On-Prem

Networks

Internet's safe-keepers forced to postpone crucial DNSSEC root key signing ceremony – no, not a hacker attack, but because they can't open a safe

Online security process stalled by offline security screw-up


The organization that keeps the internet running behind-the-scenes was forced to delay an important update to the global network – because it was locked out of one of its own safes.

“During routine administrative maintenance of our Key Management Facility on 11 February, we identified an equipment malfunction,” explained Kim Davies, the head of the Internet Assigned Numbers Authority (IANA), in an email to the dozen or so people expected to attend a quarterly ceremony in southern California at lunchtime on Wednesday.

The malfunction “will prevent us from successfully conducting the ceremony as originally scheduled" on February 12, Davis explained. “The issue disables access to one of the secure safes that contains material for the ceremony.” In other words, IANA locked itself out.

The ceremony sees several trusted internet engineers (a minimum of three and up to seven) from across the world descend on one of two secure locations – one in El Segundo, California, just south of Los Angeles, and the other in Culpeper, Virginia – both in America, every three months.

Once in place, they run through a lengthy series of steps and checks to cryptographically sign the digital key pairs used to secure the internet’s root zone. (Here's Cloudflare's in-depth explanation, and IANA's PDF step-by-step guide.)

At the heart of the matter, simply put, is the Key Signing Key (KSK): this is a public-private key pair, with the private portion kept locked away by IANA. This is because the KSK is used, every three months, to sign a set of Zone Signing Keys, which are used to secure official copies of the internet's root zone file. That file acts as a kind of directory for other parts of the internet, and these parts in turn, provide information on more of the internet. It is, in a way, the blueprint for how the internet as we know it is glued together: how domain names resolve to computers on the global network, so that when you visit, say, theregister.com, you eventually reach one of our servers at network address 104.18.235.86.

Critical root DNS servers are spread out around the planet, each armed with a copy of the latest signed root zone file, and used, in a distributed, cascading manner, by other DNS servers to look up domain names for the internet's users. These servers can check the root zone file underpinning all of this is secured by a ZSK recently signed by the central IANA KSK, and thus can be treated and trusted as gospel. The KSK is thus the domain-name system's trust anchor. Everything relies on it to ensure the 'net's central directory is laid out the way it should be, according to IANA, anyway.

This is all necessary because it should be immediately obvious whether or not a root zone file is an unsigned forgery, or an authentic and clean copy secured by IANA's KSK. Otherwise, a well-resourced malicious organization could potentially fool networks into using a sabotaged root zone file that redirects vast quantities of traffic, i.e. billions of internet users, to different parts of the internet. Even worse, if someone were to get hold of the KSK, they could sign their own zone file and have the internet blindly trust it. The result would be a global loss of trust in the 'net's functioning.

Security up the wazoo

For that reason, IANA takes its Root Key Signing Key Ceremony extremely seriously, and has a complex and somewhat convoluted DNSSEC-based process that briefly unlocks the private portion of the KSK to sign the ZSKs every three months. Only during this ceremony is the KSK used, and put away again when it is over, leaving IANA with a set of ZSKs to authoritatively secure its root zone.

Only specific named people are allowed to take part in the ceremony, and they have to pass through several layers of security – including doors that can only be opened through fingerprint and retinal scans – before getting in the room where the ceremony takes place.

Staff open up two safes, each roughly one-metre across. One contains a hardware security module that contains the private portion of the KSK. The module is activated, allowing the KSK private key to sign keys, using smart cards assigned to the ceremony participants. These credentials are stored in deposit boxes and tamper-proof bags in the second safe. Each step is checked by everyone else, and the event is livestreamed. Once the ceremony is complete – which takes a few hours – all the pieces are separated, sealed, and put back in the safes inside the secure facility, and everyone leaves.

You're ARIN a laugh: Critical internet org accused of undercutting security over legal fears

READ MORE

But during what was apparently a check on the system on Tuesday night – the day before the ceremony planned for 1300 PST (2100 UTC) Wednesday – IANA staff discovered that they couldn’t open one of the two safes. One of the locking mechanisms wouldn’t retract and so the safe stayed stubbornly shut.

As soon as they discovered the problem, everyone involved, including those who had flown in for the occasion, were told that the ceremony was being postponed. Thanks to the complexity of the problem – a jammed safe with critical and sensitive equipment inside – they were told it wasn’t going to be possible to hold the ceremony on the back-up date of Thursday, either.

