Slashdot Mirror
Securing DNS From The Roots Up
jeffy124 writes: "This article at ComputerWorld tells the story of how ICANN would like to replace the root DNS systems with secured servers. Lars-Johan Liman, one of the root operators, spoke about the concept at ICANN's annual meeting today. He discussed how the world's current redundant DNS system is vulnerable to DDOS attacks and yet-to-be-discovered root holes in bind that can ultimately undermine the entire Internet by taking away the name-IP mappings that are relied upon by just about everyone."
Bind may be vulnerable to security exploits! Sendmail may *not* be as secure as qmail! Walking through harlem with $100 bills hanging out of your pockets isn't smart! Sky is blue!
Some people just never get the news....
The Internet is depending on unsecured servers for DNS? Now how am I going to sleep at night? Next you'll be telling me the earth isn't sitting snugly atop a giant turtle! Is nothing certain any more?
...then malicious intruders will just go after the core routers, saturate lines, do things of that nature. Not that locking down DNS is a bad thing, but you can't defend everything all the time.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
I have yet to find the great reason of why everyone uses BIND. I've been working on my own DNS server just for kicks. The protocol itself is trivial. It can be handled so easily, but yet, if you look at BIND's source code, you can't tell what is going on at all. So, why does everyone continue to use it? Or better question, why hasn't someone written a better alternative?
kc8apf
Is there anyone here knowledgeable about this who can comment on a few things?
I'd love to see (more closely) another implementation of the DNS system other than the 3 or so commonly found.
Does it strike anyone else as a bad thing that all of the root nameservers, and for that matter almost all important nameservers, run BIND? Ergo, a serious security bug can be used to take out all of the root nameservers.
We need another DNS server that has the (relative) standard compliance and scalability so that we could have some other server software running on some of the root servers. Unfortunately, all of the alternatives I know of don't scale to that volume of transactions, aren't nearly as proven as BIND, and many of them have standards compliance issues worse than BIND.
Real men surf the net using ip addresses. (And NOT in base 10)
Also OpenNIC is an ICANN indepent root system ... why not just use them instead of ICANN?
Ignore the "p2p is theft" trolls, they're just uninformed
I know this is slightly offtopic, but this was there on the bugtraq mailing list, thought ppl here may find it interesting:
/var logging is recoverable. This machine was running
/usr/bin/bin/u/src/ircd
/u/, mysqld klogd ...)
.dk domain, as well
.cais.net .cais.com
/usr/sbin/init.d
/sbin/ipchains -I input -p tcp -d 0/0 3879 -j DENY
To: bugtraq@securityfocus.com
Subject: Fwd: Possible DDOS network being built through ssh1 crc compromised hosts
I am making this notification to assist in determining whether other
folks have been affected by this attack.
An associate's home NAT gateway linux box was hacked by what I am
guessing was the ssh1 crc bug (ssh1 was the only exposed service).
This
machine looks to have been compromised on Nov 2nd at 1:15pm PST, I
won't know for certain until I obtain his hard disk later today, and
provided that
redhat 6.2, reasonably patched except for the fact that he was still
running ssh1.
It appears that someone may be building up a network of (potentially)
DDOS hosts. I have done some quick research and found no matches for
the signatures I have been able to identify so far.
Using the Chkrootkit (www.chkrootkit.org) utilities did not identify
a known trojan pack, so if this isn't identified in the wild, I'm
already referring to it as the LIMPninja.
It also appears that this particular host was used as a central host
for other LIMPninja zombies. Also, haven't been able to determine
what the command structure it is that the remote bots act upon.
The following is by no means complete, even after a full examination
of the drive has been completed, as there was never any file
integrity base line completed(a shame).
The attack appears to be scripted as all changes happened within a
minute, except for the IRC server which was not installed until 2
days later (and manually). When I found this particular irc net
there were over 120 hosts all communicating via IRC. This host was
found to be running an unrealircd daemon from
listening at port 6669.
All other compromised hosts were joining this irc network
(ircd.hola.mx holad) on channel #kujikiri with a channel key of
'ninehandscutting'. All bots joined as the nick ninjaXXXX where XXXX
is some RANDOM? selection of 4 upper case letters.
