FC: Responses to ICANN preserving Net-stability against terrorists

From: Declan McCullagh (declanat_private)
Date: Sat Sep 29 2001 - 15:36:46 PDT

    [Karl is on the ICANN board of directors. --DBM]
    
    **********
    
    Date: Fri, 28 Sep 2001 12:23:53 -0700 (PDT)
    From: Karl Auerbach <karlat_private>
    To: Declan McCullagh <declanat_private>
    cc: <rfornoat_private>
    Subject: Re: FC: Richard Forno on ICANN and Net-stability against terrorists
    
    On Fri, 28 Sep 2001, Declan McCullagh wrote:
    
     > [ICANN representatives are welcome to reply, of course. --DBM]
     >
     > Date: Fri, 28 Sep 2001 13:46:18 -0400
     > Subject: Re: FC: ICANN tries to preserve Net-stability against terrorist
     >       attacks/RFF Reply
     > From: Richard Forno <rfornoat_private>
     > To: <declanat_private>, <politechat_private>
     > Organization: WWW.INFOWARRIOR.ORG
     >
     > I was NSI's Chief Security Officer 1998-2001, and had a ringside seat to the
     > evolution from the InterNIC to the Shared Registry System and the rise of
     > ICANN. I can safely say that the only security most of ICANN's Board is
     > interested (or qualified) to address is job security.
    
    I don't agree.
    
    As for myself:
    
    I spent about 8 years doing research, design, and implementation of secure
    operating systems and networks back in the 1970's for the US Dept of
    Defense, for the RSRE in the UK, and elsewhere.  Because some of this work
    was classified I'm not free to discuss all of it.  However, I can say that
    I've spent a lot of time dealing with capability based operating systems
    (a technology that I believe deserves to be revived), mathematical
    expressions of security policy, formal proof of correctness of operating
    systems, real-live implementations of secure operating systems and
    networks, cryptographic engines, key management systems, etc.
    
    Most of the documents are buried deep in paper archives at the old National
    Bureau of Standards.  As for the software and networks: Who knows where
    they might be these many years later.  Perhaps the most easily accessed
    bit of material is a somewhat involved letter published in the Technical
    Correspondence section of Communications of the ACM in the January 1980
    issue.  (I doubt that it's online anywhere.)
    
    It was during this work that I met Vint Cerf.  He and I spent many a long
    day dealing with the issues of integrating security and encryption into
    datagram and connection oriented protocols.
    
    And we must not forget that Lyman Chapin is coming onto the ICANN Board.
    Lyman's Internet technical credentials are impressive.
    
    And there are others on the ICANN board who have strong technical
    backgrounds, although not necessarily on Internet technologies.
    
    And let's put things in perspective.  What we're going to be doing is
    looking at many non-technical protections, like making sure that there are
    sufficient backups and procedures so that DNS infrastructure can be
    repaired.  This involves some rather low-tech things, like good off-site
    backups/escrows.  It also involves things that ICANN is merely in a truly
    coordinating role - like trying to work with those involved in the
    routing decisions of the Internet (the ISP community) in hopes that they
    will be willing and able to shift packet routing should it be necessary to
    reestablish root DNS servers at new physical locations.
    
    To my way of thinking, this kind of technical review of DNS and pragmatic
    management of the technologies that have been given us by the IETF and
    others is exactly the kind of thing that ICANN ought to have been doing
    all along.
    
                             --karl--
    
    **********
    
    Date: Fri, 28 Sep 2001 15:58:11 -0400
    From: James Love <loveat_private>
    Organization: http://www.cptech.org
    X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
    To: declanat_private
    Subject: Re: FC: ICANN tries to preserve Net-stability against terrorist 
    attacks
    
    Can we spell, mission creep?
    
    **********
    
    From: "Bridis, Ted" <Ted.Bridisat_private>
    To: "'declanat_private'" <declanat_private>
    Subject: RE: Richard Forno on ICANN and Net-stability against terrorists
    Date: Fri, 28 Sep 2001 16:38:01 -0400
    
     From today's WSJ
    
    http://interactive.wsj.com/articles/SB1001643073146154880.htm
    
    Industries That May Be Vulnerable Race
    To Boost Security and Limit Disruptions
    
    [snip...]
    
    The Bush administration for months has privately expressed concerns about
    the security of the Internet's 13 most important computers, called root
    servers, which manage global Internet traffic. These computers, controlled
    by universities, corporations, government agencies and research centers, are
    located throughout the U.S. and in Tokyo, Stockholm and London. "They are
    the most important computers running out there," says Chris Wysopal, a
    cybersecurity expert for At Stake Inc. in Cambridge, Mass. "There would be
    major problems if they were to go down."
    
    Some of these computers, such as the primary "A" root server in northern
    Virginia, operate within secure buildings, but others are far less
    protected. When congressional auditors recently checked the security
    surrounding them, "one of them was sitting in a professor's office at the
    University of Maryland," says Keith Rhodes of the General Accounting Office.
    "I would worry."
    
