Thursday, January 19, 2012

The utter security disaster that was the SOPA DNS restriction

The most interesting part of the whole SOPA/PIPA debate is the restriction that the original bills placed on DNS, the Internet Domain Name System.  The first objections were raised by the White House, and the DNS clause was quickly dropped.  None of the media outlets are looking into this at more than a cursory level.  They should.

This provision was so bad that the behind-the-scenes Fed.Gov security establishment (almost certainly the NSA) pushed the President to block it [note: this is speculation, but informed speculation].  The reason is that the clause would have brought good news and bad news.

The good news: computer viruses would almost cease to exist.  The bad news: they'd cease to exist because they wouldn't be needed by the Bad Guys.

I'd like to explain why, but first you'll want to read an earlier post of mine, How to hack a classified network.  This post builds on that one.  The gist was that end users want interesting or funny content, and will figure out how to get it even if the network architecture intentionally tries to stop them.

And so to the DNS block.  DNS is the lookup service that translates human-readable names into IP addresses (the numeric identifiers that the Internet uses to deliver your packets).  The original bill would have let rights holders such as the Motion Picture Association of America (MPAA) get the DNS entries of allegedly infringing sites blocked at US resolvers, making those sites hard to reach.  Not impossible, mind: if you already know a site's IP address, you can type it straight into your browser's address bar and you'll get there fine.

But the reasoning was that it's too hard for most people to keep track of raw IP addresses, which is probably right.  And so more and more sites would disappear from the 'Net, and more and more interesting and funny content with them.

And so to my old post, and to frustrated users:
The problem is that what you want (security) and what your users want (information on Al Gore's Intarwebz) inherently is in conflict. You can't win unless they lose, and vice versa.
And now to the threat scenario that (presumably) brought the NSA calling at 1600 Pennsylvania Ave.  Suppose that someone set up an uber DNS server in Moscow, a resolver that didn't block any names at all.  Remember those frustrated Internet users?  All they'd have to do is change their computer's DNS settings so that it used the Moscow server instead of the one their ISP handed out.  Sure, you'd have to configure Windows by hand to do this, but you'd only have to do it once.  Soon enough, people would be passing around scripts that you could click on to do it for you.

In a matter of months, a large part of the United States would be relying on the Moscow DNS server.  Presumably, this would include a lot of computers in the US Federal Government itself.

So what, you say.  Well, remember: DNS tells your computer the address of where you want to go.  What if it sends you somewhere else?  The rogue resolver doesn't have to be crude about it.  Instead of the bank's real address, it hands back the address of a proxy in Russia; the proxy forwards your traffic on to the bank and the bank's replies back to you, so the page looks exactly as it should, while everything you type passes through a machine that silently reads it.

Security gurus call this a "Man in the Middle" attack, and it's hard to see how the Russians (or Red Chinese, or a whole bunch of other folks) wouldn't end up entirely pwning everyone's traffic.

The Russians wouldn't need computer viruses to plant on your computer to get your data.  You'd be sending them all your data all by yourself.
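
To make the mechanism concrete, here is an added example of mine (not code from the original post) that models both resolvers in-process, building and parsing raw DNS messages by hand so it runs offline. The zone contents in HONEST_ZONE, the "Moscow" proxy address in ROGUE_PROXY_IP and all the function names are constructed for illustration. The honest resolver refuses the blocked name the way a compliant ISP resolver would; the rogue one resolves everything, including the blocked name (that's the draw), but every answer points at the attacker's proxy. The last function is the check a practitioner would want: it spots a hijacking resolver either by disagreement with a trusted out-of-band resolver on names that should not be blocked, or by many unrelated names collapsing onto one address.

```python
"""Rogue-resolver man in the middle, modelled in-process.

Added example, not code from the original post.  DNS messages are built
and parsed by hand (RFC 1035 wire format) so nothing touches the network.
All names and addresses below are constructed for illustration.
"""
import random
import struct

# Constructed zone: what the ISP's (honest) resolver answers.
# None models a name the resolver has been ordered not to resolve.
HONEST_ZONE = {
    "bank.example": "192.0.2.10",
    "news.example": "192.0.2.20",
    "blocked.example": None,
}
ROGUE_PROXY_IP = "198.51.100.1"   # constructed: the "Moscow" MITM proxy
NAMES = list(HONEST_ZONE)

A_RECORD = 1
QR_RD_RA = 0x8180                 # response; recursion desired + available
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode "bank.example" as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers.

    Returns (name, offset just past the name as it sat in the message).
    The hop limit stops a malicious pointer loop from spinning forever.
    """
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            hops += 1
            if hops > 16 or offset + 1 >= len(data):
                raise ValueError("compression pointer loop or truncation")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        if offset + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, 1)


def parse_query(data):
    txid = struct.unpack("!H", data[:2])[0]
    name, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    return txid, name, qtype, off + 4


def build_response(query, ip):
    """Answer with one A record, or NXDOMAIN when ip is None."""
    txid, _name, _qtype, qend = parse_query(query)
    question = query[12:qend]                 # echo the question section
    if ip is None:
        return struct.pack("!HHHHHH", txid, QR_RD_RA | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, QR_RD_RA, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to the name in the question.
    rr = struct.pack("!HHHIH", 0xC00C, A_RECORD, 1, 300, 4)
    return header + question + rr + bytes(int(o) for o in ip.split("."))


def parse_response(data):
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    name, off = decode_name(data, 12)
    off += 4                                  # skip QTYPE, QCLASS
    ips = []
    for _ in range(ancount):
        _owner, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            ips.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return txid, name, flags & 0x000F, ips


def honest_resolver(query):
    """The ISP resolver: real answers, but refuses the blocked name."""
    _txid, name, _qtype, _end = parse_query(query)
    return build_response(query, HONEST_ZONE.get(name))


def rogue_resolver(query):
    """The 'Moscow' resolver: resolves everything, always to the proxy."""
    return build_response(query, ROGUE_PROXY_IP)


def resolve(resolver, name):
    """Client side: send a query and accept only a reply that matches it."""
    txid = random.randrange(0x10000)
    rtxid, rname, rcode, ips = parse_response(resolver(build_query(name, txid)))
    if rtxid != txid or rname != name:
        raise ValueError("reply does not match query; discard it")
    return rcode, ips


def resolver_looks_rogue(resolver, trusted, names):
    """Two cheap tells for a hijacking resolver.

    1. It disagrees with a trusted out-of-band resolver.  The deliberately
       blocked name is expected to differ; bank.example differing is the alarm.
    2. Many unrelated names collapse onto one address, the signature of a
       transparent proxy or sinkhole.
    Returns (divergent names, collapsed_to_one_address).
    """
    divergent, seen = [], set()
    for name in names:
        answer = resolve(resolver, name)
        if answer != resolve(trusted, name):
            divergent.append(name)
        seen.update(answer[1])
    return divergent, len(names) > 1 and len(seen) == 1


if __name__ == "__main__":
    for label, r in (("honest", honest_resolver), ("rogue", rogue_resolver)):
        print(label, {n: resolve(r, n) for n in NAMES})
    print("rogue tells:", resolver_looks_rogue(rogue_resolver, honest_resolver, NAMES))
```

Two details are there on purpose: the client discards any reply whose transaction ID or question name doesn't match what it sent, which is the minimum a stub resolver should do against forged answers, and decode_name caps compression-pointer hops so a crafted reply can't hang the parser. Note that the second tell (every name resolving to one address) would also trip on a legitimate CDN front end; it is a signal to investigate, not proof on its own.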

Just how much of this traffic is encrypted strongly enough that it couldn't be read?  Quite frankly, nobody knows.  What everyone does know is that the number is way less than 100%.  (Properly validated HTTPS is the exception: the proxy can't present a valid certificate for the real site, so the browser throws a warning before anything sensitive is sent.  That protection holds only as long as the user doesn't click through the warning.)

Remember that a lot of this traffic would be coming from,, and

Oh, and for the traffic that does have decent encryption?  Well, roll out the computer viruses.  They know you're going to your bank (they have the DNS request, duh), so why not pass down a "Click here to access your bank" phishing pop-up?  You only get that pop-up when you actually go to your bank, so probably 95% of everyone will click to install.  Next -> Next -> Next.  Oh for God's sake, just install already!

Game over, man.  Smart bit of legislation, right there.

And so the White House made them take it out.  This is all speculation, of course, but I'd bet cash money that this was how it played out.

The punchline?  SOPA and PIPA probably can't actually work without blocking DNS.  And so they have to rely on overly broad (and likely unconstitutional) measures, like taking down an entire site over a single infringing link.  But I'm not a lawyer, and so won't speculate on the constitutionality of this piece of craptacular legislation.

But this is the part of the story that you hadn't heard.  Some things seem like a good idea, but aren't.

Looks like the MPAA didn't climb a mountain, they climbed a mountain lion.


ASM826 said...

Well, ain't you wicked smaaart? I kept up, but it was nice to have you pointing out the highlights along the way.

Dave H said...

I want a bumper sticker that says: "Everything I needed to know about national security I learned from Fallout 3."

Borepatch said...

ASM826, not sure that it's "smart" so much as unable to turn off "what is the worst case scenario" thinking. Probably there's a pill for that, but then I might be out of a job.

Dave H, I love that picture. Sadly, it applies to a LOT of security situations ...

Broken Andy said...

Two comments:

1) "None of the media outlets are looking into this at more than a cursory level." Given that these media outlets are companies that support SOPA/PIPA, I wouldn't expect them to look at it very hard. In fact, I'm amazed they have reported this at all.

2) ISPs routinely block ports today, so blocking port 53 to cut out the use of Moscow Uber DNS would be quite easy to foist upon network operators. So I don't think the reason for the WH interjecting was based on national security fears.

Borepatch said...

Andy, if you block port 53 to Russia, it's likely that nobody will be able to read Pravda.

Sure, it's Pravda, but it's not clear that these days it's more of a propaganda organ than the press here. I've linked at least twice to stories there that were not being reported here.

Broken Andy said...

That's not how it works. ISPs run recursive resolvers, which is what most people use. By blocking port 53 to anything but the ISP's recursive resolver, customers will get the answers the ISP resolves. Blocking port 53 would only affect customers running their own recursive resolvers. And this isn't theory. A good number of ISPs and corporate networks do this today. ISPs even monetize this by returning special search pages for DNS entries that don't exist, kinda like a localized version of VeriSign's failed SiteFinder attempt.