DNSSEC: the internet's International Criminal Court?
05-10-2010, 02:35 AM,
#1
Original URL: http://www.theregister.co.uk/2010/05/07/dnssec_and_geo_political_implications/
DNSSEC: the internet's International Criminal Court?

Trust and confidence in the domain name system

By Kieren McCarthy in San Francisco

Posted in Networks, 7th May 2010 23:03 GMT

INET The DNSSEC protocol could have some very interesting geo-political implications, including erosion of the scope of state sovereign powers, according to policy and security experts.

“We will have to handle the geo-political element of DNSSEC very carefully,” explained Peter Dengate Thrush, a New Zealand patent attorney and chairman of ICANN, at the INET conference in San Francisco.

“The Internet has the capacity to dilute some aspects of sovereignty,” he said, “and we may find that the power to rewrite Internet traffic may need to be tempered against some other international standard.”

Dengate Thrush then referenced other examples from history where national sovereignty has yielded to a higher international standard, such as the Nuremberg Trials, where Nazi war criminals were tried against a new standard of international law, and the International Criminal Court, which can try people outside of one country’s jurisdiction, as examples of where inter-governmental treaties can produce a higher standard that people are held to.

Other experts agreed that the DNSSEC standard – which allows Internet servers to confirm that data sent over the Internet came from a specific source – could make it more difficult for countries that wish to alter or censor information to do so without being noticed.

Jim Galvin of Afilias, an expert in DNSSEC, warned that a “split DNS” – where a country effectively sets up its own Internet within its borders and controls access to the global Internet - and the DNSSEC protocol “do not match very well”. However, he said that technically it was possible for someone at the interface of the global Internet and a country-wide Internet to strip electronic certificates attached to data and repackage the data with a new one. “But that’s a political issue,” Galvin added.

The discussion came on the back of the news this week that the first tests on applying DNSSEC at the “root” had been completed and were successful. Now it is a matter of slowly rolling out the technology to registries (such as dot-com), then registrars (such as GoDaddy) and finally registrants (the end user).

Galvin explained that to be successful, DNSSEC would have to be implemented at first at the center of the Internet and kept away from the average consumer until it was sufficiently simple. He accepted that this went against the usual pattern of placing Internet security systems as close to the end-user as possible, but identified it as the only way that the “next generation of the Internet” will be achieved.

Alex Deacon, the director of technology strategy at VeriSign, confirmed that the company was working first with ICANN and the US Department of Commerce to apply DNSSEC to the Internet’s root, with an expansion out to dot-edu, then dot-net and finally to the dot-com registry in the first quarter of 2011.

Eventually, as the security standard cascades down toward the end-user, it will become the “cornerstone of what security will be in future” said Galvin, and from there “will change the Internet in ways we can not yet imagine.”

Whether one of those ways will be to make it harder for countries to control or censor the content their citizens see is something we will have to see. ®

Related stories

* Email 2.0: Trying to catch up with the web (9 May 2010)
  http://www.theregister.co.uk/2010/05/09/email_and_trust/
* Will DNSSEC kill your internet? (13 April 2010)
  http://www.theregister.co.uk/2010/04/13/dnssec/
* Comcast (finally) brings security extensions to DNS (24 February 2010)
  http://www.theregister.co.uk/2010/02/24/comcast_dnssec/
* 80% of fed sites miss DNS Security deadline (23 January 2010)
  http://www.theregister.co.uk/2010/01/23/dnssec_deadline_failure/
* Targeted attacks replace botnet floods in telco nightmares (21 January 2010)
  http://www.theregister.co.uk/2010/01/21/arbor_teleco_security_survey/
* Bug puts net's most popular DNS app in Bind (24 November 2009)
  http://www.theregister.co.uk/2009/11/24/bind_dns_security_bug/
* DNSSec update deadline penciled in for 2011 (16 November 2009)
  http://www.theregister.co.uk/2009/11/16/dnssec_roll_ou/
* Kaminsky calls for DNSSEC deployment (21 February 2009)
  http://www.theregister.co.uk/2009/02/21/kaminsky_dnssec_call/
12-10-2010, 12:45 PM,
#2
RE: DNSSEC: the internet's International Criminal Court?
A bunch of disinfo / scam is floating around on creating a workaround by forming a new root server as an alternative DNS root to bypass ICANN which they say is US Controlled (false - since Sept 2010 - see below).

An alternative internet exists already and it has for decades. The alternative DNS since it is out of (easy) reach since it is putting a bit of distance between the US located though ICANN root servers to switch off. NSA has a private root server (gee maybe take nukes, vital communication and infrastructure offline or at least migrate them to a closed loop or root server and we wouldn't have this CYBERCOM mess).

The Joint Project Agreement (JPA), in effect since 1998, had bound ICANN -- officially known as the Internet Corporation for Assigned Names and Numbers -- to the Department of Commerce, giving the government direct control over the group.

The "Affirmation of Commitments" agreement has replaced The Joint Project Agreement (JPA). ICANN is now operated under multilateral global oversight. The U.S. government is one nation among many that govern the Internet.

