Podcasts
Caveat
Ep 191
Caveat 10.19.23
Ep 191 | 10.19.23

Getting on track with DNS.

Show Notes
Transcript

Robert Carolina: Let's just call them the IP number address service provider. And they're saying to this person when somebody asks you how can I find this site, we want you to tell them anything but the truth, even though you know what the address is, don't give it to the person requesting because by giving that address to the person requesting, you are, in our opinion, facilitating the infringement of copyright. That's the short version of the argument. And there are so many things wrong with it.

Dave Bittner: Hello, everyone. And welcome to "Caveat", the CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner. And joining me is my cohost Ben Yelin from the University of Maryland's Center for Health and Homeland Security. Hello, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: Today Ben and I discuss an article from the International Red Cross, looking at eight rules for civilian hackers during war and four obligations for states to restrain them. And later in the show, Ben and I welcome back Robert Carolina who takes issue with our recent episode where we discussed DNS. He's going to help us get on the right track. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. So, Ben, we have a full show today. And I thought perhaps rather than each of us having our own stories, we could team up on this interesting article from the International Red Cross. This is from the Humanitarian Law and Policy section on their website. And it's an article titled "Eight Rules for Civilian Hackers During War, and Four Obligations for States to Restrain Them." And I think this is certainly triggered by initially the situation in Ukraine with Russia, but then also more recently the situation going on with Israel and Hamas. And these groups of civilian hackers who are assisting whichever side of these conflicts that they're on with some of the goings on in these wars. It's an interesting article. And I thought it might be fun for us to unpack it here together.

Ben Yelin: Yeah, I think so too. I think it is very timely. We have a very live armed conflict. And there are going to be civilian hackers involved on both sides. And I think it's important to look at an ethical framework. Even if we don't expect that either side will fully follow the ethical framework, I think it's important for us to realize that some ethics need to be involved in this just as there are ethics and international norms related to any type of offensive war activity. I think this is just the next realm of it. So, I think it's very relevant and important to cover.

Dave Bittner: Well, let's go through the list here together. Starting off with the Eight Rules for Civilian Hackers. Number one is, "Do not direct cyberattacks against civilian objects."

Ben Yelin: Yeah, this one is very important because it deals with civilian infrastructure so things like public services, companies, private property. The one kind of gray area is civilian data, that's very broad. So, perhaps there are some areas that might be fair game in a global conflict that tangentially involve civilian data. But for things like public services, companies, private properties, this is very similar to just the general laws of armed conflict that to the extent that you can avoid harming civilians you do so. Your goal should be to achieve military objectives. So, I think the ethics around hacking should be to compromise the physical and digital infrastructure of the military itself. If the military is using civilians as a shield, if they are hiding behind civilians, if they are making their presence known in civilian spaces, that complicates the picture. But as a general rule, attacks against civilian objects should be out of bounds. And I think that certainly makes a lot of sense. I think that's kind of the basics of Armed Conflict 101, to the extent that you can limit harm to the civilian population, it is your obligation to do so.

Dave Bittner: Yeah. And there is some cross-over of these eight rules that they outline here. And certainly, they are parallel a lot of those rules of armed conflict. The second one here is, "Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately." Pretty straightforward.

Ben Yelin: Yeah, I mean, you can think of a lot of non-digital world analogs to this. So, you know, instituting some type of chemical attack on a military base is not just going to affect that military base. There are going to be surrounding areas with civilians that are going to be protected. Once that deadly toxin is released, you've lost control of the toxin. I think that's somewhat of a fair metaphor here. You can be intending to target military targets but if you have something that's spread automatically, it could reach civilian objects as well, and that's something to avoid.

 

Dave Bittner: There's a reason we ban biological weapons.

Ben Yelin: Exactly.

Dave Bittner: The third one says, "When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians."

