We sat down with internet pioneer and Farsight Security CEO Dr. Paul Vixie, who co-invented some of the services that are central to the ‘Net’s fabric, to discuss a range of issues affecting security and privacy
The contributions that Dr. Paul Vixie has made to some of the foundational technologies underpinning the internet need little by way of introduction. As one of the brains behind the Domain Name System (DNS) architecture and an inventor of anti-spam measures, Dr. Vixie is an authoritative voice on a range of matters that concern the global internet.
Hence, ESET is very pleased that Dr. Paul Vixie will be presenting the keynote speech at the 22nd International AVAR Cybersecurity Conference in Osaka, Japan, 6 – 9 November, 2019. In advance of the conference, ESET security evangelist Tony Anscombe interviewed Dr. Vixie about his perspectives on a free and secure internet.
To be sure, the lightly edited excerpt that follows provides just a taste of the insightful interview, which is available in its entirety at the link below.
Tony Anscombe: Paul, AVAR has been taking place for over 20 years, along the way marking, in a fashion, the internet’s evolution. What’s on your mind ahead of delivering the keynote to a solidly APAC audience here in Japan?
Dr. Paul Vixie: I’ve been working with partners inside APAC for about 20 years also, and I’ve found the region to be full of smart and ambitious people who can, in many cases, leapfrog over nations like the USA. Fiber to the home is far more advanced in Japan and Korea than in the USA, for example. APAC has also pushed for (and helped to create) internationalization technologies like IDN for DNS. The world owes a lot to the APAC region.
TA: To your eyes, will the ‘Pacific century’ hold a unique place in the evolution of the internet?
PV: I think that the Pacific century will be where the Internet, as the mover and arbiter of most economic and cultural value, coincides with the rise of Asian nations as world powers. The internet doesn’t prefer one cultural norm over another; it can be used however its maintainers and users agree. This means APAC will shortly be much more dramatically affected by internet-enabled crime than the rest of the world.
TA: This year’s theme is Hacker versus counter-hacker: From retribution to attribution. What role does DNS, or better DNSSEC, have to play in this most serious of ‘games’? Do you think that researchers, developers and educators (generally) pay enough respect to the fact that DNS underpins so much of the function of the internet and internet security activity?
PV: There has been a war for three decades for control over the DNS resolution path, and this war is heating up now that many hackers, companies, and national security groups have begun to appreciate the way that DNS can be a control and monitoring point for other activities. To retain any safety, the rest of the technical and online communities must now also learn the powers and dangers of DNS. For example, with DNSSEC we could have a more vibrant global commerce system, yet the web community is pushing for non-DNSSEC ways to grow their economy, and of course the blockchain people are looking for some way they can make money. DNSSEC has been long coming, but we must all unite behind it.
TA: A new, open and more collaborative approach to cybersecurity seems to be afoot. ESET for example contributes to MITRE ATT&CK, and also has provided IOC/detections from its EDR solution to Domain Name System protection services to build use cases and get feedback on its products and data. Do the wider shifts, favoring a collaborative approach to cybersecurity, strike you as a boon for security?
PV: Threat and intelligence sharing has been going on for 15 years now, and yet newcomers still enter our field thinking that this is an unsolved problem where they can make an impact (and perhaps make some money). ESET has always done threat and intelligence sharing, they were part of the STIX/TAXII effort and also part of the IODEF/IDMEF community. What’s important is that every participant in the economy recognizes that no defender will be very much safer than the average, and so only by cooperation can we begin to reverse the trend of losses.
TA: You’ve co-founded SIE Europe, an organization that aims to secure the digital economy via the “collection, aggregation, and sharing of data, without Personally Identifiable Information.” However, profiting from data, which until Data Protection Regulations with teeth, a low-cost and high-return ‘gambit’ has become a widespread business model, how can SIE Europe and other parties protect the wider digital economy while in some ways undermining the gold rush taking place around data collection that is worth tens of billions of dollars in the US alone?
