Fort N.O.C.'s Security in Obscurity 297
penciling_in writes "Brock N. Meeks of MSNBC reports
on his recent visit to VeriSign's secret location: 'The unassuming building
that houses the "A" root sits in a cluster of three others; the architecture
looks as if it were lifted directly from a free clip art library. No signs or
markers give a hint that the Internet's most precious computer is inside
humming happily away in a hermetically sealed room. This building complex could
be any of a 100,000 mini office parks littering middle class America.' The
report goes on to say: 'Access to the Network Operations Center, the "NORAD"
of the Internet's traffic monitoring, requires the electronic badge and then a
double biometric hand print scan.' And here are Karl
Auerbach and Robert
Alberti offering their interesting analysis of this report on CircleID."
Good for verisign.. (Score:5, Funny)
Sure, the
I'm still fuming about that.
if its any consolation (Score:2, Funny)
and im not sure which is worse to look at... the goatse man, or rhonda...
Good (Score:2, Offtopic)
Just because you can post something doesn't mean you should post something. Redeeming value of that picture? None.
Yeah, baby, I'm using my real nick...unlike all the cowards who will doubtlessly reply.
Re:Good (Score:2, Interesting)
It's everywhere. After I got home from work tonight I sat at my wife's computer and started typing in google's URL. In the autocomplete bar I was surprised to see goatse.cx. I asked her about it and she didn't know what I was talking about. She generally hangs around in the parenting mes
Re:Good (Score:3, Insightful)
Where did I say any of those things? There are plenty of sites I don't like but I don't care if they're up or not. I'm all for free expression. But with freedom comes responsibility. Let's say all speed limits were abolished and you could drive as fast as you wanted anywhere and any time you wanted. Would that make it ok to blow past the local school at 75 when kids are about? Of course not. The point is this: just becau
Re:Good for verisign.. (Score:5, Funny)
An ode to goatse (2.73 / 19) (#59)
by komet on Sun Jan 18th, 2004 at 05:25:25 AM EST
(my user id @ the domain of my homepage) http://4you.ch
To the tune of "American Pie" by Don McLean
I can still remember how that image used to burn my eyes
And I knew if I had my chance
I could hide a link in a rant
and maybe they'd be pissed off for a while.
But January made me shiver
with every link-troll I deliver
Bad links on the doorstep, I couldn't take one more step.
I can't remember if I cried
when I heard about his orphaned site
But something touched me deep inside
the day the goatse died.
So bye bye to the goatse site
Put his fingers up his asshole and his asshole was wide.
Yeah these old trolls were on Slashdot and K5
Singing this will be the day the Net dies
This will be the day the Net dies.
Re:Good for verisign.. (Score:2, Funny)
goes from we're safe to who do we sue .. (Score:2)
A hidden danger. (Score:2, Funny)
Re:A hidden danger. (Score:2, Funny)
Re:A hidden danger. (Score:5, Funny)
Re:A hidden danger. (Score:2)
Re:A hidden danger. (Score:2, Informative)
"A" is in Dulles, VA (Score:5, Interesting)
Re:"A" is in Dulles, VA (Score:2, Funny)
Re:"A" is in Dulles, VA (Score:2)
Nah. Remember the old adage: Security through obscurity, isn't.
Re:"A" is in Dulles, VA (Score:3, Funny)
Re: "A" is in Dulles, VA (Score:2, Insightful)
Oh, great. Now we have to kill everybody that reads Slashdot.
Re: "A" is in Dulles, VA (Score:5, Interesting)
Re:"A" is in Dulles, VA (Score:2, Informative)
The address in that whois is actually where the A root resides. Not a terribly big secret, even though the building is unmarked.
I've been there (Score:4, Interesting)
"oh, you'll want to see this"
"what is it"
"A-ROOT"
"THAT tiny little thing?"
"Yup. Go ahead and touch it, everybody that comes here wants to do that. See where the paint has worn off the case?".
"Uh, ok"
"You use this thing Dave"
"Nah, I download the root zone from you [open-rsc.org]".
"Cool, for that you can buy me lunch".
"Good idea. Thai okay?"