Ben Yelin: Yeah, so there are going to be things you try to do to hurt your enemy's military objectives. Some of that is going to involve infrastructure. So, disrupting the supply of electricity or some type of campaign against railroads so that they can prevent travel. Those are things that ostensibly would be geared toward limiting the military. But civilians might rely on that infrastructure. And I think that's been highlighted in the past week, in this Israel-Gaza conflict where I think Israel after the Hamas attack felt that, in order to limit the planning capabilities of Hamas and its leadership and to isolate residents of Gaza, they were going to cut off electricity and water. And that spurred a pretty serious international reaction. They've been working with the United States to restore potable water, which obviously is critically important. There are negotiations ongoing now relating to humanitarian aid and preserving energy resources for critical operations, hospitals, etc. So, you are just as a part of any armed conflict or any conflict at all going to want to damage your enemy's infrastructure, their ability to instigate attacks against you. But in doing so, to the extent reasonable, try to avoid those attacks having an impact on the civilian population.

Dave Bittner: Number four, "Do not conduct any cyber operation against medical and humanitarian facilities." Pretty straightforward.

Ben Yelin: Yeah, very straightforward there.

Dave Bittner: Yeah.

Ben Yelin: Hospitals, not right for attack, should not be permitted within the laws of any type of conflict.

Dave Bittner: Yeah, certainly, coming from the International Red Cross whose, you know, symbol says, "Do not bomb here", right?

Ben Yelin: Now, there are complicating factors. You know, I think we have to approach this with all candor that certainly in the Gaza Strip, there have been situations where Hamas has set up training facilities, headquarters within sensitive facilities, and have used civilian targets as kind of a shield to protect themselves when planning terrorist activities. So, it's not always a black-and-white issue. I think to the extent that you're going to have rules for this type of hacking, I still think it's self-explanatory that you wouldn't primarily try to attack these facilities.

Dave Bittner: Yeah. Number five is, "Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces."

Ben Yelin: Yes. So, they mention here dams, dykes, nuclear-electrical engineering stations, chemical and similar plants also contain dangerous forces. We saw that at the beginning of the Russia-Ukraine conflict, I believe it was Russia who attacked -- was it a nuclear facility? Located inside of the country of Ukraine. Any type of cyberattack against one of those facilities is kind of the same thing as the previous rule we talked about with malware, but this is just more in the physical realm that if you instigate harm against one of these facilities, even if it's targeted toward a military objective, it could spill over, not just to the civilian population of that country but it can spread internationally as well. So, I think that certainly is a wise rule.

Dave Bittner: Number six is, "Do not make threats of violence to spread terror among the civilian population."

Ben Yelin: So, the example they give here hacking into communication systems to publish information designed to spread terror among civilian populations, designing and spreading graphic content to strike fear in your opponents in the conflict should be unlawful. I think explicitly talking about threats of violence, using the cyber realm to instigate threats of violence designed to induce terror. That's not only going to frighten civilians, but it also has the potential to prolong the military conflict because you're just kind of rabble-rousing and perhaps creating fear and paranoia that wouldn't otherwise exist.

Dave Bittner: Is this a digital version of dropping leaflets from the sky? I mean, you know, I guess, there's leaflets and there's leaflets. You know, put down your weapons is different from you're all going to die. Right?

Ben Yelin: Yeah.

Dave Bittner: I guess I'm showing my ignorance here in the arms of armed conflict. If there's a difference with leafletting.

Ben Yelin: I mean, frankly, they are using leaflets in the Israeli-Hamas conflict. Israel dropped a series of leaflets on the northern part of the Gaza Strip that said, "For your own safety, move to the southern portion of the Gaza Strip where we're not going to be instigating an attack." I think this is very distinct and separate from that. I think this is more like the type of social media scare campaigns that we've seen in other conflicts with explicit threats that might induce some type of paranoia or would even inspire civilians on the other side to take arms and commit acts of terrorism. So, it's more about messages designed to spread fear, anger, and paranoia.

Dave Bittner: Number seven is, "Do not incite violations of international humanitarian law." Again, pretty straightforward.

