Slashdot Mirror
DHS Wants Master Key for DNS
An anonymous reader writes "At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"
No. It secures DNS. So you cant spoof domain names. It secures that the DNS Server is authorative so the DNS query was answered right. If somebody spoofes an IP in your network, you won't be saved.
... and then they came for you!
This should ( rightly so ) piss off external entities ( ie: foriegn nations ) enough to have them setup alternative roots. And I, for one, will be using those as apposed to the "secure" ones.
Granted, I won't be fully trusting the information from either set, so it's not as if my system security is dependant on it.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
"and be able to break into computers connected to the Internet without much effort"
Didnt know that spoofing an IP what all it took to break into a computer.....
http://www.intellipool.se/ - Intellipool Network Monitor
The mental picture that first struck me:
A farmer giving the fox the keys to the henhouse.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
All your IP are belong to us. You are on the way to being rooted. You have no chance to 200 make your time.
When you pry if from my cold dead hands!
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
Does Secure DNS allow multiple keys to be required before a query is trusted? That is, would it be possible with the protocol as defined for a foreign root server (e.g. the servers authoritative for .nl) to sign its responses with its own self-signed or trusted-organization-signed key as well as with the IANA-signed key, and have savvy clients trust such servers only if both keys are present?
I'm surprised the US Government is doing this; I'd have expected them to obtain the key through back channels rather than out-and-out demanding it.
How feasible is it for we in the rest of the world to create "another Internet" and leave the current one with the US government? I can see major powers like China and Russia in support of this measure. But is it even possible?
No where in that article did it say that DNSSEC would prevent spoofed IP Addresses. This is about DNS, not about IP addresses. Also, the fact that the DHS wants they master keys does not mean they'll be able to hack into your computer without any problem. It boggles my mind that this Summary was allowed to hit the main page. wow...just wow.
The fact that the US Government wants this key, or the fact that it has requested it publicly?
Honestly...
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C1 bottles of beer on the wall. Take one down, pass it round... Oh, umm...
The truly powerful signing key is for Windows Update. If you have that key, you can take over every Microsoft computer in the world . Change the operating system. Install anything, including a new key. Reboot the machine.
Who has that key? Do we know?
Whoever has both the DNS root key and the Windows Update signing key rules the Internet. Or at least all the Microsoft client systems. They can redirect Windows Update requests to themselves, then download their own update and have it accepted.
Unfortunately, this isn't a joke.
hmmm, will other countries trust US goverment managment on something as critical as DNS security?
We are denied the key.
We deny having the key.
The only thing new in this world is the history that you don't know.[Harry Truman]
I think this is horrible news, if only because it provides more potential sources for unauthorized personnel to access the key. DHS has no real use for the key, which has as its only purpose the prevention of man-in-the-middle attacks against legitimate websites. DHS has the power to subpoena the owners of those sites for communications details, and terrorists' communications will use other forms of secure handshaking to verify legitimacy if they don't already. The only reason DHS would need these keys is if they wanted the ability to immediately tap into communications w/ legitimate sites, without delaying for a court order or other oversight. Giving them this power would only allow them to fly further out of control.
I've always thought IP spoofing is a weak attack due to routing and ingress filters. Any network worth its salt will block its own addresses from coming in from the outside, but nevertheless routing has to return the TCP ack back to the proper AS#. How does DNSSec override these precautions?
In any case my boxes don't give access to just the IP address, they give access based on private keys, DNS, and the IP address. Another case of government technical cluelessness thinking that the master key unlocks ALL DA COMPUTORS IN DA VERLD?
"Granted, I won't be fully trusting the information from either set, so it's not as if my system security is dependant on it."
P2P DNS. You can trust us. Right?
>Unfortunately, this isn't a joke.
Other than it won't work because all the important *.microsoft.com sites are hardcoded into Windows.
He who holds the keys, has all the power. This would mean that USA still can generate signatures for anybody and sign their identity.
I say EU needs their own master keys.
