China, the US and cybersecurity: is Mandiant promoting a Cold War mentality?

The release of the Mandiant report on "Advanced Persistent Threat 1" (APT1) marked a watershed in US-China relations on cybersecurity. We are glad the security company released the report: it is good that we are now discussing specific allegations backed with specific items of evidence instead of vague accusations about...

The routing security battles intensify

An important debate about the implications of BGPSEC - a new protocol that would use a hierarchical Resource Public Key Infrastructure (RPKI) to validate Internet route announcements - is taking place in the IETF's Secure Inter-domain Routing (SIDR) Working Group. It's a highly technical discussion, but its significance for Internet governance...

Of canaries and coal mines: What happened at VeriSign?

Too many techies still don't understand the concept of due process, and opportunistic law enforcement agencies, who tend to view due process constraints as an inconvenience, are very happy to take advantage of that. That's the lesson to draw from VeriSign's sudden withdrawal of a proposed new “domain name anti-abuse policy” yesterday.

Russia & China propose UN General Assembly Resolution on “information security”

On September 12 China, the Russian Federation, Tajikistan and Uzbekistan released a Resolution for the UN General Assembly entitled “International code of conduct for information security.” The resolution proposes a voluntary 12-point code of conduct based on “the need to prevent the potential use of information and communication technologies for purposes that are inconsistent with the objectives of maintaining international stability and security and may adversely affect the integrity of the infrastructure within States…” The Code seems to be intended to preserve and protect national sovereignty in information and communication.

“Do not complicate routing security with Voodoo Economics”

That was the eye-catching subject line in a recent note from Randy Bush to the North American Network Operators Group (NANOG) about secure Border Gateway Protocol (S-BGP). His note critiqued a paper, Let the Market Drive Deployment: A Strategy for Transitioning to BGP Security, which was presented recently at SIGCOMM and NANOG meetings. The paper argued that under certain conditions, the transition to secure Internet routing could be driven by ISPs' incentive to increase their revenue-generating traffic. But as Bush noted, focusing on the economic incentives affecting ISP routing decisions in light of S-BGP may be missing the point. For him, the problem of secure routing deployment is grounded in economic and institutional issues around RPKI, something we identified in a paper earlier this year. While there certainly is a need to understand the micro-foundations surrounding adoption of Internet security standards like RPKI, S-BGP or DNSSEC, understanding and resolving the institutional problems must happen simultaneously.

The new Kaminsky bug

Dan Kaminsky seems to have rocked the cyber-world with a presentation at Black Hat in Las Vegas. The security expert received a massive amount of publicity for “releasing” – er, talking about – a free software tool he is calling N00ter. N00ter is supposed to be incredibly exciting because it can detect when an Internet service provider (ISP) is slowing down or speeding up traffic to and from a website.

We found it really hard to get excited about this.

ICANN’s new “Chief Security Officer”

Jeff Moss is famous in the security community as the founder of DEF CON and Black Hat. He is in Internet governance news today because ICANN has just hired him as its new “Chief Security Officer.” The corporation has issued a self-congratulatory news release, prepared by its London public relations firm, in which various prominent people effusively praise the hire. We offer up our own observations and a cautionary note.

No joke: .com zone is DNSSEC signed

As expected, VeriSign placed its key material in the root zone yesterday. Secure resolvers can now authenticate the .com key starting from the root zone and validate DNSSEC secured domains in the .com zone. Certainly a big accomplishment for the technical community. But a big question still remains – is there any incentive for resolvers to validate?