Ben Yelin: Yeah. That would be a good idea. So, the example they give here do not share technical details and communication channels to facilitate attacks against civilian institutions, seems pretty self-explanatory on that one.

Dave Bittner: Yeah. And then last but not least, "Comply with these rules even if the enemy does not."

Ben Yelin: Yeah. I mean, this is the toughest one. Oftentimes the justification for any party in any conflict whether it's a cyber conflict or a kinetic conflict is this idea of revenge or reciprocity. So, they took a particular action on us, we are justified in responding in kind. And that's not how international humanitarian law or the law of armed conflict is designed. That's not what you're supposed to do. The actions of the enemy are never a proper justification for your side to take illegal actions. And I think that's a difficult one for countries that have suffered, especially the psychological effects of such a vicious attack to follow, but if you want to maintain the international community that you support the rule of law, I think you have to abide by something like not seeking revenge or reciprocity for a type of attack.

Dave Bittner: A war crime is a war crime.

Ben Yelin: Exactly. And the fact that the enemy committed a war crime against you does not give you any type of moral or ethical authorization to commit a similar crime against your enemy. That's not how the laws of armed conflict work because the natural end result of that is we all die in a nuclear Armageddon. So, to the extent that countries follow these types of rules in armed conflict, which they certainly they do not always do, the United States included, I think that's a really key important principle just not to overstate things but for the survival of our species is to not have this endless cycle of escalation.

Dave Bittner: Yeah, those are attributed to Gandhi, perhaps apocryphal that an eye for an eye and the world is blind.

Ben Yelin: Yeah, absolutely, one of the great quotes in human history that I certainly subscribe to. Not everybody subscribes to that. I think there are theorists out there who really do believe in an eye for an eye. I don't, I think it's ultimately harmful to the international community and I'm pleased to see that the Red Cross in this document agrees here.

Dave Bittner: So, the second half of this is about the obligations of the states themselves to put limits on these hackers. They make the point that the hackers don't live in cyberspace, they live in the real world. And they outline four limitations here. First, they say if civilian hackers act under the instruction, direction, or control of a state, that state is internationally legally responsible for any conduct of those individuals that is inconsistent with the state's international legal obligations.

Ben Yelin: Yes. You can't just farm out your offensive cyber activities to "volunteers". If they're hacking on your behalf, whether it's a direct relationship or indirect relationship, it's the country itself, the state itself that is internationally legally responsible for that conduct.

Dave Bittner: What about -- I'm just trying to think of the old-timey history of, you know, pirates and -- what are the old? What's the other -- mercenaries.

Ben Yelin: Right, mercenaries of the state.

Dave Bittner: Yes. Yes. Is this a similar type of thing to that?

Ben Yelin: Yeah, it is. I think mercenaries have been used to exceed or violate the laws of armed conflict in a way that shields a nation-state from legal liability. Oftentimes it disguises the role that the nation state has played in facilitating these attacks. And I think the principle at play here is just because the hacker is not a government employee or a direct contractor with the government, that doesn't absolve the government of their responsibility. There are going to be rogue hackers who are acting not on the behest of any state. But if the state is involved in any way, if they are soliciting volunteers to commit offensive cyber operations, they are legally responsible in the eyes of international law.

Dave Bittner: Well, that leads us to our second rule they propose here, which is that states must not encourage civilians or groups to act in violation of international humanitarian law.

Ben Yelin: Right. So, all of the principles we talked about, sort of the first eight principles that we talked about here in terms of the rules for cyber conflict, if you as a state have decided to follow these rules, follow these principles, it is not acceptable for you to delegate the kind of immoral, unethical actions to your subordinates, to your civilians. So, you can't just say, "Well, we're not going to engage in this type of offensive cyber operation, but if anybody out there, in the spirit of the nation of Israel or the nation of Ukraine or the nation of Russia, wants to propagate this type of attack, you know, we can't stop you." I think that's a key principle here. There should be no inducement or encouragement for civilians themselves to engage in illegal conduct under international humanitarian law.