Several ports were listening
3879 term (this port had an ipchains rule blocking all external
traffic - placed by the attacker's script)
6669 ircd
9706 term
42121 inetd spawned in.telnetd
Logs were wiped, and couldn't find a wiping utility so I'm thinking a
simple rm or unlink was used, so I'm hoping to find more details when
the disk is in hand. File modifications that were made follow:(not
necessarily a complete analysis yet)
clearly Trojaned binaries (probably others)
/bin/ps
/bin/netstat
/bin/ls (this ls binary was hiding several things, directory
structures named
/usr/local/bin/sshd1 (the file was just several hundred bytes larger
than previously)
Binary file/directory additions
/usr/bin/bin/u/ An entire directory structure containing the ircd
server source
/usr/bin/share/mysqld (looks like some type of irc spoofing proxy)
/bin/klogd (almost looks like an ftp proxy)
/bin/term (A bindshell of some sort)
/usr/sbin/init.d was added and is exactly the same file size as term
System configuration files that were modified/added
/etc/hosts.allow made specific allowances for the
as
/etc/passwd two new accounts were added with the same password (des
hashes -NOT MD5)
/etc/shadow The added accounts were lpd 1212:1212, and admin 0:0
/etc/inetd.conf 200+ lines of whitespace added, and then the single
telnet entry
/etc/services was modified for telnet to start on port 42121
/etc/resolv.conf a new nameserver was added...
/etc/psdevtab haven't examined closely yet
/etc/rc.sysinit a line was added to start the
trojan/backdoor
/etc/rc.local after much whitespace was added.... following lines at
the bottom of the rc.local file
killall -9 rpc.statd
killall -9 gdm
killall -9 gpm
killall -9 lpd
term
klogd
"/usr/bin/share/mysqld"
-----
This should assist other ppl who have had similar attacks...
There seem to be some pretty big problems in how the whole DNS system works in the first place; for a system with a fairly high degree of built-in redundancy, I've often found websites where ONE of their DNS servers has gone down, and I can't access the site. The other DNS somehow isn't queried, other caching DNS servers along the chain aren't queried, and it fails. The IP address I'm looking for is, in theory, sitting in a thousand caches all over the net, but it's not fetched? The loss of Microsoft's DNS a few months back is a good (although not particularly worrying) example.
Then again, maybe I don't notice the times it DOES work like it's supposed to.
-"I still believe in revolution; I just don't capitalize it anymore." - srini!
It's not difficult to get a nameserver backup and running, and the volume of data maintained by the root server is nothing in quantity compared to, for instance, .com.
The main problem is that all the second-level servers have fixed pointers (usually hard-coded, I believe, in text files) to the root servers.
Assuming some form of robust authentication could be worked out, this could be a killer app for IP multicast, where, if a root server goes down, once the replacement comes back up, the IP of that server gets instantly disseminated to all secondary level (or maybe even even futher down) nameservers around the world rather than manual notification (or however it works now), so that downtime would be minimal.
Sound viable?
George W. Bush
President, United States of America
Yup...13
The Locations are:
Moffer Field CA
Woodside CA
Marina Del Rey CA (2)
Herdon VA (3)
College Park MD
Vienna VA
Aberdeen MD
London
Stockholm
Keio
As long as no one opens their mouth about possible security leaks, we'll be safe.
Last post!
Don't get me wrong. It's a great system, it's worked for a very long time, it does it's basic job admirably. My single main issues with it are it's centralization, and increasing politicization.
.info proves.
I've given this a little thought over the years. There's a few fundamental issues with the centralized DNS system.
I've tried kicking around a few replacements ideas, like a peer-to-peer exchange system carrying certificates that act a little like resource search records.
The FreeNet project actually gives a good model for how to distribute and search for these 'domain certificates'.
I'd like to see a system that you essentially 'anonymously' submit namespace entries to. Conflicts are resolved based on context. If a dozen people want "money.domain", fine. If you try to browse to it without any context, you have to choose which one you want based on other information in the certificates (full name, location, nickname etc) and once you've chosen, that context sticks. URL's would need to be extended to also carry this context, which probably need to be a cryptographic signature to prevent abuse.