NSI was fun once and there's lots of good stories. When the FNCAC made the NSF tell NSI to start charging for domain names none of the freaks working at NSI could believe you could charge for this and lots of checks were just pinned up to a bulletin board in a "wait and see" holding pattern for a few months. There weren't so many domains back then.
Karl Aurbach also downloads the root zone from me and you should too. Or use OpenNIC [unrated.net]'s root or even *cough*ICANNs*cough* (ftp://internic.net/domain/root.zone.gz [internic.net], or any root.zone you want but if you know what's good for you you won't rely any anybody but yourself to serve up the root zone so your computer can find pointers to the various TLD servers: primary the root for yourself and don't worry about DOS attacks on other peoples computers taking your machine off the air.
That really was the dumbest part of the change from hosts.txt to the DNS - it changed the paradigm from your computer knowing where everything was to making your computer rely on the "." zone to be able to find the computers that know where all names can be found and there's really no reason for it.
Certainly it does not scale for everybody to grab a copy of the root from one place, and Dan Bernstein has suggested [cr.yp.to] a cryptographically signed root be distributed via usenet. To this end I've created news:alt.root.orsc and will begin doing just that this quarter.
Re:"A" is in Dulles, VA (Score:2)
So, I guess (Score:2)
I can't imagine having all my domain requests going to Slashdot.org......I'd have sensory overload!
sigh (Score:4, Insightful)
There's more than the 'A' root server. Taking "it" down leaves a whole hurd of other root servers alive. Located all around the world.
The above linked articles are full of that which promoteth growth.
Re:sigh (Score:4, Insightful)
Re:sigh (Score:5, Informative)
In theory the B..M roots are fed from the A root so if they loose their update for 24 hours or so they could start shutting down. In practice the admins would soon clue up and they would just republish the last good update file they had received.
The problem comes with a bunch of pathological issues to do with what deployed DNS servers do if they cannot see root. It is not at all pretty.
Re:sigh (Score:3, Interesting)
Re:sigh (Score:5, Funny)
Shouldn't that be "a whole GNU/hurd"?
SiteFinder (Score:5, Funny)
Cool... (Score:5, Interesting)
When 9/11 happened, we were not allowed back into the building for a couple of days, but all they had to stand up as barriers were road cones. Luckily, they're finally moving to a location that isn't just obscure and secure, but armored, as I hear their Mountain View, CA location is.
How much physical security is necessary? (Score:4, Insightful)
Aren't most attacks against servers launched over that intarweb thing?
I can't recall the last time someone tried to suicide bomb a root server.
Re:How much physical security is necessary? (Score:5, Informative)
So it does happen.
I still have to test every 5-pin simplex lock for important rooms to make sure that it's not a simple combination, because when I had access to a datacenter, it was a damn simple lock.
Re:How much physical security is necessary? (Score:2)
Besides, I don't think they're worried about terrorists, but more of the Kevin Mitnick types who are willing to mix "social engineering" with computer hacking. Tell me there's not a hacker out there
Root server DDOS was October 2002 (Score:2)
Re:How much physical security is necessary? (Score:2)
Because some resources are so important that even a single breach can be devastating. It's a tough thing to engineer around. For resources like that, you calculate the cost of failure, identify a reasonable relative cost to invest to prevent that failur
In the case of a nuclear attack? (Score:5, Interesting)
If this building were destroyed by a nuclear weapon, what would be the impact on the Internet?
Re:In the case of a nuclear attack? (Score:2)
Re:In the case of a nuclear attack? (Score:4, Insightful)
Re:In the case of a nuclear attack? (Score:2)
If this building went down, then you wouldn't notice anything. IIRC, (and the article says so, I belive), all DNS info is cached at your local ISP. That's why it takes a few days to propagate across the any IP address changes to your domain...
Re:In the case of a nuclear attack? (Score:5, Interesting)
DARPA was running a research project to build a networking system capable of intelligent self re-routing in the case of points of failure, so that a single network outage couldn't prevent traffic from flowing through. The extended concept for ARPANet was that if a major segment of the network vanished it might still be possible for data to be routed, hence the `it can get nuked and still survive` quotes people toss around.
Most unfortunately the internet itself is not always as robust; if certain routers are knocked out, large segments of the networks behind them stay unreachable for long periods of time, mainly because of serious network mismanagement on the part of the people who really ought to know better.
