see below .. and happy holidays ..

On Wed, Mar 31, 2010 at 11:40 PM, McTim <dogwallah@gmail.com> wrote:
On Thu, Apr 1, 2010 at 6:34 AM, Joe Baptista <baptista@publicroot.org> wrote:
On Wed, Mar 31, 2010 at 2:21 PM, McTim <dogwallah@gmail.com> wrote:
I should have specified the questions I'm asking are to ICANN. And the I don't see how ICANN has to answer to you (or to anyone) for any random MiM attack.
You must be an ICANN apologist - or else you must not understand ICANN's role in this.
I totally understand ICANN's role, it seems u do not.
Oh but I do. Let me educate you. ICANN's role is defined in the Green Paper issued by the Clinton administration - here's a history lesson http://bit.ly/9wYQq1 - one of ICANN's basic roles is stability. Obviously what happened violated the privacy and security of users in the continental United States and Chile - potentially this may have been a worldwide phenomenon. Does that sound like a stable situation to you? Not to me.
First of all I have no idea if it is a MitM attack.
IF ICANN serves the zone to L and L serves the zone as they say they do (and knowing them personally, I take them at their word) then what else would it be?? Clearly someone was rewriting DNS replies from L node in Beijing.
You mean "I". Or are you telling me "L" was also involved? I don't think the root operators are involved in this. I believe them too. And I don't know if "someone" was rewriting DNS replies. I do know DNS replies were being rewritten. I don't yet know if the "someone" you reference is a MitM attack - or just a glitch in routing - or some other error. I also know the Great Firewall of China is in between "I" root server and the rest of the Internet. Basically the Great Firewall of China firewalls the "I" root in Beijing. Now I can tell you who knows what happened here. The Chinese. Those boys keep a very close eye on their network. By now they should have debugged the problem and "I" root should be back online. I'm not impressed the "I" root is still down. It shows me ICANN can't get priority with the Chinese and are being given the bureaucratic runaround. This tells me there is a failure to communicate between ICANN - the Chinese - CNNIC and the "I" root boys. This problem should have been fixed by now.
a "misconfigured gateway" is a nonsensical notion.
It could be any silly thing that caused this. Don't play the ignoramus with me. You know systems. You're in the at-large tech club. You know one wrong character in the wrong place can cause little bugs to develop here and there on a network. The silliest nonsensical thing can cause havoc or mild annoyance (bugs). You know that. That's why ICANN needs to pick up the phone (which it has already done I'm sure) and call the Chinese and ask them the simple question - what's going on - and then get the Chinese to fix it. I think ICANN has failed in managing its relationship with the Chinese. The fact this networking error continues and the "I" root is still offline leads me to conclude the Chinese are ignoring ICANN. But again that's just speculation. We need to stop all this silly speculation coming from you and me and get down to the FACTs. Only ICANN has the power to do this and tell us what happened or is happening. Seriously - a major component of the IANA root system is offline and no one can get the Chinese government's attention?
That implies intent. So far from what I can see this was a technical error. I know you're eager to implicate China in this but so far all I see is a misconfiguration of a gateway. But your MitM attack and my misconfiguration are nothing more than good guesswork a.k.a. speculation. We need the speculation to stop and the responsible party to stand up and take a bow. That's ICANN.
I contend that it is not ICANN. L has made their claim, CNNIC has made theirs (they aren't responsible for the rewriting).
Good. They are acting responsibly in issuing denials. They should not have been placed in the situation where they have to issue denials. ICANN should have made a statement advising the world the "I" root in Beijing was taken offline and why and then told us they were investigating. I find it embarrassing that the CNNIC and "I" root operator are reduced to making denials in light of ICANN's continued silence. This is like a technical whodunit novel. So far we know the "I" root didn't do it. We also know the CNNIC didn't do it. Incidentally the CNNIC spoke on its own behalf - I do not believe the CNNIC was speaking on behalf of the Chinese Government. The Chinese won't make a public denial or any statement - nor will they even acknowledge what happened. That leaves ICANN the only party to respond. So I don't support your position that ICANN has the right to remain silent. We need to know why the "I" root flew south. And ICANN is in a much better position to get at the facts. Also if this was criminal behavior as your MitM speculation would have us believe then we need to find those people, prosecute them, and put them in jail. The Chinese could be very helpful in this sort of investigation.
It seems you want to make ICANN responsible for everything that ppl do with the DNS.
No. I do know ICANN has a duty to report when Internet stability and security flies south.
It's just not so.
It is so :)
Over the years I have seen a lot of bullshit from ICANN about security and stability. I know it's all mainly bullshit because I have always said security on the Internet is more an act of faith and has very little to do with reality or common sense. But we're stuck with it. You people embraced it, you placed blind reliance on it. We have no other option we must make it work. And that includes dumping old methods of serving root - i.e. IANA.
We have seen how much luck you have had with that over the years.
What are you talking about - the project was a massive success. I helped build a good replacement to ICANN. ICANN was shitting bricks as we took over DNS services in Turkey and most of Europe. Soon to be followed by Saudi Arabia and the UAE. The only luck here was ICANN's luck. On investigation I found the corporate structure which was to have looked something like this - http://bit.ly/atUfZw - in fact looked something like this http://bit.ly/aKyVFy - so I shut it down. Very lucky for ICANN.
i.e. China - is a good idea. The facts thus far show it is not. Maybe time to shut down the China servers and prevent further episodes from that source. That's the call I would make.
I do not accept the pass the buck attitude when it's inconvenient which is the sorry excuse you're making for ICANN. That's not right. In fact ICANN should publish something like a CERT anytime it gets MitMed or whatever. That sort of behavior is responsible - passing the buck is not.
ICANN also needs to examine if operating root servers in censored countries
ICANN does not have this level of control over rootops, nor should they IMHO.
I know. In the final analysis ICANN has very little control over anything. When ICANN started this adventure they labeled themselves a monopoly. Today the Chinese incident shows they in fact are a paper tiger.
The Chinese people are a very lovely advanced people with great national pride. But the ruling elite is retarded and corrupt. The only way I would maintain an IANA root in China is if the Government of China provided assurances it would mind its own business.
The DNS is there, it's open, no security built in. ICANN didn't build it, they are however trying to add some security, which you bitch about. You can't have it both ways.
I know the DNSSEC make work project very well. It's not a solution and is just as prone to MitM attacks. The encryption is juvenile, the economic costs are enormous and it's a bandwidth hog that fails to fix the Kaminsky bug while re-engineering the Internet in ICANN's favor. No thanks. 1% of Internet users use OpenDNS and they support DNSCurve. That's more people than there are DNSSEC domains in the wild.
http://opendns.jobscore.com/job_seeker/jobs/job_posting?job_id=b7pSvUn3ir37a...
I know about the job listing. Of course they are going to hire DNSSEC capable people. They are in the DNS business and like everyone else in the DNS business they are being forced to bear the economic cost of the DNSSEC make work project.
I'm off on safari for Easter, so fire back with all the nonsense in your arsenal, I won't be replying.
Enjoy your Easter and thank God you won't be replying.

regards
joe baptista