Finally, a way to give the net.kooks at ORSN et al -- and other purveyors of alternative DNS roots -- some sort of credibility... prove that the kooks were right all along! The cabal does exist, and they're running the US government. What a stroke of genius! This single act could be the single most harmful thing to hit the net since Cantor and Seigel :(
Everything I needed to know about life, I learnt from Blake's Seven
It must be renewed and to do that it must be burned to the ground.
the US government will be the only OTHER institution that is able to spoof IP addresses.
whoever is the creator (icann?) of the master keys is also able to spoof DNSsec.
-- these are only opinions and they might not be mine.
That would be the slashdot moderation system.
One Key to Rule them all,
One key to find them,
One Key to bring them all,
and in the darkness bind them
In land of Bush, where the shadows lie...
If you can force a Windows Update cycle, you can change the hard-coded values. Microsoft Update can patch any part of the OS and can force a reboot. (A reboot can be forced on any machine with updates turned on, even if auto reboot is supposedly turned off.)
If you can make changes to DNS, you can change the IP address for "the important *.microsoft.com sites", redirecting the updates to an attack site.
So possession of both of those keys gives full control of all Windows Update enabled clients.
Imagine if there were 2 or more sets of "root" servers which were by and large identical. One under the thumb of the USA and one run by the international community, and maybe one set run by each repressive regime on the planet, e.g. China. All would get authoritative data from domain registrars just like the current root. All would be open to "controlled poisoning" by those who held the keys.
Now, imagine if ISPs or countries worldwide could choose which set of root servers to use. Imagine if ISPs and governments in freer countries could allow their customers to choose their own root if they so desired.
Now imagine a world where ISPs and customers in totally free countries compare results from all available sets of root servers, look for inconsistencies, and if there is an inconsistency, check with the authoritative nameserver for the domain as reported by whois. If the DNS lookup for the whois server was not consistent then it will be handled as an exceptional case: The end-user will get a result that might or might not be correct and technicians will be alerted so they can figure out what the real IP addresses of the whois server are.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
DHS: we want the key to the internet please. Everyone Else: ORLY?
Even if DNSSEC ever gets widespread usage, they only get the ability to spoof every other domain in the world. Right. First, maybe some non-US ISPs could keep their own hard-coded copies of public keys for relevant non-US TLDs, so the US cannot spoof them. But in practice, the trust level in DNS is low anyway. It's as bad as the ability to emit any spoof Verisign server x509 certificate (which the US might quite possibly do as well, but nobody will discuss this).
Remi Denis
I'm beginning to wonder if this is really something I should worry about anymore.
I've been through the whole anti-US thing, the amount of things the US does wrong are phenomenal, but as a Brit, after seeing the Russians poison Litvinenko in our very own capital city, after seeing how utterly childish the Iranians are over the kidnapping of our service personnel and the fact the Russians veto'd at the UN the request by the British for a UN demand to release the hostage immediately. All that coupled with China unwilling to deal with North Korea in a way that would force them to give up their nuclear ambitions (i.e. cutting off all their cross border electricity supplies) I'm really beginning to question if the US having this kind of power, in that it would be the only nation to carry out DNS spoofing attacks is honestly such a bad thing.
Better the devil you know and all that, and frankly, if something like this does go ahead I'll be stood alongside the yanks laughing in the face of any Russian, Iranian, Chinese or North Korean leader that starts crying about America's dominance of the cyber warzone, and I'll tell them "Maybe if you'd not been so utterly arrogant towards the rest of the world then people like me would've supported an even battleground". Until the rest of the world grows up, please, Americans, go ahead, support your DHS in having this power.
When the story first broke about other nations wanting an independent international body to oversee the root servers and such, I was completely against it. It sounded to me like another pointless stance by the U.N., compounded by the fact that the ARPANet was invented and fleshed out here in the U.S. Not to mention the few unsavory members of the U.N. that would end up with some say as to the future of the Internet.
Now, though, I'm starting to see where I went wrong. I was assuming that the government of the United States could never be as fucked up as the one in, say, China. I was being horribly short-sighted. I should have known that this kind of shit was only a matter of time.
