Slashdot Mirror
Ex-NSA Chief Supports Separate Secure Internet
Hugh Pickens writes "Nextgove reports that Michael Hayden, former director of both the NSA and the CIA, says the United States may seriously want to consider creating a new Internet infrastructure to reduce the threat of cyberattacks and several current federal officials, including U.S. Cyber Command chief Gen. Keith Alexander, also have floated the concept of a '.secure' network for critical services such as financial institutions, sensitive infrastructure, government contractors, and the government itself that would be walled off from the public web. Unlike .com, .xxx and other new domains now proliferating the Internet, .secure would require visitors to use certified credentials for entry and would do away with users' Fourth Amendment rights to privacy. 'I think what Keith is trying to suggest is that we need a more hardened enterprise structure for some activities and we need to go build it,' says Hayden. 'All those people who want to violate their privacy on Facebook — let them continue to play.' Clay Dillow writes that on the existing internet everyone does everything online anonymously, and while that's great for liberties, it's also dangerous when cyber criminals/foreign hackers are roaming the cyber countryside. Under the proposed .secure internet 'you may not be able to go to certain neighborhoods of the Web without showing your papers at a checkpoint — and perhaps subjecting yourself to one of those humiliating electronic pat-downs as well,' writes Dillow. 'Those who want to remain anonymous on the Web can still frolic about in the world of dot-com, but in the dot-secure realm you would have to prove you are you.'"
He learned everything from his time there.
Your security is not the issue.
"Flyin' in just a sweet place,
Never been known to fail..."
Well goodie then, bit by bit they will demand more and more services to be moved to new "secure", until all is left on the old internet is unlawful sites. And by then it will be easy to argue for the prohibition of it and if that anyone is using it, then this person is a criminal. So thanks, but no thanks.
It's funny how hard it is to let go of past models. The heart of the Internet model is, as the saying goes "a sphere", where every node has equal access to every other node. No clients, no servers, just equal connectors. Society as a whole (when weighted by money rather than head-count) keeps trying to reject that in favour of it being a fancy way to broadcast: a few large hosts running Wal-Mart-sized data centres, many clients on as dumb a terminal as possible. Efforts to democratize information flow are opposed as either unserious utopianism or outright crime. (They can't seem to find a statute forbidding Wikileaks that doesn't forbid the Times, but from the rhetoric, you'd never guess.)
When Hayden says that "users" 4th-amendment rights would be abrogated, he isn't thinking of all the users, not the big ones. Just the little ones. Which I think just models how Hayden sees society itself. Little folks don't have rights, just privileges.
Yup. This is just Clipper chip / Trusted Computing / HDMI / 'show us your papers' all over again, in new clothing.
"Core elements of our electric grid, of our financial, transportation and communications infrastructure would be obvious candidates. But we simply cannot leave that core infrastructure on which the life and death of Americans depends without better security."
Here's an idea, if a service being infiltrated can result in deaths, DON'T CONNECT IT TO THE FUCKING INTERNET
This is my signature. There are many like it, but this one is mine.
It doesn't take a separate TLD to require signed TLS client certificates, and that is not the same as having separate wires.
Canada has separate wires for military, RCMP, and federal cabinet. Probably requires TLS client certs too, but I don't know for sure about that one.
Many banks run some variant of the "electronic body cavity search" before your computer can connect. It really only works if everyone who needs to connect has exactly the same hardware and software... not a problem for mortgage brokers who are issued a standard kit, but big problem for people from multiple different beaurocracies at different levels of government.
Prove you are you: Absolutely identifying a computer or other mobile device in no way proves who was using the device. That is, until we're all chipped and hard-wired into the internet. I think even the supreme court ruled recently that IP != a person. Neither is a login/password combo and for the same reasons. This is just another frivolous demand for cash from an already bankrupt government.
Seven puppies were harmed during the making of this post.
Ignore the privacy bit for a moment, because that seems to garner knee-jerk reactions around these parts, and look at the security bit.
