[Karl is on the ICANN board of directors. --DBM]

**********

Date: Fri, 28 Sep 2001 12:23:53 -0700 (PDT)
From: Karl Auerbach <karlat_private>
To: Declan McCullagh <declanat_private>
cc: <rfornoat_private>
Subject: Re: FC: Richard Forno on ICANN and Net-stability against terrorists

On Fri, 28 Sep 2001, Declan McCullagh wrote:

> [ICANN representatives are welcome to reply, of course. --DBM]
>
> Date: Fri, 28 Sep 2001 13:46:18 -0400
> Subject: Re: FC: ICANN tries to preserve Net-stability against terrorist
> attacks/RFF Reply
> From: Richard Forno <rfornoat_private>
> To: <declanat_private>, <politechat_private>
> Organization: WWW.INFOWARRIOR.ORG
>
> I was NSI's Chief Security Officer 1998-2001, and had a ringside seat to the
> evolution from the InterNIC to the Shared Registry System and the rise of
> ICANN. I can safely say that the only security most of ICANN's Board is
> interested (or qualified) to address is job security.

I don't agree.

As for myself: I spent about 8 years doing research, design, and implementation of secure operating systems and networks back in the 1970's for the US Dept of Defense, for the RSRE in the UK, and elsewhere. Because some of this work was classified I'm not free to discuss all of it. However, I can say that I've spent a lot of time dealing with capability based operating systems (a technology that I believe deserves to be revived), mathematical expressions of security policy, formal proof of correctness of operating systems, real-live implementations of secure operating systems and networks, cryptographic engines, key management systems, etc.

Most of the documents are buried deep in paper archives at the old National Bureau of Standards. As for the software and networks: Who knows where they might be these many years later. Perhaps the most easily accessed bit of material is a somewhat involved letter published in the Technical Correspondence section of Communications of the ACM in the January 1980 issue.
(I doubt that it's online anywhere.)

It was during this work that I met Vint Cerf. He and I spent many a long day dealing with the issues of integrating security and encryption into datagram and connection oriented protocols.

And we must not forget that Lyman Chapin is coming onto the ICANN Board. Lyman's Internet technical credentials are impressive.

And there are others on the ICANN board who have strong technical backgrounds, although not necessarily on Internet technologies.

And let's put things in perspective. What we're going to be doing is looking at many non-technical protections, like making sure that there are sufficient backups and procedures so that DNS infrastructure can be repaired. This involves some rather low-tech things, like good off-site backups/escrows. It also involves things that ICANN is merely in a truly coordinating role - like trying to work with those involved in the routing decisions of the Internet (the ISP community) in hopes that they will be willing and able to shift packet routing should it be necessary to reestablish root DNS servers at new physical locations.

To my way of thinking, this kind of technical review of DNS and pragmatic management of the technologies that have been given us by the IETF and others is exactly the kind of thing that ICANN ought to have been doing all along.

--karl--

**********

Date: Fri, 28 Sep 2001 15:58:11 -0400
From: James Love <loveat_private>
Organization: http://www.cptech.org
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
To: declanat_private
Subject: Re: FC: ICANN tries to preserve Net-stability against terrorist attacks

Can we spell, mission creep?

**********

From: "Bridis, Ted" <Ted.Bridisat_private>
To: "'declanat_private'" <declanat_private>
Subject: RE: Richard Forno on ICANN and Net-stability against terrorists
Date: Fri, 28 Sep 2001 16:38:01 -0400

From today's WSJ
http://interactive.wsj.com/articles/SB1001643073146154880.htm

Industries That May Be Vulnerable Race To Boost Security and Limit Disruptions

[snip...]

The Bush administration for months has privately expressed concerns about the security of the Internet's 13 most important computers, called root servers, which manage global Internet traffic. These computers, controlled by universities, corporations, government agencies and research centers, are located throughout the U.S. and in Tokyo, Stockholm and London.

"They are the most important computers running out there," says Chris Wysopal, a cybersecurity expert for At Stake Inc. in Cambridge, Mass. "There would be major problems if they were to go down."

Some of these computers, such as the primary "A" root server in northern Virginia, operate within secure buildings, but others are far less protected. When congressional auditors recently checked the security surrounding them, "one of them was sitting in a professor's office at the University of Maryland," says Keith Rhodes of the General Accounting Office. "I would worry."

