Slashdot Mirror


The Internet's Biggest Security Hole Revealed

At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored, but wasn't believed practical. They showed how to hijack BGP (the border gateway protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting: "'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network." Here's the PDF of Kapela and Pilosov's presentation.

37 of 330 comments

  1. The man in the middle by symbolset · Score: 3, Funny

    Must have the world's largest collection of online porn.

    Which would figure, actually.

    --
    Help stamp out iliturcy.
    1. Re:The man in the middle by gnick · Score: 5, Funny

      How can a title including 'The Internet's Biggest ... Hole' not be kicked off with a goatse joke?

      --
      He's getting rather old, but he's a good mouse.
    2. Re:The man in the middle by newr00tic · Score: 1, Funny

      that wouldn't have gotten +5

      No, +11 !

      --
      A horse can't be sick, you know, even if he wants to.
    3. Re:The man in the middle by Bill+Hayden · Score: 5, Funny

      He said he doesn't want to see duplicates... why are you sending him to Slashdot's main page?

      --
      Protect your browser with the Force Safe Search add-on
    4. Re:The man in the middle by Achromatic1978 · Score: 5, Funny

      Not the good looking, sweet smelling, celebrity vagina.

      Having seen (or been subjected to), as we all have, upskirts of Britney, Paris, etc., I gotta say that "celebrity vagina" is by no means universally "good looking, sweet smelling"...

    5. Re:The man in the middle by Anonymous Coward · Score: 5, Funny

      Over +9000!!!

    6. Re:The man in the middle by symbolset · Score: 3, Funny

      plus goatse has fewer gaping assholes

      So you've never actually seen coverage of the DNC and RNC then? Between the reporters, the candidates and the delegates I doubt a greater mass of gaping assholes was ever assembled.

      --
      Help stamp out iliturcy.
    7. Re:The man in the middle by symbolset · Score: 3, Funny

      Oops. Sign error. Never mind.

      --
      Help stamp out iliturcy.
    8. Re:The man in the middle by karbyn-aceous · Score: 1, Funny

      No matter how much I scratched and sniffed those pictures, they never smelled :-(

    9. Re:The man in the middle by Anonymous Coward · Score: 1, Funny

      You got a link to that?

  2. Re:Scary Much? by Anonymous Coward · Score: 1, Funny

    I find the thought of this genuinely scary. Correct me if I am wrong, but we would have to change the BGP protocol itself to fix this issue. That isn't going to happen anytime soon I reckon, so I guess there is nothing we can do but encrypt sensitive transmissions and hope for the best.

    Hell, let's 'fix' SMTP while we're at it... ;)

  3. Re:Fun fun fud by Kingrames · Score: 5, Funny

    Depends on how much you value your privacy, Mr. Stephen P Wallagher of 4242 Green Leafy Forest Terrace, Springfield, Ohio 55538, Phone number 1-900-Hot Dude, alias "Lovestospooge."

    fixed.

    --
    If you can read this, I forgot to post anonymously.
  4. Re:Fun fun fud by Anonymous Coward · Score: 5, Funny

    Let's put it this way. Email right? It's delivered between hosts completely unencrypted. Imagine you could sniff all the email passing into, say, the white house.. would that be worth something?

    Note, I've also given you the hint to prevent this bullshit from being a problem.

    So we need to destroy the White House?

  5. Re:Fun fun fud by RuBLed · Score: 4, Funny

    Anyone have any insight as to how serious this ACTUALLY is?

    Yes. Someone had managed to re-open the goatse.cx site again.

    if you don't believe me, you know there is only one way to find out

  6. Flaw revealed years ago by sleeponthemic · Score: 3, Funny

    A hacker marauding by the name "Goatse" exposed it quite effectively some years back.

    --
    I record my sleeptalking
  7. Government is on it. by Anonymous Coward · Score: 1, Funny

    ... testified to Congress... disclosed privately to government agents... described this to intelligence agencies and to the National Security Council

    So in other words, the US government knows about the issue. This is the United States government, people! Obviously there is nothing to worry about. Like, come on, as if the US government would allow eavesdropping on the information highways to even be possible. Like come on, srsly.

