Valdis.Kletnieks at Valdis.Kletnieks at
Sat May 26 23:43:17 UTC 2001

On Sat, 26 May 2001 19:23:16 EDT, Mitch Halmu said:
> Did I happen to mention MAPS in my post? I didn't. The argument was made
> for ORBS, or any FOREIGN entity that blocks North American networks.
> ORBS fans in this country will have lots of explaining to do and hell to 
> pay if any foreign entity exploits this weakness to attack US interests
> in an international incident.

For those who read Computerworld, a co-worker of mine was quoted on page 1
of the May 21 issue, saying "You can expect to see major liability lawsuits
in the next 18 months or so".  Better install those IIS patches *NOW* -
I'm more concerned about a lawyer attack than an international terrorist

OK.. so a hostile site *could* use DNS cache poisoning or hack the
ORBS DNS servers to screw up your e-mail.  On the other hand, you have
the *EXACT* same vulnerability for *ANY* use of DNS.  So unless you're
using /etc/hosts exclusively, you have *bigger* problems if faced by a
determined adversary.  Frankly, if *I* were a determined adversary, the
site's use of ORBS would be the least of their problems.

I don't know.. maybe the foreign terrorists are like the Three Stooges - they
DID catch the guys who bombed the World Trade Center when one of them tried
to get back the deposit on the now-destroyed truck.....

For bonus points - if anybody is both paranoid and anal-retentive enough
to care about this sort of thing, I presume you *HAVE* edited your DNS
cache hints to only include root name servers that are located on US soil,
and reachable entirely by communications links that do not take a loop
through non-US territories.

THere *will* be hell to pay if foreign terrorists take over a root name
server that's outside the US, after all....
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 211 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list