[Fwd: Re: Day 6 of 10: IG Discussions, Legal Issues]

18 Aug 2008

      And more on DNS security

http://blog.wired.com/27bstroke6/2008/08/experts-accuse.html

 Experts Accuse Bush Administration of Foot-Dragging on DNS Security Hole

By Ryan Singel Email <mailto:ryan@ryansingel.net>August 13, 2008 | 
3:44:24 PMCategories: Hacks and Cracks 
<http://blog.wired.com/27bstroke6/hacks_and_cracks/index.html>, Threats 
<http://blog.wired.com/27bstroke6/threats/index.html>  

Roots

Despite a recent high-profile vulnerability that showed the net could be 
hacked in minutes, the domain name system -- a key internet 
infrastructure -- continues to suffer from a serious security weakness, 
thanks to bureaucratic inertia at the U.S. government agency in charge, 
security experts say.

If the complicated politics of internet governance continue to get in 
the way of upgrading the security of the net's core technology, the 
internet could turn into a carnival house of mirrors, where no URL or 
e-mail address could be trusted to be genuine, according to Bill 
Woodcock, research director at the nonprofit Packet Clearing House 
<http://www.pch.net/home/index.php>.

"The National Telecommunications and Information Administration, an 
agency of the Department of Commerce, is the show-stopper here," 
Woodcock said.

At issue is the trustworthiness of the domain name system, or DNS, which 
serves as the internet's phone book 
<http://www.wired.com/science/discoveries/news/2008/06/dayintech_0623>, 
translating queries such as wikipedia.org into the numeric IP address 
where the site's server lives.

Just weeks ago, security researcher Dan Kaminsky announced he'd 
discovered a way for hackers to feed fake info into DNS listings, which 
would allow hackers to redirect web traffic at will -- for example, 
routing every person attempting to log in to the Bank of America to a 
fake site controlled by the attacker.

Kaminsky quietly worked with large tech companies to build patches for 
the net's name servers to make the attack more difficult. But security 
experts, and even the NTIA, say those patches are just temporary fixes; 
the only known complete fix is DNSSEC 
<http://www.dnssec-deployment.org/> -- a set of security extensions 
<http://www.dnssec-tools.org/> for name servers.

Those extensions cryptographically sign DNS records, ensuring their 
authenticity like a wax seal on an letter. The push for DNSSEC has been 
ramping up over the last few years, with four regions -- including 
Sweden (.SE) and Puerto Rico (.PR) -- already securing their own domains 
with DNSSEC. Four of the largest top-level domains -- .org, .gov, .uk 
and .mil, are not far behind.

But because DNS servers work in a giant hierarchy, deploying DNSSEC 
successfully also requires having someone trustworthy sign the so-called 
"root file" with a public-private key. Otherwise, an attacker can 
undermine the entire system at the root level, like cutting down a tree 
at the trunk. That's where the politics comes in. The DNS root is 
controlled by the Commerce Department's NTIA, which thus far has refused 
to implement DNSSEC.

The NTIA brokers the contracts that divide the governance and top-level 
operations of the internet between the nonprofit ICANN and the 
for-profit VeriSign, which also runs the .com domain.

"They're the only department of the government that isn't on board with 
securing the Domain Name System, and unfortunately, they're also the 
ones who Commerce deputized to oversee ICANN," Woodcock said.

"The biggest difference is that once the root is signed and the public 
key is out, it will be put in every operating system and will be on all 
CDs from Apple, Microsoft, SUSE, Freebsd, etc," says Russ Mundy, 
principal networking scientist at Sparta, Inc, which has been developing 
open-source DNSSEC tools for years with government funding,  He says the 
top-level key is "the only one you have to have, to go down the tree."

A European networking group known as RIPE called in June 2007 for the 
root to be signed, with Swedish and British representatives echoing the 
call in October. But NTIA is not moving quickly enough to sign the root, 
given the looming threat, even after the final technical problems have 
been resolved, according to Woodcock and others.

