
Feds Plot Massive Internet Router Security Upgrade

timothy posted more than 5 years ago | from the let's-like-totally-upgrade dept.

The Internet 101

BobB-nw writes "The U.S. federal government is accelerating its efforts to secure the Internet's routing system, with plans this year for the Department of Homeland Security to quadruple its investment in research aimed at adding digital signatures to router communications. DHS says its routing security effort will prevent routing hijack attacks as well as accidental misconfigurations of routing data. The effort is nicknamed BGPSEC because it will secure the Internet's core routing protocol known as the Border Gateway Protocol (BGP). (A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.) Douglas Maughan, program manager for cybersecurity R&D in the DHS Science and Technology Directorate, says his department's spending on router security will rise from around $600,000 per year during the last three years to approximately $2.5 million per year starting in 2009."

Hai /b/ (-1, Offtopic)

boxxybabee (1453963) | more than 5 years ago | (#26477471)

You b& me but you can't unlulz me! Also fuck Wikipedia for "featuring" /b/ on the Main page. Anonymous will be putting [citation needed] in your [citation needed]. Partyvan go!

Re:Hai /b/ (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26477687)

The question I have for Obama is this: Who is stimulating the economy? Me, the guy who has provided 14 people good paying jobs and serves over 200,000 people per year with a flourishing business? Or, the single fat colored mammy sitting at home pregnant with her fourth child waiting for her next welfare check?

And as far as router security upgrades go, I'm sure B. Hussein Obama doesn't give a rat's ass. For my part, I give router security upgrades two thumbs up.

Re:Hai /b/ (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26477761)

That's nice. Now go the fuck back to 4chan, ensign Boxxy-chan. The penis-nosed fox demands it.

anal sex (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26477483)

it won't do anything but make your dick stink

Re:anal sex (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26477563)

Didn't make my dick stink. Made my ass hurt, though.

Red Title? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26477487)

Why is the summary title red on the front page?

It's a plot! (5, Funny)

PixelThis (690303) | more than 5 years ago | (#26477497)

This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?

Re:It's a plot! (4, Funny)

MooseMuffin (799896) | more than 5 years ago | (#26477547)

Wrong meaning of plot. This is referring to a small patch of land.

Re:It's a plot! (1)

conureman (748753) | more than 5 years ago | (#26478301)

I've a plot that wants securing. Stones & grapestakes are all I have to do it with.

Re:It's a plot! (0)

Anonymous Coward | more than 5 years ago | (#26484027)

This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?

It is a nefarious evil plot!

Creeping Charlie as far as the eye can see...

Re:It's a plot! (0)

Anonymous Coward | more than 5 years ago | (#26478489)

If the given title were "Feds' Plot's Massive Internet Router Security Upgrade" (just to say what TFA would be about), that would be easily believable.

Awesome. It's a three-character difference.

Re:It's a plot! (1)

barkingcorndog (629651) | more than 5 years ago | (#26487899)

Wrong meaning of plot. This is referring to a small patch of land.

Weird. I thought they were talking about a storyline. Go figure.

Re:It's a plot! (3, Interesting)

spazdor (902907) | more than 5 years ago | (#26477549)

I guess it depends on whether they're planning on submitting an RFC, or just creating a new Sekrit Routing Protocol that only Unca Sam's buddies will know how to implement.

I dearly hope the DHS is at least smart enough to get this one right.

Re:It's a plot! (4, Informative)

jmauro (32523) | more than 5 years ago | (#26477653)

I think they're just enabling MD5 on the BGP sessions. It's already specified in RFC 2385 - Protection of BGP Sessions via the TCP MD5 Signature Option [sunsite.dk]. It's basically a $600k program to manage the logistics of turning this on. I do give props for Network World for making a mundane task 5 whole pages.
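For reference, the RFC 2385 option mentioned in the comment above, as an added example that is not part of the thread or of any router's code: the 16-byte digest is MD5 over the TCP pseudo-header, the fixed TCP header with a zero checksum, the segment data, and a shared key, carried in TCP option kind 19. The addresses, ports, key and the KEEPALIVE payload are constructed, and `build_segment` / `verify_segment` are illustrative names.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5SIG_KIND = 19   # TCP option kind defined by RFC 2385
TCP_MD5SIG_LEN = 18    # kind byte + length byte + 16-byte MD5 digest
IPPROTO_TCP = 6

# Constructed sample payload: a BGP KEEPALIVE (16-byte marker, length 19, type 4).
SAMPLE_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def split_segment(segment):
    """Split a raw TCP segment into (fixed 20-byte header, options, payload)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    return segment[:20], segment[20:data_offset], segment[data_offset:]


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest for an IPv4 segment: pseudo-header, fixed header
    (options excluded, checksum taken as zero), segment data, then the key."""
    fixed, _options, payload = split_segment(segment)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment)))
    fixed = fixed[:16] + b"\x00\x00" + fixed[18:]
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None        # malformed option, treat as unsigned
        if kind == TCP_MD5SIG_KIND:
            return options[i + 2:i + length] if length == TCP_MD5SIG_LEN else None
        i += length
    return None


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key=None):
    """Build a PSH+ACK segment; with a key, add NOP NOP plus the signature option.
    The TCP checksum is left at 0 in this constructed sample."""
    options = b""
    if key is not None:
        options = b"\x01\x01" + bytes([TCP_MD5SIG_KIND, TCP_MD5SIG_LEN]) + bytes(16)
    offset_flags = (((20 + len(options)) // 4) << 12) | 0x018
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                        offset_flags, 0xFFFF, 0, 0)
    segment = fixed + options + payload
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, segment, key)
        segment = fixed + options[:4] + digest + payload
    return segment


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: a segment without a matching digest is rejected."""
    _fixed, options, _payload = split_segment(segment)
    received = find_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    seg = build_segment("192.0.2.1", "192.0.2.2", 49152, 179, 1000, 2000,
                        SAMPLE_KEEPALIVE, key=key)
    print("signed segment accepted:", verify_segment("192.0.2.1", "192.0.2.2", seg, key))
    print("wrong key accepted:     ", verify_segment("192.0.2.1", "192.0.2.2", seg, b"guess"))
```

The digest binds a segment to the two session endpoints and the shared key, so it authenticates the neighbor only; it carries no information about whether the prefixes inside the BGP messages belong to that neighbor.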

Re:It's a plot! (2, Informative)

jmilne (121521) | more than 5 years ago | (#26477837)

It's more than just authenticating your neighbor. It's also about confirming that they have the right to be announcing the blocks that they're trying to announce to you.

Re:It's a plot! (4, Interesting)

Stile 65 (722451) | more than 5 years ago | (#26477853)

I think it's actually referring to S-BGP [bbn.com] . I also thought it was just the MD5 signature option, but it's not.

Then again, one of the comments in TFA is that it won't require any new software or hardware to be installed, so maybe it IS just the MD5 option. The features didn't sound like it; it sounded like they were establishing a whole PKI.

Re:It's a plot! (1)

SpaceLifeForm (228190) | more than 5 years ago | (#26478753)

When you throw a net over a net,
the top net can control the lower net.

Re:It's a plot! (3, Funny)

Anonymous Coward | more than 5 years ago | (#26478031)

I think they're just enabling MD5 on the BGP sessions.

And everybody knows that MD5 hashes are secure, so problem solved!

Re:It's a plot! (5, Insightful)

X0563511 (793323) | more than 5 years ago | (#26478449)

OK smartass...
I'll give you a BGP packet, and you have to replace it with another working BGP packet (with addresses that you want) that has the same hash.

Go ahead. I'll wait for you. Well, not really - I'm sure the universe will reach heat-death before you find one.

Now, assuming you do find one... find some for the whole communication. Also, you only have a few milliseconds to do it.

Starting to sound difficult?

Don't spout off bullshit when you KNOW you have no idea what you are talking about.

Re:It's a plot! (1)

hesaigo999ca (786966) | more than 5 years ago | (#26481227)

Well put, I concur!

Re:It's a plot! (1)

ScrewMaster (602015) | more than 5 years ago | (#26490063)

Don't spout off bullshit when you KNOW you have no idea what you are talking about.

I think the GP was making a joke. Fortunately the mods picked up on it.

Re:It's a plot! (0)

zappepcs (820751) | more than 5 years ago | (#26478455)

I'm glad I'm not the only one that thought WTF? MD5? Didn't we just agree that it was not secure? So, 2.5 million per year to implement broken security? Yep, that's the DHS we've all come to know and hate.

---
ceiling cat says DHS = don't haz sents... which is odd if you think about it. A fscking Internet meme with more intelligence than DHS? hmmm

Re:It's a plot! (4, Informative)

Have Blue (616) | more than 5 years ago | (#26478683)

MD5 is only weak when used on data in formats which allow for large amounts of padding. BGP packets are a much less flexible format so collision attacks are much more difficult.

Re:It's a plot! (1)

timmarhy (659436) | more than 5 years ago | (#26479469)

md5 has only been broken in labs, not in the wild, in the wild it's much much harder

Re:It's a plot! (3, Insightful)

nabsltd (1313397) | more than 5 years ago | (#26482701)

Not too long ago, this MD5 crack [events.ccc.de] allowed a trusted SSL CA cert to be created.

Although it's not "in the wild", the listed steps are such that pretty much anybody can do the same thing today. Plus, the actual hack required using real, live CA servers, and not just lab systems.

Re:It's a plot! (0)

Anonymous Coward | more than 5 years ago | (#26485999)

Yeah, but the attack takes 4 months. The maximum attack window against BGP is 3 minutes.

Re:It's a plot! (0)

Anonymous Coward | more than 5 years ago | (#26487909)

fuck off no one asked for your opinion you bitch

Re:It's a plot! (0)

Anonymous Coward | more than 5 years ago | (#26483481)

"MD5 considered harmful today Creating a rogue CA certificate" http://www.win.tue.nl/hashclash/rogue-ca/ [win.tue.nl] You're welcome.

Re:It's a plot! (1)

ion.simon.c (1183967) | more than 5 years ago | (#26479593)

*blink*

Isn't MD5 busted?

Re:It's a plot! (3, Interesting)

ScrewMaster (602015) | more than 5 years ago | (#26477553)

This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?

Yeah, that sure put a negative spin on it, didn't it? Fact is, a good chunk of core Internet functionality continues to work only because nobody's yet made a concerted effort to break it on a significant scale. Eventually somebody will, either via a state-sponsored attack of some kind, or a tech-savvy terrorist outfit looking to make a name for itself (the two can't always be easily separated, when you get right down to it.) Either way, hardening this stuff is a good idea. Whether or not the Feds are going to do it competently is another issue entirely.

Re:It's a plot! (1)

spazdor (902907) | more than 5 years ago | (#26477565)

Where the hell is the IETF in all this, I want to know?

Re:It's a plot! (4, Informative)

youknowjack (1452161) | more than 5 years ago | (#26477753)

Where the hell is the IETF in all this, I want to know?

http://www.ietf.org/internet-drafts/draft-ietf-rpsec-bgpsecrec-10.txt [ietf.org]

Abstract:

The security of BGP, the Border Gateway Protocol, is critical to the proper operation of large-scale internetworks, both public and private. While securing the information transmitted between two BGP speakers is a relatively easy technical matter, securing BGP, as a routing system, is more complex. This document describes a set of requirements for securing BGP and the routing information carried within BGP.

Re:It's a plot! (1)

dmomo (256005) | more than 5 years ago | (#26477625)

I also thought the word "plot" was a little odd. I think "Caper" would have been better than "Upgrade".

Maybe it's our fault for associating the word with villainy when in fact in this case it merely means "to map out". Maybe all map makers were sinister back in the day. Who knows, but I'm sure they will begin to conspire, er... plot a racket to get their word back.

Re:It's a plot! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26477869)

dastards!

Re:It's a plot! (2, Funny)

CarpetShark (865376) | more than 5 years ago | (#26478109)

This plan to upgrade router security is a plot? Are there some nefarious evil masterminds behind it?

No, just a bunch of colored pens.

Re:It's a plot! (1)

noidentity (188756) | more than 5 years ago | (#26478503)

Dictionaries plot [dict.org] to educate about the meanings of words.

Re:It's a plot! (1)

MrNaz (730548) | more than 5 years ago | (#26479057)

Given my observations of the use of language, it would seem that their evil machinations are not welcome here on Slashdot.

Re:It's a TRAP!!! (1)

pha3r0 (1210530) | more than 5 years ago | (#26479021)

It's a trap! [youtube.com] SSBB reference

Had to, sorry regulars.

Re:It's a plot! (1)

Sleepy (4551) | more than 5 years ago | (#26479041)

Well, I'm sure China considers this a plot to hamper their technology acquisition efforts. :)

first post (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26477503)

hdfuehfbgcfuiderhy

Question for the experts (3, Interesting)

JoshuaZ (1134087) | more than 5 years ago | (#26477533)

For those of us who aren't experts on this sort of thing, will this only increase security at things that are .gov? That's the impression I get but I don't know enough technically to be sure.

Re:Question for the experts (4, Informative)

Klootzak (824076) | more than 5 years ago | (#26477635)

will this only increase security at things that are .gov? That's the impression I get but I don't know enough technically to be sure.

Pretty much... it means that when Router A says to Router B "I have a new path to this network." the routers will first authenticate each other's identity utilizing Digital Signatures [wikipedia.org].

Basically it's applying elements of PKI [wikipedia.org] to router communications, so the router receiving the information knows it can trust other router's updates. If you didn't do it I could (potentially) spoof updates and say "this network exists here now" and all the information destined for that network would then be routed to me to packet-sniff to my heart's content.

This type of stuff (in addition to SSL/TLS [wikipedia.org] encryption of sensitive data communication channels) has been used internally in (most) Banking networks for awhile now, I'm actually surprised they didn't have something like it in place already.

Re:Question for the experts (4, Funny)

Anonymous Coward | more than 5 years ago | (#26477957)

If you didn't do it I could (potentially) spoof updates and say "this network exists here now" and all the information destined for that network would then be routed to me to packet-sniff to my heart's content.

Couldn't you just not do that? Why do the Feds have to roll out a $600k program because of you? That is taxpayers money for gods sake!

+1 Funny! :) (2, Interesting)

Klootzak (824076) | more than 5 years ago | (#26478069)

Couldn't you just not do that? Why do the Feds have to roll out a $600k program because of you? That is taxpayers money for gods sake!

I wouldn't do it (I don't even have an AS to play with anymore), and it's rather more complicated than my explanation made out...

I think a possible way to implement this would be a Hierarchical model where IANA [iana.org] has a top-level certificate for the trust and then it signs each regional NICs certificate, and they sign AS's which sign their subnets, then IANA could ask various NICs to revoke the Certificates of AS's that do dodgy things (like advertise subnets that aren't theirs), still it would require a lot more overheads in terms of processing and memory than BGP currently requires.

I should also mention, I haven't worked with BGP in around 7 years now.

Re:+1 Funny! :) (4, Insightful)

guruevi (827432) | more than 5 years ago | (#26478447)

then IANA could ask various NICs to revoke the Certificates of AS's that do dodgy things

Sounds like a great way to implement censorship or force traffic to follow certain (compromised) routes. Simply say: Wikipedia does something dodgy, they allow free speech and free information, let's revoke their cert (since IANA can be controlled by a government).

The biggest 'problem' with all these 'old' protocols like DNS, SMTP, TCP/IP... is that they were built primarily (by the military) for allowing decentralized communication protecting against massive failures (due to atomic bombs) and secondary (as soon as the academics jumped on) to allow free communications, free speech and research (science) to flourish through open, decentralized, ungoverned communications (the message will get there one way or another) and censorship would be treated as damage and routed around.

The 'problem' is that free speech also includes spam and other 'nasty' things to go through. To protect against that you need to start censoring the communications channels. As soon as you do that you destroy the original purpose of the Internet for what? Terrorists? Children? Hackers? Not really, the only people that would be able to successfully pull that off (rerouting major traffic through their own DNS or BGP-routers) against a clean subnet would have to be large enough to influence your life or make you do what they want without being deceptive which are currently, the ones that own the lines (but they won't do it because they would instantly lose their business) on the other hand they would like to clean house so they can oversell even more without adding capacity and governments (which have proved do anything to remain in control no matter the legality).

Don't give up your free speech and the open nature of the Internet just because you are inconvenienced. If you are really inconvenienced by spam, just let the machine learn to ignore it. My mail server is set up to do so and there are wonderful tools that help you with that.

Re:+1 Funny! :) (4, Insightful)

Klootzak (824076) | more than 5 years ago | (#26478605)

Sounds like a great way to implement censorship or force traffic to follow certain (compromised) routes. Simply say: Wikipedia does something dodgy, they allow free speech and free information, let's revoke their cert (since IANA can be controlled by a government).

Preaching to the converted here my friend...

I immediately thought of this topic [theage.com.au] when I was reading the BGP article and thinking about the implications of a hierarchal structure (incidentally, they can pretty much "disconnect" direct connections between each other NOW if they want to... but of course we can route around it, if required - adding encryption/PKI doesn't make all that much of a difference if people don't enforce it).

See, Governments are still duking it out (Diplomatically and Militarily) while their populations talk to each other on the net' - the wonderful thing about this is I can talk to you, not knowing if you're White, Black, Green, Yellow, Blue, Purple, Male, Female, American, French, Canadian, Belgian or Martian... if you call me an idiot, I can't say "You called me an idiot because I'm (insert racial/gender type here)", well, I CAN, but you can reply... "I didn't know that, but I still just think you're an idiot!".

The concept of a Worldwide Global Communications network with almost ubiquitous availability is something we really haven't had for a long time, it's going to take the Governments of the world a bit of time to get their head around it... Personally I think the Politicians/Diplomats of the world should read The Truth [wikipedia.org] by Terry Pratchett (if they haven't already), as it has a lot of similar concepts regarding local, social, and geo-political issues in it, just with a different "new" Technology.

Woah, boy! (2, Insightful)

mcrbids (148650) | more than 5 years ago | (#26479383)

Ease off that hair trigger a bit, eh?

I think you missed something rather fundamental - in the case of PP "dodgy" behavior meant doing illogical things with routing paths, not publishing unpopular or dissenting content!

Colour me paranoid... (1)

ResidentSourcerer (1011469) | more than 5 years ago | (#26496815)

Or maybe they want the protocol done in a way that NSA CAN subvert any router detouring its packets through their own computers, sniffing and injecting (cocaine & heroin?) to their heart's content.

Just because I'm paranoid doesn't mean they aren't out to get you.

(He says, from his satellite connected hide-away in rural Alberta, 500 km from the nearest chunk of American soil)

Re:Question for the experts (0)

Anonymous Coward | more than 5 years ago | (#26478035)

This type of stuff (in addition to SSL/TLS [wikipedia.org] encryption of sensitive data communication channels) has been used internally in (most) Banking networks for awhile now, I'm actually surprised they didn't have something like it in place already.

I would say that the vast majority of banking networks don't use this... Let me know which bank you're talking about so I can switch, but I do security assessments and I don't think I've run across any banks using secure BGP (or very much SSL/TLS internally either).

Re:Question for the experts (2, Informative)

Klootzak (824076) | more than 5 years ago | (#26478205)

I don't mean public networks, I mean private ones, SWIFT [swift.com] for instance..

Has been a few years since I've worked in the finance arena, but I thought each BIC code [wikipedia.org] was signed (or at least they were talking about it while I was involved in that area) and things like MQSeries channels [wikipedia.org] between nodes that were used for transporting data have been SSL/TLS encrypted for ages? I remember doing it actually, MQ Version 5.2 (or 5.3?) included SSL-over-channel functionality.

Anyways, I'm sure it's being taken care of, maybe get in touch with your bank and ask them if you're concerned?

Re:Question for the experts (1)

modestgeek (1449921) | more than 5 years ago | (#26478083)

Exactly. This has been standard practice by me. All it took was one person to bring in their own wireless router with RIP enabled and broadcasting. That router exchanged routes with my routers and it caused quite a bit of confusion. Since then, it's been all OSPF with authentication and ACLs on my corporate network.

Re:Question for the experts (1)

hesaigo999ca (786966) | more than 5 years ago | (#26481261)

Probably because of the price of the upgrade, they are like the oil companies....
"Yes..let's make billions of dollars PROFIT each year, but never upgrade our infrastructure, or even remotely maintain it...or even just build another few plants just in case hurricanes wipe out our Texas locations again...no,no,no...let's just keep things the way they are, and justify why we have total control to up the gas price at will, whenever we want just because my grandmother sneezed!"

Re:Question for the experts (1, Informative)

Anonymous Coward | more than 5 years ago | (#26477713)

This would apply to the backbone of the internet.
BGP is a different kind of routing protocol compared to others.....
You have two variants, iBGP (internal) and eBGP (external); eBGP is the one used for internet traffic.

With BGP, there is no real knowledge where particular networks are.....they just hand off traffic to the next Autonomous Domain or AS (Autonomous System) that will get the traffic to the right place.

So that is the fear with the protocol, people can go out there and start setting up the protocol in ASs and redirect traffic.....and there is no real way to verify it is taking the right path.

Maybe someone who knows more than I can explain better.

Is it must me, or is that sum peanuts? (4, Informative)

dmomo (256005) | more than 5 years ago | (#26477541)

I don't know much about security and cost, but the 600k does indeed seem fairly small to me for something like this. Even 2.x million seems like a sizzle in the pan. Can anyone speak to the costs involved?

Re:It's you (1)

symbolic (11752) | more than 5 years ago | (#26477757)

You're failing to take into account the 2-3 times the project will be extended and the quadrupling in cost. That's just SOP for a government contract. Sad, but true.

Re:It's you (1)

the eric conspiracy (20178) | more than 5 years ago | (#26478047)

Still peanuts. If you want to really spend other people's money the Dept of the Treasury is the place to be.

Only research at this stage (1)

EmbeddedJanitor (597831) | more than 5 years ago | (#26477765)

That costs a lot less than rolling out new hardware/software.

Re:Is it must me, or is that sum peanuts? (0, Offtopic)

isBandGeek() (1369017) | more than 5 years ago | (#26477947)

You're right. Compared to the size of the recent bailout, 600k is a drop in the bucket. Even 100x this would still be almost trivial for the government.

It's not all that trivial... (1)

solder_fox (1453905) | more than 5 years ago | (#26478009)

When you're $10.6 trillion dollars in debt, even $600 k shouldn't be considered trivial. That's real money our grandkids will be paying off...

Re:It's not all that trivial... (1)

wooferhound (546132) | more than 5 years ago | (#26478785)

$640 k should be enough for anybody . . .

Re:Is it must me, or is that sum peanuts? (1)

John Hasler (414242) | more than 5 years ago | (#26477955)

> Can anyone speak to the costs involved?

Salaries, obviously. Sounds like a couple of guys are going to study the problem full-time. How many women would you assign to the task of gestating that baby?

Re:Is it must me, or is that sum peanuts? (4, Informative)

Morty (32057) | more than 5 years ago | (#26478201)

They're talking about funding research, not deployment. RTFA. The dollar amounts in question sound about right.

Note also that this goes way beyond SSL. This is not about identifying your BGP peers -- that's a relatively simple problem that can easily be solved with MD5 [or one of the hash algorithms that is replacing MD5, since MD5 is problematic.] This is about validating that your BGP peers have the right to announce what they are announcing. This is a much harder problem than SSL.

That is, let's say you have a router that peers with $someco's router. It's easy to use MD5 [or replace it with something better] so you are sure that you are talking to $someco's router. It might also be possible to set up SSL instead, so you are even more sure you are talking to $someco. But even if you know you are talking to $someco, how do you know you can trust what $someco is telling you? What if $someco's router says it's a good path to get to a chunk of address space that belongs to $otherco -- should you believe it? BGP is full of settings that let you limit how much you trust your peers, but how do you know what you should set them to? Note that this is not a simple question of "is address space X associated with the $someco that is announcing it" -- even if address space X belongs to $otherco, it's possible that $someco is a legitimate transit network rather than a malicious third party.

Sounds like DHS is funding research to try to solve this.

This is somewhat different than the DNSSEC push. The DNSSEC effort is looking to deploy an existing but unpopular technology across the US federal government. The BGPSEC effort seems to be about creating a new technology for possible future deployment.

Re:Is it must me, or is that sum peanuts? (1)

dmomo (256005) | more than 5 years ago | (#26478267)

Thank you. I have to admit, reading the FA, my eyes kind of glazed over! Your post was easier to digest.

Re:Is it must me, or is that sum peanuts? (2, Informative)

m0i (192134) | more than 5 years ago | (#26480033)

It exists already, it is called a routing registry. The most famous is RADB [radb.net] but they can use IRRd [irrd.net] to have their own private version (which they probably do already).

Re:Is it must me, or is that sum peanuts? (1)

jmilne (121521) | more than 5 years ago | (#26482831)

Do you really trust the routing registry? And I'm talking about more than just using an SSL cert to verify their information. How frequently do they update their entries? I saw a number of problems dealing with RADB when I worked at Sprint a few years back. Customers get assigned blocks that used to be assigned to other customers, and RADB didn't always reflect that change in usage in a timely manner.

That's where your money's going to go. Creating a secure registry, and the infrastructure to handle the amounts of changes that occur on a daily basis.
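The origin question discussed in this sub-thread, as an added example that is not from any commenter, RADB/IRRd, or the DHS project: a router-side check of the originating AS of each announcement against a registry of recorded holders. The registry rows, AS numbers (documentation range) and prefixes are constructed, and `check_origin` is an illustrative name; the check reads only the last AS in the path, and one row is deliberately stale to show what an out-of-date registry does to a legitimate announcement.

```python
import ipaddress

# Constructed registry rows: (prefix, AS number recorded as its holder).
REGISTRY_ROWS = [
    ("198.51.100.0/24", 64501),  # "$otherco"
    ("203.0.113.0/24", 64502),   # stale: block was since reassigned to AS 64503
]

# Constructed announcements as received from a peer "$someco" (AS 64500).
# AS_PATH is listed neighbor first, originating AS last.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", [64500, 64501]),    # $someco carrying $otherco's route
    ("198.51.100.0/24", [64500]),           # $someco claims to originate it
    ("198.51.100.128/25", [64500]),         # more-specific piece of $otherco's block
    ("203.0.113.0/24", [64500, 64503]),     # the new, legitimate holder
    ("192.0.2.0/24", [64500]),              # nothing recorded for this space
]


def load_registry(rows):
    """Parse registry rows into (ip_network, holder_asn) pairs."""
    return [(ipaddress.ip_network(prefix), asn) for prefix, asn in rows]


def check_origin(prefix, as_path, registry):
    """Compare the originating AS with the recorded holder of the address space.

    Returns "origin-ok", "origin-mismatch", or "unknown" (no covering entry).
    """
    if not as_path:
        raise ValueError("empty AS_PATH")
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    holders = {
        asn for reg_net, asn in registry
        if reg_net.version == net.version and net.subnet_of(reg_net)
    }
    if not holders:
        return "unknown"
    return "origin-ok" if origin in holders else "origin-mismatch"


def evaluate(announcements, rows):
    """Return one verdict per announcement, in order."""
    registry = load_registry(rows)
    return [check_origin(prefix, path, registry) for prefix, path in announcements]


if __name__ == "__main__":
    for (prefix, path), verdict in zip(ANNOUNCEMENTS, evaluate(ANNOUNCEMENTS, REGISTRY_ROWS)):
        print(f"{prefix:20} path={path} -> {verdict}")
```

The first row passes because the path ends at the recorded holder, whatever ASes precede it, so this check says nothing about the rest of the path; the fourth row is rejected only because the registry entry is out of date.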

Re:Is it must me, or is that sum peanuts? (0)

Anonymous Coward | more than 5 years ago | (#26478207)

I don't know much about security and cost, but the 600k does indeed seem fairly small to me for something like this. Even 2.x million seems like a sizzle in the pan. Can anyone speak to the costs involved?

Just contract the whole thing out to Cisco and be done with it.

So they are copying from 24 (1)

Joe The Dragon (967727) | more than 5 years ago | (#26477543)

Put all the top workers under full Secret Service protection and don't fire anyone, or we may see an Under Siege 2.

router signing (1, Offtopic)

Speare (84249) | more than 5 years ago | (#26477735)

[tinfoil] Sure, and adding signatures to all routers couldn't possibly be trying to make Thomas Paine [lulu.com] roll over in his grave, now, could it? [/tinfoil]

Just imagine... (0, Redundant)

msimm (580077) | more than 5 years ago | (#26477791)

A few short years ago we managed to live without the DHS and now we accept them like we don't foot the bill. Just another group of people sucking tax dollars off the American people in the name of protection.

Re:Just imagine... (1)

John Hasler (414242) | more than 5 years ago | (#26477911)

> A few short years ago we managed to live without the DHS...

I have no love for the DHS, but it was created by smushing a bunch of existing agencies together. They do little that wasn't being done before. In their absence this work would probably be being funded by one of the agencies that was destroyed to create them.

Re:Just imagine... (0)

Anonymous Coward | more than 5 years ago | (#26485181)

> A few short years ago we managed to live without the DHS...

I have no love for the DHS, but it was created by smushing a bunch of existing agencies together. They do little that wasn't being done before.

Sometimes, they do more than is needed...

The DHS controls things the DHS is, IMHO, not in the business of.

This spring (2008), I, along with many neighbors and my City Council, had to fight the DHS to get a majority of my neighborhood out of a recently added flood plain (for insurance purposes).

Some guy in a plane flew over, took a picture or two, and sent them to the DHS, which then declared a few square blocks to be in a Flood Plain. We live on top of a hill.

We (neighbors) all had a laugh until about a week later when our (all my neighbors) mortgage companies started sending notices to start foreclosure unless we immediately get flood insurance.

We fought back (top of hill, remember), which apparently surprised the DHS (most communities must not).

After a physical survey was done (actual measurements, not some plane's photos from 500 ft), we forced the issue with a lawsuit. The DHS caved in, and only required 2 lots (out of 50 or so) to require flood insurance. Those two lots were the nearest to a dry wash.

We felt very vindicated when this spring/early summer had the heaviest rain fall on record (100+ yrs), even surpassing 1993's rainfall. Only after this deluge, and then a storm dumping 6" of rain in 24 hrs, did the 2 lots get minor flooding (1" of water came in their lower floor patio doors). This flooding only happened because 2 24" culverts plugged with corn stalk debris from a nearby field.

 

One thing we (neighbors, townsfolk) never did find out was, WTH was DHS in charge of flood control (or at least, flood plain detection). I am pretty sure that is nowhere in the charter for the department (or do they even have a charter, and not just a mantra "DHS Control Everything").

Re:Just imagine... (1)

Idiomatick (976696) | more than 5 years ago | (#26477987)

In the grand scheme of things a million a year isn't something to bitch about. I mean the... 'defense acquisition university' gets 120million... We spend 16billion dollars to fight IEDs. We spend 430million for 'polar research' ... The office on violence against women gets 280million. Oh and my favourite 9.7Billion freaking dollars for air traffic control. Honestly that could be done by computers for several million dollars.
 
  Really we should pay everyone there a million dollars a year just because their plan hasn't ballooned into something silly yet.

Re:Just imagine... (2, Insightful)

Detritus (11846) | more than 5 years ago | (#26478741)

Oh and my favourite 9.7Billion freaking dollars for air traffic control. Honestly that could be done by computers for several million dollars.

That might pay for a requirements analysis, but that's about it. A real system is going to be much more expensive.

Re:Just imagine... (1)

Idiomatick (976696) | more than 5 years ago | (#26480905)

Keeping track of and navigating a few million planes could be done on one server if it was well coded. Which would really cost like 500,000. I'm sure there are a bunch of other things that need doing but I'm so far off of 10billion that I've no idea how they got it that high.

Re:Just imagine... (1)

b3m87 (1176511) | more than 5 years ago | (#26481667)

right... They couldn't even make a system to route baggage for a single airport and you want them to route every plane in the world on one server.... for $500k

Re:Just imagine... (1)

WuphonsReach (684551) | more than 5 years ago | (#26484375)

Keeping track of and navigating a few million planes could be done on one server if it was well coded. Which would really cost like 500,000. I'm sure there are a bunch of other things that need doing but I'm so far off of 10billion that I've no idea how they got it that high.

You're living up to your name?

Let's talk about some of the issues:

- Radar is an inexact medium of information. Transponders help a lot, but they only have 4 digits and can be disabled or break. GPS transponders (where the aircraft reports its position) would help, but not every plane has that.

- Communication between the air/ground is not assured.

- Weather, visibility, winds aloft, precipitation, fog are all unpredictable elements that have to be accounted for. You need sensors for all that, or figure out how to do voice interpretation of a pilot's report of bad weather.

- You also need to know the status of the runways. Are they clear of ice, snow, debris or other incursions?

ATC only seems simple on the surface, during good weather, clear skies and everything running on schedules.

Re:Just imagine... (1)

DrgnDancer (137700) | more than 5 years ago | (#26484619)

Are you serious? You want one, crash prone, computer to manage all air traffic in the skies of the United States? You realize that this computer would be tracking millions of objects a second, in a three dimensional space, analyzing all of their current courses for collisions in the next say 5-10 minutes (you wouldn't want to cut it closer than that and honestly even more warning than that would be good), scheduling take-offs and landing from thousands of airstrips, accepting interrupts for emergency requests at ALL of those airstrips, processing voice inputs and outputs from thousands of (still human) pilots a second, and making judgment calls when conflicting requests come in (Do you let the plane with low fuel land first, or the one with engine trouble? How bad is the engine trouble, how low is the fuel? etc.) I'm quite sure I haven't even scratched the surface of what air traffic control for the ENTIRE COUNTRY would involve, but that alone is more load than even the most powerful computers in the world could handle.

Ignoring the fact that you'd need at least two for redundancy (probably more, these are hundreds of thousands of lives an hour we're talking about, failure is NOT an option). Ignoring the fact that voice to data interfaces are only partially reliable, especially if the user has an accent ("Air Rus 13654, this is the tower, I did not understand your last transmission, please say again" - "Ai says, 'Ve have vuel leek. Reqvest immideet landing'" - "Air Rus 13654, this is the tower, I did not understand your last transmission, please say again" - "Ahhhhhh!" - "Air Rus 13654, this is the tower...."). Ignoring the fact that computers are terrible at judgment calls. Ignoring all of that you'd have to have a HUGE data pipe going into this mythical computer, capable of accepting data from EVERY radar station in the country, ALL of the tower control frequencies in the country, and transmitting back out to ALL of the traffic control frequencies, plus sending messages to various EMS and law enforcement agencies local to air ports (who do you think calls the cops when a flight attendant wants to eject a drunk passenger? The tower. Calls the ambulance for the lady who goes into birth or the guy who has a heart attack? The tower. Requests emergency services on site in the unlikely but occasional event of an incident? The tower.) It needs to talk to all of this stuff with little or no latency.

What do you think air traffic controllers DO? Sit and watch their little radar screens hoping that no little dots cross each other? It's considered one of the most stressful jobs in the world. These guys are constantly making decisions that might result in or prevent any number of major and minor disasters.

I have serious doubts as to whether it would even be technically possible to implement the kind of system you envision at an acceptable level of safety, but if it were it would be more like hundreds of billions of dollars to put in not a couple of million. I don't think you even begin to comprehend what the requirements documentation for something like this would look like. Hell, I don't begin to comprehend such a thing, and I've already posted about a dozen problems you didn't even start to think of. Imagine if I were someone that actually knew something about this.

Re:Just imagine... (1)

Idiomatick (976696) | more than 5 years ago | (#26490749)

Lol well obviously it'd be redundant but keep in mind the price tag is still .005% of what is currently being spent. Make the system as big and redundant as you want 10x what I said.... .05%. And the processing isn't that bad, they are just paths in 3d space which computers are very well equipped at figuring out. Especially GPUs and such.
For emergency situations they have coded numbers for situations like cops and everyone else. If there is a misunderstanding then it can be bumped instantly to a human (if computer is only 60% sure of what it heard). The same way a phone company works. Make that up to .1% for 100 employees.
Judgment calls are fairly rare. Aside from what impression movies might give you emergencies like fuel leaks and such are rare. Also they are determined by the plane's computer sensors so having that interact with another computer is no problem. Add a button on the plane for unusual situations then like terrorists lol. So we can also add a bureaucracy bringing us up to .15% now that we have enough employees.
I know, we've all seen Pushing Tin. But directing the actual path of planes as I've said could be done by computer without any issues at all.
How are hundreds of humans doing calculations any better than a computer? This is the exact type of problem computers excel at. And I had thought of these but originally I was just referring to actually directing the planes.

Re:Just imagine... (1)

DrgnDancer (137700) | more than 5 years ago | (#26491115)

Computers already track the planes. Most airports past "decent" sized and even a lot of small ones have computer assistance for the air traffic controllers. Planes can be tracked based on transponders and even GPS in some cases. People are still necessary for everything else though. Not all planes (especially small personal planes) are equipped with transponders, and fairly few are equipped with GPS transponders. Radar at most airports is not sensitive enough for exact locations, so eye balls are still needed. Most of all while you're right that true "emergencies" of the "Oh my God we're all going to die!" type are fairly rare, most large airports field several to several dozen small emergencies every day. Some of those would become serious emergencies if not expeditiously dealt with by trained controllers.

Tracking planes is a fairly small (though doubtless critical) part of the job of the tower, you can possibly reduce some of that load with more computing power. I doubt you could reduce it all that much though, certainly not eliminating it.

Most troubling about this (2, Interesting)

nwssa (993577) | more than 5 years ago | (#26477801)

Most troubling is that problems like these were basically known about for years but nothing is done until after threats are displayed at sec conferences.

Re:Most troubling about this (1)

Iowan41 (1139959) | more than 5 years ago | (#26479133)

Maybe it took them this long to get the backdoors and packet tracing software into the router upgrades.

U.S owns the internet? (1, Funny)

Anonymous Coward | more than 5 years ago | (#26478067)

The U.S. federal government is accelerating its efforts to secure the Internet's routing system

Did I miss something?

I thought China had all the control.

DNSSEC (1)

bill_mcgonigle (4333) | more than 5 years ago | (#26478309)

A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.

That's the name of a set of protocols [wikipedia.org] that predates the DHS, not their effort.

Re:DNSSEC (0, Troll)

geekmux (1040042) | more than 5 years ago | (#26478435)

A separate federal effort is under way to bolster another Internet protocol, DNS, and it is called DNSSEC.

That's the name of a set of protocols [wikipedia.org] that predates the DHS, not their effort.

Wow, the RFC that DNSSEC is based on is only 10 years old, so moving at the speed of .gov, they're "right on time". Punctual bunch, aren't they?

And what's this "they're calling it DNSSEC" crap? Damn 10-year old RFC and they're prancing around like they came up with the idea 3 months ago. Who's in charge of this, Al Gore? It would make sense, I mean after all, he invented the Internet, right?

Re:DNSSEC (4, Informative)

Morty (32057) | more than 5 years ago | (#26478563)

They're not claiming that they invented it, they're just trying to help it along. While DNSSEC has been around a while, the overwhelming majority of zones, including the root zone and .com, are not signed yet. It may look like the US government is late to the party, but they're actually ahead of most of the US commercial sector on this one.

So how does this "bolster" DNSSEC? Answer: the government is hoping that a large-scale implementation by a major buyer will push vendors to properly support DNSSEC. Many vendors don't support DNSSEC at all, or only support part of it; Microsoft, for example, only has minimal DNSSEC support. How do you think vendors will respond when .gov customers start telling them "we can't buy your product because it doesn't support DNSSEC. We'll have to go with one of your competitors."

RTFA.

Re:DNSSEC (1)

slydder (549704) | more than 5 years ago | (#26479311)

... the government is hoping that a large-scale implementation by a major buyer will push vendors to properly support DNSSEC. Many vendors don't support DNSSEC at all, or only support part of it; Microsoft, for example, only has minimal DNSSEC support. ...

and there is good reason why it's a 10 year old technology that is still not widely available.

because the idea is flawed and doomed to failure or will force the big players to invest a lot more in infrastructure than is actually needed for a protocol such as DNS.

whatever idiot came up with the idea of adopting DNSSEC now should be slapped and sent back to school. afterwards we should get on with adopting DNSCURVE and be done with until a more permanent and secure solution is available.

Re:DNSSEC (1)

slydder (549704) | more than 5 years ago | (#26479321)

oh. and almost forgot. I just HOPE that BGPSEC, in whatever form it takes in the end, is a better idea than DNSSEC or we could just forget that as well.

Re:DNSSEC (1)

jd (1658) | more than 5 years ago | (#26479109)

I was beginning to wonder if the IETF had been bought up or kidnapped by the DHS. That would explain where this "plot" business comes in, anyway.

Excellent (1)

Eravnrekaree (467752) | more than 5 years ago | (#26478371)

This is what we need. I am glad that action is being taken on the router and DNS vulnerabilities. These are very serious issues that are a danger to everyone's security and privacy. Especially rerouting attacks for download and software is a perfect way to redirect users into downloading virus loaded software, and into giving confidential information to fake websites. It's about time something is done to improve the security of these systems, and they are doing the right things it appears by addressing true threats in ways that improve and protect the users' rights and freedoms rather than take them away. It's clear that there are IT experts involved with this rather than politicians. What Australia has done is an example of what NOT to do.

Re:Excellent (2, Informative)

jd (1658) | more than 5 years ago | (#26479183)

Well, yes, it is about time. Especially as the actual protocols needed were defined a long time ago. (To give you a frame of reference, the DoD were releasing Open Source IPSEC implementations in 1997. Ok, that specific protocol wasn't finalized at that point, but that tells you when the Government was sufficiently capable of and expert at encrypting router communications that they'd admit to it.)

That BGP, DNS and other mission-critical protocols aren't secure even twelve years later says a lot for the extreme lethargy at the level of critical infrastructure. Sure, they can't afford to dive straight in, but since when does the DoD release as Open Source their cutting-edge technology? If they were willing to let potential opponents (such as US citizens) have access, you can be certain they were already considering it old-hat.

It follows that they had the means and capability to install highly reliable, strongly encrypted, strongly authenticated router-to-router and DNS-to-DNS communications within the Internet. Of course, by that time the NSF had sold all the US links to Sprint and assorted other scrap-metal merchants, which is presumably why they never bothered.

It also tells me that the corporate sector is incapable of handling such infrastructure, that the "invisible hand" is too busy playing with itself to worry about such things as security and reliability, that those who believed businesses would be safer hands than universities have been shown to be utterly and completely incorrect.

This is not to say the public sector is better. The UK's JANET is hardly a paragon of virtue. It turns out that they're all incompetent, but for different reasons. Businesses know better but want your money at no effort on their part, Governments know better but want your souls at no effort on their part.

Is this who we want doing this? (1)

LostCluster (625375) | more than 5 years ago | (#26478373)

we really want to use new protocols from the government. They may put "warrantless wiretap" capabilities in...

Re:Is this who we want doing this? (1)

darkonc (47285) | more than 5 years ago | (#26478675)

We're not just talking about the government. This is Homeland Security -- the group that repeatedly got a D- on their network security. .... and these guys want to tell the rest of the internet how to secure their protocol against some serious hackers?

The fact that they may actually want to add backdoors to the protocol doesn't help their case that much.

Re:Is this who we want doing this? (1)

SpaceLifeForm (228190) | more than 5 years ago | (#26478881)

May?

Are you sure it's not already in place?

Made in China (3, Interesting)

binaryseraph (955557) | more than 5 years ago | (#26478799)

So does that mean we are going to buy MORE fake routers [zdnet.com.au] from China with hardwired security issues?

good move (0, Offtopic)

saraJamboo (1452413) | more than 5 years ago | (#26478837)

well done!!! way to keep the cash rolling i say :-) all this is economics to me so good job!! for more cool jobs check out http://www.jobstaxi.com/ [jobstaxi.com]

Turns router over (1)

Big Hairy Ian (1155547) | more than 5 years ago | (#26480157)

Reads made in China Laughs

not quite (0)

Anonymous Coward | more than 5 years ago | (#26486795)

Border Gateway != Core

Good.. (1)

StikyPad (445176) | more than 5 years ago | (#26490553)

Now all they have to do is upgrade that damn firewall protecting our air traffic, water distribution, and electrical generation control systems. It's only a matter of time before terroraxxors take over our country and crash planes into each other!

About time (1)

stanjam (1057588) | more than 5 years ago | (#26497923)

I was wondering when they were going to start this. There was a lot of discussion about this a couple years ago. One of the best ways to upgrade security on the net is to upgrade the routers. You can actually do a lot there, including an easier method to track and stop attacks at their source, as well as identify the originating machines. I hope there is more to the upgrade than stated there. It would be expensive, and some would probably say that there may be some constitutional issues. Hopefully they are including hardware/software to trace the point of origin for these attacks and shut down their proliferation by at least dropping them off the system.