On the morning on November 7, while folks in my part of the country (Oklahoma) were still trying to come to grips with being rocked by two damage-causing earthquakes in less than 24 hours (that’s unheard of for OK), a previously unknown software bug in the BGP function of Juniper routers caused a major hiccup in the Internet. Details on what exactly the problem was are very thin, but Juniper acknowledged that “a small percentage of customers” was affected. Unfortunately, that small percentage happened to be companies that run routers in the core of the Internet (like Level 3). The outage was widespread, but short.

A CNN story leads with a sentence beginning “The seemingly indestructible Internet…” Seemingly indestructible? For years I have been of the opinion that the Internet is extremely fragile and has only been able to survive this long because of sheer momentum. Here’s my analogy: The Internet is like a runner stumbling over a hurdle. While it may still be on its feet, the inevitable outcome is that its momentum will bring it to a spectacular, smashing conclusion.

So, if the Internet is so fragile, you may ask, why has it not crashed yet as a result of terrorism, nation-state attack, or simple accident? Allow me to present my theories.

• The terrorists want to cause terror, not boredom, which is exactly what most of the developed world would experience if the Internet failed.  Large numbers of dead bodies get more media attention than 5 billion people bored to tears, not to mention that the media wouldn’t be able to distribute images of the terrorism without the Internet, and the terrorists wouldn’t be able to take credit without it.  So no, they won’t take down the Internet.

• The nation-state attackers would love to take down the Internet because of the economic damage it would do to their adversary, but they realize this: their nation and its economy is in the same boat as who they would be attacking.  If the Internet core failed, the world would end up with several dozen very small and useless Internets.  E-commerce would cease to exist until everything was put back together.  You can’t wage war if you can’t fund it, or communicate to your troops, or schedule the movement of supplies.  Nope, these guys aren’t that dumb either.  (Although a leader like the one the North Koreans had might just be crazy enough to do it anyway.)

• That leaves us with a simple accident.  Why has this not happened yet?  Good question.  We’ve gotten close, although I think some of the close calls may have been made to look like accidents.  Some very smart people watch the core of the Internet, though, and so far they’ve been able to stem the damage of these accidents very quickly.

I will tell you who is going to take down the Internet: it’s going to be some crazy, over-worked, computer nerd at a small regional ISP who’s just going to snap one day and unleash hell upon the Tubes.  Sure, the Feds will label this nerd a “terrorist,” but he/she will really be nothing more than a nut job.  Mark my words.

Many of my friends call me a cynic.  I believe I am a realist.

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

The Internet security community is abuzz with rumors of an attack against the TCP protocol that can DoS almost (if not all) machines.  The attack is against the TCP state machine.  Details are very sketchy, but the rumors suggest that an extremely low-bandwidth attack could effectively kill a machine to the point that it must be rebooted to once again be effective at communicating on the network.

Adding to the hype is the claim that almost all machines running TCP can be attacked, regardless of the vendor.  Windows, Linux, Mac, Solaris, all manner of embedded devices, etc., are all supposedly vulnerable.

It seems like a “vulnerability” like this (that is, one that will completely cripple the Internet) is announced once a year.  A few details[t2.fi] are released to the media that make the vulnerability sound really scary in an effort to hype the conference where the full details are going to be discussed (which, in this case, is “T2 ’08″ in Helsinki, Finland).

Call me a skeptic, but these usually turn out to be false.  The sallacious details released to the media are mere propaganda items to increase interest.  This particular vulnerability will probably turn out to be a non-issue except on your local network, which should be a (relatively) trustworthy area, anyway.

To sum it up: don’t go jumping out of a window yet.

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

Here is an hilarious article[timesonline.co.uk] from The (London) Times. Foxnews.com’s title is even more hilarious: “Report: The End of the Internet Is Near”. OMG!!! Gather up the Ponies!!

Messr. Harris at The Times either has no idea what he’s writing about or owns a ton of stock in Cisco or Juniper. Or perhaps both. The following line from the article is particularly ridiculous:

If, for example, Google wants to support IPv6, it will need to build a whole new IPv6 web service, complete with new domain names, servers and bandwidth.

Hogwash, my good chap! The only bloody thing good ol’ Google will need to do is get IPv6 addresses from its ISPs. Its servers undoubtedly already support IPv6 as do almost all recent Un*x and Windows OSes (Linux and Mac OSX included). All Google will have to do is tell its servers what each one’s IPv6 address is and everything will work just the same as it has. No need for a new domain name, new servers, or new bandwidth. And certainly not any new code for their web services.

In fact, what I said above isn’t even necessarily true: Google doesn’t need to get an IPv6 address from its ISPs because there is an IPv6 prefix[wikipedia.com] already reserved for all the old IPv4 addresses. In essence, if you have an IPv4 address, you already have an IPv6 address that will route to all other IPv6 addresses–if only your upstream ISPs supported IPv6.