"A few years ago, there were still technical hurdles to actually signing 
and using DNSSEC, but in the past few years, a lot of software tools, 
both commercial and open-source, have come out, and now it's a 
completely solved problem," Woodcock said. "All that's left is the far 
less tractable, purely political problem."

"Arguing over who gets to hold the cryptographic keys in the long run 
[should] wait until we're not facing a critical threat," Woodcock said.

But the NTIA insists it is moving at just the right pace.

"We are committed to taking no action that would have the potential to 
adversely affect the operational stability of the DNS," says spokesman 
Bart Forbes. "While there is increasing pressure to secure the DNS, NTIA 
must work with all stakeholders and consider all possible solutions."

Olaf Kolkman, a Dutch networking export, says there's no time to waste. 
The only way for DNSSEC to work is for the top-level zone file -- which 
lists the specifics for top-level domains like .gov -- to be signed by a 
trusted authority.

"Currently DNSSEC is the only mechanism known to protect against the 
Kaminsky attack," Kolkman said. "It is not clear that other solutions 
will provide the same level of protection as DNSSEC."

Without such extensions, a hacker eager for trade secrets could hijack 
the DNS listing for Apple's e-mail server and insert the number for a 
server he controls instead. He could then keep a copy of every message 
sent to the company and forward them all. No one would likely to be any 
wiser until a human looked closely at the mail headers.

Still, even DNSSEC's most fervent backers admit that signing the root 
won't instantly secure the net. Installing the extensions internet-wide 
will be costly and time-intensive, but proponents say that getting the 
root signed will turbocharge the process.

The Internet Assigned Numbers Authority -- which coordinates the 
internet -- has been prototyping a system to sign the root-zone file for 
the last year, but they can't do the same for the internet's top servers 
without approval from the Department of Commerce.

That's where the rub is, according to Kolkman.

"Then the issue becomes political because there seems to be the 
perception that the introduction of a key guardian changes the current 
policies," Kolkman said

That could also simplify how top-level zone files are created, according 
to Richard Lamb, a technical expert at IANA. Currently companies that 
manage top-level domains like .com submit changes to ICANN, which then 
sends them to NTIA for approval, before they're forwarded to VeriSign. 
VeriSign actually edits the root file and publishes it to the 13 root 
servers around the world.

"We would want to bring the editing, creation and signing of the root 
zone file here," to IANA, Lamb said, noting that VeriSign would likely 
still control distribution of the file to the root servers, and there 
would be a public consultation process that the change was right for the 
net.

But changing that system could be perceived as reducing U.S. control 
over the net -- a touchy geopolitical issue. ICANN is often considered 
by Washington politicians to be akin to the United Nations, and its push 
to control the root-zone file could push the U.S. to give more control 
to VeriSign, experts say.

VeriSign did not respond to a request for comment, but its CTO said 
earlier this year that it was creating its own root-zone file-signing 
test bed.

The root-zone file, which contains entries for the 300 or so top-level 
domains such as .gov and .com, changes almost every day, but the number 
of changes to the file will likely increase radically in the near 
future, since ICANN decided in June to allow an explosion of new 
top-level domain names.

Woodcock isn't buying the assurances of NTIA that it is simply moving 
deliberatively.

"If the root isn't signed, then no amount of work that responsible 
individuals and companies do to protect their domains will be 
effective," Woodcock said. "You have to follow the chain of signatures 
down from the root to the top-level domain to the user's domain. If all 
three pieces aren't there, the user isn't protected."

