ICANN/DNSO
DNSO Mailing lists archives

[ga]



[ga] my recent love letter to the US Senate



I sent this out to some of the members of the Committee on
Commerce, Science, and Transportation which is holding hearings today.

Don't miss out on the fun folks.

regards
joe

---------- Forwarded message ----------
Date: Wed, 12 Jun 2002 11:45:22 -0400
From: Joe Baptista <baptista@dot-god.com>
To: Senator $Firstname $Lastname <$mailto>
Subject: URGENT - ICANN Governance


Dear Senator $Lastname:

I am the top level domain administrator for .GOD which is operated by
The dot.GOD Registry, Limited and listed on the root systems operated by
the ORSC, TINC, NewRoot and Pacificroot.

I am writing you with respect to today's hearings on ICANN Governance and
comments recently made to the press by members of the Committee on
Commerce, Science, and Transportation - which see url at:

http://story.news.yahoo.com/news?tmpl=story&u=/nm/20020611/pl_nm/tech_icann_dc_2

In reading this article I was amazed at the ignorance displayed by
Senator Burns with respect to ICANN and I have no doubt that his
ignorance is shared by every politician in Washington D.C.

I also want to make clear that Senator Burns can not be held responsible
for his lack of understanding.  Much of that blame is held by the Dept.
of Commerce who I accuse of being responsible for this dog's breakfast
called ICANN.  Hopefully this email will clear up some of this ignorance
shared by the Senate and actively sponsored by the DOC.

In the interview with Andy Sullivan, Senator Burns seems to claim that
ICANN has some authority over the domain name system.  This is completely
wrong.  ICANN is not in control of anything.  It is the U.S. Dept of
Commerce which is in control of the U.S.G. Root Servers which provide
name to address resolution to 70% of internet users.  And the control
by Commerce of these root servers should in no way be interpreted to
mean that ICANN or Commerce has any authority over the domain name
system.

At best ICANN is an attempt by Commerce and the former Clinton
Administration to take control of the internet through the domain name
system based on a number of false assumptions.

The U.S. civil service and the former administration made a simple
mistake back in 1998.  They assumed the root server system under their
control gave them a natural monopoly over the domain name system.
Under these false assumptions they built the ICANN experiment.

I predicted back in 1999 that ICANN would fail and it is with the greatest
pleasure that I watch this monstrosity burn.  Unfortunately there is
nothing at this time which can replace this organization and the
internet will now experience a period of instability as individuals and
organizations adjust to this failure.  And that has already caused harm
to the internet.

Senator $Lastname I don't have much faith that you or the Committee on
Commerce, Science, and Transportation can save the day.

However, this failure Senator $Lastname is your government's legacy
to the internet community and nothing to be proud of.  If it was the
administration's intention to make the United States the fools in this
fiasco, then indeed they have succeeded.  However the truth is that
this legacy was a miscalculated experiment in control based on a false
assumption that a monopoly existed in the first place.

The internet Senator $Lastname is controlled at its end points.  This
means there is no centralized control.  And the end points are controlled
by users.  Live flesh and blood Senator $Lastname - the type that votes.

ICANN's false assumption of monopoly is due to the fact that back in the
80's we the internet's system administrators made a mistake.  We trusted one
man - a Jon Postel to maintain the primary databases which allowed us to
find each other on the internet through name to address translation.  As a
result of this trust we programmed our systems to use the USG root system.
That was a mistake - but not a critical one.  However as a result of this
foolishness most resolver programs which are used to translate names to
addresses are programmed with the USG root servers as default pointers.

And that Senator $Lastname is what this monopoly is based on.  A few lines
of code that any qualified technician or experienced user can modify and
replace.  Not much to base a monopoly on - is it Senator $Lastname?

And the proof of this false claim to monopoly is evidenced by the fact that
the USG root system once provided resolution to 100% of the internet under
the administration of Jon Postel.  Today I understand the USG roots as a
result of competition now only provide resolution to 70% of the internet.

The last time I surveyed the internet's DNS shortly after ICANN was formed
I discovered the USG had a 95% market share.  That was back in 2000.

This is a significant drop which once again makes clear the claims to a
monopoly of any type are pure fiction.

At this rate I predict the USG root will become obsolete and irrelevant by
the year 2005.

There are also serious security issues involved in the use of the USG
root system.  These issues have been ignored by ICANN and Commerce.  This
is understandable because to pay attention to these security issues
would break this false assumption of monopoly advocated by ICANN insiders.

First, the 13 USG root servers were introduced at a time when the internet
was a small user community in comparison to today's numbers.  About 70% of
internet systems now use the 13 USG roots to resolve namespace.  The 13 USG
roots are easily identified and can be easily attacked.  This means any kiddy
hacker - or terrorist to use a popular term - can identify these systems,
target and take them out.

If this happens, or to be clear - when it happens then I estimate some 200
million users/systems will go dark and experience problems in resolving names
to addresses.

The only way to address this potential security issue is to encourage the
deployment of multiple root systems.  ICANN recognizes this problem and
understands the solution but has failed to address it.  And this is
unfortunate - ICANN could have provided the world with some leadership -
but it has failed and now I feel it is simply too late.  No one trusts this
dog's breakfast called ICANN and people like you Senator $Lastname should
be very concerned that an opportunity for America to stand out and lead the
world has been forever lost.

Next - there is a darker security issue which most of the world is ignorant
of.  I can put it in a few simple words - "He who controls the root is GOD".

A root system is a trusted reference point for internet communications.  If
it gives out false answers no one will know unless they are actively
monitoring for this sort of thing and know the correct answers in advance.

It is technically possible to program a root to provide false answers to
questions.  And this misinformation can be targeted by country, organization
or individual computer user.  False answers can be issued by a root based on
the IP number of the DNS servers used by the targeted user(s) and/or systems.
And one only needs control of one of the root servers to effectively hijack
and monitor internet traffic by country, organization or individual computer
user.

This means the United States through its control of the 13 root servers is
in an excellent position to conduct surveillance on 70% of the internet's user
population.  The procedure is simple enough to explain.

Example - let us assume that some agency of the United States wishes to
conduct surveillance on the elected members of the European Parliament.  The
agency's first task to effect this surveillance via the USG root system would
be to identify which computers in the EU are used by the targeted members to
resolve names to addresses.  This would involve some investigation.  In this
case I called the European Parliament recently and asked the technical
support staff which DNS servers I should use and the answer was "use
158.169.9.11, 158.169.131.22, 158.169.131.32 and 158.169.9.30".

The agency would then test each of these DNS servers to verify that they use
USG root service to resolve.  And indeed each of these machines rely on
A.ROOT-SERVERS.NET. which is operated by VERISIGN under contract to the Dept.
of Commerce.

So now the agency knows the origin of the dns servers used by members of the
European Parliament.  I can now program any root server under my control to
provide false answers to any dns query originating from netblock
158.169.0.0/16.

So in this case the root server(s) can be directed to give out the address of
a proxy like carnivore system which can be used to intercept any traffic using
netblock 158.169.0.0/16 to resolve.  No one would notice.

Under the circumstances Senator $Lastname I don't trust the US government
is in a position to protect my privacy on the internet.  But I'm also not very
concerned.  There are many root systems available and I use a non USG root
which I trust is secure in my case www.pacificroot.com.  Incidentally Pacific
Root or PACROOT as it is known in the industry is operated by a former
employee of the Department of Defence.

There are also legal issues.  In the case of the Europeans the very use of the
USG root is in direct violation of EU privacy legislation - Directive 95/46/EC
and 97/66/EC.  It would be prudent that the Europeans run their own root
server system simply to ensure compliance with their privacy legislation.

Unfortunately most of the world is not aware that these security issues exist
and ICANN and the DOC have done nothing to educate the internet community or
the various national governments which use the USG root.  At best after 9/11
ICANN paid some lip service to security issues but it was all fluff and
without much substance.

Now Senator $Lastname I don't expect you to fix the ICANN problem.  My
extensive experience with North American politicians leads me to the
opinion that most of you are technological bimbos.  Whatever you do with
ICANN will ultimately be irrelevant.

However if you are serious in finding a solution to this nightmare and saving
the day then I recommend you direct your attention to RFC 1591 written by Jon
Postel the original USG root administrator.

http://www.ietf.org/rfc/rfc1591.txt?number=1591

RFC 1591 provides the only solution which has ever worked with respect to
technical naming conventions.

In closing let me say that I hope you have fun today examining the ICANN dog
and pony show.  Good luck.

Regards
Joe Baptista, Managing Director
The dot.GOD Registry, Limited

       http://www.dot-god.com/
              .. on the other side of the internet universe

--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html
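
The message above says false root answers go unnoticed "unless they are
actively monitoring for this sort of thing and know the correct answers in
advance". The following is an added example, not part of the original message:
a monitoring check that compares root referrals collected from several vantage
points against a pinned reference copy. The TLD "example", the resolver labels
and all addresses are constructed, and the helper names are hypothetical.

```python
# Added example (not from the original message): compare root referrals seen
# from several vantage points against a pinned reference copy of the zone.
# All names and addresses below are constructed (documentation ranges).
from collections import namedtuple

Referral = namedtuple("Referral", "vantage root_server tld ns_glue")

def normalise(ns_glue):
    """Lower-case NS names, drop trailing dots, make glue sets comparable."""
    return {n.lower().rstrip("."): frozenset(a) for n, a in ns_glue.items()}

def audit_referrals(reference, observed):
    """Return sorted (vantage, root_server, tld, problem) findings."""
    findings = []
    for r in observed:
        where = (r.vantage, r.root_server, r.tld)
        if r.tld.lower() not in reference:
            findings.append(where + ("tld not in reference",))
            continue
        want = normalise(reference[r.tld.lower()])
        got = normalise(r.ns_glue)
        # A referral may list fewer servers than the reference; extra NS names
        # or extra glue addresses are what gets flagged.
        for name in sorted(set(got) - set(want)):
            findings.append(where + ("unexpected NS " + name,))
        for name in sorted(set(got) & set(want)):
            for addr in sorted(got[name] - want[name]):
                findings.append(where + ("unexpected glue %s for %s" % (addr, name),))
    return sorted(findings)

# Pinned reference: the delegation expected for the constructed TLD "example".
REFERENCE = {"example": {"ns1.nic.example": {"192.0.2.1"},
                         "ns2.nic.example": {"198.51.100.1"}}}

# Constructed observations: same question, two resolvers in different netblocks.
OBSERVED = [
    Referral("resolver-a", "a.root-servers.net", "example",
             {"NS1.nic.example.": ["192.0.2.1"], "ns2.nic.example.": ["198.51.100.1"]}),
    Referral("resolver-b", "a.root-servers.net", "example",
             {"ns1.nic.example.": ["203.0.113.66"], "ns2.nic.example.": ["198.51.100.1"]}),
]

if __name__ == "__main__":
    for finding in audit_referrals(REFERENCE, OBSERVED):
        print(" | ".join(finding))
```

Because the false answers described are selected by the querying resolver's
source address, the comparison only helps when observations come from more
than one netblock and the reference copy is obtained out of band.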