I tend to believe that Google has already prepared for this. I’m betting that their servers are already configured for IPv6. Their routers are probably configured for IPv6. Google might even have pure IPv6 connections to the Internet already. It’s hard for me to confirm my suspicions, though, because I don’t have a pure IPv6 connection to the Internet although I could setup something like 6to4[wikipedia.com].

Messr. Harris pumps the same old doom-and-gloom line that has been going around since the mid-1990s. Yes, friends, back when IPv6 was started the “experts” were prediciting we would run out of IPv4 addresses within a few years. Over a decade later, the new “experts” are predicting another three years.

Here’s a prediction: NASA will land men on Mars before IPv6 makes its way down to the home user, and I’m talking about his Cable/DSL router, not his actual PC.

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

According to PC Pro[pcpro.co.uk], Facebook is now larger than MySpace. Thank goodness. MySpace was the worst assault on the eyes since the short striped shorts of the early 80′s. Facebook at least has a somewhat consistent interface from profile to profile, and none of those god-awful tiled backgrounds of kitty cats or what have you.

Still, Facebook is beginning to get cluttered and annoying thanks to the proliferation of extensions with their constant annoying questions. For the last time, I do NOT WANT TO PLAY RISK VIA FACEBOOK!!! Get a life, buy the board game, gather up some friends, and freaking talk to another person tête-à-tête!!

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

With yesterday’s introduction[reuters.com] of Google Health, we can now add personal health records and related information to the types of data Google is storing. This service includes connections to pharmacies, like Walgreen Co. and CVS Caremark, and other health groups. It will “allow patients to schedule appointments, refill prescriptions, receive diagnostic results online, and instantly add their doctors’ email addresses to a list of contacts.”

This service sounds very useful and is likely to be used by many people. My concern is that as the diversity and sensitivity of data Google is storing increases, so does it’s attractiveness as a target for those with malicious intent. According to Marissa Mayer, Google’s vice president for search services and user experience, the service involves an additional layer of security and the data is stored separately from Google’s other data. Mayer stated that, “We certainly have put in place the foremost privacy policy[google.com] that we could construct.” We all hope so!

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

Slashdot has posted an item[slashdot.org] about the upcoming results of a survey by Symantec and Applied Research-West describing the threat to IT from the so-called ‘Millenials’ generation–those born after 1980. The IT threat apparently comes from the willingness of this young crowd to connect almost any device or social networking software to the corporate network. There is a positive in the report: Millenials are more likely to be aware of the security implications of what they are installing or connecting.

Whew…for a second there I thought my generation was going to be banned from working! It’s not like that would make that many of us angry…just don’t take away our Internets!!! You don’t want us to get angry!

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

The new Boeing 787 Dreamliner has been widely reported as a feat of technological engineering. The plane has three separate networks on-board: an administrative network, a flight control/navigation network, and a passenger network. Everything about this plane seems cool from the Ethernet jacks in the armrest of every seat, to the completely computerized flight controls system, to the ability for the plane to automatically adjust humidity settings based on the number of passengers on-board. There’s just one problem. Reports indicate[foxnews.com] that the three networks (administrative, flight, and passenger) are not completely separated. There is at least the ability for one-way communications from one of the networks to another. But unless this is a connectionless, no guarantee of delivery, UDP-like fire-the-message-and-hope-it-arrives communications protocol, there are obviously two-way connections, even if control information was designed (in software) to be transmitted in only one direction.

So these networks are not air-gapped, the only foolproof way to prevent one network from talking to another. To make matters worse, it seems that the administrative network is accessible via Wi-Fi (for maintenance personnel), particularly while the aircraft is sitting at the gate. So a sufficiently skilled 16-year-old Johnny Q. Hacker could sit comfortably in an airport terminal with his laptop and attempt to hack into a 787′s administrative network.

I hope they are using WPA2 with AES encryption and rolling keys…

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts

We can all breathe a collectively sigh of relief – terrorists now have the ability to communicate securely[reuters.com]. I was really starting to be concerned for their privacy…

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

HBO will soon make many of their shows and movies available on the Internet[reuters.com] for no additional charge, similar to what many other channel are already doing. In related moves, Wal-Mart recently suspended Internet movie rentals and Apple added movie rentals to its iTunes store.

While people are undoubtedly interested in accessing this type of content on-demand over the Internet, I wonder whether Wal-Mart’s move indicates an unwillingness in consumers to pay for such services. It will be interesting to see whether Apple has better success with their movie rentals.

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

Comcast is unveiling a new cable Internet standard today at CES. The new standard is DOCSIS 3.0, and promises to allow download speeds of 150Mbps. That’s faster than the 100Mbps most home-user network interface cards currently support. Comcast believes they will have the technology available to millions of homes in 2009.

In other news, dozens of RIAA and MPAA execs have been found cowering in the fetal position in the corner of their offices…

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

Twitter - More Posts