The Canadian Who Holds the Key To the Internet
drbutts writes "The Toronto Star has an interesting story on how they are securing DNS: 'It's housed in two high-security facilities separated by the North American landmass. The one authenticated map of the Internet. Were it to be lost — either through a catastrophic physical or cyber attack — it could be recreated by seven individuals spread around the globe. One of them is Ottawa's Norm Ritchie. Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions). In essence, these seven can rebuild the architecture that allows users to know for certain where they are and where they are going when navigating the Web."
The story I read said that any four of these seven must get together at one of these bases. That seems to indicate that each one has half of the key. Two of them, if they were the right two, could do it. But having four out of seven guarantees that you have at least one copy of both halves.
The internet is supposed to be able to repair itself. You know, route around damage and stuff? This all sounds as fragile as our transportation system when merely threatened with an explosive device, bringing it to a complete halt. Is our entire food supply this flimsy?
For justice, we must go to Don Corleone
the *crypto signing* of the zone, not the *contents of the zone*, which are, of course, all over the place.
That would mean that any successful attack on the system would have to include the kidnapping/assassination of at least six of these people. Plan for seven hits--the attackers could completely botch one attempt and still be successful. Pretty good odds.
Nice of them to provide names.
Or do they summon Captain Planet? ...or Wilford Brimley?
In a world of the blind, the one-eyed man is king--and the two-eyed man is a heretic.
When your powers combine, I am Captain Internet!
Wait. That's not right.
Also, a question, which key holder is Ma-Ti?
Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions).
I thought the dwarves got seven cards. And, the humans got nine... and the elves three. Or, am I mixing something up?
I just heard a pretty good talk on DNSSEC at Blackhat and it wasn't quite like this... I'll leave it at that.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
I see a new James Bond movie in the making here...
-- Cheers!
I have that same combination on my luggage!
The world is not full of evil organizations who are thoroughly evil, yet well funded, that run around doing evil for its own sake. The likelihood of someone blowing up both facilities and kidnapping the people who hold the cards just to try and take down DNSSEC is pretty unlikely. I think this is more likely protection against hacking (which is much safer) or a gigantic mistake. Always good to ask the question "If everything fails, how are we going to rebuild it?" That's what this is.
Please remember that vast kidnapping conspiracies and so on require a lot of people acting in concert. That is hard to keep hidden. What's more in this case you'd be talking about something all over the world. You are also talking about something that would draw the wrath of the most powerful nations out there. The US (who holds the facilities), the UK, China, etc. It doesn't work like in James Bond where the baddies contact the government and they have to knuckle in unless a lone agent can bring them down. What happens is the governments send in hundreds of heavily armed, highly trained, soldiers that will kill or capture anyone who is involved, or perhaps just as likely simply destroys the building they are in with a well placed smart bomb from a bomber you cannot see.
The idea here seems to more be a final redundancy against a systems failure, but one where a single person can't go rogue and cause a problem.
So please, stop with the paranoid movie plots.
Really tired of these summaries which assume we're morons and don't know what DNS/DNSSEC are.
I sure hope these guys have a good reputation
For justice, we must go to Don Corleone
but this reads like an intro to a bad cyberpunk novel/movie....
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Haven't I seen this before somewhere?
http://www.zeldawiki.org/Sage
When people ask if I'm an optimist, I say "I hope so". --Bill Bailey
One Card to rule them all, One Card to find them,
One Card to bring them all and in the darkness bind them
The truth is, these keys are really just a safe guard in case /. ever posts Article Omega, bringing about the systematic slashdotting of the ENTIRE INTERNET!!!
Maybe the seven combine to form the soul of Lord Voldemort.
I eat only the real part of complex carbohydrates.
I thought the whole point of the Internet was that there was no "there", there.
Forget this high tech stuff, I am gonna order some cheap knives and canned goods while the Internet still works.
Jen: What is it?
Moss: This, Jen, is the Internet.
Jen: What?
Moss: That's right.
Jen: This is the Internet?
[Moss is nodding his head]
Jen: (suspiciously) The whole Internet?
Moss: (agreeably) Yep. I asked for a loan of it, so that you could use it in your speech.
[Roy enters the room.]
Roy: (irritated) Hey! What is Jen doing with the Internet?
Jen: Moss said I could use it for my speech.
