Linked by Thom Holwerda on Fri 21st Jun 2013 19:08 UTC
Legal "Britain's spy agency GCHQ has secretly gained access to the network of cables which carry the world's phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency. The sheer scale of the agency's ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate." Woah.
RE[5]: Enough already
by Alfman on Mon 24th Jun 2013 00:28 UTC in reply to "RE[4]: Enough already"
Alfman Member since:
2011-01-28

Lennie,


"The only advantage DNS has is there are more parties involved with DNS. It is easier to choose a different branch (.com can't sign stuff from .org)."

I'm really not too familiar with DNSSEC, but my understanding is that the root zone, which operates one layer above .com or .org, is still vulnerable to the kind of adversaries that we're talking about:

https://www.icann.org/en/about/learning/factsheets/dnssec-qaa-09oct0...

In particular see section #7.

"i) ICANN, an International not-for-profit Corporation under contract from United States Department of Commerce, performs the 'IANA' function. IANA stand for Internet Assigned Numbers Authority. ICANN receives and vets information from the top level domain (TLD) operators (e.g. 'com')"

"ii) National Telecommunications and Information Administration (NTIA) - which is an office within the United States Department of Commerce - authorizes changes to the root"

"iii) VeriSign a United States based for profit company is contracted by the US Government to edit the root zone with the changed information supplied and authenticated by ICANN and authorized by the Department of Commerce and distributes the root zone file containing information on where to find info on TLDs (e.g. 'com')"


It seems extremely probable that DNSSEC is already compromised by the government, who were also responsible for provisioning it.

Reply Parent Score: 2

RE[6]: Enough already
by Lennie on Mon 24th Jun 2013 09:00 in reply to "RE[5]: Enough already"
Lennie Member since:
2007-09-22

If you think it is ICANN that has the final say, then you are probably wrong.

The root operators are multiple independent organisations.

The root operators actually can refuse to accept changes.

There is no reason for the root operators to accept a change that would allow the US to block or do something else stupid.

Have to admit the US is at an advantage: 10 out of 12 of these organizations are associated with the US.

I don't know if the other 2 have the guts to stand up to the rest. And maybe with DNSSEC in widespread use, it doesn't matter.

The sole purpose of the root operators is to allow for pointers to TLDs.

Even if they might be convinced to remove a TLD I really doubt they would accept anything else so traffic could be redirected.

Reply Parent Score: 2

RE[7]: Enough already
by Alfman on Mon 24th Jun 2013 12:54 in reply to "RE[6]: Enough already"
Alfman Member since:
2011-01-28

Lennie,

"The root operators actually can refuse to accept changes."

The root keys aren't intended to be changed; if they were, it would be a big deal.

"The root operators are multiple independent organisations."

We need to distinguish between the TLDs and the DNSSEC root key. In theory either could be compromised, but it's the private component of the static root key that would give an attacker the capability to subvert DNSSEC in its entirety.

It's said that the root key was divided by ICANN unto 7 individuals residing in different countries: Britain, the U.S., Burkina Faso, Trinidad and Tobago, Canada, China, and the Czech Republic. The official procedure is for five to be present on US soil to reveal the root key. (I'm learning some of this right now, so feel free to cite corrections if I'm mistaken on something)

https://www.schneier.com/blog/archives/2010/07/dnssec_root_key.html

Edit: I'm not sure how difficult it would be for the NSA to obtain the keys from these individuals. They might bug the computers being used (hardware or software), they might copy the keys while the individuals are sleeping, some might be hired by the NSA, there's blackmail/threats, etc. I can only speculate here since I have no actual experience with espionage ;)

Edited 2013-06-24 13:11 UTC

Reply Parent Score: 2