Aug 23 2010

Why cybersecurity experts can never rest

The Web threat landscape is becoming increasingly dynamic and opportunistic as hackers continue to adapt to new online functionality and trends, according to a report on online security from Zscaler, a security firm that specializes in cloud computing.

“While the goals have not changed, the techniques continue to evolve,” wrote Michael Sutton, the company’s vice president of security research, in the “State of the Web” report for the second quarter of 2010. “The attacks that we’re seeing are increasingly dynamic in nature, continually shifting locations and swapping out payloads to avoid detection.”

Attackers are using social networking functionality, exploiting current events and using techniques such as fast flux to quickly change the Domain Name System resolution for IP addresses, a tactic that allows them to evade blacklists that block malicious sites. The trends are not new, but they illustrate the continued threat posed by increasingly professional criminals with access to a growing kit of malicious tools available in the underground market.

“Attackers are quickly moving content to different locations in order to ensure that enterprises cannot simply protect themselves by blocking a specific range of IP addresses,” the report concludes. “It is clear that security vendors must be able to quickly adapt and inspect Web-based content on-the-fly in order to identify and secure against emerging threats in this continually evolving environment.”
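A defender can spot the fast-flux behaviour described above from resolver logs rather than from a static IP blacklist. The following is an added example, not code from the Zscaler report: the log format, the domain names and the thresholds are assumptions, and the heuristic flags names that resolve to many addresses in several unrelated networks with short TTLs.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed resolver-log sample, one answer per line:
#   <epoch seconds> <query name> <record type> <answer> <TTL>
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
1282550400 www.static-test.example A 192.0.2.10 3600
1282550460 promo.flux-test.example A 192.0.2.77 120
1282550465 lb.pool-test.example A 198.51.100.1 60
1282550580 promo.flux-test.example A 198.51.100.23 60
1282550585 lb.pool-test.example A 198.51.100.2 60
1282550700 promo.flux-test.example A 203.0.113.5 180
1282550705 lb.pool-test.example A 198.51.100.3 60
1282550820 promo.flux-test.example A 203.0.113.91 60
1282550825 lb.pool-test.example A 198.51.100.4 60
1282550940 promo.flux-test.example A 192.0.2.140 120
1282550945 lb.pool-test.example A 198.51.100.5 60
1282551060 promo.flux-test.example A 198.51.100.200 60
1282551100 www.static-test.example A 192.0.2.10 3600
1282551200 promo.flux-test.example AAAA 2001:db8::1 60
this line is truncated
1282551300 promo.flux-test.example A not-an-ip 60
"""


def parse_line(line):
    """Return (timestamp, name, IPv4Address, ttl) for an A answer, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "A":
        return None
    try:
        ts, ttl = int(parts[0]), int(parts[4])
        ip = ipaddress.IPv4Address(parts[3])
    except ValueError:  # bad number or bad address: skip the line
        return None
    return ts, parts[1].lower().rstrip("."), ip, ttl


def summarize(log_text):
    """Aggregate per-name statistics from the log text."""
    seen = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "ts": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, name, ip, ttl = rec
        entry = seen[name]
        entry["ips"].add(ip)
        # Group answers by /16 as a rough stand-in for "different networks".
        entry["nets"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        entry["ttls"].append(ttl)
        entry["ts"].append(ts)
    return {
        name: {
            "distinct_ips": len(e["ips"]),
            "distinct_nets": len(e["nets"]),
            "median_ttl": median(e["ttls"]),
            "span_seconds": max(e["ts"]) - min(e["ts"]),
        }
        for name, e in seen.items()
    }


def flag_fast_flux(stats, min_ips=5, min_nets=3, max_median_ttl=300):
    """Names whose answers rotate across many networks with short TTLs.

    The thresholds are illustrative assumptions, not values from the report.
    """
    return sorted(
        name
        for name, s in stats.items()
        if s["distinct_ips"] >= min_ips
        and s["distinct_nets"] >= min_nets
        and s["median_ttl"] <= max_median_ttl
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for name in flag_fast_flux(stats):
        print(name, stats[name])
```

The single-network pool in the sample is not flagged even though it rotates addresses with a short TTL, which is how ordinary round-robin load balancing looks; content delivery networks can still trip the heuristic, so flagged names need review before blocking.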

Legal inroads are being made against organized online crime. The Secret Service announced last week that Vladislav Anatolieviech Horohorin, known online as BadB, had been arrested by French authorities on U.S. federal indictments for access-device fraud, aggravated identity theft, and aiding and abetting. According to Secret Service officials, Horohorin was one of the founders of CarderPlanet, which the agency called “one of the most sophisticated organizations of online financial criminals in the world.” The site allegedly is operated by cyber criminal organizations to traffic counterfeit credit cards and false ID information and documents. The site provides a forum for purchasing stolen data and credentials as well as attack tools.

But criminals are resilient and continue to take advantage of current events, such as the recent World Cup tournament and Apple’s release of the iPad, and of new functionality, such as Facebook’s “Like” button. Zscaler described Likejacking schemes in which invisible buttons use clicks anywhere on a Web page to drive advertising by raising its Facebook profile.

The increasingly popular Twitter is also a rich target for phishing attacks as malicious third parties solicit Twitter account information with offers to increase the number of the account’s followers.

In addition, criminals are using search engine optimization techniques to drive malicious Web sites to the top of search results on major search engines, including Google, Bing and Yahoo, Zscaler found.

The United States remains by far the top country for malicious IP addresses identified by Zscaler in the second quarter, despite dropping from 62 percent of malicious addresses in April to 48 percent in June. All the other leaders are in the single digits. China and Germany were tied for second place with 7.11 percent each.

However, those figures likely say more about the number of computers and the rate of Internet use in a country than about where attacks originated.

Source


Aug 19 2010

NIST is nearly ready to pick the next hash algorithm

Developers of the 14 semifinalist algorithms for the new SHA-3 Secure Hash Algorithm standard will have a chance to defend their work next week at the second NIST candidate conference, being held at the University of California, Santa Barbara.

“We’re creating a record” on which to base selection of four to six finalists, expected to be named by the end of the year, said Bill Burr, manager of the Cryptographic Technology Group at the National Institute of Standards and Technology. “All in all we’ve got quite a bit of performance data. At this point we have a surprising amount of data on hardware implementation on all 14 candidates.”

Final selection of a new standard hashing algorithm for government is expected by early 2012, although that date could slip if additional analysis is needed, Burr said.

A hashing algorithm is a cryptographic formula for generating a unique, fixed-length numerical digest—or hash—of a message. Because the contents of the message cannot be derived from the hash and because the hash is to a high degree of probability unique for each message, it can be used to securely confirm that a document has not been altered. It also can be used to effectively sign an electronic document and link the signature to the contents.

SHA-3 will augment and eventually replace those algorithms now specified in Federal Information Processing Standard 180-2. The standard now includes SHA-1 as well as SHA-224, SHA-256, SHA-384 and SHA-512, collectively known as SHA-2. The standards undergo regular reviews and the decision was made to open a competition for SHA-3 in 2007 after weaknesses had been discovered in the currently approved algorithms.

Sixty-four algorithms were submitted to NIST in 2008, of which 51 met the minimum criteria for acceptance in the competition. The cryptographic community spent the next year hammering at the candidates, looking for flaws and weaknesses, and 14 algorithms advanced to the second round in July 2009. The 14 second-round candidates are BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD and Skein. Candidate algorithms are available online, and NIST has published a status report on the first round of the competition.

Next week’s conference will give the entrants a chance to address the results of analysis and testing over the past year. The conference is being held in conjunction with this week’s overlapping CRYPTO 2010 conference and the workshops on Cryptographic Hardware and Embedded Systems, being held by the International Association for Cryptologic Research at Santa Barbara.

Harnessing the collective brainpower of the cryptographic community to identify strengths and weaknesses of possible hash algorithms is the idea behind the competition. This is the third cryptographic competition conducted by NIST to select a standard algorithm. The first, to select the Digital Encryption Standard in the 1970s, drew just two submissions, only one of which was seriously considered. In the 1990s the competition for the DES replacement, the Advanced Encryption Standard, drew about 15 submissions.

With 14 semifinalists to hear from, the conference schedule will be tight, with each presenter having only about 15 minutes to address results of analysis over the past year and present an argument for moving to the final round. After a second year of testing and analysis by the crypto community, a final candidate conference is expected to be held in the winter of 2012.

Even when the field has been narrowed to about five finalists, doing an analysis of cryptographic tools that are expected to remain in the federal toolkit for years to come takes considerable time and effort, Burr said, and there have been calls to slow down the process and extend it beyond the current 2012 end point.

“I’m not inclined to do that, but I’m open to arguments,” Burr said.

The timeline for selection will depend in part on developments in cryptography and in attacks against existing standards, he said. NIST might have some additional breathing space in selecting a new standard algorithm because there has been little progress toward breaking SHA-2.

“There was a lot of fear about how much progress there would be in attacking SHA-2,” Burr said, but hackers do not appear to be focusing on that. “SHA-2 is falling, although more slowly than we thought.”

Source


Aug 16 2010

Debian 6.0 on Track for December Release

After several delays and many months behind schedule, Debian 6.0 appears to be one step closer to release. As of August 6, the testing branch is now frozen except for fixes and translation updates. This puts Final on track to possibly be released by the end of the year.

Neil McGovern, Debian Release Team manager, wrote in from DebConf10 in New York to announce this milestone for Debian 6.0. The freeze had been delayed until the Python 2.6 migration and the Glibc update were completed. Now only critical bug fixes, documentation changes, and translation updates will be accepted into the Testing branch as a general rule. This will give developers the opportunity to polish 6.0 for final release. The last two major versions have seen a four-month stabilization period before final release, allowing estimates that 6.0 will arrive sometime in December.

It was over a year ago that Debian developers had announced a fixed release schedule much like other popular Linux distributions, but scheduling freeze dates every two years instead of release dates. 6.0 was scheduled to be frozen in December 2009 with final release estimated for Spring of this year. The freeze was delayed at that time due to a large number of critical bugs, and while the number has decreased, it is still quite high at 554 affecting Squeeze. That number could very well delay release until early Spring 2011.

The upcoming release will bring some exciting changes. Startup, Debian’s version of Upstart, is a parallel booting system that will bring faster system starts. GNOME 2.30, KDE 4.4.5, Linux 2.6.32, X.org 7.5, GCC 4.4, and OpenOffice 3.2.1 are on the menu as well.

Live Squeeze Alpha2 was released July 22.

Source


Aug 16 2010

Farewell To OpenSolaris. Oracle Just Killed It Off

Oracle has finally announced its plans for the Solaris operating system and the OpenSolaris platform, and it’s not good. OpenSolaris is now effectively dead and there will not be any more OpenSolaris releases — including the long-delayed 2010 release. Solaris will still live on: Oracle is busy working on Solaris 11 for a release next year, and there will be a “Solaris 11 Express,” a product similar to OpenSolaris, but it will only ship after Oracle’s enterprise release.

Oracle had been quiet for months about its OpenSolaris plans, to the point that the OpenSolaris governing board was going to kill itself off this month if Oracle didn’t come clean about its intentions (but now Oracle has effectively put a bullet in its head instead). Then, earlier this month, the Illumos project turned its lights on as effectively a fork of OpenSolaris.

This Solaris road-map was done via internal Oracle e-mail communication, but since then it was leaked onto the Internet and can be found on the OpenSolaris mailing list.

Source


Jul 19 2010

Opening the Rackspace Cloud

Imagine a world where code used by the biggest clouds is freely available to any developer, anywhere. A world where that code was a standard used to build private clouds as well as a variety of new service offers. In this world, workloads could be moved around these clouds easily – you could fire your cloud provider for bad service or lack of features, but not have to rewrite the software to do it. Imagine an open source cloud operating system that lifts IT to the next level of innovation, just as Linux drove the web to new heights.

Today, we at Rackspace launched an ambitious project called OpenStack that aims to make this new world a reality.

I want to lay out the thinking that got us here and why we think this moment will change computing forever.

“The cloud” at its most fundamental level is all about a massive supply increase in computing power. The PC era was all about putting a computer on every desk. The cloud era goes a step further, putting the power of supercomputing at the literal fingertips of every individual at anytime. Whether it’s enabling a youth soccer coach to schedule practice across the online calendars of 18 families, or helping a scientist fold proteins to design new cancer drugs, or encouraging a frontline employee to instantly and cheaply test a new marketing campaign, the exponential growth in computing power and applications is changing every corner of our economy and society. And, this era is truly just beginning. We have seen only a tiny fraction of the potential gains that arise from cheap, ubiquitous computing power.

As this landscape has evolved, some have dismissed cloud computing as just a return to the mainframe era. This view is fundamentally wrong. Mainframes were available to only the smartest employees at the richest companies. The cloud is accessible to all, and usable by anyone, at low cost. Its ubiquity is the source of its power.

However, there is one area where mainframe concepts are intruding into the cloud – the vertically integrated technology stack. As hardware and software merge into services, the danger of locked-down proprietary software stacks is emerging in the cloud space. The cloud world changes everything, and that is not good to many entrenched interests of the old guard. Core technologies from operating systems to hypervisors to databases are being used to tie cloud customers into an integrated view of the world.

If the web has taught us anything, it is that open systems, portability, and choice drive innovation. The open Linux system brought us a mountain of software and tools to help accomplish almost any task. And, each component, whether a database or a widget could be moved in and out freely based on the job getting done.

We at Rackspace have long talked about an “open” cloud. And as a service provider built on our Fanatical Support difference, we have never had an interest in creating technical walls around our service. But, given that no standards tools have emerged to build massively scalable clouds, we too have had to build custom software that creates some level of wall around our cloud offerings. For months we have debated how to drive greater standards and increase the velocity of cloud technologies in general. We finally converged on the obvious answer: open source our cloud technology.

Today, we announced a new open source project that includes those core technologies: OpenStack. And, we are not alone. As we looked at all the projects that already existed to drive standards we saw that other efforts were underway that complemented what we have done. We saw a ton of promise in the Nebula computing project built by NASA and are making it a core part of the project. Taking the contributions of Rackspace and NASA as a starting point, OpenStack forms a powerful foundation of technologies including a scalable compute provisioning engine – OpenStack Compute – and a fully distributed storage engine – OpenStack Object Storage.

The community, which we plan to actively support and drive, is live today at openstack.org with code available for download.

Last week we assembled a strong group of cloud community leaders and developers to meet and review the architecture, engage on technology direction and contribute code. The effort attracted more than 100 participants from 25 companies including hosting companies, telecom providers, hardware manufacturers, cloud ecosystem companies and beyond. This enthusiasm and collaboration around OpenStack has laid the foundation for a vibrant and innovative approach to building the core software to power the future cloud world.

What do we expect OpenStack to mean for the cloud community? Some pretty major things. One, anyone will be able to run this cloud and do it anywhere. Enterprises and governments will be able to build private clouds. Service providers will have the same technology used by Rackspace and NASA to build new offers. Choice and portability are inevitable in this world. Two, the whole tech ecosystem can build around this foundation. With wide adoption, there will be a market for new services all around this core engine. From storage systems to monitoring tools to management systems, there is no end to what can be attached to the core project. Three, the cloud will advance faster than ever. Between just NASA and Rackspace, an army of developers are committed to the continued advancement of OpenStack. With our emerging supporters in the project, we expect to dramatically expand that army. Finally, a core set of standards will be freely available and totally open. New technologies can be attached. Better solutions will be driven into the product. And, the use of this powerful technology will not tie you to the use of any other technologies.

For our customers, we think there are many benefits that flow from these community gains. Not only will this help our offers develop faster and more transparently, but our customers can run private editions of our core systems in house or in our managed hosting operation.

We could not be more excited about the launch of this project and the enthusiasm around it. As a company that has invested a great deal in the development of cloud technologies, we did not take the decision to open source lightly. We think this decision will serve our interests and those of our customers. While we at Rackspace hire top developers and engineers to make sure our technology is second to none, seeking a technology advantage has never been our approach. We have our own vision about how to deploy this technology and serve customers – by giving them seamless access to scalable computing with the trusting partnership that comes through Fanatical Support. But, there will be many approaches and winning formulas. We think by welcoming those approaches and driving standards and more rapid innovation we will all win.

We hope you join us in this cause. We know there are many parties who might want to join us in the effort; please reach out to us.

We look forward to updating you as we make progress.

Source


Jun 17 2010

DNS security reaches ‘key’ milestone

The dream of bolting security onto the Internet’s Domain Name System takes one step closer to reality Wednesday as Internet policymakers host a ceremony in northern Virginia to generate and store the first cryptographic key that will be used to secure the Internet’s root zone.

This key ceremony is one of the final steps in the deployment of DNS Security Extensions (DNSSEC) on the Internet’s root zone. DNSSEC is an emerging Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

“The key ceremony will generate the master root key, the key that signs all the other keys,” explains Ken Silva, CTO of VeriSign, which operates two of the Internet’s 13 root servers along with the back-end systems that power the .com and .net top-level domains. “This is being done a month before the actual roll-out of DNSSEC so that we have a valid key and that we can test with it.”

DNSSEC is being deployed across the Internet infrastructure, from the root servers at the top of the DNS hierarchy to the servers that run .com and .net and other top-level domains, and then down to the servers that cache content for individual Web sites.

Once it is widely deployed, DNSSEC will prevent cache poisoning attacks, where traffic is redirected from a legitimate Web site to a fake one without the Web site operator or user knowing. Cache poisoning attacks are the result of a serious flaw in the DNS that was disclosed by security researcher Dan Kaminsky in 2008.

Today’s key ceremony is being hosted by the Internet Corporation for Assigned Names and Numbers (ICANN) in a secure data center in Culpeper, Va., outside of Washington, D.C. A similar key ceremony will take place in Los Angeles in early July.

The key ceremony will demonstrate the set of procedures that the Internet engineering community has created to generate and store keys for the root zone in a secure way. Attendees will include ICANN staff and DNS experts from around the world. The key generation and storage process will be audited.

“People from all over the world will be part of the process of creating the key for the top level of the DNS,” explains Steve Crocker, an Internet security expert and CEO of Shinkuro. “They will witness and be able to report that the proper procedure was carried fairly and scrupulously.”

The two key ceremonies are among the last steps before production-scale deployment of DNSSEC on the root zone, which is scheduled for July 15.

Between now and July 15, the root server operators will conduct additional testing of DNSSEC.

“We’re testing as many possible corner cases that we can imagine,” Silva says. “We’re trying to test every permutation of key sizes, key roll-over, key expiration and all those kinds of issues. We’re testing to see how the system responds and whether our monitors and detection can catch those sorts of things.”

Silva says the testing is going well, thanks to new monitoring capabilities that were added to the root servers.

“We’re very pleased with the additional monitors that we put in the root infrastructure,” Silva says. “There are a lot more parts in the root zone now. We have keys in there. We have trust anchors in there. There’s a lot of new material in the root zone, and the traditional monitors were making sure that names were consistent and the syntax was right. Now we have additional information, so we’ve expanded the monitors to look for expired keys, invalid keys, keys that have not been properly signed and all of those kinds of things.”
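One of the checks mentioned above, catching expired signing material, can be run against RRSIG records in zone-file presentation format (RFC 4034), whose expiration and inception fields are `YYYYMMDDHHmmSS` timestamps in UTC. This is an added example, not VeriSign's or the root operators' monitoring code: the records, key tags and signature placeholders are constructed, the three-day warning window is an assumption, and the signatures themselves are not cryptographically verified.

```python
from datetime import datetime, timedelta, timezone

# Constructed RRSIG records (presentation format, RFC 4034 section 3.2):
# owner ttl class RRSIG covered alg labels orig-ttl expiration inception
# key-tag signer signature. "c2FtcGxl" is a placeholder, not a signature.
SAMPLE_RRSIGS = """\
; constructed sample for the validity-window check
. 172800 IN RRSIG DNSKEY 8 0 172800 20100729235959 20100715000000 11111 . c2FtcGxl
example. 86400 IN RRSIG SOA 8 1 86400 20100701000000 20100615000000 22222 example. c2FtcGxl
example. 86400 IN RRSIG NS 8 1 86400 20100820000000 20100725000000 22222 example. c2FtcGxl
example. 86400 IN RRSIG DNSKEY 8 1 86400 20100722000000 20100708000000 33333 example. c2FtcGxl
. 172800 IN RRSIG NS 8 0 172800 2010072 20100715000000 11111 . c2FtcGxl
"""


def parse_sig_time(field):
    """Parse the 14-digit YYYYMMDDHHmmSS form; anything else is rejected."""
    if len(field) != 14 or not field.isdigit():
        raise ValueError(f"unsupported RRSIG timestamp: {field!r}")
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Extract the fields the validity check needs from one RRSIG line."""
    f = line.split()
    if len(f) < 13 or f[2].upper() != "IN" or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {
        "owner": f[0],
        "covered": f[4],
        "expiration": parse_sig_time(f[8]),
        "inception": parse_sig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def classify(sig, now, warn=timedelta(days=3)):
    """A signature is valid only while inception <= now <= expiration."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now > sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn:
        return "expiring-soon"
    return "ok"


def audit(zone_text, now):
    """Return (line number, owner, covered type, status) for each record."""
    results = []
    for lineno, line in enumerate(zone_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or zone-file comment
        try:
            sig = parse_rrsig(line)
        except ValueError:
            results.append((lineno, None, None, "malformed"))
            continue
        results.append((lineno, sig["owner"], sig["covered"], classify(sig, now)))
    return results


if __name__ == "__main__":
    # Evaluation time chosen to match the constructed sample.
    check_time = datetime(2010, 7, 20, tzinfo=timezone.utc)
    for row in audit(SAMPLE_RRSIGS, check_time):
        print(row)
```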

Kaminsky bug drives DNSSEC

DNSSEC has gained a groundswell of support since the Kaminsky bug was discovered in 2008.

A handful of countries — including Sweden, the Czech Republic, Puerto Rico, Bulgaria and Brazil — already support DNSSEC on their country-code domains as does the .org domain for non-profit organizations.

The U.S. federal government is in the midst of deploying DNSSEC on the .gov domain. Next up are .edu, which will be cryptographically signed in July, followed by .net in November and .com in March 2011, VeriSign said. Once the root zone is signed, top-level domains that support DNSSEC can offer end-to-end security to their Web site operators.

“We expect a flurry of activity as people in Sweden, Brazil and other countries deploy DNSSEC,” Silva says. He adds that as much as 50% of DNS queries can support the DNSSEC standard due to default settings on popular DNS software.

So far, Internet security experts have seen no technical roadblocks to the deployment of DNSSEC from the root servers on down.

“It’s been pretty smooth,” Crocker says of the DNSSEC roll-out on the root servers. “I haven’t heard of any issues” that would delay deployment of DNSSEC on .com or .net.

Source


May 27 2010

Detroit Cloud Camp Covers The Latest And Greatest Online

Detroit’s first-ever Cloud Camp drew well over 100 attendees to Compuware Corp.’s 15th-floor auditorium Wednesday night to hear the latest trends in putting applications on the Internet instead of in individual computers.

Dozens of Cloud Camps have been held all over the world since the first in Indianapolis, Ind. 18 months ago. They’re billed as an “unconference” where most of the content comes from the participants themselves.

Wednesday night’s event began with “lightning round” five-minute presentations from several cloud computing experts. Kicking off the festivities was Bob McDonough, cloud computing lead architect from the Michigan Department of Technology, Management and Budget.

McDonough said the state excels at offering high-performance, highly available services — but also at a high cost. It’s looking at cloud computing for other applications where there’s a “good enough” service option, and to eliminate rogue cloudsourcing.

Why cloud computing? Simple, McDonough said — “Humans cost money.” Also, he said, it improves the state IT workplace to remove routine scut work from employees and give it to machines, reserving for humans work that is challenging and satisfying. Cloud applications are also fast and easy to deliver.

David Giard of Sogeti gave a brief overview of Microsoft’s Azure cloud application delivery system.

He said cloud computing makes sense financially, because you only pay for what you use, and from a flexibility standpoint, because applications can be rapidly scaled up in giant data centers if there’s a surge in demand — and dialed down just as quickly.

Cheng-Zhong Xu of Wayne State University’s cloud and Internet computing lab gave a presentation on the rising complexity of managing cloud computing, but said virtualization and the ever increasing power of data centers will help.

John Willis of Opscale spoke on the idea of treating an operations infrastructure as if it was code, while Kevin Dangoor of Mozilla Labs presented on Bespin, a Web site that’s a code development environment — essentially you can write your applications anywhere you can get Internet access, easing collaboration. Check it out at http://bespin.mozillalabs.com.

Finally, Compuware demonstrated a very cool application called Cloud Sleuth that measures Web speeds, a key ingredient in the success of Web-offered cloud applications. Research shows any response lag of any online application of more than four seconds frustrates users and costs its owner revenue.

You can put your own cloud applications to the test at http://www.cloudsleuth.net.

The event then continued with an “unpanel.” Leaders asked the crowd who considered themselves a cloud expert — four people raised their hands and were immediately dragooned into serving on the panel. Then the crowd was solicited for 10 questions for the unpanel.

The event was to conclude with breakout sessions on topics created by the crowd at the time, followed by networking.

More at http://www.cloudcamp.org/.

Source


May 20 2010

Ex-Hacker Adrian Lamo Institutionalized for Asperger’s

Last month Adrian Lamo, a man once hunted by the FBI, did something contrary to his nature. He picked up a payphone outside a Northern California supermarket and called the cops.

Someone had grabbed Lamo’s backpack containing the prescription anti-depressants he’d been on since 2004, the year he pleaded guilty to hacking The New York Times. He wanted his medication back. But when the police arrived at the Safeway parking lot it was Lamo, not the missing backpack, that interested them. Something about his halting, monotone speech, perhaps slowed by his medication, got the officers’ attention.

An ambulance arrived. “After a few moments of conversation, they just kind of exchanged a look and told me to get on the stretcher,” says Lamo.

Thus began Lamo’s journey through California’s mental health system — and self discovery. He was transported to a local emergency room and put under guard, and then transferred to the Woodland Memorial Hospital near Sacramento, where he was placed on a 72-hour involuntary psychiatric hold under a state law allowing the temporary forced hospitalization of those judged dangerous or unable to care for themselves. As the staff evaluated him and adjusted his medication, a judicial officer extended his stay, and three days became nine.

When Lamo was finally discharged to his parents’ house on May 7, he left the hospital with a new diagnosis. At 29 years old Lamo learned he has Asperger’s Disorder.

Source


May 18 2010

FBI CIO Unveils Next-Gen IT Strategy

The FBI has completed an agency-wide upgrade to its network infrastructure and is six months into deployment of a new Microsoft Office-based PC environment in its field offices. In addition, the FBI’s new case-management system, Sentinel, has begun Phase 2 pilot testing, despite delays that have pushed Sentinel’s completion into 2011.

FBI CIO Chad Fulgham last week outlined the agency’s IT strategy and progress in an interview with InformationWeek at the agency’s Washington, D.C., headquarters. It was the first time that Fulgham has given an overview of the agency’s IT initiatives since he joined the FBI in December 2008, after working as an IT executive in the private sector for Lehman Bros., IBM, and JPMorgan Chase.

As a first step, Fulgham last year reorganized the FBI’s Information and Technology Branch to make it more “business aligned and services oriented.” The IT Branch is comprised of a Management Division of program and project managers that work closely with the agency’s other departments, an Engineering Division that operates the FBI’s various networks, and an IT Services Division that manages everything from 26,000 BlackBerrys to the agency’s data centers.

Last August, the FBI hired a chief marketing officer, Stephanie Derrig, charged with bringing a more common look and feel to its various enterprise applications and facilitating uptake of those apps by agency employees. The IT Branch has created an internal portal, based on Microsoft’s SharePoint, with a page for every new product and service it offers.

The FBI has replaced its ATM/Frame Relay network with a new Cisco-based IP infrastructure that utilizes Multiprotocol Label Switching for higher performance. The new net, dubbed Next Generation Network, serves as a backbone for three FBI networks — the unclassified UNet, classified FBINet, and top secret SCION network — and extends to some 800 FBI locations. The network provides 45 times as much backbone capacity as the one it replaced, as well as doubling access speed at network endpoints.

The network replacement was a necessary precursor to the introduction of upgraded PCs that bring a range of new tools and capabilities to FBI special agents and other employees. The configuration of the FBI’s so-called Next Generation Workstation comprises Office 2007 and Windows XP running on a Dell PC with dual-core processor. As a cost saving measure, the FBI upgraded existing PCs with new hardware where possible.

The Next Generation Workstation brings instant messaging, file transfer, voice over IP, desktop video teleconferencing, presence technology, and Web collaboration to employees who, until now, have gotten by primarily with e-mail, phone service, and standard desktop productivity apps. The new workstations include 24-inch flat screen monitors, video cams, speakers, and headsets. Avocent KVM switches support toggling between classified and unclassified networks.

Fulgham described Next Generation Network and Next Generation Workstation as generational leaps in technology for the agency. The desktop environment is being rolled out initially to the agency’s 56 field offices, in what Fulgham said is a philosophical shift toward putting new tech tools first into the hands of employees in the field. The workstation rollout to field offices began last December and is scheduled for completion in July.

In other advances, the FBI is deploying a new identity management system based on Oracle’s Identity Manager; it’s replacing a bevy of management tools with systems management software from Hewlett-Packard and BigFix; and it’s introducing Cisco NAC (Network Admission Control) in lieu of internally developed network security. Fulgham said he prefers to use commercial software where possible for its built-in integration capabilities and ease of deployment. The FBI will use SharePoint 2010 to create a social networking environment on FBINet.

Fulgham also gave a status report on Sentinel, a $425 million project to replace the agency’s outdated case-management system with a new digital system that incorporates technologies from Adobe, EMC, IBM, Microsoft, and Oracle. In March, the Inspector General for the Department of Justice released a report warning that Sentinel, originally due for completion in 2009 and already behind schedule, was at risk of further delays and cost overruns.

Lockheed Martin is the primary contractor on Sentinel. In response to the Inspector General report, the FBI said it had advised Lockheed Martin to partially stop work on the project and that a new schedule for completing the four-phase project would be forthcoming. FBI director Robert Mueller, in testimony to a Congressional subcommittee last month, characterized the delays to Sentinel as minor and said he was “cautiously optimistic” that Phase 2 would be completed this summer. Mueller said he now expects Sentinel to be completed in 2011.

The FBI has yet to issue a revised timeline for Sentinel’s next two phases, but Fulgham said the agency’s Critical Incident Response Group has begun pilot testing Sentinel’s current capabilities. Those capabilities automate about a third of the paperwork and processes associated with the FBI’s current case-management system, Fulgham said. Over the next two weeks, Sentinel pilot testing will be extended to the FBI’s branch office in Richmond, Va., followed by its Tampa office.


May 12 2010

Internet approaches addressing limit

In less than 18 months there will be no more big blocks of net addresses to give out, estimates suggest.

Predictions name 9 September 2011 as the date on which the last of those tranches is released for net firms and others to use.

Everything connected to the net needs an “IP address” to ensure data reaches the right person or device.

Experts say that the net’s entire existing address space will be exhausted about a year after that date.

A newer scheme is being rolled out but many firms and countries are being slow to switch, experts warn.

Small pool

The net is built around version four of the Internet Protocol addressing scheme (IPv4) which has space for about four billion addresses. Its successor – IPv6 – has trillions available.

The continued growth of the net is tied to this pool of addresses.

While four billion was enough in the 1970s when the net was being set up, the growth of the world wide web is rapidly depleting this store.

The growth of the web has meant that only about 7% of these addresses, roughly 300 million, are left to allocate. This entire pool is expected to be depleted in April 2012.

In early May, the Internet Assigned Numbers Authority (IANA), which oversees the net address space, handed over two of the big chunks of remaining addresses.

The removal of these 17 million addresses from the global pool meant that the date on which there will be no more big chunks left jumped forward.

“This whole business of forecasting depletion involves a little bit of reading the tea leaves,” said Axel Pawlik, managing director of Ripe NCC, which hands out IP addresses in Europe.

“Ten years ago we said it would happen far in the future,” said Mr Pawlik. “Now we are all running around with iPhones, we’re in that future.”

While the cut-off date is 18 months away, some fear it will shrink as the pace at which addresses get used speeds up. Throughout the whole of 2009, IANA handed out eight of the big blocks of IPv4 addresses. In the first 100 days of 2010, it has handed out six.

Early planning

Trefor Davies, chief technology officer at business ISP Timico, said rationing of the remaining IPv4 addresses was already under way.

“You cannot just ask for more IP addresses,” he said. “You have to prove you need them.”

“The registries will not let you have more until your reserves reach a certain threshold,” he said.

While IPv4 and IPv6 can live alongside each other, anecdotal evidence suggests it is not a trouble-free union, said Mr Davies.

The process of translating one address into the format of another introduces a significant delay.

Unless more ISPs and others start to adopt IPv6 those delays could start to hit general web browsing, fears Mr Davies.

“It adds quite a lot of latency onto people accessing your network because it has to go through network address translation,” he said.

Mr Pawlik from Ripe said it had seen significant growth in requests for IPv6 addresses over the last few months.

“What we are not seeing yet is those IPv6 addresses being used on the internet,” he said.

IPv6 tracking services suggest that less than 1% of the net’s top one million websites run IPv6. Another statistic suggests that only 6% of the networks that form the net use IPv6. China is one of the biggest users of the new addressing scheme.

Companies are being urged to get working with IPv6 now, to forestall any problems caused by the shortfall.

“The key thing to focus on is the opportunities IPv6 brings your business before IPv4 runs out,” said Simon McCalla, director of IT at Nominet, which oversees the .uk domain.
