Former DHS Assistant Secretary Stewart Baker On SOPA 2.0: Still A Disaster For Cybersecurity

from the no-surprise-there dept

One of the most credible critics of SOPA -- and one whose concerns certainly got the interest of Congress during the November Judiciary Committee hearings -- is Stewart Baker, the former Homeland Security Assistant Secretary and former NSA General Counsel, who argued that it would be a disaster for online security. So now that Lamar Smith has updated the bill to supposedly take into account the concerns of experts like Baker, how does he feel about the bill? Apparently, he still thinks it's a total disaster for online security:
Unfortunately, the new version would still do great damage to Internet security, mainly by putting obstacles in the way of DNSSEC, a protocol designed to limit certain kinds of Internet crime.
Baker lays out, in plain English, the problem here:
Today, it’s not uncommon for crooks to take over Internet connections in hotels, coffee shops and airports -- and then to direct users to fake websites. Users sent to a fake banking site are prompted to enter account and password data, which is used to loot the account. DNSSEC prevents such attacks by giving each website a signed credential that must be shown to the browser by the domain name system server before the connection can be completed.

That’s a great idea, but crooks will predictably try to override it. Their best bet is to claim that the website doesn’t have a signed credential – a claim that will be plausible at least during the transition to DNSSEC. What should a browser do if a website says it doesn’t have a signed credential yet? The site might be telling the truth, or it might be a fake site backed by a DNS server that’s been tampered with. To find out, the browser needs to ask a second DNS server, and if that server doesn’t give an answer, a third and a fourth server until it gets an answer. That’s the only way to keep criminals from blocking the real DNS credentials and offering their own.

Unfortunately, the things a browser does to bypass a criminal site will also defeat SOPA’s scheme for blocking pirate sites. SOPA envisions the AG telling ISPs to block the address of www.piracy.com. So the browsers get no information about www.piracy.com from the ISP’s DNS server. Faced with silence from that server, the browser will go into fraud-prevention mode, casting about to find another DNS server that can give it the address. Eventually, it will find a server in, say, Canada. Free from the Attorney General’s jurisdiction, the server will provide a signed address for piracy.com, and the browser will take its user to the authenticated site.

That’s what the browser should do if it’s dealing with a hijacked DNS server. But browser code can’t tell the Attorney General from a hijacker, so it will end up treating them both the same. And from the AG’s point of view, the browser’s efforts to find an authoritative DNS server will look like a deliberate effort to evade his blocking order.
This is a pretty big problem, because SOPA has that nasty anti-circumvention clause in it. And just the very act of fraud detection is a form of circumvention, which will violate SOPA. Think about that for a second. Basically a browser that does the most secure and reasonable thing in the face of a possible man-in-the-middle attack... is now liable for breaking the anti-circumvention clause. This is pretty scary.
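The fallback behavior Baker describes can be modeled in a few lines. This is an added example, not code from Baker, Techdirt or any browser: the resolver functions, the `.example` names and the addresses are constructed, an HMAC stands in for DNSSEC's public-key signatures, and the client is assumed to already know which zones are signed.

```python
import hashlib
import hmac

# Constructed toy model. Real DNSSEC validates public-key RRSIG records through
# a chain of trust; an HMAC under ZONE_KEY stands in for that signature here.
ZONE_KEY = b"constructed-zone-signing-key"
# Assumption: the client has learned from the parent zone which names are signed.
SIGNED_ZONES = {"bank.example", "piracy.example"}
REAL_ADDRS = {"bank.example": "192.0.2.10", "piracy.example": "192.0.2.20"}


def sign(name, addr):
    return hmac.new(ZONE_KEY, f"{name}|{addr}".encode(), hashlib.sha256).hexdigest()


def honest(name):
    """Resolver that returns the real address with its signature."""
    return {"addr": REAL_ADDRS[name], "sig": sign(name, REAL_ADDRS[name])}


def hijacked(name):
    """Tampered resolver: fake address, claims the site has no credential."""
    return {"addr": "203.0.113.66", "sig": None}


def dropped(name):
    """Tampered resolver that suppresses the answer instead of forging one."""
    return None


def make_blocking(blocked):
    """Resolver under a blocking order: silent for listed names only."""
    return lambda name: None if name in blocked else honest(name)


def classify(name, answer):
    """Everything a validating client can observe about a single answer."""
    if answer is None:
        return "no-answer"
    if answer["sig"] is None:
        # Unsigned is acceptable only for zones that are not signed yet.
        return "unsigned" if name in SIGNED_ZONES else "insecure-ok"
    good = hmac.compare_digest(answer["sig"], sign(name, answer["addr"]))
    return "valid" if good else "bad-signature"


def resolve(name, resolvers):
    """Ask each resolver in turn until one gives an answer that validates."""
    trail = []
    for label, resolver in resolvers:
        answer = resolver(name)
        verdict = classify(name, answer)
        trail.append((label, verdict))
        if verdict in ("valid", "insecure-ok"):
            return answer["addr"], trail
    return None, trail


if __name__ == "__main__":
    # Hotspot hijack: the forged unsigned answer is rejected, the next one accepted.
    print(resolve("bank.example", [("hotspot", hijacked), ("second", honest)]))
    # Blocking order and answer suppression leave the same trail of verdicts.
    isp = make_blocking({"piracy.example"})
    print(resolve("piracy.example", [("isp", isp), ("other", honest)]))
    print(resolve("bank.example", [("isp", dropped), ("other", honest)]))
```

The last two calls produce the same sequence of verdicts, which is the point of the argument: from inside `resolve`, a court-ordered silence and a criminal one are the same observation.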
It’s hard to escape the conclusion that this provision is aimed squarely at the browser companies. Browsers implementing DNSSEC will have to circumvent and bypass criminal blocking, and in the process, they will also circumvent and bypass SOPA orders. The new bill allows the AG to sue the browsers if he decides he cares more about enforcing his blocking orders than about the security risks faced by Internet users. Indeed, the opaque language about “another in concert with such entity” makes perfect sense in the context of browser extensions. It allows the AG to sue not just browsers but also add-ons with this feature.
The end result, of course, is that companies will avoid implementing DNSSEC -- an important standard that's been under careful development for over a decade:
Now imagine you are Microsoft, or Google, or Apple, or Mozilla. The DNSSEC guys come to you and ask you to implement DNSSEC. It won’t increase your revenue, they admit, but it will make the Internet much safer for your users. You want to be a good internet citizen, so you think maybe you should devote some precious code-writing resources to the cause. But first you ask your lawyers whether they foresee any problems.

“Well, yes,” they’d have to say. “If you add code to the browser that implements DNSSEC, you’ll have to add code that circumvents criminal hijackings of the DNS system. And that code can be declared illegal by the Attorney General pretty much whenever he likes. You can litigate about it, of course, but if you lose, the AG can shut down all shipments of your browser until it’s been revised to the satisfaction of his staff and their advisers in Hollywood.”

Faced with that advice, would you implement DNSSEC?

Neither would I.
Yeah. Basically, sixteen years of hard work to build a system that will prevent man-in-the-middle attacks and keep the internet much safer... washed completely down the drain because Hollywood still can't understand basic economics of how to make money online. And folks in Congress actually think this is a good idea?


Reader Comments

  1.  
    John Doe, Dec 15th, 2011 @ 10:28am

    So when will DNSSEC be available?

    Ignoring SOPA for a minute, at what time was DNSSEC supposed to be available? Why has it taken 16 years to implement a feature that sounds like it should be easy to implement?

     

  2.  
    Ninja (profile), Dec 15th, 2011 @ 10:29am

    They don't understand SHIT

    That's the problem. I'm following your tweets and a few others and it's a horror show. They have NO CLUE on how the internet works. Actually they don't know how SOPA works either, they just want to pass for the cash.

     

  3.  
    John Doe, Dec 15th, 2011 @ 10:32am

    Re: They don't understand SHIT

    Actually they don't know how SOPA works either

    Do they really know how anything works? Or the real effects of the legislation they are passing? I would equate a career politician to a career professor. They may have lots of book smarts, but they really have no understanding of how things work in the real world.

     

  4.  
    Anonymous Coward, Dec 15th, 2011 @ 10:33am

    " Basically, sixteen years of hard work to build a system that will prevent man-in-the-middle attacks and keep the internet much safer... washed completely down the drain because Hollywood still can't understand basic economics of how to make money online."

    The problem? Sixteen years of hard work resulted in a system that few if any actually use, few have implemented, and few have plans to implement in the reasonable time frame future.

    Using DNSSEC to block SOPA is like using the "future flying car in every garage" idea to block funds for roads.

     

  5.  
    Ninja (profile), Dec 15th, 2011 @ 10:36am

    Re: Re: They don't understand SHIT

    True enough, my best teachers at College were the ones that worked in the industry. Academic staff should be required to have some real life experiences lmao.

    Politicians should be required to spend a day like a common citizen in poor and middle classes, a day trying to understand anything they want to legislate on etc etc

     

  6.  
    Anonymous Coward, Dec 15th, 2011 @ 10:38am

    Sure it's a good idea, if you want to make a career out of identity theft. Why should identity thieves have to work extra hard to steal your identity, and your money?

    Can you imagine the frustration of hiding behind a door for a couple of hours, ready to steal the wallet/purse of whoever walks through the door, only for everyone to just walk around you and your door? That's exactly what SOPA is meant to prevent on the Internet!

    With SOPA everyone will have to walk right through your door and get robbed, rather than go around your ambush! And when anyone goes around your door you can complain to the US AG for their circumvention! If you're feeling generous enough you might even let the AG take a share of your loot from your identity theft!

    And the system will even benefit you the consumer. If you walk through an identity thief's door (and get your identity and money stolen in the process), the AG won't fine you or throw you in jail for circumvention! Everyone wins!

     

  7.  
    Anonymous Coward, Dec 15th, 2011 @ 10:39am

    Re: So when will DNSSEC be available?

    Why has it taken 16 years...


    Lmgtfy.

    Andrew Odlyzko: “The myth of Internet time”

    You should know who Andy Odlyzko is. (Formerly AT&T, now University of Minnesota DTC, very well-respected, and extremely intelligent.)

     

  8.  
    Ninja (profile), Dec 15th, 2011 @ 10:40am

    Re:

    It's a system that needs to be implemented slowly. It's like changing from Windows XP to the next version. It's not simple, there are systems that might not run, adjustments that need to be made.

    Your analogy is flawed. Flying cars still need the ground. And they don't address any security or structural issue like DNSSEC. Please troll harder.

     

  9.  
    Ninja (profile), Dec 15th, 2011 @ 10:43am

    Re:

    RT @doctorow: If your bill needs to be amended to ensure you don't sue a refrigerator, it's broken. #SOPA

    Just read this tweet from Public Knowledge and then your post. Priceless.

    It's broken, it shouldn't even be taking them that much time to strike it down.

     

  10.  
    BigKeithO (profile), Dec 15th, 2011 @ 10:44am

    Sounds to me like SOPA is just going to lead to a bunch of tech companies moving to Canada or Europe to avoid this crap. The US should start turning into an internet back water any day now. Sad for the US, good for Canada!

     

  11.  
    Anonymous Coward, Dec 15th, 2011 @ 10:49am

    now we know the real backers of this bill

    and they always told me crime doesn't pay

     

  12.  
    Anonymous Coward, Dec 15th, 2011 @ 10:49am

    Re: So when will DNSSEC be available?

    "sounds like it should be easy to implement"

    Well, John Doe, if it sounds easy to you, it must really be easy.

     

  13.  
    Anonymous Coward, Dec 15th, 2011 @ 10:53am

    SOPA doing what it was designed to do?

    Kill the internet and force us all back to brick and mortar? No more digital downloads... go buy your hardcopy of each media item.

    I jest... right?

     

  14.  
    Ninja (profile), Dec 15th, 2011 @ 10:59am

    Re: So when will DNSSEC be available?

    Took 16 years to build it. Implementing should take a few more years. As I said below, M$ is trying to get customers to change their OS from XP to Windows 7. I can see the problem here, we've run into several issues here in my company when migrating. Can you imagine an internet wide thing? I can't.

     

  15.  
    Anonymous Coward, Dec 15th, 2011 @ 11:00am

    Re: Re:

    Actually, flying cars fix a lot of things. Kids can't get hit at crosswalks (because there wouldn't be any), you don't have to worry about your dog running into the road (because we wouldn't need any), and the bill to maintain the sky would be way lower than it is to maintain roads.

    The point is really that DNSSEC is a great idea that is still a non-implemented pipe dream, and that was admitted by the people who created it. It's not generally in use, and there is little movement towards using it. In fact, outside of the true tech heads around here, most people wouldn't have known what it was until EFF started going off about it during their anti-SOPA campaign.

    Basically, it's "one day we might have this security system for something, so you can ignore all the crime now because one day we will fix something else".

    Further, given the restrictions of SOPA, I am confident that a modified DNSSEC style protocol will exist that will allow for local exclusions, while maintaining security.

     

  16.  
    Anonymous Coward, Dec 15th, 2011 @ 11:03am

    Once the American people wake up to find the Internet censored I think that even though there are a lot of "mindless consumers" still many of the younger folk growing up are or have been around Computers for at the very least a decade.
    Hopefully there will be a call to a lot more than just a tent and walking around with a poster. I am really angry and disgusted.
    SOPA/PIPA is a direct assault on this whole Country. If only I had a little more money as I would love to put a website up called boycott hollywood or something like that.
    And I am also ready to go to Washington and March on that Cancer along with millions. I do not think in the end they are really going to get away with this untouched.

     

  17.  
    Anonymous Coward, Dec 15th, 2011 @ 11:08am

    Re: Re: So when will DNSSEC be available?

    Can you imagine an internet wide thing? I can't.

    “The world is home to 7 billion people, one third of which are using the Internet.”

              —ITU, The World in 2011: ICT Facts and Figures

     

  18.  
    Anonymous Coward, Dec 15th, 2011 @ 11:14am

    Re: Re: Re:

    ... DNSSEC is a great idea that is still a non-implemented pipe dream...


    Top Headlines from DNSSEC Deployment.Org:

    • Czech mobile operator Vodafone now secured with DNSSEC (Dec 12, 2011)

    • Paypal, more ccTLDs deploy DNSSEC (Dec 9, 2011)

    • Comcast signs 90% of its domain names; urges commerce, banking domain owners to deploy DNSSEC (Dec 8, 2011)

     

  19.  
    Josh in CharlotteNC (profile), Dec 15th, 2011 @ 12:17pm

    Re: So when will DNSSEC be available?

    Why has it taken 16 years to implement a feature that sounds like it should be easy to implement?

    You might as well ask why it's taken Microsoft the same amount of time to come out with an OS that both works well and is relatively secure. That sounds easy, right?

     

  20.  
    Josh in CharlotteNC (profile), Dec 15th, 2011 @ 12:29pm

    Re: Re: Re:

    and the bill to maintain the sky would be way lower than it is to maintain roads.

    Perhaps, but your flying car insurance will cost so much that you'll beg to go back to paying for roads. The reason flying cars are not workable for the foreseeable future is a human issue.

    It's not generally in use, and there is little movement towards using it.

    You're wrong about that. There has been tremendous movement in the past year or so to really get it working. It's like the transition from IPv4 to IPv6. There are so many things that can go wrong when you're changing one of the fundamental pieces of an incredibly complex system (the internet). So the prudent approach is to test, retest, and implement slowly, monitor, and make sure it works the way it's supposed to before moving on to the next bit.

    I am confident that a modified DNSSEC style protocol will exist that will allow for local exclusions, while maintaining security.

    If you can give a detailed overview of exactly how that would work, even in theory, I'll listen. Otherwise you're just wildly speculating on something you know nothing about.

     

  21.  
    Casey, Dec 15th, 2011 @ 12:49pm

    Let's pretend that it does pass...

    From a totally realistic point of view, how in the hell is this bill going to stop piracy? Once implemented, the Fed would have to spend billions processing questionable sites. After that mule's been flogged, they would have to somehow mystically filter anonymous domains like Tor. That will cost (the taxpayers) way more than the value of lost profits.

    Also, once a domain has been blacklisted, the criminals could just choose a different one. Really, how hard would it be to scam this new system?

    This is clearly just a ruse. The Fed wants a nice little perch on your headset, so it can spoon feed you fascist bullshit via the Internet (yes, I'm one of those people).

     

  22.  
    Overcast (profile), Dec 15th, 2011 @ 1:07pm

    SOPA is a great bill... of fail.

    But it can be beat with a host file.

     

  23.  
    Anonymous Coward, Dec 15th, 2011 @ 1:20pm

    Yes, our politicians think this is a good idea because they are paid very well by large Hollywood media companies to think that way. When has an American Congressman shown common sense? Especially when it comes to the right thing to do vs. Money. Money is undefeated and wins every time in Washington.

     

  24.  
    Anonymous Coward, Dec 15th, 2011 @ 1:41pm

    Re: Re: Re: Re:

    I am not a network technician, nor do I write high end protocols. However, any secure structure needs to allow for regional differences, or it is too rigid to work. Any country with any sort of filtering (I am thinking all of the middle east, much of Asia, some of Europe, etc) cannot use DNSSEC. That is a major strike against it.

    They need to head back to the drawing board to allow for some sort of regionalization, otherwise the system will never be truly secure and fully adopted.

     

  25.  
    TtfnJohn (profile), Dec 15th, 2011 @ 8:30pm

    Re: Re: So when will DNSSEC be available?

    As most internet servers run either BSD or Linux the actual code update would be, compared to Windows, relatively trivial the way 'Nix systems are built. Where the problem comes in is who does what when, adoption through the entire ecosystem and that sort of thing. Along the lines of the XP to Win7 issues you're talking about only with other networking issues on top of that. DNSSEC would also cause, at least in the adoption stage, slower connections to new sites which would annoy some people who will immediately complain about it. Certain AC's here come to mind.

    And I'm not surprised it's taken 16 years as it's basically a roll-over/roll-across fail safe and would have to be tested and retested 18 different ways come Sunday then tested and retested again.

    But heck, Congress and the entertainment industry can toss that out the window because who cares about security when all that matters is Hollywood's money and, ahhhhhhhhhh, deliberate mistruths.

     

  26.  
    tsavory (profile), Dec 15th, 2011 @ 10:13pm

    Re:

    host file already in place to anywhere I normally go just in case. Got all my backups I have uploaded to file servers backed up to local hard drives as well and going to start working on a website (in the next few days) to start a class action suit against whoever decides to block me from my legal files first as I have no infringing content on any one of these servers. I know I can't take them on myself but I think if I find enough that use the sites legally to join me some big law firm will be willing to make a payday. So come on RIAA MPAA.

     

  27.  
    Josh in CharlotteNC (profile), Dec 15th, 2011 @ 10:57pm

    Re: Re: Re: Re: Re:

    However, any secure structure needs to allow for regional differences,

    That's new. Also, completely and utterly wrong, at least in the way I think you mean it. Because you know, I am a network technician, and I am in computer security at one of the largest banks in the country.

    Any country with any sort of filtering (I am thinking all of the middle east, much of Asia, some of Europe, etc) cannot use DNSSEC. That is a major strike against it.

    That is a tremendous benefit to it. DNSSEC is specifically designed not to allow anyone (be it a nation state or your 12 year old neighbor who has hacked your router) to break the trust chain between you and the authoritative DNS root servers. If you poke a hole in it to allow country XYZ to intercept or modify the communication between you and the DNS servers, it is by definition no longer secure.

    otherwise the system will never be truly secure and fully adopted.

    No system is ever "truly secure" nor is full 100% adoption necessary for a determination of success. Not every risk can be perfectly mitigated. There will always be those who do not use standards and work out their own solutions. But those are not good reasons for intentionally designing something with gaping security holes.

     

  28.  
    Berto, Dec 22nd, 2011 @ 5:52am

    http://www.mspy.com

    this is somewhat useful… can i request basic cmd for networking… like tracert,arp,netstat,ipconfig n so on… thanks v4l!

     
