
The internet is actually controlled by 14 people who hold 7 secret keys - alvil
http://www.businessinsider.com/the-internet-is-controlled-by-14-people-2014-3
======
code_chimp
Introducing 'the internet':
[https://www.youtube.com/watch?v=iDbyYGrswtg](https://www.youtube.com/watch?v=iDbyYGrswtg)

------
ryangittins
This kind of article comes out every year or two and it's always incredibly
misleading. They always try to make it sound spooky and dystopic. What would
it even mean for 14 people to "control" the internet in any newsworthy way?

------
jwn
"The group conducts the ritual, then each person files out of the room one by
one, and then they all head to a restaurant and party."

Well, I now know where I would attack if I had any interest in a takeover of
DNS.

------
gruez
Misleading title. More accurate title would be "the domain name system is
actually controlled..."

~~~
tptacek
The domain name system functions fine regardless of who has the DNSSEC root
keys or what they do with them. The private keys could be posted to Pastebin
today and --- I mean this literally --- nothing important on the Internet
would break.

"Ceremony" is a good word for what this stuff is.

~~~
AndyMcConachie
This statement is not provably true. With a DNSSEC signed root anyone can host
their own copy of the root zone, and we can all cryptographically verify that
it is the same root. If someone were to sign a different root with the same
key we would no longer be sure which was the right one. An attacker could
redirect traffic away from TLD nameservers to their own nameservers.

I think you understand this. What I don't understand is why you think this
scenario would not be a problem.

~~~
TazeTSchnitzel
TLS works on the assumption that DNS is insecure. So, since everything that
matters happens over TLS, it's not a problem if DNSSEC is compromised. It
wouldn't matter if DNSSEC wasn't invented to begin with. It might be better
that way, actually, given its problems.

~~~
AndyMcConachie
Let's Encrypt, and pretty much any other CA, will issue me a TLS cert based on
what they find in DNS. So how's that for circular reasoning :)

But seriously, wouldn't it be better if DNS wasn't so insecure? Or do you
think that DNS being insecure provides a net good?

~~~
tptacek
No, it wouldn't be better if DNS was less insecure: applying cryptography to
address security problems adds cost (along several dimensions), and those
costs outweigh the marginal benefit. It's like asking, "wouldn't the Internet
be better if ARP were secure?"

~~~
AndyMcConachie
I don't get the Internet ARP reference? That's just false equivalence.

I think we're just going to continue to disagree. We've argued over DNSSEC on
HN many times and it's clear to me we don't see eye-to-eye. That's fine, and I
respect your opinion. I just think you're wrong, and I doubt anything you say
will convince me otherwise.

------
guan
This is only for DNSSEC signing for the root zone, right? If you don’t use
DNSSEC, those 14 people don’t affect you in any way.

~~~
AndyMcConachie
8.8.8.8 DNSSEC validates. So that's a lot of people right there. I think
Comcast also validates. There are others but I think you get the point.

You might be relying on DNSSEC validation without knowing it.

~~~
tptacek
Where by "relying on" you mean "impacted by outages and little else", since we
systemically do not validate DNSSEC and any attack that DNSSEC "prevents" can
simply be aimed at a different part of the communications infrastructure.

Also, obviously, people who "rely on" 8.8.8.8 doing DNSSEC lookups are in fact
relying on a _single bit_ in an unencrypted DNS response packet that vouches
for the validation that the server did. Nothing 8.8.8.8 can do will protect
the link between the user's stub resolver and Google's DNS server.

~~~
AndyMcConachie
> Where by "relying on" you mean "impacted by outages and little else", since
> we systemically do not validate DNSSEC and any attack that DNSSEC "prevents"
> can simply be aimed at a different part of the communications
> infrastructure.

You could make that statement about nearly any security mechanism. It still
doesn't explain why you think unsigned DNS responses are better than signed
ones.

> Also, obviously, people who "rely on" 8.8.8.8 doing DNSSEC lookups are in
> fact relying on a single bit in an unencrypted DNS response packet that
> vouches for the validation that the server did. Nothing 8.8.8.8 can do will
> protect the link between the user's stub resolver and Google's DNS server.

Yes, which is why the kind folks at the IETF are working on DNSoTLS. But
that's orthogonal to DNSSEC.

~~~
tptacek
No, you don't understand what I'm saying. I'm saying that by using Google DNS
to "verify" DNSSEC, you're playing pretend, because DNSSEC doesn't do anything
to protect the last mile between your stub resolver and Google's servers;
instead, it sets a single bit in the header to reassure your resolver that
"yes, Google verified this DNSSEC request". But any coffee shop MITM can
simply flip that bit back!

Google DNS's DNSSEC support is pure security theater.

~~~
AndyMcConachie
Which is why I brought up DNSoTLS, which you conveniently ignored. That 'last
mile' problem you speak of is being worked on at the IETF. It's not an easy
problem to solve. But I suspect this argument of yours, which is valid BTW,
will be less of a problem in 5 years. We're already starting to see DNSoTLS
testing happening.

You could also run a DNSSEC validating stub resolver on your laptop. Or you
can run DNSMasq on your home router with DNSSEC validation enabled. Both of
these effectively prevent the MITM you bring up.
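As an added example (not code from any poster in this thread), this is what the "single bit" tptacek describes looks like on the wire: the snippet decodes the 12-byte DNS header, reports the AD (Authenticated Data) flag, and applies the rule behind AndyMcConachie's fix, that AD only means something when the path to the validating resolver cannot be tampered with (a validator on loopback or the home router, or DNS over TLS). The two packets are constructed by hand and `trusts_ad_bit` is a hypothetical helper.

```python
"""Decode a DNS response header and decide whether its AD bit may be trusted."""
import struct

# Bit positions inside the 16-bit flags word (RFC 1035; AD/CD from RFC 4035 3.2.3).
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}


def parse_header(packet: bytes) -> dict:
    """Return the fields of the fixed 12-byte DNS header as a dict."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    fields = {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()}
    fields.update(id=ident, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF,
                  qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return fields


def trusts_ad_bit(packet: bytes, transport_trusted: bool) -> bool:
    """A stub resolver may act on AD only if the recursive resolver set it AND
    the stub-to-resolver path is itself protected; the bit is plain header data
    and carries no signature of its own (hypothetical policy helper)."""
    hdr = parse_header(packet)
    return hdr["QR"] and hdr["AD"] and hdr["rcode"] == 0 and transport_trusted


def differing_bytes(a: bytes, b: bytes) -> int:
    """Count header bytes that differ between two responses."""
    return sum(x != y for x, y in zip(a, b))


# Constructed sample: a NOERROR response with QR, RD, RA and AD set
# (0x8000 | 0x0100 | 0x0080 | 0x0020 = 0x81A0), one question, one answer.
AD_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
# Constructed sample: the same header with only AD cleared (0x8180).
PLAIN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    for label, pkt in (("validated", AD_RESPONSE), ("unvalidated", PLAIN_RESPONSE)):
        h = parse_header(pkt)
        print(f"{label}: AD={h['AD']} RA={h['RA']} rcode={h['rcode']}")
    print("bytes differing between the two:", differing_bytes(AD_RESPONSE, PLAIN_RESPONSE))
```

The only difference between the two headers is one byte, which is why a validator on the public-resolver side protects nothing on an untrusted last mile unless the stub validates or the transport is encrypted.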

------
prvst
"the Elders of the Internet"

------
onetom
I got this article a day before from a friend and he brought up the question
which I have no answer for:

> what if all 14 are assassinated?
> 14 is not that many, especially when they meet occasionally

Then I was just reading the [https://github.com/orisi/wiki/wiki/Orisi-White-Paper](https://github.com/orisi/wiki/wiki/Orisi-White-Paper)
which has a "contract amendments" section saying: "... if over 50% of oracles
notice that one of them fell, they can transfer the contract funds to another
multisig address, with the dead oracle replaced by another one, allowing for
safe and long-term contract management."

which sounds like they don't have a plan for a 100% death rate either.

I guess in case of such a horrible event, we would finally set up a different
process which wouldn't require the colocation of several people...

------
ehsanu1
Someone has got to write _Lord of the Keys_.

~~~
qbrass
[http://www.azlyrics.com/lyrics/helloween/keeperofthesevenkeys.html](http://www.azlyrics.com/lyrics/helloween/keeperofthesevenkeys.html)

------
hughw
Now may we please have Namecoin .bit domains? Thanks.

~~~
Sanddancer
No one is stopping you from making alternate root servers. AlterNIC [1]
offered them for years.

[1] [https://en.m.wikipedia.org/wiki/AlterNIC](https://en.m.wikipedia.org/wiki/AlterNIC)

~~~
hughw
I'm surprised at the violently negative voting reaction to this
common-sensical wish. What am I missing? Sure, nobody is stopping me from
making alternate root servers. But I'm not competent to run alternate root
servers. Don't we all need a decentralized DNS? I suppose some people
interpreted my remarks to be trolling, but I wouldn't know enough to do a good
troll on this topic. I'm just a dumb user, who suspects peer DNS would
eliminate the value in DDoS against centralized DNS.