user understandable, but it would warn you when there's a mixture. Because this is very easy to do on the computer level. The way Firefox and some others chose to do it is, oh, it's got Unicode in the URL, it got Unicode in the domain. Use punny code. So people might look up, oh, I thought that was PayPal. How come I'm getting all this X and the bleep-bleep light? And I'll give you that. Yes, Mark? Oh, oh, yes. Thank you. Have you noticed some applications that show the font differently? Like a while back I was trying to hide stuff in my Twitter post by using Unicode characters. And I noticed if I put it in Firefox, it came out looking pretty good. Hard to tell that it wasn't. But if I put it into Internet Explorer, or at least if I viewed the tweets in Internet Explorer, it was all jacked up. Have you noticed some applications that... I notice they vary. I'm not sure if that's done as a security feedback, or is it simply variable handling of Unicode and mixed character sets. That's a good question. I'll have to look at it. The only one I really was aware of is that forced punny code in the address bar for navigation. But in a moment I'll get to why that might not work as well. Oh, by the way, I admire these guys for their cleverness. That URL, I mean that domain name, is all Latin, but they did a visual pun. The first label is hacker in Russian. It's simply a translation of the English word hacker. There's another word for hacker when it's referring to someone who cracks into systems. What is it, Vizlom or something like that. But this magazine, it's a little bit like 2600. 
It's like an info security and hacking news magazine. I thought, cool. They hacked the language and in a good sense. Homograph attack concerns. Various people have raised it. One of them is Eric Johansson who raised it back five years ago at the SchmooCom. He had done a presentation. He showed how he registered a PayPal lookalike and how people could be spoofed out. He has another spoof homograph registration. You look up his paper, it's at the end of my DFI article. I have a link to his paper and his site. He's untied. You'll find more info. But a lot of people I knew on various cyber investigator lists, when they were hearing about the homograph attacks and IDNs, there was an interesting split among Americans and Europeans and participants on this list. Some of the Americans go, oh, man, people could do all kinds of horrible things. This is going to be horrible. The Europeans tend to be, maybe having omelettes and all the accents and all that, you don't sweat this as much. You had to deal with different languages. But there was such a big worry that substitution of lookalike characters would become common and how well the registrars would work to prevent obvious fraud. There was a lot of worry. But here's an interesting thing. The anti-phishing working group, Global Phishing Survey, first half of 2010, noted that the last true homograph attack they saw was in 2009. And that was a hotmail.net lookalike. But that's the only one. Their theory? Two reasons. Many fishers did not find it economically worth their while to go for registering IDNs, going out of their way, when what they were using already was doing quite a fine job. It's like, why change the bait when you're catching enough fish and you're fishing? And the other thing, how many people look up at the bar to see things like the Firefox warning you? It's like, you could have qcyh.net. Oh, I'll click on it anyway. It's giving me the video I want or a download I want, a codex, whatever. 
And that brings us to questions. Any? Okay, I see one person there. How do you take directly from the Uniquote itself or is it part of some type of database that it's pulled from? It's derived. It's an algorithm. And the RFC that I mentioned briefly, if you look at it, it describes the algorithm. It's not one I can do in my head. That's why I made that comment about a savant. But there's a whole algorithm. I can't compare it to hashing because it's not one-way. It's a two-way function. But it works very nicely. Yes? When did you say the Russian The government came on, oh, sorry. When did they come about? The government came on, oh, sorry. When did they come about? When did they come about? The government, the Russian government, the Russian Federation started issuing NF, the Cyrillic top-level domain registrations for its government sites back around May. But on November 11th, they opened it up for non-governmental entities and that's when there was a big rush. My first question is who is the page that shows the 7th grade is the government not including the 5th grade? Yeah, I think it's probably just the, oh, I can see another reason. And thank you for mentioning it because when you start comparing the who is for info and the IP address, you begin to find that the registration, the IDN, often overlaps its history with the Latin domain registration, the.ru. So this is where it gets a little tricky because if you do an NS lookup, say, using the Pani code like I did elsewhere for that Chinese university, I get an IP address. I plug it, do an NS lookup on the IP address and I get the Latin version of the domain name. So these often are interrelated. Now, a lot of the IDNs currently are being registered where I'm seeing you have multiple domain names pointing to the same IP address. You use either version and you end up at the same place. 
They could do something on the server which could detect how you came in, what links you used and figure, okay, you want it this way or that way. But there's a lot of overlap. Eventually we might see some places where someone wants to register a domain name, wants to set up a website, they'll just go for their local script. If their customers, if their audience is local and used to using keyboards of their type. The one thing that might slow that down are mobile devices. Because mobile phones, many of them aren't really built to handle Arabic or Cyrillic. They have a whole issue with what are called chat alphabets, like there's an Arabic chat alphabet. It's like transliterating your language. There's Russian versions of that, but that's a topic for another time. Any other questions? Oh, okay, way back there.
You had made a comment that in China they have been using some Chinese domain names internally. I just wanted to confirm seeing that as well. You had actually located some of the DNS servers, you could actually query the DNS servers with the Chinese characters. They've been with us for several years internally. Most of it is just the doc, the doc here.
Right, or the doc. For example, as a regular idea, Google before it really ran into trouble over there, some issues, little rivers, little mother spat. No one from Google here. If my Gmail gets a little readjusted, I'll know what. Moving along, looks like... Yes, Marcus? Oh, there, okay.
Do you know of any attacks using, I mean, not homograph effects, not the ones that look like the same, but any malware using the Russian or Cyrillic or any other language? Have you ever heard of that?
Not yet. Although I could see it as another layer of obfuscation for people examining malware, especially if it's likely that the people examining it will not really know Russian or they'll have to find someone.
Do I have anybody to see that in here? Is there anybody who's seen that before?
Cyrillic or Chinese or traditional, nobody? Have you ever seen malware like that? No. Yes or no? No. No? Seen malware using like... Different character sets. Different character sets. For the domains. No, I thought that when Eric made that statement in 2005 that they did something to hinder you from using different character sets as an attacking malware, like the next year, I think it was in 2006. I'm just thinking that as long as something can do it in a slip up, it can actually... It looks like there wouldn't be an issue for programs to use it.
That's an interesting question and I would like to see what happens. One of the things I will mention, Unicode itself has been used to obfuscate in the past and now it's better known. Oh, they're trying to do this to shape all the various tools. But there are a lot of creative people in the world and another thing which could happen is the implementation of the various network tools, the OS applications might have their own little glitches. Like, it shouldn't do that. Oh, yes it can. Yes?
I guess to tag off of what Marcus just said, wouldn't there be a problem on a Windows system trying to use another language or by default, can you use Cyrillic on a machine that's already programmed for an English layout keyboard in the English language?
Yes, I do it all the time. I can type in. My menus on my English Windows is still English. But if I want to type in text, I can... Well, actually, I'm not going to switch to Windows because it's... But you don't have to make any special changes like on the fly in order to use this, in order to change your keyboard over to input a Cyrillic character. It depends on how much you want to do. The easiest way... It might be an effective method anyway. The easiest way, if you just got a short run and you're sort of familiar with the language, just use a character map. Like I'm bringing up, this is a Linux character map, but Windows has one under Accessories, System Tools. So here is Cyrillic.
So you just double click and build your letters. You don't want to write your doctoral thesis in Russian using this. If you do, you're a very patient person. There's other attitudes. Yes. Yeah, that's another issue. One of the things I can show, just a picture, because I've done this... Let me bring this... I have a Windows Ultimate at home, and I can switch languages. I downloaded the language packs. What if you don't have a language pack? You can create a new character. You can also handle it. As long as it handles Unicode, it's just how you enter it. You'd have to also set up keyboards. You'd have to define if you want to get your keyboard working. There are settings. It's a control panel. There's languages and regional settings. A little too long to explain here, but here just to quickly show...
Can you also just do ALT and certain numeric keypad sequences to do it? It's a pain, but...
I haven't really done it for Unicode. I used to do it a lot for Extended ASCII. There's a way of doing it for Unicode also. I don't know enough in the numbers to be able to do anything with it.
By the way, what I brought up is a Russian desktop. One of the things that's very interesting in Windows of recent vintages, when you have it set for another language and you bring up Windows Explorer, your sections like My Music, My Downloads, My Documents will be in that language. The interesting thing is underneath, if you went into command line and did a directory, went under user and went under the person's ID, it's still in Latin alphabet. It's still... But to make it easier for the people using it, they sort of put a little translator. I'll show one more screen because this is both cool, but it can be disorientating to people. This is why I do it before people have too much to drink. Okay, this is an Arabic desktop. Not expecting you to read it, but what's the first thing you notice? Windows Media Center. Well, that's because it's a halfway thing. I didn't buy 100% Arabic.
It's with a language pack, but the start button, the menu comes off on the right-hand side because it's a right-to-left language and it does the same thing as Russian. Localize the labels. And... That's... Let me give you the contact... Oh, yeah. One more question. Sure.
Anybody sign a digital certificate with his...
I would imagine that would have to be a case. Yeah, I think they would have to sign it with the Punycode. They would sign it for the Punycode. I'd have to see how they handle the Unicode label, but Punycode would be the way to go.
That was my question. I think that's interesting.
Yeah, thank you for giving me another thing to look up because that is quite fascinating because this is adjustment. We're going through... trying to make it work for people around the world.
By the way, that was a truck I saw when I went to Security BSides. Slightly modified graphic, but it was actual company called Trojan Horse, which delivers on contract U.S. mail. Yes. Yes, this was like... I couldn't believe it. I'm driving up, trying to take a picture, hoping those troopers are coming behind me. There's my contact info. You definitely can find me on Twitter. That's my main medium these days. You can email me. Thank you, Marcus. [Applause]
I have one more comment. I was thinking that... I see a lot of people blocking dynamic DNS and all that stuff. Man, if somebody just started running dynamic DNS like that, and you just have some random Cyrillic or something, that would be quite interesting to see. Well, I guess you could block the IP address or whatever, but that would be kind of interesting to think about dynamic DNS in a different language. Proxy filter. What proxy filters?
All right, it was a long day. I appreciate everybody for coming. What we're going to do is... 9 o'clock is what I think we said. 9 o'clock, so go have some meat out in the community. I don't know where you're going to eat at. I've got to take myself somewhere to eat.
So 9 o'clock, make sure you get something in your belly first before you start drinking all these alcoholic beverages, you know? All right, so thank you very much for coming. First day is over with. And thanks. [Applause]