There are a lot of transactions that need to be secure, yet would not qualify for the .secure network. For example: you could cram bank systems into the new network, but are you really going to allow every business that uses these financial systems on it (e.g. credit card transactions or trades on the stock market)? Even if you did, you would still end up with 'insecure' connections between the customer and the business. Or are you going to give every citizen a security token too? In that case, the ability to verify the identity of the user drops to nil since identify theft becomes an issue. Or people lending their identity to friends. Or people using loopholes in the system to create new identities.
Even a network which tightly restricts who could access it would face hurdles. Research labs attract all sort of riff-raff scientists and technicians. Some of those people will create bridges between the .secure network and everything else. Even if it is unintentional, because they are using the same systems to access secure databases as they use to access journals (and their goof-off resources). I'm not saying that it is impossible to stop that sort of thing, but it will be awfully difficult given the population involved.
Please, please can we not mention religion on Slashdot?
It's always the same. Religious people flaming atheists, atheists flaming religious people and agnostics flaming both sides. The universal argument? "I'm right because it's obvious and you're stupid for not agreeing".
They would be separate for about an hour. Right away, somebody would figure out a way to connect them together thus defeating the purpose.
I agree, it really is annoying to people like me who actually are right.
So is the article talking about a separate physical network that is firewalled off from what we now call the Internet or is it just talking about a new top level domain that by policy requires domain owners to demand some sort of verifiable credentials for access to services on hosts that are pointed to by DNS entries within the new domain?
Unless it is a separate physical network with firewalls or other edge devices that require authentication and there is a mechanism to securely forward the credentials from the edge device to the internal host, you haven't crated any more real security.
Creating a new TLD on an existing "insecure" network that doesn't require authentication to access the physical network doesn't add any security. In this scenario anyone can still access the machines and it is up the owners of the machines to implement their own security. If the government (and others) can't manage security on their machines now, crating a new naming system for those machines isn't going to help.
This proposal is not for a separate "Internet" as the headline states. It is merely for a separate top-level-domain. And all the servers on this domain would supposedly have super secure firewalls that are impenetrable and unhackable? Riiiiight.
.secure TLD will be any more secure than existing firewalls are just wishful thinking.
If this separate-but-not-really-SEPARATE "internet" is connected to the same wires as the regular internet then the hackers will still get in. Hell, all the servers that were hacked recently were supposedly super secure. Not a lot of good that did them.
If they want a truly secure, truly separate network then it shouldn't even be an "Internet" at all. It should have a completely separate set of wires. The equipment connected to these wires should be able to detect if the wires have been tapped into or if other unauthorized equipment is attached. It should have all new protocols, designed from the ground up for security and authentication rather than anonymity. In fact, every layer in the the entire IP stack should be completely thrown out and replaced with a secure system which, by law, can only be used on this new system. It will only be licensed for very specific purposes and no one else will be allowed to own this equipment or even have software that uses these protocols. Then, when you catch someone with this equipment or software, you know they are up to no good. The only way into the network will be by tapping in, which will be physically traceable, or by gaining physical access to a licensed terminal, which would be partially traceable but far more difficult to do.
Anything less than this is mere theater. Any claims that a
I thought about this a bit. this is MY proposal (from some random internet guy; but one who's been around, online, for quite a few decades).
what we need is true end-to-end encryption and that will get us all the 'secure' we need. it would not be a bad idea to insist that all non-encrypted protocols be aged out and replaced with SSL carried user-protocols (mail, file transfer, remote console, DNS, all the basics).
oh, there's one other tiny little detail. NO one can spy on the end-to-end connections. no MitM, no wiretaps, no opto-sniffing, no none of that [sic]. promise and ensure that all world citizens have protected (as in 'their rights, as human beings') end-to-end private communications. tapless and secure. to me, THIS means secure.
what they want is exactly the opposite. no encryption and nothing BUT tapping us (DPI, etc). they will know the identity of each networked station but this will not add to privacy OR security for anyone.
recognize this, people. do not give them this 'divided internet'! really bad idea. lets, instead, change the debate BACK to private communications and the right to not be listened to, monitored and surveiled.
--
"It is now safe to switch off your computer."
