Sandia National Labs: DNS Filtering In SOPA/PIPA Won't Stop Piracy, But Will Hurt Online Security
from the more-experts-weigh-in dept
We've covered at great length the problems with DNS filtering in SOPA and PROTECT IP (PIPA) and how it will harm internet security. These concerns were first highlighted by a group of folks who are considered to be some of the foremost experts (and original architects) on DNS. The MPAA and other SOPA/PIPA supporters have been trying for months to diminish these points, but have yet to find any kind of argument that makes sense. The argument they fall back on is "well, if this law breaks DNSSEC, just change the code and fix it." This represents a fundamental misunderstanding of the technology. That's not too surprising, coming from the MPAA, frankly. However, now, Sandia National Labs, which is a part of the Department of Energy, has sent a letter to Rep. Zoe Lofgren confirming most of the problems with the idea of DNS filtering, noting that it would make the internet less secure... and would do nothing to actually stop piracy.
"It is not likely DNS filtering would be effective in blocking U.S. access to targeted foreign websites...."
On the question of DNSSEC, the letter notes that slowing the adoption of DNSSEC would have significant "negative consequences" for US online security. While DNSSEC may not be fully rolled out yet, nearly everyone who understands this stuff knows that it's needed to fix key flaws in DNS. And while it takes time, simply breaking it and waiting for the next generation to rewrite it from scratch would be a mistake. Many years of careful work have gone into DNSSEC. Scrapping it for something else random is not going to help.
At this point, I don't see how any SOPA/PIPA supporters can still claim that the concerns over DNS blocking are unfounded. When you even have a major national lab saying that it's a bad idea, won't work and will be bad for online security... can the MPAA still respond with nothing more detailed than "we disagree" (which was the MPAA's actual statement at the hearing when challenged about the security problems associated with DNS blocking)?
Filed Under: censorship, department of energy, dns, filtering, sopa
Companies: sandia national labs
Reader Comments
It baffles me. What kind of engineers do they work with? Which incompetent consultants told them this would work?
Oh well, their entire internet campaign has been riddled with incompetence so it's not that surprising.
[ link to this | view in chronology ]
Re:
What SOPA will do is to make it easy for big companies to outright kill innovative noninfringing startups on the net. It's very clear from their actions as well as their words that the **AAs are terrified that they are losing control of the distribution channel. SOPA is a powerful tool to let them forcibly take control of the internet as such a channel.
I think that this is the real purpose of the law. If so, then there's nothing wrong with it, technically. It can easily accomplish that goal.
[ link to this | view in chronology ]
Re: Re:
I thought I'd engage them on "this is what you say, it is silly and will not work"
[ link to this | view in chronology ]
Re: Re:
I suspect you are dead on in your analysis of this. The people who want this are so paranoid that someone is going to get something without their getting a big chunk of money for it, that they would - so to speak - burn the entire barn (the Internet) to the ground to get rid of a few pesky rats.
Stupid.
[ link to this | view in chronology ]
Re:
It was probably the same idiot that told them IPv6 would be the end-all and be-all of IP infringement tracking and prevention.
[ link to this | view in chronology ]
Re: DNS filtering
The sad thing is that incompetent fools like this are allowed to dictate tech policy.
[ link to this | view in chronology ]
SOPA/PIPA is tearing families apart
Here's hoping that they get together for Thanksgiving and Leonard helps her understand a thing or two.
[ link to this | view in chronology ]
Like this
[ link to this | view in chronology ]
Well, China manages DNS blocking...
I've given you an empirical example and a logical counter to a prior line of argument. You're basically just using a "fear of change" line here. -- Most things never get fixed until they are broken, so could be just the impetus needed for DNS, eh?
[ link to this | view in chronology ]
Re: Well, China manages DNS blocking...
The situation is completely different with regards to the US. Because so many Internet-related and Internet-using companies are based/headquartered in the US, SOPA is bad news for them. SOPA isn't a bill being discussed in my country, but if it passes, some of my favourite websites will have to redesign themselves completely (i.e., forgo user participation entirely) even though I am accessing the site from a country where SOPA isn't a law.
What if I want to upload a video to YouTube? Sorry, someone just accused them and YouTube's been blocked from receiving income through its payment processors! Therefore, I can't upload video and expect it to be watched.
[ link to this | view in chronology ]
Re: Re: Re: Well, China manages DNS blocking...
What you fail to understand is that only the entertainment companies matter. They are single-handedly keeping the world's economy afloat. Without them, the economy would be doomed, the governments would fall and the world would descend into chaos! Also, the planet would probably stop turning and the sun would go out.
Do you really want to be the cause of the extinction of the entire human race???
[ link to this | view in chronology ]
A key point
[ link to this | view in chronology ]
Re: Re:
Wrong FUDpacker. Only the US Attorney can bring an action that would lead to site blocking. I guess when you have no answer you simply invent a new lie.
[ link to this | view in chronology ]
Re: Re: Re:
The US Attorney doesn't even bother checking those lists, apparently, since they seized a lot of things that are not even infringing or against the law.
[ link to this | view in chronology ]
Re:
Quote:
Source: http://www.pcworld.com/businesscenter/article/235742/engineers_protect_ip_act_would_break_dns.html
When things break, people go after solutions; if you believe any American will sit idle and allow censorship, you are just an idiot.
[ link to this | view in chronology ]
Re:
I don't know what they do with child porn sites but I assume it involves getting local authorities involved to remove the content from the servers and track down the perpetrators.
You see, other countries will track down citizens who engage in the vile and disgusting act of abusing children and spreading that abuse around the internet for fun and profit.
On the other hand, governments of other countries care a lot less that some guy in Hollywood or an already rich artist claims they aren't making enough money off their population.
You see, any reasonable person sees that these two things are nothing alike and anyone that compares the sexual exploitation of defenseless children to not making enough money can probably go fuck themselves.
[ link to this | view in chronology ]
Re:
.....................#.....................#...................
Here's the net after SOPA passes;
..#..#.##...###...##.###....####..#.###.###.##.
Any questions?
[ link to this | view in chronology ]
Credibility
[ link to this | view in chronology ]
Currently, most networks are upgrading to allow for IPv6. Upgrades for DNSSEC may or may not be possible on all of this equipment. It is likely that until the current equipment reaches its EOL and is taken down that DNSSEC will not be any more complete than IPv6 currently is.
Further, a full implementation of DNSSEC requires replacement of everything right down to your local router at home. The time frame for that to happen is "years", if not a decade or more at all levels.
If anything, DNSSEC turned on too early could break the internet. So DNSSEC at this point is just not really an issue, even those who created it admit that it is not widely in use and unlikely to be there any time soon.
[ link to this | view in chronology ]
Re:
Where DNSSEC could become a problem is the ALG in NAT gateways (including home routers), which is responsible for parsing DNS responses to determine which masked computer they're intended for. Poorly implemented ALGs may be confused by DNSSEC packets. I suppose it's also possible that some gateway devices include a caching DNS resolver or some sort of DNS proxy that would need to be updated, but I've personally never seen one. DNSSEC is not exactly a new protocol, however. Most reasonably new hardware should support it.
Turning on DNSSEC too early won't break the Internet. Legacy clients will simply continue to use regular, unsecured DNS. Rolling out DNSSEC won't do anything to change that. While it is true that clients configured to require validation will fail if the recursive resolver doesn't support it, that's a per-client setting and can easily be disabled.
All of that is largely irrelevant to the discussion of SOPA. Your post seems to be insinuating that DNSSEC is not ready and thus we have time to fix it. Unfortunately, SOPA doesn't just break some implementation detail of DNSSEC as the MPAA seems to think. It breaks the very idea of DNSSEC. It enshrines in law the idea that the recursive resolver must lie to the client, which is exactly what DNSSEC was designed to prevent.
[ link to this | view in chronology ]
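The point made in the comment above, that a resolver which rewrites an answer fails DNSSEC validation while a legacy client accepts the rewrite, as an added Python sketch (not part of the original post or its comments). It is a simplified model: textbook RSA with a small constructed key stands in for a zone's DNSKEY/RRSIG, and every name, address and function here is hypothetical.

```python
import hashlib

# Constructed toy zone key: textbook RSA over two Mersenne primes. Far too
# small for real use; it only stands in for a zone's DNSKEY/RRSIG pair.
P, Q = 2**127 - 1, 2**89 - 1
ZONE_PUBKEY = (P * Q, 65537)                      # (n, e), known to validators
ZONE_PRIVKEY = pow(65537, -1, (P - 1) * (Q - 1))  # d, held only by the zone owner


def rrset_digest(answer, n):
    """Hash a canonical form of the record set (owner lowercased, rdata sorted)."""
    canon = "|".join([answer["name"].lower(), answer["type"], str(answer["ttl"])]
                     + sorted(answer["rdata"]))
    return int.from_bytes(hashlib.sha256(canon.encode()).digest(), "big") % n


def sign(answer):
    """Authoritative side: attach a signature over the record set."""
    n, _ = ZONE_PUBKEY
    return dict(answer, rrsig=pow(rrset_digest(answer, n), ZONE_PRIVKEY, n))


def validate(answer, pubkey=ZONE_PUBKEY):
    """Validating client: 'secure' only if the signature matches the data."""
    n, e = pubkey
    sig = answer.get("rrsig")
    if sig is None:
        return "bogus"  # the zone is signed, so an unsigned answer is rejected
    return "secure" if pow(sig, e, n) == rrset_digest(answer, n) else "bogus"


def filtering_resolver(answer, blocklist, redirect_to="192.0.2.1"):
    """Resolver required to redirect listed names: it rewrites the address.
    It has no zone private key, so it cannot produce a matching signature."""
    if answer["name"] in blocklist:
        return dict(answer, rdata=[redirect_to])
    return answer


def legacy_client(answer):
    """Non-validating client: uses whatever address it is handed."""
    return answer["rdata"][0]


def demo():
    # Constructed sample record; names and addresses are documentation values.
    honest = sign({"name": "example.test", "type": "A", "ttl": 300,
                   "rdata": ["203.0.113.10"]})
    rewritten = filtering_resolver(honest, {"example.test"})
    stripped = {k: v for k, v in rewritten.items() if k != "rrsig"}
    return {
        "honest": validate(honest),
        "rewritten": validate(rewritten),
        "stripped": validate(stripped),
        "legacy_sees": legacy_client(rewritten),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} {result}")
```

The validating client cannot tell a court-ordered rewrite from a cache-poisoning attack; both arrive as data that does not match the zone's signature.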
Re: Re:
As a result, each of those routers along the way has to be at minimum reprogrammed not to filter oversized packets, and in many cases, may not be able to handle oversized UDP packets (which they handle separately from other traffic to speed them up).
Safe to say that DNSSEC, even without SOPA, wouldn't be here much before 2020.
It would also appear that DNSSEC was designed with the intent of hurting the ability for anyone to control or filter the net in any manner, and that itself may be enough of a reason not to go down that road.
[ link to this | view in chronology ]
Re: Re: Re:
If that's the design intention of DNSSEC then I want to go down that road as fast as we can.
On the other hand if SOPA/PIPA wants to break that road then it's better avoided. If the statement from Sandia Labs is anything to go by, the proposal is not only easily circumvented but may also have commercial and military consequences for the United States.
Europe won't follow suit, Canada won't, Japan won't, China doesn't care and, in fact, the only country I can think of that might is that already dangerously censorious country known as Australia.
In the age of the Internet the United States isn't an island and can't be. Doing things like this hurts the US more than it does anyone else. Consequently it doesn't help the *AA's one bit as it's inconsequential to work around what they propose.
Ironic, don't you think?
[ link to this | view in chronology ]
Re:
Barn-the Internet
Rats-infringers
Get it?
[ link to this | view in chronology ]
ARIN probably will be forced to remove contact information and IP address from its database, meaning not even they will be able to find out who is who LoL
That is just marvelous.
[ link to this | view in chronology ]
The Internet itself is IP
(self deluded individual who believes that government is "of the people, for the people by the people" )
[ link to this | view in chronology ]
You could also just skip DNS altogether.
[ link to this | view in chronology ]
Your pop quiz du jour
1. What is the difference between an authoritative resolver and a recursive resolver?
2. How does DNS cache poisoning work?
3. What does NXDOMAIN mean, and when does it mean it?
4. What are the DNS requirements for a mail server?
5. What is the relationship between the TTL value and DNS caching?
6. Presuming you're using the ISC BIND distribution, what is the best command-line program to use in order to find out DNS information?
7. What is a lame delegation?
8. What would one expect to see in the DNS A records for a multi-homed host?
9. What command-line tools do you use to trace the hierarchy of reverse DNS assignment?
10. What does "fast flux" mean, and why do we care?
[ link to this | view in chronology ]
Re: Your pop quiz du jour
Yeah? Did I win?
[ link to this | view in chronology ]
Re: Your pop quiz du jour
Do I win anything? ;-)
[ link to this | view in chronology ]
Re: Your pop quiz du jour
I say anyone who can think of one easy way to bypass this proposed regime and realizes the importance of a single root DNS for commerce and internet stability has every right to comment.
[ link to this | view in chronology ]
"SOPA supporters question Google's blocking of website
By Jennifer Martinez
11/18/11 5:18 PM EST
Google and Public Knowledge are both opposed to online copyright legislation in Congress, but the search engine’s blocking of the public interest group’s website this week gave supporters of the bills some new ammunition.
For part of Friday, visitors who attempted to access Public Knowledge’s site via the Mozilla Firefox browser were greeted with a bold warning message that said visiting the site may harm their computers. Public Knowledge spokesman Art Brodsky said that the organization found a piece of malicious code was slipped onto the site and Google blocked access to the site because of this security threat.
The malware has since been scrubbed from Public Knowledge’s site. But the incident has motivated supporters of the two bills — the PROTECT IP Act in the Senate and Stop Online Piracy Act in the House — to ask why the search giant is objecting to taking the same action against so-called rogue sites that offer illicit copies of entertainment content and counterfeit goods when served with a court order.
“It does beg the question, if they do this on their own to prevent malware, couldn’t they do the same when a court tells them a domain name is being used to sell counterfeits or pirated works?” a Senate aide for a member who supports the PROTECT IP Act told POLITICO.
In response, Google pointed to the testimony of the company’s copyright counsel Katherine Oyama this week at the House Judiciary Committee hearing on the Stop Online Piracy Act.
“Google takes the problem of online piracy and counterfeiting very seriously, devoting our best engineering talent and tens of millions of dollars every year to fight it,” Oyama said.
She also noted that the search company has spent more than $60 million to remove online pirates from its ad services and processed Digital Millennium Copyright Act takedown requests for nearly five million items so far this year.
Public Knowledge’s site was accessible via Microsoft’s Internet Explorer and Apple’s Safari browsers, Brodsky said. The site became available via Firefox Friday afternoon.
Brodsky lauded Google for taking action to prevent Web visitors from picking up a virus.
Both Google and Public Knowledge are staunch opponents of the House and Senate bills. They have argued the bills would threaten constitutionally protected speech on the Web, discourage online innovation and ultimately not solve the problem of online piracy.
Google’s blocking of sites infected with malware and its objection to domain name blocking and filtering in the copyright legislation are “not analogous at all,” according to Brodsky.
“The situations are very different,” he said."
https://www.politicopro.com/go/?id=7428
[ link to this | view in chronology ]
Re:
Under SOPA I would need to start blocking you as an infringer, or risk having Techdirt shut down.
[ link to this | view in chronology ]
Re:
What a lying piece of shit slimeball.
Yeah, they're different alright: with piracy Google makes money.
Fuck off and die Google.
[ link to this | view in chronology ]
Oh good, then they should have no problem applying this to infringing content.
[ link to this | view in chronology ]
Re:
A voluntary list that users may or may not use and may or may not ignore based upon their choice. That is weaker than a DMCA notice.
[ link to this | view in chronology ]
Re:
But others would not do that, they would simply configure their DNS servers to be foreign servers that the US has no control over, which can expose people to problems.
Basically we are going back 30 years to a time when there was no authoritative DNS system and people were still developing the solutions they use today, but this time it will be decentralized so you muppets can't meddle with it.
[ link to this | view in chronology ]
Sandia is what is known as a GOCO, which stands for Government Owned Contractor Operated, that manages the Sandia National Laboratories for the Department of Energy, the latter, of course, being an executive agency. Having worked closely with Oak Ridge, Sandia, and other labs that have managed these various DOE facilities, it is nothing short of amazing that this letter appears to have bypassed the DOE. I rather suspect that both Lockheed Martin and the DOE are about to have some very interesting conversations (what I call "bonding sessions") with Mr. Napolitano. He may know a lot about technical matters, but does appear to be a bit naive about political matters.
[ link to this | view in chronology ]
If every ISP in the country agreed to shut down their network and show each user a page urging them to contact their congressmen demanding the end of net censorship bills, SOPA & PROTECT IP would be going through the shredder by the end of the day.
I don't think the government can legally force any private company to do business, can they? If every ISP did this, they wouldn't lose any customers to the competition, and unless I'm mistaken, it wouldn't cost them anything to not use their network for a few days. Of course there's always the risk that some people will cancel their accounts in protest, but would that really be an option for most people, especially if they have nowhere else to turn?
Sure, it's nice to say that the government doesn't give in to blackmail, but what choice would they have? They wouldn't have the resources to take over every ISP, and even if they did, how would that even be legal?
If a few web sites blacking out part of their pages (which I never even saw) can get half a million protest letters (or so I read) to congress, think what having every consumer level internet account shut down would do.
[ link to this | view in chronology ]
Because scribd is annoying
[ link to this | view in chronology ]