Dave Bittner: Third, they say that states have a due diligence obligation to prevent international humanitarian law violations by civilian hackers on their territory.

Ben Yelin: Yeah, I mean, this goes back to the point a state cannot prevent all violations of the law, otherwise we wouldn't need any laws, the state would just prevent all bad things from happening. There are going to be rogue actors within states that have the capability and the desire to harm something like critical infrastructure. What the state's responsibility is, is to take feasible measures such as their public positions or the positions they announce publicly requiring civilian hackers to conduct operations in coordination with international humanitarian law. So, I think that's important that the public position of the state involved in this conflict tell their civilians that it is the position of our government not to engage in unethical or illegal hacking under international law.

Dave Bittner: Yeah. And then related to that, fourth, they say states have an obligation to prosecute war crimes and take measures necessary to suppress other IHL violations.

Ben Yelin: Yeah. So, we haven't always followed the prosecution of war crimes in our own history. Oftentimes we've chosen to look the other way when the United States itself has violated the laws of armed conflict. Oftentimes civil cases against US government entities have been dismissed, even though the allegation is that the US has violated international criminal laws. I don't want to limit this to the United States, most countries have a pretty checkered history about holding their own accountable for violations of international legal obligations or ethical war measures. So, this to me, of the four here, seems like the biggest pipe dream.

Dave Bittner: We're unlikely to see President Putin at the Hague.

Ben Yelin: Exactly. But I think it's, you know, so many of these are -- it's a recognition that not every state in an armed conflict is going to follow these principles. I think this is a message to those countries that want to consider themselves as part of the international community that this is an ideal to try and follow. This separates us as a humanitarian-conscious country from the barbarism of the other side. So, I think it can help build the distinction between your side which operates ethically and within the rules of international conflict, and the other side which does not. So, I think even just putting this framework out there, we can have metrics to look at whether one side in the conflict is following the principles outlined here. And I think that can affect our own view of which side is acting within the confines of international law.

Dave Bittner: I'll note that separate from this article from the International Red Cross, I've seen folks wondering over the past few weeks do hackers lose the protection they enjoy as civilians because they're hacking, in other words, if you're hacking on behalf of your country in a wartime situation, can that put a target on -- a physical target on you to kinetic action because of your actions. Do you lose your immunity if you will of being a civilian?

Ben Yelin: Yeah, I mean, I think that particularly becomes a question if a civilian acts not in accordance with the principles laid out here. But I do think anybody who does engage in these type of offensive operations, at least theoretically, is subjecting themselves to being part of the armed conflict. It's almost like you're forfeiting your status as a civilian.

Dave Bittner: Yeah.

Ben Yelin: I don't think that's an explicit principle that's laid out here but there's certainly a risk in that.

Dave Bittner: All right. Well, we will have a link to this article in the show notes. Again, this is from the International Red Cross. And, of course, we would love to hear from you, if there's something you'd like us to consider for the show, you can email us. It's caveat@n2k.com. [ Music ] Ben, it is my pleasure to welcome back to the show Robert Carolina. He is General Counsel at the Internet Systems Consortium and also a senior teaching fellow in the Information Security Group at Royal Holloway University of London. And quickly I want to acknowledge that Robert Carolina is joining us today on his own accord and not representing any of the organizations to which he is employed or consults with.

Robert Carolina: Hello, fellows.

Dave Bittner: So, I am delighted to have you back. And I have to say the reason for you coming back is that you wrote us a very polite but strongly-worded letter.

Ben Yelin: What he's trying to say is he wrecked us a new one is what Dave is trying to say.

Dave Bittner: Okay. I think that's a way it could be characterized. Let me say that you are not the only person to write in, but your letter was certainly the most direct and also the longest. So, I am happy to have you back. So --

Robert Carolina: I was trying to be constructive.

