Slashdot Mirror
Feds Plot Massive Internet Router Security Upgrade
BobB-nw writes "The U.S. federal government is accelerating its efforts to secure the Internet's routing system, with plans this year for the Department of Homeland Security to quadruple its investment in research aimed at adding digital signatures to router communications. DHS says its routing security effort will prevent routing hijack attacks as well as accidental misconfigurations of routing data. The effort is nicknamed BGPSEC because it will secure the Internet's core routing protocol known as the Border Gateway Protocol (BGP). (A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.)
Douglas Maughan, program manager for cybersecurity R&D in the DHS Science and Technology Directorate, says his department's spending on router security will rise from around $600,000 per year during the last three years to approximately $2.5 million per year starting in 2009."
This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?
For those of who aren't experts on this sort of thing, will this only increase security at things that are .gov? That's the impression I get but I don't know enough technically to be sure.
I don't know much about security and cost, but the 600k does indeed seem fairly small to me for something like this. Even 2.x million seems like a sizzle in the pan. Can anyone speak to the costs involved?
put all the top workers under full secret service protection and don't fire any one or will may see a under siege 2.
[tinfoil] Sure, and adding signatures to all routers couldn't possibly be trying to make Thomas Paine roll over in his grave, now, could it? [/tinfoil]
[
You're failing to take into account the 2-3 times the project will be extended and the quadrupling in cost. That's just SOP for a government contract. Sad, but true.
That costs a lot less than rolling out new hardware/software.
Engineering is the art of compromise.
Most troubling is that problems like these were basically known about for years but nothing is done until after threats are displayed at sec conferences.
> A few short years ago we managed to live without the DHS...
I have no love for the DHS, but it was created by smushing a bunch of existing agencies together. They do little that wasn't being done before. In their absence this work would probably be being funded by one of the agencies that was destroyed to create them.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
In the grand scheme of things a million a year isn't something to bitch about. I mean the... 'defense acquisition university' gets 120million... We spend 16billion dollars to fight IEDs. We spend 430million for 'polar research' ... The office on violence against women gets 280million. Oh and my favourite 9.7Billion freaking dollars for air traffic control. Honestly that could be done by computers for several million dollars.
Really we should pay everyone there a million dollars a year just because their plan hasn't ballooned into something silly yet.
When you're $10.6 trillion dollars in debt, even $600 k shouldn't be considered trivial. That's real money our grandkids will be paying off...
--- Thousands are enslaved every day.
Still peanuts. If you want to really spend other people's money the Dept of the Treasury is the place to be.
The U.S. federal government is accelerating its efforts to secure the Internet's routing system
Did I miss something?
I thought China had all the control.
Couldn't you just not do that? Why do the Feds have to roll out a $600k program because of you? That is taxpayers money for gods sake!
I wouldn't do it (I don't even have an AS to play with anymore), and it's rather more complicated than my explination made out...
I think a possible way to implement this would be a Hierarchical model where IANA has a top-level certificate for the trust and then it signs each regional NICs certificate, and they sign AS's which sign their subnets, then IANA could ask various NICs to revoke the Certificates of AS's that do dodgy things (like advertise subnets that aren't theirs), still it would require alot more overheads in terms of processing and memory than BGP currently requires.
I should also mention, I haven't worked with BGP in around 7 years now.
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.
That's the name of a set of protocols that predates the DHS, not their effort.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
This is what we need. I am glad that action is being taken on the router and DNS vulnerabilities. These are very serious issues that are a danger to everyones security and privacy. Especially rerouting attacks for download and software is a perfect way to redirect users into downloading virus loaded software, and into giving confidential information to fake websites. Its about time something is done to improve the security of these systems, and they are doing the right things it appears by addressing true threats in ways that improve and protect the users rights and freedoms rather than take them away. Its clear that there are IT experts involved with this rather than politicians. What australia has done is an example of what NOT to do.
we really want to use new protocols from the government. They may put "warrantless wiretap" capabilities in...
That might pay for a requirements analysis, but that's about it. A real system is going to be much more expensive.
Mea navis aericumbens anguillis abundat
So does that mean we are going to buy MORE fake routers from china with hardwired security issues?
Its a trap! SSBB reference
Had to sorry regulars.
Ease off that hair trigger a bit, eh?
I think you missed something rather fundamental - in the case of PP "dodgy" behavior meant doing illogical things with routing paths, not publishing unpopular or dissenting content!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Reads made in China Laughs
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Keeping track of and navigating a few million planes could be done on one server if it was well coded. Which would really cost like 500,000. I'm sure there are a bunch of other things that need doing but i'm so far off of 10billion that i've no idea how they got it that high.
Keeping track of and navigating a few million planes could be done on one server if it was well coded. Which would really cost like 500,000. I'm sure there are a bunch of other things that need doing but i'm so far off of 10billion that i've no idea how they got it that high.
You're living up to your name?
Let's talk about some of the issues:
- Radar is an inexact medium of information. Transponders help a lot, but they only have 4 digits and can be disabled or break. GPS transponders (where the aircraft reports its position) would help, but not every plan has that.
- Communication between the air/ground is not assured.
- Weather, visibility, winds aloft, precipitation, fog are all unpredictable elements that have to be accounted for. You need sensors for all that, or figure out how to do voice interpretation of a pilot's report of bad weather.
- You also need to know the status of the runways. Are they clear of ice, snow, debris or other incursions?
ATC only seems simple on the surface, during good weather, clear skis and everything running on schedules.
Wolde you bothe eate your cake, and have your cake?