So how much worse could letting the U.N. have control of ICANN be than something like this? I say fuck it. Let them have it, and give it some independent oversight. For the life of me, I cannot believe that I am actually looking to foreign nations to ensure the neutrality and openness of the Internet, but there you have it.
"We may face a scorched and lifeless earth, but they're accountable to their shareholders first."
I'm glad the US government decided to answer themselves the very short-sighted people who are almost in the majority in every ICANN-shouldn't-be-controlled-by-the-US article who ask something like "Who would you trust more to control the Internet, the US government or a body where countries with poor human rights record have a say".
Maybe it's time to start working up an alternative to DNS zones?
It's either that or coming up with a way of keeping such information outside of the hands of a foreign power (the USA is a foreign power from my country. Not an enemy by any hands at this time... but it has been).
And so even the next generations in non-US nations will hate America with same furiousness :)
Yet another reason why gTLDs were a fundamentally bad idea.
.co.us and similar domains and discontinue the old domains, when the Internet became commercial and international.
Well, yes, just keep in mind: when they started out, they weren't "generic", they were effectively US TLDs.
The mistake was failure to either declare those domains to be US domains, or to migrate them to
Me and most of my friends hate David Hasslehoff. You could say Americans love Hasslehoff since you like watching his naked body on Baywatch so much (American TV show, no?)
This is actually from an SNL skit from years ago. It always made me crack up, and I have yet to figure out why exactly. I've since been meaning to change it to reflect something significant or deep, but have yet to come up with anything beyond random political BS of one sort or another.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Control over the internet needs to be taken away from the Americans. We need to assure that nobody has "control" over the internet.
What?
Right now, Verisign (or any of the widely-trusted X.509/SSL certificate authorities) can generate fake certificates for arbitrary sites, and your ISP can poison the DNS (from your perspective).
Incompetent government employees (or corrupt or foreign governments) are not the only adversaries we need to deal with. DNSSEC, like the current HTTPS trust system, reduces the number of potential attackers, but it doesn't eliminate them all. We know this, and we deal with it by only vesting a limited amount of trust in these systems.
The discussion should not be about whether or not the US DHS specifically should be given access to the keys; The discussion should be about the importance of minimizing the number of points where the system can be attacked: Only those entities who strictly need the keys in order to administer the DNSSEC system should be given access. The DHS doesn't need DNSSEC keys in order to make DNSSEC work, so the DHS should not get the keys. It's as simple as that.
http://outcampaign.org/
" By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort."
All you need to do is "spoof" an IP and you're in? Wow..
Karma means nothing to me, so suck it...
The solution to trusting the root is for trusted institutions to maintain sets of alternate public keys that are used to sign the TLDs, and designing DNSSEC software so you can use your cached version of those keys if you don't trust the root.
There are two reasons for alternate roots, as opposed to alternate trust keys. A theoretical reason would be a political move by somebody, probably the CCTLD owners jointly with the ITU or maybe the UN, to take over the root so the US government would stop annoying them. That might be good. But the real reason was because people wanted to sell alternate TLDs, like .sex and .whateverIfeltlike, back when there were only the original TLDs and CCTLDs; I forget if the early ones dated back to Jon Postel's time or if they were mainly in the period of chaos after he died.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
DNS primarily lets you look up the IP address corresponding to a domain name, and DNSSEC prevents this from being spoofed. Spoofing the routing protocols so that IP packets go to the bad guy's machine is obviously not DNS's problem.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Anybody --- not just the DHS --- can spoof the DNS today. And yet, by all available evidence, DNS spoofing is vanishingly rare. Mutual authentication over the untrusted Internet is a solved problem: TLS provides an end-to-end guarantee that your connection to your banking web application terminates with someone who can vouch for your bank's crypto keys. And you don't simply trust SSL certificates to the government: you also trust a myriad of commercial entitities as well.