    These computers act as master directories for the Internet, matching
    numerical addresses with more familiar Web-site names. The primary root
    server periodically sends replicas of the master directory to the other
    servers, which act as redundant backups and help prevent the primary server
    from being overwhelmed with data queries.
    
    An official of the organization that coordinates the technical management of
    the Internet, the Internet Corporation for Assigned Names and Numbers,
    acknowledges there is "obviously a range of security on the root servers."
    
    This official notes that during testing for the year-2000 rollover, experts
    determined that even the loss of nine of the 13 root servers would have only
    marginal impact on global Internet traffic. However, other experts point out
    that each of the root servers runs similar software. "They're redundant in
    that if you can bring one down you can bring down all of them," says Peter
    Neumann, a security expert at SRI International in Menlo Park, Calif.
    
    --Ted Bridis
    
    **********
    
    Date: Fri, 28 Sep 2001 13:34:38 -0700
    From: David Brownell <david-bat_private>
    Subject: Re: Richard Forno on ICANN and Net-stability against terrorists
    To: declanat_private, politechat_private
    Cc: rfornoat_private
    
     >    How  many more years of analysis, studies,
     > and research before we see operational
     > results and increased security on such systems?
    
    Rhetorical question, right?  The "job security" aspect is telling;
    most people now running such systems don't stand to benefit
    by bringing in people who can provide operational security.
    That's a familiar dynamic, neither Democratic nor Republican.
    
    There appears to be some sentiment that technical mechanisms
    are to be avoided, and legal ones are to be preferred.  That
    of course is foolish, just trying to offload the heavy lifting, and
    will be as effective as privatized airplane security was.
    
    - Dave
    
    **********
    
    Date: Fri, 28 Sep 2001 14:10:28 -0700
    To: declanat_private
    From: Jim Warren <jwarrenat_private>
    Subject: Re: FC: ICANN tries to preserve Net-stability against terrorist
      attacks
    Cc: farberat_private (Dave Farber), freemattat_private (Matthew Gaylor)
    
     From the zeal with which US security agencies are seeking radically 
    expanded freedom to surveil, monitor and record net content, one might 
    assume that it has become an invaluable resource for terrorists worldwide.
    
    If so, then it would seem that the world's terrorists would be the LAST 
    ones to want to attack their one-and-only most-secure (via globally 
    available secure crypto software), most reliable (designed to withstand 
    nuclear attack), and best different-time different-place communication and 
    coordination system.
    
    --jim
    
    **********
    
    Date: Fri, 28 Sep 2001 15:32:35 -0700
    To: declanat_private
    From: Dave Crocker <dcrockerat_private>
    Subject: Re: FC: Richard Forno on ICANN and Net-stability against
       terrorists
    Cc: politechat_private, rfornoat_private,
             Stuart Lynn <lynnat_private>, Andrew McLaughlin <mclaughlinat_private>
    In-Reply-To: <5.0.2.1.0.20010928135313.02283030at_private>
    
    At 10:53 AM 9/28/2001, Declan McCullagh wrote:
    >[ICANN representatives are welcome to reply, of course. --DBM]
    
    Declan,
    
    I doubt that an ICANN representative will respond.  The problem with your 
    invitation is that there is nothing substantive for them to respond 
    to.  The only content in Richard's note is a series of generic slanders on 
    people and processes.
    
    In fact it is most striking that anyone from NSI would believe that they 
    occupy a position of authority, concerning service issues, given their 
    overall poor performance on transactions, customer service and, of course, 
    DNS and Whois database corruption.  (That is a corruption that they have 
    demonstrated to be far more real than the personal slander that Richard 
    tosses about freely and without substantiation.)  In fact it was remarkably 
    apt of Richard to use the term "ringside" given that NSI's performance has 
    so often been a circus.
    
    And the difficulty with these clever volleys is that they ignore the 
    serious nature of ICANN's mandate.
    
    The real problem is not that it required September 11 to cause ICANN to 
    make operations issues its first priority.
    
    It is that silliness like Richard's attacks has prevented these issues 
    from getting attention sooner.
    
    And erroneous comments like Andy Duff's mis-characterization of the planned 
    agenda do not help, either.  (Please review the ICANN announcement and tell 
    us where it says "all" other items will be pushed off the agenda, or where 
    it says anything other than "some might" be delayed.)
    
    Really, it is time to stop treating ICANN as a sandbox for rigid, 
    idealistic social and political agendas, and remember that it has a narrow 
    focus, and that is to administer some essential infrastructure 
    administration and operations.
    
    Part of the reason it has performed so badly as a vehicle for grandiose 
    goals is that those goals have nothing to do with its job.
    
    d/
    
    ----------
    Dave Crocker  <mailto:dcrockerat_private>
    Brandenburg InternetWorking  <http://www.brandenburg.com>
    tel +1.408.246.8253;  fax +1.408.273.6464
    
    **********
    
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Sat Sep 29 2001 - 16:02:43 PDT