Where was that again?

Wednesday, January 18, 2012

SOPA... a borrowed breakdown


This is being shared with permission of CodeBastard Redgrave, and all the information that this post contains was pulled from the plurk page located at http://www.plurk.com/p/fctraw . Only minor adjustments have been made for readability by way of spelling and some grammar correction. None of the actual information was changed.

So.  DNS Blacklisting. How does it work, and how does it affect the internet? Let me explain all of that to you. First and foremost, to understand SOPA and how bad its whole basis is, you have to understand what a DNS server is and how it works. 

See, all websites on the internet are accessed through what is called TCP/IP, the basic internet protocol. But TCP/IP only deals with numbers. IP addresses are constituted of 4 8bit numbers separated by a dot, looking something like 192.67.23.121 (this address is fake, the 192 Class A is reserved for internal LAN uses and doesn't exist on the net).

so, of course, numbers being not really practical for humans to remember beyond a phone number, the engineers thought about some kind of universal internet Yellow Book, a glue that would take every name and translate them into an IP address, and vice versa. Enter DNS, the Domain Name System, through which we can affectionately use a common name like plurk.com, and DNS resolves it to an IP. Your web browser then knows where the website is located by its IP, and magic! You can now view your beloved web page.
Unfortunately, DNS had to be centralized some way or else nobody would have had consistent results as for their DNS queries. Enter the ROOT DNS servers. Those are a bunch of central DNS servers that are fed by a plethora of other DNS servers in the world. The ROOT DNS belong mostly to a handful of American companies but some root servers are also hosted elsewhere in the world.

Every ISP and hosting providers have their own DNS servers, which are in Master mode, so when the Root server gets a query on a non-authoritative domain, the request is simply sent to the DNS server the domain is pointing to, and voila, it replies to the query.      

Simple enough I hope? Now you can see that the whole interwebs  is stuck together by merely a handful of DNS servers, the Root servers. This is a weakness but also a force of the internet, as there is little to no intervention on them, as long as they are up everybody can count on them to serve then the webpage.
(Quick pause in the thread’s progression with a comment of “btw, people, this also explains why sometimes your browser doesn't seem to work but your Skype does (Skype uses IP addresses) when your ISP's DNS goes kaput” and the response of “^ definitely true. Some applications use IP directly instead of DNS for more "reliability" as DNS is an extra point of failure.”)

Anyways, enter SOPA…
SOPA's whole concept is based on what is called DNS blacklisting, which only exists at a lower DNS level than root servers for example China and Syria uses a DNS blacklist since the whole country is behind a firewall, the government controls all of the DNS servers being used to resolve domain names for that country. So if they add something on that list, boom, nobody is able to resolve it anymore, and the website is effectively blocked. Imagine going to open very popular websites and see them vanish, while the rest of the world can see them. Scary, innit?
               
Think that is scary? This is still on a local point, this particular country's DNS. If they added Google to their own blacklist, only their own country would be blocking it. But imagine if it affected the whole internet?

More discussion ensues:
Question: is there a theoretical possibility to somehow decentralize root servers? As in torrent decentralized?
Answer: That's what the SOPA/PIPA have in planning, putting blacklist software on the ROOT DNS servers.
Asker: Sure, that torrent would be huge... but still sounds nice

Answerer: (asker): yes and yes, it's actually being discussed by several engineers, but it needs a complete re-engineering of the DNS system. There are several propositions in that way and i hope they will be implemented pronto.

Second Answerer: (Asker): a lot has to do with traffic minimization too. DNS' update themselves only as rarely as they can afford to (diff. levels etc) traffic "costs money", so you want to keep that battened down

Answerer: yes true (Second), actually the root servers mainly replies with other DNS servers as authoritative and rarely replies to requests directly. They are like the glue that holds the DNS system together

Second Answerer: imagine if all the buses decided to talk to each other ALL THE TIME to sort out their schedule instead of having a centralised routine. don't know about buses in your city, but yeah...NOT IN MY TOWN.

Back to the original discussion line…

So, we got that scary new software installed that would allow global blocking of all root servers for any given domain. Can someone see an immediately worrying issue with that? Well, the internet is fragile. You think the root servers can't be hacked? Think again. It happens REGULARLY; so often that the root servers are now multi cluster virtual machines that can be snapshotted and restored. So, compromising those lists by hackers, which will ALL go after that blacklist, trust me. It will become better than hacking the NASA. Gaining access to those lists would mean controlling what people can and cannot view. Imagine the blackmail possibilities!