We understand, however, that following an emergency meeting on Wednesday, the issue should be fixed by Friday, and the ceremony has now been moved to Saturday. In the meantime, some lucky locksmith in Los Angeles is going to have to drill out the safe’s locking mechanism and put in a new one.

Fortunately, apart from the inconvenience, there is no impact on the internet itself, particularly in this short term. The current arrangement will simply continue to do its job for three additional days. And IANA has been keen to point out that it has an identical set of equipment on the other coast of the US that can also be used if necessary.

“We apologize for the inconvenience for the attendees who had already traveled to participate in the ceremony. This is the first time a ceremony has needed to be rescheduled in the 10-year history of KSK management,” the email announcing the delay noted.

There is a certain irony, of course, that the security of the virtual internet has been held hostage by an old-school physical safe. ®

Send us news
84 Comments

Chat among yourselves: New EU law may force the big IM platforms to open up

Send an iMessage to Facebook, and we'll talk

The European Parliament's new Digital Markets Act, adopted as a draft law this week, could compel big platforms owned by large firms including Apple, Google, and Facebook to make their tech interoperable.

Among other things, this might mean forcing the tech vendors' messaging apps to allow communication with other services.

If the EU deems a company to be what it calls a "gatekeeper", it could impose "structural or behavioural remedies" – compelling the largest outfits to allow interoperability, or imposing fines. The Act would also restrict what companies could do with personal data – not the first time it's tried.

Continue reading

Sweden asks EU to ban Bitcoin mining because while hydroelectric power is cheap, they need it for other stuff

Lighting and warming homes in winter, or ransoming encrypted files and buying drugs? Hmmm

The directors general of Sweden's Financial Supervisory Authority and Environmental Protection Agency have called upon both the EU and Sweden's government to ban cryptocurrency mining.

Continue reading

The rocky road to better Linux software installation: Containers, containers, containers

Let's be real: Everyone is trying to catch up with Apple

Analysis Linux cross-platform packaging format Flatpak has come under the spotlight this week, with the "fundamental problems inherent in [its] design" criticised in a withering post by Canadian software dev Nicholas Fraser.

Fraser wrote in a blog published on 23 November that "these are not the future of desktop Linux apps," citing a litany of technical, security and usability problems. His assertions about disk usage and sharing of runtimes between apps were hotly disputed by Will Thompson, director of OS at Endless OS Foundation a day later in a post titled: "On Flatpak disk usage and deduplication," but there is no denying it is horribly inefficient.

Most people don't care about that any more, one could argue. But they should.

Continue reading

EU needs more cybersecurity graduates, says ENISA infosec agency – pointing at growing list of master's degree courses

Skills gap needs filling somehow

The EU needs more cybersecurity graduates to plug the political bloc's shortage of skilled infosec bods, according to a report from the ENISA online security agency.

The public sectors of EU countries should "support a unified approach" to infosec-focused higher education, it says, addressing an issue that is by no means unique to the bloc.

In a new report titled "Addressing the EU Cybersecurity Skills Shortage and Gap Through Higher Education", academics Jason Nurse and Konstantinos Adamos, together with ENISA's Athanasios Grammatopoulos and Fabio Di Franco, said the European Union needs to get more students signing up for cybersecurity degrees.

Continue reading

Nuclear fusion firm Pulsar fires up a UK-built hybrid rocket engine

A win in the rocketry world: 'Flames came out of the right end'

UK nuclear fusion outfit Pulsar Fusion has fired up a chemical rocket engine running on a combination of nitrous oxide oxidiser, high-density polyethylene fuel and oxygen.

The acceptance tests of the UK-built rocket were conducted at COTEC, a UK Ministry of Defence site at Salisbury Plain in southern England.

We spoke to CEO of the company, Richard Dinan, in 2018, when he discussed the prospects for fusion power, and the use of the technology for space travel as well as electricity generation. In 2020 he was showing off an ion thruster with plasma running at several million degrees and particles fired at speeds over 20km per second.

Continue reading

Bad news for Tencent: Chinese companies steer employees away from Weixin or WeChat

Middle Kingdom's internet giant: It's a switch to enterprise apps. Try ours?

