Arsenic and Namespace
Every few years, an elite force convenes to tackle some unprecedented
menace. You've never heard of this loose-knit league of geniuses, but
their members have saved us all on many occasions. Sometimes they take
down rogue operations or prop up fledgling humanitarian efforts. They
unmask false fronts and strike to prevent cascading failures. Last
month, news broke that our hidden heroes saved the most prominent of
celebrities from a threat of death by poisoning. The target now safely
carries these words to your screen. We almost lost the Internet.
Drink from me and you shall die.
A Glorious Hack
There are not many threats to the most complex and fastest growing system
ever engineered by humanity. Taking an axe to the server room or a knife
to bundles of fiber optic cable might cripple at most some remote,
unimportant corner of the network. When frazzled, components reboot and
recuperate. This behavior is a realized dream. Early Internet venture
capital came from the Department of Defense, who wished for a communications
network that could survive nuclear war. Their brainchild is resilient.
Despite the impressive scope, capacity and regenerative powers of the
Internet, the underbelly is not gleaming celestial order but a maze
of twisty passages forming a colossal mess. The System is not one grand
unified vision, but a million million afternoon whims hammered into
late-night projects. Whole subsystems viciously compete, then lie abandoned,
dutifully shuffling data for years with no maintenance. Interconnection
occurs through casual agreements, not law inviolate. The Internet is a
glorious hack—amazing and amazingly unlikely. If something breaks,
almost no one will understand why.
The Darkest Yellow Pages
In ages past, we users made servants of a worldwide telecommunications
network using a thick stack of paper called a phone book. To call
anyone, you thumbed through the alphabetized volume to find the desired
name, and then punched in a sequence of digits called a telephone
number. System changes, upgrades and relocations might require
the occasional reissue of the big yellow tome, perhaps with entirely
different numbers. This detail was of no consequence. The process
remained: look up, dial, and reach out and touch someone.
Relics from a bygone era.
These phone books, scattered about like oversized candy hurled at the
crowd in a hometown parade, represent an enormous security risk. Suppose
some nefarious agent from the Evil League of Evil distributed tainted
versions of the yellow pages. The names would all be correct, but modified
phone numbers would actually route you to a call center staffed by mid-level
henchmen. They might pose as the people you intended to reach and trick
you into revealing damaging personal information. Worse, these depraved
phone-book fraudsters could silently connect you to your party and
listen in on your private conversation. If you are speaking with your
banker, therapist, or travel agent, expect to be scammed out of your wealth,
blackmailed for your secrets, or robbed while visiting Boca Raton. These
treacherous deceits could all be achieved merely by swapping some numbers.
The Namespace Problem
Printing fake phone books and running a headset jockey sweatshop requires
an industrious mastermind. To my knowledge, it was never attempted. The
Internet, like its telephonic predecessor, also boasts a name-to-number
lookup system. This is one volume big enough to cover the entire world,
a phone book with a spine a mile high. Common monikers like “John Smith”
would not occupy a few column-inches but might fill thousands of
pages. Imagine scanning entries for long-lost childhood pals. The blame
lies with parents, who bestow on their precious and unique children
names that are altogether tired and commonplace. Geeks call this phenomenon
“namespace collision.” Early Internet pioneers deem the practice
unacceptable for their babies. The name of every computer is distinct.
DNS
Just as great families grow into powerful dynasties, the architecture of unique
computer names persists through spheres of influence called domains. These
regions form a sweeping hierarchy, with its genesis in top-level domains like
“com”, “edu” and “org”, down through established
second-level domains like “google”, “harvard” and
“wikipedia”, which in turn command subdomains, ad infinitum.
Every laptop on every kitchen table and every PC in every computer lab, internet
café and soul-crushing cubicle can connect to each other through one
unified Domain Name System. Type the address of your favorite website into
any computer and, incredibly, you'll be whisked to the right location. Name
lookup and information routing are ubiquitous. This phone book includes everything.
Our Hidden Heroes
The Internet's lookup utility consists of more than a single list of a billion
names next to a billion numbers. Requests, changes, moves and additions occur
orders of magnitude more often than a simple directory could ever manage.
Instead, a hideously complex algorithm tears off sheaves of the phone
book and hastily distributes them across the Internet. DNS messages bounce
around like pinballs in an engine room, continuously delegated, deferred and
captured. Information is cached and later dumped, caveats applied and priorities
considered. One component, called Time-To-Live, marks a promise of patience made
by a spunky requestor to an overloaded responder. Another, called the Transaction
ID, enables a pair of DNS participants to carry on multiple simultaneous
conversations without crossing wires. Six months ago, security researcher
Dan Kaminsky
realized that these two design features actually comprised a design flaw. The
namespace could be silently corrupted. The whole Internet could falter and collapse
through poisoning.
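How the two fields named above appear on the wire, as an added example that is not part of the original essay: it parses a DNS response, reads the 16-bit Transaction ID and each record's Time-To-Live, and applies the matching check a resolver makes before caching an answer. The function names, the sample name www.example.com and the address 192.0.2.10 are constructed for illustration; a single question and A records only are assumed.

```python
import struct

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(txid, name, ip, ttl):
    """Constructed sample: a one-answer A-record response (not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # type A, class IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)     # name = pointer to offset 12
    return header + question + rr + bytes(int(o) for o in ip.split("."))

def read_name(msg, pos):
    """Return (name, next_pos), following compression pointers with a hop limit."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[pos]
        if (n & 0xC0) == 0xC0:                     # compression pointer
            if (hops := hops + 1) > 16:
                raise ValueError("pointer loop")
            resume = pos + 2 if resume is None else resume
            pos = ((n & 0x3F) << 8) | msg[pos + 1]
        elif n == 0:
            return ".".join(labels), (pos + 1 if resume is None else resume)
        else:
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n

def parse_response(msg):
    """Return (transaction_id, question_name, [(owner, ttl, ipv4), ...])."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, pos = read_name(msg, 12)
    pos += 4                                       # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        owner, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata = msg[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
        if rtype == 1 and rdlen == 4:              # A record
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return txid, qname, answers

def accept(pending_txid, pending_name, msg):
    """Resolver-side check: cache answers only if the reply matches our open query."""
    txid, qname, answers = parse_response(msg)
    if txid != pending_txid or qname.lower() != pending_name.lower():
        return None
    return [a for a in answers if a[0].lower() == pending_name.lower()]
```

An accepted answer is held in the cache for the number of seconds given by its TTL, which is why a wrong entry persists once it gets in.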
Although there is no conclusive information about whether or not he donned a cape, cowl
and spandex tights, Kaminsky leapt into action. To prove a vulnerability is more than
an illustrious theory, a crack security expert must adopt an insidious mindset and
demonstrate their destructive powers. The seduction of evil must have plagued the lone
genius at the hour of discovery. Present solely in his mind, and implemented in working code
solely on his own computer, lay an unprecedented nefarious capacity. Indulge a megalomaniac
fantasy, and Kaminsky could have controlled the world.
This supposition is no hyperbole. A poisoned DNS can silently monitor, redirect and wreak
havoc on every form of online traffic. Criminals can read your email, modify it in transit,
and send you undetectably fraudulent messages. Any website you visit may be swapped for
a malicious, data-collecting copy. We might have our internet phone calls intercepted, bank
transactions ravaged, flight reservations cancelled, medical records stolen, and personal
identity trashed. Even the so-called Secure Sockets Layer (SSL), the lock icon that appears
in the corner of your browser, provides only false hope. SSL connections are established
via DNS.
Finding, Keeping and Sharing Secrets
Faced with the knowledge of possibly the most awesome and horrific power ever known to only
one person, Kaminsky chose to help humanity rather than unleash chaos. He assembled a
team, a group of brilliant, defect-fighting commandos. People in near obscurity who
deserve at least their own comic-book crossover series: Paul Vixie, venerated,
well-connected superhero, botnet expert David Dagon, European savants Florian Weimer
and Wouter Wijngaards, and the Japanese enterprise architect Jinmei Tatuya. This heroic
confederacy vigorously debated the issue. Kaminsky's hypothesis became accepted fact, and
eventually the covert meetings produced a workable redesign. They hoped to vaccinate the
Internet against this potential threat. They had to do it before some maniacal super
villain shared the same revelation.
A security vulnerability is the acid reflux of secrets. You must remain absolutely
mum for fear of leaking out details to the insidious forces of the world, yet vigorously
share this same information in confidence with the designers and administrators who must
act in private solidarity. The league of Internet engineers labored tirelessly in this
regard. They implored and convinced every major vendor of DNS software, from Microsoft
to Cisco to Nominum. They inspired open source contributors to quietly but efficiently
patch their free tools. They beat down the bureaucracy at the Department of Homeland
Security's Computer Emergency Readiness Team (US-CERT), judiciously flooded the
auto-update networks, and promoted the fix to system administrators across the planet.
They convinced everyone to time this worldwide upgrade to occur on a single July day.
This is akin to inventing a skeleton key that could open all the doors in the world,
and quietly empowering a million locksmiths to fix a million security holes at
precisely the same time. Had the secret design of the key surfaced or the coordination
been less than perfect, burglars would strike unrelentingly. This is Olympic-class
execution, flawless project management under some of the greatest possible stress.
Kaminsky and company succeeded.
He Who Controls
The Domain Name System is the primary artery of online interaction, the watershed
river for the grandest continent of human endeavor. The unsurpassed strategic
importance of centrality is what Julius Caesar meant by the famous assertion:
“He who controls the Danube, controls Europe.” Our heroes kept the
network safe from madmen, whose dominance and piracy might have been destructive
and largely undetectable. Kaminsky and his team safeguarded the Internet from
a specific breed of deadly poison. We owe them for every word, note and pixel
transported. Their genius, honor and diligence preserved the system.
They kept control in our distracted, distributed hands.
The engineering monstrosity which enables near-instantaneous worldwide
commerce and communication surely contains many more hidden flaws. The glorious
hack, with its cacophony of random internal noises and chewing-gum interconnects,
will be threatened again. The network of networks may be unimaginably massive and
an unparalleled financial investment, but the Internet is not mature
technology. One ingenious engineer, working alone, found a terrifying weakness
and led an astonishing collaboration to implement repairs. Thankfully, Kaminsky
is a man with a moral conscience. The next discoverer may be less scrupulous. The
potential for evil remains.