The Canadian Who Holds the Key To the Internet
drbutts writes "The Toronto Star has an interesting story on how they are securing DNS: 'It's housed in two high-security facilities separated by the North American landmass. The one authenticated map of the Internet. Were it to be lost — either through a catastrophic physical or cyber attack — it could be recreated by seven individuals spread around the globe. One of them is Ottawa's Norm Ritchie. Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions). In essence, these seven can rebuild the architecture that allows users to know for certain where they are and where they are going when navigating the Web."
The story I read said that any four of these seven must get together at one of these bases. That seems to indicate that each one has half of the key. Two of them, if they were the right two, could do it. But having four out of seven guarantees that you have at least one copy of both halves.
The internet is supposed to be able to repair itself. You know, route around damage and stuff? This all sounds as fragile as our transportation system when merely threatened with an explosive device, bringing it to a complete halt. Is our entire food supply this flimsy?
For justice, we must go to Don Corleone
the *crypto signing* of the zone, not the *contents of the zone*, which are, of course, all over the place.
That would mean that any successful attack on the system would have to include the kidnapping/assassination of at least six of these people. Plan for seven hits--the attackers could completely botch one attempt and still be successful. Pretty good odds.
Nice of them to provide names.
Wouldn't it be easy enough to just kill each of them and then launch an attack? I don't suppose these card holders wander around wearing body armor and drive in armored limos.
Or do they summon Captain Planet? ...or Wilford Brimley?
In a world of the blind, the one-eyed man is king--and the two-eyed man is a heretic.
When your powers combine, I am Captain Internet!
Wait. That's not right.
Also, a question, which key holder is Ma-Ti?
Ritchie was recently chosen to hold one of seven smartcards that can rebuild the root key that underpins this system' called DNSSEC (Domain Name System Security Extensions).
I thought the dwarves got seven cards. And, the humans got nine... and the elves three. Or, am I mixing something up?
I just heard a pretty good talk on DNSSEC at Blackhat and it wasn't quite like this... I'll leave it at that.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
I see a new James Bond movie in the making here...
-- Cheers!
I have that same combination on my luggage!
The world is not full of evil organizations who are thoroughly evil, yet well funded, that run around doing evil for its own sake. The likelihood of someone blowing up both facilities and kidnapping the people who hold the cards just to try and take down DNSSEC is pretty unlikely. I think this is more likely protection against hacking (which is much safer) or a gigantic mistake. Always good to ask the question "If everything fails, how are we going to rebuild it?" That's what this is.
Please remember that vast kidnapping conspiracies and so on require a lot of people acting in concert. That is hard to keep hidden. What's more, in this case you'd be talking about something all over the world. You are also talking about something that would draw the wrath of the most powerful nations out there. The US (who holds the facilities), the UK, China, etc. It doesn't work like in James Bond where the baddies contact the government and they have to knuckle in unless a lone agent can bring them down. What happens is the governments send in hundreds of heavily armed, highly trained soldiers that will kill or capture anyone who is involved, or perhaps just as likely simply destroy the building they are in with a well-placed smart bomb from a bomber you cannot see.
The idea here seems to more be a final redundancy against a systems failure, but one where a single person can't go rogue and cause a problem.
So please, stop with the paranoid movie plots.
Really tired of these summaries which assume we're morons and don't know what DNS/DNSSEC are.
I sure hope these guys have a good reputation
but this reads like an intro to a bad cyberpunk novel/movie....
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Haven't I seen this before somewhere?
http://www.zeldawiki.org/Sage
When people ask if I'm an optimist, I say "I hope so". --Bill Bailey
One Card to rule them all, One Card to find them,
One Card to bring them all and in the darkness bind them
The truth is, these keys are really just a safeguard in case /. ever posts Article Omega, bringing about the systematic slashdotting of the ENTIRE INTERNET!!!
Maybe the seven combine to form the soul of Lord Voldemort.
I eat only the real part of complex carbohydrates.
I thought the whole point of the Internet was that there was no "there", there.
Forget this high tech stuff, I am gonna order some cheap knives and canned goods while the Internet still works.
Jen: What is it?
Moss: This, Jen, is the Internet.
Jen: What?
Moss: That's right.
Jen: This is the Internet?
[Moss is nodding his head]
Jen: (suspiciously) The whole Internet?
Moss: (agreeably) Yep. I asked for a loan of it, so that you could use it in your speech.
[Roy enters the room.]
Roy: (irritated) Hey! What is Jen doing with the Internet?
Jen: Moss said I could use it for my speech.
[Roy speaks to Moss in an edgy way.]
Roy: Are you insane? What if she drops it?
Jen: I won't drop it, I'll look after it.
