Fort N.O.C.'s Security in Obscurity
penciling_in writes "Brock N. Meeks of MSNBC reports on his recent visit to VeriSign's secret location: 'The unassuming building that houses the "A" root sits in a cluster of three others; the architecture looks as if it were lifted directly from a free clip art library. No signs or markers give a hint that the Internet's most precious computer is inside humming happily away in a hermetically sealed room. This building complex could be any of a 100,000 mini office parks littering middle class America.' The report goes on to say: 'Access to the Network Operations Center, the "NORAD" of the Internet's traffic monitoring, requires the electronic badge and then a double biometric hand print scan.' And here are Karl Auerbach and Robert Alberti offering their interesting analysis of this report on CircleID."
Sigh. Deep Sigh.
There's more than the 'A' root server. Taking "it" down leaves a whole herd of other root servers alive. Located all around the world.
The above linked articles are full of that which promoteth growth.
Are we talking about the .com/.net VeriSign DNS or the main root DNS? DNS is distributed. If one goes down, there are more to take its place. With the root DNS (gtld-servers.net), there are many servers located in many different places. It would be impossible to bring them all down. If we're talking about the .com/.net DNS, why have one central location? Couldn't multiple DNS servers mirror each other... some in obscure locations, others in highly protected facilities?
This story is news, but I kept expecting some point of contention in the article, rather than some musings on decorating schemes that were compared to clip art.
I found my point here:
The root server operators "have no contract with anyone, no guarantee of level of service, they could turn [the root servers] off tomorrow with no consequences at all because they are doing it out of the kindness of their heart," said Internet consultant Ambler. "ICANN needs contracts with the root server operators that specify minimum levels of service and minimum levels of security and the root servers need to be paid for that," he said.
Why is it so confusing to imagine that (a) People do like to do things out of the "kindness" of their collective hearts, and (b) security is not always "secured" by either contracts or money? I understand the legal protections associated with contracts, but I think there's a chance that the root server operator system, as it stands, could alternatively be viewed as something successful - something, much like the open source software movement, that works, not because of contracts or restrictive covenants, but because people enjoy contributing to something useful for their own and others' use.
I guess amazon.com which went public in 1997 must have been frequented only by researchers and nerds for the first 5 years of operation.
Not much. There's a bunch of other root servers scattered around the world; this just happens to be the first one.
Thank goodness. Goatse.cx wasn't funny the first time.
I'd like to see some statistics on how many people attempt to invade/evade the physical security checks at Netsol's NOC that require and necessitate facilities on that level. The same goes for most any datacenter - your physical security is awesome, but why?
:)
Aren't most attacks against servers launched over that intarweb thing?
I can't recall the last time someone tried to suicide bomb a root server.
I can only hope that their NOC has multiple fibers coming to the building and that those fibers aren't in the same trench.
The other potential source for a single point of failure is the OS that the root server uses. If Verisign uses any kind of monoculture, they will not be as secure as we might hope. A hacker or botched OS patch could hose the thing.
Two wrongs don't make a right, but three lefts do.
The design documentation of the Internet is globally available... wait for it.. on the Internet!
If you examine it, you will notice that
a) DNS is not part of the original design
b) as designed, it WON'T survive a nuke
c) nobody intended it to.
What it *was* designed for was a limited fault tolerance - based on the idea that phone companies suck and the guy that runs the next node is an idiot who can't be trusted to tie his own shoes.
Turns out they were right about those last two points, incidentally.
Oh, great. Now we have to kill everybody that reads Slashdot.
Sheesh, evil *and* a jerk. -- Jade
Do the right thing, help the community by signing the petition here to bring back goatse.cx. Thank You.
so if you don't like it, it should be taken down. free expression be damned ?
Where did I say any of those things? There are plenty of sites I don't like but I don't care if they're up or not. I'm all for free expression. But with freedom comes responsibility. Let's say all speed limits were abolished and you could drive as fast as you wanted anywhere and any time you wanted. Would that make it ok to blow past the local school at 75 when kids are about? Of course not. The point is this: just because it is legal to do something doesn't mean it should be done.
Why are you pissed?
Why? Because a self-important turd who may have seen it once or twice decided "Ohh that's terrible!" and complained without appreciating the shock value or the humour of having been fooled into staring into that gaping thing.
Rhonda Clarke is no better than having Tipper Gore or Laura Bush deciding what's appropriate for the internet. She's a desk clerk with an unimportant job in a relatively unheard-of part of the world yet with her one gripe she can take down what has become a virtual institution on the net.
Certainly it wasn't considered funny by all, but who is she to dictate what is and isn't funny? "But.. but.. Christmas Island can decide what's appropriate for their TLD!" Fine. Goatsecx may move on to other pastures for its home but it won't be the same.
Rhonda Clarke is a self-righteous cunt.
Trolling is a art,
Philosophically, I guess the whole issue boils down to this: is there anything that *cannot* be posted or restricted on the internet?
If you say that there are *some* standards, then we can have a dialog about what those standards are and how (and by whom) they are decided.
If your answer is that nothing can be censored, quite frankly, there's nothing left to discuss. I just can't see a world or ethical system that embraces a *total* freedom of information as its highest virtue at the cost of unnecessary pain and chaos. Obvious examples would be step-by-step instructions on building WMD, video images of your sister being gang-raped, etc...
This week, I was one of the uninitiated dolts who finally looked to see what this goatse.cx was all about. I know that I'm stupid for looking, but I have to tell you that I wish that I had never seen it. And out of curiosity, if you're one of the people spending time and effort trying to trick people into looking at it, why do you do that?
It's easier to wear the spandex than to do the crunches. --David Lee Roth