One thing holding up DNSSEC adoption has been to lack of DNSSEC awareness in the client browsers. Although the caching DNS servers are for the most part DNSSEC aware, browsers are not. This leaves the "last mile" unprotected and limits some of the usefulness for users.

Microsoft is adding DNSSEC awareness to Windows 7, as pointed out by Mitchell Ashley in his Converging on Microsoft blog today: Windows 7 and Server 2008 R2 Bring Us DNSSEC. Will We Use It?

So will we use it? I think we will once we and businesses understand the benefits.

Today if you go to Amazon.com, United.com, eBay.com, BarackObama.org or Wells Fargo.com, there is no way of knowing with certainty that you have arrived at the correct web site or that no one is spying on you through a "man in the middle" attack (see this 60 Minutes video on how this can happen). The result is bad for the consumer but it is equally bad for the web site operator whose customers could be victimized by identity theft, or outright theft  by obtaining credit card information or receiving campaign or charitable contributions on the fake site.

If your browser and the Internet itself authenticated the site you will know with certainty that you are at the correct site and no one is "in the middle" spying on you.

Won't everyone demand this feature once it is available? Won't every business, charity and health care organization want their customers to use their site with confidence? I would think the legal implications alone would drive business to adopt this technology. Credit card issuers will no doubt add this to Payment Card Industry (PCI) compliance, which affects how much businesses pay on their credit card transactions. This cost is ultimately passed on to consumers.

By providing client operating system support, Microsoft will make adoption simple - although it is unclear how this will work with browsers. 

DNSSEC makes Internet authentication ubiquitous - you know where you are. Without it you cannot begin to say you are secure on-line.

Consumers should be asking questions about DNSSEC implementation now for the sites they use.

With the US Government adopting DNSSEC this year I will give it another year to become standard for commercial web sites.

Network World's article today "Cloud Computing a 'security nightmare,' says CISCO CEO" got me going. I'm glad to hear an acknowledgment of the security concerns from someone as prominent as John Chambers. And the statement "boy am I going to sell a lot of stuff to tie that together" points up the potential cost as well as the need to look at Internet security more holistically.

Dan Kaminsky has pointed out many of these vulnerabilities and The Register highlighted some recent exploits. These threats are growing.

Cloud computing has a lot of potential to lower cost and improve services, but it creates a dependency on the insecure Internet, something beyond any individual entity's control. Before anyone puts anything important into the cloud they had better assess the risks and insist on a service provider who has adopted DNSSEC.

Awareness of security breaches and malware exploits continues to grow. Today's Wall Street Journal article "Computer Spies Breach Fighter-Jet Project" is only the latest discovery that establishes our almost total lack of Internet security. If the bad guys (or just the really curious guys) want your data, they can get it. We are lucky the jihadists don't seem to possess computer skills.

Hackers to the Military: Who's your Daddy?

And if the Pentagon can't protect data then the corporate world is not going to do the job either.

The Obama Administration wants to put medical records on-line? See "Big Challenges Await Health-Records Transition". Someone stop this bus.

Information Technology is running headlong into cloud computing and virtualization due to their tremendous cost saving potential. Both of these technologies introduce additional security issues and requirements that are perhaps poorly understood. Here are just a few links that highlight the problem:

• Cloud Computing's Inherent Security Risks

• Virtualization: Guest-to-host attack demonstrated

• Cloud computing is a storage spot for malware
• Cloud Computing: More Storm Clouds Ahead

• Key Security Issues for the Amazon Cloud

It seems to me that we are going backwards despite existing technologies like DNSSEC that can be used for authentication, Itanium processors that have secure memory compartments and software that can use those compartments and other techniques to make applications malware immune.

If we are looking to the military for leadership here we are looking in he wrong place.

Approximately 20 people have contacted me today regarding the front page article in the Wall Street Journal, "Electricity Grid in U.S. Penetrated by Spies", and a CNN.com article, "Official: Millions spent defending Pentagon computers from attack", and more in depth from SC Magazine, "Cyberattack repairs cost Pentagon $100 million in six months" (see more attacks and vulnerabilities in the sidebar to this article). CNBC also had segments on power grid vulnerabilities. 

In addition to these headline articles there continue to be unprecedented denial of service attacks: DDoS Attacks on Web Hosts Continue.

The take away from all of this is that we don't really know what is out there, what is vulnerable and what could blow up or burn up (the power grid and generators can blow up, so its not an expression). 

What bothers me even more is that we increasingly depend upon mobile devices whose security vulnerabilities are just now coming into focus. These devices tie into the Internet and represent yet another attack vector for networks, power and the web.

The complexity of cyber space is beyond the abilities of individuals. Complexity is the enemy of security. The problem must be attacked in segments and the first step (you know its coming) is to deploy DNSSEC. Until you can authenticate who is who, you cannot begin to solve this puzzle - not for anything connected to the Internet. Without it we simply throw resources down the drain. The cyber security market has been estimated at $79 billion annually (I can't recall where I got that but I'll reference it shortly). 

That is a lot of unproductive but essential money that could be put to better use.

We may have come through the April 1 Conficker worm event smoothly but there has been a rash of Denial of Service ("DDoS") Attacks on DNS services sites over the past few days, as reported in SC Magazine: DDoS attacks hit major web services, and by Network World (also see their Podcast). Some believe this is a major event: Cyberspace 9/11is here

A lot of entities spend a bundle on DDoS protection services and appliances but the attacks still largely succeed.

Fair disclosure: my company has built  DDoS protections into our DNS products that protect our customers from these attacks. If anyone employs bodyguards to protect their DNS they will save money and improve reliability with Secure64. Every important system should have these built-in protections.

Ok that's my one shameless pitch for the month.

These attacks are successful and Internet-based applications (e.g. web sites, web services, cloud computing, VoIP, email) remain at risk because their are still millions of virus-infected PCs and servers out there ready to dish up malicious traffic. If you suffer from slow speeds at times you may be one of them. The attacks continue to grow in sophistication as attackers exploit a never-ending list of vulnerabilities in the hardware and software that runs the web. Thank goodness they can't give us the Novovirus or we would all be suffering nausea or worse.

There is a stated goal of putting medical records on-line. Imagine a DDoS attack on a major hospital with on-line records. It could be a catastrophe.