These computers act as master directories for the Internet, matching numerical addresses with more familiar Web-site names. The primary root server periodically sends replicas of the master directory to the other servers, which act as redundant backups and help prevent the primary server from being overwhelmed with data queries.

An official of the organization that coordinates the technical management of the Internet, the Internet Corporation for Assigned Names and Numbers, acknowledges there is "obviously a range of security on the root servers."
This official notes that during testing for the year-2000 rollover, experts determined that even the loss of nine of the 13 root servers would have only marginal impact on global Internet traffic.

However, other experts point out that each of the root servers runs similar software. "They're redundant in that if you can bring one down you can bring down all of them," says Peter Neumann, a security expert at SRI International in Menlo Park, Calif.

--Ted Bridis

**********

Date: Fri, 28 Sep 2001 13:34:38 -0700
From: David Brownell <david-bat_private>
Subject: Re: Richard Forno on ICANN and Net-stability against terrorists
To: declanat_private, politechat_private
Cc: rfornoat_private

> How many more years of analysis, studies,
> and research before we see operational
> results and increased security on such systems?

Rhetorical question, right? The "job security" aspect is telling; most people now running such systems don't stand to benefit by bringing in people who can provide operational security. That's a familiar dynamic, neither Democratic nor Republican.

There appears to be some sentiment that technical mechanisms are to be avoided, and legal ones are to be preferred. That of course is foolish, just trying to offload the heavy lifting, and will be as effective as privatized airplane security was.

- Dave

**********

Date: Fri, 28 Sep 2001 14:10:28 -0700
To: declanat_private
From: Jim Warren <jwarrenat_private>
Subject: Re: FC: ICANN tries to preserve Net-stability against terrorist attacks
Cc: farberat_private (Dave Farber), freemattat_private (Matthew Gaylor)

From the zeal with which US security agencies are seeking radically expanded freedom to surveil, monitor and record net content, one might assume that it has become an invaluable resource for terrorists worldwide.

If so, then it would seem that the world's terrorists would be the LAST ones to want to attack their one-and-only most-secure (via globally available secure crypto software), most reliable (designed to withstand nuclear attack), and best different-time different-place communication and coordination system.

--jim

**********

Date: Fri, 28 Sep 2001 15:32:35 -0700
To: declanat_private
From: Dave Crocker <dcrockerat_private>
Subject: Re: FC: Richard Forno on ICANN and Net-stability against terrorists
Cc: politechat_private, rfornoat_private, Stuart Lynn <lynnat_private>, Andrew McLaughlin <mclaughlinat_private>
In-Reply-To: <5.0.2.1.0.20010928135313.02283030at_private>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-UIDL: d5f35a173a7ae9fd6219237b5a2f6906

At 10:53 AM 9/28/2001, Declan McCullagh wrote:
>[ICANN representatives are welcome to reply, of course. --DBM]

Declan,

I doubt that an ICANN representative will respond.

The problem with your invitation is that there is nothing substantive for them to respond to. The only content in Richard's note is a series of generic slanders on people and processes.

In fact it is most striking that anyone from NSI would believe that they occupy a position of authority, concerning service issues, given their overall poor performance on transactions, customer service and, of course, DNS and Whois database corruption. (That is a corruption that they have demonstrated to be far more real than the personal slander that Richard tosses about freely and without substantiation.)

In fact it was remarkably apt of Richard to use the term "ringside" given that NSI's performance has so often been a circus.

And the difficulty with these clever volleys is that they ignore the serious nature of ICANN's mandate.

The real problem is not that it required September 11 to cause ICANN to make operations issues its first priority.
It is that silliness like Richard's attacks have prevented these issues from getting attention sooner.

And erroneous comments like Andy Duff's mis-characterization of the planned agenda do not help, either. (Please review the ICANN announcement and tell us where it says "all" other items will be pushed off the agenda, or where it says anything other than "some might" be delayed.)

Really, it is time to stop treating ICANN as a sandbox for rigid, idealistic social and political agendas, and remember that it has a narrow focus, and that is to administer some essential infrastructure administration and operations.

Part of the reason it has performed so badly as a vehicle for grandiose goals is that those goals have nothing to do with its job.

d/

----------
Dave Crocker <mailto:dcrockerat_private>
Brandenburg InternetWorking <http://www.brandenburg.com>
tel +1.408.246.8253; fax +1.408.273.6464

**********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sat Sep 29 2001 - 16:02:43 PDT