The Register® — Biting the hand that feeds IT

Hijacking huge chunks of the internet - a new How To

Hein Kruger

At last 

Go

someone found a way to turn off the internet.

they should hook this up to that big red button at turnofftheinternet.com

adnim

Based on trust 

The Internet operates on inter-autonomous-system routing, a system based on trust. Looking at RFC 1771, it wouldn't be difficult to set up a PC to act as a BGP router to inject forged BGP routing update packets onto a network to set up routing loops and other DoS attacks. To intercept then forward traffic may be beyond a Metasploit plugin, but a BGP packet spoofer would be too easy. I see a potential here to cause serious damage. I am not an expert, just a novice hoping and working to one day be one, so please correct me if I am wrong.

Michael

Overstated.... 

It's been a fundamental fact of the internet from day one that anything you send over it in plain text could potentially be read by someone else. This is what encryption is all about.

Perhaps this has increased the potential for that someone to actually get at data which would not normally be routed via them, but if you're assuming that no router on the internet can be trusted you should have already catered for this.

So "When you can forcefully route someone's traffic through you before it reaches its targeted destination, that's really bad," is a fairly dumb thing to say without context, because plenty of countries, people and companies on the internet can forcefully route someone's traffic - clearly we can't trust them all.

Obviously what little can be done with this, especially potential disruption, isn't good, but it's nowhere near as bad as suggested [certainly not if you read the falling sky stuff in the original Wired article].

fred scuttle

can't do withowt t'internet 

hope they don't manage to do this - i've only just learnt to turn t'lights off being a northerner................. if i haven't got t'internet now my kids most likely will starve............ mine's the one with the co-op shop apron!

Anonymous Coward

Encryption 

Paris Hilton

Back in about 1995-96, when I was working in a certain place and before SysAdmins were the "professional" bunch they are now, I had a fair amount of involvement in LAN management and how it connected to the then primitive internet.

I and another "admin" were convinced that desktop encryption was the way to go to protect sensitive LAN traffic ... and that as soon as it was viable, we also wanted to see encrypted traffic as the norm on the internet.

It took a decade, but recently that organisation implemented desktop encryption (at the NIC level).

I think it's high time the other suggestion was implemented. Make encrypted internet traffic the norm. (Yes, I know there are other problems and exploits .... nothing's perfect).

Paris? No one can understand what she's saying at the best of times, even if they intercept it.

Mike Hocker

Mother of All Botnets 

Black Helicopters

Hijack the path for applying updates to (name your application) as described for a variation of the recently described DNS flaw. How many people would have a clue about what is going on? Even running Ethereal/brouter and observing the traffic, the tainting would be very hard to observe until the malware activated and did something stupid like trying to phone home to an alien IP address (it could hypothetically phone to a hijacked regular banner spam address and not be noticed if the hijacking lived long enough).

An excellent attack vector for the black helo boyz, remote implantation of spyware... with a rubber hose they can hijack a DNS, and with the same rubber hose a cert for a convenient SBGP gateway (did anyone notice how infrequently SBGP changes certs? Same attack vector as for the old nym servers, don't need a rubber hose though, just some NSA compute time to crack the key), and off they go with the MITM attack.

(even most corps use dual tunnel for VPN remote to "save money" (by sacrificing security), leaving one tunnel subject to attack. A bit of spear phishing and the CEO's email is accessible... and most of the emps.... a large corp is a nice big IP address target too.)

Scott

A Plot to Sell Faster Hardware 

The near-term solution appears to be to encrypt 100% of your traffic. I guess that is why we all need multicore processors, fast connections, and more memory than ever before. At least Intel will make money.

Robert Brockway

Why is this news? 

Stop

This problem is inherent to the way BGP works. The article itself even states this. Why is this news and why did it get airtime at Defcon?

"Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs." Is that what passes for innovation these days?

BGP has always operated on human trust (for better or worse). If we decide we want to fix it fine but let's not make out this is news or in some way new.

Michael

No news here 

Stop

Sorry, but where is the story? This is how BGP works. It didn't deserve to be mentioned at Defcon, never mind repeated here. Even with encryption, if you can gain access to a routing node you can redirect traffic, as the router needs to know where data is coming from and going to.

At the end of the day you need to accept that there needs to be some trust in communicating via the internet or you won't be able to send and receive data.

Tam Lin

Miscreants need an AS 

Thumb Down

BGP routes to organizations, a.k.a. ASs (Autonomous System numbers). You'd have to set up a multi-homed company or organization, or an ISP, and get your AS number. Last I checked, ARIN, RIPE et al. do pretty thorough identity checks (atop the need-to-have checks).

Transits and large NOCs can already do this, sometimes it's done on purpose for non-nefarious reasons. We presume the CIA has better ways.

After careful planning and great expense, a small company could probably steal another small company's data, but if you get caught, we know who you are and where you live. There are easier ways.

Peter Timon

@Robert Brockway 

I have to agree, none of this is new information; it's BGP.

Still, any excuse to grab a bit of self serving publicity.

Anonymous Coward

How is Encryption going to help on web sites? 

Paris Hilton

As if they can redirect your traffic - they can send it to a man in the middle style attack. So unless you can verify the certificate of the website/remote end - and how do you check the certificate - usually via an internet connection by any chance or ones stored on local computer - which are usually updated via internet!

Let's face it - unless we can get a separate distribution channel for certificates, it is all fubared.

Peter Stevens

How do I tell. 

So before the attack I'm routing my data over a potentially untrustworthy network. After the attack I'm routing my data over a different potentially untrustworthy network. Did I miss an announcement that the Internet was suddenly fundamentally trustworthy somewhere?

amanfromMars

Spin Waiting Log Jam? 

Is there a moratorium on further discussion here?

David Hayes

@Hein Kruger 

Coat

How exactly would you system test this website? And how would you switch the internet back on?

Mine's the one with the big red one....button I mean...

EmperorFromage

Great news! 

Thumb Up

Now would someone care to route the Internet in a great circle around Sweden!

Brent Gardner

This article is complete crap 

Dead Vulture

This is just BGP, it's not news, don't quote Wired. And quit sending correspondents to Defcon who don't understand things and get all excited about stuff like this. This article is complete FUD. (Just like the last article from Defcon.)

Daniel

pffft 

Why the hell encrypt everything? The internet is fundamentally insecure. That doesn't mean that I want my email to Aunty Irene encrypted, because, guess what, I don't care.

You know? They have bent postmen too.

amanfromMars

Hanging Thoughts out to Dry ..... after Brain Washing/Perceptions ReAsignment 

Alien

"Now would someone care to route the Internet in a great circle around Sweden!" ... By EmperorFromage Posted Thursday 28th August 2008 12:57 GMT

Much Easier and more Fun for the Swedes to Route IT through them, EmperorFromage, then they can Savour and Favour all the Good Bits and Bin all the Rubbish for Onward Recycling/Intellectual Property Return to Sender........ a Sort of Sub Prime Collateralised Debt Obligation Special Investment Vehicle in Reverse.

Ken Hagan

Re: How is Encryption going to help on web sites? 

Black Helicopters

"As if they can redirect your traffic - they can send it to a man in the middle style attack. So unless you can verify the certificate of the website/remote end - and how do you check the certificate - usually via an internet connection by any chance or ones stored on local computer - which are usually updated via internet!"

To change the certificate for my bank, they need to change the countersignatories as well, all the way up the chain, until they reach those root certificates that ship with Windows. Unless they'd got at the CD-ROMs, this seems unlikely. They'd also need to quietly modify and re-sign everything coming through file downloads, like Windows Update, not just web traffic. That's going to need some pretty smart AI algorithms to do real-time reverse engineering of downloads and some hefty processing to regenerate the modified versions. I doubt there is enough money in my bank account to make it worth their while, but if they try it anyway they will be easily detected by the sheer scale of their operations. (In the infra-red, it ought to be visible from space.)

David Barr

Another "Internet is not safe" Article 

Stop

Sure it's fine on the Reg, where most of us understand it's not earth shattering news, and it's been possible for ages - but not really done.

But I really wish journalists would start being responsible and putting "This is why we use secure connections for sensitive information, and you're safe with it" in these articles. It's not us lot that read this that will suffer, it's Joe Public who now has one more misinformed reason to steer clear of one of mankind's greatest inventions.

noodle heimer

BGP routing may be logged, but 

There are still games being played with it. A year ago I was at a talk where a fairly cute attack was outlined. One element of it was that folks were publishing BGP routes to ip4 addresses that are (as of now) dark. I can't remember now the exact value of advertising routes to IPs that don't exist, but there was value to doing it, and no indication that the BGP gatekeepers were paying close attention to it. No traffic for legitimately assigned addresses was interrupted; who was complaining? Which NOC employee at a tier 1 or tier 2 carrier has time to analyze phishing email misdirects?

As far as folks who want to trust SSL and plan to not use a system if the SSL cert isn't correct because DNS has been compromised upstream: all well and good for you. If you give the pointy haired boss who runs personnel a browser popup with two buttons, one of which says "you can't work for a few hours while IT figures out what's wrong with this crypto" and one of which says "you can keep doing what you think is your regular work by pressing this button," which button will get pushed?

And if the choice comes up a second time, because the PHB accidentally made the safer decision the first time out?

Unless you're using a proxy that's set up to reject certs that don't pass, with no bypass mechanism, there will be a lot of people breaking SSL intentionally from inside the firewall; they won't understand what they're doing, but they'll compromise their own systems again and again.

How confident are you that the people whose computers handle your transactions are protected from making this mistake? Not just banking, but medical, pharmacy, car insurance, concert tickets....
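Both adnim's comment (forged BGP updates from a PC speaking RFC 1771) and noodle heimer's (routes quietly published for address space nobody was using, and nobody at the carriers watching) come down to the same defensive question: does anyone compare what is being announced against what is supposed to be announced? Below is an added example, not code from this thread or from the article, of the kind of check an operator can run over a route feed. It assumes a hypothetical expected-origin table in the spirit of RPKI ROAs (prefix, authorised origin AS, maximum prefix length) and a constructed sample feed using documentation prefixes and private-use AS numbers; none of the values come from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Expected-origin table in the spirit of an RPKI ROA set:
# prefix -> (authorised origin AS, maximum announced prefix length).
# Constructed placeholder values (RFC 5737 documentation prefixes,
# private-use ASNs), not data from the article or the comments.
EXPECTED_ORIGINS: Dict[str, Tuple[int, int]] = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/24": (64501, 24),
    "203.0.113.0/24": (64502, 25),
}

# Address space that should never appear in a global routing table
# (a constructed subset of the usual bogon list).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass
class Announcement:
    """One prefix from a BGP UPDATE with its AS_PATH (origin AS is last)."""
    prefix: str
    as_path: List[int]


def classify(ann: Announcement) -> str:
    """Compare one announcement against the expected-origin table.

    Verdicts: "bogon" (unroutable space), "origin-mismatch" (covered by an
    expected prefix but originated by the wrong AS), "more-specific"
    (right origin, but longer than the permitted length, which is exactly
    how a sub-prefix steals traffic via longest-prefix match), "valid",
    or "unknown" (no covering entry; dark or unallocated space to review).
    """
    net = ipaddress.ip_network(ann.prefix, strict=True)
    origin = ann.as_path[-1]
    if any(net.version == b.version and net.subnet_of(b) for b in BOGONS):
        return "bogon"
    for covering, (expected_origin, max_len) in EXPECTED_ORIGINS.items():
        cover = ipaddress.ip_network(covering)
        if net.version == cover.version and net.subnet_of(cover):
            if origin != expected_origin:
                return "origin-mismatch"
            if net.prefixlen > max_len:
                return "more-specific"
            return "valid"
    return "unknown"


def audit(feed: List[Announcement]) -> List[Tuple[str, int, str]]:
    """Return (prefix, origin AS, verdict) for every announcement in the feed."""
    return [(a.prefix, a.as_path[-1], classify(a)) for a in feed]


# Constructed sample feed: a legitimate table plus the three things the
# comments describe (a wrong origin, a more-specific carve-out, and
# announcements for space nobody should be routing).
SAMPLE_FEED = [
    Announcement("192.0.2.0/24", [64510, 64500]),        # expected
    Announcement("192.0.2.0/25", [64510, 64500]),        # same origin, too long
    Announcement("198.51.100.0/24", [64510, 64666]),     # foreign origin
    Announcement("198.51.100.128/25", [64510, 64666]),   # sub-prefix hijack
    Announcement("203.0.113.0/25", [64510, 64502]),      # within max length
    Announcement("10.0.0.0/8", [64666]),                 # private space
    Announcement("100.64.5.0/24", [64666]),              # no entry at all
]

if __name__ == "__main__":
    for prefix, origin, verdict in audit(SAMPLE_FEED):
        print(f"{verdict:16} {prefix:20} origin AS{origin}")
```

The "more-specific" verdict matters even when the origin AS is the right one: routers pick the longest matching prefix regardless of who announced the shorter one, so an unexpected /25 inside an expected /24 pulls traffic whether or not the AS_PATH looks plausible. "unknown" is the case noodle heimer raises: nothing is broken for anyone whose space is in the table, so without a check like this nobody notices.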

Martin Usher

Not much of an exploit, really.... 

Coat

So they route traffic through their systems. If it's properly encrypted then it doesn't mean a thing. When the world talks about 'intercepting' or 'man in the middle' then they're talking eavesdropping on or modifying confidential messages. Clear text -- like this -- is designed to go anywhere to get to where it's going. If some hacker wants to help it along, then great. (If they bit-bucket it, though -- not so great -- but then the Internet was designed with disappearing nodes in mind.)

Zmodem

@Based on trust 

Ya, you're wrong. It's only the poor man's traffic intercept, and traffic would just be routed elsewhere if any telecom exchange whatever is down. Flying around in a plane intercepting satellite transmissions can't shut down the net either. You'd need to simultaneously intercept every country.

The Other Steve

I'm with the "not news" crowd. 

Thumb Down

Defcon delegates must be either seriously running out of ideas, or getting much younger and hence unable to recall discussion of this in past literature, which dates back _at least_ ten years.

Granted, your average internet 'civilian' wouldn't necessarily be aware of this, but anyone who claims or considers themselves to be an internet security 'expert' or 'researcher', or even to be knowledgeable in the field, and expresses surprise at this should be dismissed as a charlatan immediately.

2008 will surely be remembered as the year that Defcon became even less relevant and even more tediously uninteresting than it was to begin with.