This is a red herring on multiple levels. There are lots of places that intelligence agencies can step in to violate your privacy on the Internet; you "trust" an access-layer providers, a number of backbone providers, the owners of the DNS roots, the certificate authorities, Google, and probably 10 more entities. But more importantly, DNSSEC is irrelevant. Nobody depends on it now (it doesn't "exist"now: tell me how my Mac does a secure lookup for Google.com on Speakeasy). It's likely that nobody ever will depend on it. And that's OK, because we have better mechanisms in place. We should spend more effort on adding negotiated opt-in SSL for things besides web and mail, and less on huge infrastructure projects to "secure" one tiny link in the connectivity chain.
why does a master key even exist? if a system is to be secure, make it secure. don't allow some organization with a master key to be able to do stuff. if a master key exists to anything, it will be leaked in due time, if people want it.
.com/.net/.org were shared by the entire world and are not specifically "US" domain names. why is the US government trying to claim any sort of rights to them? what gives the US government the right to spoof and hack? especially if i am not even in the US? just because i have a .com domain name?
second, why does the US government get rights? the organization in question should just relocate to another country where the US government has no jurisdiction.
finally, i thought
Clearly, the author has no idea what BIND is, what it does, or how it works. BTW, there are root servers in Europe too.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
There is no Lumber Cartel.
The way the story is written the key is presumably "CTEC ASTRONOMY". Getting the key will not make it easy to break into people's computers if the security is done properly (not unless they have some quantum computers brute forcing various keys), but it would make it easy to pretend to be part of someone's network.
DHS about as clueless and irresponsible as govt agencies get. They can't be trusted to safeguard their own data and are now asking for the keys to the root DNS servers. Why don't we just give them to Iran, China and Russia up front so we don't waste our time feeling like we are MORE secure. And no, I'm not trolling or laying flame bait. I know some people. ;)
"Nobody shoots anybody in the face unless you're a hit man or a video gamer"- Jack Thompson
Right, let's give the DHS the key so that only they can spoof their addresses. How is this good?
Why isn't is given to a group to control and enforce that has some balance, other than just 'trusting' that government should have this power?
"The Internet is free, oh except we hold the keys . . . " doesn't sound quite right to me.
- Kal`Goblez
Give the key to Google, we all know they can be trusted *(waits for the +5 insightful)*
If, as a foreign power, your security could be defeated by IP spoofing then, honestly, your security issues are not going to be solved by managing your own root. In fact, if your so inept, then you probably should leave DNS security in the hands of the Russian or Chinese governments because because, frankly, that DNS root of yours is going to be hacked by script kiddies and spammers in no time flat and trash your whole infrastructure impacting your economy. Honestly, having the Chinese or Russian governments spy on you is probably preferable, and their going to do it anyway, root or no root.
... is that better now? All the parent was saying is that any nation whose security is dependent upon a computing resource that is owned and operated by an inimical foreign power is asking for trouble. Whether you consider the United States to be such a foreign power is a separate topic for discussion, and one in which I'm not particularly interested in pursuing.
... we don't own or control the network hardware in your country ... you do.) There are plenty of other things about United States foreign (and domestic!) policies that you could legitimately bitch about (I do, all the time) but our handling of DNS just isn't one of them at this point.
... quite a stretch. Now, if Bush & Co. were to threaten to use our military against any country tried to set up its own Domain Name System or equivalent, you might have a point. You might. But you don't.
There
In any event, I didn't perceive his remarks as being particularly U.S.-centric, although it's popular hereabouts to redirect any commentary about Internet infrastructure into criticisms of U.S. policies. Odd that, of all the various services and protocols that traverse the Internet, we get heat for one that has always been run rather well. We are the ones that have, like it or not, run the roots with more even-handedness than most countries around the world would have. Hell, we even let a bunch of hardline Communist states on board, although none of them seem particularly grateful.
Maybe that bothers you, that you don't really have any valid criticisms of our policies towards "Internet governance". Maybe you'd like to invent some reason to "wrest control of the Internet away from the United States" (whatever that means
China's attitude towards the Internet is one that is, unfortunately, becoming more popular with governments of various stripes. They day will come the people of this planet will wish someone were still managing the global DNS infrastructure with something resembling the United States' largely hands-off approach. Don't count on that though.