Roy: No. No, no, no, no, Jen. [Takes the box back from Jen.] No, this needs to go straight back to Big Ben.
Jen: Big Ben?
Moss: Yep. It goes on top of Big Ben. That's where you get the best reception.
Jen: I promise I won't let anything happen to it.
Roy: No, Jen, I'm sorry. [Jen becomes woeful.] The elders of the Internet would never stand for it.
... and then they built the supercollider.
So Al Gore has a key! :D
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Earth! Fire! Wind! Water! Heart!
It'd be awesome if they yelled that out as they each scanned their cards.
Look eye Daniel-son, Look eye!
...but there can be only one.
Proud member of the Weirdo-American community.
Why didn't they choose a Mexican as a TCR (Trusted Community Representative)?
That exclusion is highly discriminative...
Here are the first three things I thought after reading this. None are good...
It must have been something you assimilated. . . .
I've been seeing this idiotic story floating around now for a couple of days.
What kind of retarded system is this? They don't have tape back-ups? Why would it have to be a "Everybody turn your super-secret key on five, four, three. . ."
Fuck this.
I'm REALLY getting tired of having the fear button punched in my brain. Fuck off. The internet is vulnerable. The planet is vulnerable. Everything is vulnerable. Oooooh. I'm really scared now. I'll let you scan my retinas at airports and x-ray my kidneys and I won't complain when you blow 1.4 billion dollars on police for a fake burning cop-car G20 bullshit summit. Just fuck off already.
Key cards to re-boot the internet? FUCK OFF!!! That's the dumbest TV movie plot device I've ever heard. It's as fucking retarded as that Lone-Gunmen plot where they flew planes into the world trade center. You know? The one with Bruce Willis. Do they think we're all trailer-park retards who can't tell reality from bad scripting?
So please, for the love of all that is good, FUCK OFFFFFFFF!
-FL
One secure site in Culpeper, VA; the other site in El Segundo, CA. These sites both seem rather exposed to attack, compared to the vast interior of America. Why no secure site in the empty, hard-to-bomb middle of the country?
Also, check out the googlemap of El Segundo -- it's right next door to a buttload of chemical (gasoline?) storage tanks. I've heard there's a risk of those things going "boom" in a real real nasty way, if some smallish explosion sets them off. Seems like a kinda shitty spot to locate critical internet infrastructure.
The key holders are the Elders of the Internet.
The real question is why we would trust a dirty Canadian with a key! They don't even lock their doors! All the more evidence that Canadians are really giant mutated beavers bent on world domination.
It rivals even that of the Sword of a Thousand Truths. Did Salzman in Accounting also foretell this prophecy? Is this person in fact his heir?
Or do they summon Captain Planet? ...or Wilford Brimley?
Gozer of course. "Are you the keymaster ?"
If all else fails, immortality can always be assured by spectacular error.
(But in secret, another smart-card was made - one that could rule all the others...)
http://www.bbc.co.uk/news/uk-10781240 Not the best interview, but relevant.
This doesn't strike me as a smart backup solution... First, both facilities are in the US... Second thing is that in case one of them gets destroyed due to the terrorist attack, there would be no air travel... Also, what happens if both of them are destroyed? Since they both are in the USA there's no borders to cross which makes planning and coordinating attacks easier... If one of them were, for example, in Europe or Puerto Rico (in case the US needs to control them both) it would be much harder to coordinate the attacks as the international lines are more heavily monitored and usually there are less legal hurdles to snoop on other countries... Of course if one of them gets destroyed in a terrorist attack this guy from Canada will hardly be able to help since the borders are likely to be closed...
Seems I've heard something like this before.
== First cross river, then insult alligator.
The one from Trinidad & Tobago, duh.
Gi is from China, Kwame is from Burkina Faso, Linka is from Czech Republic and Wheeler is from USA.
But, adding Paul from UK and Ritchie from Canada is a bit Anglo-centric and ridiculous.
Those are not even two different countries, let alone continents.
Against stupidity the gods themselves contend in vain
Sorry, only got a partial here.
I used to work with/under Norm (he was my boss) and he's a great guy! When I worked with him he wasn't a Keeper of the Key but he was still pretty cool.
dinosaur comics
So, if DNS breaks we can blame Canada?
Perhaps I don't have a grasp on how the Internet, TCP/IP, etc. work.
But it seems to me, if you turned loose a spider that wandered around (from 000.000.0000 to 999.999.9999) and queried EVERY IP out there ... wouldn't you end up with a complete structure of which IPs were active, which were not, and some sort of identification for each and every one of them? And what was connected to what (to rebuild routing tables). Especially if the IP host actually responded with some sort of ID?