Dave Bittner: It absolutely was. So, a few episodes back, in episode 186, I had a story about the folks at Quad9, and Sony coming after them to try to restrict their DNS services pointing toward some content that Sony had the rights to. And you took issue with some of the ways that we characterized the story. And as I say, you're not the only one who had a problem with the way we presented it. So, I wanted to give you the opportunity here to make your case and kind of set us straight and get us back on the right track here. So, where did we blow it, Rob?

Robert Carolina: Well, if you want to approach it that way, sure. I think there were a couple of things. One of them is that I think you, you know, as so many people do, mischaracterized what is the role of an organization like Quad9 in actually matching content to a destination. You were kind of -- you were sort of all over the place in terms of grappling with it. And this is something that we see routinely with people who try to grapple with the problem of understanding DNS. I think the quickest way to get at this is to try to explain what is actually happening and what the court is actually trying to do rather than sort of deconstruct your thing, if we can take it that way.

Dave Bittner: Sure.

Ben Yelin: Just ignore what we said altogether. We'll just get off to -- let's get off to a fresh start.

Robert Carolina: Since you characterized my note, I'm going to reveal how I opened it. I said, "Listening to you guys talk about this was a bit like watching a room full of kindergarteners blindfolded trying to swing at a pinata." I mean, it was entertaining but you weren't really making contact. And so, rather than deconstruct that, let's start with a fresh slate. So, what the case is about is a court in Germany has received a request from copyright owners. And the copyright owners have a problem. The problem they have is there is a site hosted outside of Germany that's connected to a domain name that is outside of the control of entities in Germany. And they are trying to stop people in Germany from infringing copyrights. How those people infringe it? By downloading from this foreign site. So, they can't get jurisdiction over the site operator, they can't get jurisdiction presumably, I assume, over the registrar who sold the domain name, they can't get jurisdiction over someone we're going to talk about quite a bit in the next few minutes, I suspect, the authoritative DNS server for that domain. So, who do they decide to target? They decide to target the -- I'm going to call them -- they call it recursive resolver, but let's just call them the IP number address service provider. Okay. Just to get us started for people who don't do DNS full-time. And they're saying to this person when somebody asks you how can I find this site, we want you to tell them anything but the truth. Even though you know what the address is, don't give it to the person requesting. Because by giving that address to the person requesting, you are, in our opinion, facilitating the infringement of copyright. That's the short version of the argument. And there are so many things wrong with it. It's difficult to know where to begin.

Dave Bittner: So many things wrong with the argument?

Robert Carolina: Well, there's a lot of things wrong with the argument, I mean, there's a copyright argument, copyright law argument about whether or not someone who merely provides a pointer to or a reference to, or directions to a copyright infringing site is themselves responsible for breaching copyright. That's a very copyrighty answer, and I think Ben's probably stronger on copyright law than I am, although this is a matter of German copyright law rather than the US.

Ben Yelin: I can't even fake to be an expert in that.

Robert Carolina: We'll find something where you can. So, that's one question. But the next question becomes, well, hang on a second, you know, just because this stuff infringes copyright in Germany, what is it that you're asking this service provider to do? And originally I thought, based on stuff published more than a year ago, I thought originally the court was asking Quad9 to try to filter the result, as they say, specifically by reference to the geolocation of the requesting entity, which would be in Germany. So, but the most recent case, the appeal from apparently the Court in Leipzig seems to have gone so much further than that that Quad9 have stated on their website that they've taken the extreme decision to filter results asked by anybody. And, you know, which is a shame because, you know, then you're over-withholding, you know, because copyright laws are weirdly different from country to country. There are places where certain actions would not be an infringement and other places where they would be. So, Quad9 is being asked to filter all results or now is not being -- well, now they are in the unfortunate position of feeling as though they have to filter all results, even though this particular case only relates to infringements in Germany.

