[LINK] CIA honeypot WikiLeaks mirror - retracted

Tom Koltai tomk at unwired.com.au
Mon Dec 13 14:59:42 AEDT 2010



> -----Original Message-----
> From: Glen Turner [mailto:gdt at gdt.id.au] 
> Sent: Monday, 13 December 2010 11:18 AM
> To: Tom Koltai
> Cc: The Link Institute
> Subject: Re: [LINK] CIA honeypot WikiLeaks mirror - retracted
> 
> 
> On Sun, 2010-12-12 at 14:37 +1100, Tom Koltai wrote:
> > Well depending on the peering agreements one has with the various 
> > switches in the exchanges, not very hard at all. Access to the switch 
> > backplane is a relatively trivial exercise.
> 
> It is not trivial. Even if it were done, put bluntly, our 
> technical people are better than theirs (for a start, we pay 
> them more) and discovery is only a matter of time. An 
> Australian agency acting that way would destroy the trust 
> required for the operation of the interception arrangements, 
> to the detriment of Australian society.

I regret I must disagree.
My comments are based on observations of breaches on a certain popular
widely deployed Gb switch.

> 
> > Earlier this year I was laughed at for suggesting that Australia 
> > needed to run its own Root Server.
> 
> We do run our own root server.

It's a copy of the J (Telstra) and the F servers and updated
automatically, including any "discreet" policy changes.

Unless of course the Australian mirror has automatic updates turned off
and is manually fed (by several people) in which case, I am content.

> 
> But you have confused the technical and the political. The 
> root servers only point to the servers for the next level 
> down .au, .com., .edu and so on. Whilst running a root server 
> enhances the stability of the internet, it doesn't achieve 
> the policy outcome you desire.
> 
> What you desire is the ability to augment the official zones 
> with additions or deletions. That is, "split DNS". Only one 
> country has deployed that -- China. It was one of the 
> technical approaches to implementing Internet filtering in 
> Australia -- it was the preferred solution by Telstra. So in 
> future years you may yet get your wish. Personally, I'm happy 
> enough for the US to control a small proportion of the DNS 
> namespace as opposed to Australia having full control of the 
> DNS as seen by Australians implemented by using a 
> filtering-ready DNS infrastructure.
> 
Actually, I was aware of the Filter implication, but in the heat of
battle (so to speak) forgot about the downside of having a single point
of delegation.
Which would suggest that a Distributed system as per the following
proponent submissions, might be appropriate. 

Serving DNS using a Peer-to-Peer Lookup Service
http://www.cs.rice.edu/Conferences/IPTPS02/178.pdf Circa June 1995
(Based on Chord)

P2PNS: A Secure Distributed Name Service for P2PSIP, Ingmar Baumgart,
Proceedings of the Sixth Annual IEEE International Conference on
Pervasive Computing and Communications (PerCom 2008), Hong Kong, China,
p. 480-485, Mar 2008.
http://doc.tm.uka.de/2008/P2PNS_2008.pdf

With the paper specifying:

Quote/
Requirements
The name service P2PNS should fulfill the following requirements:
- The name service should not be limited to P2PSIP, but
  also support e.g. distributed DNS. Therefore the name
  service should be independent from the SIP protocol.
- The P2PNS architecture should be completely decentralized.
  In particular it should not depend on any centralized
  login servers or other trustworthy authorities.
- The user should be able to choose an arbitrary AoR.
- P2PNS should provide mechanisms to guarantee the
  uniqueness of AoRs and prevent identity theft.
/Quote


Tom



