Friday, August 15, 2008

Experts Accuse Bush Administration of Foot-Dragging on DNS Security Hole

Despite a recent high-profile vulnerability that showed the net could be hacked in minutes, the domain name system -- a key internet infrastructure -- continues to suffer from a serious security weakness, thanks to bureaucratic inertia at the U.S. government agency in charge, security experts say.

If the complicated politics of internet governance continue to get in the way of upgrading the security of the net's core technology, the internet could turn into a carnival house of mirrors, where no URL or e-mail address could be trusted to be genuine, according to Bill Woodcock, research director at the nonprofit Packet Clearing House.

"The National Telecommunications and Information Administration, an agency of the Department of Commerce, is the show-stopper here," Woodcock said.

At issue is the trustworthiness of the domain name system, or DNS, which serves as the internet's phone book, translating queries such as into the numeric IP address where the site's server lives.

Just weeks ago, security researcher Dan Kaminsky announced he'd discovered a way for hackers to feed fake info into DNS listings, which would allow hackers to redirect web traffic at will -- for example, routing every person attempting to log in to the Bank of America to a fake site controlled by the attacker.

Kaminsky quietly worked with large tech companies to build patches for the net's name servers to make the attack more difficult. But security experts, and even the NTIA, say those patches are just temporary fixes; the only known complete fix is DNSSEC -- a set of security extensions for name servers.

Those extensions cryptographically sign DNS records, ensuring their authenticity like a wax seal on a letter. The push for DNSSEC has been ramping up over the last few years, with four regions -- including Sweden (.SE) and Puerto Rico (.PR) -- already securing their own domains with DNSSEC. Four of the largest top-level domains -- .org, .gov, .uk and .mil -- are not far behind.

But because DNS servers work in a giant hierarchy, deploying DNSSEC successfully also requires having someone trustworthy sign the so-called "root file" with a public-private key pair. Otherwise, an attacker can undermine the entire system at the root level, like cutting down a tree at the trunk. That's where the politics comes in. The DNS root is controlled by the Commerce Department's NTIA, which thus far has refused to implement DNSSEC.

The NTIA brokers the contracts that divide the governance and top-level operations of the internet between the nonprofit ICANN and the for-profit VeriSign, which also runs the .com domain.

"They're the only department of the government that isn't on board with securing the Domain Name System, and unfortunately, they're also the ones who Commerce deputized to oversee ICANN," Woodcock said.

"The biggest difference is that once the root is signed and the public key is out, it will be put in every operating system and will be on all CDs from Apple, Microsoft, SUSE, FreeBSD, etc," says Russ Mundy, principal networking scientist at Sparta, Inc., which has been developing open-source DNSSEC tools for years with government funding. He says the top-level key is "the only one you have to have, to go down the tree."

A European networking group known as RIPE called in June 2007 for the root to be signed, with Swedish and British representatives echoing the call in October. But NTIA is not moving quickly enough to sign the root, given the looming threat, even after the final technical problems have been resolved, according to Woodcock and others.

"A few years ago, there were still technical hurdles to actually signing and using DNSSEC, but in the past few years, a lot of software tools, both commercial and open-source, have come out, and now it's a completely solved problem," Woodcock said. "All that's left is the far less tractable, purely political problem."

"Arguing over who gets to hold the cryptographic keys in the long run [should] wait until we're not facing a critical threat," Woodcock said.

But the NTIA insists it is moving at just the right pace.

"We are committed to taking no action that would have the potential to adversely affect the operational stability of the DNS," says spokesman Bart Forbes. "While there is increasing pressure to secure the DNS, NTIA must work with all stakeholders and consider all possible solutions."

Olaf Kolkman, a Dutch networking expert, says there's no time to waste. The only way for DNSSEC to work is for the top-level zone file -- which lists the specifics for top-level domains like .gov -- to be signed by a trusted authority.

"Currently DNSSEC is the only mechanism known to protect against the Kaminsky attack," Kolkman said. "It is not clear that other solutions will provide the same level of protection as DNSSEC."

Without such extensions, a hacker eager for trade secrets could hijack the DNS listing for Apple's e-mail server and insert the address of a server he controls instead. He could then keep a copy of every message sent to the company and forward them all. No one would likely be any wiser until a human looked closely at the mail headers.

Still, even DNSSEC's most fervent backers admit that signing the root won't instantly secure the net. Installing the extensions internet-wide will be costly and time-intensive, but proponents say that getting the root signed will turbocharge the process.

The Internet Assigned Numbers Authority -- which coordinates the internet -- has been prototyping a system to sign the root-zone file for the last year, but they can't do the same for the internet's top servers without approval from the Department of Commerce.

That's where the rub is, according to Kolkman.

"Then the issue becomes political because there seems to be the perception that the introduction of a key guardian changes the current policies," Kolkman said.

That could also simplify how top-level zone files are created, according to Richard Lamb, a technical expert at IANA. Currently companies that manage top-level domains like .com submit changes to ICANN, which then sends them to NTIA for approval, before they're forwarded to VeriSign. VeriSign actually edits the root file and publishes it to the 13 root servers around the world.

"We would want to bring the editing, creation and signing of the root zone file here," to IANA, Lamb said, noting that VeriSign would likely still control distribution of the file to the root servers, and that there would be a public consultation process to confirm that the change was right for the net.

But changing that system could be perceived as reducing U.S. control over the net -- a touchy geopolitical issue. ICANN is often considered by Washington politicians to be akin to the United Nations, and its push to control the root-zone file could prompt the U.S. to give more control to VeriSign, experts say.

VeriSign did not respond to a request for comment, but its CTO said earlier this year that it was creating its own root-zone file-signing test bed.

The root-zone file, which contains entries for the 300 or so top-level domains such as .gov and .com, changes almost every day, but the number of changes to the file will likely increase radically in the near future, since ICANN decided in June to allow an explosion of new top-level domain names.

Woodcock isn't buying the assurances of NTIA that it is simply moving deliberatively.

"If the root isn't signed, then no amount of work that responsible individuals and companies do to protect their domains will be effective," Woodcock said. "You have to follow the chain of signatures down from the root to the top-level domain to the user's domain. If all three pieces aren't there, the user isn't protected."
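The chain Woodcock describes (root signs the top-level domain's key, the top-level domain signs the user's domain's key, the domain signs its own records) can be walked in a few dozen lines. The following is an added example, not code from the article or from any DNSSEC implementation: it models DNSKEY, DS and RRSIG records for the three links with a textbook RSA stand-in built on known Mersenne primes (an assumption made so the block runs offline with the standard library; it is not a real DNSSEC algorithm), then checks four constructed cases: an honest chain, a forged A record of the kind the Kaminsky attack injects, a top-level key substituted by an attacker who lacks the root key, and a root for which no trust anchor was ever published. Zone names and addresses are constructed for illustration.

```python
import hashlib

# Toy RSA over known Mersenne primes, textbook form with no padding. It stands in
# for a real RRSIG algorithm only so the chain of signatures can be walked offline
# (assumption of this example); it is not fit for any other use.
MERSENNE = {k: 2 ** k - 1 for k in (31, 61, 89, 107, 127, 521)}


def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def pub(key):
    return {"n": key["n"], "e": key["e"]}


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])


def verify(pubkey, data, sig):
    return pow(sig, pubkey["e"], pubkey["n"]) == _digest(data, pubkey["n"])


# The three links named in the article: root, top-level domain, user's domain.
CHAIN = [".", "com.", "example.com."]


def dnskey_rdata(zone, key):
    return f"{zone} DNSKEY {key['e']} {key['n']}".encode()


def ds_digest(zone, key):
    # A DS record is published in the parent and is a hash of the child's DNSKEY;
    # the parent's signature over that DS is what binds the child key to the chain.
    return hashlib.sha256(dnskey_rdata(zone, key)).hexdigest()


def build_zones(keys):
    """Produce what a resolver fetches: each zone's DNSKEY with its RRSIG, the DS
    for its child with an RRSIG, and a signed A record at the leaf."""
    zones = {}
    for i, zone in enumerate(CHAIN):
        k = keys[zone]
        z = {"DNSKEY": pub(k), "RRSIG(DNSKEY)": sign(k, dnskey_rdata(zone, k))}
        if i + 1 < len(CHAIN):
            child = CHAIN[i + 1]
            z["DS"] = ds_digest(child, keys[child])
            z["RRSIG(DS)"] = sign(k, f"{child} DS {z['DS']}".encode())
        zones[zone] = z
    leaf = CHAIN[-1]
    owner, addr = f"www.{leaf}", "192.0.2.10"          # constructed record
    zones[leaf]["A"] = (owner, addr)
    zones[leaf]["RRSIG(A)"] = sign(keys[leaf], f"{owner} A {addr}".encode())
    return zones


def validate(zones, trust_anchor):
    """Walk root -> TLD -> domain -> record. Returns (status, reason); status is
    'secure', 'bogus' (a signature or DS failed) or 'insecure' (no root anchor)."""
    if trust_anchor is None:
        return "insecure", "no trust anchor for the root: nothing to chain from"
    expected_ds = None
    for i, zone in enumerate(CHAIN):
        z = zones[zone]
        key = z["DNSKEY"]
        if i == 0:
            if key != trust_anchor:
                return "bogus", "root DNSKEY does not match the trust anchor"
        elif ds_digest(zone, key) != expected_ds:
            return "bogus", f"DNSKEY of {zone} does not match the DS in its parent"
        if not verify(key, dnskey_rdata(zone, key), z["RRSIG(DNSKEY)"]):
            return "bogus", f"bad RRSIG over DNSKEY of {zone}"
        if i + 1 < len(CHAIN):
            child = CHAIN[i + 1]
            if not verify(key, f"{child} DS {z['DS']}".encode(), z["RRSIG(DS)"]):
                return "bogus", f"bad RRSIG over DS for {child} in {zone}"
            expected_ds = z["DS"]
    leaf = zones[CHAIN[-1]]
    owner, addr = leaf["A"]
    if not verify(leaf["DNSKEY"], f"{owner} A {addr}".encode(), leaf["RRSIG(A)"]):
        return "bogus", "A record does not verify: forged answer"
    return "secure", f"{owner} -> {addr}"


def scenarios():
    """Constructed cases: honest chain, forged A record (the Kaminsky outcome),
    attacker-substituted TLD key, and a root with no published anchor."""
    m = MERSENNE
    keys = {".": make_key(m[521], m[127]), "com.": make_key(m[107], m[89]),
            "example.com.": make_key(m[61], m[31])}
    anchor = pub(keys["."])
    good = build_zones(keys)

    forged = build_zones(keys)                       # cache-poisoned address, old RRSIG
    forged["example.com."]["A"] = ("www.example.com.", "198.51.100.66")

    # Attacker re-signs com. and below with their own keys but has no root key, so
    # the DS the root publishes still names the genuine com. key.
    evil = build_zones({**keys, "com.": make_key(m[127], m[31]),
                        "example.com.": make_key(m[521], m[61])})
    spliced = {".": good["."], "com.": evil["com."], "example.com.": evil["example.com."]}

    return {"honest": validate(good, anchor)[0],
            "forged_a_record": validate(forged, anchor)[0],
            "substituted_tld_key": validate(spliced, anchor)[0],
            "unsigned_root": validate(good, None)[0]}


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:22s} {status}")
```

The last case is the one the article turns on: with no trust anchor for the root, the validator has nothing to start from and the answer is merely "insecure" no matter how carefully .com and example.com. signed their zones, which is exactly Woodcock's point that the lower two pieces are ineffective until the root is signed.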

Windows apps on Linux the CrossOver way

Who says you have to give up your must-have Windows applications when you migrate to Linux? If you can't leave some crucial Windows program behind, you can run it using CodeWeavers' latest version of CrossOver Linux.

Though today there are many great Linux end-user applications, some people still have "must-have" Windows applications -- Quicken instead of GnuCash, for instance, or Photoshop instead of the GIMP. That's where CrossOver Linux 7 comes in.

With this new version, you can run more Windows programs on Linux than ever. Such popular Windows programs as Microsoft Office -- from 97 to 2007 -- Internet Explorer 6, and Quicken run almost as well on Linux as they do on Windows. Other programs, like Adobe Photoshop CS3, run decently albeit not perfectly on Linux with CrossOver.

CrossOver is based on the open source project Wine, an implementation of the Windows API on top of the Unix/Linux operating system family. Wine is a very mature project, which, after 15 years of development, has reached the 1.0 mark.

You don't need CrossOver Linux to run Windows applications on Linux. Wine alone is enough. Wine, however, requires more technical expertise to use properly. What CrossOver gives you is an automated Windows application installation and technical support. For most users, who just want to run their Windows programs and not bother with the nuts and bolts of Wine, CrossOver Linux, which retails for $40, is worth the money. CodeWeavers also offers CrossOver Mac, which brings the same functionality to Intel-powered Macs.

To see how well this Wine 1.0-powered edition of CrossOver Linux works I tested it on two systems. The first was my main openSUSE 11 desktop, a Hewlett-Packard Pavilion A6040N Desktop PC powered by a 1.86GHz Intel Core 2 Duo E6320 dual-core processor with 2GB of 533MHz RAM and a 320GB SATA (Serial ATA) hard drive running at 7200 RPM. It's a good 2007-era PC.

I also put CrossOver 7 through its paces on an older Gateway 503GR running Ubuntu 8.04. It comes with a 3GHz Pentium 4 CPU, 2GB of RAM, an ATI Radeon 250 graphics card, and a 300GB SATA drive. Both systems had more than enough raw horsepower to run Linux, CrossOver Linux, and multiple Windows and Linux applications simultaneously.

CrossOver requires very little from a system. CodeWeavers claims that any 32-bit system that runs at 200MHz can run CrossOver. The program will run on 64-bit systems, but only if they have the 32-bit compatibility library installed. CrossOver also requires that your Linux includes Glibc 2.3.x or greater and X11R6 3.3 or greater. XFree86 4 with XRender and FreeType support is recommended. The bottom line is any modern Linux can run CrossOver.

The program can be installed in several different ways. The sure-fire way of installing it on any Linux is to use its shell script. Once you have it installed, CrossOver presents you with a GUI that works equally well with both KDE and GNOME. Here, you choose which Windows applications you want to install from a supplied list of supported applications.

Installing Windows applications is a snap. It's a pick-and-click operation. You can also install non-supported applications. Some, such as my favorite HTML editor, NoteTab, even though not technically supported, will run, albeit with some problems.

You should also keep in mind that, while CodeWeavers is trying to support the most popular Windows applications on Linux, it doesn't support every program. Check the company's compatibility pages to see if anyone has tried to run your particular favorite program with CrossOver and how well it has gone for them.

Once in place, the supported Windows applications ran without a hitch. I spent most of my time working on Word 2003 documents, Excel 2003 spreadsheets, IE 6, and fairly complicated Quicken 2006 financial statements. The programs ran well. As a matter of fact they ran better on Linux than they did on Vista. Quicken, in particular, took better to CrossOver than it did to Vista. With a little research I found out that this was not just me. Vista is known to have trouble with several versions of Quicken.

Some Windows software runs better on Linux than it does on the latest version of Windows -- who knew?

CrossOver isn't perfect of course. While I was able to run Photoshop CS3, I sometimes had trouble rendering the CS3 interface. A screen refresh usually took care of the problem, but some users will doubtlessly find that annoying.

I would also sometimes need to force a screen refresh when one Windows application's window covered up another. When I'd reveal the "lower" application, the part of it that had been covered by the other Windows application wouldn't render properly. After doing anything with the new foreground application, such as running a command, the foreground program's screen reappeared as it should.

CodeWeavers also offers CrossOver Linux Professional, which costs $70, can be used for multiple users, and comes with CrossOver Games. This addition includes advanced support for DirectX, Microsoft's graphics application programming interfaces for games. With this, many Windows games will run well on Linux. I can personally attest that zapping your enemies and other baddies in World of Warcraft and Guild Wars is just as much fun on Linux as it is on Windows. CrossOver Games is also available separately for $40.

Not sure if CrossOver is right for you? You can download a free 30-day trial version of CrossOver Linux and a seven-day trial edition of CrossOver Games. You should find that more than enough time to see if these programs deliver the Windows goods for you.

Sharing 2999 Songs, 199 Movies Becomes ‘Safe’ in Germany

During the last few years the legal climate in Germany has become more and more weighted against file-sharers, with hundreds of thousands receiving threats of legal action. Based on information gathered by anti-p2p tracking outfits, an offense is reported which the public prosecution service is obliged to investigate due to the fact that copyright infringement is a criminal issue in Germany. The ISP of the alleged infringer would then be forced to hand over the personal details of those accused, who would then be threatened with legal action.

Very often the legal action is not carried out, but the threats are used as leverage to get 'compensation' from the alleged infringer to hand to the rights holder. It seems that the legal system in Germany has had enough of this 'abuse' of the criminal law system for 'civil' monetary gain.

In an interview with, prosecutors from the North Rhine-Westphalia area state that those sharing files for personal, non-commercial uses will no longer be the target of a lawsuit.

Christian Solmecke, a lawyer working at lawyers Wilde & Beuger and currently defending around 500 file-sharers against the German music industry told TorrentFreak: “That means, that the music industry in Germany has no chance to find out the real address behind an IP-address at the moment,” which is clearly a major obstacle for someone looking to take legal action.

The dividing line between personal file-sharing and commercial file-sharing needs to be defined clearly under the law, and the prosecutors have gone some way in offering this definition. “The guidelines say that no investigation should be done if the damage is lower than 3000 Euros (approx $4,500),” Christian told us. “The guideline says that the damage of trading one song is 1 Euro ($1.50). That means, that you could have 2999 Files on your computer and the prosecutors will not investigate.”

The damages for a movie are being touted at 15 Euros (approx $22.00) each, so presumably anyone sharing less than 200 movies will be considered a non-commercial file-sharer and should avoid prosecution. However, the prosecutor has indicated that those sharing brand new movies still in theater cannot expect to receive the same treatment.

Christian told TorrentFreak: “This decision is very new, we do not know what consequences it will have or if all prosecutors in Germany will follow the new guidelines.” However, the German music industry is clearly unhappy, labeling the decision as “a catastrophe” and refusing to accept it.

Should this decision spread around Germany, P2P tracking outfits such as Logistep AG and the German company Digiprotect will have to look elsewhere to make up their revenue. There are indications that Digiprotect is already branching out into the UK, in a new partnership with everyone’s favorite anti-p2p lawyers, Davenport Lyons.