God, it sounds like the exact same ideas that the USSR had running puppet governments in the other Soviet States.
I don't know what to do with this one. Comparing 13 or so server banks around the world with a nation that annexed multiple countries by main strength and created a true Empire
The higher the technology, the sharper that two-edged sword.
Spoofed IP addresses work on Raw Sockets at the IP level. So they will bypass most firewalls, routers transparent pf'in bridges etc... or can be used for smurf attacks where your IP routes incomming traffic to a pre-defined ip for say denial of service attacks. Arp runs on IP level so man in the middle attacks (overwrite arp cache) may be possible. Read Wright/Stevens it is pretty scary. PCB Raw IP not good. for DNS i'm going back to Hosts file block all udp non http tcp.
public class GlobalPanOpticon extends Internetworking{} The versatility of this machine is awesome init. Theres no doubt we're living in interesting times.
Don't set your machine up so that you can't pull the plug.
nslookup abc.com
rootusa returns 1.2.3.4, authority 11.22.33.44
rootworld returns 5.6.7.8, authority 11.22.33.44
Check 11.22.33.44 to arbitrate, whatever 11.22.33.44 says is what we use.
nslookup abc.com
rootusa returns 1.2.3.4, authority name server 11.22.33.44
rootworld returns 5.6.7.8, authority name server 55.66.77.88
Conflict, return something to the requester and get a human's attention at the ISP level and reports this back to rootusa, rootworld, 11.22.33.44, and 55.66.77.88.
Human makes a few phone calls and determines that 11.22.33.44 is the proper authority record.
customer marks 1.2.3.4's authority record as 11.22.33.44.
You, rootusa, rootworld, 11.22.33.44, and 55.66.77.88 may or may not make public announcements claiming that their information is authoritative and/or that they corrected a clerical error. If a conflict persists, ISPs will have to choose manually based on "who do we trust the most."
If a particular root server manager gets a reputation for fudging the numbers, it will lose out in future disputes based on reputation.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Would it be too much trouble to have all clients cross verify against multiple root servers?
On yer bike.
No really, what more can we say? You've betrayed our trust. We were told you'd make us safer, you've just made us jumpy and soon, indifferent.
You were invented to solve a problem you can't accurately describe, and you've scotched much of what you passed off as a solution.
You have airports full of marginally-literate former supermarket clerks with badges, lax judgement, their own private X-Ray-Specs so they can see our privates, and nowhere near the training required.
Your partners FBI got their head handed to them this week on Capitol Hill, you've scared the bejeezus out of innocent people to no demonstrable benefit.
We can't wash up at the end of a trip without an extra trip to the store.
You've doubled (sometimes tripled) the time it takes to get from point A to point B in the US. I took me 2h + 2 hr to get to Florida last time. It takes 2hr + 1 hr to get to DC.
Find out what actually works, and do it. "24" is a fictional drama, not a training film.
Don't they get it? There is no key. The in'ernet isn't a truck. It's a series of tubes!
...you nailed it. That's all this terrorism nonsense is, bigbro actions camouflaged -> "you are either with us, or with the terrorists".
Q-"Who is a terrorist?"
A-"Anyone we say so, and especially the people we kill or imprison"
9-11 was a successful coup d'etat, and it wasn't by any dudes wearing robes sitting in a cave someplace
Someday, we will have the Nuhremberg trials version two, as a followup to this second reichstagg fire conjob, and "just following orders" won't cut it as a defense then, either.
Firefox has 44 groups of certification authorities!
Each group seems to be a company which holds (in the case of Verisign) 15 individual certificates.
Each of these certificates can be used to set up a 'trusted' HTTPS connection.
If you don't know what that means, google for "verisign microsoft fake certificate"
I'm as paranoid as the next guy, but I think that haing companies with stellar security track-records like verisign issuing browser certificates is much more of a problem that DHS messing with DNS.
If you're worried about DNS/CAs/??? don't use them. Set up an SSH tunnel or a VPN, exchange keys securely (i.e. off-line, in person, verifying signatures) and live happily ever after.
