I always enjoy getting Bruce Schneier’s “CRYPTO-GRAM.” This month’s issue, at http://www.schneier.com/crypto-gram-0309.html, has an interesting discussion about “Accidents and Security Incidents.” He quotes computer-security researcher Ross Anderson’s describing the difference as “Murphy vs. Satan.” (This is why I almost put this under “theology”. I would have if he described it as “Our sin nature and Satan”: sometimes it’s the devil and sometimes I don’t need his help to screw up. :-))

Bruce give some examples, including: “Safety: Knives are accidentally left in airplane carry-on luggage and can be spotted by airport X-ray machines. Security: An attacker tries to sneak through a knife made of a material hard to detect with an X-ray machine, and then deliberately positions it in her luggage to make it even harder to detect with the X-ray machine.” Check it out at the URL above and if you like it, subscribe.

I mentioned this same tension in one of my NetSec Letters (here) — someone thought this would make a good marketing line: “Just because you feel safe, doesn’t mean that you’re secure.”

It’s been in the news. Maybe you’ve read it. It’s been the topic of various Internet mailing lists. Maybe you wonder “What’s all the fuss?” Let’s look at it allegorically.

What if the technology existed for someone to intercept all telephone calls in an exchange not owned by anyone else? My phone number is 410-309-6910 (6911 is fax). Suppose no one actually owns 6912 and 6919. If someone misdials my number they’ll get someone else. Maybe that someone will have a recording that says simply “Press ‘1’ to send a fax. Press ‘2’ to talk to an attendant.” What is the harm? Faxes meant for me could be easily misdirected. Calls intended for me could be answered by someone who might redirect business to a competitor. I lose the potential client. The potential client loses me. Maybe.

Check it out. Click on www.avolio.cm. (Note, “com” is misspelled.) You get an error. Now, Click on www.aviolo.com. My domain name is misspelled. But Verisign “owns” .com, and so helpfully intercepts it. Not as bad as whitehouse.com instead of whitehouse.gov. (And I purposely do not include the links… the “.com” address is a porn site.) It even suggests you may have meant my site. So, what’s the fuss?

The main problem – from a security perspective, anyway – is that DNS information (the Domain Name System, among other services, translates www.avolio.com to its actual IP address, for example) is expected to be accurate. E-mail servers, such as mine, depend on getting a response of “no such name” to make antispam decisions. Again, think of the above telephone allegory. E-mail directed to me should get to me. E-mail directed to fred@aviolo.com should, for now, bounce. What if someone claimed to be the mail server for “*.com?” That is effectively what Verisign is doing for .com and .net.

DNS depends on correct DNS responses, not responses geared to make the life of web surfers easier.