Just thinking about the difficulties in rolling out a network is enough to make anyone’s head spin, but the boffins over at Reddit are thinking about doing just that in a direct response to SOPA. While this is an interesting idea there are some security things they are going to want to take into planning when doing this. Right now the plans look highly immature, but I expected something like this amongst the technical folks who know how the internet works, and how to build something separate.
While the discussion on Reddit has also taken into account TOR and the P2P darknets already available, there are some serious security things they also need to think about. The recent actions of Anonymous on TOR with the DDoS attacks, social engineering of plugins for browsers, as well as track and trace down to ISP of people who are doing illegal things on TOR are something to take into account. A node that is not owned and operated by a trusted person or company is a danger to the entire network.
The interesting part is that SOPA is unpopular on both sides of the isles in political circles, and could just be the worst idea this year.
So here is my list of things to consider as part of the network design, because network design implies the security design that will go along with that network. Failures in network design will equate to failures in security design.
- End to End Encryption – the traffic has to be encrypted end to end from user to provider, this makes it more difficult to snoop on what is happening.
- You will want your own DNS SEC system with heavy monitoring for false updates that will propagate in from the regular internet.
- Your gateways to the Darknet will be exposed on the internet; these gateways have to have a level of trust with the end user and the network at large. As Anonymous has shown, an evil gateway for any reason exposes the people who are using the system.
- There has to be security built in, things like DDoS, flooding, spam, and other associated evils need to be filtered on the tiered backbone, and at the gateways. This means the gateways and intermediate systems need to understand and have software that will filter for those issues.
- Your entire core infrastructure has to be outside the continental USA. You have to plan on seizure of systems over time, anything in the USA is easily seized under SOPA, and you need your core infrastructure away from that potential mess.
- SOPA and a number of laws being proposed allow for the extra-judicial rendering of systems, people, and otherwise. With the EU Parliament looking at similar or same legislation, you also have to think through the people problem, what happens if the administrator is arrested compromising a huge segment of the network?
- People, you have to plan on people being stupid and doing stupid things, like being social engineered into downloading software that will allow track and trace across the darknet.
- You have to plan on hackers, both civilian and military, because they are going to want in, and they are going to want to monitor what is happening on the network. Most if not all commercial software has bugs that are easily exploited that could damage core systems, or turn core systems into monitoring bastions.
- Speed, you are going to want to have awesome speed along the Darknet so that people will actually use it. While TOR and Peers are awesome, they are slow networks and while people might be willing to learn to use a slow network, it will be difficult to ensure adoption.
- I have seen a proposal for a wireless mesh on Reddit as well, that carries its own liabilities that need to be better explored. At some point though any wireless mesh needs to hit a land line to reach services, gateways here are going to be exposed and subject to seizure.
- You are going to have to monitor the network for things that we all agree are illegal; if the darknet becomes a safe haven for crime or criminal activity then its purpose is over with. This goes beyond “information wants to be free”, information does not want anything, but there are things we all agree universally that are illegal and should not be supported on the darknet. That means we will have to censor, and that means we need the tools to censor.
- Blue Coat and other monitoring systems present a real challenge, you will need dedicated security and network folks who are familiar with industrial grade track, trace, and monitoring to get around, inject false data, or otherwise compromise those governmental big buck items.
Some things to think about from a security viewpoint, there is more, but this is just the initial things that come to mind. If there really is going to be a darknet in response to SOPA, then it by its nature has to be exposed in places, and if we care about the people who are using it, we want them to be as safe as possible using it.
- Wary Of SOPA, Reddit Users Aim To Build A New, Censorship-Free Internet (forbes.com)
- The Darknet Project: netroots activists dream of global mesh network (arstechnica.com)
- “The Darknet Plan” Subreddit dedicated to creating a decentralized VPN (reddit.com)
- Anonymous Attacks Child Porn Websites and Publish User Names (zdnet.com)
(Cross-posted @ Techwag)