Dave Bittner: Well, I'm reminded of a couple of things. First of all, when it comes to respecting copyrights, I remember when compact disks were brand new, the US market was flooded with cheap CDs of recordings of, at the time, Soviet orchestras because we did not respect each other's copyrights. And so, it was a way for, you know, people selling classical music here in the States to get content without being obligated to pay for it. The other thing that I'm thinking of is I remember years ago someone saying that if you wanted to get rid of the Nazis on Twitter, tell Twitter that you're in Germany and they would be filtered out because of the rules in Germany having to do with Nazis and content. I don't know the degree to which that is true, but that was the lore. And that's partly what you remind me here by saying that part of the original request perhaps was that they merely filter -- maybe not merely but they filter traffic originating in Germany.

Robert Carolina: Well, now, and let's also pause there for a moment because you used the phrase "filtering traffic". And that can create some confusion. Keep in mind that Quad9 and any DNS recursive resolver is simply fulfilling a function very similar to what those of us of a certain age will remember as directory assistance. So, let me just play out this analogy because I think this helps to focus what the problem is and what the problem isn't. A recursive resolver is very much like the old-fashioned service of dialing 411. A human being answers the phone and says, you know, "You're asking for a phone number, what number would you like?" You gave that person a name and some coordinates, you know, so-and-so who lives in this-and-such city. And a few moments later the person would say, "Here is the number that you want." So, you asked them to match a name with the specific phone number. And they did that. That's the role of the recursive resolver. But the question becomes how does the recursive resolver or how does our 411 operator get that answer? And the answer is they have to look in an official directory someplace. So, the 411 operator picks up like the local subscriber database directory and looks it up, and gives you an answer. Well, on the internet, of course, we're dealing with a 411 operator who has to be able to answer queries for every single location in every place on the Earth. So, our recursive resolver has to find the authoritative name server which is a different type of DNS service. And that authoritative name server is a database that answers the question if I'm looking for www-dot, you know, superevilbadguys.com, how do I look that up? How do I look up the number for that? Oh, you can find that at this particular name server. So, you look at that name server and you get the answer. Well, what if I don't know where the name server is? Well, then I have to look at the different authoritative name server, which is a directory of directories. And it builds up like that until you -- so the recursive resolver assembles the answer based on a combination of what you asked, what it already knows because it's had to answer questions like this before, and what it can look up from authoritative directories in different places around the world. So, people who do recursive resolving piece are sitting right squarely in the middle of DNS traffic. But the only thing they're doing, to get back to my original point, they're not actually carrying anything to anywhere, they're not dialing the phone for you. They're not connecting the call. They're not routing the traffic. They're not carrying the packets. They're not transmitting or receiving any substance so they're not making copyright -- they're not making copies of the infringing material. They're not fulfilling that function of being an internet service provider unless -- except for internet service providers who also do this. But they're two very, very separate functions. So, this was not a case where the court was seeking to interfere. I think the word you used last time was interfering with the routing. They weren't technically trying to interfere with the routing of traffic, they were trying to interfere with the process of looking up the answer to the directory inquiries.

Dave Bittner: So, let me ask you this. Were they requesting -- using your analogy of the 411, of directory assistance, were they requesting that the directory assistance professional not answer that question, or were they requesting that the answer not be in the book that the directory assistance person goes to look things up in?

Ben Yelin: Good question.

Robert Carolina: The first, they were saying -- using my metaphor, they were asking the directory service operator whether or not you know the answer to this question, tell the customer I don't know the answer to that question. Or in some other cases like this in other countries pursuing other agendas, they'll say don't give the correct answer to the customer. Lie to the customer and give them this other number, which is under government control because we want to see who's visiting that particular resource. But in this case, I don't think that was in play. Now, there are other times where courts and others will tell the directory maintainer in the background, "We want you to change the entry in your directory in accordance with our instructions." Probably the most dramatic example of that is when US government agencies used court procedures to seize a domain name from the dot com domain. Ben will love this. They essentially issue what I believe to be an in-rem action directed to the dot com registry. They're the ones who maintain the directory of directories for dot com, they maintain the directory of every single domain name and says if you want the authoritative directory for this domain, you look at that particular site. So, the in rem action is directed to the dot com registry and says, "Repoint that at this particular government thing and we'll decide where that traffic is." That's changing the official directory entry. But that's not this case.