Honestly, given the general state of computer security this is like complaining that someone might mess with your street-directory while driving a Pinto with "USA forever" stickers through Baghdad in rush-hour.....
"for DNS i'm going back to Hosts file block all udp non http tcp." - by CrazzyFingerz (1082443) on Saturday March 31, @05:20PM (#18559077)
c ePorts TCP/IP parameters to let NICS that can perform this task take over those duties from the system mainboard CPU, a good move imo! apk
I have been doing the same thing on my rigs since the year 1999 (Win2k introduction) really. Nice to see others that do this!
I do it by using IP level tcp & udp filtrations on my connections in addition to Windows Firewall + a LinkSys/CISCO NAT true firewalling router/switch, & also using HOSTS files to block out adbanners that may harbor malicious code (for better security on this note) & there have been quite a few spotted the past 3-5 years now that have!
(and, of course, for better speed of not loading them & not calling out to their servers AND my dns servers, after I alter the dns resolution order to be, more or less, local dnscache, hosts file, isp/bsp dns (and I do not run dns server/client OR dhcp server/client services here either)).
* Do you, or rather, HAVE YOU, seen ANY downsides to this system you & I both use?
(See, I really have yet to! And, on dialup, cablemodem, or DSL to date, since 1999 doing this on Windows 2000, thru XP, into Windows Server 2003 here now currently)...
APK
P.S.=> Running Windows Server 2003 SP #2 currently with the new TcpChimney OffloadIncludeDestinationPorts/OffloadIncludeSour
WOW, I can hardly figure out where to start here.
:-) ... the American way. Fingers in ears -la-la-la-la-la-la-la-la.
... China is building cyber warfare units. The Chinese general said publicly that if we get into hostilities with the United States, we will reach out through cyber space and turn off the American electric power grid. From what I can tell and what I learned when I was in government, that's possible. ... think about it.
HOSTS?
"When was the last time terrorists killed someone over the internet?!"
That feature is in beta - coming soon !!!
"It isn't about terrorism at all. It is about control and about policing the rest of the world."
If you repeat a word over and over enough (terrorism), it loses meaning, is trivialized.
It IS about control.
DNS is part of that control. (think bypass, sieve)
What if you HAD to pull the plugs?
Think about that, I'll wait.
http://www.youtube.com/watch?v=EYGKV1MaIaY
(God, I love the internet
"Should U.S. DHS be trusted?"
Better question is about the policies of the Bush (v2.1b) administration.
Question authority. Talk to power, carry a big stick, etc.
Ummmm, what was the topic?
DNS (Mockapetris-Postel), right.
Defeat? With your own invention? (ARPANET)
http://www.dei.isep.ipp.pt/~acc/docs/arpa.html
Talk about shooting yourself in the foot and having a name such as "Smith" or "Wesson".
Apathy, lack of awareness and naivety is the greatest enemy.
We're (U.S.) so good at picking up the pieces.
Education, prevention, awareness - not so good.
Some need to understand you can use the internet to harm people - physically.
It's called a malicious Logic Bomb.
It IS rocket science.
Ask your ex SysAdmin about them.
Bios, Firmware, Flash memory, chip crowding, reconfigure with malice, and watch it burn.
Been there, seen that. Do that on a National scale and you have a society meltdown right in front of your eyes, wait two days - stir.
People were writing these things for hardware in the 80's and 90's, X-platform.
Remember all that talk of "hardware eating viruses" that would crop up occasionally, and how that person would be flamed out of the thread?
Ridicule and denial
There are no unbelievers on the battlefield.
"The truly powerful signing key is for Windows Update"
Why would you want any of that when you own the hardware?
Think (rouge) Eastereggs:
Microcode:
Disguised Bugs:
http://en.wikipedia.org/wiki/Easter_egg_(media)
http://en.wikipedia.org/wiki/Hidden_track
http://www.acm.org/classics/sep95/
Really, people have no idea what's going on now.
I've been banging this drum since 1997.
The NSA/CIA/DHS is starting to trickle out awareness of this very thing.
