Spinning SiteFinder: FUD, brought to you by VeriSign Richard Forno 7 October 2003
Source URL (includes in-line URL references): http://www.infowarrior.org/articles/2003-04.html (c) 2003 by Richard Forno. Permission granted to reproduce in entirety with this notice intact. After significant public and regulatory opposition, and in danger of being found in breach of its government agreement to operate the Internet Shared Registry, VeriSign removed its controversial SiteFinder "service" this past weekend after receiving a direct request from its oversight body, the Internet Corporation for Assigned Names and Numbers (ICANN). SiteFinder, for those on vacation this past month, was an attempt by VeriSign to modify the master domain name file on the Internet to "catch" anyone mistyping a domain name in their web browser, bring them to a VeriSign page, and allow them to browse what essentially was a watered-down commercial portal site. In other words, any and all combinations of alphanumeric characters would indeed resolve to a "real" domain name and website at VeriSign. ('Apple.Com' would bring you to the computer maker's main site; 'Ap1pe.Com' � if not already registered - would bring you to VeriSign instead.) With every possible domain name now resolving to a valid site at VeriSign, we began to see problems cropping up in spam-control software and other network tools that were now unable to determine whether a domain name it encountered was "real" (e.g., 'Apple.Com') or faked (e.g., 'Ap1pe.Com') � the latter being a common trick of spammers. (For the three weeks SiteFinder was operational, VeriSign must have been seen as the largest source of spam on the Internet!) Other reports of serious e-mail and web privacy and security concerns soon surfaced, since SiteFinder was now serving as the figurative 'garbage disposal' for mistakenly-typed Internet content. Finally, this past weekend, amid great fanfare, VeriSign disabled the DNS wildcard called SiteFinder, and things seemed to return to normal. But the corporate spin was just beginning. An October 3 press release cites VeriSign spokesman Tom Galvin as saying "without so much as a hearing, ICANN today formally asked us to shut down the Site Finder service." Obviously the VeriSign executives feel they've been wronged by ICANN, the nonprofit regulatory body overseeing domain name policy - and VeriSign's conduct as a Registry. Yet VeriSign had absolutely no problem announcing its unilateral decision to launch SiteFinder with a rather innocuous two-paragraph e-mail notice sent to the NANOG mailing list back on September 15 more than six hours after it made the changes to the root zone file. (Normally, changes of any significance to the Internet's standard mode of operation undergo advance public warning and periods of public comment prior to release. VeriSign ignored that long-standing and well-served tradition.) What's good for the goose must be good for the gander, right? Not necessarily. VeriSign launched a defensive broadside against ICANN this week, breathlessly claiming the entity had overstepped its regulatory role and was interfering with VeriSign's legitimate business operations. Rusty Lewis, a senior executive at VeriSign, said at a Monday press conference that "VeriSign considers ICANN's action today a groundless interference with VeriSign's business and existing contractual relationships, for which VeriSign will hold ICANN fully accountable." Granted, ICANN's approval process for policy items moves at a frustrating snail's pace in-between exotic venues when their Board meets, and the entity is in dire need of effective organizational change, but VeriSign is clearly � and wrongfully - trying to pin the blame for SiteFinder on ICANN, who is acting well within its bounds and contractual obligations as the regulatory body for DNS operations. As part of VeriSign's spin control on the SiteFinder issue is an entertaining October 6 op-ed at News.Com by VeriSign Vice President Mark McLaughlin. Unfortunately, his comments fall far short of providing a realistic appraisal and competent understanding of the situation caused by SiteFinder and reek of a company desperately trying to spin its problems in the best possible light by spreading fear, uncertainty, and doubt (FUD). McLaughlin starts off with the first of several invocations of what I call the "Microsoft Defense" � namely, that innovation on the Internet will be damaged if someone mistypes a domain name into their browser. SiteFinder, he claims, gives the user the opportunity to search the Internet and browse popular subject categories. It's so popular and helpful, he says, that over 40 million people have "used" SiteFinder. How exactly does one "use" an error page? Being redirected to the SiteFinder page doesn't mean the user actually "uses" the page and navigates through it � merely that they encountered the site because of a typing error. They "get" (as McLaughlin says) where they want to go by retyping their URL correctly, not by being forced into SiteFinder. Does this mean we "use" a telephone company's busy signal when the person we're calling is talking to someone else? And what does this have to do with innovation, anyway? I guess "innovation" these days means less about "invention" and more about a feel-good defensive tactic used by a technology company when it gets into trouble. McLaughlin's tirade then attempts to portray the sizable anti-SiteFinder community (e.g., ICANN, ISPs, and noted experts like Paul Vixie, Dave Farber, and Karl Auerbach) as belonging to a "technology-religion" of technological