Were these guys asleep in the last couple months? Seems to me that we have all been publicly reminded that computer networks aren't secure, and that some are very not secure because their owners are asleep at the wheel. So what to do about that? Of course! Pretend the problem is people pretending to be whom they are not, and carry on pretending that you can secure a network against that. Give a load of taxpayers money to some buddies to build a new 'secure' network, instead of legislating and regulating the owners of the current network components and asking them why they didn't secure their shit better. Can they not understand that there is no way for a server to tell which person it is communicating with, especially if that person deliberately lies? Only human beings can fairly reliably recognise other human beings. You can't make computers that can do it, they are much less clever than people.
Korma: Good
Hasn't this guy learned anything from his time at the NSA?
There's a difference between privacy through anonymity and privacy in general. Presumably such a network would use well-designed cryptographic algorithms and protocols to exchange information. It could leverage existing technologies, such as SSL/TLS or IPSec. The data, in transit, would still be secure. The difference is twofold:
Honestly, this approach makes a lot of sense to me. Maintain the current anonymous Internet in its full glory. You would continue to use it for most things! However, if you want to bank, purchase, or administer, both you (the client) and the server site (Amazon, Bank of America, etc.) have the option to push that transaction onto an encrypted and attributable infrastructure.
Now, the same suite of Internet problems will still exist on the secure domain, but that extra de-anonymizing information goes a long way towards addressing them. If you are attacked by a bot on the secure network, you know who is infected. You can send them a notification and rapidly suspend or deny their secure network access. If someone is probing your site for vulnerabilities, you also know who it is, which may harm the white-hats (not that solutions couldn't be worked out), but will certainly hinder the black-hats. These are all good capabilities that I want my banking sites to have!
So do I want a completely-deanonymized Internet? Hell no. It'd be inefficient (traffic-wise) and it would cost me several critical rights. However, I would love to elevate all critical and financial assets to an elevated attributable domain. There is no good reason they should inherently have to accept anonymous traffic, nor should each of them be independently responsible for (in their own manner) establishing client identities.
You DO realize that in order to enter the Supreme Court building, or the White House, or the Capitol, you are required to "show us your papers", right?
You DO realize that during the Cold War one of the propaganda points made by the US government was that US citizens could go just about anywhere in their country without some police state thug demanding 'your papers please?' right?
And how exactly is 'showing your papers' supposed to make those buildings secure?
The two internets should never meet. If your machine is set up to use the WWW.net, .com, .org, or whatever - then it should be incapable of connecting to .secure. And, vicey versey.
Have we forgotten that there should be an air gap between infrastructure and the web?
Oh wait, I forgot about all that nonsense about cyberwarfare against our electrical grid, and other infrastructure. Seems we never learned that lesson, so how could we have forgotten it?
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Shin. It is "sh", more than "s".
The letter is symbolic of "shekinah", which is often translated as "Holy Spirit".
Of course, there are those that will sell you Will and Desire - naming it the "spirit's higher calling". Trust me - if something really pertains to the spirit, it is usually a rebuff to one's wishes.
"Flyin' in just a sweet place,
Never been known to fail..."
What's funny about this is that we *already* have this setup. SIPRnet, JWICS, and other networks running on the Defense Information Systems Network (DISN) are already segregated from the public Internet by an air gap. This is actually required for any classified data. Information can sometimes enter a classified network from the outside world, but the mechanisms for doing so are extremely circumscribed and a massive amount of analysis has to go into making such systems "provably secure." In practice, NIPRnet and SIPRnet require different physical terminals. That's why we have things like the presidential Blackberry, which is essentially two Blackberries in the same case with a physical switch to swap between the unclassified and classified systems.
As for utilities and the like, sure, you have two options. One is to airgap the communications network, which is what I'd advise given the shoddy quality and poor security record of SCADA systems. The other is to use secure communications from the transport layer up and using defense in depth principles. Of course, that requires building security into the system from the ground up, and very few companies and people are willing to do that. In light of that, an airgapped network makes sense. If a truly independent network isn't needed, every backbone provider is more than happy to provide MPLS virtual networks for the right price.
