ICANN chief to address hackers at Black Hat
Globe-trotting ICANN president Rod Beckstrom is heading to Vegas this week, to participate in a panel discussion on DNS security at the Black Hat conference at Caesar’s Palace.
He’ll be joined by Dan Kaminsky, discoverer of the notorious DNS vulnerability that bears his name, and is expected to sing the praises of the new DNSSEC security standard.
Also on tomorrow’s panel, entitled “Systemic DNS Vulnerabilities and Risk Management” are DNS inventor Paul Mockapetris, VeriSign CTO Ken Silva and NERC CSO Mark Weatherford.
ICANN and VeriSign recently signed the DNS root using the DNSSEC standard. The challenge they face now is persuading everybody else in the world to jump on the bandwagon.
It’s likely to be slow going. DNSSEC has more than its fair share of skeptics, and even fierce proponents of the standard sometimes acknowledge that there’s not a heck of a lot in the way of a first mover advantage.
I’ll be interested to see if the subject of a DNS-CERT – a body to coordinate DNS security efforts – is raised either during the panel or the subsequent press conference.
From a policy point of view, DNSSEC is pretty much a done deal, whereas a DNS-CERT is still very much a matter for debate within the ICANN community.
I believe this is the first time ICANN has talked publicly at Black Hat. Beckstrom himself has taken the stage under his previous roles in government, but not as ICANN’s top dog.
Despite its name, Black Hat is a pretty corporate event nowadays. In my experience, the proper black/gray hats show up (or swap their lime green corporate polo shirts for Metallica T-shirts) at the weekend for Def Con, which is usually held at a cheaper venue around the corner.
ICANN Brussels trending topics: security and control
Security and politicking over control of the domain name system’s critical functions emerged as key memes during the opening ceremony of ICANN’s 38th public meeting this morning, here in Brussels.
In a speech that addressed a few controversial topics, ICANN president Rod Beckstrom responded unapologetically to those who had criticised the fairly alarmist tone of his remarks about DNS security at ICANN 37, three months ago.
Directly addressing his Nairobi comments, Beckstrom said:
You may disagree with what I said, and openness to different viewpoints is what makes our community strong. Some have asked why I said what I did. Simple. I said it because I believe it is the truth. And more than twenty years of experience in risk management have taught me that in addressing highly complex systems, it is better to be more concerned about risk than less.
The ccTLD constituency – led by .uk and .au – had been concerned about Beckstrom’s warning in Nairobi, which was made at a meeting of the Governmental Advisory Committee, because it risked giving governments a reason to interfere with their countries’ ccTLDs.
Beckstrom’s keynote addressed the risk of too much government control over the DNS, embodied currently in rumblings about another International Telecommunication Union power grab, with a call to action for all those who support ICANN’s model.
We must face the fact that governments control these institutions. Given the serious proposals for an alternative to our bottom-up, multi-stakeholder model, we must redouble our efforts to support it if we are to protect the global public interest. All our stakeholders must step up to the plate and defend our common interest.
We will of course work closely with the Governmental Advisory Committee. But we need the active involvement of all stakeholders. We need your help, through every means available to you, to counter the misinformation and ensure that governments understand what is at stake when these issues are debated in the UN General Assembly later this year.
Beckstrom’s sentiments on security were echoed by both European Council President Herman Van Rompuy and, in a recorded address, European Commissioner for competition Neelie Kroes.
Kroes, in particular, seemed keen to marry the ideas of security risks and control over the internet’s crucial policy-making functions.
I am hopeful that the expiry of the IANA contract next year will be turned into an opportunity for more international cooperation servicing the global public interests.
But don’t misunderstand me. The internet’s day to day functioning works well, and I’m the first to say that if it isn’t broken don’t fix it. We all have an interest that this wonderful platform for innovation, entrepreneurship and free expression works perfectly well at a technical level. It is a great adventure that must continue to flourish. Yet, does it mean all is well in the cyber world?
Take the issue of security and resilience. We need to fight against spam, identity theft, phishing and other evolving types of crime on the internet. Both the public and private sectors have a joint obligation to act. And that approach has to go hand in hand with ensuring the internet itself is not vulnerable to any large-scale failure, whether as a result of an accident or a deliberate attack.