It constantly amazes me that people are willing to pay $50 to 'own' a record in a database. The domain land grab was just stupid... in virtual space, you can always just make more land. As
DNS will obviously persist for decades, (simply because of the financial and general mindspace investment in 'dots') but hopefully as only one of a plethora of address resolution systems. Name resolution needs to be a pool, not a tree.
"For as long as the DNS system exists, the Internet will never be free" - Morpheus, while very Drunk
Jeremy Lee | Orinoco
Oh how much the world would be a better place if these technologies were implemented!
This time I will be prepared.
/etc/hosts file so I can be immune to the attacks
I am downloading as we speak all the DNS records in the planet into my
I encourage others to do the same.
Untrue, DNS is like www.whitehouse.gov under permanent attack. The article is based on a number of assumptions that are not true of all the root servers.
Steve Bellovin is somewhat inaccurate in his statement about BIND. While it is true that most of the Root servers run code that originated in BIND most of the heavy lifting is done by a few servers that sit on the fattest pipes that run a stripped code base. The code paths of that code base have at this point been as near to completely tested as anything gets.
The real problem is that most of the root servers are still maintained by the ad-hoc volunteer network of the 1980s Internet. As a result many of the 'root servers' are hosted on drinking straws rather than pipes.
There are 13 servers however and all have to go down to take out the Internet. Even then the effect would take some time to be felt. The root servers only manage the top level domains. These tend not to change very often and so the TTL on the root records can be made very long without causing operational difficulty.
A much more serious problem would be if someone brought up a fake root server. DNS does not provide authentication.
Rather than obsess about the code base problem ICANN should be either deploying BIND or telling the IETF the characteristics of the security protocol it really needs.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
ICANN is only relavent as long as everybody uses their DNS. I don't understand why somebody with some moral authority in the IT world doesn't just set up an alternative. I know there are in fact several alternatives, but these are private companies that nobody has heard about. .tld (although you could set up a few with restricted access, perhaps '.trademark' or something like that). That way, for example, IBM could use "buy.ibm", while somebody who doesn't like IBM could use "dontbuy.ibm". There would be no way to purchase all the domains under a .tld.
So who could do it? The IETF and the ACM come to mind. There are probably a few others.
Note that you don't have to switch all at once, you can still fall back to legacy ICANN domains if the new domain system doesn't find a match.
My "ultimate" domain name scheme would allow anything as a
If you celebrate Xmas, befriend me (538
ICANN would like to replace the root DNS systems with secured servers.
/etc. Then, a patent would be granted for "a static internet address to domain name mapping system" and "a static domain name to internet address system"
/. before, but there are many people who run their own DNS roots, underground dns if you will. Anyone have any links?
Ok, how long before someone at ICANN suggests that the servers should maintain domain to ip mappings in static files. Something like a file called hosts and that could be stored in
Sorry, I'm just in a sarcastic mood given the fact that they actually use bind. Does anyone find that a little scary?
I know it's been brought up here on
Chaos, Mayhem, and Destruction: Not
You can't do zone transfers using djbdns for one thing. DJB thinks that zone transfers are evil, and has his own method for doing the task (rsync over ssh I believe), but whether they're evil or not is beside the point. Like it or not, zone transfers are a part of the core DNS protocols and any proper successor to BIND must implement them all. Starting a standards war with the IETF is not something I want to have along with a name server I deploy. Let Bernstein write an RFC for publication describing his idiosyncratic methods and get the IETF to ratify it as a core standard if he wants, if he truly thinks his way is the better way. The way he operates reminds me more of the way Microsoft handles standards than anything else.
Besides, djbdns is also deficient in a far more important way (for me and to a lot of people here on Slashdot anyhow, I hope): it's actually proprietary software with a limited license for gratis use. It's not Free Software or even Open Source, not by any reasonable definition of the term. There is no license along with his programs, and absent a license you have NO RIGHT to share, study, or change Bernstein's code!
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
Perhaps to top if off we could have all the corresponding text names to ip addresses on a Microsoft SQL Server with IIS.
http://saveie6.com/
check here:
http://cr.yp.to/djbdns/axfrdns.html
this supports outgoing transfers. Incoming are a possible security risk (NO authentication happens in most cases, other than IP address checking, IIRC), making this a prudent decision, IETF or no.