In the end, though, I think the problem is that utilities don't want to spend the money on what they feel has no deterministic ROI (cf. trying to get a company to buy a disaster recovery system). This is rational self-interest, especially when you consider the explicit guarantee of insurance and the implicit guarantee of the government for critical infrastructure. The solutions are simple: enforce proper controls through regulation or nationalize the infrastructure so rational self-interest is removed.
The Freelance Wizard
This is what happens when politicians who know nothing about security or network infustructure make high level design decisions.
Securing the wire always has and always will be a lost cause. Just click the little require secure connections only button in all of your operating system (IPSec) and you have yourself your secure private network.
There is no reason to segment traffic. On a large network you can expect someone on the network will eventually be compromised by an insider or determined advasary. Given this reality physically separate network must not be relied on to convey any security at any time.
All it means is you don't see a bunch of botnets launching blind attacks 24x7. It means important infustructure on a "secure" network becomes as complacent and vulnerable as the machines behind corporate firewalls. It is human nature. Without constant pressure it will happen. If you are tired of the random hits use IPv6.
Never trust the wire.. Just don't do it. It is always stupid and you will always be burned by it.
A few other points needing to be made:
If the content of your communication can not be private good luck with your "secure" network.
Federated authentication systems tend to induce weaknesses in server authentication. Imagine everyone on earth was using openid or had the same password file. You could login to any computer you wanted with your credentials.
This means:
The material which authenticates you as a person can not also be used to authenticate the service you are consuming as everyone has access to the authentication system. Even if your credentials are never exposed your authentication provides you with no assurances with regards the service you are consuming beyond an unbound trust anchor.
Simpson's Nelson has some advice here. "Ha Ha". .Gov: "Hi. We'd like a .secure TLD." .Gov: "Sudo give us .secure Now to combat pedophilic terrorists and people who photo people in Apple stores."
US
ICANN : "Sure. $185,000 please."
US
"I can do that, Yes ICANN."
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Anonymous individuals aren't the problem. Anonymous businesses are the problem. Most of the troubles we have on the Internet come from web sites which purport to be from some legitimate business, but aren't. Malware, spam, etc. all eventually involve some online business.
This is a consequence of ICANN's squishy-soft regulation of registrars and weak enforcement of WHOIS data quality rules. More recently, corrupt CAs have become a problem. The companies that collect money registering the identify of web sites are failing in their responsibilities.
All we need on the client side is good ISP ingress filtering, so that corrupted clients can't use an IP address other than their own. (All you can do with a fake IP address is send junk, since you don't get any of the replies.) Then, DDoS attacks can be tracked and blocked.
Internet last time I checked was just a commonly recogised way of routing ip packets.
I think they security is whatever protocol you choose to use on top of that.
I hear that ssl Is a popular choice these days. Does suffer from being 'open source' rather than a nice secure private protocol you can buy but seems to be quite popular.
And now you spend your Saturday alone posting on slashdot.
You can go anywhere in the country without papers. You could, right now, get on a bus and travel 3 states over, then jump on a train and go somewhere.
You cannot, however, enter the pentagon without authorization, and Im not sure when the last time you could was. Nor can you enter a private building where management has decided to hire security and implement metal detectors, without authorization.
And how exactly is 'showing your papers' supposed to make those buildings secure?
Im not a security expert, but I would surmise (knowing some people in that field) that the government has a list of people that it wants to keep close tabs on. For example, if you had escaped from a prison, I imagine that it would be rather difficult to get into a secured location-- you would have to get in without giving your ID, which rather complicates getting in when the elevators are locked down. There is also some screening that takes place in order to get an ID; and if something DOES go down, they have a better idea of who you are.
Regardless, my threshold of "starting to worry about police state" is when they start trying to stick cameras all over DC, or having permenant police checkpoints. Metal detectors and security guards in international trade buildings doesnt really trip my "big government paranoia" alarm.
I decline your offer because you have no idea what you are talking about.