Managers of large Chinese state-run companies have told employees to delete, shutdown and discontinue use of Tencent messaging app Weixin for work purposes, citing potential security breaches, according to the Wall Street Journal.

The news outlet named China Mobile, China Construction Bank and China National Petroleum among nine companies that confirmed the communication policy change, although none have officially gone on record.

Employees have reportedly also been warned to beware Weixin's sister app, WeChat. No details were given regarding what communication tools personnel were directed to use instead.

Continue reading

Privacy Sandbox saga continues: UK watchdog extracts more commitments from Google over ad tech

Roll up, roll up. Come and be the CMA-approved trustee to keep an eye on the Chocolate Factory's antics

The torrid tale of Google's Privacy Sandbox took another turn today with the UK's Competitions and Markets Authority (CMA) saying it has "secured improved commitments" from the ad giant over the cookie crushing tech.

The CMA's claims come in the wake of yesterday's call by the UK's data watchdog, the Information Commissioner's Office (ICO), for Google and co to sort out the privacy risks posed by ads. The ICO continues to work with the CMA to review the plans of the Mountain View gang.

The investigation by the competition regulator kicked off in January amid worries that Google's intention to change its Chrome browser and phase out third party cookies in favour of a so-called Privacy Sandbox would, in fact, strengthen the megacorp's grip on the online ad ecosystem.

Continue reading

Government-favoured child safety app warned it could violate the UK's Investigatory Powers Act with message-scanning tech

Redesigned SafeToNet feature highlights tech law mess

A company repeatedly endorsed by ministers backing the UK's Online Safety Bill was warned by its lawyers that its technology could breach the Investigatory Powers Act's ban on unlawful interception of communications, The Register can reveal.

SafeToNet, a content-scanning startup whose product is aimed at parents and uses AI to monitor messages sent to and from children's online accounts, had to change its product after being warned that a feature developed for the government-approved app would break the law.

SafeToNet was hailed this week by senior politicians as an example of "new tech in the fight against online child abuse," having previously featured in announcements from the Department for Digital, Culture, Media and Sport over the past 12 months.

Continue reading

Reviving a classic: ThinkPad modder rattles tin to fund new motherboard for 2008's T60 and T61 series of laptops

When vendors don't update old models, someone must step up

The range of Thinkpads you can modernise is getting wider. XyTech is trying to crowdfund a new mainboard for the 2008 T60/T61 so fans can upgrade the much-loved noughties laptop.

"The goal is to recreate the TP experience as much as possible, while incorporating the latest CPUs and technology," XyTech's Xue Yao writes. "As the motherboard is not from [Lenovo], it will require quite a bit of hands-on from the user to get the best experience out of the machine. It will be as stable as any other computer motherboard but will not have original TP software support and features."

XyTech is not alone. CnMod is another small Chinese business that updates teenaged – and by laptop standards, that's positively geriatric – ThinkPads. The replacement motherboards come from cottage-industry scale manufacturers on the forums at 51NB.com. They offer replacement motherboards for various classic ThinkPads, including the X200, X201 and X62, updating them with modern processors, memory and storage. There's also the X330, which combines the classic keyboard of the X220 with the faster mainboard of an X230.

Continue reading

You forced me to use this fancypants app and now you're asking for a printout?

'Just take the meds, Mr Sloper, and enjoy your holiday'

Something for the Weekend, Sir? I could just do with some popcorn right now.

I am loitering among the sick and deranged. The selfish fools decided to pile into the chemist's at 9am, the very moment I sensibly chose to visit. Half of them seem to be loitering around the entrance, jabbing urgently at their smartphones and muttering to themselves.

The popcorn? It will not cure my ailment but, despite research from the Rotterdam School of Management that claims otherwise, popcorn would enhance my user experience (UX) of waiting in the queue.

Continue reading

<abbr title="Bastard Operator from Hell">BOFH</abbr>: What if International Bad Actors designed the vaccine to make us watch more Steven Seagal movies?

Pipe down – Nicolas Cage could be listening

Episode 21 I've got nothing against conspiracy theories in general because if they didn't exist the PFY would probably have to join a book club or a sewing circle. But even the PFY will admit there's a limit, and at lunch today we think we found it ...

"So let me get this straight," I say. "The vaccine contains tiny … robots …"

"Nanobots," the bloke across the table from me chips in.

Continue reading