Brian Munyao Longwe wrote:
...
So does Cyber War bring out any legal issues? This is a slightly 
chilling summary of the current crisis in Georgia and the central role 
that the internet had before the hostilities escalated.
*Longtime Battle Lines Are Recast In Russia and Georgia's Cyberwar*
By Kim Hart
Washington Post Staff Writer
Thursday, August 14, 2008; D01
As the violence unfolded between Russia and Georgia during the past 
week, hackers waged war on another front: the Internet.
The Georgian government accused Russia of engaging in cyberwarfare by 
disabling many government Web sites, making it difficult to inform 
citizens quickly of important updates. Russia said that it was not 
involved and that its own media and official Web sites had suffered 
similar attacks. Although a cease-fire has been ordered, major 
Georgian servers are still down, hindering communication in the country.
Some Georgian officials, bloggers and citizens were able to work 
around the disruptions, sending text messages to friends in other 
countries using Web sites hosted by servers in the United States, 
Poland and Estonia that are less likely to fall victim to a cyberattack.
Concerted online attacks have been a threat for years. But security 
experts say the "cyberwar" between Russia and Georgia underscores the 
havoc that can spread on a digital battlefield. It also highlights how 
vulnerable Web-reliant countries are to assaults that could cripple 
military communications or a national banking industry.
The attacks against Georgia's Internet infrastructure began nearly two 
months before the first shots were fired, according to security 
researchers who track Internet traffic into and out of the countries. 
Such attacks, known as "denial of service" attacks, are triggered when 
computers in a network are simultaneously ordered to bombard a site 
with millions of requests, which overloads a server and causes it to 
shut down.
"In terms of the scope and international dimension of this attack, 
it's a landmark," said Ronald J. Deibert, director of the University 
of Toronto's Citizen Lab, which has nearly 100 researchers mapping Web 
traffic through several countries, including Russia and Georgia. He 
said small-scale attacks have occurred between the countries since 
June. "International laws are very poorly developed, so it really 
crosses a line into murky territory . . . Is an information blockade 
an act of war?"
Cyberattacks can be launched cheaply and easily, with a few hundred 
computers and a couple of skilled hackers. Simpler tactics are even 
easier to mount by hacking into a server and deleting files, 
reconfiguring settings and altering photos. Compared with expensive 
military attacks, cyberwar tactics "seems like the kind of thing that 
a sophisticated military would want to experiment with," said Ben 
Edelman, assistant professor at Harvard Business School who has 
studied cyberattacks.
"Imagine how devastating it would be to a military commander to lose 
access to a server that tells him where his troops are stationed and 
where he has resources," he said, adding that "this is the first time 
we've had such strong evidence of cyberwarfare."
Instructions on how to mount such attacks are readily available on 
blogs, making it easy for a grass-roots effort to quickly escalate 
into a crippling assault, said Evgeny Morozov, a technology consultant 
based in Berlin who has tracked blogs in Georgia and Russia.
Figuring out who is behind the attacks has been difficult, Deibert 
said, because of complex routing methods and a multitude of connection 
exchanges. The Internet's infrastructure is a maze of lines laid by 
different service providers traversing many countries, masking how 
information is traveling -- or blocked.
"It's an ongoing battle in documenting where it's coming from and 
helping people get around it," he said.
In Georgia, which is not as dependent on the Internet as other 
nations, the cyberattack mainly hindered the government's ability to 
communicate with its citizens and others during the fighting. The 
Georgian Foreign Ministry's Web site, for example, was disabled except 
for a collage that compared Georgian President Mikheil Saakashvili to 
Adolf Hitler.
"Battles today are as much about ideas and images as they are 
territories," Deibert said. "If you're a military and intelligence 
agency, you're going to take down information that is in opposition 
and control the message."
To get around the blockade, Georgian officials relocated national Web 
sites to addresses hosted by Google's Blogspot, whose U.S. servers are 