Are you serious? You want one, crash prone, computer to manage all air traffic in the skies of the United States? You realize that this computer would be tracking millions of objects a second, in a three dimensional space, analyzing all of their current courses for collisions in the next say 5-10 minutes (you wouldn't want to cut it closer than that and honestly even more warning that that would be good), scheduling take-offs and landing from thousands of airstrips, accepting interrupts for emergency requests at ALL of those airstrips, processing voice inputs and outputs from thousands of (still human) pilots a second, and making judgment calls when conflicting requests come in (Do you let the plane with low fuel land first, or the one with engine trouble? How bad is the engine trouble, how low is the the fuel? etc.) I'm quite sure I haven't even scratched the surface of what air traffic control for the ENTIRE COUNTRY would involve, but that alone is more load than even the most powerful computers in the world could handle.
Ignoring the fact that you'd need at least two for redundancy (probably more, these are hundreds of thousands of lives an hour we're talking about, failure is NOT an option). Ignoring the fact that voice to data interfaces are only partially reliable, especially if the user has an accent ("Air Rus 13654, this is the tower, I did not understand your last transmission, please say again" - "Ai says, 'Ve have vuel leek. Reqvest immideet landing'" - "Air Rus 13654, this is the tower, I did not understand your last transmission, please say again" - "Ahhhhhh!" - "Air Rus 13654, this is the tower...."). Ignoring the fact that computers are terrible at judgment calls. Ignoring all of that you'd have to have a HUGE data pipe going into this mythical computer, capable of accepting data from EVERY radar station in the country, ALL of the tower control frequencies in the country, and transmitting back out to ALL of the traffic control frequencies, plus sending messages to various EMS and law enforcement agencies local to air ports (who do you think calls the cops when a flight attendant wants to eject a drunk passenger? The tower. Calls the ambulance for the lady who goes into birth or the guy who has a heart attack? The tower. Requests emergency services on site in the unlikely but occasional event of an incident? The tower.) It needs to talk to all of this stuff with little or no latency.
What do you think air traffic controller DO? Sit and watch their little radar screens hoping that no little dots cross each other? It's considered one of the most stressful jobs in the world. These guys are constantly making decisions that might result in or prevent any number of major and minor disasters.
I have serious doubts as to whether it would even be technically possible to implement the kind of system you envision at an acceptable level of safety, but if it were it would be more like hundreds of billions of dollars to put in not a couple of million. I don't think you even begin to comprehend what the requirements documentation for something like this would look like. Hell, I don't begin to comprehend such a thing, and I've already posted about a dozen problems you didn't even start to think of. Imagine if I were someone that actually knew something about this.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
Now all they have to do is upgrade that damn firewall protecting our air traffic, water distribution, and electrical generation control systems. It's only a matter of time before terroraxxors take over our country and crash planes into each other!
https://www.eff.org/https-everywhere
Lol well obviously It'd be redundant but keep in mind the price tag is still .005% of what is currently being spent. Make the system as big and redundant as you want 10x what i said.... .05%. And the processing isn't that bad, they are just paths in 3d space which computers are very well equipped at figuring out. Especially GPUs and such. .1% for 100 employees. .15% now that we have enough employees.
For emergency situations they have coded numbers for situations like cops and everyone else. If there is a misunderstanding then it can be bumped instantly to a human (if computer is only 60% sure of what it heard). The same way a phone company works. Make that up to
Judgment calls are fairly rare. Aside from what impression movies might give you emergencies like fuel leaks and such are rare. Also they are determined by the planes computer sensors so having that interact with another computer is no problem. Add a button on the plane for unusual situations then like terrirists lol. So we can also add a bureaucracy bringing us up to
I know, we've all seen pushing tin. But directing the actual path of planes as i've said could be done by computer without any issues at all.
How is hundereds of humans doing calculations any better than a computer? This is the exact type of problems computers excel at. And I had thought of these but originally I was just referring to actually directing the planes.
Computers already track the planes. Most airports past "decent" sized and even a lot of small ones have computer assistance for the air traffic controllers. Planes can be tracked based on transponders and even GPS in some cases. People are still necessary for everything else though. Not all planes (especially small personal planes) are equipped with transponders, and fairly few are equipped with GPS transponders. Radar at most airports is not sensitive enough for exact locations, so eye balls are still needed. Most of all while you're right that true "emergencies" of the "Oh my God we're all going die!" type are fairly rare, most large airports field several to several dozen small emergencies everyday. Some of those would become serious emergencies if not expeditiously dealt with by trained controllers.
Tracking planes is a fairly small (though doubtless critical) part of the job of the tower, you can possibly reduce some of that load with more computing power. I doubt you could reduce it all that much though, certainly not eliminating it.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
Or maybe they want the protocol done in a way that NSA CAN subvert any router detouring it's packets through their own computers, sniffing and injecting (cocaine & herion?) to their hearts content.
Just because I'm paranoid doesn't mean they aren't out to get you.
(He says, from his satellite connected hide-away in rural Alberta, 500 km from the nearest chunk of American soil)
Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.
I was wondering when they were going to start this. There was a lot of discussion about this a coupl years ago. One of the best ways to upgrade security on the net is to upgrade the routers. You can actually do a lot there, including an easier method to track and stop attacks at their source, as well as identify the originating machines. I hope there is more to the upgrade then stated there. It would be expensive, and some would probably say that there may be some constitutional issues. Hopefully they are including hardware/software to trace the point of origin for these attacks and shut down their proliferation by at least dropping them off the system.
Open Source: Eroding the Digital Divide