valerybrozhinsky - stock.adobe.c
Executive interview: DNS designer David Holtzman discusses net security
How is it possible for criminals to lure people onto fake websites? Holtzman says it’s because DNS is fundamentally insecure
The domain name system (DNS), which enables any computer on the internet to be identified in a human-readable form, is often regarded as the modern equivalent to the classic phone book. It’s organised as a tree, with the root server and branches – known as top-level nameservers, such as .org, .com and .edu – followed by what are known as authoritative nameservers.
David Holtzman, who previously worked as chief scientist at IBM, is the designer of the global DNS registration system used by the Internet Corporation for Assigned Names and Numbers (ICANN), and now works as chief strategist at decentralised cyber security network Naoris Protocol.
The success of the DNS system has resulted in the explosion of servers on the internet, and has made it possible for anyone to have a website, which can be accessed if the URL is known or can be found through a web search. This is both powerful and a massive security risk. “The DNS system has fundamentally no security whatsoever, even today,” he says. “If you had even the remotest idea of what you were doing, you could sit in a hotel room on your laptop and take entire countries off the internet.”
There have been initiatives to harden DNS, but there is a lack of motivation to resolve the security issue. Holtzman says that a quarter of a century ago, the people behind the internet agreed on an improved DNS – DNSSec – to carry cryptographic identification information at each node on the DNS tree.
In his experience, company executives simply do not want to spend the extra money needed to fix internet security. “Why would you spend half a billion dollars to improve your security? That’s actually an issue for the regulators,” says Holtzman.
In some places, like the US, he says there is a lack of privacy and understanding of what security means. The fines imposed on companies for data losses are so insignificant that there is little incentive to improve security. For instance, pointing to Equifax, Holtzman says that one in every three Americans were affected by its data breach, yet it received a minimal fine, so the downside of a data breach is trivial.
According to Holtzman, another fundamental problem with the internet is the fundamentally insecure way computers are designed and operating systems are built. “The Von Neumann machine architecture that we’ve used since the beginning of computers is massively insecure architecture,” he says. This is likely because there is no protection for memory spaces, which is a weakness most cyber attacks exploit to inject rogue code in vulnerable IT systems.
Potential for blockchain
For Holtzman, blockchain offers plenty of opportunity in terms of securing the internet. “One of the nice things about about the concept of a blockchain is that anything you put on a blockchain is fundamentally immutable,” he says.
While there are ways of messing with it, Holtzman says its strength is that a data object committed to a blockchain will remain on that blockchain. This, he says, is the first property of blockchains he finds interesting. The second area of interest for Holtzman is the fact there are controls for ownership based on cryptographic tokens, which determine who can use the data object.
The third area that interests him is the idea of smart contracts. For Holtzman, this is the killer feature, as it enables consumers and citizens to reduce the need for lawyers and government officials. “We can ratify our own agreements and we don’t need to pay someone,” he says.
While there will be many who will question the need to change societal structures that have been running for centuries, Holtzman believes this point of view is generational and age-related. “I think genuinely creative people thrive on chaos,” he says. “I would define creativity as the art of making something interesting out of chaos. If you don’t have chaos, you probably don’t have a lot of creativity going on.”
Internet maturity and standards
In many ways, Holtzman sees the maturity of the internet as analogous to a small child being presented with a pile of stuff on the floor to play with. “If you ever want to get little kids to do something really interesting, take a whole bunch of random stuff and dump it in a pile on the floor; it’s amazing what they do,” he says. “That’s how I view the internet right now. I think, in a lot of ways, it’s really just the beginning.”
But when asked about the ability of people and businesses to adopt new internet developments, Holtzman agrees there is plenty of resistance to making changes.
“There’s always resistance to a new technology, but once it’s adopted, it’s virtually impossible to get rid of,” he says. “Nobody wants to rock the status quo.”
For instance, says Holtzman, the lanes on English roads are based on the width of a Roman chariot. “It becomes a protocol,” he says. “You always want backward compatibility, and we’re talking 1,000 years in this case.”
Read more about internet infrastructure
- Helsinki has a reputation as the go-to place for game development, and now the city’s tech community is taking gaming into new areas.
- Operators at both ends of the corporate scale make notable advances in their respective roll-outs of gigabit connectivity in the UK.
One obstacle in computer technology is that in the early days of PC operating systems, like MS-Dos, the size of a data object was restricted to 64 Kbytes. This limitation is basically still in Windows, he says, but it’s an artificial limitation.
“It’s a sort of protocol and has been around for 25 years because it will take too much work to change,” says Holtzman.
The same is true of the internet protocol. For years, there have been industry warnings that the IPv4 address space is running out. While IPv6 has been around for decades, it remains a curiosity, he says. People and businesses do not want to change.
What is clear from the conversation is that many of the security challenges the internet faces can be fixed – but new, more secure protocols may well break older systems, and as the adoption of IPv6 has shown, even if there is an impetus to update, there is a massive resistance to change.