CEO Remarks on Black Hat / Def Con

by Rod Beckstrom on August 3, 2010

Several ICANN staff members attended the Black Hat and Defcon conferences last week to launch DNSSEC to the global Internet security community.

Black Hat is one of the world’s premier security conferences; it attracts about 5,000 onsite participants and many more online. Defcon is a hacker event, also attended by government and security types, and nearly 10,000 people registered for this year’s conference. These are important communities for ICANN.

Black Hat Chair Jeff Moss addressed thousands of participants at the opening session and asked a challenging question. Security has been discussed and debated throughout Black Hat’s 13-year history, yet what progress have we made? What real successes can we celebrate? The growth in malicious traffic on the web is higher than the growth in legitimate traffic. The Internet security community, he said, has had no solid accomplishment to show for our efforts – until today. Today DNSSEC is being launched, and just days ago the root of the Internet was cryptographically signed. This is the first major Internet security enhancement since the beginning of Black Hat, and we thank ICANN for this accomplishment.

This set the tone for other successes, including:

Whit Diffie’s Keynote at Black Hat Executive Session

Eighty top leaders from governments and corporations participated in an exclusive one-day program the day before Black Hat officially began. Whit Diffie, ICANN’s new Vice President for Information Security and Cryptography, was the keynote luncheon speaker and greatly impressed the audience, many of whom knew of his global reputation as a groundbreaking cryptographer.

Black Hat DNS Vulnerability Panel

The event was well attended and focused entirely on how to deploy DNSSEC successfully at all levels. The lively discussion included Whit Diffie; Sandy Wilbourn, CTO of Nominum; Ken Silva, CTO of VeriSign; Mark Weatherford, former Chief Information Security Officer of the State of California, which implemented DNSSEC; Dan Kaminsky, Chief Scientist at Recursion Ventures and a DNS activist; and me.

Press conference launching DNSSEC, with a live hook-up to the IETF meeting in Maastricht

The press conference was well attended by the world’s media, both technical and mainstream. Russ Housley, Chair of the Internet Engineering Task Force, joined by video link along with Mark McLaughlin, CEO of VeriSign, and Dan Kaminsky. Russ provided excellent detailed explanations to numerous questions, and the press conference was greatly enhanced by his participation. Dozens of articles on DNSSEC have appeared, including an Agence France Presse article that has been picked up by media outlets around the world and stories in the National Journal, MSNBC, CBS News and ABC News. To get a sense of the coverage, please see:

Black Hat Kaminsky session on how to implement DNSSEC for browsing, email and websites

Over 1,000 people packed in to hear Dan present a set of tools that can rapidly and easily cryptographically sign any website. Though initially a skeptic about DNSSEC, Dan stated that he had been wrong and is now a huge believer. He urged everyone in the industry to implement this important technology. He showed a private version of the Google Chrome browser that is fully DNSSEC-enabled, as well as tools he has created to add DNSSEC to Internet Explorer and Mozilla Firefox browsers. He capped it off by demonstrating DNSSEC-enabled email and announced he will be posting code so that DNSSEC-protected email can be sent and received through Microsoft Outlook. The crowd was wowed.

Defcon DNS Vulnerability Panel

This panel included ICANN’s Rick Lamb and Mehmet Akcin, Nominum’s Sandy Wilbourn, VeriSign’s Ken Silva and Dan Kaminsky, and was attended by about 800 people. Mehmet reports that it was an interactive and constructive session with considerable input from the audience.

Successes and lessons learned

Participants’ high level of engagement on DNSSEC and interest in ICANN demonstrate that these two events have helped to kickstart the long-term push for universal adoption of DNSSEC.

The panels and presentations had a significant impact in promoting DNSSEC. The most important lesson of ICANN’s experience at Black Hat and Defcon remains one of our defining philosophies: collaboration works. We made clear that everyone has a role in enhancing the security of the global Internet and we invited everyone to be a part of the solution. Many participants said they would push their ccTLDs, their own companies and software companies to enhance their product offerings to leverage DNSSEC. Participants clearly understood that this first true centralized trust anchor is a foundation for further global security enhancements.

ICANN’s first formal participation at Black Hat and Defcon, with many senior officials from the national security communities of the United States and other governments attending, also helped position ICANN as an important player in global Internet security. I believe our greatest achievement was the goodwill we created with the global security community and the governments they work with.

And special thanks again to all in the Internet Engineering Task Force for championing DNSSEC from the early days. It wouldn’t have happened without their unwavering commitment.

4 comments

Jim Fleming 08.05.10 at 3:05 pm

ICANN shows the IETF and RIRs in their Organization Chart

Does ICANN have any contracts with the RIRs ?

What is the Asset Valuation of a /8 ?

How did AT&T obtain 32/8 directly from ICANN without an RIR?
Are the dates “1994-06” correct?
031/8 RIPE NCC 2010-05 ALLOCATED
032/8 AT&T Global Network Services 1994-06 LEGACY
033/8 DLA Systems Automation Center 1991-01 LEGACY

Also, what does the following imply?
8. IN-ADDR background
Olaf described that IN-ADDR.ARPA is currently being operated by
ARIN and that there are plans in development to move the
function under IANA. He had recently discussed the move with John
Curran (ARIN President), and the board discussed coordination that
might be needed with ARIN and IANA in order to properly structure
the transfer.

Jim Fleming 08.06.10 at 10:46 am

Why DNSSEC Marketing is Irresponsible

DNSSEC starts with a noble goal, some ideas, etc. and then implements about 2% of the total plan. People are being given the impression that 98% is finished. In either case 100% is required.

Imagine if the goal was to create driver-less cars and drive-by-wire highways. Imagine the short-term solution is some crude retrofit into existing roads. Imagine one section of Interstate is selected, called “the root”. Imagine an eclectic group of volunteer engineers cobble together some solutions. Imagine a car heads down the road and the driver never touches the wheel. Pay no attention no other cars are on the road. Pay no attention to the special car or the cost.

After seeing this one small demo, high-fives erupt from the group of engineers and word sweeps around the world that: DRIVER-LESS Cars Now a Reality – Safer, More Secure, Efficient…blah blah blah

Imagine from there, the news morphs into PR statements that people can NOW take their hands off the wheel on all Interstate Highways.

DNSSEC is now being sold as mostly complete. People are being told they are now secure. They can take their hands off the wheel.

THAT is irresponsible.

Jim Fleming 08.08.10 at 3:36 am

Defcon speaker calls IPv6 a ‘security nightmare’

Why would ICANN recommend a “Security Nightmare” ?

Is ICANN held responsible and accountable for its recommendations?

Jim Fleming 10.27.10 at 1:02 pm

“why ipv6 would be a security nightmare?”

IETF 2010 on Failure of IPv6

ICANN Director Steve Crocker on the Failure of IPv6

Defcon speaker calls IPv6 a ‘security nightmare’
