
Internet's safe-keepers forced to postpone crucial DNSSEC root key signing ceremony – no, not a hacker attack, but because they can't open a safe

Online security process stalled by offline security screw-up


The organization that keeps the internet running behind-the-scenes was forced to delay an important update to the global network – because it was locked out of one of its own safes.

“During routine administrative maintenance of our Key Management Facility on 11 February, we identified an equipment malfunction,” explained Kim Davies, the head of the Internet Assigned Numbers Authority (IANA), in an email to the dozen or so people expected to attend a quarterly ceremony in southern California at lunchtime on Wednesday.

The malfunction “will prevent us from successfully conducting the ceremony as originally scheduled” on February 12, Davies explained. “The issue disables access to one of the secure safes that contains material for the ceremony.” In other words, IANA had locked itself out.

The ceremony sees several trusted internet engineers (a minimum of three and up to seven) from across the world descend on one of two secure locations – one in El Segundo, California, just south of Los Angeles, and the other in Culpeper, Virginia – both in America, every three months.

Once in place, they run through a lengthy series of steps and checks in which the root Key Signing Key is used to sign the zone signing keys that secure the internet’s root zone. (Here's Cloudflare's in-depth explanation, and IANA's PDF step-by-step guide.)

At the heart of the matter, simply put, is the Key Signing Key (KSK): a public-private key pair whose private half is kept locked away by IANA. Every three months the KSK is used to sign the root zone's key set, which carries the public halves of the Zone Signing Keys (ZSKs); the ZSKs, in turn, sign the records in the official root zone file. That file acts as a kind of directory for other parts of the internet, and these parts in turn provide information on more of the internet. It is, in a way, the blueprint for how the internet as we know it is glued together: how domain names resolve to computers on the global network, so that when you visit, say, theregister.com, you eventually reach one of our servers at network address 104.18.235.86.

Critical root DNS servers are spread out around the planet, each armed with a copy of the latest signed root zone file and used, in a distributed, cascading manner, by other DNS servers to look up domain names for the internet's users. A DNSSEC-validating resolver can check that the root zone data it receives is signed by a ZSK that was itself recently signed by the central IANA KSK, and thus can be treated and trusted as gospel. The KSK is the domain-name system's trust anchor: validating resolvers are shipped with its public half preconfigured, and everything relies on it to ensure the 'net's central directory is laid out the way it should be, according to IANA, anyway.

This is all necessary because it should be immediately obvious whether or not a root zone file is an unsigned forgery, or an authentic and clean copy secured by IANA's KSK. Otherwise, a well-resourced malicious organization could potentially fool networks into using a sabotaged root zone file that redirects vast quantities of traffic, i.e. billions of internet users, to different parts of the internet. Even worse, if someone were to get hold of the KSK, they could sign their own zone file and have the internet blindly trust it. The result would be a global loss of trust in the 'net's functioning.
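The two-tier key hierarchy just described, as an added example that is not part of the original article or of IANA's own tooling: a toy model in Go in which the KSK's public half is the resolver's trust anchor, a "ceremony" signs a key set containing the ZSK with the offline KSK, the ZSK signs the zone's records, and a validator walks the chain the way a resolver would. The structures, function names and sample records are assumptions made for illustration; the real root KSK is an RSA/SHA-256 key rather than Ed25519, and real DNSSEC uses the DNSKEY and RRSIG wire formats with key tags and validity windows, none of which is modelled here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Toy model of the KSK/ZSK hierarchy. Assumption: record sets are plain text
// lines and signatures are Ed25519; the real root uses RSA/SHA-256 and the
// DNSSEC wire formats.

// KeySet stands in for the root zone's DNSKEY record set: the public keys a
// resolver receives, plus the KSK's signature over them.
type KeySet struct {
	KSK    ed25519.PublicKey
	ZSK    ed25519.PublicKey
	KSKSig []byte // produced at the ceremony: KSK signs (KSK, ZSK)
}

// SignedZone is the key set plus the zone's records and the ZSK's signature
// over those records (the day-to-day signing the ZSK exists for).
type SignedZone struct {
	Keys    KeySet
	Records []string
	ZSKSig  []byte
}

// canonical turns a record set into deterministic bytes so that signer and
// validator sign/verify the same thing regardless of record order.
func canonical(records []string) []byte {
	c := append([]string(nil), records...)
	sort.Strings(c)
	return []byte(strings.Join(c, "\n"))
}

// keySetBytes is what the KSK signs: both public keys in a fixed layout.
func keySetBytes(ksk, zsk ed25519.PublicKey) []byte {
	var b bytes.Buffer
	b.WriteString("DNSKEY:")
	b.Write(ksk)
	b.WriteString("|")
	b.Write(zsk)
	return b.Bytes()
}

// Ceremony models the quarterly step: the KSK private key is brought out only
// to sign the key set that publishes the ZSK, then put away again.
func Ceremony(kskPriv ed25519.PrivateKey, zskPub ed25519.PublicKey) KeySet {
	kskPub := kskPriv.Public().(ed25519.PublicKey)
	return KeySet{
		KSK:    kskPub,
		ZSK:    zskPub,
		KSKSig: ed25519.Sign(kskPriv, keySetBytes(kskPub, zskPub)),
	}
}

// SignZone models the root zone maintainer signing the zone's records with the
// online ZSK; the KSK is not needed for this.
func SignZone(keys KeySet, zskPriv ed25519.PrivateKey, records []string) SignedZone {
	return SignedZone{Keys: keys, Records: records, ZSKSig: ed25519.Sign(zskPriv, canonical(records))}
}

// Validate is what a DNSSEC-validating resolver does: start from the configured
// trust anchor (the KSK public key) and walk down the chain.
func Validate(trustAnchor ed25519.PublicKey, z SignedZone) error {
	if !bytes.Equal(trustAnchor, z.Keys.KSK) {
		return errors.New("KSK in zone does not match trust anchor")
	}
	if !ed25519.Verify(z.Keys.KSK, keySetBytes(z.Keys.KSK, z.Keys.ZSK), z.Keys.KSKSig) {
		return errors.New("key set not signed by the KSK")
	}
	if !ed25519.Verify(z.Keys.ZSK, canonical(z.Records), z.ZSKSig) {
		return errors.New("records not signed by the published ZSK")
	}
	return nil
}

// Demo builds a chain and reports three checks: an honest zone validates, a
// tampered record is rejected, and an attacker holding only a ZSK of their own
// (but not the KSK) cannot get their zone accepted.
func Demo() (honestOK, tamperedRejected, rogueZSKRejected bool, err error) {
	kskPub, kskPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	zskPub, zskPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample records standing in for root zone delegations.
	records := []string{"com.  NS  a.gtld-servers.net.", "uk.   NS  nsa.nic.uk."}
	keys := Ceremony(kskPriv, zskPub)
	zone := SignZone(keys, zskPriv, records)
	honestOK = Validate(kskPub, zone) == nil

	// Tamper: redirect a delegation after the zone was signed.
	tampered := zone
	tampered.Records = []string{"com.  NS  evil.example.", records[1]}
	tamperedRejected = Validate(kskPub, tampered) != nil

	// Rogue ZSK: the attacker signs their own records with their own ZSK but can
	// only replay the old KSK signature, which does not cover their key.
	rogueZSKPub, rogueZSKPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	rogueKeys := KeySet{KSK: kskPub, ZSK: rogueZSKPub, KSKSig: keys.KSKSig}
	rogue := SignZone(rogueKeys, rogueZSKPriv, tampered.Records)
	rogueZSKRejected = Validate(kskPub, rogue) != nil
	return
}

func main() {
	h, t, r, err := Demo()
	fmt.Println("honest validates:", h, "| tampered rejected:", t, "| rogue ZSK rejected:", r, "| err:", err)
}
```

The third check is the point of the whole arrangement: an attacker with a ZSK of their own gets nowhere, because the resolver only trusts a ZSK that carries the KSK's signature, and that signature can only be produced by the private half that lives in the safe. That is why the KSK is kept offline and brought out only at the quarterly ceremony, and why losing it, rather than losing a ZSK, is the catastrophic case.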

Security up the wazoo

For that reason, IANA takes its Root Key Signing Key Ceremony extremely seriously, and has a complex and somewhat convoluted process that briefly unlocks the private portion of the KSK to sign the ZSKs for the coming quarter. The KSK is used only during this ceremony and is put away again when it is over, leaving the root zone maintainer with KSK signatures over its ZSKs, enough to authoritatively secure the root zone until the next ceremony.

Only specific named people are allowed to take part in the ceremony, and they have to pass through several layers of security – including doors that can only be opened through fingerprint and retinal scans – before getting in the room where the ceremony takes place.

Staff open up two safes, each roughly one metre across. One contains a hardware security module that holds the private portion of the KSK. The module is activated, allowing the KSK private key to sign keys, using smart cards assigned to the ceremony participants. These credentials are stored in deposit boxes and tamper-evident bags in the second safe. Each step is checked by everyone else, and the event is livestreamed. Once the ceremony is complete – which takes a few hours – all the pieces are separated, sealed, and put back in the safes inside the secure facility, and everyone leaves.


But during what was apparently a check on the system on Tuesday night – the day before the ceremony planned for 1300 PST (2100 UTC) Wednesday – IANA staff discovered that they couldn’t open one of the two safes. One of the locking mechanisms wouldn’t retract and so the safe stayed stubbornly shut.

As soon as they discovered the problem, everyone involved, including those who had flown in for the occasion, was told that the ceremony was being postponed. Thanks to the complexity of the problem – a jammed safe with critical and sensitive equipment inside – they were told it wasn’t going to be possible to hold the ceremony on the back-up date of Thursday, either.

We understand, however, that following an emergency meeting on Wednesday, the issue should be fixed by Friday, and the ceremony has now been moved to Saturday. In the meantime, some lucky locksmith in Los Angeles is going to have to drill out the safe’s locking mechanism and put in a new one.

Fortunately, apart from the inconvenience, there is no impact on the internet itself, certainly not over a delay this short. The signatures produced at the previous ceremony remain valid, so the current arrangement will simply continue to do its job for three additional days. And IANA has been keen to point out that it has an identical set of equipment on the other coast of the US that can also be used if necessary.

“We apologize for the inconvenience for the attendees who had already traveled to participate in the ceremony. This is the first time a ceremony has needed to be rescheduled in the 10-year history of KSK management,” the email announcing the delay noted.

There is a certain irony, of course, that the security of the virtual internet has been held hostage by an old-school physical safe. ®