[Roy speaks to Moss in an edgy way.]
Roy: Are you insane? What if she drops it?
Jen: I won't drop it, I'll look after it.
Roy: No. No, no, no, no, Jen. [Takes the box back from Jen.] No, this needs to go straight back to Big Ben.
Jen: Big Ben?
Moss: Yep. It goes on top of Big Ben. That's where you get the best reception.
Jen: I promise I won't let anything happen to it.
Roy: No, Jen, I'm sorry. [Jen becomes woeful.] The elders of the Internet would never stand for it.
... and then they built the supercollider.
So Al Gore has a key! :D
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Earth! Fire! Wind! Water! Heart!
It'd be awesome if they yelled that out as they each scanned their cards.
Look eye Daniel-son, Look eye!
...but there can be only one.
Proud member of the Weirdo-American community.
Here are the first three things I thought after reading this. None are good...
It must have been something you assimilated. . . .
One secure site in Culpeper, VA; the other site in El Segundo, CA. These sites both seem rather exposed to attack, compared to the vast interior of America. Why no secure site in the empty, hard-to-bomb middle of the country?
Also, check out the googlemap of El Segundo -- it's right next door to a buttload of chemical (gasoline?) storage tanks. I've heard there's a risk of those things going "boom" in a real real nasty way, if some smallish explosion sets them off. Seems like a kinda shitty spot to locate critical internet infrastructure.
The key holders are the Elders of the Internet.
The real question is why we would trust a dirty Canadian with a key! They don't even lock their doors! All the more evidence that Canadians are really giant mutated beavers bent on world domination.
It rivals even that of the Sword of a Thousand Truths. Did Salzman in Accounting also foretell this prophecy? Is this person in fact his heir?
Or do they summon Captain Planet? ...or Wilford Brimley?
Gozer of course. "Are you the keymaster ?"
If all else fails, immortality can always be assured by spectacular error.
(But in secret, another smart-card was made - one that could rule all the others...)
Some of us like to remain informed.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
http://www.bbc.co.uk/news/uk-10781240 Not the best interview, but relevant.
This doesn't strike me as a smart backup solution... First, both facilities are in the US... Second thing is that in case one of them gets destroyed due to the terrorist attack, there would be no air travel... Also, what happens if both of them are destroyed? Since they both are in the USA there's no borders to cross which makes planning and coordinating attacks easier... If one of them were, for example, in Europe or Puerto Rico (in case the US needs to control them both) it would be much harder to coordinate the attacks as the international lines are more heavily monitored and usually there are less legal hurdles to snoop on other countries... Of course if one of them gets destroyed in a terrorist attack this guy from Canada will hardly be able to help since the borders are likely to be closed...
Seems I've heard something like this before.
== First cross river, then insult alligator.
The one from Trinidad & Tobago, duh.
Gi is from China, Kwame is from Burkina Faso, Linka is from Czech Republic and Wheeler is from USA.
But, adding Paul from UK and Ritchie from Canada is a bit Anglo-centric and ridiculous.
Those are not even two different countries, let alone continents.
Against stupidity the gods themselves contend in vain
Sorry, only got a partial here.
I used to work with/under Norm (he was my boss) and he's a great guy! When I worked with him he wasn't a Keeper of the Key but he was still pretty cool
dinosaur comics
So, if DNS breaks we can blame Canada?
Perhaps I don't have a grasp on how the Internet, TCP/IP, etc. work.
But it seems to me, if you turned loose a spider that wandered around (from 000.000.0000 to 999.999.9999) and queried EVERY IP out there ... wouldn't you end up with a complete structure of which IPs were active, which were not, and some sort of identification for each and every one of them? And what was connected to what (to rebuild routing tables). Especially if the IP host actually responded with some sort of ID?
For that matter, that identification could be done after the fact, ne? "Dude, if you're an active IP, send an email to this site with your IP and this completed DNS form. You won't be on the active list until you do."
Bidda boom, bidda bing.
Besides, this is just a plain old database anyway, isn't it? Just back up the damned thing.
I foresee going badly as each card holder systematically tries to kill the other 6. THERE CAN BE ONLY ONE!
The press gets this wrong on so many levels it's not even funny.
