Paul Vixie Explains, In Great Detail, Why You Don't Want 'Policy Analysts' Determining DNS Rules

from the let-the-geeks-be-geeks-please dept

There's been plenty of talk, obviously, about the problems with SOPA and PIPA and how they treat DNS as a tool for blocking, despite the massive problems it causes for security efforts like DNSSEC. Every single working engineer who's spoken out on this issue (that we've seen, at least), has made this same point. We've even heard from techies within the government saying the same thing. And, of course, even Comcast itself (despite supposedly being in favor of the bill) proudly admits that DNS blocking is incompatible with DNSSEC. Even as the House and Senate are trying to punt on DNS issue, they still fully expect to put it in place at a later date, so it's important to discuss why it's a bad, bad idea.

So far, the "pro-SOPA/PIPA" folks haven't been able to find a legitimate working technologist who says that these plans make sense. Instead, they've brought out some "policy analysts" who have some basic technology background, but not a deep understanding of DNS. But, because they can toss around some tech terms, SOPA/PIPA supporters think they sound credible. However, in his latest post on the subject, Vixie walks through a step-by-step explanation for why each suggested method of DNS blocking won't work and/or breaks DNSSEC. Basically, these "policy analysts" keep suggesting different ways that they think DNS blocking could work, and Vixie explains why they're wrong each time, and points out the importance of actually having DNS engineers do DNS engineering -- not policy analysts.

For example an early draft of this legislative package called for DNS redirection of malicious domain names in conflict with the end-to-end DNS Security system (DNSSEC). Any such redirection would be trivially detected as a man in the middle attack by secure clients and would thus be indistinguishable from the kind of malevolent attacks that DNSSEC is designed to prevent. After the impossibility of redirection was shown supporters of PIPA and SOPA admitted that a redirection (for example, showing an "FBI Warning" page when an American consumer tried to access a web site dedicated to piracy or infringement) was not actually necessary. Their next idea was no better: to return a false No Such Domain (NXDOMAIN) signal. When the DNS technical community pointed out that NXDOMAIN had the same end-to-end security as a normal DNS answer and that false NXDOMAIN would be detected and rejected by secure clients the supporters SOPA and PIPA changed their proposal once again.

The second to latest idea for some technologically noninvasive way to respond to a DNS lookup request for a pirate or infringing domain name was "just don't answer". That is, simulate network loss and let the question "time out". When the DNS technical community explained that this would lead to long and mysterious delays in web browser behavior as well as an increased traffic load on ISP name servers due to the built in "retry logic" of all DNS clients in all consumer facing devices, we were ignored. However when we also observed that a DNSSEC client would treat this kind of "time out" as evidence of damage by the local hotel or coffee shop wireless gateway and could reasonably respond by trying alternative servers or proxies or even VPN paths in order to get a secure answer, the supporters of SOPA and PIPA agreed with this and moved right along.

The latest idea is to use the Administrative Denial (REFUSED) response code, which as originally defined seemed perfect for this situation. To me this latest proposal as well as the road we've travelled getting to this point seems like an excellent example of why network protocols should be designed by engineers....

And yet... it's not being designed by DNS engineers at all. It's being designed by policy people, with a smattering of help from some former technologists who don't really understand DNS. That seems like a pretty big problem.

Filed Under: blocking, dns, dnssec, paul vixie, pipa, policy, protect ip, sopa, technology

Paul Vixie: SOPA/PIPA Would Be Good For My Business, But I'm Still Against It

from the the-toothpaste-will-come-out-somewhere dept

Last night, there was an interesting panel at Stanford discussing many of the problems with SOPA. It covered a lot of the ground that we've covered here over the past few months, but there were a few interesting moments. Paul Vixie, who has been a very vocal opponent to DNS blocking, explained why it wouldn't work, and how it would cause a lot of other problems... but he also noted that he was probably going against his own self-interest in making this argument. That's because the problems caused by SOPA/PIPA's DNS blocking would need fixing... and he suggests lots of folks would come to his company and pay for fixes. So it's a pretty principled stand by Vixie.

