Cybersecurity |
Sponsored by |
|
Seems that DNSSEC is being subjected to what an old boss of mine used to call the "fatal flaw seeking missiles" which try to explain the technical reasons that DNSSEC is not being implemented. First it was zone walking, then the complexity of Proof of Non-Existence (PNE), next week ... one shudders to think. While there is still some modest technical work outstanding on DNSSEC, NSEC3 and the mechanics of key rollover being examples, that work, of itself, does not explain the stunning lack of implementation or aggressive planning being undertaken within the DNS community. more
While travelling home from Geneva, I was thinking quite a lot on the relationship between a ccTLD (registry) and a Country. This is because many countries are starting to talk louder and louder about the responsibilities Countries have on critical infrastructure, or (possibly more important) the management of the critical infrastructure. Will for example any (none?) of ccTLD operators (servers) sustain a denial of service attack of a scale similar to the attack on the root servers? What can ccTLD operators do to resist the malicious attacks? Should this be discussed? more
Wednesday was the open public consultation preparing for the second meeting of the Internet Governance Forum, which will take place in Rio de Janaeiro on 12th-15th November. Although the inaugural Athens meeting was widely deemed a success, having largely stayed off the dread topics of wresting control of DNS from ICANN and IP addressing from the RIRs, the usual suspects were back demanding that these topics be added to the agenda. more
On the face of it, Kieren McCarthy's Sex.com was a book that could have written itself: a notorious, well-publicised feud over the most valuable domain name in existence, between two charismatic men -- one a serial entrepreneur with a weakness for hard drugs (Gary Kremen), the other a gifted con-man with delusions of grandeur (Stephen Cohen). It's a story replete with vicious acrimony, multi-million dollar lawsuits, and rumours of gunfights between bounty hunters in the streets of Tijuana. Thankfully, McCarthy wasn't content to just bundle together all the articles he's written about Sex.com over the years and slap a cover on the front... more
The ICANN Board voted today 9-5, with Paul Twomey abstaining, to reject a proposal to open .xxx. This is my statement in connection with that vote. I found the resolution adopted by the Board (rejecting xxx) both weak and unprincipled... I am troubled by the path the Board has followed on this issue since I joined the Board in December of 2005. I would like to make two points. First, ICANN only creates problems for itself when it acts in an ad hoc fashion in response to political pressures. Second, ICANN should take itself seriously as a private governance institution with a limited mandate and should resist efforts by governments to veto what it does. more
Isn't security as important to discuss as .XSS? The DNS has become an abuse infrastructure, it is no longer just a functional infrastructure. It is not being used by malware, phishing and other Bad Things [TM], it facilitates them. Operational needs require the policy and governance folks to start taking notice. It's high time security got where it needs to be on the agenda, not just because it is important to consider security, but rather because lack of security controls made it a necessity. more
Many in the technical community attribute the rapid growth and spread of the Internet to innovation that took place at the "edge" of the network, while its "core" was left largely application neutral to provide a universal and predictable building block for innovation. It is this core neutrality that provides a basis for the security and stability of the Internet as a whole. And it is this same core neutrality that is critical to the continued spread of the Internet across the Digital Divide. Unfortunately, when the politics of censorship rather than solely technical concerns drive the coordination of these "core" Internet resources, it threatens the future security and stability of the Internet. This paper proposes a paradigm upon which all the governments of the world have equal access to these core Internet resources to empower them and their citizens with the rights acknowledged in the WSIS Declaration of Principles. more
The fallout from the failure of RegisterFly has been largely addressed as an issue of regulation and enforcement. ...ICANN has not historically enforced the escrow obligation, and in any case, if a company has failed, who exactly is going to take responsibility for updating the escrowed data? It seems to me that the problems that have arisen as a result of RegisterFly's collapse have more to do with the design of the "shared registry system" for the .COM and .NET TLDs than they do with ICANN's failure to enforce the RAA. more
There is a current ongoing Internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated. This incident is currently being handled by several operational groups. This past February, I sent an email to the Reg-Ops (Registrar Operations) mailing list. The email, which is quoted below, states how DNS abuse (not the DNS infrastructure) is the biggest unmitigated current vulnerability in day-to-day Internet security operations, not to mention abuse. more
Today, the ITU launched a new survey asking member states, ccTLDs and other ITU member organizations to provide answers to a specialized questionnaire asking for their experiences on the use of IDNs. The ITU states that it is reaching out to ccTLDs to "collect information and experiences on Internationalized Domain Names under ccTLD (country code Top Level Domain) around the globe." One of the goals of this survey is to collate information on the "needs and practices" of each ccTLD that is surveyed -- so as to compile a report from the ITU that speaks to the implementation of IDNs around the world... more
I have long been intrigued by the question of how do we turn the internet into a lifeline grade infrastructure... My hope that this will occur soon or even within decades is diminishing. Most of us observe, almost daily, how even well established infrastructures tend to crumble when stressed, even slightly... I was at the O'Reilly Etel conference last week. The content was impressive and the people there were frequently the primary actors in the creation and deployment of VOIP. However, not once during the three days did I hear a serious discussion by a speaker or in the hallways about how this evolving system would be managed, monitored, diagnosed, or repaired. more
We touched on this subject in the past, but recently Rich Kulawiek wrote a very interesting email to NANOG to which I replied, and decided to share my answer here as well: I stopped really counting bots a while back. I insisted, along with many friends, that counting botnets was what matters. When we reached thousands we gave that up. We often quoted anti-nuclear weapons proliferation sentiments from the Cold War, such as: "why be able to destroy the world a thousand times over if once is more than enough?" we often also changed it to say "3 times" as redundancy could be important... more
As Antonios Broumas has correctly observed, the Internet Governance Forum (IGF) begins life in Athens next week without the means for its participants to agree upon any substantive documents such as resolutions or declarations. Indeed, according to Nitin Desai, the Chairman of its Advisory Group, it is impossible for the IGF to make any decisions, as it "is not a decision-making body. We have no members so we have no power to make decision."... more
Internet domain names are truly bizarre. There is nothing especially remarkable about them from a technical perspective, but from a social and political perspective they are all sorts of fun. We can have arguments over control of the DNS root, arguments over whether names are property, arguments over innate rights to specific names, arguments over a registrar's right (or lack thereof) to exploit unregistered names for private gain, and many more arguments besides. In this article, I'd like to explore the argument-space rather than defend any particular position in it. In so doing, I hope to illuminate some novel (or under-emphasised) perspectives on the matter. more
Are file inclusion vulnerabilitiess equivalent to remote code execution? Are servers (both Linux and Windows) now the lower hanging fruit rather than desktop systems? In the February edition of the Virus Bulletin magazine, we (Kfir Damari, Noam Rathaus and Gadi Evron (me) of Beyond Security) wrote an article on cross platform web server malware and their massive use as botnets, spam bots and generally as attack platforms. Web security papers deal mostly with secure coding and application security. In this paper we describe how these are taken to the next level with live attacks and operational problems service providers deal with daily. more
A World-Renowned Source for Internet Developments. Serving Since 2002.