The Recovery Key Share Holders (RKSHes) hold crypto cards for decrypting the backup of the hardware security module. HSMs are deliberately de-ruggedized, and if they even *think* they're being messed with (brownout, temperature extremes, being jostled a little bit), they'll lose their memory. So this is insurance against all four HSMs losing their cookies at the same time. It is not insurance against nuclear armageddon, simultaneous destruction of both sites, Cthulhu ascendant, rampaging /b/tards, or Godzilla.
They do not hold fractions of the root KSK. Stealing the cards from 5 of the 7 RKSHes doesn't gain a bad guy anything, since they still need to (without detection) get to the encrypted backup of the root KSK, which is inside a safe, inside a cage, inside a vault, on the far side of a mantrap, in a secure building, on a secure campus.
If you do not understand how M of N crypto works, please do not post comments saying "if the right two" or anything like that, because you're wrong.
You're invited to read https://www.iana.org/dnssec/icann-dps.txt as well as data at http://www.root-dnssec.org/ and join the group of us boggling at how badly the press mangled the story.
Well, it IS rather obvious for most of us that Canada is just pretending to be a separate country from the rest of the British Empire just to keep the pea soup eaters from revolting.
Ridiculous I know, but stranger and more pointless things have been done by British monarchs before.
Like that time they decided to just give up on the entire lower part of the North America - over a couple of cups of tea.
And despite that old saying that the Sun never sets on the British Empire, that does not make it a continent.
A time zone maybe, but not a continent.
Against stupidity the gods themselves contend in vain
This is a Really Stupid Idea. 5 people from 5 different countries have to all get together in the same place to restore the signing key to restart a trusted Internet. If civilization has truly gone down the tubes otherwise, just getting to the next town, let alone across an ocean, just isn't likely. This is all just a PR puff-piece of something unlikely to ever actually work out as intended in practice.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
One Card to rule them all, One Card to find them,
One Card to bring them all and in the darkness bind them
In the Land of Canada where the Shadows lie.
I had just been handed the assignment, from the World Domination Society, to plan the covert murders of all seven. Now I realize it won't be necessary.....at least not at this time.
[Amerika is Skynet]
...no one will ever find it there. (Czech Republic has the best looking women!)
Some of us like to remain informed.
Except this is only "information" in so far as it is the latest plot device made real by the idiots in charge. That means this is a social engineering exercise, (a variation on basic propaganda).
Learn to spot the difference. It's important.
In any case, the delivery needn't be couched in endless, pedantic terms of "Terrorist Attack". I can hardly believe people haven't figured out yet that they're being manipulated. How stupid does a person have to be to not get that simple fact at this late date?
-FL
Five of seven required to recover means three of seven to block recovery of the key.
Help stamp out iliturcy.
Have you noticed all the movie trailers for the last nine years that ended with a big bold font displaying something like "04.07.06"? It's the Universally Ambiguous Date Format. Of course GP couldn't even get that right....
Information is information, and given a choice of it being repressed and being made available, I'll almost always choose the latter. This is a real decision made by "the idiots in charge", and if nothing else, the information that this decision was made is information about the quality of leadership.
They couch their delivery in pedantic terms of "Terrorist Attack" for the same reason that you couch your delivery in pedantic terms of "Government Attack". Think about it.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Why so few???? And why is it secret???? Why not have 3000 copies? Don't we have that many trustworthy people?
Information is information, and given a choice of it being repressed and being made available, I'll almost always choose the latter. This is a real decision made by "the idiots in charge", and if nothing else, the information that this decision was made is information about the quality of leadership.
This is certainly a valid approach, but it's not where we started from and it's not what I was complaining about. I don't want silence from the media. I want responsible reporting, but above all, I want a cessation of manipulative tactics designed to keep a population fearful. Fear and anxiety are the keys to population control; they are incredibly effective. And now we are told the following. . .
A. That the entire internet is in danger of being destroyed by bad people. (Even a small and unlikely danger noted registers deeply in the brain; for instance, "birthday serial killers" scare populations far out of proportion with the actual threat level because the subconscious isn't good at probability maths. This is why we can spend hours worrying about things which never happen. This is well understood in the persuasion sciences. Also understood, is that when jolted by fear or anxiety, the associated message lodges far more deeply in the brain than otherwise. There is SO much understood about how to manipulate humans and this article is dripping with it. Journalists, of all people, should have at least a passing understanding of this stuff.)