more immune to attack. Citizens used blogging platforms such as 
LiveJournal -- the dominant platform in Russia and Georgia -- to post 
their own reactions during the fighting.
For example, a Georgian refugee from Abkhazia who blogs under the name 
Cyxymu on LiveJournal posted photos of Russian troops entering the 
Georgian town of Gori. The blogger said the photos were taken after 
Russia had announced its withdrawal, proving, he said, that fighting 
continued.
Morozov said only a few hundred Georgians used blogs to communicate 
with people outside the country. Even that tool was threatened, he 
said, when a group of Russian bloggers sent a letter asking Sup, the 
Russian company that owns and manages LiveJournal, to censor posts 
with pro-Georgian sentiment. Sup did not comply.
Givi Bitsadze, in Tbilisi, used microblogging site Twitter to share 
updates about the fighting in English and Russian.
"Tbilisi is still safe, but other cities are under attack, bombs kinda 
stopped, but Russian soldiers are breaking in a houses," one post read 
yesterday. He also noted an Olympic victory: "Georgia beats Russia in 
beach volleyball."
The cyberwar will most likely serve as a Web security wake-up call, 
Morozov said.
"Georgia was completely unprepared to the fact that all this 
information was on the Internet," he said. "I think it taught them -- 
and a lot of people -- a lesson."
On Aug 18, 2008, at 9:00 AM, John Walubengo wrote:
...
Hi all,
Hpe u had a good weekend.  Today is day 6 of 10, but the theme is 
still on legal issues.
I still cant believe the learned friends have not spoken and left 
everything to Alex and Mike.  If any of you runs into Evelyn R., 
Kihanya J., Omo J. or Clara R. just to mention a few, ask them if 
they can give us a shout without us having to 'open a file'
We have only today for this since tomorrow we move into the Economic 
Issues to be facilitated by a renowned IG expert to be unveiled in 
due course.
walu.
--- On Sat, 8/16/08, Alex Gakuru <alex.gakuru@yahoo.com 
<mailto:alex.gakuru@yahoo.com>> wrote:
...
From: Alex Gakuru <alex.gakuru@yahoo.com <mailto:alex.gakuru@yahoo.com>>
Subject: Re: [kictanet] Day 5 of 10: IG Discussions, Legal Issues
To: jwalu@yahoo.com <mailto:jwalu@yahoo.com>
Cc: "KICTAnet ICT Policy Discussions" <kictanet@lists.kictanet.or.ke 
<mailto:kictanet@lists.kictanet.or.ke>>
Date: Saturday, August 16, 2008, 11:17 AM
G8 links!
The introduction to this topic was on the presumption that
consumers were the criminals proceeding to outline law
enforcement challenges. The most convenient and common form
of misrepresenting cyber crimes and law -- first take away
all their rights then they struggle to regain one after the
other... It is good that Mike presents both sides of the
story.
Telecommunication companies hold massive data on all
individuals and they ensure that their on their "Terms
of Use" and contracts users are "guilty until
proven innocent" and the companies are at liberty to do
whatever they please with our personal data.
Consider below extract from a local telecommunication
company's Terms of Use: -
------------
5. Use of your information
(The Company) may hold and use information provided by you
for a number of purposes, which may include:
(a) Carrying out any activity in connection with a legal,
governmental or regulatory requirement on (The Company) in
connection with legal proceedings or in respect of crime or
fraud prevention, detection or prosecution.
(b) Monitoring or recording of your communications for (The
Company)’s business purposes such as marketing, quality
control and training, prevention of unauthorised use of 
(The Company)’s telecommunications system and ensuring
effective systems operation in order to prevent or detect
crime.
---------
"May include" does not mean "limited
to" - implying that they are allowed, for example, to
share, sell, etc private data to their partners... Exactly
what Mike points out to on the Business Week link.
Framed in ways suggestive of company "law
enforcer" (illegal roles) onto "guilty"
users. Notice how "Intellectual Property" is
conveniently repeated. Or is it be assumed that consumers do
not have any "intellectual property" they would
wish protected? the companies should abide to also protect.
BTW, There is an IGF Dynamic Coalition movement calling for
a balance between Intellectual Property and development
which includes Access to Knwoledge
(A2K).<http://www.ipjustice.org>. Very resourceful!
Supposing earlier proposed M-Medicine went ahead in East
Africa? Sold ailments data to pharmaceutical companies, that