purity and resentment at the Internet being used for commercial purposes. In other words, McLaughlin's taking a page from the George W. Bush lexicon, saying "you're either with us, or you're with the terrorists." For sure, there are technology purists that make a lot of noise on the Net; but there are also respected technologists who expect due process to occur when a major technical change is forced on what serves as the fundamental public architecture for the global Internet community. He then equates the advent of SiteFinder with the development of Amazon and EBay as vibrant commercial internet services. Now, he's mixing apples and oranges � Amazon and EBay are not providing infrastructure-level services for the Internet like VeriSign does. If Amazon or EBay decides to change the way it provides e-retail services, the Internet won't be disrupted, and life goes on. Further, he hints that the Internet infrastructure will never improve if "new services" (such as SiteFinder) can't be offered. Using SiteFinder as an example, I'm still trying to figure out how this "improves" anything but VeriSign's revenues through advertisements and potential domain registrations through Network Solutions, a VeriSign subsidiary. It sure doesn't "improve" the Internet infrastructure, but as we've seen since SiteFinder went live, it sure managed to break plenty of it. Regarding new "services" like SiteFinder, he believes that "if the [Internet] community can't find a way to introduce new services while reaching a resolution on technical matters that might arise, then the Internet infrastructure will never improve." Here, McLaughlin is using the tried-and-proven Microsoft ploy that claims innovation will be threatened if the company can't get its way without constant accountability and third-party oversight. Stealing another trick from the Microsoft public-relations and policy-making playbook, McLaughlin makes a desperate final � and implied - appeal to the newly-established court of final resort, the US Department of Homeland Security, responsible for US national cyber-security efforts: "We have seen firsthand what investment in these networks means. Nearly a year ago, the root servers that serve as the foundation of the Internet came under intense computer attack. VeriSign's two root servers withstood the attack, in large part because we have invested hundreds of millions of dollars to fortify them and have hired the very best people to run them." The October 2002 attack was not as disruptive as McLaughlin � or VeriSign, when trying to prove its worth to the world � would lead you to believe. According to a network traffic report by Xaffire (formerly Matrix NetSystems) during those attacks, "The impact to the root servers was less significant than the effects of the attacks on regional and private DNS servers�Reports from Web servers operators indicate that customers were complaining about not being able to reach their Web sites but internal monitoring equipment indicated that connectivity had not been affected�Overall, the effect of the DDoS attack was short-lived and server operators are now more prepared to deal with sudden attack such as this one." Again, apples and oranges � VeriSign is charged with providing a trusted infrastructure service for the Internet as one of its primary missions. The money it spends on root server security and operability is money well-spent for the Internet community; modifying that service for cheap commercial gain through such unilaterally-deployed "services" like SiteFinder endangers the net far more than any hacker or computer attack. Bringing root server security � an important topic but one totally unrelated to his argument -- into the SiteFinder debate is a classic FUD tactic that tries to increase the perceived importance of the message. (Rusty Lewis said the same thing on Monday, saying that unless VeriSign could make money from such services, it will "not be able to protect the Net's critical infrastructure.") In other words, McLaughlin's attempt to include cyber-security into the SiteFinder debate is a moot point. The very nature of DNS � including its time-to-live (TTL) protocol � means that even if the root servers disappeared for a while, the net would continue to function, since the world's DNS servers would still be resolving DNS until its TTL expired. At that point � many hours later � there would be widespread problems; but at by then, one would hope that VeriSign would have activated new root servers and pushed out a new DNS zone file. Any downtime would be kept to a minimum. My guess is that VeriSign will continue using this issue in future statements when defending SiteFinder and other crass "innovations." VeriSign's clumsy, unilateral attempt to hijack the DNS space through its SiteFinder wildcard service (and its goofy FUD-filled management statements since) proves that profiteering decisions can � and do � endanger the Internet more than any hacker or computer attack. It also proves once again that the Internet community � ISPs, developers, engineers, and other experts -- can come together to effectively and quickly counter corporate, not just criminal, attacks on the network infrastructure - and we owe them our thanks. # # # # # Richard Forno is a security technologist, author, and the former Chief Security Officer at Network Solutions (now owned by VeriSign.) His home in cyberspace is at http://www.infowarrior.org/. -- You are a subscribed member of the infowarrior list. Visit www.infowarrior.org/list for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
