[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: NSA software in Debian


On 01/26/2014 01:30 PM, Andrew McGlashan wrote:
> On 25/01/2014 7:39 PM, Emmanuel Thierry wrote:
>> Then DNSSEC appeared ! :)
> 
> I wish it was that simple .... I don't believe it is today, but one day
> it will have to be the standard.
> 
>> I remind you it is really difficult to compromise DNS zones protected by DNSSEC, even if you have control on root DNS servers (they probably have it) and the knowledge of the complete root DNS key (they likely don't have it).
>>
>> There is no point in considering DNS as compromised, since it would be much easier (and as difficult to hide) to subvert IP routing. By the way if you succeeded in redirecting DNS traffic to your box, you probably have the power of redirecting all the traffic to your box.
> 
> It is technically very easy to compromise DNS for many people.  It often
> surprises me that people don't question absolutely whether or not a
> webpage is legitimate, they almost always take it on faith unless there
> is something very obviously wrong and even then the person will take
> some convincing (especially the lesser educated on these matters).
> 
> Kind Regards
> AndrewM

I think the MITM attacks that the NSA does on the core internet routers are
likely based on IP rather than DNS.  The reports talk about the system is
setup to respond before any of the real servers can.  So my guess is that they
are replying to ARPs, thereby claiming an IP.  Just a guess...

.hc
Reply to: