Day: April 17, 2020

The Internet Corporation for Assigned Names and Numbers (ICANN) has delayed a decision on whether to allow the sale of the organization that controls .org registrations to a band of private equity ghouls after the California attorney general’s office issued a warning

Domain names with .org suffix are used by countless nonprofits, in part because the nonprofit selected by ICANN to run the .org top-level domain—the Internet Society’s Public Interest Registry (ISOC/PIR)—has kept the cost of registration very low year after year. In theory, though, running that .org registry could be a cash cow to anyone who bought it and jacked up the prices, as nonprofits seeking the renewal of .org domains would be a captive market. Such an opportunity would be especially alluring as ICANN removed price caps on .org registration fees in 2019.

That egregious scenario appears to be in the cards with Ethos Capital, a private equity firm that came out of nowhere to offer ISOC $1.1 billion for control of the PIR, which would be converted to a for-profit firm. (While Ethos appears to only have two employees, it is backed by the tight-fisted goons at Perot Holdings, Fidelity Investments owner FMR LLC, and Solamere Capital, which was started by Mitt Romney’s son.) Ethos has sought to allay concerns with a series of meaningless commitments, such as limiting price increase to 10 percent per year for the first eight years, or approximately 214 percent in under a decade.

ISOC has more or less admitted that it considered the $1.1 billion offer out of greed, with officials telling the L.A. Times the number was so huge “we couldn’t just say no without considering.” ISOC has cleared the sale to move forward, despite the opposition of its own Chapters Advisory Council and the troubling arrangement that PIR would take on $300 million in debt as part of the deal, putting it under immense pressure to rapidly increase revenue. But one big catch is ICANN has to approve the deal or it might fall through. As Ars Technica noted, ICANN’s governance structure allows only limited influence from the internet community and it is subject to only lax regulation from the feds, while the Ethos deal involves several former ICANN officials, so any approval would immediately come under suspicion.

In a letter dated April 15, state A.G. Xavier Becerra—whose office demanded to see confidential documents in January—put everyone involved on blast. Becerra’s letter opens by citing his authority to regulate California-based charitable trusts and public benefits organizations, then cites elements of ICANN’s charter to warn the org that it “must exercise its authority to withhold approval”:

ICANN selected PIR as the registry operator for the .ORG top level domain because of PIR’s commitment to “institute mechanisms for promoting the registry’s operation in a manner that is responsive to the needs, concerns, and views of the non-commercial Internet user community.” If, as proposed, Ethos Capital is permitted to purchase PIR, it will no longer have the unique characteristics that ICANN valued at the time that it selected PIR as the nonprofit to be responsible for the .ORG registry. In effect, what is at stake is the transfer of the world’s second largest registry to a for-profit private equity firm that, by design, exists to profit from millions of nonprofit and non-commercial organizations.

According to the Register, sources with knowledge of the matter said that the letter had unnerved ICANN enough to delay a planned decision on the sale from April 17 to May 4. The California Attorney General’s office declined to comment on whether its investigation into the deal has turned up new information, citing the inquiry’s ongoing nature. But the letter makes clear that the AG has identified particularly troubling elements of an already suspicious arrangement.

“PIR and Ethos have failed to respond to ICANN’s questions regarding PIR’s financial picture after the sale,” Becerra wrote in the letter. “PIR maintains that its anticipated income will be sufficient to service the $300 million loan necessary to complete this purchase and maintain its level of operation. Additionally, as a for-profit entity, PIR will now incur tax liabilities, and its loan will be due in five years.”

“It is, therefore, disturbing that Ethos has failed to identify the new services it contends will generate the necessary revenue to cover those expenses,” he added. “While PIR currently has sufficient income for its operations, as a nonprofit it pays no taxes and is not saddled with a $300 million loan and investors who expect a rate of return.”

Becerra then questioned whether ISOC actually has a legitimate reason to sell the PIR, how the Ethos deal would actually solve those problems, and whether the process by which it agreed to the sale was in good faith:

There has been too little information provided about the sale process by which the proposed transfer sale was agreed to by ISOC. If ISOC was concerned about diversifying its revenue streams, what did ISOC do, if anything, before deciding to sell the .ORG registry agreement? Why did ISOC not conduct a competitive bid process for a new registry operator if it wanted a change in the registry operator? Did ISOC explore options other than a sale to a private equity firm, given that its nonprofit status was key to PIR becoming the .ORG registrar? What consultation, if any, did ISOC conduct with its stakeholders prior to proceeding with the proposed sale?

Furthermore, Becerra warned that ICANN’s arrangement with ISOC to handle the .org registry through PIR “contains a presumption in favor of renewing the agreement following its expiration,” stating that section “makes no sense” if PIR is converted to a for-profit entity.

“Empowering a for-profit entity that could undermine the accessibility and affordability of the .org domain, which serves nonprofits, should concern all of us,” Becerra told Gizmodo in a statement. “We’re urging ICANN to deny the request to transfer control of the .org domain to a for-profit private equity firm. In California, we’re committed to an Internet that serves everyone and we’re simply concerned that this transfer puts profits above the public interest.”

According to the Register, ICANN’s founding CEO Mike Roberts and founding chairman Esther Dyson wrote a letter to Becerra earlier this month accusing ICANN of hypocrisy and urging him to delay the deal by six months.

Becerra didn’t explicitly threaten ICANN or ISOC in the letter, but he did end the letter by reiterating that his office has jurisdiction to intervene.

“ISOC and PIR are charitable organizations that are accountable to their community stakeholders and to the public at large,” Becerra concluded. “… This office will continue to evaluate this matter, and will take whatever action necessary to protect Californians and the nonprofit community.”

In a statement on its website, ICANN acknowledged the letter but disputed that the deal would make PIR beholden only to the demands of its new private equity overlords.

“The Attorney General’s letter does not take into account the recent work that PIR has done to make the entity more responsible to the community,” ICANN wrote. “ICANN requested that PIR strengthen the Public Interest Commitments to ensure meaningful enforceability; a draft of the revised PICs has been provided to the ICANN Board.”

Last week saw the U.S. Senate join the ever-growing chorus of federal officials advising staff against using Zoom, with one top official calling the video software a “privacy and security concern.” And while there are myriad reasons to be concerned about the video-call platform—from the potential for foreign snooping to its issues with encryption, to, well, everything else—it looks like the turning point for some federal officials boils down to one thing: shitty teens.

But what, exactly, is allowing these shitty teens to troll members of Congress and others around the country? Turns out, in many cases at least, it’s just a bit of clever googling. More worrisome: The same search tactics for finding Zoom calls can apply to the company’s product specifically built for government use.

The “Zoom-bombing” problem hit a new apex last week when Ohio Republican Rep. Jim Jordan sent a memo to the House Oversight Committee, asking Chairwoman Caroline Maloney, a New York Democrat, to shut down the committee’s ties to Zoom. Jordan’s letter came less than a day after the Senate’s seargeant at arms warned the chamber’s members and staff to not use the service. The reason? Pranksters on the platform interrupting a congressional meeting. As Jordan wrote:

“[I]n spite of the warnings by the FBI and media outlets, on April 3, 2020, you held a Zoom-hosted Member briefing on women’s rights in Afghanistan with the Special Inspector General for Afghanistan Reconstruction (SIGAR),” Jordan wrote. During this important briefing, the session was ‘Zoom-bombed’ at least three times.

Jordan added that the impact of potential “hacking and malware” on the devices of meeting attendees is “still being determined.” But as most of the kiddie culprits behind these sorts of attacks will tell you, it’s ridiculously easy to find Zoom meetings to trash. And from a little bit of analysis, I found that the adage this doesn’t just go for the calls held in classrooms and among recovering alcoholics, but also for those held on Capitol Hill.

The case Jordan complained about is the first publicized instance of these attacks reaching the federal level, but attacks on local government have been happening for weeks. Trolls have reportedly descended on city council meetings happening across pretty much every state you can name, to shitpost porn, Nazi memorabilia, and presumably, Nazi-themed porn.

In response to these attacks (and others), Zoom beefed up its security practices, giving each meeting a virtual waiting room by default, allowing hosts to pre-screen potential participants and boot out any obvious trolls with names like “Ben Dover” and “Hugh Jass.” Though the threat of these pre-screenings—not to mention potential jail time—deterred a chunk of these trolls, just as many went and…. adopted benign names to sneak into these rooms the same way that they always had.

I’m not pretending to be a zoom-bombing scholar, but after kicking it with zoom bombers for about a day, I was able to figure out how a lot of these kids were finding these codes to begin with. The overwhelming majority come from tween and teenage students just passing their own class’s codes amongst themselves to screw with their teachers. A few of the more enterprising types created scrapers or bots to mine any invites to Zoom meetings off of major social platforms.

Another popular method, as it turns out, is “google dorking”—essentially using certain keywords in Google’s search bar to dredge up vulnerable intel from the web. Dorks (as these keywords are called) aren’t just the bread and butter of hacking aficionados or cybercriminals, but of certain investigative journalists, including myself—which means that I could theoretically “hack” into the same congressional meetings these teens were a part of.

So I decided to give it a try—not to bomb any meetings myself, but just to see if I could find where these asshats were digging them up.

Unless you take a few extra steps to bury stuff from search engines like Google, just about everything you post online is indexed and stored in a searchable, digital record. When it comes to sites run by folks that are a tinge less tech-savvy—like, say, the website of a given local government—knowing the right words to search can turn up anything from the site’s entire history, even if it’s hidden behind some sort of password protector. And as I’d found previously, all public-facing Zoom links share a similar searchable string—making it easy to find an endless buffet of upcoming meetings that have been posted somewhere online.

Gizmodo first reached out to Zoom about its Google dorking problem two weeks ago, but those inquiries went unanswered until today when we tipped them off to the fact that the same issue applies to Zoom For Government meetings.

“Zoom takes security extremely seriously,” a spokesperson for the company said. “Zoom is aware that in some instances where users have shared links to meetings publicly, they may be indexed by search engines—and we are working hard to de-index those links and have the results taken down.”

The spokesperson added, “We strongly encourage all users to not post links to sensitive meetings on public websites, and we recommend the use of password protection and virtual waiting rooms to ensure uninvited users are not able to join.”

To be fair, the reason that more than a few city municipalities had their meetings crop up in my search results was because they were using plain, vanilla Zoom. For the folks that have a bit more cash to burn—or a few more state secrets to keep under wraps—it’s more likely they’re using Zoom For Government, the elite offshoot that was endorsed by the Department of Homeland Security last year as a “secure cloud solution.” According to publicly available documentation, this branch of Zoom also counts other notable partners like the Centers for Disease Control, Customs and Border Patrol, and the Department of Agriculture.

Naturally, I assumed that the teleconferencing software of choice for the Pentagon and ICE would make its meetings a bit more difficult to find, but just like before, these meetings were only a few clicks away. Five minutes in, I’d found a few links for meetings held at the USDA, the NSF, and a handful of coronavirus conference calls hosted by the CDC.

It’s worth noting that none of these links were particularly juicy, so to speak—you’re (probably, hopefully) not going to be finding any internal meetings between the top brass in the U.S. military by poking around at Google search. But you will find calls aimed at the public: think USDA calls with local farmers, CDC calls with local hospitals, or NSF calls with local universities. In cases like these, the waiting room feature doesn’t do jack shit—if a Zoom bomber can fudge their name to sneak into AA meetings under the guise of a fake alcoholic, they can damn well do the same to sneak into a CDC meeting under the guise of a fake hospital employee, or a fake federal contractor.

In Zoom’s defense, a lot of this is out of their hands, since it’s the federal authority that’s putting these links out into the world for all search engines to see. But if the company can completely revamp its data center structure in the name of national security, the least it can do is tip off its clientele about what they might be accidentally airing on the open web.

It’s a good week to own one of Nvidia’s RTX graphics cards, especially with the ray-tracing showcase that is Minecraft RTX going into open beta. The RTX range and its AI computing capabilities can be used for a lot more than just games though, and RTX Voice is a good example of that.

In beta now, RTX Voice is a new plugin that leverages the AI processing power of the RTX line to accurately remove background noise from any microphone recordings. This can be something as subtle as your keyboard strokes to more prominent ambient noise present in your computing space. While useful for streaming games, RTX Voice is also compatible with productivity and video conferencing software, making it more broadly appealing during the COVID-19 pandemic.

The plugin creates a virtual audio device in Windows that can then be set as your primary input device. RTX Voice processes the audio from your microphone and removes noise in real time, injecting it into whatever app points to the new virtual source. While apps like Discord, OBS, and XSplit work with the plugin already, Nvidia says compatibility with Slack, Zoom, and more is possible. They’re supported for now, but might still have a few issues.

For RTX Voice to work, you need an RTX GPU of course (the cheapest of which is an RTX 2060.) From there you’ll need to have driver 410.18 or newer and download the official plugin from Nvidia. A short setup process later, which is well-documented on Nvidia’s website, and you’re good to go.

If you’re looking for more ways to spice up your Zoom meetings, check out a bunch of gaming and pop culture backgrounds you can grab for free here. And if you have an RTX card, you can download Minecraft RTX’s beta right now.

Got a news tip or want to contact us directly? Email news@gamespot.com