ICANN is officially an NPO under global multi-lateral control
http://www.internetnews.com/infra/article.php/3841671/US+Cedes+ICANN+Control+to+the+World.htm

The current legislation in S3804 is not limited to ICANN servers or even domains and gets into trademark law as well, but includes a provision for "fair use"; a SCOTUS ruling will set the precedent for interpretation.

S3804 Text excerpt:
`(i) a service provider, as that term is defined in section 512(k)(1) * of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name's Internet protocol address;

So the ISP has the onus to monitor under US law and provide DNS level filters.

... and this covers P2P and much, much more, for instance repeating a trademarked catch phrase.

`(i) goods or services in violation of title 17, United States Code, or enable or facilitate a violation of title 17, United States Code, including by offering or providing access to, without the authorization of the copyright owner or otherwise by operation of law, copies of, or public performance or display of, works protected by title 17, in complete or substantially complete form, by any means, including by means of download, transmission, or otherwise, including the provision of a link or aggregated links to other sites or Internet resources for obtaining such copies for accessing such performance or displays

More Breakdown of S3804 Here:
http://concen.org/forum/showthread.php?tid=35119&pid=201429#pid201429

http://thomas.loc.gov/cgi-bin/query/z?c111:s3804:

Alternative DNS Roots

http://www.opennicproject.org/

Quote: OpenNIC Project Mission
1. To offer free/open access to DNS services to everyone by establishing new domain hierarchies external to the existing ICANN-controlled domain infrastructure using current DNS protocols.
2. To provide a foundation for further research and experimentation in areas related to DNS and the Internet.
3. To promote the benefits of a DNS that provides for global access to services regardless of geographical, political, ideological, or economic constraints.
4. To encourage the establishment of non-revenue-generating domain hierarchies in order to ensure continued freedom of access to the Internet.

http://opennicproject.org/opennic-charter

Other alternative DNS options:
http://www.dnsadvantage.com/
http://www.cesidianroot.net/
http://www.public-root.com/
http://www.open-rsc.org/
http://www.unifiedroot.com/ ($$)

A much tougher hurdle to mount would be the ACTA bill (UN/WIPO legislation) and the rollout of the DNSSEC protocol (being tested) which acts as a traffic source verification via public key server for authenticating source content.

http://www.theregister.co.uk/2010/05/07/dnssec_and_geo_political_implications/
http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

DNSSEC is currently facing a lot of issues, both legal and technical, but it could evolve to function as a monitoring and censorship switchboard pending its deployment.

I was exploring the I2P protocol (no tracker); this bypasses DNS and any root server altogether. Anyone got good information on this - maybe an open source project? Would UDP-only transfers be a workaround? eMule NZB? IRC DCC?

Related:

Is there only one internet?
http://concen.org/forum/showthread.php?tid=193

Stop the Internet Blacklist! (S3804)
http://concen.org/forum/showthread.php?tid=35119

Alternatives to the internet
http://concen.org/forum/showthread.php?tid=30313

US Cedes Control ICANN, Internet
http://concen.org/forum/showthread.php?tid=694
There are no others, there is only us.
http://FastTadpole.com/
05-26-2011, 12:13 PM,
#3
RE: DNSSEC: the internet's International Criminal Court?
Quote: DNS Filtering Threatens the Security and Stability of the Internet
May 26, 2011
By Dan Kaminsky

The DNS works. It creates the shared namespace that allows applications to interoperate across LANs, organizations, and even countries. With the advent of DNSSEC, it’s our best opportunity to finally address the authentication flaws that are implicated in over half of all data breaches.

There are efforts afoot to manipulate the DNS on a remarkably large scale. The American PROTECT IP act contains several reasonable and well targeted remedies to copyright infringement. One of these remedies, however, is to leverage the millions of recursive DNS servers that act as accelerators for Internet traffic, and convert them into censors for domain names in an effort to block content.

Filtering DNS traffic will not work, and in its failure, will harm both the security and stability of the Internet at large.

...
http://twitter.com/FastTadpole/status/73706728562241536
http://digg.com/news/technology/protect_ip_act_dnssec_dns_filtering_threatens_the_security_and_stability_of_the_internet
Full Article: http://dankaminsky.com/2011/05/26/filtering/

Dan co-authored a paper addressing the concerns of the PROTECT IP Act and DNSSEC.

Quote: Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill

This paper describes technical problems raised by the DNS filtering requirements in the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 ("PROTECT IP Act" pdf). Its authors come from the technical, operational, academic, and research communities. We are leading domain name system (DNS) designers, operators, and researchers, who have created numerous "RFCs" (technical design documents) for DNS, published many peer-reviewed academic studies relating to architecture and security of the DNS, and operate important DNS infrastructure on the Internet.

