- 21 March 2019
- Posted by: cioadmin
- Category: Fără categorie
Dr. Paul Vixie, one of the Internet veterans with a major contribution to DNS and DNSSEC protols and applications, inducted into the Internet Hall of Fame in 2014 is the guest of CIO Council Romania association and guest of honor in the CIO Council National Conference, the annual event of the assosiacion. Dr. Paul Vixie had the curteosy to shared some thoughts with Yugo Neumorni the president of CIO Council.
Yugo Neumorni: Dr. Paul Vixie. You have a major contribution to the World Wide Web designing several Domain Name System (DNS) protocol extensions and applications. Is the Internet looking like the environment you have dreamed on 30 years ago? Is it safer and does it serve the purposes the Internet was initially created?
Paul Vixie: Every person and every company who had a role in creating and growing the Internet was independent. My own goals were at first to make communications easier, thus promoting cultural exchange and commerce. Later, I realized that criminals and corporations and government intelligence services were abusing this new ease of communications, and I changed my goals.
What are the main issues with the DNS protocol? Is there any “design” issue? In the past we used to have our own DNS system inside the companies but now we are relying on the DNS services of external sources. Is there anything wrong with that?
There was never a need to outsource DNS services. When you outsource, you give some outside party a very detailed view of what your users and applications are doing. This is most unwise. It’s best to buy a Raspberry Pi for Eur 25, install Linux and Unbound on it (which are free), and operate your own DNS service for your own family or company or customers. The job is in no way difficult.
You were a pioneer of anti-spam measure starting Mail Abuse Prevention System (MAPS) in 1998? Why are we still receiving spam? What can we do to prevent spam? Can regulations stop spam abuse?
Spam will exist so long as some victims of it continue to engage and make purchases. We cannot prevent spam from being sent, unless it becomes unprofitable to do so.
Having in mind Stuxnet and other major APT type attacks, can the CIOs or the IT Departments in general to protect companies from a nation state or cybercrime targeted attack? Should they rely strictly on their own defensive capabilities or a cyber defense should include other external partners? Is “Cybersecurity as a Service” an option for companies to defend themselves from cyberattacks?
The greatest security, whether on the Internet or in any other part of life, comes from understanding what you are doing, knowing what your actions depend on, and seeing your risks clearly. If you don’t do those things, you will not be secure, no matter what investments you make or what services you engage. As long as our attackers know more about our networks and systems and software than we do, and they know more about vulnerabilities in those systems than we do, we will face continuous and growing losses.
What do you think about the perceptions of cyber threat inside society in general? Do the users understand the risks of surfing the Internet, of using the social media, USB usage? How can we raise the awareness of humankind about cyberthreats?
Our Internet-connected world is worse than a nightmare, and most users lack the willingness to believe it could be as bad as it really is. So, they ignore most advice. I do not believe that additional awareness-raising would make any difference at this stage.
Is the freedom of Internet poisoning us? Should we restrict or control the Internet somehow? What kind of general regulation would you suggest for a safer Internet?
Every country should follow Russia’s example in one way. All information about their citizens must be stored in data centers which are in-country, and subject to local law, including local law enforcement inquiries. GDPR is a good idea, but we can do better.
What is wrong on Internet fundamentals? Lack of regulations, lack of society awareness, insufficient security measures, o technology problem?
The Internet changes everything, in ways no regulator or legislator has yet understood. National borders and national law have been made meaningless. Only Finland makes it illegal to operate a network without Source Address Validation (described in BCP38). Every country has to do this, and has to understand it, and has to enforce it.
What do you think on data protection and data privacy in general considering the enormous personal leakages in the last years? Do you expect GDPR regulations to have a positive effect?
GDPR can’t prevent errors, and most leaks are due to errors. Some leaks, like the Facebook problem with Cambridge Analytica, were not errors, but rather, unintended consequences of naïve business and technical planning. GDPR can help prevent those, and GDPR if enforced will eventually place some limits on “surveillance capitalism”, which has been the source of most of the Internet’s recent negative impact on society.
Profiling Internet users seems to be an activity performed by commercial companies and government agencies as well. Is there a way to protect ourselves from being profiled? Do you think that somewhere there is a database that contain some records for Paul Vixie profile with all his Internet activity, all his ecommerce purchases, all his political views spread on Internet and so on? Or our imagination goes too far?
We must all view every Internet service or Internet-connected device with the same suspicion we once viewed our oppressive governments. Facebook is not our friend, nor is Google or any of the other big American tech giants. They make it easy for us to share our lives with our friends, but that ease is like magic – it always comes with a cost. Yes, there are online databases on me, you, and everyone else who has been online. If we want to stop helping those databases grow, we must stop buying IoT devices. I don’t think we can do what’s required.
CIO Council Conference you will attend in march 26th in Bucharest address Artificial Intelligence on business, cyber defense, education and innovation. Could AI be used to secure Internet or to increase cyber defense measures? Could the hackers use the AI in cyberattacks?
Right now, AI is mostly still science fiction, but it’s useful when talking to investors and raising money, even if it’s not generally useful outside of Amazon, Facebook, and Google. Many Internet Security companies claim to use AI, or another buzzword, Machine Learning (ML), or perhaps even Deep Learning (DL), but what that means is they won’t be able to explain how they detected or stopped some attack, or why they were unable to in any specific situation. It’s the dream of all marketing departments!
How do you perceive the role of the AI in the society? Should we be scared of losing jobs, increased lack of privacy, too much digitalization?
We should fear those things, but not simply because of AI or technology. No single human is as strong as any group of humans, which is why we form families, clubs, companies, cities, states, nations, churches, and so on. These groups fight for control, in the name of their members. Most of them are also acting for the good of their leaders. In that age-old struggle, technology is EXTREMELY powerful and useful. But technology is not the threat – organized groups of people are the threat, just as they always have been. Today we no longer expect to lose our property or our freedom because of some invading army – instead our position in society, including our wealth and our freedoms, are reduced because of the effectiveness of corporate power in the technology era.
What message do you have for Romanians CIOs?
Think about your DNS. Bring it in-house. Monitor the DNS questions and answers generated by your employees and applications, because the things you can’t easily explain, are probably due to intruders or malware or bots. Control your DNS, by refusing service to known-bad actors. Deploy a DNS firewall like RPZ, which is free. Be aware that the big American tech firms are working hard to take you out of your own DNS operations path, and make a plan to tightly restrict all outbound HTTPS connections, even if that means forcing all employees and all servers to use a proxy gateway.
Dr. Paul Vixie is an Internet pioneer. Currently, he is the Chairman, CEO and cofounder of Farsight Security, Inc. Dr. Vixie was inducted into the Internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source Internet software including BIND 8, and of many Internet standards documents concerning DNS and DNSSEC. In addition, he founded the first commercial anti-spam company (MAPS, 1996), the first non-profit Internet infrastructure software company (ISC, 1994), and the first neutral and commercial Internet exchange (PAIX, 1991). In 2018, he cofounded SIE Europe UG, a breakthrough European data sharing collective to fight cybercrime. Dr. Vixie earned his Ph.D. from Keio University for work related to DNS and DNSSEC in 2010.