One can also never understimate the power and prevalence of Backhoe Fade [petting-zoo.net].
Why do people keep repeating that myth? (Score:5, Insightful)
The design documentation of the Internet is globally available... wait for it.. on the Internet!
If you examine it, you will notice that
a) DNS is not part of the original design
b) as designed, it WON'T survive a nuke
c) nobody intended it to.
What it *was* designed for was a limited fault tolerance - based on the idea that phone companies suck and the guy that runs the next node is an idiot who can't be trusted to tie his own shoes.
Turns out they were right about those last two points, incidentally.
Re:In the case of a nuclear attack? (Score:4, Funny)
Oh, there's lots of things that would happen:
Mutants would crawl the Earth, CHUDs would be in the sewers, thalidomide babies would get super strong ESP and take over satellites to tell us they don't like cigarrettes and brandy, we'd have to go back to pr0n in the magazine form (but bukkake would thankfully disappear), and the Omega Man would kill zombies. There's plenty of others, but I don't want to give away the ending (but it sounds like oylent-say een-gray is eople-pay).
What were they expecting? (Score:5, Funny)
Approch, Program, and speak to your User...
Re:What were they expecting? (Score:2)
LINUX Analogy (Score:5, Insightful)
This story is news, but I kept expecting some point of contention in the article, rather than some musings on decorating schemes that were compared to clip art.
I found my point here:
The root server operators "have no contract with anyone, no guarantee of level of service, they could turn [the root servers] off tomorrow with no consequences at all because they are doing it out of the kindness of their heart," said Internet consultant Ambler. "ICANN needs contracts with the root server operators that specify minimum levels of service and minimum levels of security and the root servers need to be paid for that," he said.
Why is it so confusing to imagine that (a) People do like to do things out of the "kindness" of their collective hearts, and (b) security is not always "secured" by either contracts or money? I understand the legal protections associated with contracts, but I think there's a chance that the root server operator system, as it stands, could alternatively be viewed as something successful - something, much like the open source software movement, that works, not because of contracts or restrictive covenants, but because people enjoy contributing to something useful for their own and others' use.
Re:LINUX Analogy (Score:2)
Because unlike software, bandwidth is never free.
Re:LINUX Analogy (Score:2)
Probably because if something like this goes down, there is no one that will step up and accept responsibility. But if they were all under contract then there would be someone responsible for the failures. Its not just some project anymore, it is the heart and lungs of the entire system and it needs to give guarantees.
it only takes one (Score:2)
It only takes one bad apple...just one.
Re:LINUX Analogy (Score:5, Interesting)
Nor is there anything that prevents root server operators from giving preference to queries coming from paying IP addresses.
All of that is hypothetical, but without legally enforceable obligations, we're just hoping that nothing changes for the worse.
And things *do* change - for example, back in the 1980's SCO was a fun company here in Santa Cruz.
Re:LINUX Analogy (Score:2)
This comment goes to the heart of the matter; I hope we never see it proven correct. I also hope for universal peace and brotherhood, and you can see what good THAT does me.
Remeber Google before Google-bombing? Remember USENET before spam? Remember the World Wide Web before popups? Remember email before viruses? Remember the internet before the Morris worm? Remember all those things that didn't need to be secured because we were all pure of hear
Re:LINUX Analogy (Score:2)
You think Verisign does anything out of the "kindness" of their heart? They do it so they can control some aspect of the Internet. Do you not remember SiteFinder?
Re:LINUX Analogy (Score:2)
The people who worry about that are people who worry about maybe upsetting their current friends sometime in the future. Right now, they are friends, but what happens if in the future the different parties no longer share common goals for the DNS?
The relationship may be friendly today, but maybe not tomorrow, so the
Re:LINUX Analogy (Score:2)
Only in Verisign would the ability to sue someone be more important than a stable root-DNS server...
Re: (Score:2)
Very impressive (Score:2)
I'll say. Did you see that photo? It looks like something out of WarGames. God help us if those computers decide to play games.
nobody cared about security two years ago? (Score:5, Insightful)
I guess amazon.com [corporate-ir.net] which went public in 1997 must have been frequented only be researches and nerds for the first 5 years of operation.
