The Volunteers Who Saved the Internet

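Whenever a crisis has shaken the Internet, it has always been individual volunteers who came to the rescue. DNS is a protocol created in 1983, before hacker conventions and Internet banking existed. It has been modified and improved over the past 20 years, but at its core the fragility of its original design remained. However, the DNS vulnerability that Dan Kaminsky discovered makes it far easier to break DNS than earlier attacks based on DNS cache poisoning did. In the end, Kaminsky reported his discovery to Paul Vixie, the developer of BIND 9, the most widely used DNS software, and disaster was averted.
Another incident that exposed a structural flaw in the Internet was Pakistan's YouTube ban. Pakistan, holding that YouTube carried content that blasphemed Islam, instructed its ISPs to block YouTube from being viewed within Pakistan, but one of those ISPs accidentally found a way to make YouTube unviewable from anywhere in the world. This time too, a loosely connected group of volunteers on the Internet worked together to resolve the problem within 90 minutes, and disaster was averted.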

When DNS was created in 1983, it was designed to be helpful and trusting―it's directory assistance, after all. It was a time before hacker conventions and Internet banking. Plus, there were only a few hundred servers to keep track of. Today, the humble protocol stores the location of a billion Web addresses and routes every piece of Internet traffic in the world. [...] DNS attacks were nothing new and were considered difficult to execute. The most practical attack―widely known as cache poisoning―required a hacker to submit data to a DNS server at the exact moment that it updated its records. If he succeeded, he could change the records. But, like sperm swimming toward an egg, whichever packet got there first―legitimate or malicious―locked everything else out. If the attacker lost the race, he would have to wait until the server updated again, a moment that might not come for days. And even if he timed it just right, the server required a 16-bit ID number. The hacker had a 1-in-65,536 chance of guessing it correctly. It could take years to successfully compromise just one domain. The experts watched as Kaminsky opened his laptop and connected the overhead projector. He had created a "weaponized" version of his attack on this vulnerability to demonstrate its power. A mass of data flashed onscreen and told the story. In less than 10 seconds, Kaminsky had compromised a server running BIND 9,

http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky?currentPage=all
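The acceptance rule described in the quote above (the first reply carrying the right 16-bit ID wins and locks everything else out) can be modelled from the resolver's side, together with a check that flags a name receiving many wrong-ID replies. This is an added example, not code from the article or from BIND; the event format, the `process` function, the alert threshold and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the article), as seen by a resolver:
#   ("query", name, txid)             resolver asks upstream, remembers the ID
#   ("reply", name, txid, src, addr)  a packet arrives claiming to be the answer
EVENTS = [
    ("query", "www.example.com", 0x3A7C),
    ("reply", "www.example.com", 0x0001, "203.0.113.9", "198.51.100.66"),
    ("reply", "www.example.com", 0x0002, "203.0.113.9", "198.51.100.66"),
    ("reply", "www.example.com", 0x0003, "203.0.113.9", "198.51.100.66"),
    ("reply", "www.example.com", 0x3A7C, "192.0.2.53", "192.0.2.10"),
    # Arrives after the race is decided: dropped even though the ID is right.
    ("reply", "www.example.com", 0x3A7C, "203.0.113.9", "198.51.100.66"),
    ("query", "mail.example.com", 0x1111),
    ("reply", "mail.example.com", 0x1111, "192.0.2.53", "192.0.2.25"),
]

def process(events, alert_threshold=3):
    """Simplified model: a reply is accepted only if a query for that name
    is outstanding and the 16-bit ID matches. Returns (cache, alerts)."""
    pending = {}                 # name -> ID of the outstanding query
    cache = {}                   # name -> address accepted into the cache
    rejected = defaultdict(list) # name -> sources of wrong-ID replies
    for ev in events:
        if ev[0] == "query":
            _, name, txid = ev
            pending[name] = txid
            continue
        _, name, txid, src, addr = ev
        if name not in pending:
            continue             # nothing outstanding: late packet is ignored
        if txid != pending[name]:
            rejected[name].append(src)  # a wrong guess at the ID
            continue
        cache[name] = addr
        del pending[name]        # first matching reply wins, the rest are locked out
    # A burst of wrong-ID replies for one name is the signal worth alerting on.
    alerts = {n: sorted(set(s)) for n, s in rejected.items()
              if len(s) >= alert_threshold}
    return cache, alerts

if __name__ == "__main__":
    print(process(EVENTS))
```
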

A much larger problem, though, are flaws in the set-up of the web itself. It is organised around the principle of trust, which can have unexpected knock-on effects. Nearly a year ago, Pakistan tried to ban a YouTube video that it deemed to be offensive to Islam. The country's internet service providers (ISPs) were ordered to stop all YouTube traffic within Pakistan. However, one ISP inadvertently managed to make YouTube inaccessible from anywhere in the world. But in cyberspace, nobody is responsible for dealing with such incidents. It fell to a loose group of volunteers to analyse the problem and distribute a patch globally within 90 minutes.

http://news.bbc.co.uk/2/hi/business/davos/7862549.stm