Domain: xelerance.com
Stories and comments across the archive that link to xelerance.com.
Comments · 12
-
Re:If this is about cyberwar,
An organic system is inherently unstable - this is why the global network is so resilient against targeted attacks (such as wide-scale DNS poisoning, root name server outage...). The system will route around the dark spot. Whether or not it's "what the man wants" is irrelevant. If "The Man" wants the Internet to go dark permanently, all "The Man" has to do is cause a global, total and simultaneous blackout of every node, domain and name server, webserver - anything with a CPU and internet connection.
No biggy.
-
Re:So what powers does the IETF have on this?
you need to work on your reading comprehension skills.
DNSSEC exists plain and simple. it's already been deployed for a lot of domains and root nameservers. just because there are difficulties hampering its widespread adoption doesn't mean it doesn't exist. that's like saying IPv6 doesn't exist because it's still suffering from a lack of widespread adoption.
none of the factors preventing more widespread deployment are problems that need "solving." in fact, they're more social/political problems than they are technical problems. so the "solution" to these problems is simply to persuade/pressure/coerce DNS servers to adopt DNSSEC, which is what IETF is debating about.
- backward-compatibility may be difficult to maintain, but this is a transitional problem, and it's not a real technical barrier to adoption at this point. BIND 9.3 (several older versions are compatible as well) officially supports DNSSEC, so does NSD, and Nominum's ANS and CNS. the fact of the matter is, there are tons of domains already using DNSSEC without issue.
- the zone enumeration issue has already been solved with NSEC3 (RFC 5155) released in March--which you'd already know if you'd read the rest of that Wiki article.
- this is a logistical problem that every new technology/protocol/standard faces. the main issue here is the last-mover advantage. nobody wants to be the first to adopt a new standard when there's no financial incentive to do so. but somebody has to go first. and at this point there is already a wide variety of software, prototype systems & tools available for implementing DNSSEC with little to no risk involved.
- this is purely a political issue, and it has more to do with the U.S.'s monopolistic control over the DNS system than DNSSEC. perhaps if ICANN acted more impartially instead of getting in bed with Verisign and other commercial corporations we wouldn't have political BS hindering technological progress. in any case, this is an ICANN problem and could be solved by organizational reforms to make ICANN operate with more transparency and give other nations a voice in domain name management.
- the perception of DNSSEC being too complex or difficult to adopt is just that--a problem with public perception. IETF is working on resolving this problem through education and training, which are on their deployment road map. there are a lot of good free resources out there to help ease others through this transition and dispel false perceptions.
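As an added illustration of the NSEC3 point in the comment above (this is example code written for this page, not code from the poster or from any DNS server), the following implements the owner-name hash of RFC 5155 and the "covering" check a validating resolver performs on an NSEC3 record. Only hash algorithm 1 (SHA-1), the one RFC 5155 defines, is implemented; the salt and iteration count used in the self-test are the values from the RFC's Appendix A example zone. The base32hex conversion via a translation table is this example's own choice.

```python
"""NSEC3 owner-name hashing and the covering check from RFC 5155.

Added example, not code from the comment above nor from any DNS server.
Only the hash algorithm RFC 5155 defines (1 = SHA-1) is implemented.
"""
import base64
import hashlib

# RFC 5155 prints hashes in base32hex (the RFC 4648 "extended hex" alphabet);
# Python's b32encode uses the standard alphabet, so translate between them.
_STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_BASE32HEX = str.maketrans(_STD_ALPHABET, _HEX_ALPHABET)


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, each prefixed
    with its length, terminated by the root's zero-length label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str = "", iterations: int = 0) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Returns the 32-character lowercase base32hex digest used as the NSEC3 owner name."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX).lower()


def nsec3_covers(owner_hash: str, next_hash: str, query_hash: str) -> bool:
    """An NSEC3 record (owner -> next) proves a name does not exist when the
    hash of the queried name falls strictly between the two; the last record
    of the chain wraps around to the first."""
    o, n, q = owner_hash.lower(), next_hash.lower(), query_hash.lower()
    if o < n:
        return o < q < n
    return q > o or q < n


if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A example zone: algorithm 1,
    # 12 extra iterations, salt aabbccdd.
    for owner in ("example.", "a.example.", "ai.example."):
        print(f"{owner:12s} -> {nsec3_hash(owner, 'aabbccdd', 12)}")
    # A zone walker following the chain learns only these hashes; the salt
    # and iteration count exist to make guessing the names behind them costly.
```

The chain of hashed owner names is what replaces the plain-text NSEC chain: a resolver can still be shown that a name is absent (the covering interval), but walking the chain yields hashes rather than names.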
-
Re:DNSSEC is dead, let's move on
As Morrissey's song goes, "The world is not America".
DNSSEC deployment is already happening on a large scale.
djbdns refuses to fix his code to protect against OS errors as "not his job". That makes that DNS software pretty useless.
powerdns is fully mysql driven, and uses a record, not a zonefile as their basic unit. DNSSEC will break that. That's why they do not like it.
People say things will break, but things are broken already. If someone has a better fix, please step forward. Whining and doing nothing is not an option, and people who whine about DNSSEC not being the right solution have done nothing for 10 years, so they have become part of the DNSSEC solution as a result. Note that no one has broken the protocol or principles behind DNSSEC. At most people say "It's too hard". That's what people said about SSL too.
DNSSEC has been deployed, and will be the protocol protecting your DNS. Get over it. -
Off The Record
Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:
Encryption
No one else can read your instant messages.
Authentication
You are assured the correspondent is who you think it is.
Deniability
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy
If you lose control of your private keys, no previous conversation is compromised.
http://www.xelerance.com/mirror/otr/, and a plugin of the same for GAIM: http://osx.freshmeat.net/projects/otr/ -
steganography is security through obscurity
as soon as a method for steganography is discovered it basically loses any advantage. the only way it could work is if the number of methods would increase at an exponential or higher rate. otherwise any interested party can just brute force your data for every possible steganography method. even if one that you use hasn't been discovered yet they can store that data and check it later. in either case if you got something to hide from them you are screwed. a much better way for secure communication is http://www.xelerance.com/mirror/otr/
-
Off-the-record messaging
-
Hmm .. here's a variation of the idea
Generate per-message signing key just the way these guys do it, but require your peer to disclose this key immediately after he uses it to verify your message.
PS. Damn .. 8 pages and 10 references for a simple idea, which would probably occupy under 2 lines in a normal crypto book .. man, what a bloat. -
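Added example (written for this page; it is neither OTR's code nor the poster's) covering two earlier points: the deniability and in-session authentication properties in the OTR description above, and the variation proposed in the comment above, where the receiver discloses each per-message key as soon as it has verified the message. It assumes the per-message key reaches the receiver through the session's authenticated key agreement (OTR derives its MAC keys from a Diffie-Hellman shared secret); that transport is modelled here by handing the key over directly. All messages are constructed sample data.

```python
"""Per-message symmetric authentication keys that are disclosed after use.

Added example, not OTR's code.  A symmetric tag convinces the receiver
while the key is private to the two parties; once the key is public, any
holder of the transcript can produce an equally valid tag, so the
transcript is not evidence of authorship to a third party.
"""
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Symmetric authentication tag; anyone holding `key` can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def check_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(make_tag(key, message), tag)


class Peer:
    def __init__(self, name: str):
        self.name = name
        self.message_keys = {}   # msg_id -> fresh key per message
        self.disclosed = []      # keys made public once no longer needed

    def send(self, msg_id: int, message: bytes):
        key = secrets.token_bytes(32)
        self.message_keys[msg_id] = key
        return (msg_id, message, make_tag(key, message))

    def receive(self, packet, key: bytes) -> bool:
        msg_id, message, tag = packet
        ok = check_tag(key, message, tag)
        if ok:
            # The variation from the comment: publish the key right after
            # verification, so the tag stops being evidence as soon as the
            # receiver is done with it.
            self.disclosed.append(key)
        return ok


def run_exchange() -> dict:
    alice, bob = Peer("alice"), Peer("bob")
    packet = alice.send(1, b"constructed message: meet at 9")
    key = alice.message_keys[1]   # stand-in for the session's key agreement

    # In-session: a modified message is rejected, the genuine one accepted.
    tampered = (packet[0], packet[1] + b"!", packet[2])
    tampered_rejected = not bob.receive(tampered, key)
    bob_verified = bob.receive(packet, key)

    # A transcript holder without the key cannot verify or forge in-session.
    guessed = secrets.token_bytes(32)
    outsider_verifies_before = check_tag(guessed, packet[1], packet[2])

    # After disclosure anyone can compute tags under the same key, so the
    # original tag and a forged one are indistinguishable as evidence.
    public_key = bob.disclosed[0]
    forged_message = b"constructed forgery: meet at 10"
    forged_tag = make_tag(public_key, forged_message)
    forgery_verifies = check_tag(public_key, forged_message, forged_tag)
    original_still_verifies = check_tag(public_key, packet[1], packet[2])

    return {
        "tampered_rejected": tampered_rejected,
        "bob_verified": bob_verified,
        "outsider_verifies_before_disclosure": outsider_verifies_before,
        "forgery_verifies_after_disclosure": forgery_verifies,
        "original_indistinguishable_from_forgery": forgery_verifies and original_still_verifies,
        "keys_disclosed": len(bob.disclosed),
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

The contrast with a digital signature is the whole point: a signature over the same message would verify for anyone forever, which is exactly the third-party checkability the OTR description sets out to avoid.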
Re:a little information would be nice
The presentation at http://www.xelerance.com/mirror/otr/otr-wpes-present.pdf is pretty good. A few paragraphs of description and some high level maths too.
-
Re:Debian packages now available for freeswan
There's a discussion about which type of linux is best for running it here on the mailing list. They like both Debian and SuSe.
That said, it should work well enough on most things-from their site, "Standards Compliant: Openswan conforms to nearly all IPsec + IKE RFCs, and has one of the best interoperability track records of any IPsec implementation. It is compatible with products from Microsoft, Cisco, Nortel, Netscreen, Checkpoint, and many other vendors."
And "Platforms: x86, IA64, PPC, PPC64, MIPS, Alpha, StrongArm"
Openswan should work for just about anyone who isn't satisfied with KAME or Racoon (though it might be hard to set up, see this thread...
The front page summary makes it sound like the company they're starting exists solely for openswan, but it's worth noting Xelerance is producing some other stuff including freeRadius, think about your breathing-you have to manually control your breathing or suffocate, DNSSec, and Asterisk. The changeover will likely mean an increase in the quality of support available for (paying) swan users, since they provide an array of consulting services.
That also gives them an incentive to spread adoption. Unlike FreeS/WAN-one of the problems with FreeS/WAN was that it would not work with low-bit encryption. This was done to promote their political goal. But it also had the side effect of inhibiting adoption at the places where for whatever reason people had to interoperate with low-bit encryption applications or setups. According to their FAQ, "As we see it, it is more important to deliver real security than to comply with a standard which has been subverted into allowing use of inadequate methods." For example, they went out of their way to avoid allowing any handling of single DES.
And if you've got any more questions about openswan, the guy to ask is on slashdot with user id #11! He'll probably be posting in here when it's morning in that part of the world.
Who would win? Flying Shark or Flying Croc?? Croc all the way, fools! -
Re:Ouch. This is going to hurt.
-
Re:corporation
I've taken my Super FreeS/WAN tree, and formed a company with some other ex-FreeS/WAN folks.
Openswan is new name of the project, you can already get code from www.openswan.org.
Commercial support + services from us via Xelerance
Ken