PV: After I lost the internet’s first culture war in the 1990’s, which was about spam, I spent several years trying to decide where we’d gone wrong with the first anti-spam company (Mail Abuse Prevention System or MAPS) and the first distributed reputation system which we invented (Realtime Blackhole List or RBL). Finally, I realized that building roads has greater long-term leverage and impact than building walls, and that at MAPS, with the RBL, we had built walls. Spammers and their enablers built roads, and they beat us. So, SIE Europe is about building roads, and if data monetizers go up against us they will have to compete by building roads also. We will all win from that, no matter which outcome.
TA: With stronger hints at both government and business seeking to carve up the WWW into “regional internets”, firewalled environments, etc., how far have we stepped away from a ‘free’ global internet? As for the perceived tradeoffs – restrictions for better/more (perceived) security… are there other ways forward? What role do DNS-based/oriented security approaches and/or threat-intelligence have to play in helping balance between a free and secure internet?
PV: We are all at the mercy of the worst-operated networks on the internet, and the worst-engineered hardware and software connected to the internet – even if we don’t connect directly to those networks or use any of those hardware or software products. As long as malicious actors can buy services or steal services they need for their attacks, we will all be vulnerable. I don’t think governments have a proper role deciding who can connect to whom – but they must form mutual defense treaties for the internet that parallel the treaties around nuclear proliferation and human trafficking. In particular, government-sanctioned cybercrime must be punished early and often by trade restrictions. I mean to include election interference in “cyber-crime” here. Just because some countries don’t want democracy doesn’t mean they get to prevent democracy from existing elsewhere. To reverse that trend, we will all have to get ready for internet-related trade sanctions.
TA: DNS – security, filtering… there are a lot of points of intersection around how users may leverage the world wide web in future. Amongst the points you would like to drive forward at AVAR… is there any “homework” you’d like our readers and AVAR’s attendees to do, or meditate on to prepare, before you take the stage?
PV: I hope that everyone will read my article from last year, “Benefits of DNS Service Locality”. Much of what’s trending harmfully in internet security right now is due to the generation gap between people who remember when every network ran its own DNS name servers, and the people who have just been using 188.8.131.52 without knowing why, from the first day they got online. We have to reclaim our autonomy – all of us, each and every one. This means that many of us have to stop outsourcing our DNS and take direct local responsibility for it.
TA: How do you see the increasing push of recursive domain name system servers (RDNSs) away from customer networks and toward ISPs and then later over the internet affecting concerns over loss of privacy. Has this very process been a key driver in pushing us into the current situation with GDPR, CCPA and other data protection regulations?
PV: Yes, because any unopposed trend will accelerate, and nothing that can be abused won’t be. On-path providers of DNS, such as appliance vendors and ISPs, have abused their positions, which is natural and unavoidable. As in most negative social trends, all of us will have to become mindful in order to build a road to the world we’d rather live in.
TA: What is driving the new web-based “DNS over HTTPS” or “DoH” protocol now being strongly pushed by Mozilla and others? Is this a project that will actually increase/stabilize privacy?
PV: No actual privacy is added by DNS over HTTPS (DoH); that’s a lie that its proponents tell to cover up their real motives. DNS over TLS (DoT) offers the same privacy as DoH, because they both rely on Transport Layer Security (TLS). What’s different about DoH is that network operators can’t easily block it, thus forcing users and applications on their networks to use local DNS servers that are well-monitored and that can filter out known attacks. The DoH specification (RFC 8484) says it intends to “prevent on-path interference in DNS operations”. Well, every parental control device and every corporate security device is an “on-path interferer in DNS operations”, but the DoH people simply do not care about us.
TA: How can we better protect the log of stub DNS transactions, where personal information is present, in the future to ensure privacy for all users of the internet? Is privacy the strongest weapon (word/issue) that security practitioners have in their quivers?
PV: There’s an aphorism which applies: if you aren’t paying for the product, then you are the product. Nobody who offers a free DNS service has its users’ best interests at heart – all have their own agendas, which they might or might not reveal, and which might or might not be compatible with the users’ best interests. My advice is, use your ISP’s or your employer’s DNS unless you have a commercial VPN with an enforceable contract that guarantees privacy of your Internet activities including your DNS lookups. And if you’re running a family or company network, then operate your own DNS server, and use that one. DNS was never meant to be centralized, and we should resist that centralization now.