Wednesday, December 21, 2011

How SOPA Benefits Cyber Criminals


The Stop Online Piracy Act (SOPA), also known as H.R. 3261, is a bill working its way through the House that promises to end piracy over the Internet. The crux of Internet piracy is offshore web sites that the government can't control. Shutting down the web sites is almost impossible, so the bill provides a mechanism to disrupt how the sites are accessed using the Domain Name System (DNS).

For those not technically inclined, DNS is the protocol used by web browsers to find the IP address of a web server. It's very similar to a phone book (you remember those). Back in the dark ages, when you wanted to find out what time Bob's Auto Shop closed, you pulled out the yellow pages, found the Automotive Services category and then found Bob's Auto Service. This provided you with Bob's phone number, which you then dialed into your phone to call Bob. In the enlightened age of the Internet you go to your browser and type in www.BobsAutoService.com. Your browser then contacts the DNS server supplied by your Internet Service Provider (ISP) and asks what the IP address for www.BobsAutoService.com is. When the browser gets the reply from the DNS server, it contacts the web site using the IP address and downloads the page that you want.

One of the provisions of the SOPA bill would allow the Department of Justice or any rights holders to establish blocks on DNS requests for domains that they believe are hosting copyright-infringing content. So, when your thirteen-year-old daughter tries to download the newest Justin Bieber song from SvensMusicDownloads.com, the browser contacts the ISP's DNS server to get the IP address. However, since SvensMusicDownloads.com is now on a block list, the ISP's DNS server simply responds that it cannot find it.

To return to our phone number analogy, all this does is make the IP address unlisted in your local phone book. All anyone needs to do is find a phone book that still has the number listed.

So, your thirteen-year-old daughter really wants that Justin Bieber song. Her friend Susie's older brother gave her a tip that if she sets the computer to use 10.154.165.37 as the DNS server she can download her music. He heard about it from his buddy Steve, who has an internship with IBM, so Steve knows what he's doing on the Internet. Plus, Susie's brother has been using this server for weeks and he can still get to Facebook AND download all the music he wants, so it MUST be all right. She makes the change and wow, she can download her music again. All is right with the world.

Unfortunately, your thirteen-year-old daughter, her friend Susie's brother and even Steve the college intern did not know that the 10.154.165.37 server is actually run by Vladimir's Cyber Crime Gang. Vladimir set up the server to return legitimate IP addresses for every web site on the Internet. Except for a couple of large banks!

A couple of days later you sit down at the computer to pay your bills. You open your web browser to www.BankOfAmerica.com and see the same login page that you always use. However, on the back end your browser requested the IP address for www.BankOfAmerica.com from Vladimir's DNS server. Instead of providing the real IP address for your banking site, it provided the IP address for Vladimir's web server. Your browser actually connects to Vladimir's web server, but you can't tell the difference. Even the SSL security icon in the browser bar is green like it should be; the SSL security features in your browser also rely on DNS. You enter your password into the page, get all those pesky bills paid and never notice anything is wrong. Vladimir's web server was acting as a middle man between you and the bank web server. Vladimir now has your password. A week later you log back in and see that your savings account has 27 cents left in it. Thirty thousand dollars has been transferred to a bank in the Caymans.
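A defender's check for the two behaviours described above, written as an added example rather than anything from the original post: it parses raw DNS replies and compares what the configured resolver says against a resolver you trust for the same question. The function names, `bank.example` / `music.example` and the documentation-range addresses used with it are assumptions made for illustration.

```python
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A-record query, as a stub resolver would send it."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past an encoded (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        if length == 0:                # root label ends the name
            return off + 1
        off += 1 + length

def parse_a_records(msg):
    """Return (rcode, set of IPv4 strings) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def classify(local_msg, reference_msg):
    """Compare the configured resolver's reply with a reference resolver's."""
    l_rc, l_ips = parse_a_records(local_msg)
    r_rc, r_ips = parse_a_records(reference_msg)
    if l_rc == 3 and r_rc == 0 and r_ips:
        return "blocked"        # local says NXDOMAIN, reference resolves it
    if l_ips and r_ips and l_ips.isdisjoint(r_ips):
        return "diverges"       # review by hand: CDNs also cause this
    return "consistent"

def make_response(name, ips, rcode=0):
    """Constructed sample data standing in for a captured resolver reply."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in ips)
    return header + build_query(name)[12:] + rrs
```

In practice the two inputs to `classify` are the UDP payloads returned for the same `build_query` output by the machine's configured DNS server and by a reference resolver; a "diverges" result on a banking domain is the case worth investigating.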

DNS is a VERY important part of the Internet. It is at the foundation of how the Internet works. This is just one example of how mucking with it can and will break the Internet! Please call your Congressmen, write your Congressmen, do whatever you need to do to get this bill stopped!


Monday, December 5, 2011

Using junipernc script under Ubuntu 11.10.

Getting the Juniper Network Connect client to work under Ubuntu can be a bit of a challenge. I learned quite a while ago that it requires the Sun / Oracle version of Java; OpenJDK will not work. If you try using the OpenJDK Java you will quickly see the “Session Timeout” error when connecting.

With previous versions of Ubuntu I simply installed the Sun JVM from the repositories and reconfigured the system to use it rather than OpenJDK. However, Oracle has decided to change the licensing requirements and newer versions of Java are no longer available in the repository. Now I could manually download and install the Oracle Java for the entire system to use, but then I’d have to manually keep it updated. I much prefer letting the package manager handle updates (so they actually get done).

My solution to this problem is to set up a dedicated Oracle Java install that is only used by Network Connect. As an added benefit it uses the junipernc script, which in my opinion is much easier to use.


Here is what you need to do:

  1. Download and save the junipernc script.
  2. I like to put it in ~/bin. Don't forget to make it executable.
    mv ~/Downloads/junipernc ~/bin
    chmod +x ~/bin/junipernc
  3. Browse to your company VPN site and log in (no need to install the correct Java first). Click “allow” on any warnings and press Ctrl-C when it asks for the root password. This will download the files into the ~/.juniper_networks folder.
  4. Download the Oracle JDK .bin installer. Make it executable and execute it to extract the files. Move the jdk directory to the ~/.juniper_networks folder.
    chmod +x ~/Downloads/jdk-6u29-linux-i586.bin
    ~/Downloads/jdk-6u29-linux-i586.bin
    mv jdk1.6.0_29/ ~/.juniper_networks/
  5. Temporarily update the PATH and run junipernc for the first time.
    export PATH=~/.juniper_networks/jdk1.6.0_29/bin/:$PATH
    ~/bin/junipernc
  6. You should get a notice that initial setup requires administrative privileges. Enter your password several times. Enter your server name, user name and realm (check out Issue #2 on this blog entry to determine your realm). Enter your password or securid/pin.

Why this works

In step 5 we temporarily added the path to the downloaded Oracle Java install BEFORE the existing path. The junipernc script finds the Oracle Java version first and uses it (because it’s first in the path). This allows us to connect and all is good with the world. The junipernc script also writes the path to Java in the ~/.vpn.default.cfg file. On subsequent executions, junipernc uses the path in the cfg file.

Note:  None of this would be possible without the junipernc script developed by Paul D. Smith. Please check out his site (http://mad-scientist.us/juniper.html) for more information.