A separate point that was raised by Mark Lemley early on was that this argument that those in the US simply can't go after foreign sites is ridiculous. Under existing law, it's happened plenty of times in the past where copyright holders have gone after sites and companies based outside of the US and dragged those folks into US courts.

The vast majority of the evening proceeded with the implicit assumption that everyone there was categorically opposed to SOPA... but towards the end two execs from Paramount Pictures made it known they were there, and they were very much on the other side. The temperature in the room must have dropped 20 degrees when that happened. To be honest, the panel itself might have had a few more fireworks (though likely wouldn't have been that productive) if there had been a SOPA supporter on the panel itself. Of course, the Paramount guys, in typical Hollywood fashion, made a bunch of false assumptions. Perhaps the best part was when one of them challenged venture capitalist Albert Wenger by claiming that the companies in his portfolio used intellectual property laws to protect their business: to which Wenger immediately shot back that they did not, and that they didn't support such things at all. Instead, he noted that the companies his firm (Union Square Ventures) invests in tend to win in the marketplace by competing and winning. He noted that even if they completely gave away the source code of Tumblr (one of USV's investments), it wouldn't matter. In fact, he pointed out that another company had copied Tumblr feature-for-feature... but they couldn't get users. The point is clear, and it's the same point we've made here for years: focusing on copyright to protect yourself is not a good business model, and not something they invest in. Instead, they focus on things that can succeed by executing even if someone copies them line for line.

Finally, there was an entertaining moment when Andrew Bridges asked the Paramount guys exactly how many sites they saw as a problem. Because, he noted, other studio execs from some of the big Hollywood studios had given him numbers between 10s and a few hundred. And, he noted, if it's just such a small number of sites, then why create massive regulatory issues for the entire internet, rather than trying to deal with the sites. The problem is that Hollywood wants control over much more than what's really "the worst of the worst." However, when someone suggested it was "a couple hundred" sites that were problems, Mark Lemley pointed out that then they should be all done, because ICE has already seized 450 domains.

All in all it was an interesting evening. The specific discussions on the problems of DNS blocking were particularly enlightening. It's why when the House had its ridiculously one-sided hearing on SOPA last month -- in which not a single panelist knew anything about DNS -- they should have had someone like Paul Vixie there to explain the basics of why SOPA and PIPA are bad ideas that won't fix things and will likely make things worse.

There was one metaphor that was used repeatedly through the evening, and it's really quite apt. People kept noting that "the toothpaste is just going to come out somewhere else." It's a good way of noting the unintended consequences here. Plugging this "hole" and then putting pressure on sites may stop certain actions, but it won't deal with the real issue that Hollywood is facing. In fact, it's likely to cause more problems, as the toothpaste squirts out somewhere else, unexpectedly.

Filed Under: dns, dnssec, paul vixie, protect ip, sopa, unintended consequences

Paul Vixie Explains How PROTECT IP Will Break The Internet

from the not-cool-folks dept

It's pretty difficult to question Paul Vixie's credibility when it comes to core internet infrastructure. Creator of a variety of key Unix and internet software, he's still most known for his work on BIND, "the most widely used DNS software on the internet." So you would think that when he and a few other core internet technologists spoke up about why PROTECT IP would break fundamental parts of the internet, people would pay attention. Tragically, PROTECT IP supporters, like the MPAA, appear to be totally clueless in arguing against Vixie. Their response is basically "it's fine to break the internet to evil rogue sites."

That, of course, is missing the point. It's not that anyone's worried about breaking the internet for those sites. It's that it will break fundamental parts of the internet for everyone else as well. And... it will do this in a way that won't make a dent in online infringement. Afterdawn sat down with Vixie who gave a clear and concise explanation of why PROTECT IP is a problem. The biggest issue is how it will impact DNSSEC, which adds encrypted signatures to DNS records to make sure that the IP address you're getting is authentic. You want that. Without that, there are significant security risks. But PROTECT IP ignores that.