B. That our fearless leaders have taken spy-thriller steps to ensure our safety rather than opting for far less dramatic redundant back-up systems. This is due to our having been programmed by films and television. Even while consciously aware that a Bruce Willis film is fundamentally silly, the emotional programming remains, so when we are presented with similar patterns in the real world, we have the same gut level reactions. It's very hard to prevent that. Again, more psych science.
C. By extension, the world is full of awful things, that there is the real danger that our lives might be interrupted by terrorism at any moment. I don't know what you think of the whole 9/11 fiasco, but the digging and examination of the facts and events of that day hasn't stopped, and the picture is today more clear than ever. Thinking people who make the effort to inform themselves rather than believe the sanctioned media and elected representatives have come to the conclusion that it was a giant sham event driven by manipulative forces for political purposes. It's well-worth reading everything you can get on that subject, weeding out the junk and doing comparative analysis to determine the key features. Essentially, the whole charade was perpetrated by Nixon era psychopaths and their proteges, and pushed over the top by Israel.
D. By unspoken extension, when a further power grab and erosion of civil liberties comes around every two weeks, we all understand that it is just a small step with good reason. After all, Bad People could attack us at any moment, right? I mean, as proof we only need to look at our leadership; they carry spy-movie key cards to re-boot the internet in case of spy-movie attack! And if that's a real possibility then we really MUST be in the middle of the new cold war! It's self perpetuating "truth"; a fiction created at the top and sold to us through the media, duly reported on Slashdot and defended by ignorant hobbits who don't realize that they are fighting to protect the very forces keeping them under thumb in some population-wide expression of Stockholm Syndrome.
And THAT whole menu is the bullshit I reject. The psychology is well-understood. We know who has studied the mind-game mechanics of it, who endorsed and invested in it as policy. We know many of the names, the places, the dates. Why? Because THAT is information. Real information. By contrast, the newspaper informing us of the next stupid thing to be afraid of is not the same kind of thing. A lie is technically 'information', bu
This sounds like something from Lord of the Rings or Silmarillion. I hope they don't have the same corrupting power.
So, what, the crazy sect of the libertarian movement got jealous, and decided to muzzle in on the action? People are going to be afraid of what they fear. Any government not seen to be addressing those fears is seen as weak and unfit to rule. It's really not a difficult concept to grasp.
The danger is unlikely, but the danger is critical. Minimising chances of death is typically a healthy and rational response. Then there's the opportunity cost: negative infinity times by a vanishingly small probability equals negative infinity.
Hmm. I'm withholding judgement until I actually see the given reason for using this system, rather than just assume someone I hate did something for a stupid reason. That's how stupid, one-eyed outlooks are born.
And that's how stupid one-eyed outlooks grow and thrive. There are far easier, far safer ways to control a population. Besides, did the population really need controlling? Was there about to be a revolution before 9/11?
Ah, it's starting to fall into place now. You want "responsi
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
There are two types of people who question authority. Those who question authority, listen to what they say, and make a judgement accordingly, and those who question, and simply ignore the answer, believe exactly what they want to believe, and remain terminally ignorant and uninformed. Did it ever even occur to you that there might be an alternative reason behind the implementation of this scheme, aside from the one you cooked up about the movies?
Has it occurred to you that I might actually know what I am talking about? When I question things, I listen exceptionally well. I ask a lot of questions and I listen to everything I can get my ears on. If my resulting judgments seem odd to you, then perhaps that is only because you haven't got enough information.
And that's how stupid one-eyed outlooks grow and thrive. There are far easier, far safer ways to control a population. Besides, did the population really need controlling? Was there about to be a revolution before 9/11?
Wow. Those are some very ignorant questions. You really are in the dark, aren't you? This isn't the forum to try to educate you on such huge, basic realities; it's a big, deep subject, and frankly, I'm not convinced you're worth the effort. -A common belief people labor under is that they are somehow entitled to knowledge without having to work for it. You have eyes and a brain, but you have chosen not to use them to explore. Why should I labor to put material in front of your nose when it has been freely available for years? It sounds very much to me that you are already invested in rejecting it without thinking anyway. Sounds like a big waste of time to me.
