ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] an interesting article that shows people know very little about the Internet. especially the history

  • To: Joe Baptista <baptista@xxxxxxxxxxxxxx>, ga@xxxxxxxxxxxxxx, mkrigsman@xxxxxxxxxx
  • Subject: Re: [ga] an interesting article that shows people know very little about the Internet. especially the history
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Sat, 2 Jan 2010 14:06:40 -0600 (GMT-06:00)

<BODY id=compText>
<P>Dr. Joe and all,</P>
<P>&nbsp;</P>
<P>&nbsp; I agree for the most part with everything you stated regarding this article, Dr. Joe.&nbsp; I also agree that DNScurve is a far better solution than DNSSEC.&nbsp; However, DNSSEC can be adapted to do most but not all of what DNScurve can and does do, but it is much more difficult in the doing and/or providing for and, as currently being implemented, relies too heavily upon "Trusted Anchors" for some DNS resolutions as well as relies too much upon a weak crypto standard recently decided upon by NIST.&nbsp; Ergo if DNSSEC implementations are not nearly good enough and well maintained over time, I again predict that DNSSEC implementations will be obsolete in 2 years and no longer adequately protect against cache poisoning or for that matter much of anything else.</P>
<P>&nbsp;</P>
<P>&nbsp; This all again re-stated, it is clear that DNSSEC vs DNScurve was more of a political solution rather than a sound technical one.&nbsp; Such decision making prerogatives that do not meet the need/demand almost always have a mid to long side bad result. As such, public exposure to further IT dangers lingers but is not well perceived or recognized and therefore sets up even further future political wrangling in order to address the likely mid term eventuality accordingly.&nbsp; </P>
<P>&nbsp;</P>
<P><BR><BR><BR>&nbsp;</P>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 0px; BORDER-LEFT: #0000ff 2px solid">-----Original Message----- <BR>From: Joe Baptista <BAPTISTA@xxxxxxxxxxxxxx><BR>Sent: Dec 31, 2009 10:21 AM <BR>To: "ga@xxxxxxxxxxxxxx &gt;&gt; GA" <GA@xxxxxxxxxxxxxx><BR>Subject: [ga] an interesting article that shows people know very little about the Internet. especially the history <BR><BR><BR>
<DIV class=gmail_quote>The article, titled "PC World's Top 10 Security Nightmares of the Decade", can be found at the following URL: <BR><BR><A href="http://bit.ly/7nxeD4" target=_blank>http://bit.ly/7nxeD4</A><BR><BR>
It's worth a read. There is nothing spectacular about this article. But it is an excellent example of how little experts know on the subjects they are experts on.<BR><BR>
The author restates common truths. Robert Siciliano tells us the "last decade has seen technological breakthroughs unlike any other". This is true. But Siciliano also reminds us our technological success has resulted in a tremendous rise in fraud. I completely agree with him. The reason he argues in his article is that the "speed of the conveniences technology" provides has "far outpaced the security" measures in place today. Again very bang on.<BR><BR>
But this claim could be subject to some interpretation that at one time our security outpaced or was even better than the available technology. The historical truth is that security has always lagged behind technology. And much of that is due to a lack of education amongst the masses. But the simple truth of it is that much of the insecurity in the Internet is due to a lot of twits who run the Internet and have an interest in maintaining and controlling the status quo.<BR><BR>
Mr. Siciliano provides an excellent example of this in his article when he discusses the DNS vulnerability alleged to have been discovered by IOActive researcher Dan Kaminsky. Kaminsky is credited with the identification in 2008 of a DNS vulnerability to various forms of attack including cache poisoning.<BR><BR>
This is a false allegation that the press has repeated without any investigation of the facts. Kaminsky never discovered anything; he simply repackaged an existing well known problem as his own. Also the DNS protocol is not vulnerable in itself nor is it a security risk. The security problem is not in the DNS protocol but in the transport protocol used for DNS transactions. In this case it is the UDP protocol that is vulnerable to attack.<BR><BR>
This problem has existed for at least 15 years. I remember it existed in the 1990's when I was commissioned to investigate vulnerabilities in military DNS servers. So the Kaminsky claim he discovered anything significant is simply untrue. The Kaminsky affair was more a co-ordinated effort to scare business into adopting a protocol that reverse engineers the Internet in an effort to centralize control of the DNS protocol in the root servers operated by the U.S. government through ICANN its contractor.<BR><BR>
That protocol, DNSSEC, has been actively marketed as the solution to the Kaminsky cache poisoning problem. DNSSEC addresses the problem by inserting encryption keys into the DNS that establish a chain of trust from domain names to the root servers operated by the U.S. government. This places a significant amount of control in the hands of one government authority. It also will cost business a fortune to adopt. And Internet DNS traffic is also expected to increase exponentially as every DNS answer must contain encryption key information. <BR><BR>
Furthermore DNSSEC does not actually fix the problem. The issue as mentioned above is a problem with the UDP protocol and verifying that the DNS information your system requested is actually coming from the machine you requested it from. The centralization of DNS encryption keys in the root is a very expensive process that is simply not needed.<BR><BR>
To fix the UDP problem one only has to ensure that the answers come from the server we are communicating with. Since UDP, unlike the TCP protocol, has no handshaking capabilities, one simply fixes the problem by incorporating a handshaking protocol within UDP and DNS that confirms the server we are getting answers from is the server we originally communicated with.<BR><BR>
A solution to this problem is available and was developed a few years ago by Dr. Bernstein at the University of Illinois at Chicago. It's called DNSCurve and fixes the problem through a simple key exchange between DNS servers without having to hand over control of the DNS to a central authority.<BR><BR>
regards<BR><FONT color=#888888>joe baptista<BR></FONT></DIV><BR>
Respectful regards,<BR><BR>Jeffrey A. Williams<BR>Spokesman for INEGroup LLA. - (Over 294k members/stakeholders and growing, strong!)<BR>"Obedience of the law is the greatest freedom" -<BR>&nbsp;&nbsp; Abraham Lincoln<BR><BR>"Credit should go with the performance of duty and not with what is very<BR>often the accident of glory" - Theodore Roosevelt<BR><BR>"If the probability be called P; the injury, L; and the burden, B; liability<BR>depends upon whether B is less than L multiplied by<BR>P: i.e., whether B is less than PL."<BR>United States v. Carroll Towing&nbsp; (159 F.2d 169 [2d Cir. 1947])<BR>===============================================================<BR>Updated 1/26/04<BR>CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of<BR>Information Network Eng.&nbsp; INEG. INC.<BR>ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx<BR>Phone: 214-244-4827<BR><BR></BLOCKQUOTE></BODY>
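The quoted message argues that the cache-poisoning problem lives in UDP transport: a resolver cannot tell whether a reply came from the server it asked. The following is an added illustration, not code from either poster and not from any DNS implementation; it shows the plain-UDP acceptance checks a resolver can apply before trusting a reply (source address and port, the ephemeral port it sent from, the 16-bit transaction ID, the QR flag and an echoed question section, in the style of RFC 5452) and quantifies how much an off-path forger must guess with and without source-port randomization. The server address 192.0.2.53, the local port 40123 and the packets are constructed test values; `build_response` only exists to fabricate replies for the check.

```python
import math
import struct


def encode_name(qname):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype=1, qclass=1):
    """Minimal DNS query: header (RD set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def build_response(query_pkt, txid=None):
    """Constructed reply for testing: echo the question, set QR/RD/RA, carry no answers."""
    qtxid = struct.unpack("!H", query_pkt[:2])[0]
    header = struct.pack("!HHHHHH", qtxid if txid is None else txid, 0x8180, 1, 0, 0, 0)
    return header + query_pkt[12:]


def parse_question(pkt, offset=12):
    """Parse the first question section (no compression pointers expected in a query echo)."""
    labels = []
    while True:
        n = pkt[offset]
        offset += 1
        if n == 0:
            break
        labels.append(pkt[offset:offset + n].decode("ascii"))
        offset += n
    qtype, qclass = struct.unpack("!HH", pkt[offset:offset + 4])
    return ".".join(labels).lower(), qtype, qclass


def response_matches(pending, resp_pkt, src_ip, src_port, dst_port):
    """Resolver-side acceptance check for a UDP reply against one outstanding query.

    pending: {"txid", "qname", "qtype", "qclass", "server": (ip, port), "local_port"}
    Every field an off-path forger cannot observe must match before the reply is used.
    """
    if len(resp_pkt) < 12:
        return False
    txid, flags, qdcount = struct.unpack("!HHH", resp_pkt[:6])
    if (src_ip, src_port) != pending["server"]:
        return False  # not from the server we sent the query to
    if dst_port != pending["local_port"]:
        return False  # not delivered to the (randomized) port we sent from
    if txid != pending["txid"] or not (flags & 0x8000):
        return False  # wrong transaction ID, or not flagged as a response
    if qdcount != 1:
        return False
    try:
        qname, qtype, qclass = parse_question(resp_pkt)
    except (IndexError, UnicodeDecodeError, struct.error):
        return False  # truncated or malformed question section
    return (qname, qtype, qclass) == (pending["qname"].lower(), pending["qtype"], pending["qclass"])


def guess_space_bits(randomize_port, port_range=(1024, 65535)):
    """Bits an off-path forger must match: the 16-bit TXID alone, or TXID plus source port."""
    bits = 16.0
    if randomize_port:
        bits += math.log2(port_range[1] - port_range[0] + 1)
    return bits


if __name__ == "__main__":
    query = build_query(0x1234, "example.com")
    pending = {"txid": 0x1234, "qname": "example.com", "qtype": 1, "qclass": 1,
               "server": ("192.0.2.53", 53), "local_port": 40123}
    print("genuine reply accepted:",
          response_matches(pending, build_response(query), "192.0.2.53", 53, 40123))
    print("wrong TXID rejected:",
          not response_matches(pending, build_response(query, txid=0x1235), "192.0.2.53", 53, 40123))
    print("fixed port guess space bits:", guess_space_bits(False))
    print("random port guess space bits:", round(guess_space_bits(True), 2))
```

The check is what makes Baptista's point concrete: nothing in it is cryptographic, so a forger who can see the query (on-path) passes every test, and an off-path forger only has to guess the fields that are unobservable. Port randomization roughly doubles those bits, which is a mitigation rather than an authentication; DNSCurve's per-server key exchange and DNSSEC's signed chain are the two ways the thread discusses to replace guessing with verification.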