PROTECT-IP-Technical-Whitepaper-Final.pdf 765.31 KB
http://www.redbarn.org/node/6

Related:

Mininova, Torrent-finder, Bite the Dust. ISOhunt, Demonoid and TPB under Fire by ICE
http://concen.org/forum/showthread.php?tid=30496

Anti-Counterfeiting Trade Agreement (ACTA)
http://concen.org/forum/showthread.php?tid=81

Net Neutrality
http://concen.org/forum/showthread.php?tid=342

NSA Creating Spy System to Monitor Domestic Infrastructure
http://concen.org/forum/showthread.php?tid=33834
There are no others, there is only us.
http://FastTadpole.com/
04-27-2012, 10:10 AM,
#4
RE: DNSSEC: the internet's International Criminal Court?
Noticed that many SSL Certification authorities like godaddy.com are acting as infrastructural pillars to erect the DNSSEC protocol in combination with their secure signed encryption offerings. A piggyback install to implement first round adoption which is likely planned to wiggle its way into default internet protocol in eventuality.

The gateway browsers (IE, Firefox, Chrome, Safari and those in compliance) in combination with Root Certification Authorities (RSAs) adopt a preferred list of SSL providers to deliver content without a pronounced warning to encourage subscription of their issue service under their approved encryption algorithms and issued keys. Establishing and purporting a trust network cartel.

It appears that the first volley of DNSSEC is building atop this scheme to entrench itself. RSA approved ecommerce is the standard and it is attempting to encapsulate DNSSEC into the security model which can then be scaled to all sites to mitigate the perceived and manufactured security fears wrought by (intentionally?) poor OS security, highlighted threats (NASA ISS hacks, Anonymous, Wikileaks, STUXNET, Chip and PIN Card Fraud Exploits, Cyberterrorism ..), poor network topology to critical systems that could have easily been implemented in a closed circuit intranet model and the inherent flaws of wireless.

This is to install increased database referential integrity and verification by the end user (biometric-ID no doubt administered centrally), to weave the red tape to qualify and continue to participate on the entrenched medium, monopolistically control cost of admission to interact not only in commerce but simple communication on the grid and forcefully apply an interjecting centralized filter (and monitor and cloud of coordination and control) hub to selectively serve as judge jury and executioner for access, publication and/or any interaction in a system that was initially designed to be redundant.

The shift to DNSSEC combined with IPV6 opens the possibility to install new standards, transfer/consolidate cyber-governance and IP bloc assignment and eliminate legacy devices' ability to interface across all layers encompassing the Link, Transport, Internet, and by extension from the transport layer the application layer. This enables the enforcement of a global closed app and closed device environment (see Apple's Business Model). In short, a controlled filter enables, by extension a controlled gateway interface to any interaction read, write, modify, delete, volume, copy, toolset, time, speed, interaction to other people, devices, datasets etc...

Taking it even further the control of the application layer allows control of the content, delivery, format, access and interface into it.

The DNSSEC is part of a larger animal of law, ownership and privy access but it is the centrepiece of the project. A project to accomplish what the Printing Press, the telephone or even the television could not do even with all the control it gained over leveraged distribution to the masses. A project that incorporates exclusive multilateral communication and feedback through a single juncture (or a cartel administered protocol) selectively routed to privy and prey at the speed of light to and from the masses and anything and everything they can interact with, be it by proxy or directly interfaced.

With IPV6 anything and everything can be indexed via a uniquely assigned IP address.

The internet in its current state can be leveraged in our favour but that is a seductive bribe to gain adoption, entrench use, dangle carrots of hopium for a truly free medium, some of us feel we can stay a step or two ahead but it is their pipes and AI is evolving at a faster rate than our ability to infiltrate, bypass, stack overflow or outsmart (see big blue); particularly so because it has a bigger gun (processing power), is augmented with our best and brightest sellouts, it learns and adapts to tactics via neural network. AI is on its home turf it was spawned there and binary is its native tongue.

Eventuality dictates a head on confrontation is a tangent unworthy of our time and talents. I believe we're being sucked in and in the current situation there are a lot of obvious openings left undefended on purpose to sell the next evolution of secure telecommunication ingeniously built on a unique combination of biological identifiers in DNA, fingerprints and live retinal scans. This verification protocol is already built into some drone systems augmented by password and single point of access safeguards, on a closed system to boot and the access sequence itself is a honeypot cloaked with false positive feedback mechanisms to the would be hacker.

So what is the solution? Well we've already fed the development of this system with our time and talent but smart grid (or internet 3.0, internet of things, the cloud...) tech needs input to react to.

* We could pollute the uplink with loads of false information rendering it useless.
* We could starve the system of data by not interacting with it or its proxy components.
* We could infiltrate it and modify it to keep an open web by removing nefarious components
* We could build (and vigilantly) an alternative route of telecom
* We could watch the watchers and attempt to keep it honest
* We could resort to being honest so security isn't necessary since we all trust and respect each other
* Take off the masks and anonymity so our actions on the internet are subject to the same scrutiny and consequence as they would be in the meatspace. Say and do what you want but stand by it and own the feedback.

Some of these measures would require that at least most people have a moral backbone and a sense of responsibility enforced not by mindless drones or a self-appropriated conglomerate and that really is the key to take us from tribal and plutocratic --> to that next phase of sentient life that we have sometimes teased at, individually and compartmentally in a limited capacity, in our human imprint of existence.

Whatever the case, for best results, reach the children.
There are no others, there is only us.
http://FastTadpole.com/