Slashdot Mirror


User: Wowlapalooza

Wowlapalooza's activity in the archive.


Comments · 202

  1. Legal Basis? on NY Court Says Police Can't Track Suspect With GPS · · Score: 2, Insightful

    I'd like to see the full text of the opinion. The small extracts I've seen so far basically amount to "I don't like giving the police such power", which, if it were the only legal basis of the opinion, would be the worst kind of legislating-from-the-bench, and not likely to survive an appeal. Surely in 20 pages of opinion, there was an actual legal basis given for their decision. One can hope?

  2. Surprised? Yeah right on Phony Wikipedia Entry Used By Worldwide Press · · Score: 2, Insightful

    While he was wary about the ethical implications of using someone's death as a social experiment, he had carefully generated the quote so as not to distort or taint Jarre's life, he said. 'I didn't expect it to go that far. I expected it to be in blogs and sites, but on mainstream quality papers? I was very surprised.'"

    Isn't that the same excuse virus authors use when they get caught? "I didn't expect it to go that far". Whatever issues we have with Wikipedia, I don't think we should excuse this guy's irresponsible behavior any more than we should excuse a virus author's. He did use a famous person's death to conduct a social experiment, and as a result deceived a lot of people. Put the blame where it belongs.

  3. Re:I See Your Nope, and Raise You an Uh-uh on Let Big Brother Hawk Anti-Virus Software · · Score: 1

    ... that should read "subsidize or educate people in the use of software that prevents it"

  4. I See Your Nope, and Raise You an Uh-uh on Let Big Brother Hawk Anti-Virus Software · · Score: 3, Informative

    Commerce Clause. Thanks for making the argument that more education is needed.

    Thankfully, the SCOTUS came to their senses a few years ago and declared that the CC is NOT a blanket justification for universal Federal authority over everything. Congress had used it to justify totalitarian powers up till that point. Any argument using the CC as its justification has to have a much more narrow focus now, or SCOTUS will throw it out. I can only hope that one day they'll make a similar ruling on the "general welfare" clause.

    Is that so? In the last major case on the Commerce Clause, Gonzales v. Raich, 545 U.S. 1 (2005), the Supreme Court actually upheld, under the Commerce Clause, the application of the Controlled Substances Act to the growing of marijuana for medical purposes, even though this was a "non-economic" activity. So I wouldn't read the obituary of the Commerce Clause just yet -- it still has plenty of life in it.

    As for the current proposal to subsidize and/or educate the public in the use of anti-virus software, I think it's fairly trivial to demonstrate that computer viruses are both a) interstate by nature, and b) have a substantial economic effect. Thus it easily falls within the enumerated Commerce Clause power (if not other enumerated powers) of the U.S. Government to subsidize or educate software that prevents it.

  5. Re:Two questions on SpringSource Acquires Hyperic, Possibly Set to Target Microsoft and IBM · · Score: 1

    Or, maybe hyperbaric, as in, oxygen at high pressure, because whoever wrote that press release sounds a little loopy...

  6. They Love Rap? I Think Not on Town Fights Cricket Plague With Led Zeppelin · · Score: 1

    The TFA doesn't say they love rap. What it says is that the 2007 and 2008 crickets had "hipper tastes" (i.e. weren't as deterred by heavy-metal music as the 2006 crickets were). Apparently samzenpus mis-read "hipper" as "hip-hop" and assumed they love rap.

    Le Sigh.

  7. Re:Yeah I don't buy it. on A Cyber-Attack On an American City · · Score: 1

    Perhaps "cyber attack" should be limited to attacks which both use modern/dominant communication networks as the means and focus on modern/dominant communication networks as the target(s).

    An attack that uses, say, the Internet, in the form of email, instant messaging, forums, etc. to convince someone to jump off a cliff, would therefore not be a "cyber attack" (used a "cyber" means, but not against a cyber target), nor would simply planting a bomb, or launching a missile at the location of an ISP (non-cyber means attacking a cyber target).

