Monthly Archives: April 2006

DNS Perils Popularized

Interesting paper here:

The primary contribution of this paper is to expose the inherent risks involved in a basic Internet service.

Perils of Transitive Trust in the Domain Name System, Venugopalan Ramasubramanian and Emin Gun Sirer, In Proceedings of Internet Measurement Conference (IMC), Berkeley, California, October, 2005.

Well, no, not really. All the risks mentioned in the paper are common knowledge among people who deal with these things.

These risks create an artificial dilemma between failure resilience, which argues for more geographically distributed nameservers, and security, which argues for fewer centralized trusted nodes.

Well, no, not really. Fewer centralized trusted nodes wouldn’t necessarily increase security; they’d just reduce the number of targets that would be worth attacking. While a smaller trusted computing base may be better for security within a single organization, it’s not clear it is better for security of a distributed service such as DNS across the distributed Internet.

The paper further expresses surprise to find that many DNS servers are run by gasp academic institutions! The paper says such institutions do not have a financial relationship with the domains they serve and thus no fiduciary incentives to do it right. That’s true, but fiduciary incentives are not the only incentives, and the more diverse the administrators of DNS servers the less likely they are all to be simultaneously compromised by commercial or political pressures.

The paper goes on to document specific numbers of vulnerable nameservers. This information could be used to help fix the problem.

Continue reading

Wireless Security Mandated for PR Reasons

Westchester County, New York (perhaps not coincidentally one of the richest counties in the U.S), has just passed a law requiring businesses to turn on security on wireless Internet networks if "they are used to access financial information for their customers."

Calling it the first law of its kind, Westchester County Executive Andrew Spano said the new law would cut down on identity theft while allowing businesses to avoid the "public relations disasters" that accompany data breaches.

New law requires some businesses  secure their WiFi networks by Eric Bangeman, Arstechnica, 4/21/2006 11:12:47 AM,

I find the PR reason even more interesting than this method of attempting to stamp out unauthorized access. Citing the Cardsystems case of last year, the article  notes that the bad press in that case resulted in lost business.

That connection should help businesses get serious about securing networks, regardless of how well this particular law works.

-jsq

PS: See on Digg.

Net Neutrality, Not Telconet

Here’s an article that sums up the net neutrality argument as far as I’m concerned:
The desire of AT&T, Verizon, et al to end network neutrality and assert fees for access to connected customers represents a death wish. Imagine the prospects of an info tech industry without “software neutrality” where Intel charged a fee to enhance software performance. Pay Intel and your applications run faster. The incentives driving Moore’s Law disappear in this pay-to-play model. Intel’s profit maximizing incentives become serving the interests of software companies willing to spend the most on “enhancing software performance” not the end users of computers. The meritocracy driving competition between software companies disappears as Intel picks winners and losers based on willingness to pay. Innovation becomes permission based at Intel’s discretion.

The Internet does not exist without net neutrality.

Net Neutrality Not An Optional Feature of Internet Posted in Wired + Guest Columns, By Daniel Berninger, 6 Feb 2006

We’re not tallking an HOV lane, where certain classes of service would get faster access; we already have those; users and servers can buy various speeds of access, and companies such as Akamai make a business out of picking the fastest routes. We’re talking charges for specific types of applications. Continue reading

Internet Crackdown in Oceania and Eurasia

In the news in Oceania:

“The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet service providers,” he said. “This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time.

“Unfortunately, the failure of some Internet service providers to keep records has hampered our ability to conduct investigations in this area,” he added.

ISPs Urged to Fight Child Porn, U.S. Attorney General Alberto Gonzales says Internet service providers are being too lax. Red Herring, April 21, 2006

He also proposed mandatory government-issued labels on any "obscene" web pages. We’ve been through this argument before, several times.

Continue reading

Metricon

Internet security with rivets: Metricon 1.0 is scheduled for 1 August 2006 in Vancouver, "to change security from an artistic "matter of opinion" into an objective, quantifiable science. "

Yes, but I think they should invite Bill Gibson, too; he lives there.

-jsq

PS: Seen on at least three blogs run by the organizing committee.

Full Circle

Two men were just convicted of peddling drugs over the Internet. This is ironic, considering the first commerce on the ARPANET, the predecessor of the Internet, was marijuana sales.

The penalty has changed over the years, from nothing to federal convictions. And the drugs this time were prescription.

This case shows us how the Internet has opened the door to an unregulated universe from which anyone with access to a computer can purchase just about anything,” U.S. Attorney Patrick Meehan said. “It’s a dangerous way to bypass the safeguards that are in place to protect the public.”

Men convicted in international Internet drug ring Associated Press, 18 April 2006

Somehow I doubt that FUD will work to fix this problem.

-jsq

PS: Seen on Fergie’s Tech Blog

An Iranian Import from the U.S.

In a story about how the president of Iran couldn’t take a joke and cracked down on SMS:
The clampdown is in line with the authorities’ uncompromising stance on the internet and bloggers. Wary of modern communications as a means of spreading political dissent, Iran is second only to China in the number of websites it filters – using technology made in America.

Heard the one about the president? Robert Tait in Tehran, ndFriday April 14, 2006, The Guardian

I wonder if it’s the same U.S. technology China is using?

-jsq

Decentralization for Security

John Robb cites a paper The topology of covert conflict, by Shishir Nagaraja and Ross Anderson, July 2005, and notes the ongoing decentralization of guerrila and organized crime networks and their increased attacks on the networks of the larger society. He adds:

As a result of this shift, we need to think about security in terms of network dynamics. One of the few papers on this topic comes from Shishir Nagaraja and Ross Anderson (University of Cambridge) entitled "The Topology of Covert Conflict." In this paper, the authors apply game theory and various offensive (decapitation of highly connected or central nodes) and defensive (rapid replenishment, cliques, and delegation) strategies to determine potential outcomes. They found that decentralization (specifically cliques and delegation, see paper for descriptions of what these terms mean) provides a good means of defense against all types of decapitation attacks (against critical leadership targets or important infrastructure nodes).

Depending on ISPs alone to determine whether a given business’s connectivity is sufficiently redundant and interconnected isn’t sufficient, because ISPs don’t know that much beyond their own networks. Increasingly centralizing ISP ownership in fewer companies is even worse. This is true not only for the Internet itself, but also for all the other networks it increasingly connects, from food to electricity.

Crooks and terrorists are rapidly adopting decentralized networking for their own security and leverage. The only way to defeat them is by using that same leverage for collective action, ranging from reputation systems to holistic and synoptic monitoring to insurance.

-jsq

Chinese Mail Licenses

James Seng notes that China has enacted an anti-spam regulation. Taking a radical stance, the Chinese government will now require a license to run any electronic mail service. No, I’m not making a joke; it’s part of the regulation. James quotes the announcement, and then paraphrases:
They are asking anyone who runs Lotus Notes, Microsoft Outlook Service or just Linux+Sendmail/Qmail to have a license before they are allowed to have one.

The licensing is also not a “class license” or automatically granted. It say specifically you are not allowed to run one unless you got an explicit license.

I predict that on the one hand not even China can pull this off without a lot of scofflaws running such software anyway, but on the other hand, a lot of people will go to jail before the regulation changes. I wonder how this new regulation will interact with Yahoo! mail or Google’s gmail?

-jsq