Joel Brenner - The National Counterintelligence Strategy of the United States 2007, speaking last Thursday at the American Bar Association.
(He speaks about the hardware problem near the end)
http://www.abanet.org/natsecurity/multimedia/2007/ breakfasts/joel_brenner_transcript.pdf
http://www.abanet.org/natsecurity/multimedia/2007/ breakfasts/joel_brenner.mp3
http://www.abanet.org/natsecurity/
Richard Clarke on Countdown with Keith Olbermann
Jan 22, 2007
http://www.msnbc.msn.com/id/16771741/
CLARKE:
Not just China.
I'll play Chicken Little, you
I'll wait.
~hylas
That's what it ultimately gets down to.
You are being MICROattacked, from various angles, in a SOFT manner.
Why the hell does the US government need control over any aspect of the internet ? The only thing they should have control over is www.whitehouse.gov... and I'd even motion to change that to www.whitehouse.gov.us. They're not the global government!
If ultimately there is no way around this master key bullshit, let's turn it inside out and give it to EVERY government. After all, the internet "belongs" to everyone, that's what makes it so great. If the internet were restricted to what the US government wants, it would be just a giant pentecostal worship site with idiots babbling in tongues and homophobic banter.
-Billco, Fnarg.com
I'm not a big fan of the US Government having a lot of control over anything, but as far as the complaints of them controlling the internet go, I'd like to point out two things:
1) Everybody here seems to rally behind the net neutrality bills, but that at is core is the government placing some control over the internet.
2) Didn't the US government play a significant role in the original developing of the internet? If so, then wouldn't it make sense that the government responsible for building it have a little bit of control over it?
Just some food for thought.
Nathan Friedly
I'm a corpse, you insensitive clod!
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
I'm sorry but if the security of the worlds DNS system (In terms of spoofability over the deployed technology) depends on the avaliability of a single master key that system is itself a joke and worthless regardless who does or does not actually have the "key".
The added pressure in terms of cpu and bandwidth on the root servers would IMHO clearly *NOT* be worth while.
DNS and anything without pre-arranged end to end signatures can be spoofed by *active* MITM attacks. Passive attacks which are the most prevelent for DNS depend on predictability of sequence numbers to inject valid responses to pre-arranged queries (cache poisioning..etc) into the network.
This can be effectivly resolved by following best pratices and with fairly trivial changes to the existing system.
The bottom line is that by definition an "Internet" will never be secure. All of the engineering efforts to improve the network need to go into scalability and DOS prevention. Those in the DFZ need to make a best effort to secure their BGP sessions and infustructure.
Internet users must always assume that every single byte of data they send over the network is wrong and collected by bad actors.
welcome our DNSSEC root-zone master-key IANA-requesting overlords.
*blinks*
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
You know what?
This is one of many cases that show that the US government is really messed up.
They want the keys to something the whole world depends on, and the ability to disrupt it, but deny that to anyone else.
The same goes for the militarization of space: they want to be able to do it, and deny anyone else from doing the same.
The same goes for weapons of mass destruction: they want to keep it, and allow current allies to keep it, yet selectively deny certain current enemies (real or perceived) from having the same.
This double standard, coupled with unilateral actions against the advice and objections of the most of the world, is what makes the current US government so scary.
Indeed this feels like the saying: Gods may do what cattle can't.
Americans can do better than that. You guys used to admired, and yes, envied, but in a good way. The rest of the world looked up to you.
Now this admiration has turned to resentment, and resignation. The rest of the world cannot vote in US presidential elections, yet we are affected by that decision without having a say at all. Sort of like when you rebelled against a king that taxed you without representation.
It is beyond most of the world why you reelected the same administration again, despite of all its short comings, and their continued heavy handed meddling.
The Democrat taking over congress is a good sign.