    Obviously, there are gray areas, and room for interpretation. A lot can be clarified by looking at the intent of the attack, to the extent it can be determined. In the Morgan Hill case, we don't really know what the intent was -- we don't even know who the attackers were. So it's not the best example.

    I think the important lesson to take away here is that communications networks are becoming increasingly vital resources to our communities and our country as a whole. The Powers That Be need to stop treating them as merely "entertainment", dispensable, or somehow on a tier of importance several levels lower than traditional, "tangible" vital resources such as food, water, shelter, medical care, physical protection, etc. As much as we may hate to admit it, most of us are dependent on communications networks, and it's more than just an "inconvenience" when they become unavailable. That dependence lures terrorists and other miscreants.

  8. Re:NYCL's analysis is just... wrong. on Appeals Court Says RIAA Hearing Can't Be Streamed · · Score: 1

    The All Writs Act (28 U.S.C. § 1651) very generally allows Federal courts to "issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law", and while the FRCP abolishes several writs by name, mandamus isn't one of them.

    Advisory writs of mandamus are "extraordinary", in the legal sense, only meant to be used for matters of great public importance and urgency. Apparently the Appeals Court felt that this matter fell into that category.

  9. Re:Time to stop enabling spoiled brats on The Real Story Behind Gaming Addiction · · Score: 1

    We all have varying degrees of impulse control, what we mean by psychological addictiveness is that a given person may, for whatever reason, have stronger impulses with respect to a particular activity or emotional state, such that it may be beyond their threshold of controllability. Not all impulses have equal strength.

    Your amateurish treatment comes dangerously close to implying that "psychologically addicted" people are simply weak-willed and will just do anything that gives them short-term gratification. While there may be some people like that, they are very rare. That would be Hedonism, and probably the result of some sort of Arrested Development since -- as you more or less correctly point out -- this is how a child engages the world, before their impulse control is developed.

    Much more common, however, is the case where a particular thing creates such a strong impulse in a particular, otherwise-"normal" person, that they cannot control, and are compelled to act on it. This is what causes most of the problems and needs to be addressed in a comprehensive and understanding way. Yelling at them to "grow up!" is unhelpful when they can already control 99% of their impulses -- maybe even more than you can, since you apparently have an uncontrollable impulse to paint people with a very broad brush -- and it's just this one thing that is their weakness, their Achilles' heel, as it were, the thing they need help with.

    And blaming the state of the economy on the poor impulse control of people who eat too much cake or interrupt sex to watch hockey, or steal baubles from dime stores, seems a little opportunistic and far-fetched for my tastes. Kinda blows a hole in the credibility of the rest of your argument.

  10. Re:Rule of thumb: on New ICANN TLDs May Cause Internet Land Rush · · Score: 2, Insightful

    No, no, that's not the most clueless quote in the article. Try this one:

    Liliana Gil, director of global marketing services with Johnson & Johnson, doesn't see the common suffixes being overtaken but believes, "This could be a fun new way to communicate a message digitally. ...You could have tylenol.children, tylenol.pm."

    To start with, .pm already exists. It's the Country-Code TLD (ccTLD) for "Saint Pierre and Miquelon". So this clueless person could register "tylenol.pm" today for J&J's website, if the name conforms to the namespace rules of the ccTLD registry and J&J, as a business, meets the "eligibility" requirements as well (e.g. they might require that your business has a "presence" in their country, or be on the official local "registry" of businesses). Regardless, adding new gTLDs per this new ICANN policy has zero effect on the ability of J&J to register tylenol.pm or not.

    OK, so then this person also muses about registering tylenol.children. Do they think that Johnson & Johnson would have sole control of the .children TLD, for the benefit of one subdomain (or maybe a handful, if J&J has "children's" versions of more than one of their drugs)? No, it seems far more likely that .children will be registered by some other organization, a children's rights group, for instance (cue all the lame Slashdot "think of the children!" quasi-jokes now), and then J&J would need to go begging them for a delegation for their "fun" new website's name. Whoever held the .children TLD could then charge J&J an exorbitant fee for that delegation. Marketing opportunity? Sure, whoever makes out well on the initial "land grab" is going to make tons of money, but is J&J going to benefit? Probably not. These new "marketing opportunities" will probably impose a new "tax" on those of us who market regular products and services on the Intartubes, while benefiting the "land-grabbers". Dollar for dollar, J&J's marketing budget may be far more effective in more "traditional" channels rather than pursuing these new "fun" -- but likely very expensive -- arbitrary-TLD opportunities.