As I type, Beckstrom is hosting a panel discussion with Whit Diffie, Paul Mockapetris, Steve Crocker and Dan Kaminsky on DNS vulnerabilities in front of a packed audience.
ICANN staff need to get their pee tested
I imagine it’s a pretty hard job, largely thankless, working at ICANN. No matter what you do, there’s always somebody on the internet bitching at you for one reason or another.
The job may be about to get even more irksome for some staffers, if ICANN decides to implement new security recommendations made by risk management firm JAS Communications.
In a report published yesterday, JAS suggests that senior IANA staff – basically anyone with critical responsibilities over the DNS root zone – should be made to agree to personal credit checks, drug screening and even psych evaluations.
To anyone now trying to shake mental images of Rod Beckstrom peeing into a cup for the sake of the internet, I can only apologise.
This is what the report says:
JAS recommends a formal program to vet potential new hires, and to periodically re-vet employees over time. Such a vetting program would include screening for illegal drugs, evaluation of consumer credit, and psychiatric evaluation, which are all established risk factors for unreliable and/or malicious insider activity and are routinely a part of employee screening in government and critical infrastructure providers.
I’ve gone for the cheap headline here, obviously, but there’s plenty in this report to take seriously, if you can penetrate the management consultant yadda yadda.
There are eight other recommendations not related to stoners running the root, covering contingencies such as IANA accidentally unplugging the internet and Los Angeles sinking into the Pacific.
Probably most interesting of all is the bit explaining how ICANN’s custom Root Zone Management System software, intended to reduce the possibility of errors creeping into the root after hundreds of new TLDs are added, apparently isn’t being built with security in mind.
“No formal requirements exist regarding the security and resiliency of these systems, making it impossible to know whether the system has been built to specification,” the report says.
It also notes that ICANN lacks a proper risk management strategy, and suggests that it improve communications both internally and with VeriSign.
It discloses that “nearly all critical resources are physically located in the greater Los Angeles area”, which puts the IANA function at risk of earthquake damage, if nothing else.
JAS recommends spreading the risk geographically, which should give those opposed to ICANN bloat something new to moan about.
There’s a public comment forum over here.
UPDATE (2010-06-13): As Michael Palage points out over at CircleID, ICANN has pulled the PDF from its web site for reasons unknown.
On the off-chance that there’s a good security reason for this, I shall resist the temptation to cause mischief by uploading it here. This post, however, remains unedited.
Politics at play in DNS CERT debate
ICANN chief Rod Beckstrom may have shot himself in the foot when he claimed at the Nairobi meeting that the domain name system is “under attack” and “could stop at any given point in time”.
Beckstrom wants ICANN to create a new CERT (Computer Emergency Response Team) to coordinate DNS security, but he’s now seeing objections from country-code domain managers, apparently connected to his remarks last month.
Chris Disspain of auDA, Australia’s .au registry, has just filed comments on behalf of the ccNSO council, which he chairs, saying it’s not clear whether there’s any need for a DNS CERT, and that ICANN is moving too fast to create one.
It’s pretty clear from the ccNSO statement that Hot Rod’s fairly blunt remarks at the GAC meeting in Nairobi, which I transcribed in full here, have influenced the ccNSO’s thinking on the matter:
the comments of ICANN’s CEO and President, Rod Beckstrom, to governmental representatives in Nairobi, have the potential to undermine the productive relationships established under ICANN’s multi-stakeholder model, cause damage to the effective relationships that many ccTLD operators have developed with their national administrations and discounted the huge efforts of many in the ICANN and broader security community to ensure the ongoing security and stability of the Internet
Disspain had already written a strongly worded letter to Beckstrom during the ICANN meeting, calling his comments “inflammatory” and reiterating some of the points made in the latest ccNSO filing.
Beckstrom’s response to Disspain’s first letter is here. I would characterize it as a defense of his position.
It seems pretty crazy that something as important as the DNS has no official security coordination body but, as Disspain points out, there are already some organizations attempting to tackle the role.