BBK
That's news to me. I always thought Network Solutions or whoever runs the other root name servers had their own proprietary and more robust and scalable DNS software.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
Not a complete solution, but it would be enough to keep the net going if DNS went down.
No, Thursday's out. How about never - is never good for you?
Is it my imagination or is ICANN actually working on getting their job done rather than horribly complex politics (more complex than needed to solve the problem), or trademark/legal craziness? There's some background at the page of the ICANN DNS Root committee.
Now, I'm pretty skeptical that a closed source DNS server from Register.com is going to be a big part of the solution, but even that I don't really mind so much. Having a few alternatives is good if for no other reason than helping to keep BIND from stagnating.
The article didn't talk much about DNSsec (or this older page) which has got to be part of the solution (to try to give the 10 second summary, when a client makes a DNS query and gets a response, it is kind of tricky to ensure that the response is really from the correct server, and DNSsec uses crypto to solve this and other problems).
This Is something I was just looking at... very interesting, shows what techniques have been used to hijack domains.
I'm a minister!
$ ping www.slashdot.org
PING slashdot.org (64.28.67.150): 56 data bytes
That's 64.28.67.150!! Start memorizing now!!!
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
The answer is simple, just ask the author of IPF how he did it...
Change the BIND license to make it much more restrictive, then sit back as the OpenBSD developers build their own simpler, better, more stable, and much more secure, replacement.
SSH.
IPF.
BIND?
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
This is clearly just a ploy to establish iron-fisted control over the internet. What is more likely to be for the best in the long run is an extensible, completely open holographic DNS schema distributed across each client. That the problem of DNS and the fecundity of PtoP have not been mated seems to me an absurd thing.
This is the difference between hackers and bureaucrats in a nutshell. Centralized control over resiliant sophistication. God damn each of those bimbo sellout engineers for their short sightedness. If I had one ounce of say, one chance at effecting or affecting the logical and liberty enhancing solution I mention above, I could consider my life more or less comlete. (And I'm a card carrying member of ICANN at-large, dammit, and so much closer to such a goal than the bulk of you all!!) This is surely going to be the doom of the net as we know it.
How long before the governing body (ICANN) of such a rigid and authoritarian system becomes a mere appendage of one of the big players (IBM, AOL, MSFT)? That ICANN is already rotten with corruption is apparent to almost everyone, but what I am asking is how long before even the lip service is discarded? I am aghast at the thought of a monopoly on basic existance that such moves as this do threaten.
This is a call to arms. Anyone involve with open DNS or PtP should reply to this thread or email me at: this adress to discuss superceding such insidious and freedom wrecking evil as presented in the parent story.
Thankyou.
64.28.67.150 is the only IP you need!
This space left intentionally blank.
haha, yeah right, everyone's a cheap bastard. ;-)
Actually, David Weekly and the California Community Colocation Project is hosting one of my new servers at their space in HurricaneElectric's colo. So at the moment I'm good but it's always nice to get a sponsor especially at the rate I'm growing.
thanks for caring,
-davidu
# Hack the planet, it's important.
Reading this article, I have to start wondering if maybe I'm misunderstanding the problem.
The actual root servers are only queried for the top-level domains and while they have rather massive databases, the types of queries they get is limited.
Now, I'm going to assume that given all the money collected for domains, there somewhere exists a nice pot of money available for running root DNS servers. If there isn't then something is seriously wrong with the administration of DNS.
Segmentation of the actual root servers from the world by utilizing a front-end dns cache that would rewrite the actual DNS queries would solve a lot of problems.
First, rewriting queries would allow an amazing amount of sanity checking to be done on the query itself and should prevent exploiting the back-end root servers directly.
Second, as front-end dns caches can be extremely simple and require almost no configuration, the OS installation can be absolutely minimal excluding even shells. You could go as far as to use an OS that allowed you to revoke system privledges such as certain syscalls (fork, exec, open, etc aren't all that necessary once everything is running) and even make the caching DNS server run as init (though you must have something to bring up networking interfaces.)
