

Stealing the United States Government by stealing .gov - iinventeddice
http://www.breaksecurity.com/2011/01/stealing-the-united-states-government/

======
Hoff
Welcome to the on-going privatization of government services, and the plan to
have all of .gov outsourced and privately hosted, and with the registration
processing services having been bid out and presently hosted by Cyberdyne
Systems domain registration services.

As part of this, Cyberdyne Systems will be running .gov-wide grid services in
the background on the .gov hosts, so please ignore the skynetd daemon that
will now be running on your servers.

But seriously, this is how outsourcing and privatization works. It's how Xe
Services is an extension of the military, how Corrections Corporation of
America runs private prisons, the Kelo case in Connecticut, the 1% claims
settlement between BofA and Fannie Mae, and other cases of privatization.

The government does what the population and the corporations ask of it, and
the private entities then provide the rest of the services on behalf of the
government; it's how government itself gets outsourced.

And yes, government-outsourcing makes following the accounting and the budgets
far more difficult. You just don't easily know how big a military effort might
be without finding those other line items in those other budgets, for
instance. Or when some private entity effectively holds the keys to some large
tract of government services or security.

~~~
steveklabnik
> Xe Services

Little note: this is what Blackwater is calling themselves these days. I
didn't know this, and figured I'd save someone from looking it up.

~~~
getsat
Did you know that Philip Morris is now operating as the Altria Group?

~~~
steveklabnik
Only vaguely.

------
trotsky
_Update: Derek McUmber pointed out a good point that IANA actually glues the
records of a.usadotgov.net in the root zone
via <http://www.iana.org/domains/root/tld-change-template.txt> so it doesn’t
look like as bad of things can happen if in fact the root-servers give out the
name servers ips_

So basically he just took back everything he wrote before that update.

~~~
iinventeddice
Update 2

Derek and I had a good talk on the phone and some things I brought up are that
if the domain usadotgov.net does get hijacked and the person does fiddle with
things it could cause some issues if you are using a non-verifying DNSSEC
resolver (not only this but .net domains can’t be signed at the registry yet)
but the question becomes does the resolver go to the root or the .net for the
information for a.usadotgov.net and do all resolvers work the same. What he
was trying to convey is that since the records are signed and the government
uses verifying resolvers there should be no issues.

I also brought up the fact that a country could send back spoofed records from
the root servers as has happened before. If I can spoof a.usadotgov.net and
look like I’m answering from l.root-servers.net then what happens. Hopefully
this will all go away as DNSSEC is more widely deployed.

Update 3

I asked Paul Vixie the question below as I didn’t want to keep going back and
forth on the issue.

“I guess my question is what happens to .org if usadotgov.net is hijacked,
what damage can truly be done.”

His reply:

Such a hijacker could make any .gov name say anything they wanted it to say,
as long as the software looking up the bad data wasn’t dnssec-aware.
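
Added example, not part of the original thread or the linked article: a small audit that reads a parent-zone fragment and reports, for each delegation, whether the name servers sit outside the delegated zone, which other registered domain they depend on, and whether the parent carries glue for them. The zone fragment is constructed (only a.usadotgov.net comes from the thread), and taking the last two labels as the registered domain is a simplifying assumption.

```python
# Constructed root-zone-style fragment (not real zone data). Only
# a.usadotgov.net comes from the thread; other names are made up and all
# addresses are RFC 5737 documentation addresses.
SAMPLE_PARENT_ZONE = """\
gov.              172800 IN NS a.usadotgov.net.
a.usadotgov.net.  172800 IN A  192.0.2.10      ; glue held by the parent
example.          172800 IN NS ns1.nic.example.
ns1.nic.example.  172800 IN A  198.51.100.5
test.             172800 IN NS ns.hosting-example.net.  ; no glue
"""

ADDRESS_TYPES = {"A", "AAAA"}


def _norm(name):
    return name.lower().rstrip(".")


def parse_records(text):
    """Yield (owner, rtype, rdata) from 'owner ttl class type rdata' lines."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 5:
            owner, _ttl, _cls, rtype, rdata = fields
            yield _norm(owner), rtype.upper(), rdata


def audit_delegations(text):
    """Map each delegated zone to findings about its NS host names."""
    records = list(parse_records(text))
    glued = {owner for owner, rtype, _ in records if rtype in ADDRESS_TYPES}
    report = {}
    for zone, rtype, rdata in records:
        if rtype != "NS":
            continue
        ns = _norm(rdata)
        in_bailiwick = ns == zone or ns.endswith("." + zone)
        report.setdefault(zone, []).append({
            "ns": ns,
            "in_bailiwick": in_bailiwick,
            "glue_in_parent": ns in glued,
            # Assumption: the last two labels approximate the registered
            # domain whose control the delegation depends on.
            "depends_on": None if in_bailiwick else ".".join(ns.split(".")[-2:]),
        })
    return report


if __name__ == "__main__":
    for zone, findings in audit_delegations(SAMPLE_PARENT_ZONE).items():
        for finding in findings:
            print(zone, finding)
```

A delegation flagged with `in_bailiwick` false depends on the registration of the domain in `depends_on`; parent-side glue, as noted in the update quoted above, narrows that exposure but only for resolvers that use it.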

------
smountcastle
It looks like they're already working on addressing this issue by having
Verisign operate .gov: <http://domainincite.com/verisign-takes-over-gov/>

~~~
Hoff
Verisign already has de facto control over huge tracts of network security by
virtue of having their root certs embedded in various browsers and other PKE-
related tools.

~~~
smountcastle
As of August 2010 Symantec owns those root certs. Verisign is left with the
various top-level domain registries.

~~~
iuguy
Why do I not feel any better about that?

~~~
krakensden
Crushing levels of skepticism and a poor impression of their rancid consumer
software?

~~~
iuguy
That would be it then. Oh wait, they bought PGP. Great, now my crypto's
screwed.

------
iuguy
Incidentally it's a similar setup for .edu, which is run through the
edu-servers.net domain (registered via dotster to a real person), which is subject
to the standard TLD glue that _should_ make changes a little harder than
regular domain hijacking.

Incidentally mod.uk has a nameserver pointing to ns1.cs.ucl.ac.uk. I wonder if
there are many other domains that use academic resources.

~~~
olkiujytryujik
UCL's CS dept were in at the start of the internet - they used to manage the
old x500 network and the .gb domain and invented a bunch of the domain
management stuff.

I would probably trust them to get it right more than whatever nominet are
calling themselves today

------
alexbowman
Main page stated there was a comment, but that comment is now not here. Spam,
deleted, or other?

~~~
barrkel
It was a guy who said "wikileaks.gov, anyone?" and was downvoted to at least
-1.

~~~
polynomial
I would be (only a little) surprised if a gov agency didn't grab that à la Bank
of America, to use for a counter-information campaign.

But then, the thought probably never occurred to them.

------
tomkinstinch
The .net version was most likely registered and used while waiting for the
.gov (presumably they can take a while to register).

