Robustly flawed
As far as security services go, it's often quite hard to find real gems on the Internet. There are certainly lots of software and services available out there, but many of them cost money and don't deliver the goods. Some are even simple fronts for spyware and spam mongers, leaving you with a false sense of security whilst delivering you right into the attacker's hands. Fortunately those malicious trojan horses are few and far between. Where they do exist they're quite well documented and most decent anti-spyware or anti-virus software can catch them for you.
This leaves us with the fundamental question: how do you know if a service you're using is doing its job? Think about that for a moment. As a conscientious computer user you've no doubt installed anti-malware software as well as a firewall or other, similar "security suite". That's good practice, but how do you know any of your measures are actually working? There might be a handy status icon in your system tray, but this does little more than show you the software is loaded - it doesn't mean it's actually defending you from threats.
It's a nasty little conundrum for the average computer user. Some of the time you can take it on trust that things are getting done. You can be confident, for example, that the copy of Symantec anti-virus you just purchased will actually detect and remove any viruses on your system. Symantec is a well known company and there would be uproar if its software failed to do the job (or, for example, contained a massive security vulnerability like this one). But other than trust you have precious little else to go on. Fortunately this is the Internet, where reviews are easy to find and opinions are a dime a dozen. A quick browse around the software vendor's website, a google for a product review, and you've got all the information you need, right?
Well let's see. I came across a handy service a few weeks ago called OpenDNS. As the name implies it's a free DNS service that anyone can use; no fees, no signup, just click the mouse a few times and you're ready to go. If you're unfamiliar with DNS, think of it as the phone directory for the Internet. Whenever you want to call Bob's Pet Store in Miami you open the Miami phonebook, find the "B" section, locate Bob's entry and read off his phone number. Phone directories are useful because the phone system uses numbers, not letters, and we humans are pretty bad at remembering lots of numbers. The Internet works in exactly the same way, except with IP addresses instead of phone numbers. When you typed "http://www.zeroflaws.net" into your web browser your computer sent the address to your DNS server and asked it to look up the IP address for the Zero Flaws web server. The DNS server opened the ".net" directory, looked through it to find "www.zeroflaws.net" and returned the IP address to your computer. The actual process is a little more complicated than that, but the principle is the same: every time you use a human-language address to access a service on the Internet - a website, an FTP site, a P2P server - DNS is the key.
DNS really is the backbone of the Internet. Right now you're using your ISP's DNS servers; if they went offline you'd quickly find you can't get much done. So OpenDNS, by giving us a set of alternative DNS servers, is providing a really useful service. But it doesn't end there. OpenDNS also flaunts itself as a security service. On the front page alone there are numerous references to security features, explaining how the service will block phishing and adult sites. And with the site touting numerous big-business customers, how can you possibly go wrong? Surely it's just plain irresponsible if you continue to let your kids use a DNS system that isn't OpenDNS.
Ahh, it's a spam-fighting, phisher-beating, porn-blocking machine. Every parent should use it, every business should sign up for it. In their own words, OpenDNS is "making the Internet safer, faster, smarter and more reliable for millions of people around the world". The fact that it's totally free and requires no software just makes it all the more compelling.
If no software is required and no sign-up needed, how does it work? As explained above, DNS is the system that converts human-language addresses to IP addresses. By using OpenDNS you are giving it the authority to perform all your DNS lookups, so when you accidentally try to access a "dangerous" site the OpenDNS servers will simply refuse to convert the site address to an IP address. It's like you're using a censored phone directory, where all the entries for adult shops and loan sharks have been removed. Without an IP address your computer can't figure out where on the Internet it should go, so OpenDNS keeps you safe from the nasty, evil parts of the web.
Except it doesn't. Here's a little exercise for you. In your web browser's address bar, type the following: http://88.208.244.34.
Surprised? You shouldn't be. 88.208.244.34 is the IP address for the Zero Flaws web server. By typing it in directly you are able to access the site just as if you'd typed "http://www.zeroflaws.net". The difference is that you didn't need to use DNS because no human-language address to IP address lookup was needed. It's like knowing the phone number you need to call without having to look in the phonebook. And if you don't need the phonebook, any service that censors it is rendered useless. OpenDNS is a useful backup DNS service, but it's not a security solution because it doesn't robustly defend against anything. If you access services by IP address the OpenDNS servers aren't even consulted.
If you switched to OpenDNS thinking that it would stop your children browsing to porn sites, you've been fooled: they can just access the site by IP address [1]. Try it; you'll find sex.com at http://69.42.90.94. If you switched believing that viruses and malware would be stopped, you've been fooled: most malware uses IP addresses anyway.
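Seen from the defender's side, the gap described above shows up as traffic with no matching DNS lookup. The following is an added example, not part of the original article: it checks whether a URL names its host by IP address and correlates a resolver log with a connection log to list the connections a DNS filter never had a chance to judge. The log layouts, the client addresses, the 300-second window and the function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def host_is_ip_literal(url):
    """True when the URL names its host by IP address, so no DNS lookup is made."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def flows_without_lookup(dns_log, flow_log, window=300):
    """Return flows whose destination the same client did not resolve
    through DNS within the preceding `window` seconds (assumed cache lifetime)."""
    answers = {}  # (client, answer_ip) -> timestamps at which the resolver answered
    for ts, client, _qname, ip in dns_log:
        answers.setdefault((client, ip), []).append(ts)
    flagged = []
    for ts, client, dest in flow_log:
        seen = answers.get((client, dest), [])
        if not any(0 <= ts - t <= window for t in seen):
            flagged.append((ts, client, dest))
    return flagged

# Constructed sample logs (hypothetical layout).
# DNS log: (timestamp, client, queried name, answer IP)
DNS_LOG = [(100, "10.0.0.5", "www.zeroflaws.net", "88.208.244.34")]
# Flow log: (timestamp, client, destination IP)
FLOW_LOG = [
    (101, "10.0.0.5", "88.208.244.34"),  # follows a lookup: the filter saw it
    (130, "10.0.0.7", "88.208.244.34"),  # this client never asked the resolver
    (900, "10.0.0.5", "88.208.244.34"),  # lookup is older than the window
    (905, "10.0.0.5", "192.0.2.10"),     # address never returned by the resolver
]

if __name__ == "__main__":
    for url in ("http://www.zeroflaws.net", "http://88.208.244.34"):
        print(url, "-> bypasses DNS:", host_is_ip_literal(url))
    for flow in flows_without_lookup(DNS_LOG, FLOW_LOG):
        print("no DNS lookup seen:", flow)
```

A flagged flow is not proof of anything malicious; it only marks traffic that DNS-based filtering could not have blocked and that needs a different control, such as a firewall or proxy rule.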
This is a very real, very dangerous issue with IT security solutions. Companies have quickly realised that by adding a security aspect to their product they can increase hype, market share, revenue or whatever else is important to them. The person who loses out is the end user, who simply can't make an informed decision because the knowledge barrier is so high.
So ask yourself that question again: "how do I know my security software is working?". Sorry, I don't have a panacea or an answer for you, but at least now you're thinking about it...
1. In fact it's even easier to bypass OpenDNS when browsing to websites. Cloaking sites such as Avoid Filter will do the DNS lookup and download the web page for you.