Yeah, I go for quality rather than quantity when it comes to a topic. A hundred hours of this B-movie dreck passing through your head is probably worth about half an hour's consideration by just about anyone else here on slashdot. Myself included.
Translation: "I am uninformed and proud of it."
You say, "probably worth"? Exactly. You don't know. Yet you call something dreck without having the knowledge necessary to render such a judgment.
THINK: How can you possibly know high quality information from a hole in the ground if you don't bother to explore enough samples to establish pattern? Pretending that you know based on doing as little research as possible is common laziness.
You know what really strikes me about your post? The complete failure to use logic, or make a convincing argument. I mean, you really haven't made a single convincing point. Not even one. You try to couch your post in logic, and you use the phrases "proof" and "by extension", but you show no indication that you actually understand what they mean. All you do is string together a bunch of absurd claims holding little to no basis in reality.
You say I have not made a single convincing argument? It only seems that way to you because you are unfamiliar with the material I am referencing. I've referred to objective realities which any responsible individual will have already taken the time to become informed regarding. Many of these items are no longer even points of debate; they are established facts and I'm not going to waste my time bringing you up to speed.
Your level of awareness is your problem, not mine.
Now go away and do some reading and some critical analysis and stop wasting my time.
Bye now.
-FL
The article does state that you need 5 of 7 to restore.
So if three of them should happen to suffer an unfortunate "accident", everything is totally screwed?
YES! But I say we get all seven, just to be sure!
/.ers that know something about those other six loose-loafer poseurs, track 'em down respectively. And let's do the job RIGHT this time.
And, perhaps Al Gore also, for starting this jimcrackery in the first place.
Frankly, I'm tired of this interweb nonsense with all its tubes.
I would like to get back to my productive REAL-WORLD job. (Fashioning grapplegrommets out of laminated chickenfat)
Hey- the interweb was fun, but it (and this slashdot jibber-jabber) has gone on long enough, don't you think?
Time to get back to work, ladies!
I'm buying a plane ticket to Ottawa shortly. I suggest that any of you
.
- aqk
F U
5% of all monitors in the US would fall over.
(based on actual observation)
He uses a CRT monitor?
Eh, I was going to ignore you, but I'm going to respond out of boredom.
Not once. Still no.
Yet another claim that doesn't seem to hold up to the slightest scrutiny. Out of all the actual content in my largely content-free post, you've seemed to avoid the actual points I made, or at least dismissed them ("Wow. Those are some very ignorant questions.") in a fashion that tells me either you haven't actually understood them, or you are deliberately trying to avoid actually answering them.
Plus, you've arrived at some absurd conclusions. I have talked to informed, uninformed, intelligent, stupid, informed, and thoroughly ignorant people in my time, and in a vast majority of cases, there is something in their arguments that is food for thought, has some basis in reality, or at least managed to have some kind of pseudo-logical structure. I am bewildered that you've managed to provide me an argument lacking in all three.
Basically, you've managed to cobble together some kind of argument from bravado, put-downs, and abundant claims of superior knowledge and information. But, extraordinary claims require extraordinary evidence, and, unfortunately, having one does not put you half way there.
Oh that is priceless! You think that if you don't sound absolutely certain on all points, your arguments will be seen as weak. This pretty much explains your entire style of argument, and also why it actually doesn't work on people who are remotely intelligent.
Oh, and I call it dreck, because it's dreck directly out of a movie. Evil government comes up with yet another absurd scheme to enslave the masses for no clear reason (typically something about power, but no reason what benefits such power actually provides). Now, it's really quite funny that you pull me up on "...call[ing] something dreck without having the knowledge necessary to render such a judgment," if you think about it. I observed that your opinions sound a lot like a cliched movie plot, and concluded (fallaciously) that you ripped the scheme off a movie. This was done deliberately to draw parallels to your own original argument, when you noticed that the "internet key" scheme, invented by the politicians, is suspiciously like a different cliched movie plot. You made the same fallacious argument, except with deadpan sincerity.
I wasn't anticipating you'd get it. It was more for my own personal amusement, plus for any smart and observant /. readers who might stumble across this thread while perusing the archives. I am, however, anticipating that you'll now claim that you do get it after all, and that the reason why I did not realise this is that I haven't done enough research to claim that you haven't. I'm only kind of joking.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.