For that matter, that identification could be done after the fact, ne? "Dude, if you're an active IP, send an email to this site with your IP and this completed DNS form. You won't be on the active list until you do."
Bidda boom, bidda bing.
Besides, this is just a plain old database anyway, isn't it? Just back up the damned thing.
I foresee going badly as each card holder systematically tries to kill the other 6. THERE CAN BE ONLY ONE!
12-21-2012
What the HELL kind of date format is that? The only one I'm familiar with that uses hyphens is ISO 8601 (yyyy-MM-dd). To be sure, year 12 never had 21 months, and the nonexistent 21st month did not have 2012 or more days.
Odometers don't put the decimal wheel in the middle. Thermometers don't put the fractions of temperatures in the middle of the thermometer (only to be read between 69 & 70 f or 19 & 20 C). Even actual physical calendars display the days as a sub-element of the month and the month as a sub-element of the year. Who would rationally put the day in between the month and the year? I mean really.
Even Arabic, which reads right to left, uses the numerals in a left to right positional notation. It's 10 years since Y2K and we've apparently learned nothing.
The press gets this wrong on so many levels it's not even funny.
The Recovery Key Share Holders (RKSHes) hold crypto cards for decrypting the backup of the hardware security module. HSMs are deliberately de-ruggedized, and if they even *think* they're being messed with (brownout, temperature extremes, being jostled a little bit), they'll lose their memory. So this is insurance against all four HSMs losing their cookies at the same time. It is not insurance against nuclear armageddon, simultaneous destruction of both sites, Cthulhu ascendant, rampaging /b/tards, or Godzilla.
They do not hold fractions of the root KSK. Stealing the cards from 5 of the 7 RKSHes doesn't gain a bad guy anything, since they still need to (without detection) get to the encrypted backup of the root KSK, which is inside a safe, inside a cage, inside a vault, on the far side of a mantrap, in a secure building, on a secure campus.
If you do not understand how M of N crypto works, please do not post comments saying "if the right two" or anything like that, because you're wrong.
You're invited to read https://www.iana.org/dnssec/icann-dps.txt as well as data at http://www.root-dnssec.org/ and join the group of us boggling at how badly the press mangled the story.
Well, it IS rather obvious for most of us that Canada is just pretending to be a separate country from the rest of the British Empire just to keep the pea soup eaters from revolting.
Ridiculous I know, but stranger and more pointless things have been done by British monarchs before.
Like that time they decided to just give up on the entire lower part of North America - over a couple of cups of tea.
And despite that old saying that the Sun never sets on the British Empire, that does not make it a continent.
A time zone maybe, but not a continent.
This is a Really Stupid Idea. 5 people from 5 different countries have to all get together in the same place to restore the signing key to restart a trusted Internet. If civilization has truly gone down the tubes otherwise, just getting to the next town, let alone across an ocean, just isn't likely. This is all just a PR puff-piece of something unlikely to ever actually work out as intended in practice.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
One Card to rule them all, One Card to find them,
One Card to bring them all and in the darkness bind them
In the Land of Canada where the Shadows lie.
I had just been handed the assignment, from the World Domination Society, to plan the covert murders of all seven. Now I realize it won't be necessary.....at least not at this time.
[Amerika is Skynet]
...no one will ever find it there. (Czech Republic has the best looking women!)
Five of seven required to recover means three of seven to block recovery of the key.
Help stamp out iliturcy.
Have you noticed all the movie trailers for the last nine years that ended with a big bold font displaying something like "04.07.06"? It's the Universally Ambiguous Date Format. Of course GP couldn't even get that right....
Why so few???? And why is it secret???? Why not have 3000 copies? Don't we have that many trustworthy people?
This sounds like something from Lord of the Rings or Silmarillion. I hope they don't have the same corrupting power.
The article does state that you need 5 of 7 to restore.
So if three of them should happen to suffer an unfortunate "accident", everything is totally screwed?
YES! But I say we get all seven, just to be sure!
/.ers that know something about those other six loose-loafer poseurs, track 'em down respectively. And let's do the job RIGHT this time.
And, perhaps Al Gore also, for starting this jimcrackery in the first place.
Frankly, I'm tired of this interweb nonsense with all its tubes.
I would like to get back to my productive REAL-WORLD job. (Fashioning grapplegrommets out of laminated chickenfat)
Hey- the interweb was fun, but it (and this slashdot jibber-jabber) has gone on long enough, don't you think?
Time to get back to work, ladies!
I'm buying a plane ticket to Ottawa shortly. I suggest that any of you
.
- aqk
F U
5% of all monitors in the US would fall over.
(based on actual observation)
He uses a CRT monitor?