Security

Noteworthy

 IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges.

Security / Recently Commented

Proceedings of Name Collisions Workshop Available

Keynote speaker, and noted security industry commentator, Bruce Schneier (Co3 Systems ) set the tone for the two days with a discussion on how humans name things and the shortcomings of computers in doing the same. Names require context, he observed, and "computers are really bad at this" because "everything defaults to global." Referring to the potential that new gTLDs could conflict with internal names in installed systems, he commented, "It would be great if we could go back 20 years and say 'Don't do that'," but concluded that policymakers have to work with DNS the way it is today. more»

Taking Back the DNS

Most new domain names are malicious. I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse. more»

Keynote Speaker for Name Collisions Workshop: Bruce Schneier

There may still be a few security practitioners working in the field who didn't have a copy of Bruce Schneier's Applied Cryptography on their bookshelf the day they started their careers. Bruce's practical guide to cryptographic algorithms, key management techniques and security protocols, first published in 1993, was a landmark volume for the newly emerging field, and has been a reference to developers ever since. more»

Extreme Vulnerability at the Edge of the Internet - A Fresh New Universal Human-Rights Problem

By design, the Internet core is stupid, and the edge is smart. This design decision has enabled the Internet's wildcat growth, since without complexity the core can grow at the speed of demand. On the downside, the decision to put all smartness at the edge means we're at the mercy of scale when it comes to the quality of the Internet's aggregate traffic load. Not all device and software builders have the skills - and the quality assurance budgets - that something the size of the Internet deserves. more»

More Problems Crop Up With Universal Acceptance of Top Level Domains

I've often found truth in the famous George Santayana quote, "Those that cannot remember the past are doomed to repeat it." That's an apt warning for what is currently happening - again - with the hundreds of new generic Top Level Domains (gTLDs) that are launching ... and failing to work as expected on the Internet. First, a quick refresher: As most CircleID readers know, in the early 2000s, seven new gTLDs were launched: .AERO, .BIZ, .COOP, .INFO, .MUSEUM, .NAME and .PRO. Aside from Country Code TLDs (ccTLDs), these were the first top-level changes to the DNS since the early days of the Internet. more»

Colloquium on Collisions: Expert Panelists to Select Papers, Award $50K First Prize

According to the Online Etymology Dictionary, the verb collide is derived from the Latin verb collidere, which means, literally, "to strike together": com- "together" + l├Ždere "to strike, injure by striking." Combined instead with loquium, or "speaking," the com- prefix produces the Latin-derived noun colloquy: "a speaking together." So consider WPNC 14 - the upcoming namecollisions.net workshop - a colloquium on collisions: speaking together to keep name spaces from striking together. more»

The Economy, Not Surveillance or Weapons Systems, Is the Real Source of National Security

The worldwide public discussion about surveillance produced by the Snowden revelations has so far largely missed a major strategic fault with national security arguments for continued mass surveillance: that economic damage to the technology sector but more fundamentally to the wider economy is a likely result. This damage is also likely to undermine security far more than any potential gains from continuing as we are - or continuing but with some transparency or narrowing that leaves the existing industrial scale surveillance system largely unchecked. more»

On Mandated Content Blocking in the Domain Name System

COICA (Combating Online Infringement and Counterfeits Act) is a legislative bill introduced in the United States Senate during 2010 that has been the topic of considerable debate. After my name was mentioned during some testimony before a Senate committee last year I dug into the details and I am alarmed. I wrote recently about interactions between DNS blocking and Secure DNS and in this article I will expand on the reasons why COICA as proposed last year should not be pursued further in any similar form. more»

Global Technical Internet Related Issues That Need Fixing

Given its engineering background, many positive contributions can be made by the engineering community in the broader ICT world to assist in addressing some of the broader internet issues, often addressed within the more limited telecoms environment.. Of course some of this is already happening; however much more work would be needed to strengthen the technical foundations of the internet. Just as an example, the type of issues that could be addressed by a broader ICT engineering foundation could include... more»

We Have a Paradigm for Surveillance That's Broken, Fit Only for the Analogue Past

As each day brings new revelations about surveillance online, we are starting to see increasing activity in national legislatures intended either to establish more control over what the security services can do to their nationals (in countries like the US), or to limit access by foreign secret services to the personal information of their citizens (countries like Brazil). Unfortunately, neither of these approaches address the underlying problem: we have a paradigm for surveillance that's fit for the analogue past, not the digital present, let alone the future. more»

IETF Looking at Technical Changes to Raise the Bar for Monitoring

During a speech last week at the Internet Governance Forum in Bali, Jari Arkko, IETF's chair, re-emphasized it's efforts to ramp up online security in light of recent revelations of mass internet surveillance. "Perhaps the notion that internet is by default insecure needs to change," Arkko said. Significant technical fixes "just might be possible." more»

Bruce Schneier to Speak About Internet Surveillance at IETF 88 Technical Plenary Next Week

How do we harden the Internet against the kinds of pervasive monitoring and surveillance that has been in recent news? While full solutions may require political and legal actions, are there technical improvements that can be made to underlying Internet infrastructure? As discussed by IETF Chair Jari Arkko in a recent post on the IETF blog, "Plenary on Internet Hardening", the Technical Plenary at next weeks IETF 88 meeting in Vancouver, BC, Canada, will focus on this incredibly critical issue. more»

Google's Project Shield May Actually Be A Double-Edged Sword

Google has received a lot of press regarding their Project Shield announcement at the Google Ideas Summit. The effort is being applauded as a milestone in social consciousness. While on the surface the endeavor appears admirable, the long-term impact of the service may manifest more than Google had hoped for. Project Shield is an invite-only service that combines Google's DDoS mitigation technology and Page Speed service... more»

Most Abusive Domain Registrations are Preventable

As the WHOIS debate rages and the Top-Level Domain (TLD) space prepares to scale up the problem of rogue domain registration persists. These are set to be topics of discussion in Costa Rica. While the ICANN contract requires verification, in practice this has been dismissed as impossible. However, in reviewing nearly one million spammed domain registrations from 2011 KnujOn has found upwards of 90% of the purely abusive registrations could have been blocked. more»

Rodney Joffe on Security Vulnerabilities of Modern Automobiles

Rodney Joffe, Senior Technologist at Neustar, explaines that vehicles (beginning with 1998 models) are vulnerable to hacking, but manufacturers have been unable to fix the problem. In the video below, Joffe explains the challenge to cars and the possible threats that exist for other machines connected to a network. more»