Re:nobody cared about security two years ago? (Score:2)
Well, let's see...
1997, loss of $31 million
1998, loss of $125 million
1999, losss of $719 million
2000, loss of over $1 billion
2001, loss of $567 million
2002, loss of $149 million
Yeah. I'd say the statement is more or less correct.
Surprised? (Score:3, Interesting)
You have to wonder if they're a little overboard, though; the military doesn't typically have checks that secure to get into specific rooms - not even TS/SCI environments. Though, to be fair, the military certainly has an edge on physical [af.mil] security [fas.org].
I guess if you're really concerned about your data being physically secure, you could always co-lo out at Sealand [havenco.com], too.
Re:Surprised? (Score:2)
Do you trust them?
Re:Surprised? (Score:2)
They go a little overboard because they have two things the military doesn't... Insurance companies they are answerable to and lawyers that advise them.
That being said; The barriers to entry depended on what kinds of TS/SCI are being gaurded. (SIOP or crypto material for example both have their own special handling, storage, and acess
I thought the internet was decentralized? (Score:2)
And if it really is that bad, then why aren't we working on making stuff more redundant? All I know is somebody needs to spend money on this, just like the power grid. It's not glamorous, so no politician will run with it, but I think we should have some kinda dialup internet tax to pay for it.
Oh, for the days of hosts.txt (Score:5, Interesting)
BitTorrent and hosts.txt (Score:3, Interesting)
The equivalent for .com is obviously much bigger - I think there are ~35 million names (maybe that includes .net). But that's still about 5GB of highly compressible data - probably about 1GB if you sort it appropriately first. That's about the size of a Linux distribution - use BitTorrent [216.239.41.104]. That's about 3 hours on
Anyone Know What Hardware/OS It's Running? (Score:3, Funny)
Re:Anyone Know What Hardware/OS It's Running? (Score:2)
I don't know about A, but C is a Dell PowerEdge running I think FreeBSD.
Root servers don't actually do all that much, they just have to be ready to do it 24/7.
Re:Anyone Know What Hardware/OS It's Running? (Score:2)
There was much unhappy buzz at Sun when they switched from Sun (presumably Solaris on Sparc) to IBM. My guess is AIX on a big PPC box, being that IBM was not a Linux company at the time and Linux didn't/doesn't exactly take advantage of that kind of hardware either.
Re:Anyone Know What Hardware/OS It's Running? (Score:3, Interesting)
I'm not sure if your question was serious or not but I was curious about the OS used for this.
The best I could do was this [icann.org] document referencing Y2K from ICANN's site.
From the page:
I would not be surprise
Re:Anyone Know What Hardware/OS It's Running? (Score:3, Informative)
http://www.nlnetlabs.nl/nsd/index.html
Paul
Backhoes don't respect biometric hand prints (Score:5, Insightful)
The other potential source for a single-point of failure is the OS that the root server uses. If Verisign uses any kind of monoculture, they will not be as secure as we might hope. A hacker or botched OS patch could hose the thing.
Re:Backhoes don't respect biometric hand prints (Score:4, Funny)
I think we can be reasonably certain that VeriSign (a) only runs as much of an OS on their root server as is absolutely necessary, and (b) only patches it when it's thoroughly tested and approved by people who know what they're working on.
The way you talk, it's like you think the employees use the server for gathering Unreal Tournament games after hours or something.
Fallibility of testing and monocultures. (Score:2)
I agree that Verisign is extremely careful in exactly the ways that you suggest. But I also remember the MCI Frame Relay outage of 1999 [findarticles.com] and Therac-25 Accidents [vt.edu]. The point is that any regime of tests and analyses will only eliminate a percentage (admittedly a high perc
posting from root developer maillist (Score:2)
[DNS-Root-Developers] Need help setting up with 2.6.0_test3 and alsa on A root.
Dewie Cheatem dcheatem at verisign.com [mailto]
Mon Jan 05 06:27:14 EST 2004
---
Hey guys. I've just reinstalled the A Root with Lindows and thought I'd try p
From the article (Score:2)
Hi, I'm stupid (Score:2, Flamebait)
And I think that more government interference with the Internet is Good.
And I believe FUD.
And that Al Gore is pretty technical guy.
And I use AOL on my 'puter.
