Sandia National Labs: DNS Filtering In SOPA/PIPA Won't Stop Piracy, But Will Hurt Online Security
from the more-experts-weigh-in dept
We’ve covered at great length the problems with DNS filtering in SOPA and PROTECT IP (PIPA) and how it will harm internet security. These concerns were first highlighted by a group of people who are considered to be some of the foremost experts on (and original architects of) DNS. The MPAA and other SOPA/PIPA supporters have been trying for months to diminish these points, but have yet to find any kind of argument that makes sense. The argument they fall back on is “well, if this law breaks DNSSEC, just change the code and fix it.” This represents a fundamental misunderstanding of the technology. That’s not too surprising, coming from the MPAA, frankly. However, now Sandia National Labs, which is part of the Department of Energy, has sent a letter to Rep. Zoe Lofgren confirming most of the problems with the idea of DNS filtering, noting that it would make the internet less secure… and would do nothing to actually stop piracy.
It is not likely DNS filtering would be effective in blocking U.S. access to targeted foreign websites….
On the question of DNSSEC, the letter notes that slowing the adoption of DNSSEC would have significant “negative consequences” for US online security. While DNSSEC may not be fully rolled out yet, nearly everyone who understands this stuff knows that it’s needed to fix key flaws in DNS. And while it takes time, simply breaking it and waiting for the next generation to rewrite it from scratch would be a mistake. Many years of careful work have gone into DNSSEC. Scrapping it for some random replacement is not going to help.
At this point, I don’t see how any SOPA/PIPA supporters can still claim that the concerns over DNS blocking are unfounded. When you even have a major national lab saying that it’s a bad idea, won’t work and will be bad for online security… can the MPAA still respond with nothing more detailed than “we disagree” (which was the MPAA’s actual statement at the hearing when challenged about the security problems associated with DNS blocking)?
Filed Under: censorship, department of energy, dns, filtering, sopa
Companies: sandia national labs
Comments on “Sandia National Labs: DNS Filtering In SOPA/PIPA Won't Stop Piracy, But Will Hurt Online Security”
I am still trying to figure out who sold them on the idea of DNS censoring to begin with. Seriously, someone had to understand it well enough to tell them what it is but not well enough to understand how it works.
It baffles me. What kind of engineers do they work with? Which incompetent consultants told them this would work?
Oh well, their entire internet campaign has been riddled with incompetence so it’s not that surprising.
Consultants
Perhaps it was the same guys who made the New York Times paywall…
Like this
Sandia National Labs obviously profits from the proliferation of massive pirating. We can’t trust anyone whose business plan requires the massive theft of content.
SOPA/PIPA is tearing families apart
So Leonard Napolitano is dead set against it, while his sister Janet is in favor of it (I presume, based on her leadership of DHS & ICE).
Here’s hoping that they get together for Thanksgiving and Leonard helps her understand a thing or two.
Well, China manages DNS blocking...
And if DNS is fatally flawed, there goes your “Internet repairs damage” riff.
I’ve given you empirical example and a logical counter to a prior line of argument. You’re basically just using a “fear of change” line here. — Most things never get fixed until they are broken, so could be just the impetus needed for DNS, eh?
A key point
The redirect requirements in SOPA are not a problem because they make DNSSEC insecure, that is incidental. The problem is that the requirements themselves are unsound. Saying “well the geeks can just fix it” is idiotic, dismissive and condescending.
Well, China manages DNS blocking...
You really are mentally retarded.
So if the bill were to only mandate foreign pirate sites be blocked, how would that harm DNS? Don’t they already do that with child porn?
Credibility
Yeah right, like they have any credibility. Who’s going to believe that a watermelon research facility has any idea what they’re talking about? Might as well be the corn farmers.
Re:
it mandates anything that content owners report be blocked, foreign and domestic
The issue with DNSSEC is that it requires almost every piece of network gear to either be entirely replaced, or patched with software upgrades if possible. On many routers, this is not possible.
Currently, most networks are upgrading to allow for IPv6. Upgrades for DNSSEC may or may not be possible on all of this equipment. It is likely that until the current equipment reaches its EOL and is taken down, DNSSEC will not be any more complete than IPv6 currently is.
Further, a full implementation of DNSSEC requires replacement of everything right down to your local router at home. The time frame for that to happen is “years”, if not a decade or more at all levels.
If anything, DNSSEC turned on too early could break the internet. So DNSSEC at this point is just not really an issue, even those who created it admit that it is not widely in use and unlikely to be there any time soon.
Re:
http://www.shinkuro.com/PROTECT%20IP%20Technical%20Whitepaper%20Final.pdf
Quote:
Source: http://www.pcworld.com/businesscenter/article/235742/engineers_protect_ip_act_would_break_dns.html
When things break people go after solutions; if you believe any American will sit idle and allow censorship you are just an idiot.
Well, China manages DNS blocking...
China doesn’t have ICANN. China doesn’t have the backbone of the world’s internet reside within its borders. Therefore, what China does to DNS pretty much affects only China.
The situation is completely different with regards to the US. Because so many Internet-related and Internet using companies are based/headquartered in the US, SOPA is bad news for them. SOPA isn’t a bill being discussed in my country, but if it passes, some of my favourite websites will have to redesign themselves completely (i.e., forgo user participation entirely) even though I am accessing the site from a country where SOPA isn’t a law.
What if I want to upload a video to Youtube? Sorry, someone just accused them and Youtube’s been blocked from receiving income through its payment processors! Therefore, I can’t upload video and expect it to be watched.
Well, China manages DNS blocking...
In addition, the tech companies that will be impacted by SOPA the most will have to make a choice: either censor themselves completely…or leave the US. While not totally practical, that is what these companies are debating amongst themselves. Google, Facebook et al bring in billions to the US economy: what if they shut up shop and opened their new global headquarters somewhere else? Now suddenly, Silicon Valley is deserted, the US loses out on taxes, thousands of people are without jobs…and people still haven’t been convinced to pay for a song/movie/book/whatever.
I wonder how the fools from the industry will do “whois” searches on databases that have content blocked.
ARIN probably will be forced to remove contact information and IP addresses from its database, meaning not even they will be able to find out who is who LoL
That is just marvelous.
Re:
DNS blocking doesn’t remove a site from the internet. That is your first mistake. That is also why DNS blocking will never work.
I don’t know what they do with child porn sites but I assume it involves getting local authorities involved to remove the content from the servers and track down the perpetrators.
You see, other countries will track down citizens who engage in the vile and disgusting act of abusing children and spreading that abuse around the internet for fun and profit.
On the other hand, governments of other countries care a lot less that some guy in Hollywood or an already rich artist claims they aren’t making enough money off their population.
You see, any reasonable person sees that these two things are nothing alike and anyone that compares the sexual exploitation of defenseless children to not making enough money can probably go fuck themselves.
The Internet itself is IP
Isn’t the Internet full of Intellectual Property? Wasn’t it created using the creative minds of thousands of people? If the House and Senate were so interested in protecting IP wouldn’t they protect the Internet?
(self deluded individual who believes that government is “of the people, for the people by the people” )
You could also just skip DNS altogether.
Just make entries in your hosts file for TPB or What.cd. Circumvented.
Your pop quiz du jour
Your task is to answer these questions without resorting to any resources other than your own brain. If you can, then you might be competent to discuss this issue. If you can’t, then you should probably defer to people who actually have a reasonable grasp of the technical issues. Let’s begin:
1. What is the difference between an authoritative resolver and a recursive resolver?
2. How does DNS cache poisoning work?
3. What does NXDOMAIN mean, and when does it mean it?
4. What are the DNS requirements for a mail server?
5. What is the relationship between the TTL value and DNS caching?
6. Presuming you’re using the ISC BIND distribution, what is the best command-line program to use in order to find out DNS information?
7. What is a lame delegation?
8. What would one expect to see in the DNS A records for a multi-homed host?
9. What command-line tools do you use to trace the hierarchy of reverse DNS assignment?
10. What does “fast flux” mean, and why do we care?
Re:
Hey, a new species of troll at Techdirt: The Concern Troll
Your pop quiz du jour
So we should listen to people like David Ulevitch
How can a company that has so little knowledge of the internet and how it works, and is so scared of it, say that ‘they disagree’ when told by actual experts in not only the use of the internet but the makers of it, be believed and those experts be discounted? I know money talks louder than anything, but surely even the bought and paid for advocates of SOPA/PROTECT IP have enough intelligence to realise who’s right and who’s just really clueless and wanting to safeguard their own interests above all else.
SOPA/PIPA is tearing families apart
Wait, what? They’re related? How the hell did I miss that? Hmmmm… I feel stupid.
Re:
I don’t think the people who wrote SOPA (MPAA, etc.) are idiots. Given that, since it’s obvious that SOPA won’t do anything to stop piracy, I think that it’s reasonable to assume that’s not the goal of the legislation.
What SOPA will do is to make it easy for big companies to outright kill innovative noninfringing startups on the net. It’s very clear from their actions as well as their words that the **AAs are terrified that they are losing control of the distribution channel. SOPA is a powerful tool to let them forcibly take control of the internet as such a channel.
I think that this is the real purpose of the law. If so, then there’s nothing wrong with it, technically. It can easily accomplish that goal.
Re:
+1 Scary, but probably true…
Your pop quiz du jour
1-10) vi /etc/hosts
Yeah? Did I win?
Your pop quiz du jour
Cool I know 8 of those off the top of my head.
Do i win anything? 😉
Funny, the Internet didn’t break when Google blocked the Public Knowledge site:
“SOPA supporters question Google’s blocking of website
By Jennifer Martinez
11/18/11 5:18 PM EST
Google and Public Knowledge are both opposed to online copyright legislation in Congress, but the search engine’s blocking of the public interest group’s website this week gave supporters of the bills some new ammunition.
For part of Friday, visitors who attempted to access Public Knowledge’s site via the Mozilla Firefox browser were greeted with a bold warning message that said visiting the site may harm their computers. Public Knowledge spokesman Art Brodsky said that the organization found a piece of malicious code was slipped onto the site and Google blocked access to the site because of this security threat.
The malware has since been scrubbed from Public Knowledge’s site. But the incident has motivated supporters of the two bills, the PROTECT IP Act in the Senate and Stop Online Piracy Act in the House, to ask why the search giant is objecting to taking the same action against so-called rogue sites that offer illicit copies of entertainment content and counterfeit goods when served with a court order.
“It does beg the question, if they do this on their own to prevent malware, couldn’t they do the same when a court tells them a domain name is being used to sell counterfeits or pirated works?” a Senate aide for a member who supports the PROTECT IP Act told POLITICO.
In response, Google pointed to the testimony of the company’s copyright counsel Katherine Oyama this week at the House Judiciary Committee hearing on the Stop Online Piracy Act.
“Google takes the problem of online piracy and counterfeiting very seriously, devoting our best engineering talent and tens of millions of dollars every year to fight it,” Oyama said.
She also noted that the search company has spent more than $60 million to remove online pirates from its ad services and processed Digital Millennium Copyright Act takedown requests for nearly five million items so far this year.
Public Knowledge’s site was accessible via Microsoft’s Internet Explorer and Apple’s Safari browsers, Brodsky said. The site became available via Firefox Friday afternoon.
Brodsky lauded Google for taking action to prevent Web visitors from picking up a virus.
Both Google and Public Knowledge are staunch opponents of the House and Senate bills. They have argued the bills would threaten constitutionally protected speech on the Web, discourage online innovation and ultimately not solve the problem of online piracy.
Google’s blocking of sites infected with malware and its objection to domain name blocking and filtering in the copyright legislation are “not analogous at all,” according to Brodsky.
“The situations are very different,” he said.”
https://www.politicopro.com/go/?id=7428
Re:
it mandates anything that content owners report be blocked, foreign and domestic
Wrong FUDpacker. Only the US Attorney can bring an action that would lead to site blocking. I guess when you have no answer you simply invent a new lie.
Your pop quiz du jour
8 for me too.
I say anyone who can think of one easy way to bypass this proposed regime and realizes the importance of a single root DNS for commerce and internet stability has every right to comment.
Re:
That’s right, because Google didn’t censor the DNS or take actions that would fragment the root DNS. They control a list that users of certain browsers may choose to use to avoid malware.
That’s right, because Google didn’t censor the DNS or take actions that would fragment the root DNS. They control a list that users of certain browsers may choose to use to avoid malware.
Oh good, then they should have no problem applying this to infringing content.
Re:
I was thinking the same thing. However, rather than engage them on “I think this is what you are trying to do and if it is this seems wrong”
I thought I’d engage them on “this is what you say, it is silly and will not work”
Re:
That would be acceptable to everyone except copyright holders I think.
A voluntary list that users may or may not use and may or may not ignore based upon their choice. That is weaker than a DMCA notice.
Re:
They’re merely invoking the “executive prerogative”–the right to completely ignore reality and facts solely in favor of their own “intuition”, and force their underlings (and the rest of humanity) to deal with the details.
Re:
Did you really just cut and paste an entire behind-the-paywall article on my site in *defense* of stricter copyright laws?
Under SOPA I would need to start blocking you as an infringer, or risk having Techdirt shut down.
Re:
What are you, an idiot? Where do you think those lists come from?
The US Attorney doesn’t even bother checking those lists apparently, since they seized a lot of things that are not even infringing or against the law.
Re:
Actually for infringing content one doesn’t need DNS at all, you can just type what you want in the embedded search engine that many P2P applications have and bam! there you go.
But others would not do that, they would simply configure their DNS servers to be foreign servers that the US has no control over, which can expose people to problems.
Basically we are going back 30 years to a time when there was no authoritative DNS system and people were still developing the solutions they use today, but this time it will be decentralized so you muppets can’t meddle with it.
Re:
Yes because counterfeit and illegal filesharing are so easy to spot, right; what idiot tries to compare malware that is clear-cut to something that not even people versed in that fucking shit understand.
Re:
And let’s not forget that I can’t see any judge applying any reasonable standard to a list with thousands of entries in it anytime soon.
Frankly, and without discussing the technical merits of the letter’s contents, I am shocked beyond words that someone from Sandia would “officially” correspond with a member of Congress.
Sandia is what is known as a GOCO, which stands for Government Owned Contractor Operated, that manages the Sandia National Laboratories for the Department of Energy, the latter, of course, being an executive agency. Having worked closely with Oak Ridge, Sandia, and other labs that have managed these various DOE facilities, it is nothing short of amazing that this letter appears to have bypassed the DOE. I rather suspect that both Lockheed Martin and the DOE are about to have some very interesting conversations (what I call “bonding sessions”) with Mr. Napolitano. He may know a lot about technical matters, but does appear to be a bit naive about political matters.
Re:
I think you’ve misconstrued the issue with routers. The only way in which DNSSEC will affect most provider devices (including true layer 3 routers) is by increasing the size of DNS packets. For almost all devices that shouldn’t be a problem. ISPs, then, shouldn’t have to upgrade their infrastructure much beyond their nameservers.
Where DNSSEC could become a problem is the ALG in NAT gateways (including home routers), which is responsible for parsing DNS responses to determine which masked computer they’re intended for. Poorly implemented ALGs may be confused by DNSSEC packets. I suppose it’s also possible that some gateway devices include a caching DNS resolver or some sort of DNS proxy that would need to be updated, but I’ve personally never seen one. DNSSEC is not exactly a new protocol, however. Most reasonably new hardware should support it.
Turning on DNSSEC too early won’t break the Internet. Legacy clients will simply continue to use regular, unsecured DNS. Rolling out DNSSEC won’t do anything to change that. While it is true that clients configured to require validation will fail if the recursive resolver doesn’t support it, that’s a per-client setting and can easily be disabled.
All of that is largely irrelevant to the discussion of SOPA. Your post seems to be insinuating that DNSSEC is not ready and thus we have time to fix it. Unfortunately, SOPA doesn’t just break some implementation detail of DNSSEC as the MPAA seems to think. It breaks the very idea of DNSSEC. It enshrines in law the idea that the recursive resolver must lie to the client, which is exactly what DNSSEC was designed to prevent.
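The point made in the comment above, that a validating client cannot accept an answer the recursive resolver has rewritten, can be shown with a small simulation. This is an added example, not code from Techdirt, from Sandia or from any DNS implementation: it stands in for DNSSEC with an Ed25519 signature over a simplified textual canonical form (real DNSSEC signs the canonical wire format with the algorithm named in the DNSKEY record), and the zone name, addresses, key seed and blocklist are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"sort"
	"strings"
)

// RRset is the unit DNSSEC signs: owner name, record type and every rdata
// value of that type at that name.
type RRset struct {
	Name  string
	Type  string
	Rdata []string
}

// SignedAnswer is what a validating resolver receives: the RRset plus the
// RRSIG the zone owner produced over it.
type SignedAnswer struct {
	RRset RRset
	Sig   []byte
}

// canonical builds the byte string the signature covers. Real DNSSEC signs
// the canonical wire format; this textual form (lowercased owner name,
// sorted rdata) is an assumption made to keep the example short.
func canonical(rr RRset) []byte {
	rdata := append([]string(nil), rr.Rdata...)
	sort.Strings(rdata)
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(rdata, ","))
}

// SignRRset runs on the authoritative side: only the zone's private key can
// produce an RRSIG that matches the published DNSKEY.
func SignRRset(priv ed25519.PrivateKey, rr RRset) SignedAnswer {
	return SignedAnswer{RRset: rr, Sig: ed25519.Sign(priv, canonical(rr))}
}

// Validate is the client-side check: does the RRSIG verify under the zone's
// DNSKEY for exactly this RRset?
func Validate(dnskey ed25519.PublicKey, ans SignedAnswer) bool {
	return ed25519.Verify(dnskey, canonical(ans.RRset), ans.Sig)
}

// FilterAnswer models a recursive resolver under a blocking order: it swaps
// the A record for a sinkhole address. It holds no zone key, so the best it
// can do is forward the original RRSIG, which no longer covers the data.
func FilterAnswer(ans SignedAnswer, blocked map[string]bool, sinkhole string) SignedAnswer {
	if !blocked[strings.ToLower(ans.RRset.Name)] {
		return ans
	}
	out := ans
	out.RRset = RRset{Name: ans.RRset.Name, Type: ans.RRset.Type, Rdata: []string{sinkhole}}
	return out
}

// RunScenario ties the pieces together with constructed data and reports
// whether the unfiltered and the filtered answer validate.
func RunScenario() (unfilteredOK, filteredOK bool) {
	// Constructed 32-byte key seed; a real zone generates a random key.
	seed := []byte("example-zone-key-seed-32-bytes!!")
	priv := ed25519.NewKeyFromSeed(seed)
	dnskey := priv.Public().(ed25519.PublicKey)

	// Constructed RRset for a hypothetical zone (documentation address range).
	rr := RRset{Name: "www.example.test.", Type: "A", Rdata: []string{"192.0.2.10"}}
	answer := SignRRset(priv, rr)

	// Constructed blocklist and sinkhole, standing in for a court-ordered list.
	blocked := map[string]bool{"www.example.test.": true}
	filtered := FilterAnswer(answer, blocked, "192.0.2.254")

	return Validate(dnskey, answer), Validate(dnskey, filtered)
}

func main() {
	ok, filteredOK := RunScenario()
	fmt.Printf("unfiltered answer validates: %v\n", ok)
	fmt.Printf("filtered answer validates:   %v (client treats this as bogus)\n", filteredOK)
}
```

The filtering resolver has only the zone’s public DNSKEY, so whatever it substitutes for the A record, the RRSIG it forwards no longer matches and the client marks the answer bogus, exactly as it would for a cache-poisoning attempt; the two cases are indistinguishable to the validator. Stripping the RRSIG or answering NXDOMAIN does not help the resolver either, because in a signed zone a missing signature or a denial without NSEC/NSEC3 proof is also treated as bogus, which is why the comment says SOPA breaks the idea of DNSSEC rather than an implementation detail.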
Well, China manages DNS blocking...
Google, Facebook et al bring in billions to the US economy: what if they shut up shop and opened their new global headquarters somewhere else? Now suddenly, Silicon Valley is deserted, the US loses out on taxes, thousands of people are without jobs…and people still haven’t been convinced to pay for a song/movie/book/whatever.
What you fail to understand is that only the entertainment companies matter. They are single-handedly keeping the world’s economy afloat. Without them, the economy would be doomed, the governments would fall and the world would descend into chaos! Also, the planet would probably stop turning and the sun would go out.
Do you really want to be the cause of the extinction of the entire human race???
Re:
Here’s the net with child porn sites blocked;
…………………#…………………#……………….
Here’s the net after SOPA passes;
..#..#.##…###…##.###….####..#.###.###.##.
Any questions?
Re:
“I am still trying to figure out who sold them on the idea of DNS censoring to begin with. “
It was probably the same idiot that told them IPv6 would be the end-all and be-all of IP infringement tracking and prevention.
Well, China manages DNS blocking...
I like using the word Idiot to describe him or her.
Your pop quiz du jour
Very nice, you just posted several copyrighted questions from a DNS exam … you fucking pirate!! 🙂
The most frustrating thing about this whole mess is being able to see how easily these bills could be killed, but knowing it will never happen.
If every ISP in the country agreed to shut down their network and show each user a page urging them to contact their congressmen demanding the end of net censorship bills, SOPA & PROTECT IP would be going through the shredder by the end of the day.
I don’t think the government can legally force any private company to do business, can they? If every ISP did this, they wouldn’t lose any customers to the competition, and unless I’m mistaken, it wouldn’t cost them anything to not use their network for a few days. Of course there’s always the risk that some people will cancel their accounts in protest, but would that really be an option for most people, especially if they have nowhere else to turn?
Sure, it’s nice to say that the government doesn’t give in to blackmail, but what choice would they have? They wouldn’t have the resources to take over every ISP, and even if they did, how would that even be legal?
If a few web sites blacking out part of their pages (which I never even saw) can get half a million protest letters (or so I read) to congress, think what having every consumer level internet account shut down would do.
SOPA/PIPA is tearing families apart
Janet’s probably the black sheep of the family given how DHS is nothing more than a theater troupe.
Re:
Sadly, many routers used today in the field are unable to handle oversized DNS packets, and specifically filter for them to avoid what used to be a rudimentary type of DoS attack. Combine something like a Fraggle attack with oversized packets, and you would get all sorts of amusing and unintended results.
As a result, each of those routers along the way has to be at minimum reprogrammed not to filter oversized packets, and in many cases may not be able to handle oversized UDP packets (which they handle separately from other traffic to speed them up).
Safe to say that DNSSEC, even without SOPA, wouldn’t be here much before 2020.
It would also appear that DNSSEC was designed with the intent of hurting the ability for anyone to control or filter the net in any manner, and that itself may be enough of a reason not to go down that road.
Re:
“The situations are very different”
What a lying piece of shit slimeball.
Yeah, they’re different alright: with piracy Google makes money.
Fuck off and die Google.
Re:
“It would also appear that DNSSEC was designed with the intent of hurting the ability for anyone to control or filter the net in any manner, and that itself may be enough of a reason not to go down that road.”
If that’s the design intention of DNSSEC then I want to go down that road as fast as we can.
On the other hand if SOPA/PIPA wants to break that road then it’s better avoided. If the statement from Sandia Labs is anything to go by, the proposal is not only easily circumvented but may also have commercial and military consequences for the United States.
Europe won’t follow suit, Canada won’t, Japan won’t, China doesn’t care and, in fact, the only country I can think of that might is that already dangerously censorious country known as Australia.
In the age of the Internet the United States isn’t an island and can’t be. Doing things like this hurts the US more than it does anyone else. Consequently it doesn’t help the *AA’s one bit as it’s inconsequential to work around what they propose.
Ironic, don’t you think?
Because scribd is annoying
PDF copy of the Sandia response mirrored on S3 for your viewing pleasure.
Re:
“What SOPA will do is to make it easy for big companies to outright kill innovative noninfringing startups on the net. It’s very clear from their actions as well as their words that the **AAs are terrified that they are losing control of the distribution channel. SOPA is a powerful tool to let them forcibly take control of the internet as such a channel.”
I suspect you are dead on in your analysis of this. The people who want this are so paranoid that someone is going to get something without their getting a big chunk of money for it, that they would – so to speak – burn the entire barn (the Internet) to the ground to get rid of a few pesky rats.
Stupid.
Like this
Prove it.
Re:
Still, I see much potential for abuse if this is implemented.
Re:
Like I said earlier, the people who want DNS blocking are so paranoid of anyone getting anything without their getting a big chunk of money out of it, they’re willing to burn the barn to the ground to get rid of a few rats.
Barn-the Internet
Rats-infringers
Get it?
We’re gonna make our own DNS! With hookers and blackjack!
Re: Re:
good news everyone!
DNS filtering
I think they really did think it up themselves. They are technological children. Most of them probably don’t know how to use a computer, but the ones that do just know that you either click a link or you type in a domain name. So, they figure that if you can stop those two things, then a site is unreachable. They don’t think beyond that. That is all they can understand.
The sad thing is that incompetent fools like this are allowed to dictate tech policy.
More to the point, SOPA/PIPA are harshing my mellow.