ICANN/GNSO GNSO Email List Archives


[ga] an interesting article that shows people know very little about the Internet. especially the history

  • To: "ga@xxxxxxxxxxxxxx >> GA" <ga@xxxxxxxxxxxxxx>
  • Subject: [ga] an interesting article that shows people know very little about the Internet. especially the history
  • From: Joe Baptista <baptista@xxxxxxxxxxxxxx>
  • Date: Thu, 31 Dec 2009 11:21:12 -0500

The article, titled "PC Worlds Top 10 Security Nightmares of the Decade",
can be found at the following URL:

http://bit.ly/7nxeD4

It's worth a read. There is nothing spectacular about this article. But it is
an excellent example of how little experts know on the subjects they are
experts on.

The author restates common truths. Robert Siciliano tells us the "last
decade has seen technological breakthroughs unlike any other". This is true.
But Siciliano also reminds us our technological success has resulted in a
tremendous rise in fraud. I completely agree with him. The reason, he argues
in his article, is that the "speed of the conveniences technology" provides
has "far outpaced the security" measures in place today. Again very bang on.

But this claim could be subject to some interpretation that at one time our
security outpaced or was even better than the available technology. The
historical truth is that security has always lagged behind technology. And
much of that is due to a lack of education amongst the masses. But the
simple truth of it is that much of the insecurity in the Internet is due to
a lot of twits who run the Internet and have an interest in maintaining and
controlling the status quo.

Mr. Siciliano provides an excellent example of this in his article when he
discusses the DNS vulnerability alleged to have been discovered by IOActive
researcher Dan Kaminsky. Kaminsky is credited with the identification in
2008 of a DNS vulnerability to various forms of attack including cache
poisoning.

This is a false allegation that the press has repeated without any
investigation of the facts. Kaminsky never discovered anything; he simply
repackaged an existing well known problem as his own. Also the DNS protocol
is not vulnerable in itself nor is it a security risk. The security problem
is not in the DNS protocol but in the transport protocol used for DNS
transactions. In this case it is the UDP protocol that is vulnerable to
attack.

This problem has existed for at least 15 years. I remember it existed in the
1990's when I was commissioned to investigate vulnerabilities in military
DNS servers. So the Kaminsky claim he discovered anything significant is
simply untrue. The Kaminsky affair was more a co-ordinated effort to scare
business into adopting a protocol that reverse engineers the Internet in an
effort to centralize control of the DNS protocol in the root servers
operated by the U.S. government through ICANN, its contractor.

That protocol, DNSSEC, has been actively marketed as the solution to the
Kaminsky cache poisoning problem. DNSSEC addresses the problem by inserting
encryption keys into the DNS that establish a chain of trust from domain
names to the root servers operated by the U.S. government. This places a
significant amount of control in the hands of one government authority. It
also will cost business a fortune to adopt. And Internet DNS traffic is also
expected to increase exponentially as every DNS answer must contain
encryption key information.

Furthermore DNSSEC does not actually fix the problem. The issue, as mentioned
above, is a problem with the UDP protocol and verifying that the DNS
information your system requested is actually coming from the machine you
requested it from. The centralization of DNS encryption keys in the root is
a very expensive process that is simply not needed.

To fix the UDP problem one only has to ensure that the answers come from the
server we are communicating with. Since UDP, unlike the TCP protocol, has no
handshaking capabilities, one simply fixes the problem by incorporating a
handshaking protocol within UDP and DNS that confirms the server we are
getting an answer from is the server we originally communicated with.

A solution to this problem is available and was developed a few years ago by
Dr. Bernstein at the University of Illinois at Chicago. It's called DNSCurve
and fixes the problem through a simple key exchange between DNS servers
without having to hand over control of the DNS to a central authority.

regards
joe baptista
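As an added illustration of the matching the post argues a resolver must do before trusting a UDP answer (example code written for this archive page, not code from the message, from DNSCurve, or from any resolver), the checks a stub resolver applies to an incoming reply: that it came from the address and port the query was sent to, that the QR bit is set, that the transaction ID matches the outstanding query, and that the question section echoes what was asked. The server address, transaction ID and packets are constructed sample values.

```python
import struct

def encode_name(qname):
    # Wire-format a domain name: length-prefixed labels ending in a zero byte.
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, qname, qtype=1):
    # Minimal query: header (RD set, one question) followed by the question section.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_header_and_question(msg):
    # Return (txid, flags, qdcount, qname, qtype, qclass) from the start of a DNS message.
    txid, flags, qd = struct.unpack("!HHH", msg[:6])
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, flags, qd, ".".join(labels), qtype, qclass

def response_matches(sent_to, query, received_from, response):
    # The checks a stub resolver applies before trusting a UDP reply; returns (ok, reason).
    if received_from != sent_to:
        return False, "reply came from a different address/port than the one queried"
    qt, _, _, qname, qtype, qclass = parse_header_and_question(query)
    try:
        rt, rflags, rqd, rname, rtype, rclass = parse_header_and_question(response)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return False, "malformed header or question section"
    if not rflags & 0x8000:
        return False, "QR bit clear: this is a query, not a response"
    if rt != qt:
        return False, "transaction ID does not match the outstanding query"
    if rqd != 1 or (rname, rtype, rclass) != (qname, qtype, qclass):
        return False, "question section does not echo the query"
    return True, "accepted"

# Constructed sample traffic: an A query for example.com sent to 192.0.2.53:53.
SERVER = ("192.0.2.53", 53)
QUERY = build_query(0x1A2B, "example.com")
ANSWER_RR = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
GOOD = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + QUERY[12:] + ANSWER_RR
WRONG_ID = struct.pack("!HHHHHH", 0x1A2C, 0x8180, 1, 1, 0, 0) + QUERY[12:] + ANSWER_RR
```

`response_matches(SERVER, QUERY, SERVER, GOOD)` accepts the reply, while the same packet with a different transaction ID, or arriving from a different port, is rejected with the reason given.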