 

Dave Bittner: I think one of the things that you took issue with, and other folks wrote in as well, was our using an analogy of a bus service or a taxi or something like that. And someone pointed out, and I can't recall if it was in your letter or not, that it's kind of like if -- let's say you get into a taxi and you say, "I want you to take me to Bob's house of illegal downloaded software." And the taxi driver says, "I'm sorry, I can't take you there." But you could just as well get in a taxi and say, "I want you to take me to 123 Main Street," which is where that place is.

 

Robert Carolina: Indeed. And I like the way that you employed the metaphor this time but I don't like the metaphor.

Dave Bittner: Okay.

Robert Carolina: And the reason I don't like the taxi metaphor because I find the transportation metaphors of carrying people get bogged down and distract from the reality of the internet. So, instead of using a taxi or a bus metaphor, I would urge us to talk about package delivery, you know, something like a package delivery service or mail service or a carrier service. Because we're not going back and forth, we're just asking for information to go back and forth, we're asking somebody to carry our packets for us, literally carry our packets for us and get the return packets back. And you're absolutely right, this type of order, the recursive resolver provider would say, "I want to go to superevilbadguys.com." They say, "I don't know where that is." Well, I want to go to 192.1.someting.something, which is actually another public IP address. And the internet service provider would say, "Oh, I know where that is." In the same way that if you pick up the phone to, you know, data express package delivery company and you say, "I want you to send this to Evil Empire Incorporated." "Oh, I don't know where -- I'm going to lie and tell you I don't know their address." "Oh, it's 123 Main Street, Anytown, Maryland." "Oh, I'll take the package there, Sweet 1600." Now, but that metaphor also has a weakness.

Dave Bittner: Of course, it does.

Robert Carolina: Did you think this was going to be easy? That metaphor has a flaw, particularly when we're looking at web traffic and that is if you want to resolve a website, having the IP number alone is not enough information for the other side to return the content that you're looking for because the site server, the server where the site is hosted will be co-hosting a lot of different pages on a single IP address number. So, finding the IP address number alone is not enough to resolve the website, you need the IP address number and you need a way to pass the information about the website address to the server. So, if you just enter the IP number in your browser in place of the domain name, most of the time that's not going to get you the content. You have to do something else. Now, there are many something elses you can do, but that's just where the metaphor slightly breaks down.

Dave Bittner: Well, getting back to the original case with Quad9, what is your take on this action? Do you think justice is being done here?

Robert Carolina: Not especially. I don't think it's a good action to take. But the reason I think it's not a good action to take is because I'm not really sure that tinkering with DNS is the most appropriate way for a court to enforce its orders. I mean, now we get to the problem of jurisdictional arbitrage. You know, we said earlier that some places in the world enforce copyright, you know, they enforce copyright differently. And what courts do for a living is -- at least in theory -- is to enforce their laws for the protection of their residents in their place. That's their job, you know, we can argue with whether that's really their job or not but, you know, that's what we all believe in. So, if they're looking for a tool that prevents the entry of let's call it illicit material into their country, I just don't think that tinkering with the global addressing system, the global unified addressing system is the way to fix that problem. It leads us down a path where we start to lose the thing that we all want for the internet which is a single unbroken name and number space. We're getting into a world now where people say, "Well, where is this?" Oh, it might be -- oh, it's here. But I'm going to lie to you and tell you it's there. Or I'm not going to tell you the answer to that information, or you don't get to know, you know, at the technological level. I don't think that's the way to do it. In this case, in particular, of course, you have a court in Germany addressing an order to someone providing this service from Switzerland. I mean, you know, resolving DNS addresses is meant to be, was designed to be something that was not inherently bound up in questions of jurisdiction, it was meant to be a very technical process by which we simply match domain name resources with IP number resources. It was meant to get us into a position where end users didn't have to enter long strings of numbers as you did on a telephone, and instead could just use something easy-going.