  8. Re:Scary Much? by jd · Score: 3, Funny

    Fixed SMTP is called X.400.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. Re:Fun fun fud by Z34107 · Score: 4, Funny

    Monoculture is bad? Good thing Internet Explorer offers a different take on W3C standards...

    I kid, I kid.

    --
    DATABASE WOW WOW
  10. Re:Fun fun fud by jd · Score: 5, Funny

    Heh. Standards should be the starting point, not the end goal (or, in IE's case, the work of fiction based on the screenplay based on a True Story of one man and his chair).

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  11. Re:Fun fun fud by Anonymous Coward · Score: 5, Funny

    No, it gets sent through Dick Cheney's hotmail account.

  12. Re:You can bet good money... by KPU · Score: 4, Funny

    Home Depot? The store that sells wood is spying on my Internet access?

  13. Let the Rickrolls begin! by randall77 · Score: 2, Funny

    Enterprising hacker hijacks BGP and Rickrolls the whole world in 3... 2... 1...

  14. Re:Fun fun fud by Anonymous Coward · Score: 4, Funny

    What, you didn't get your secret decoder server?

  15. Re:Scary Much? by Randle_Revar · Score: 2, Funny

    XMPP

  16. Re:You can bet good money... by Randle_Revar · Score: 4, Funny

    If that's the British DHS, the American counterpart is Home Depot, and it should be obvious why they'd want to spy on people.

    So they can tell if you have been going to Lowe's?

  17. Re:Fun fun fud by Zwicky · Score: 2, Funny

    if you don't believe me, you know there is only one way to find out

    I believe you! I BELIEVE YOU!!

    --
    "Three eyes are better than one" -- Lieutenant Columbo
  18. Re:You can bet good money... by florescent_beige · Score: 4, Funny

    He meant the Department of Homeland Depot. It's the privatization of government, don't you know.

    --
    Equine Mammals Are Considerably Smaller
  19. Re:You can bet good money... by florescent_beige · Score: 2, Funny

    The one we all want to know more about is Victoria's Secret Service. I demand congressional hearings on, you know, that! Etcetera!

    --
    Equine Mammals Are Considerably Smaller
  20. SLASHDOT SUX0RZ by Anonymous Coward · Score: 5, Funny

    You called? Sorry I'm late

    The Internet's Biggest Hole Revealed at http://goatse.cz/

  21. Re:You can bet good money... by rabiddeity · Score: 2, Funny

    Home Depot? The store that sells wood is spying on my Internet access?

    Yeah, they really know how to put the thumbscrews on.

  22. Re:Fun fun fud by edalytical · Score: 2, Funny

    I'll be right on that dude. I've been looking for a way to escape NAT, moving to Japan is the perfect solution!

    --
    Win a signed Stephen Carpenter ESP Guitar from the Deftones: http://def-tag.com/?r=0008781
  23. Re:Fun fun fud by Alsee · Score: 3, Funny

    Heay! That's my private info!

    I am now sending a federal law DMCA notice demanding you take my information down.
    BTW, please don't run a Slashdot front page story on my DMCA takedown notice & info.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  24. Re:Fun fun fud by Alsee · Score: 5, Funny

    Whew! Good thing you clicked the "Anonymous Coward" box when you posted that!

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  25. Re:Fun fun fud by rbanffy · Score: 3, Funny

    Why can't I mod something "tragic"?

  26. Re:Fun fun fud by Critical+Facilities · Score: 2, Funny

    "Be sure to drink your Ovaltine".

  27. Re:Fun fun fud by houghi · Score: 3, Funny

    Or so you would think, but they are probably monitoring traffic to /. as well, so now they have his IP. Probably he is now at work, but with his login, they will be able to link it to the times he logged in at home.

    Then some more cross referencing and he is on his way to Gitmo.

    --
    Don't fight for your country, if your country does not fight for you.
  28. Re:Fun fun fud by Palshife · Score: 3, Funny

    Yes. Definitely a good idea on my part.

    Shit.

    --
    Attention deficit disorder is a complicated issue, spanning several major... HEY LET'S GO RIDE BIKES!