Discussion continues….

Comment: So essentially they’ll break everything. Yay.
Reply 1: Quite indeed. Not only break, but endanger the single system that holds the internet together.
Reply 2: The internet was built on the principle of neutral openness of information and resource, each censorship sets back that original ethos a bit.

Comment: It’s the content industry’s failure to offer reasonable alternatives to piracy and adopt new business models. They tend to seek limitations and restrictions through DRMs, content restriction than just do business in new ways.

Comment:  Think about how that same industry that lobbied it will be able to also control who criticizes them.

Comment: Consumers want unfettered affordable access to resources. Not controlled by large corporate who are answerable to stakeholders who want $$

Comment: Yes. That’s what scares me. Like China’s firewall. How they restrict their media. Americans used to say that was barbaric, look at this crap now.

Comment: Just shows how little our representatives know about the technology, and how much they’re pocketing from special interest.

Comment: Want a good example? Check the Youtube VEVO/BMG arrangement that grants UMG a blacklist right on any Youtube video.  

Comment: Thanks for the clear explanation! I think their real goal is censorship, not IP rights.

Comment: Really, what comes down to it is simply the US government answering not to the people, for the people, but to profit-seeking shareholders

Comment: Yeah..."piracy is costing us billion of dollars!" Well, keep charging me $15 a movie then, you dicks.

Comment: Yeah, imagine a net w/out Youtube, Vimeo, Wordpress, Blogger, StumbleUpon, DeviantArt, Wikipedia, Grooveshark, OpenSim
Comment (in addition): Twitter, Plurk, Allrecipes, Pandora, Sourceforge, Mozilla

Comment: Imagine a web without all the good stuff, and the only sites you can get to are corporate sites full of ads trying to sell you stuff

Comment: But what I really don't get is the global thing, like it's a US bill. Why are they trying to control the world's internet? Well I guess as I was told, most websites or the content are US based.
Response to above: Most regulatory bodies of the net are based in the US (they DID invent the internet, pretty much). It's the concept that might spread to other countries, that is the threat.

And then came the following additional information, from another plurker:

Okay. I was going to stay out of this, but since it got really interesting, I'm gonna dive in. HERE IS THE OTHER PART OF THE STORY: DNSSEC.

DNSSEC is a set of security improvements to DNS. It provides specifications for end-to-end encryption of domain names, data integrity, etc. In 1990, security researchers discovered fundamental flaws in the architecture of DNS that could lead to malicious users hijacking or disabling the entire internet. Not exaggerating: entire internet, at least the way we know it. This discovery led to the development of DNSSEC, which was designed to protect DNS clients from forged DNS data, such as that created by DNS cache poisoning. Remember that; there'll be a pop quiz.

Anyway, how it works: All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. DNSSEC is, at this point, fairly widely deployed; many countries have already adopted it. The US government has been sponsoring a "DNSSEC Deployment Initiative" as part of its cyber-security efforts, and it has been deployed on .gov sites since 2008. It is considered a priority.
So let's go back to what CENSORED was saying about how SOPA and PIPA deal with allegedly piratical domain names. They require DNS redirects, right? Okay. This requirement isn't compatible with DNSSEC; it completely undermines efforts to build a secure domain name service. Remember the bit about DNSSEC being designed to protect from forged DNS data? A domain name service designed to protect against forged DNS data can't tell the difference between data forged by malicious attackers and data forged by the government or the internet service provider. The only work-around is to punch holes in the basic security of DNSSEC, which thus leaves the internet itself vulnerable to attack.

(There's another work-around which involves deep packet inspection, but I've plurkjacked enough for today, I think.)

My commentary add-on:
SOPA and PIPA are two dangerous pieces of legislation that threaten the accessibility of the internet as we currently know it, not just in America, but in the world. If you’re not, at this point, aware of what’s going on, please take a little time to check out websites such as http://americancensorship.org/supporters.htmlhttp://sopablackout.org/learnmore/, and http://americancensorship.org/infographic.png.

No comments:

Post a Comment