Physical segmentation is obviously important as well so a private backbone strung between all core root servers and a seperate interface on each front end cache to access them would help quite a bit.
Of course then comes the issue of DoS attacks which again should be rather easy to solve considering what we are talking about. Just buy a lot of front-end cache systems. You would think given how important root servers are and how much money domain revenues generate, buying a thousand or even ten thousand machines and sticking them in every major network access point wouldn't be all that big of a deal.
Now you still have to deal with the fact that most DNS servers still have a static list of root server IPs. Thankfully, the simple DNS queries that hit root servers can be done with a single UDP packet request and response (until you have to work up the hierarchy) making them prime targets for one of the many clustering solutions out there from simple IP sharing virtual servers to routing protocol tricks.
Of course, I may be oversimplifying the problem.
The world is neither black nor white nor good nor evil, only many shades of CowboyNeal.
Common implementations of DNS and even the protocol itself have quite a number of flaws which make DNS spoofing rather easy. DNS spoofing is targeted at the clients, and the root servers have nothing to do with it, so you can't solve this problem at the root servers. DNSSEC won't solve it completely either because no one expects clients to move to DNSSEC anytime soon (you don't install full resolvers on clients, either).
In additions, occasionally, DNS database entries are wrong (although the servers are operating correctly), due to maintenance errors or social engineering attacks. Security on the root servers or even DNSSEC does not address this problem at all.
So the best solution is not to base any authentication on DNS names at all. (Then there's hardly any need for DNSSEC either.) Of course, quite a few Internet users rely heavily on the non-existent DNS security. They fetch mail using unencrypted POP3, use HTTP-based mail solutions, and so on, and if someone is able to redirect their connections as a consequence of DNS spoofing, he can obtain their passwords pretty easily. But reasonable secure solutions (e.g. TLS and server certificates) already exist.
100 Gb hard disks are cheap nowadays, and almost all OS support > 2Gb files. So securing the DNS from the roots up is simple : have a local /etc/hosts file with all existing hosts.
/etc/hosts file up to date.
Then, subscribe to a mailing list that sends daily changes, so that you can keep your
Ehm... yeah. You first have to secure mail to do this.
{{.sig}}
Poorly edited, poorly written. What was his conclusion anyway? Maybe I'm looking for too many technical details, but ending with "diversity improves security" implies that the solution is simply to replace *some* BIND servers with other servers. Yeah, that should work. Duh.
He went on to argue that "most security holes are due to buggy software. All the cryptography in the world is not going to change the buggy software problem."
In my experience, most security holes are caused by careless or ignorant users. Even if you take all the bugs out of all the software, there are still going to be security holes. Its like the locked doors at work: secure entrances are pointless if you hold the door open for the guy behind you (and you don't know the guy behind you).
The Daily Build
it's quite funny actually. DJB has gained so much by creating qmail that when he released djbdns, users blindly followed into it expecting it to be void of security holes.
the biggest problems with DNS on the internet have NOTHING to do with the software used. the protocol itself is quite insecure- and what's worse is that this isn't news!
one thing that certainly needs to change is this silly concept of recursive-resolvers; they change the responses, and thus it's next to impossible to determine which is the "Real" resolver.
thanks to sequence prediction, and because DNS servers/clients don't have any "other" protection, it's quite trivial to smash or alter someone's dns tables (during a zone transfer), or redirect users someplace else (when doing recursion).
what we need is a cryptographic method of "signing" requests. root nameservers should maintain keys in addition to NS rrs. And what bind calls "root hints" should contain the keys of the root nameservers. this way, we can digitally sign responses so that their authenticity can be verified. moreover, if packet-space is limited (and even though a "most" queries should have a hundread or three bytes free) we could always just store a hash of the signature. but that's getting too far into implimentation.
the basic droll is that we need something BETTER than dns... not just new software, but a new design...
and plus, by implimenting crypto into the name services, we'll be able to finally keep the french off the internet.
(for those of you lacking any kind of crypto-political background: the french aren't allowed ANY cryptography.... and you thought US export control was bad!)
