Collaborative approach to cyber-safety best policy

In December last year, the Modica Group published its official Vulnerability Disclosure Policy to encourage people to report any system security breaches they may find in our online systems.

This policy supports our commitment to making our online systems as safe and secure as possible, and resolving any security issues in a way that minimises risk and disruption for our customers.
Recognising that our services run in endless configurations and with countless applications, we believe the best approach is to work in a collaborative and co-ordinated way with whoever discovers the flaw.

We ask the security research community to give us the opportunity to correct any vulnerabilities they may find before disclosing them, as we do when we discover breaches in other systems.
In return for people acting in good faith and following our guidelines, we promise the information disclosed to us will not be shared with others without the security researcher’s permission.  We also pledge not to take legal action against people who adhere to our policies.
In fact, if a security researcher were to report a vulnerability that affects our services and infrastructure, we’d publicly give thanks, and in some cases, offer a monetary reward.

Google routinely pay out cash rewards from $100 – $20,000 to security researchers as part of their Vulnerability Reward Programme.

For decades research has shown the important role that researchers can play in keeping systems secure, and a collaborative approach is more beneficial than treating everyone with suspicion.
However, some companies have stuck to the tradition of treating security research activity as criminal.
In this article, a 16-year-old found a basic security hole that allowed him to access the personal details of 600,000 people.
But after reporting the flaw, instead of a thank you, the researcher received a visit from the police.
In the United States, Andrew Auernheimer, aka “weev”, is serving three-and-a-half years in prison for identity theft and hacking after discovering a hole in a website that allowed anyone to obtain email addresses of iPad users.

Google’s Vulnerability Reward Programme tries to prevent would-be samaritans from getting into trouble, with a clause stating they will often pay more to people who report faults early on, to prevent them digging around further.

Last year the New Zealand Internet Task Force released the first draft of the Responsible Disclosure Guidelines to provide guidance for people who discover vulnerabilities, and organisations who have the weakness.  They believe clear boundaries and outlining all parties’ responsibilities will make it easier for security professionals to work together and help improve cyber security in New Zealand, something of benefit to suppliers and consumers alike.

Modica staff profile: Elaine Waters

You can’t help getting caught up with Elaine Waters’ enthusiasm and energy.
Speaking to her over the phone, you wouldn’t know she’s legally blind unless she tells you.
Not that her lack of vision impacts her ability to do her job.  Confident and breezy-mannered, the self-confessed socialite loves nothing more than a good chat, which makes her the perfect candidate as Modica’s research assistant.

Before working for Modica, the 42-year-old mother of two worked for L’Oreal for 10 years, travelling the country as a makeup artist and product developer.
At the age of 38, she started experiencing some worrying symptoms, including sore eyes and anxiety.  Eventually she was diagnosed with Graves’ disease, a rare autoimmune disease that most commonly affects the thyroid.
Despite two major operations to try and repair her optic nerves, she lost her eyesight just three weeks after the symptoms began, and over the past four years has had to adjust to living life in the dark.

“It was a really awful, dark time,” she says of the months immediately after losing her sight.
“I basically lost everything that made me, who I am, up until that point in time.  I had to rebuild my life to live in the same world, but as a person that couldn’t see.  It was a tremendous struggle.”

Elaine describes her vision as “kaleidoscopic” – she can see a blurry six or seven of everything.

With time and a steadfast determination to live as independently as possible, she’s learned to adapt.

Remastering each ordinarily simple task – dressing, applying makeup, navigating her house, walking down the street, crossing the road, shopping – was a triumph, and a gradual step towards independence, she says.
But after a few months, she began wondering what she was going to do with her life.

An accomplished artist, Elaine took up pottery classes and abstract painting, and organised exhibitions to display her works.
But it wasn’t enough.

“It was the social side I missed.  I missed getting up and going to work, being part of a team and adding value to society.”
“But I’d lost all my confidence, I thought who’s going to employ me?  I couldn’t have walked into a job interview and sold my skill set, because I didn’t know my limits any more.”

Last year she was offered an opportunity to assist with a short term marketing project for Modica.  She did such a great job and got such positive feedback from customers that we’ve kept her on as a contracted research assistant.

Elaine’s new role involves researching target markets including collecting information about the competition and potential partners, and establishing useful contacts. She is regularly under pressure to get that information quickly, and respond to the ever changing face of Modica’s business.

Elaine works from home or Modica’s Auckland office, with an enlarged computer screen so she can read and input information as required.
“I’m probably a bit slower than others, but at the end of the day I get the job done, and I’ve gone from strength to strength in the past few months since I started working again.”

Modica founder Stuart Wilson says Elaine’s positive, hardworking attitude was a perfect match for the role, which required a smart, motivated, mature person with life skills to be able to communicate with senior executives.
After providing some basic equipment and assistance for Elaine when she first started, there have been no ongoing challenges, he says.
“The only thing we need to consider is access and ease of participation at company activities, and ensure we provide her with information in such a way to enable her to do her job.”

Elaine says working again has returned a sense of independence and empowerment to her life.
“I appreciate so much their taking a chance on me, I thought I’d never work again.”

With one in five New Zealanders living with a disability, Stuart encourages other employers to give people with disabilities a go.
He recommends employers be clear about what the role entails and the attributes required, before judging whether a person’s disability will affect their ability to deliver the results.
“Her gratefulness and enthusiasm for this role brings home to other employees and myself, just how good a company we are.”
“Sighted or not, Elaine is perfect for this role.”

Opportunities and pitfalls of .nz domain names at the 2nd level

The opening up of registrations at the second level in the .nz domain name space presents both opportunities and risks to existing and future domain name registrants.  

In the previous two articles in the series Modica’s Chief Operating Officer Simon Stokes has reviewed the impending changes and looked at the potential downsides of InternetNZ’s decision. In this third and final article Simon focuses on what you can do to maximise the opportunities and minimise the risks.

Opportunities

For existing registrants of a domain name at the 3rd level the opportunity exists to register or reserve the shorter version of their name during a Preferential Registration Period proposed to last six months. To qualify as an existing registrant and therefore be eligible to register or reserve the new shorter version, the registrant must fit into one of the following two categories:

  • Those with a unique third level domain name that was registered before 9am 30 May 2012 (and which has been continuously registered).
  • Those with a unique third level domain name that was registered between 9am 30 May 2012 and 12:30pm on 11 October 2013 (and which has been continuously registered).

Where competing eligible registrants both want the same 2nd level name, the name will be considered to be ‘conflicted’. In this instance, each has the opportunity to surrender their rights in return for a payment. If a name is unregistered and unreserved at the end of the Preferential Registration Period, it will be available to any registrant on a first come, first served basis.

For new registrants, the opportunity exists once the Preferential Registration Period is over, to register their choice of name at the 2nd level without having to choose from the existing 2ld categories.

Avoiding the risks

  1. The key to avoiding the pitfalls associated with this new development is knowledge. The DNC will be launching an awareness campaign once the final policy has been determined, and existing registrants can expect to be kept informed by their registrars as the policy is brought into effect.
  2. Existing registrants should start thinking now about what actions they might take. Do you want your name registered at the second level? If so, check out whether you’re likely to be in competition with another qualifying registrant and decide what your criteria might be for surrendering your domain name to them.
  3. If it’s likely that neither party will want to relinquish the rights to the domain name, the 2nd level name will remain ‘conflicted’ and therefore be unavailable for registration by anyone including either of the existing registrants of the qualifying 3rd level name.
  4. When looking for new domains for new projects, only ever register through an authorised .nz registrar such as Modica. That way you’ll know that you are registering a real domain name rather than an unregulated subdomain.  Also, sticking with real 2ld domain names will ensure you are protected by .nz’s excellent policy framework and disputes resolution process.
  5. You’ll find the full list of authorised New Zealand domain name providers here.

If you plan on rebranding to use the 2ld version of your name, plan your moves carefully to avoid link rot. Redirection of your old domain to point to your new one can be easily achieved and will avoid emails and website clicks going astray.

The domain name scene is one that’s constantly changing. The large number of new gTLDs coming on stream at the moment and the proposed release of names at the second level within the .nz space represent a significant shift in the landscape.

If you’re wondering how this affects you and what you should do, ask your registrar for help. Forewarned is forearmed.

Any questions?  Modica is an authorised registrar of New Zealand domain names, and you’re welcome to contact us any time.


SMS still best to connect via mobile

Traditional text messaging will continue to play an important role in the way the world communicates and conducts business for years to come, according to a recently-released report.

According to Deloitte’s report, Technology, Media and Telecommunications Predictions 2014, the rate of Instant Messaging (IM) services, such as Snapchat and iMessage, will continue to grow this year.

However, with 3.2 billion unique phone subscribers worldwide with the ability to text, SMS is far from dead, and is expected to generate more than $100 billion in revenue, 50 times the total revenue of all IM services combined, says the report.

Kiwi-based software as a service company The Modica Group has been a leading SMS marketing and business messaging provider for more than 10 years.  Modica provides a suite of SMS and Mobile applications, including SMS marketing, enterprise mobile customer service, brand engagement, and global gateway solutions, via their cloud-based enterprise platform.
The growing volume and breadth of their markets and client base is consistent with the findings of the Deloitte report, which predicts that SMS will continue to grow in coming years.

According to Deloitte, the superior revenue-generating ability of SMS is due to its ubiquity, the infrequency with which it is used, and its price.

IM applications, on the other hand, typically require access to a smartphone or tablet, a mobile data plan or a connection to a Wi-Fi network, plus a huge marketing effort to convince you to download it and use it.

“Both are ubiquitous in some regions of the world, but in some markets, such as most of the African region, Central/South America and parts of Asia, only a minority has mobile broadband, and even fewer have fixed broadband.”

During the past few years, Modica has successfully landed deals in some pretty far-flung places, such as Qatar and the Dominican Republic, with a number of others in current negotiation.  

While these may not be traditional markets for Kiwi companies, they offer the most potential, says founder and director Stuart Wilson.

“Modica’s platform fits well with mobile operators and enterprise customers in markets where there is a limited postal system, no home or fixed internet, and where mobile operators are desperate to add value on their networks in a competitive environment,” Stuart says.

He agrees there is a change in the nature of messaging, but raw volumes are increasing month-on-month rather than reducing, as has been widely reported.

“What we’re experiencing is that after making initial contact via SMS, people are encouraged to engage on a variety of channels,” he says.

For example, in the past, people who entered a competition via text would receive an SMS reply: “thanks for entering”. Now, the reply path also includes advertising, links to the brand’s social network pages, and vouchers delivered to the handset as confirmation.

With 3.2 billion unique mobile phones, each capable of sending and receiving text messages, SMS remains the simplest way for brands and businesses to enter into conversation with customers.
As enterprise continues to embrace the channel, SMS can only continue to grow.

Implications of opening .nz at the second level

Change is coming to the New Zealand domain name landscape with the recent decision of the Domain Name Commissioner (DNC) to allow registrations of domain names at the ‘second level’.

In our last blog post, Modica Group Chief Operating Officer Simon Stokes explained what these changes will mean, how they will affect you and your brand and a brief overview of how the DNC is likely to resolve issues arising from parties competing for domain names.

In this post, Simon explains how .nz at the 2ld is likely to be more expensive and more difficult to regulate, and how it increases the risk of falling prey to phishing schemes.

Cost for registrants
As many suspected, making yet another domain name type available will probably result in increased costs for registrants. Of course, no-one will be forced to register the new version of their domain name but for anyone seeking to protect and build their brand online, not doing so runs the risk of someone else registering it for their own purposes. The current proposal does contain provision for a domain ‘reservation’ at no cost for at least two years, to be made available to existing registrants who wish to protect their name or brand but don’t wish to register (and pay for) the 2ld name. Given that this free reservation would only last two years, we suspect most businesses will opt for ‘defensive’ registrations.

Cynics have suggested that the extra revenue InternetNZ (as the owner of New Zealand Registry Services) will derive from a new wave of registrations is one of the drivers behind the move. While we don’t believe this to be true, it can’t be denied that the overall spend on .nz domain names will increase.

Registrant rights
One of the great things about the New Zealand domain name space is how well regulated it is. The existing policies are robust and sensible, and an affordable and workable dispute resolution policy works well to prevent costly legal disputes. By contrast, gTLD domain names such as those ending in .com, .org and so on, represent the ‘Wild West’ of the domain landscape with far less provision for the rights of the registrant, and a costly and often dysfunctional disputes process.

Unfortunately, one of the consequences of the opening of .nz at the 2ld is that New Zealand may well end up with its own Wild West in the form of unregulated subdomains at the third level.

Let’s say, for example, that someone registers the domain name ‘parties.nz’, then advertises the following supposed domain names for sale:

hen.parties.nz
stag.parties.nz

What they’re doing is selling subdomains, rather than actual domain names.  There would be nothing to stop the registrant of parties.nz cancelling the subdomains or pointing them at a totally different website and email destination, leaving the purchasers of the hen and stag subdomains with what they thought was their domain pointing at someone else’s website.

Part of the current consultation being carried out by the DNC contemplates an extension of the disputes resolution process for an initial period of two years to try to address this, but what will happen after that two year extension is not yet clear.

Phishing
The opening of the 2ld looks likely to prove a boon for criminals. For years, we’ve been told to ‘look for the padlock’ in a browser window whenever we are doing things like logging into a website or providing credit card details for an online purchase.

Now we also have to be ever-more vigilant to avoid being trapped by typo domains.

Let’s use a fictional bank called CNZ as an example. CNZ Bank uses the domain name cnz.co.nz. A criminally minded person then registers the domain cnzco.nz, obtains a digital certificate for the new domain and makes a website that looks suspiciously like the legitimate CNZ website, complete with a login form to get into internet banking. The dodgy website then harvests the banking details of hapless users who did not notice the missing dot in the domain name. Far-fetched? Far from it. This style of phishing attack has been around for years. The opening of .nz at the 2ld merely opens up a whole fresh new phishing ground for the unscrupulous.
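Both name patterns described in this post, the subdomain sold as if it were a domain (hen.parties.nz) and the dot-dropped lookalike (cnzco.nz for cnz.co.nz), can be checked mechanically against a list of names you hold. The Python below is an added example, not code from Modica or the DNC; the category list is a partial one assumed for illustration, and the hostnames are constructed samples built from the fictional names above.

```python
# Added example: classify observed .nz hostnames against names you hold.
# SECOND_LEVEL is a partial list of .nz categories, assumed for illustration.
SECOND_LEVEL = {"co", "net", "org", "govt", "ac", "school", "geek", "gen"}

# Constructed sample data, using the fictional names from the post.
PROTECTED = ["cnz.co.nz"]
OBSERVED = ["cnz.co.nz", "cnzco.nz", "www.cnzco.nz",
            "hen.parties.nz", "parties.nz", "example.com"]


def split_nz(hostname):
    """Return (label, category, extra) for the registered .nz name.

    category is None for a name registered directly under .nz; extra is the
    number of labels to the left of the registered name (subdomain depth).
    Returns None for hostnames outside .nz or a bare category like "co.nz".
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "nz":
        return None
    if labels[-2] in SECOND_LEVEL:
        if len(labels) < 3:
            return None
        return labels[-3], labels[-2], len(labels) - 3
    return labels[-2], None, len(labels) - 2


def dot_dropped(protected):
    """Map each dot-dropped label (cnzco) to the name it imitates."""
    watch = {}
    for name in protected:
        parsed = split_nz(name)
        if parsed and parsed[1]:
            label, category, _ = parsed
            watch[label + category] = f"{label}.{category}.nz"
    return watch


def review(observed, protected):
    """Return (hostname, finding, related_name) tuples worth a closer look."""
    watch = dot_dropped(protected)
    findings = []
    for host in observed:
        parsed = split_nz(host)
        if parsed is None or parsed[1] is not None:
            continue  # not .nz, or an ordinary third-level registration
        label, _, extra = parsed
        if label in watch:
            findings.append((host, "lookalike", watch[label]))
        elif extra > 0:
            findings.append((host, "subdomain", f"{label}.nz"))
    return findings


if __name__ == "__main__":
    for finding in review(OBSERVED, PROTECTED):
        print(finding)
```

A "subdomain" finding only means the name is controlled by whoever registered the second-level name; it is a prompt to check who that registrant is, not evidence of abuse.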

Link Rot
The availability of a new, shorter domain name will inevitably lead many organisations to move their online presence to the 2ld version of their domain. While there’s nothing wrong with that, if it is not done carefully, link rot can easily result as visitors to the site click on bookmarked links which no longer exist, resulting in frustration for the visitor and a potential loss of business for the site owner.

What about trademarks?
As with the existing .nz policy, the current proposal takes no account of trademark ownership. It is expected that the dispute resolution process will also determine the question of a trademark’s relevance.
This is in stark contrast to the approach taken for the roll-out of new gTLDs by ICANN, which established the Trademark Clearinghouse to safeguard the interests of registered trademark owners.

Of those submissions against the introduction of 2ld registrations, a good number raised the issue that no provisions were made for trademark holdings. In our view, where two competing registrants want the same 2ld name, some priority should be given to the one holding a relevant trademark because the process of obtaining it is subject to cost and external scrutiny, and usually has some legitimate commercial purpose.         

In the final article in the series we will look at what you can do to avoid the hidden pitfalls inherent in the introduction of .nz registrations at the second level.

Thanks for reading – have we missed anything? If there’s anything you’d like to add, or know more about, please talk to us on Facebook, Linkedin, Google+, or Twitter.