Explained simply, for DNSSEC to work, it needs to be able to route around errors. But the way PROTECT IP is written, routing around errors will break the law:

Say your browser, when it's trying to decide whether some web site is or is not your bank's web site, sees the modifications or hears no response. It has to be able to try some other mechanism like a proxy or a VPN as a backup solution rather than just giving up (or just accepting the modification and saying "who cares?"). Using a proxy or VPN as a backup solution would, under PROTECT IP, break the law.

And, of course, none of these DNS efforts will actually stop infringement. As the Afterdawn article notes: "Bypassing DNS filtering is trivially easy. All you need to do is configure your computer to use DNS servers outside the US which won't be affected by the law."

And while supporters of PROTECT IP insist that there's nothing to worry about because it only impacts those "foreign websites," that's misleading in the extreme. PROTECT IP will impact a ton of US-based technology companies. First, if we have a less secure internet, that's going to be a problem for obvious reasons. Additionally, the way the law works is that it puts a direct burden on US companies to figure out ways to block sites declared rogue (you know, like the Internet Archive and 50 Cent's personal website), or face liability. This will increase both compliance and legal costs.

In the last few months we've been hearing from more folks in the startup world who are really concerned about the excessive burdens PROTECT IP is going to put on them. If you're an entrepreneur who's worried about this, we'd like to hear about it. Please contact us.

Filed Under: break the internet, dns, dnssec, paul vixie, protect ip, unintended consequences

Why PROTECT IP Breaks The Internet

from the collateral-damage dept

Last year, after the entertainment foisted COICA on an unsuspecting public, Paul Vixie -- a guy you should listen to when he's concerned about the technical impact of something on the internet -- explained why COICA's reliance on DNS block was incredibly stupid. Not only would it not work, but it would fundamentally fracture the way the internet works, creating massive collateral damage. Last week, when the Senate Judiciary Committee pushed forward with PROTECT IP, we mentioned in passing a new report from Vixie and other internet technology gurus explaining why PROTECT IP's focus on the DNS system would cause tremendous damage. While we had mentioned it, lots of folks keep submitting it, and judging from the ridiculous claims of those in favor of PROTECT IP, the folks in DC pushing for this bill are apparently still ignorant of what the report says -- so we're posting about it again. The report, titled Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill (pdf) is worth a read. The five authors are incredibly well respected, and the entertainment industry folks who are trying to claim this paper can be ignored are going to come out of this looking quite silly.

These are concerns that shouldn't be taken lightly. The paper's authors also make it clear that they're not in favor of infringement, and in fact support enforcement of IP laws. They just recognize that this particular solution is dumb and counterproductive:

Two likely situations ways can be identified in which DNS filtering could lead to non-targeted and perfectly innocent domains being filtered. The likelihood of such collateral damage means that mandatory DNS filtering could have far more than the desired effects, affecting the stability of large portions of the DNS.

First, it is common for different services offered by a domain to themselves have names in some other domain, so that example.com’s DNS service might be provided by isp.net and its e-mail service might be provided by asp.info. This means that variation in the meaning or accessibility of asp.info or isp.net could indirectly but quite powerfully affect the usefulness of example.com. If a legitimate site points to a filtered domain for its authoritative DNS server, lookups from filtering nameservers for the legitimate domain will also fail. These dependencies are unpredictable and fluid, and extremely difficult to enumerate. When evaluating a targeted domain, it will not be apparent what other domains might point to it in their DNS records.

In addition, one IP address may support multiple domain names and websites; this practice is called “virtual hosting” and is very common. Under PROTECT IP, implementation choices are (properly) left up to DNS server operators, but unintended consequences will inevitably result. If an operator or filters the DNS traffic to and from one IP address or host, it will bring down all of the websites supported by that IP number or host. The bottom line is that the filtering of one domain name or hostname can pull down unrelated sites down across the globe.

Second, some domain names use “subdomains” to identify specific customers. For example, blogspot.com uses subdomains to support its thousands of users; blogspot.com may have customers named Larry and Sergey whose blog services are at larry.blogspot.com and sergey.blogspot.com. If Larry is an e-criminal and the subject of an action under PROTECT IP, it is possible that blogspot.com could be filtered, in which case Sergey would also be affected, although he may well have had no knowledge of Larry’s misdealings. This type of collateral damage was demonstrated vividly by the ICE seizure of mooo.com, in which over 84,000 subdomains were mistakenly filtered.

