
The Internet Kill Switch; With Global Wiretapping Capability? - pimeys
http://www.pastebay.net/308121
======
ktosiek
Slightly off-topic, but this led me to discover whois spam:

(please don't go there and feed the spammers, thank you :-))

      $ whois facebook.com
      FACEBOOK.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM from whois Server: whois.tucows.com
      FACEBOOK.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM from whois Server: whois.instra.net
      FACEBOOK.COM.LOVED.BY.WWW.SHQIPHOST.COM from Whois Server: whois.onlinenic.com
      FACEBOOK.COM.KNOWS.THAT.THE.BEST.WEB.HOSTING.IS.NASHHOST.NET from Whois Server: whois.your-server.de
      FACEBOOK.COM.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM from Whois Server: whois.PublicDomainRegistry.com

~~~
getsat
Microsoft.com has better results IMO.

~~~
anonymous
Hah, yeah

      MICROSOFT.COM.WILL.BE.BEATEN.WITH.MY.SPANNER.NET
      MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
      MICROSOFT.COM.OHMYGODITBURNS.COM
      MICROSOFT.COM.IS.A.STEAMING.HEAP.OF.FUCKING-BULLSHIT.NET

~~~
X4
<http://slacksite.com/humour/whois.html>

That's been around for more than 10 years, the reason is that whois is doing
substring matches.

Blackhat SEO stuff. Easy to fool google suggest also.

------
cleverjake
This is just drivel. A company is providing a service that is extremely well
executed and has a great reputation. Google uses it for the same reason most
people use Google - it is the best around for what they want.

If there is a single shred of evidence other than "isn't it weiirdd...." then
perhaps we can discuss this.

~~~
ynniv
It raises my eyebrow that a third party controls MSN, Google, and Facebook's
DNS entries while also being a trusted certificate authority. This makes a
man-in-the-middle SSL attack "somewhat easy". Does anyone publicly audit the
DNS entries of major services? I haven't heard of any browsers alerting on SSL
certificate changes (a la ~/.ssh/known_hosts).

Perhaps I like my tinfoil hat more than the average Joe, but this sounds like
an excellent way to execute wiretaps. I can only imagine that
<http://news.ycombinator.com/item?id=3929507> reminded the submitter of this
old (Feb 17th) paste.

~~~
sneak
They are the REGISTRAR of the domains - they are not hosting DNS for the
domains. The fact that they manage the registration is completely irrelevant
from a wiretapping point-of-view.

If true, the fact that they have a CA is what allows them to wiretap. But they
don't need control of DNS to do that - just cooperation of an ISP.

~~~
ynniv
_The fact that they manage the registration is completely irrelevant from a
wiretapping point-of-view._

As the registrar, you specify which DNS servers are authoritative for the
domain. It is much easier for the registrar to quietly change a domain than
any other 3rd party in the system.

That in itself isn't scary. Lots of people use(d) GoDaddy, eNom, etc. Another
commenter pointed out that Last.fm likes the service because it abstracts the
pain of domain registration.

But does Google care about the pain of registering Google in new TLDs? Does
Facebook worry that their domain will expire due to an out of date credit
card? Using a third party service introduces risk of failures out of your
control. Any interruption to these major providers will cause damage far in
excess of them not having to deal with spam domains.

Consolidation when consolidation is unnecessary should raise questions.

~~~
sneak
If you think it's possible for anyone, registrar or no, to "quietly" change
the NS records for google.com., you're confused.

~~~
harshreality
Not instantly, because google.com's glue records have a 2-day TTL.

Verisign has the ability to alter DNS glue records for .com and they have the
ability to issue browser-trusted certificates, except in cases of browser cert
pinning functionality or extensions (like CertPatrol) that check for certs
being altered before they're nearly expired.

Registrars can instruct Verisign to alter the glue records for .com domains.
Are you saying Verisign has special policies in place to double check with
major companies before changing their respective glue records?

~~~
ynniv
Do any browsers pin certs by default? I haven't heard of CertPatrol, but
alerting when a cert changes well before expiration seems like a good default.

~~~
harshreality
Chrome has certain google.com certificates (maybe all of them) pinned.

{accounts, mail, docs}.google.com (at least) have HSTS forced and preloaded in
Chrome, but www.google.com does not.

~~~
cleverjake
I'd love to see where you found this information. I wasn't able to find it in
Chrome's source, but I didn't have the chance to do a deep dive.

~~~
harshreality
<http://www.imperialviolet.org/2011/05/04/pinning.html>

<http://blog.chromium.org/2011/06/new-chromium-security-features-june.html>

as well as empirical Chrome behavior.
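
The check discussed in this subthread (remember a host's certificate on first use, in the style of ~/.ssh/known_hosts, and alert when it changes well before the old one is near expiry) can be sketched as follows. This is an added example, not code from any commenter, from CertPatrol or from Chrome; `PinStore`, `observe`, the 30-day `RENEWAL_WINDOW` and the host name are hypothetical, and the certificates are constructed stand-in bytes.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumption: a pinned cert within 30 days of expiry may legitimately be replaced.
RENEWAL_WINDOW = timedelta(days=30)


class PinStore:
    """Trust-on-first-use store: host -> (SHA-256 of DER cert, notAfter)."""
    def __init__(self):
        self._pins = {}

    def observe(self, host, der_cert, not_after, now):
        """Return "first-seen", "match", "renewal" or "ALERT" for one observation."""
        fp = hashlib.sha256(der_cert).hexdigest()
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = (fp, not_after)
            return "first-seen"
        old_fp, old_not_after = pinned
        if fp == old_fp:
            return "match"
        if old_not_after - now <= RENEWAL_WINDOW:
            # Pinned cert is expired or close to it: plausible renewal, so re-pin.
            self._pins[host] = (fp, not_after)
            return "renewal"
        # Cert changed while the pinned one is far from expiry: keep the old pin.
        return "ALERT"


def demo():
    # Constructed data: byte strings stand in for DER certificates, e.g. what
    # ssl.SSLSocket.getpeercert(binary_form=True) returns on a live connection.
    def day(y, m, d):
        return datetime(y, m, d, tzinfo=timezone.utc)

    host, store = "mail.example.test", PinStore()
    exp_a, exp_b, exp_c = day(2013, 5, 1), day(2015, 1, 1), day(2014, 5, 1)
    return [
        store.observe(host, b"cert-A", exp_a, day(2012, 5, 1)),
        store.observe(host, b"cert-A", exp_a, day(2012, 5, 11)),
        store.observe(host, b"cert-B", exp_b, day(2012, 5, 31)),  # 11 months early
        store.observe(host, b"cert-C", exp_c, day(2013, 4, 17)),  # 14 days before expiry
        store.observe(host, b"cert-C", exp_c, day(2013, 5, 1)),
    ]


if __name__ == "__main__":
    print(demo())
```

The early swap to `cert-B` is flagged and does not overwrite the pin, which is why the later `cert-C` observation is still judged against the expiry of `cert-A`.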

------
Nyr
At the end of the day, all the mentioned companies need to trust their domain
name registrations to someone and just like normal people can use Namecheap or
Gandi as their domain name registrar, big companies seem to use MarkMonitor
because the services they provide are useful to them.

Last.fm also uses MarkMonitor and they explained why here:
<http://news.ycombinator.com/item?id=3687600>

------
guard-of-terra
amazon.com isn't under this switch.

Some local services: yandex.com, mail.ru, vk.com, ozon.ru, rutracker.org,
lenta.ru, ok.ru - are all unaffected. I bet Chinese resources are unaffected
too.

------
StavrosK
What the hell is going on here? I understand that this might be a legitimate
company, but I don't see Google having any need for such a thing, let alone to
the point where they'd just surrender their domain name to them.

Does anyone have more information on this?

~~~
sneak
They didn't surrender their domain name - they're just using them as
registrar. Google still runs their own authoritative DNS servers.

~~~
bobds
Google is also a registrar (I think just for .com/.net domains). I guess they
don't want to deal with dozens of ccTLDs.