Please send more informative articles like this. I use them to line the insides of my tinfoil hats.
Thank you very much.
Wrong (Score:2, Funny)
Ummm...it's not really that secret (Score:4, Interesting)
Now, there are other buildings in DC that's are much more cool. Like the one on the Toll Road with green "windows" that are merely for appearances as the entire building is solid concrete. Or the stuff in Crystal City that is bathed in electronic white noise to prevent eavesdropping.
Re: (Score:2)
Sod it. (Score:5, Funny)
Unless the NOC was ordered at this [villainsupply.com] place, I'm not impressed.
Seen on the sidewalk the next day... Oh Shit (Score:5, Funny)
--\
)(
--/ \--
20 MBs
Not exactly a dupe.... (Score:4, Informative)
To be honest it is kind of embarassing that I immediately thought- "I just saw something just like this on slashdot not long ago" to find out it was almost 2 years ago. I didn't look at the new article close enough to see if there were any big differences over the years. To be honest the articles are spooky similar. Hmmmmm.
Woah (Score:2)
Almost.
Really tight security... (Score:2, Funny)
Visitors are "tagged and bagged" and made to sign de facto non-disclosure agreements before being lead to an elevator.
"Tagged and bagged"? Really? Visitors are killed, inventoried, and their remains placed into a body bag? And then they're asked to sign an NDA?
That really is tight security!
Wrong Architecture = More Fragile (Score:5, Informative)
- Distributing the database to major servers (at least one machine from each of the 13 often-virtual root servers, plus the master DNS servers at the Tier 1 ISPs, the CCTLD servers, and some small number of other sites
- Answering DNS queries from the major servers
- Answering DNS queries from any random machine on the Internet
The system becomes performance-critical to lots of people because too many machines send queries to the root servers (or theThe root zone itself is probably under 10KB of data that doesn't change every day - if you provide a separate server for zone transfers and let 1000 other DNS servers have access to it (firewalled to prevent any other IP traffic), that's about half an hour on a 56kbps modem. Remember that all it's doing is answering good questions like "Where are .com's name servers?" "Where are .za's name servers", bad questions like "Where are .example,com's name servers?", "Where is 10.in-addr.arpa?" and ugly questions like "Where is Ping of Death?". Let the major servers handle most of the work, absorb the ugly packets and do some queries for bad packets, and let the general public query those anycast machines - they should be querying their ISPs' servers, or their upstreams', which cache the real information, and even when their queries aren't bogus, they shouldn't be blocking the internet-stability-critical traffic.
The .net, .com, and .org domains are a similar problem, except of course they aren't served by the root servers. The zones are much bigger, a few gigabytes size, but probably only 10% of it changes in any given month, or 99.9999% of the existing domains, which ought to be enough to call the Internet stable, using about 1 Mbps (10GB * 1%/day * 8 bits/byte / 24*60*60 ), and again, keep the public query traffic separate from the zone transfer traffic, and maybe offer a third set of DNS servers to answer queries from the big ISPs to handle things like newly created domain names. The reason to keep that kind of query traffic separate is to avoid attacks like "query bogus00001.com" "query bogus00002.com" ... etc.
Obvious flame-attracting discussion points:
Thumbs Both Ways (Score:2)
Thumbs up to consultant Christopher Ambler for getting them to print "rat's ass."
"From our perspective, I think that clearly we are the leader in that particular area..." says Ken Silva... He believes that none of the other root server operators can match VeriSign's investment. etc, etc, etc. Abruptly he pulls his hand away, like a small child sensing the heat radiating from a stove burner. "Can you pull that door closed? I didn't hear
I know where it is! (Score:2)
98% of Root Server Queries are Unnecessary (Score:5, Informative)
$150 million, $0 of which went to the doors (Score:4, Funny)
A bit later
"Can you pull that door closed? I didn't hear it click," he asks of the person standing nearest to the first door.
"Click."
Sheesh, for $150 million you'd think a robot would double check the door for them.
Re:Ahhh... So Surveillance Is Easy (Score:2)
Didja not read the article? Do you not know how DNS works? Are you being sarcastic? Paranoid? Stupid?
