Fort N.O.C.'s Security in Obscurity
penciling_in writes "Brock N. Meeks of MSNBC reports on his recent visit to VeriSign's secret location: 'The unassuming building that houses the "A" root sits in a cluster of three others; the architecture looks as if it were lifted directly from a free clip art library. No signs or markers give a hint that the Internet's most precious computer is inside humming happily away in a hermetically sealed room. This building complex could be any of a 100,000 mini office parks littering middle class America.' The report goes on to say: 'Access to the Network Operations Center, the "NORAD" of the Internet's traffic monitoring, requires the electronic badge and then a double biometric hand print scan.' And here are Karl Auerbach and Robert Alberti offering their interesting analysis of this report on CircleID."
Isn't this "secret location" in Palo Alto? Seems to me there are probably thousands of people (e.g. telco employees) that know where it is...
Although the article says that the location is a secret, a link from the article to www.root-servers.org happily tells you that server A is in Dulles.
It's cool to see someone write about the building you used to work in! I worked in this building, a bit more than 2 years ago. I was in Network Solutions' consulting arm, whose DC office was in that building, two floors under the NOC. The security really is as spectacular (and low-key) as you'd expect. You would NOT believe the camera surveillance they have facing outwards...you can see some of it, but you can't see some of them at all. And the cameras themselves are startlingly cool...there's a small strip mall across a major highway from the facility, with a clear line of sight. One of the security guys showed me how far the zoom worked, as he zoomed in on a guy smoking in front of a bookstore in the strip mall...about half a mile away. It was still a clear picture.
When 9/11 happened, we were not allowed back into the building for a couple of days, but all they had to stand up as barriers were road cones. Luckily, they're finally moving to a location that isn't just obscure and secure, but armored, as I hear their Mountain View, CA location is.
For your security, this post has been encrypted with ROT-13, twice.
If this building were destroyed by a nuclear weapon, what would be the impact on the Internet?
Digex, along with other major hosting and co-lo facilities, has had these kinds of systems in place for their datacenters for many a year. And yeah, most of them look like very non-descript office buildings - a great many I've seen are in warehouse-style industrial complexes, far off the beaten path of regular office space and retail properties.
You have to wonder if they're a little overboard, though; the military doesn't typically have checks that secure to get into specific rooms - not even TS/SCI environments. Though, to be fair, the military certainly has an edge on physical security.
I guess if you're really concerned about your data being physically secure, you could always co-lo out at Sealand, too.
Back in the good old days, if you had a recent copy of hosts.txt all this was irrelevant :-).
But it's been most of a decade since just anyone could download it.
I've had a few guys point it out to me before. Many DC / Dulles Toll Road-types know where it is.
Now, there are other buildings in DC that are much more cool. Like the one on the Toll Road with green "windows" that are merely for appearances as the entire building is solid concrete. Or the stuff in Crystal City that is bathed in electronic white noise to prevent eavesdropping.
Microsoft - or SCO (if it had the cash) - could go out and try to buy all the root servers. There is nothing to stop the root operators from selling out.
Nor is there anything that prevents root server operators from giving preference to queries coming from paying IP addresses.
All of that is hypothetical, but without legally enforceable obligations, we're just hoping that nothing changes for the worse.
And things *do* change - for example, back in the 1980's SCO was a fun company here in Santa Cruz.
"From our perspective, I think that clearly we are the leader in that particular area, that we provide more back-ups than anyone else does," says Ken Silva, vice president of Network Security for VeriSign. "The advantage of us running the root servers that we run is that we do invest in this infrastructure," said Silva, a 20 year veteran of the nation's top spy agency, the National Security Agency.
Seems like there's nothing to stop the government from censoring a website it really doesn't like with a spook so close to the "A" root server.
On a side note, I'd like to know exactly where she clicked such a link, if in fact she did. The native range of goatse links is /. and K5, and she just doesn't seem like the type you'd find in either of those places.
It's everywhere. After I got home from work tonight I sat at my wife's computer and started typing in google's URL. In the autocomplete bar I was surprised to see goatse.cx. I asked her about it and she didn't know what I was talking about. She generally hangs around in the parenting message boards at various sites (like about.com). She asked what it was so I brought up the goatse "mirror". She didn't thank me for that.
I have no doubt my wife does not visit slashdot or k5, but somewhere she came across that link...so it is possible.
Close, but still slightly wrong. "A" is not the master for the others. "A" and all the others are actually slaves off of a "hidden master." The hidden master only accepts connections from the root servers, which makes the system just that little bit harder to attack (rather than just having to DoS A to take down everything, you have to find the master, then DoS it, and hope that they don't move it in the meantime).
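The "hidden master" arrangement the comment above describes, written out as a BIND 9 configuration. This is an added example, not a configuration from VeriSign or from anyone in this thread; every address and the TSIG key are constructed placeholders, and the zone file names are assumptions.

```conf
// Added example: hidden-master layout for the root zone in BIND 9.
// All IP addresses and the key secret below are constructed placeholders.

// ---------- on the hidden master (never appears in the NS set of ".") ----------

// Shared secret so that transfers and NOTIFYs are authenticated, not just
// filtered by source address (source addresses can be spoofed on NOTIFY).
key "root-xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0a2V5c2VjcmV0a2V5c2VjcmV0a2V5MTIzNA==";   // constructed dummy value
};

acl "root-secondaries" {
    192.0.2.10;        // constructed: published root server 1
    192.0.2.11;        // constructed: published root server 2
    // one entry per published root server
};

options {
    directory "/var/named";
    recursion no;                        // authoritative only, nothing else
    allow-query { root-secondaries; };   // nobody on the public Internet can even reach it
    allow-transfer { none; };            // global default: no zone transfers
};

zone "." {
    type master;                         // "primary" in newer BIND releases
    file "root.zone";
    // Only the published servers, and only when they present the key.
    allow-transfer { root-secondaries; key "root-xfer-key"; };
    // Push a NOTIFY to exactly the listed servers when the zone changes;
    // "explicit" suppresses NOTIFY to the NS records in the zone itself.
    notify explicit;
    also-notify { 192.0.2.10 key "root-xfer-key"; 192.0.2.11 key "root-xfer-key"; };
};

// ---------- on each published root server ----------

key "root-xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0a2V5c2VjcmV0a2V5c2VjcmV0a2V5MTIzNA==";   // same constructed value
};

options {
    directory "/var/named";
    recursion no;
    allow-query { any; };                // this one answers the world
    allow-transfer { none; };            // but gives the zone to nobody
};

zone "." {
    type slave;                          // "secondary" in newer BIND releases
    file "root.zone.db";
    masters { 198.51.100.5 key "root-xfer-key"; };   // constructed: hidden master
    allow-notify { 198.51.100.5; };                  // accept NOTIFY only from it
};
```

The defensive point is the one the comment makes: the public servers are the only things that talk to the master, so an attacker who floods the published "A" address has not touched the source of the data, and the master's own `allow-query` keeps it invisible to anyone who is not a secondary. The same split applies to any authoritative zone, not only the root.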
Back in the good old days when her serene highness the Dalai Lauren worked there and Dave Holtzman was still VP I took the e-ticket tour. The facility is in a nondescript industrial mall a few miles from the NSI mothership.
"oh, you'll want to see this"
"what is it"
"A-ROOT"
"THAT tiny little thing?"
"Yup. Go ahead and touch it, everybody that comes here wants to do that. See where the paint has worn off the case?".
"Uh, ok"
"You use this thing Dave"
"Nah, I download the root zone from you".
"Cool, for that you can buy me lunch".
"Good idea. Thai okay?"
NSI was fun once and there's lots of good stories. When the FNCAC made the NSF tell NSI to start charging for domain names none of the freaks working at NSI could believe you could charge for this and lots of checks were just pinned up to a bulletin board in a "wait and see" holding pattern for a few months. There weren't so many domains back then.
Karl Auerbach also downloads the root zone from me and you should too. Or use OpenNIC's root or even *cough*ICANN's*cough* (ftp://internic.net/domain/root.zone.gz, or any root.zone you want) but if you know what's good for you you won't rely on anybody but yourself to serve up the root zone so your computer can find pointers to the various TLD servers: primary the root for yourself and don't worry about DOS attacks on other people's computers taking your machine off the air.
That really was the dumbest part of the change from hosts.txt to the DNS - it changed the paradigm from your computer knowing where everything was to making your computer rely on the "." zone to be able to find the computers that know where all names can be found and there's really no reason for it.
Certainly it does not scale for everybody to grab a copy of the root from one place, and Dan Bernstein has suggested a cryptographically signed root be distributed via usenet. To this end I've created news:alt.root.orsc and will begin doing just that this quarter.
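What "primary the root for yourself" looks like on a BIND 9 resolver, as an added example that is not from the commenter or from any named project. The first variant is the approach the comment describes (serve "." from a root.zone you fetched yourself); the second is the later mirror-zone mechanism that also answers the "cryptographically signed root" wish, since it validates the transferred zone with DNSSEC. File names are assumptions.

```conf
// Added example: a recursive resolver that serves the root zone locally.
// Only one "." zone may exist per view, so pick one variant.

options {
    directory "/var/named";
    recursion yes;
    dnssec-validation auto;    // validate answers, root data included
    allow-recursion { localnets; };
};

// Variant 1, the 2003-era approach from the comment above: a copy of
// root.zone (e.g. the internic.net file it links, gunzipped) served as an
// ordinary primary zone. Delegations in it are followed just like referrals
// from the public root servers, so a DoS on those servers does not reach you.
// Caveat: nothing refreshes this file. A stale copy keeps answering, and when
// a TLD's servers move, every name under that TLD silently stops resolving.
zone "." {
    type master;               // "primary" in newer BIND releases
    file "root.zone";          // the downloaded, decompressed root zone
    notify no;
    allow-transfer { none; };  // keep your copy to yourself
    allow-update { none; };
};

// Variant 2, BIND 9.14 and later (the RFC 8806 "local root" setup):
// the resolver transfers the root zone itself, verifies the whole zone with
// DNSSEC before using it, and, if the transfer or the validation fails or the
// zone expires, falls back to normal recursion instead of answering stale data.
// For "." BIND ships a built-in list of transfer sources, so "masters" can
// be omitted or overridden.
//
// zone "." {
//     type mirror;
//     file "root.mirror";
// };
```

The operational difference is the failure mode: Variant 1 fails closed on stale data with no signal, which is exactly the kind of "bad DNS data" discussed further down the thread, while the mirror zone discards anything it cannot validate and reverts to the ordinary hints-based lookup.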
You raise a number of really good points.
Let's see if I can deal with at least some of 'em.
First, regarding use of data on a CD/DVD to recover locally - this is for use when a community is cut off, as happened here in Santa Cruz in 1989 when we have a medium sized earthquake. There were enough folks here with enough gear that we could rebuild a local, usable net to assist with recovery even though the links over the mountain to the rest of the world took a while to be restored. In that situation the folks who risked any bad information that might be introduced were those who knowingly changed the hints addresses, and if they knew enough to do that they also probably knew enough to clear things out (i.e. reboot named) when they changed the hints file back to the global values.
I've actually experienced the introduction of bad DNS data. Before ICANN permitted its version of .biz there was already an operational .biz. I had some machines that were using the ICANN version and some using the pre-existing version. And yes, there were some confusions. The point to draw is not that the idea is thereby necessarily bad, but rather that consistency is important. But DNS never operates with perfect consistency - for example for years Taiwan (.tw) was operating with its own roots that were hacked into the system in a really strange way. I was the only one who noticed. (The situation was corrected last year after we [ICANN] pointed it out to them - it turned out that it was an experiment that they forgot to turn off.)
As for the location of the big TLD servers (such as those for .com). Well, the folks at Verisign, much as we like to dislike 'em, are smart and have more than a lot of "clue". Yes, for a while two root servers sat in the same room, but things like that are past history. No, I do not know the actual locations (I intentionally chose not to use my position at ICANN to try to learn that information), but I can assure you that the concept of physical separation has become an article of faith. And with the increasing use of anycast, replica servers are getting easier to deploy.
As for the reputation value of an attack - yup, some perverse folks would feel their reputations enhanced if they brought down DNS. And for that reason I feel that all the armor plating is good. But we need to recognize the gaps in that armor, which are things like routing or mindless belief that there must be one catholic system of DNS root servers. And we have to remember that a lot of bad things are caused by mother nature and Murphy's law rather than folks who have abandoned reasoned discourse and moved to techno-mayhem.
The equivalent for .com is obviously much bigger - I think there are ~35 million names (maybe that includes .net). But that's still about 5GB of highly compressible data - probably about 1GB if you sort it appropriately first. That's about the size of a Linux distribution - use BitTorrent. That's about 3 hours on a T1 line, and most of the people who need it are ISPs anyway (so it's about 10 minutes on a T3.) Probably doesn't change by more than 20% a month, or 1% a day.
Bill Stewart
I'm not sure if your question was serious or not but I was curious about the OS used for this.
The best I could do was this document referencing Y2K from ICANN's site.
From the page: I would not be surprised if at least one of those systems is running something from SCO.
The page also mentions they all run BIND. I'd like to see a couple of those things running DJBDNS or any other high availability DNS service for variety's sake. Pulling from my admittedly n00b-level knowledge of DNS, the DBs for the two packages are incompatible, apparently throwing that option out. Anyone with more experience with the two care to clarify why they run BIND only?