would hike medicines prices in outbreak zones at selected
locations... You go to a bank with a water-tight business
proposals and all bank turn you down. Reason? They have
shared your medical history and they think you will soon
"sleep in the shamba" your excellent business
proposals notwithstanding.
In summary, unless Data Protection and Privacy Laws are
enacted, the default should be to deny all telecommunication
companies legal loophole to trade with personal information.
And it should be seen to be enforced.
On a lighter note, should I sue a WiFi company for
trespassing when their signals enter my laptop, or should
they sue me for illegally access of their signal? Over to
Ben Shihanya.
Thanks again Mike!
--- On Fri, 8/15/08, Mike Theuri
<mike.theuri@gmail.com <mailto:mike.theuri@gmail.com>> wrote:
...
From: Mike Theuri <mike.theuri@gmail.com 
<mailto:mike.theuri@gmail.com>>
Subject: Re: [kictanet] Day 5 of 10: IG Discussions,
Legal Issues
To: alex.gakuru@yahoo.com <mailto:alex.gakuru@yahoo.com>
Cc: "KICTAnet ICT Policy Discussions"
<kictanet@lists.kictanet.or.ke <mailto:kictanet@lists.kictanet.or.ke>>
Date: Friday, August 15, 2008, 2:11 PM
Not a legal opinion: It would be very difficult to
apply
existing common law
(analogous to jurisprudence) to electronic crimes
committed
in a new era,
atleast within the local context.
For these reasons it is necessary to define the crimes
under distinct and
separate legislation. Due to the borderless nature of
the
Internet (see
shared link), it is necessary for such legislation to
take
a broad
approach into account.
For instance there ought to be provisions that allow
local
authorities to
seek the arrest and extradition of foreign based
suspects
from other
jurisdictions for electronic crimes committed against
citizens or local
infrastructure owned by individuals or entities even
though
the suspects at
the time of commission of the crime were present in
other
jurisdictions.
The same provision can allow private parties to pursue
civil remedies in a
similar matter and give them the basis where possible
to
enforce the
judgement in the defendant's jurisdiction.
This for example would close the possible
jurisdictional
loophole
of individuals crossing borders so as to commit
electronic
crimes from a
country that lacks electronic crime laws. Current law
is
ill equipped in
ensuring civil remedies, prosecution or arrest of
local or
international
cyber criminals, 419ers, lurers of minors, harassers,
electronically
transmitted or created threats (threats to a person,
threats to
infrastructure by way of viruses, malaware, DoS etc)
etc
neither is it
likely to be in a position to ensure serious
consequences
or deterents for
the same or allow for the definition of crimes as
distinguished here for an
international gang of culprits:
http://www.secretservice.gov/press/GPA15-08_CyberIndictments_Final.pdf
...
It was recently reported that a bill or regulations to
protect the data of
consumers would be brought about as a means of
...
the CRBs. This
could be model legislation/regulations to adopt to
ensure
that the public
has a say in the manner in which their private
information
is used.
At the same time consumers ought to be able to
instruct
companies with whom
they have business relationships with not to share
regulating
that
...
same information
with 3rd parties without their prior consent (ie
opt-in/out). This is only
effective if there are laws or regulations to provide
for
consequences when
businesses violate the same.
As CRBs take root, there will be a likelihood that
similar
bureaus or
entities will eventually start sharing information in
real
time, for example
an underwriter of an insurance policy might want to
check
an individual's
claim history across the industry to determine the
level of
risk the insured
poses in determining policy premiums. Similarly an
organization may want to
conduct background checks for prospective employees in
privately maintained
electronic databases.
It is important that instead of regulations or laws
being
formed for sectors
of the economy, that national data privacy laws and
regulations be defined
(or ammended) and on that basis refinement of specific
regulations/laws
could be made for sectors that require specific data
requirements. Such
regulatory foresight can reduce or avert the occurence
of
issues such as
those seen here:
http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm?campai...
...
On Fri, Aug 15, 2008 at 12:21 AM, John Walubengo
<jwalu@yahoo.com <mailto:jwalu@yahoo.com>> wrote:
...
Mornings,
Today and next Monday, we intend to thrash out