Re:Ahhh... So Surveillance Is Easy (Score:2)
Re:Ahhh... So Surveillance Is Easy (Score:2, Informative)
The Domain Name System works by sending out a verified master list to other servers on a graduated time scale. This way no one, two, or twelve servers gets nailed with lookups from THE ENTIRE INTERNET....
Those Primary and Secondary DNS number you're asked to enter when doing network setups are for the partial copies stored on the (insert any number of levels) nth server from the master.
If it can't find the match on one of those, it'll ask others, until a timeout occurs.
There is nothing to stop
Re:Ahhh... So Surveillance Is Easy (Score:2)
Ready?
1...
2...
3.[End of Line].
Re:Is this really a secret? (Score:5, Funny)
The hookers and the johns could really be Verisign employees running the root server.
In case a real customer showed up and was unfazed by the police station next door, tell him that most of the girls are at the doctors office for their tuberculosis test and the rest are being treated for various venereal diseases.
Or you could disguise it as a crack house. The neighbors would assume that everyone running around with machine guns were drug smugglers.
Or just disguise it as a police station. When someone comes in seeking assistance, tell them "We don't handle those kind of cases any more."
Re:Is this really a secret? (Score:2)
>
> The hookers and the johns could really be Verisign employees running the root server.
>
>In case a real customer showed up and was unfazed by the police station next door, tell him that most of the girls are at the doctors office for their tuberculosis test and the rest are being treated for various venereal diseases.
The problem here is that the dot-com boom thre
Re:Is this really a secret? (Score:5, Interesting)
Nope, VeriSign was never in Palo Alto. It was dotCom era, rents in Palo Alto were way high by that time. VeriSign started in Redwood Shores and then moved to Mountain View. These days they own the old Netscape campus.
The operations center is another matter, those are in unmarked buildings at several locations. If you look at some of the displays of root server locations you will see blobs in the San Francisco and Washington D.C. areas. Well duhh! Who would have guessed that the DNS servers would be so close physically to MAE West and MAE East?
The Circle ID stories are both slashdotted. So we can't hear if Karl and co are saying 'nah, we don't need high bandwidth roots capable of a good slashdotting' which if they were would be somewhat ironic.
The point that the article does not really mention is that at the moment running the DNS roots is done on a voluntary basis. ICANN is getting a free ride here. After the DDoS event in 2002 it was clear that 1) the roots were a major target 2) There was a big difference in the quality of service.
Given the importance of the roots shouldn't we actually invest something so the people running them can afford to do the job well? VeriSign can afford to run its systems the way it does because it has revenue from other sources. How do you justify the cost of a high end four way server to be dedicated to root ops if you are a non-profit? ICANN could at least pay for hardware and bandwidth.
Re:Not so impressive (Score:4, Funny)
Re:Why one place? (Score:5, Informative)
Anycast is a way of using routing information so that a single IP address appears at many locations on the net. Packets flowing to an anycast IP address tend to go to the nearest instance of such an address.
Physical security isn't the risk that the roots face - the issue is damaged connectivity to those 13 addresses on which those root machines are to be found.
As I mentioned in my note on Circle-ID, the biggest risk isn't to root servers but rather to the set of servers that deliver
I've suggested a "DNS on a CDROM" (which I guess should be updated to "DNS on a DVD") in which all the stuff needed to get a local but limited DNS running in cases when a community has been cut off from the main body of DNS services.
DNS on a CDROM/DVD (Score:2)
I'd like to hear if anybody has tried loading the come zone on a PC running DJBDNS. By my seat of the pants reckoning it ought to work.
Re:Why one place? (Score:3, Interesting)
Let's see if I can deal with at least some of 'em.
First, regarding use of data on a CD/DVD to recover locally - this is for use when a community is cut off, as happened here in Santa Cruz in 1989 when we have a medium sized earthquke. There were enough folks here with enough gear that we could rebuild a local, usable net to assist with recovery even though the links over the mountain to the rest of the world took a while to be restorred. In that situation the fo
Re:Big Deal (Score:2)
Technically, they are not very powerful at all - they can't do anything which you couldn't work around by tweaking a configuration file or two. The only problem is that not many people know that, and that tweaking a configuration file or two on billions of systems is a minor logistical problem, so you fixes are effectively only possible for those who care enough.
Re:Thier editors ... (Score:2)