Dave Bittner: Was it ultimately naive to think that that could survive the scrutiny of global politics?

Robert Carolina: Well, I think there's a couple of different factors. I mean, there is a certain degree of naivete on these kinds of matters. But equally, there's kind of an unfortunate but real aspect -- but a pragmatic aspect of this that you guys also didn't talk about. And that is keep in mind that the people providing this service, you know, not just Quad9, but just about everybody in the recursive resolver service space to some degree filter their answers. But when they do it, they, to my knowledge, they all uniformly do it on the basis of we get reports about sites that are hosting malware. And the most efficient way to keep malware out of the hands of regular human beings like you and me, who have no clue about how to configure advanced security settings let alone worry about our DNS, is to just kind of tell a little fib to the end user and say, "Oh, you're trying to connect to Evil Empire, you know, version27.com, you really don't know, we don't know where that is." And the end user just says, "Oh, gosh, I can't connect to that, I wonder why." And then move on. Now, having said that, even though these people, DNS resolvers and, you know, Quad9 does it, Google does it, Cloudflare does it, they also, for people who are very aware give an unfiltered service offering that you can plug into. So, for example, Quad9, literally 9.9.9.9 is the DNS service landing point for the security-filtered version of Quad9. Whereas if you want it completely unfiltered, okay, use it at your own risk, drive to whatever neighborhood you wish, you know, here is the complete unfiltered map 9.9.9.9.10. You know, Quad9 has a very good explainer on their website, and they have a third level of service that sort of sits in between those two. So, there is -- I think that filtering -- unfortunately, I think this is kind of a sad reality that DNS filtering is probably here to stay but it's a sort of thing that ought to be used very carefully and very sparingly. And I don't think this is the kind of case where it's used to best effect, in part because -- now I'm going to be really provocative -- there are so many ways around this thing. You know, just having this thing addressed to Quad9 Quad9 provides a significant but very tiny proportion of the world's recursive resolver service.

Ben Yelin: So, do you remove intellectual property disputes entirely from -- in your perfect world if you're made king, would you only have restrictions on transactions dealing with things like malware and just cut out any type of claim based on intellectual property violations?

Robert Carolina: Well, in my perfect world, Ben, I wouldn't be using DNS filtering as a tool of state intervention, as a tool of state action.

Ben Yelin: I see.

Robert Carolina: I think the better vector is for them to talk to people who are in their own jurisdiction using whatever technological methods are available at that level. Now, some people in the networking community might say, well, the tools available there are not always effective and that's always going to be a true statement no matter which tools you choose. I just think that tinkering with DNS as an extension of state authority is inherently dangerous because it breaks the name and number space for purposes of state content policy rather than for purposes of engineering efficiency, or self-selected security choices.

Dave Bittner: All right. Well, Robert Carolina is General Counsel at the Internet Systems Consortium and also a senior teaching fellow in the Information Security Group at Royal Holloway University of London. Robert, thank you so much for taking the time for us and setting us straight, and also giving us a better understanding of the issue. I truly appreciate you reaching out to us.

Robert Carolina: My pleasure. I'm looking forward to the follow-up. You can forward me the follow-up correspondence from people telling you how many things I've got wrong.

Dave Bittner: Deal. I can't wait for that. You're going to taste your own medicine, Robert.

Robert Carolina: It will happen. Trust me, it will happen. [ Music ]

Dave Bittner: And that is our show. We want to thank all of you for listening. A quick reminder that N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our Senior Producer is Jennifer Eiben. The show is edited by Tré Hester. Our Executive Editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening. 

Caveat
Podcast Info
HOST(S):
Dave Bittner
Ben Yelin
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Ben Yelin, JD, is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, where he consults public and private entities on homeland security, cybersecurity and emergency management policy. He is also an adjunct faculty member at the University of Maryland Francis King Carey School of Law, where he teaches courses on electronic surveillance and the Fourth Amendment.
Schedule: Wednesdays
Creator: CyberWire, Inc.