DNS-OARC, for example, was set up to fulfill the functions of a DNS CERT. However, as founder Paul Vixie confessed, it has so far failed to do so. Vixie thinks energies would be better spent fixing DNS-OARC, rather than creating a new body.
ICANN’s comment period on its DNS CERT business case is open for another couple of days. It’s so far attracted only a handful of comments, mostly skeptical, mostly filed by ccTLD operators and mostly suggesting that other organizations could handle the task better.
If Beckstrom’s aim in Nairobi was to reignite the debate and Get Stuff Done by scaring stakeholders into action, he may find he’s been successful.
However, if his aim was to place ICANN at the center of the new security initiative, he may ultimately live to regret his remarks.
Either way, I expect DNS security will eventually improve as a result.
ICM says ICANN’s options for .xxx are ‘unacceptable’
ICM Registry has issued a speedy response to ICANN’s .xxx approval options paper, calling it “unacceptable” and urging the ICANN board to put the issue to bed ASAP.
Late Friday, ICANN published a flowchart outlining the possible ways the board could handle .xxx in the light of February’s Independent Review Panel decision, which found ICANN acted unfairly when it rejected the TLD in 2007.
ICM president Stuart Lawley said in a letter to ICANN today that most of the paths through the flowcharts “are in many respects substantively and procedurally inconsistent with the IRP declaration”.
The company believes the IRP decision resets the approval process to prior to the 2007 decision, when the two parties were in contract talks for an already-approved TLD.
The letter claims that “it would be inappropriate, illegal and inconsistent with ICANN’s core values and model of self governance for ICANN to set up an evaluative process that is lacking in objectivity and that does not affirmatively give effect to the underlying IRP declaration”.
There are presumably few people involved with ICANN in any doubt that ICM intends to take its case to the ‘proper’ courts if need be, which is probably why its powers-that-be have been unwilling to meet with the company.
As I reported Friday, the options paper creates the possibility of re-evaluating the .xxx application under the Draft Applicant Guidebook v4 for new gTLDs, which is not yet completed.
It also suggests that ICANN will have to ask its Governmental Advisory Committee for its current opinion on the application, a move likely to stretch out a decision for months.
It also has an option to expedite the approval based on the “sponsored” TLD process under which ICM, and others such as .post and .asia, originally applied.
ICM’s latest letter is here. ICANN’s options paper can be found here. The public comment period is open here. Unlike many ICANN comment periods, it has comments.
Internet ‘villain’ to headline ICANN Brussels
It’s a date! Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, has accepted Rod Beckstrom’s invitation to attend ICANN’s meeting in Brussels this June.
Reding is a mildly controversial figure in the domain name world.
Notably, she is the recipient of a UK Internet Service Provider Association Internet Villain award over the launch of .eu, which happened under her watch as Information Society commissioner.
ISPA nominated her in 2007, for “foisting the most arcane set of rules yet seen for prior registration of .eu domains, requiring UK-registered companies to submit legal affidavits to justify the authenticity of their business.”
Arcane rules? At an ICANN meeting? Shurely shome mishtake.
It’s not clear whether Reding will be speaking at the meeting. She’s agreed to attend on June 22, the same day as the Governmental Advisory Committee meeting.
Beckstrom: DNS is under attack
ICANN chief Rod Beckstrom has come in for a bit of criticism over “inflammatory” comments he made at the Governmental Advisory Committee meeting on Tuesday.
The headline quote: “The domain name system is more fragile and vulnerable today than it has ever been. It could stop at any given point in time, literally.”
Beckstrom described a DNS on its knees, then pointed the finger at unspecified nations for DNS abuses allegedly happening within their virtual borders, and said he would be writing to GAC members for more information and advice.
It was part call to arms, part Chicken Little.
If you missed it, here’s a full transcript.
Gossip: Geldof, China and Site Finder
Eight Sunday morning tidbits.
- Bob Geldof was on the BBC’s Andrew Marr Show this morning, via satellite from Nairobi. It seems likely he’s there in relation to the IGAD conference on east-African drought, which is being held at the same venue as the ICANN meeting, which kicked off today. Let’s hope he’s