Ah yes, "Security by obscurity”:
"Many people believe that 'security through obscurity' is flawed because… secrets are hard to keep."
I'm glad the guys guarding the A Root Servers are up on the latest security trends. Of course, you could hide the A Root Servers at the heart of the Minotaur's maze, but they're still going to be "right over there" in cyberspace, at 126.96.36.199,
7 so1-3-0-2488M.ar1.DCA3.gblx.net (188.8.131.52) 52.274 ms
8 InterNAP-Ken-Schmid-Ashburn-3.ge-2-3-0.ar1.DCA3.gblx.net (184.108.40.206) 50.903 ms
9 border12.ge2-0-bbnet1.wdc.pnap.net (220.127.116.11) 50.888 ms
10 verisign-9.border12.wdc.pnap.net (18.104.22.168) 50.227 ms
11 22.214.171.124 (126.96.36.199) 51.598 ms
12 188.8.131.52 (184.108.40.206) 52.234 ms
13 220.127.116.11 (18.104.22.168) 70.563 ms
Reminds me of a local ISP, "Glasspath" (a casualty of the DotCom Crash), which bragged that it was safer from hackers because it was situated inside an old bank vault.
Once you run that fiber through the wall of the vault, you're letting in a lot of the world.
"'...If this site just vanished off the Internet, it would automatically [switch] over to one or two other locations,' Silva said. These are the so-called 'warm back-ups' that VeriSign has on stand-by at all times. The Internet never sees them, Silva says, but they can be up and running within 15 minutes and in that time Internet users wouldn’t even notice a hiccup in traffic."
And this process is tested… how? when? This testing is independently audited… when? by whom? These audit results are compared against what criteria? These criteria are set by what body?
Or are we playing fast and loose and depending on the word of a fellow who could be laid off tomorrow at the whim of a "volunteer" corporation?
I'm sure that Sean Gorman would have something to say about the security value of "security by obscurity"…
"Using mathematical formulas, he probes for critical links, trying to answer the question: "If I were Osama bin Laden, where would I want to attack?" In the background, he plays the Beastie Boys.
For this, Gorman has become part of an expanding field of researchers whose work is coming under scrutiny for national security reasons. His story illustrates new ripples in the old tension between an open society and a secure society."
So while we can rest easy that the VeriSign A Root Server is protected by "obscurity", the Internet itself remains vulnerable to network-based attacks and well-placed backhoes. And the organization that's supposed to be "managing" the Internet? Too busy playing politics, consolidating power, and forging Afghani ccTLD contracts…
By Robert Alberti, CISSP, Founder and President
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services
.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»