Please continue to fix this. You indeed can, and you deserve better. The rest of the world deserves better too.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
There is a subset of protections that may apply to those not in uniform: Protocol 1 of the Conventions refers to: "(a) the principle of distinction, i.e., that combatants must distinguish between other combatants and civilians, and that combatants must neither deliberately target nor indiscriminately or disproportionately harm civilians." I think it's safe to say that most of those in Gitmo, and those who have been attacking Iraqi civilians and everyone else in Iraq these last few years fall short of that standard as well. The fact is, the report I linked to shows that Gitmo is lawful according to international law.
Nope, even by the generous standards of international law, such as it is, those at Gitmo do not have protections provided by the Conventions. And yet the United States respects their mode of worship (even though that right would not be accorded to innocent non-Muslims if the prisoners had their way) and gives them their holy texts, prepares their food in accordance with their dietary laws, and treats them humanely in general. Yes, there have been abuses of prisoners, but these are people who officially have no rights, who would but for the charity of the United States, be marched in front of completely legal firing squads.
The US should maintain oversight of the Internet, but that does not mean the feds should get new and unnecessary powers. An international body controlling things would be far worse than what we have now, if not for the simple reason that what we have now works fine. Let's hope things stay that way.Part of the hardcore faithful who believed in Apple long before it was cool again to do so
No, you are wrong. It doesn't matter whether any national or international law requires to treat them in any way. There are simply no people that have "no rights". Who you are to decide whether someone deserves a right and someone does not? A reason like not being uniformed is one of the dumbest arguments I've ever heard. You are not better than the kidnappers, the murderers, the terrorists, because you behave in the very same way. They also accept the rights for themselves, but not for their declared victims. And, by the way, I don't see a sentence in the American Constitution that restricts the expressed freedom to American people only.
That an international body would do it worse is, by the way, a completely unfounded accusation. Any proofs, any examples?
Microsoft hardcodes the *IP addresses* of the addresses used for Windows Update into the OS. When you hit those sites it goes to the hardcoded IP address REGARDLESS of where the DNS query would have sent it.
Microsoft has been scorned on Slashdot before for having that feature. But it does prevent hijacked DNS from taking over Windows Update.
DNSSEC provides the ability for the data to be signed. The politics have come in, of course, as to who has those keys. (Now mind you, right now the US government or anyone at all can already spoof DNS responses today and interestingly enough when politics get involved, it takes longer for deployment of secure protocols to happen. whee....)
.com's key, because they're the one with all the data you need. The roots hold all the information about the TLDs, so you need to trust the roots to be able to get information about .com's servers. If someone controlled the keys for the roots and you trusted those keys (had them configured as "trust anchors") then they could spoof (signed) .com record, the .com keys, etc down until example.com so you'd trust the results for example.com as secure.
.com key instead. You don't have to trust the root zone keys, it just makes it easier to trust only one. Paranoid people are certainly welcome to maintain a list of trusted keys for any zones they deem to be "importantly" critical. If you had a trust anchor configured for .com, then it wouldn't matter what someone with the real root zone key could do with it... You wouldn't trust the eventual results from a fake .com server a root had told you about because the cryptography would warn you that it didn't match up to your expected trust anchor for .com. I suspect that most country TLDs will already do this for their own government results (IE, .se, who already runs a secured zone, will configure the .se keys as trust anchors in its government systems).
But, DNSSEC does provide every zone owner with the ability to hold a very special key so that no one else may be able to spoof stuff in their zone. Everyone would want to trust
But here's the secret: if you don't trust the root zone owners, then instead you can choose to set trust anchors tied to the
Here's an interesting proposal for the root zone: pick two countries that hate each other and are likely to never have the same agenda. Let's call them X and Y. Give each of these countries a root key, and make the root zone use and publish results from both of them. Then, you could configure trust anchors pointing to both the X and Y keys. You could configure your system to make sure to check the DNSSEC results to validate the information up to both of these keys. That way you could ensure that since you trusted X and Y to never conspire against you together, and you would know that neither X or Y alone could have spoofed DNS data then you suddenly find yourself safe. Because of the distrust. I love the irony.
(now: you don't want to have a zillion keys for the roots... The packet sizes get larger as you add more keys, and it turns out you probably don't want more than 3 at most).
The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!