The real problem is that most of the root servers are still maintained by the ad-hoc volunteer network of the 1980s Internet. As a result many of the 'root servers' are hosted on drinking straws rather than pipes.
Bullshit. See RFC 2870.
DNS does not provide authentication. [...] ICANN should be [...] telling the IETF the characteristics of the security protocol it really needs.
They are. It's called DNSSEC, and there's tremendous work and buzz going on about it throughout the IETF.
--
Mod up a post Rob doesn't like and you'll never mod again
Readoing RFC 2870 doesn't tell you anything really. It's a best practices document, and as such it's full of 'SHOULD' and 'MUST' and 'SHOULD NOT'. However, it doesn't tell you anything about what's really happening.
The biggest hurtle to implementing such a system is the learning curve for the cryptographic APIs for the languages I'd want to use. There is not a wealth of information on such APIs to begin with. The next biggest hurtle, of course, being that if it were developed inside the US, it'd probably be considered an act of terrorism to ship it outside the US.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
djbdns (and qmail, etc) are NOT under a restrictive license as you like to argue. In fact, they are under no license. DJB simply doesn't believe that software licenses are valid, so he doesn't grant one. His "license" page that you refer to simply reiterates his right of first distribution, as well as waiving some of his right to first distribution under certain circumstances. Read this for more background on why DJB doesn't issue licenses.
The only appearance of the word license on that page is in a quote from a RedHat employee, not DJB. It would seem impossible to me to grant a license without specifically stating that you are granting a license.
The inability to change pathnames is a bunch of hooey. I've seen packages included with a major distribution that could have been modified to use paths that make more sense, but have been packaged with the author's defaults instead.
xjosh
Seriously, though, that works well when you've got one box sitting out there, but a lot of services install round robin DNS with multiple servers for load balancing. Try "dig yahoo.com" or lycos or google, for example. Socks3 here at work consists of about 9 servers, only three of which seem to work with any reliability.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
The link above is a site that has been known to often send people to goatse.cx.
-no broken link
Look at the members of the ICANN board, look at the membership of the IESG and IAB over the past 10 years. Oh and look up Steve Bellovin's research interests.
I had meant to type 'DNSSEC' in the original in place of BIND. DNSSEC many not be the answer, if it was the answer maybe it would have taken less than ten years to deploy after the RFCs were written.
The main problem is that DNSSEC turned into a design for a general purpose PKI. As a result lots of features were added such as the NXT record that make deployment sticky. Also the nature of DNS lookups has changed drastically. TTLs are often measured in minutes rather than days as they once were. This means that the DNSSEC method of signing each RR individually is a very high overhead. The servers can do the siging offline, not so hot for the clients though which can have ten or more signatures to verify for a single lookup.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
I like that they mentioned that diversity results in more security (at the very end of the article). This is one of the major problems with Microsoft products: they only make two operating systems, so when a bug is found in one or both of them, the whole world goes down from some email script virus that a child can write. Under the alternative Linux and BSDs, there are differences between the distributions and even between installations, resulting in big headaches for would-be virus writers. (Sure, this also results in headaches for developers, but who said that making software is easy? Yeah, developing is allegedly "easy" under Microsoft platforms, potentially saving your business big dollars in R&D, but that money gets thrown away on the inevitable repairs necessary after some k1ddy in Congo or something manages to deploy a virus.)
So, like the article says, diversity improves security. In my opinion, each site should choose the best system for the job and configure it to do that job well. If you end up with 10 different platforms and operating systems, so be it.
Oh well.
Oh yeah, so what I was trying to say is that not only the operating system, but also the software running on it, should be diverse and come from as many different sources as possible. I would even say that if you run several machines that perform the same job, perform that job with different software on the several machines. This way, when one gets cracked, the others continue to work (at least for a while).
That is not what I said. I said that ICANN should specify the requirements they have for a DNS security infrastructure to secure the DNS and tell the IESG what they are.
The IETF has designed some good security protocols. It has also produced a lot of bad ones. They are not bad because they are insecure, they are bad because they don't meet the real requirements. PEM and MOSS being prime examples. IPSEC and DNSSEC both have clear usability problems that mean that they are not being used in practice for the purpose they were originally advertised as solving.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/