The defenders of propping up the business models of dying industries will brush these unintended consequences as no big deal or a "small issue" at the expense of "saving" the entertainment industry. This is because they don't understand the technology at play, the First Amendment or the nature of collateral damage. It's pretty ridiculous in this day and age that we still have to deal with technically illiterate "policy people" and politicians trying to regulate technology they clearly have little knowledge about. Only those who don't understand the technology think the collateral damage described above is minimal.

Filed Under: dns, internet, paul vixie, protect ip

Paul Vixie Explains Why COICA Is A Really Dumb Idea

from the read-and-learn dept

If you don't know who Paul Vixie is, you should. When Vixie speaks about something concerning the underlying state of the internet -- or, more specifically, a ridiculously stupid government plan to do something involving the underlying state of the internet, you should listen. On that front, Vixie is now explaining why the proposed COICA bill is incredibly short-sighted and will fail miserably. He focuses on the requirements to block sites at the DNS level that the Justice Department has declared to be "dedicated to infringing content." As Vixie notes, people who don't understand the internet will think that this will stop access to pirated material. People who understand how the internet works realize what it will really do is drive people to alternative DNS systems. He lays out the rather likely scenario of what happens the second COICA passes, in which an alternative DNS system is set up, perhaps by folks associated with The Pirate Bay, and set up in a way that is compelling:

First, they'd decide in advance to mirror the IANA DNS system as closely as possible. Anything that appeared in the IANA DNS system would automatically and instantaneously appear in the Pirate Bay DNS system. If ICANN goes ahead and creates a lot of new TLDs then all of those new TLDs would appear in the Pirate Bay DNS system as well, all pointing at ICANN's chosen registrars. In other words no existing DNS content would be overridden (or dare I say: "pirated".)

Second, they'd pick some new TLD that they wanted to create in the Pirate Bay DNS system that would serve their business needs and would be extremely unlikely to ever conflict with any future IANA TLD. For this I'm thinking .PIRATE or .PIRATEBAY or .ARGHHH but that's a decision best left up to the artistic team. For now let's assume that they chose .PIRATE so that their second level domain names would be content names like TORRENTS.PIRATE or ITS-A-WONDERFUL-LIFE.PIRATE.

It goes on from there. I won't go through all the details he lays out (go there and read it yourself), but he basically concludes that this can be done quickly and cheaply. Of course, he may not know that plans for something along these lines have already been in motion for some time.

His basic point is that COICA won't work. At all. In fact, the growth and acceptance of such alternative DNS systems will break a big part of the internet, potentially in dangerous ways:

My greatest worry is what people will do to bypass all this junk or to prevent other people from bypassing it. My fellow humans are a proud and occasionally adversarial bunch and they don't like being told what they can't do or what they have to do. The things we'll all be doing to bypass the local DNS restrictions imposed by our coffee shops or our governments or our ISPs will break everything. Where this ends is with questions like "which DNS system are you using?" and "which DNS systems is your TLD in?" which in other words means that where this ends is a world without universal naming. We adopted DNS to get universal naming, and today we have universal naming except inside Network Address Translation (NAT) borders. Universal naming is one of the reasons for the Internet's success and dominance. If we're going to start doing stuff like COICA then we should have stuck with a "hosts file" on every Internet connected computer and let every connected device decide for itself what names it recognized.

So his recommendation is not to even try with COICA, but he recognizes the US government seems to want to move forward with it. He's pretty clearly warning that it's going to be a huge mistake with tremendous unintended consequences. Now, the only question is whether or not anyone in the US government will actually listen, or will they blithely move forward not realizing the almost obvious reaction to their initial actions? As so often happens with governments, they seem to forget that any move causes a reaction. COICA is a big move that most people pushing for it do not understand at all.

Filed Under: break the internet, coica, dns, paul vixie, unintended consequences