This video was made possible by CuriosityStream. When you sign up for an annual subscription,
you’ll also get access to Nebula, now streaming HAI’s first ever 40-minute special, which
premiered yesterday. It’s about bricks. Happy now? Alright so, here’s the deal: there’s this
group of nerds called ICANN—the Internet Corporation for Assigned Names and Numbers,
and they have handed out seven keys to seven individuals spread across the world, and with
those keys, you can shut down, and reboot, the internet. Now normally, this is where I would make a
bunch of bad jokes, and call them stuff like the Fellowship of the Keys, or the Key-I Joes,
or You, Key, and Dupree, but we don’t have time for that, because to understand these
keys, you need to understand a bunch of complicated internet stuff that was very confusing for
me to figure out, starting with DNS. In case you don’t know what DNS is, because,
I dunno, you had friends in college, I’ll explain: all the computers that make up the
internet are identified via long numbers called IP addresses; but when I want to go to, for
example, Twitter, because I want to scroll through an endless mix of hot takes, anger,
harassment, product placement, and videos of Kanye West saying problematic things but
then it turns out that he’s actually a cake, I don’t want to have to type in 199.59.148.0—which
is the IP address of one of the servers that hosts Twitter. I just want to type www.twitter.com, and then
be taken there so I can get to my seeing-photos-of-people-partying-during-Covid induced panic attack. So my computer has to translate www.twitter.com
into the right IP address, and it does that first by asking a whole long line of things—first,
of course, it asks Clippy, but Clippy doesn’t know. So instead, it asks your Operating System,
which maybe knows, but if it doesn’t it asks something called a recursive name server,
which also maybe knows, but if it doesn’t it asks one of the world’s 13 root servers,
which send you to the appropriate top-level domain server—in this case, the one that
runs all the .coms—who sends you to the right authoritative name server, which eventually
is like “oh yeah, twitter is 199.59.148.0.” But you need someone to administer this whole
system—to make sure, first of all, that IP addresses aren’t handed out willy-nilly,
and more importantly, to keep everything secure, so people can’t come in and mess with it,
and say “hey check it out, the IP address for irs.gov is actually this IP address, which
goes to a site called free-money-just-give-me-your-bank-info-first.totally-legit.net.” So the DNS is authenticated through a system
called DNSSEC. And I promise we’re going to get to their
mystical internet keys soon, but first, you need to understand how DNSSEC works. The first important idea is asymmetrical encryption,
which involves a private key and a public key, which are long numbers that are linked
mathematically. The public key is a number everybody can know,
but the private key is very secret, and only held by one entity. And this is what’s important: with the private
key, you can make something called a digital signature over a document, that someone can,
by looking at the corresponding public key, go, “oh man, based on what this public key
says, I know that that signature was definitely made by the person with the corresponding
private key.” And that’s how DNS is authenticated—the
information saying “twitter.com is 199.59.148.0” is signed by Twitter using their private key,
and then my computer uses Twitter’s public key, looks at the signature, and says, “yep,
this signature was definitely made using Twitter’s private key, so the information must be legitimate.” The problem is, we have to be sure that Twitter’s
public key, off of which I’m basing this analysis, is legit too. So Twitter’s public key is signed by a higher
authority, the top-level domain server who runs all dotcoms, using their private key. And then I use their public key to be like,
“yup, this signature was made by the dotcom people.” But to know that public key is legit, it’s
signed by an even higher authority, up and up and up, until it’s signed off on by ICANN,
that nonprofit I mentioned earlier, using a single private key. Every single website’s IP address in DNS
is ultimately secured by ICANN’s single public and private key, which is called the
trust anchor. In fact, I can even show you ICANN’s public
key—It’s this. And I shouldn’t say this, but, their private
key, the super top-top-top-secret number that secures the whole internet, is seven… four…
two—okay look I don’t know their private key, I just wanted you to think I’m cool. Now, the numbers that make up the private
key that secures the whole DNS are stored on hard drives inside physical boxes, called
Hardware Security Modules, or HSMs for short, or H’s for shorter, or “huh’s” for
shortest, and there are four of them, kept in pairs in ICANN stations 2,500 miles apart:
one in Culpeper, Virginia and one in El Segundo, California. Once you get past the armed guards and PIN
pads, and card scanners, and biometric security stops, and sword-fighting bears, to get into
those physical HSM boxes that hold that secret number, you need several smart cards, and
those smart cards are kept inside other boxes, which can only be opened with physical keys,
which are… finally, held by seven people across the world. Oh, I was kidding about the sword-fighting
bears, by the way—ICANN actually uses nunchuck-wielding fish. The key-holders aren’t world leaders or
anything, but just security experts designated by ICANN. In fact, I can show you who they are: it’s
these people. I know, not that exciting. Should DNS ever be compromised, five of the
seven key-holders would have to go to an ICANN facility, use their keys, in what’s called
a “key ceremony” to get to the smart-cards, then use those smart-cards to physically open
the box with ICANN’s private key in it, and use that to shut DNS, and with it much
of the functionality of the internet, down, and reset it. Some people say the keyholders are the most
powerful people in the world. But whoever said that is an idiot, because
clearly the most powerful people in the world are the Half As Interesting commenters who
spent literal years demanding that we make a video about bricks, because guess what:
we finally did it. And it’s way way more than just another
HAI video—it’s a 40-minute long special called The Brick Façade: A True Crime Drama
and it’s got action and drama and suspense and cameos and, more than anything, it’s
got bricks—and, it’s available right now on Nebula. The best way to get Nebula is through the
CuriosityStream bundle: for just $15 a year, for a limited time, you’ll get an annual
subscription to CuriosityStream, where you can watch all sorts of great full-length documentaries,
and Nebula. Just go to curiositystream.com/HAI.
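The chain of trust the video describes (an address record signed by the site’s key, that key signed by the TLD’s key, and so on up to a single root key that is the trust anchor) is shown below as an added example in Go. It is not code from the video or from ICANN, and it simplifies real DNSSEC: Ed25519 stands in for the zone signing keys (real zones mostly use RSA or ECDSA), ad-hoc byte strings stand in for the DNSKEY, DS and RRSIG records, and the zone names, the `Zone` type and the `Verify` function are the example’s own. A resolver using it accepts an address record only when every link is signed by the level above and the root key matches the trust anchor it was configured with, so a spoofed reply that swaps the IP, or one signed with a key the parent never vouched for, is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Zone is one level of the signing hierarchy: the root (whose public key is
// the trust anchor), a TLD such as com, or a leaf zone such as twitter.com.
// Hypothetical simplification: the parent signs the child's (name, public key)
// pair directly instead of publishing a DS record.
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	Parent *Zone  // nil for the root
	KeySig []byte // parent's signature over keyMessage(Name, Pub); empty for the root
}

// keyMessage is the byte string a parent signs to vouch for a child's key.
func keyMessage(name string, pub ed25519.PublicKey) []byte {
	return append([]byte("KEY:"+name+":"), pub...)
}

// recordMessage is the byte string a zone signs to vouch for an address record.
func recordMessage(name, ip string) []byte {
	return []byte("A:" + name + "=" + ip)
}

// NewZone generates a fresh key pair for name; when parent is non-nil the
// parent signs the new key, forming one link of the chain.
func NewZone(name string, parent *Zone) (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	z := &Zone{Name: name, Pub: pub, priv: priv, Parent: parent}
	if parent != nil {
		z.KeySig = ed25519.Sign(parent.priv, keyMessage(name, pub))
	}
	return z, nil
}

// SignedRecord is an address record plus the owning zone's signature
// (the stand-in for an RRSIG).
type SignedRecord struct {
	Name string
	IP   string
	Sig  []byte
}

// SignRecord has the zone sign an address record for its own name.
func (z *Zone) SignRecord(ip string) SignedRecord {
	return SignedRecord{Name: z.Name, IP: ip, Sig: ed25519.Sign(z.priv, recordMessage(z.Name, ip))}
}

// Verify is what a validating resolver does: check the record under the leaf
// key, then walk upward checking that each key was signed by its parent, and
// finally check that the root key is the trust anchor the resolver was
// configured with. Any break in the chain rejects the record.
func Verify(rec SignedRecord, leaf *Zone, trustAnchor ed25519.PublicKey) error {
	if rec.Name != leaf.Name {
		return fmt.Errorf("record for %s presented under zone %s", rec.Name, leaf.Name)
	}
	if !ed25519.Verify(leaf.Pub, recordMessage(rec.Name, rec.IP), rec.Sig) {
		return errors.New("record signature does not verify under the " + leaf.Name + " key")
	}
	z := leaf
	for z.Parent != nil {
		if !ed25519.Verify(z.Parent.Pub, keyMessage(z.Name, z.Pub), z.KeySig) {
			return fmt.Errorf("key of %s was not signed by %s", z.Name, z.Parent.Name)
		}
		z = z.Parent
	}
	if !z.Pub.Equal(trustAnchor) {
		return errors.New("root key does not match the configured trust anchor")
	}
	return nil
}

func main() {
	root, _ := NewZone(".", nil)   // root key pair (constructed here, not ICANN's real one)
	com, _ := NewZone("com", root) // the .com zone, vouched for by the root
	twitter, _ := NewZone("twitter.com", com)
	trustAnchor := root.Pub // what a resolver ships with

	good := twitter.SignRecord("199.59.148.0")
	fmt.Println("genuine record:", Verify(good, twitter, trustAnchor))

	// A spoofed reply that swaps the IP but reuses the old signature (constructed).
	spoofed := SignedRecord{Name: good.Name, IP: "203.0.113.9", Sig: good.Sig}
	fmt.Println("spoofed IP:    ", Verify(spoofed, twitter, trustAnchor))

	// A key the .com zone never signed cannot be chained to the anchor.
	rogue, _ := NewZone("twitter.com", nil)
	rogue.Parent = com
	fmt.Println("unvouched key: ", Verify(rogue.SignRecord("203.0.113.9"), rogue, trustAnchor))
}
```

Running it prints `<nil>` for the genuine record and an error for the other two cases. The design point is that the resolver never needs to trust the network: it trusts exactly one public key (the anchor), and every other key earns trust only by carrying a valid signature from the level above.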
Great and interesting video but he does say Paul Kane of Great Britain is one of the key holders but I believe that's not true anymore. According to the IANA website it has Paul Kane retiring his role as a TCR for the recovery key in 2017. He was replaced by Kristian Ørmen of Denmark.
https://www.iana.org/dnssec/tcrs
Edit: ay let’s go he used this in the corrections video
Kind of disappointing to see a channel I respect repeat the same "The seven people who can turn off the internet" stuff that is rolled out as clickbait quite regularly, so often in fact that ICANN have a whole article explaining why it's incorrect. https://www.icann.org/news/blog/the-problem-with-the-seven-keys
Bashing computer literate people for having no friends stopped being funny in 2007.
Yeah this video is just inaccurate. Twitter doesn't use DNSSEC, see: https://dnssec-name-and-shame.com/domain/twitter.com
Honestly, basically no one uses DNSSEC. It's HTTPS (HTTP over SSL/TLS) which lets you determine if you are really connected to Twitter. DNS spoofing is entirely possible because of this, just once you connect to the rogue IP, you should get a HTTPS error if the site is properly configured to use TLS.
brick brick brrrr brick
This video is extremely misleading, if not outright incorrect. DNSSEC basically isn't used at all. The vast majority of websites, including Twitter, the example you use in the video, don't use it at all. It breaks for various domains semi-regularly, and almost nobody notices. Other, smarter people than me have already written about it a lot, but it's a bad protocol extension that wouldn't matter if it disappeared tomorrow.
This is pretty disappointing to see from the Wendover/HAI team. It makes me wonder how many of your other videos I've watched that were incorrect, but I didn't realize because they were topics I was unfamiliar with. The only thing more disappointing than this would be finding out you don't even really care about bricks.
I lost him when he mentioned the IP address for Twitter is 199.59.148.0
Twitter owns the 199.59.148.0/22 network address range. Big difference between the two.
Good video as always!