...
...
Internet Governance. The typical issues revolve
around:
-Jurisdiction & Arbitration (who resolves
e-disputes)
-Copyright & IPR (are they pro or
anti-development?)
-Privacy and Data Protection (how is the
e-Citizens
data abused/protected?)
I do hope the 'learned' friends will chip
in
since I cannot pretend to be
an expert here as I introduce the general legal
...
dispute resolutions can be done through,
·       Legislation;
·       Social norms (customs);
·       Self-regulation;
·       Regulation through code (software
solution);
·       Jurisprudence (court decisions);
·       International law.
There is however two broad conflicting schools of
...
resolving disputes occasioned by the Internet.
One
group claims that
whatever happens online does have an equivalent
'off-line' characteristics
and as such existing laws can easily be applied. 
E.g
stealing money
electronically is no different from stealing
money
...
charges and subsequent jurisdictional procedures
could
apply.  However, the
second group feels that electronic crimes have a
totally different context
and must have a separate and totally new set of
legislation or methodologies
for resolutions.
The borderless nature of the Internet brings to
fore
legal dimensions of
principals.  Basically,
thought when it comes to
physically and so Robbery
the Challenges of
...
Jurisdiction and Arbitration as in
yesterday's
example, where content in one
country may be illegal but is legal in another.
Copyright and Intellectual
Property Rights issues are also explosive as
demonstrated by the Napster
Case, where some young software engineers created
software that facilitated
sharing of (SONY) Music files across the
Internet.
Also related was the case
of Amazon.com trying to Patent the
'single-click' method of buying goods
online.
Other cases touch on Data Privacy where Business
Companies have been known
to sell customer records to Marketing firms
without
express authority from
the Customers. Other times customer data is
simply
hacked into and
Businesses are unable to own up (going public) to
the
the
...
detriment of the
...
Customer.
Most of these issues are under discussion
internationally at the Internet
Governance Forum (IGF), World Intellectual
Property
Organization (WIPO)
amongst other fora. They present emerging legal
challenges and it would be
interesting to know if stakeholders in the East
African region are/should be
involved in shaping the outcomes of any of these
issues.
2days on this one, today and next Monday and feel
free
to belatedly respond
to Day 1 through Day 5 issues.
References:
http://www.diplomacy.edu/ISL/IG/
http://en.wikipedia.org/wiki/Napster
_______________________________________________
kictanet mailing list
kictanet@lists.kictanet.or.ke <mailto:kictanet@lists.kictanet.or.ke>
http://lists.kictanet.or.ke/mailman/listinfo/kictanet
...
This message was sent to: mike.theuri@gmail.com 
<mailto:mike.theuri@gmail.com>
Unsubscribe or change your options at
http://lists.kictanet.or.ke/mailman/options/kictanet/mike.theuri%40gmail.com
...
...
_______________________________________________
kictanet mailing list
kictanet@lists.kictanet.or.ke <mailto:kictanet@lists.kictanet.or.ke>
http://lists.kictanet.or.ke/mailman/listinfo/kictanet
This message was sent to: alex.gakuru@yahoo.com 
<mailto:alex.gakuru@yahoo.com>
Unsubscribe or change your options at
http://lists.kictanet.or.ke/mailman/options/kictanet/alex.gakuru%40yahoo.com
_______________________________________________
kictanet mailing list
kictanet@lists.kictanet.or.ke <mailto:kictanet@lists.kictanet.or.ke>
http://lists.kictanet.or.ke/mailman/listinfo/kictanet
This message was sent to: jwalu@yahoo.com <mailto:jwalu@yahoo.com>
Unsubscribe or change your options at
http://lists.kictanet.or.ke/mailman/options/kictanet/jwalu%40yahoo.com
_______________________________________________
kictanet mailing list
kictanet@lists.kictanet.or.ke <mailto:kictanet@lists.kictanet.or.ke>
http://lists.kictanet.or.ke/mailman/listinfo/kictanet
This message was sent to: brian@caret.net <mailto:brian@caret.net>
Unsubscribe or change your options at 
http://lists.kictanet.or.ke/mailman/options/kictanet/brian%40caret.net
------------------------------------------------------------------------
_______________________________________________
kictanet mailing list
kictanet@lists.kictanet.or.ke
http://lists.kictanet.or.ke/mailman/listinfo/kictanet
This message was sent to: alice@apc.org
Unsubscribe or change your options at http://lists.kictanet.or.ke/mailman/options/kictanet/alice%40apc.org

alice

tags

participants (1)