First off, I don't mean to be an ass, you just seem to be ignorant. There is something called DNSSEC that not only exists, but is part of IPv6. Considering that you do not mention DNSSEC, and that both it and our current TLS implementations include "tapless and secure" "end-to-end" encryption facilities supports my first sentence...
DNSSEC isn't just for DNS, it could authenticate and encrypt email, or any other web traffic and can be a replacement for SSL. Please research it before replying to this comment.
Additionally, it doesn't matter how encrypted your connection is to what you see as yourbank.com if you can't verify that your are really connected to the place you think you are connected. Ergo: end-to-end encryption is not all the 'secure' we need, we also need authentication -- The fact that you did not mention authentication also supports my first statement. Now, if there is already a shared secret key between two parties then BOTH authentication and encryption can be performed easily.
Me: "I'm VortexCortex, here is some session salt: NWUyOGVkMWZlMTQw, and here is my encrypted message: "..."
Bank: "Hello VortexCortex, here is some session salt: MTkwMjM4MDE5ODIzM, and here is my encrypted reply: "..."
The shared secret key can be used along with the salts to create a key that decrypts the messages -- no fancy PKI needed... However, how do you first set up the account? With banks, you could visit them in person, but what about online retailers? You would have no pre-shared key, and this means they don't know who you are, and you can't verify who they are because neither have a pre-shared key.
Thus, we need some form of trusted public/private key infrastructure (hierarchical or Web of Trust, etc) in order to first validate an endpoint.
Finally -- WE CAN'T ENCRYPT EVERYTHING. It's not feasible to do this for cached content, high bandwidth video, live streaming, etc because encryption makes distributed content and/or deduplication impractical.
Unfortunately HTML and TLS (security) are designed independently of each-other and no one (but me?) thinks that HTML needs to know about security too... HTTP cookies can be marked as "secure only", why can't HTML tags have secure attributes?
The thing is: We don't need to encrypt something in order to trust it -- we can use hashing / digital fingerprints to ensure data integrity. Here's a post I made concerning the brain-damage that is the lack of security aware HTML. For the link-lazy, here's the pertinent part:
The BIGGEST retardation on the WEB is the fact that we have strong encryption and cryptographic signature technology in our browsers, and yet MIXED content is UNSAFE because (X)HTML standards don't declare facilities to specify fingerprints for the non-encrypted data that the encrypted page pulls in -- thus allowing for privacy of encrypted content, AND caching of plaintext content WITHOUT compromising integrity. /> Now apply this to the .js, .class, flash, .mp3, .avi, etc, and you get the point.
<img src="bkgnd.png" sig="SHA-1/hex;22172a80d89e99d250db62bf71031a23cbac4801" salt="HMAC/Base64;U2VjdXJpdHkgaXMgZWFzeS4K"
in short: You don't seem to know what you are talking about, but fret not, no one else does either or else we would have already solved this problem (because the answers are so apparent to those who do know what they are talking about).
TL;DR: I agree, the current direction the web is going is fine, but we need authentication an
The War on Hacking is the War on Drugs for the 21st Century. A never ending siphon of money into the hands of a few well-connected companies and politicians. There will be some collateral damage, of course, but it will be deemed to be worth it by those who matter. Actually, the collateral damage (loss of privacy, a "locked down" internet) will be considered a feature not a bug.
Waltz, nymph, for quick jigs vex Bud.
Tell that to someone from Hawaii or Alaska. I'm pretty sure both ship and airline passage require ID.
You haven't traveled on any interstate highways that happen to travel by the border with Mexico lately, have you. Try driving from Yuma to Los Angeles on I-8. You will encounter no less than TWO *permanent* US Border Patrol (DHS) checkpoints along the way, where you have to stop and provide identification in the form of a driver's license and submit to a search of your vehicle if they feel like it.
No, this isn't because the US-Mexico border magically moved north a few miles. You didn't cross an international border without realizing it. It's because DHS claims authority over areas 100 miles from all US borders, including sea borders. In this case, you must show papers to travel within the US... and it's not a small case, it's actually a very broadly applicable area.
Seriously man, are you trolling, or are you really THAT ignorant? The noose isn't getting any looser. Start worrying!