  11. Alternate News Source? on Irish Domain Registry Banning Adult Domains · · Score: 1

    My workplace blocks all URLs with "sex" as a label of the domain name, you insensitive clod! So I can't access TFA.

    But, as someone who deals with DNS professionally, I have a legitimate need to read about TLD registry policy changes.

    Does anyone have an alternate URL for this story?

  12. Re:Generate your own 'fake' logs on Bill Would Require ISPs, Wi-Fi Users To Keep Logs · · Score: 1

    Study Con Law much? That line of reasoning went out the window several decades ago.

    First of all, I assume you occasionally access sites that are outside the boundaries of your own state. Your packets are therefore crossing state lines, and you're paying your ISP to route them that way, advertising is coming at you from another state, there's very little "wiggle room" here to say that this is not "Interstate Commerce" and thus proper subject matter for Federal legislation.

    Are you with me so far?

    Now, even if hypothetically you never access an out-of-state site, it still doesn't really matter. Your access of in-state sites still "affects" Interstate Commerce. Those in-state sites offer services which could be provided out-of-state, thus by accessing them, you are depriving the out-of-state sites of possible revenue. You're "affecting" Interstate Commerce. See Wickard v. Filburn, 317 U.S. 111 (1942) (in that case it was about wheat which was consumed entirely within a state, the ruling was that the consumption still "affected" Interstate Commerce). Wikipedia has an entry for that particular decision, if you don't want to wade through the legalese of the decision itself.

    P.S. IANAL, Con Law is just one of my hobbies.

  13. Bad Article, Bad Summary on Security Researcher Kaminsky Pushes DNS Patching · · Score: 5, Interesting

    Kaminsky supports patching existing nameservers (to increase query source-port entropy and thus make the so-called "Kaminsky" attack far less likely to succeed).

    He also supports DNSSEC as the long-term solution to the whole class of vulnerabilities.

    But these are not the same thing.

    Patching DNS servers is done to the nameserver programs, DNSSEC is done to the nameserver configurations and to the DNS data itself.

    The article, and Slashdot's summary of it, mixes up the two in an unfortunate salad. Very disappointing indeed.

  14. Re:No need for IPv6, ever on IPv4 Address Use In 2008 · · Score: 1

    DNS already has this functionality in the form of SRV records, see, e.g. http://www.pantz.org/software/bind/srvdnsrecords.html The problem is, the client software maintainers/vendors have yet to incorporate SRV support into their packages/products.

  15. Old Lightbulb Joke on Brain Electrodes That Screw On the Skin · · Score: 5, Funny

    I read this headline and immediately thought of the old lightbulb joke:

    How many flies does it take to screw in a lightbulb?

    Two, but how do you get them in there?

    After that, I wasn't sure I wanted to read TFA about something "screw[ing] on my skin". Ick.

  16. In OO We Trust? on Best Paradigm For a First Programming Course? · · Score: 0, Offtopic

    The methods within an object are, of course, functional.

    Despite omnipresent side effects?

    Um, "omnipresent" means being everywhere, simultaneously, and is thus an attribute of a deity. I doubt that even the most ardent OO-worshipper would ascribe godhood to an object.

    I'm thinking the word you meant was something more along the lines of "inevitable" or "ineluctable".

  17. Re:Mass mailing on Student Faces Suspension For Spamming Profs · · Score: 1

    Read the policy more carefully, please. It says that "University offices" get this exception for announcing "changes of University policies or procedures".

    Ordinary students or, presumably, individual faculty members, don't enjoy the exception.

  18. Re:Do I not understand? on The Backstory of the Kaminsky Bug · · Score: 1

    No, that's not it. If the perp controls the domain.com domain, they don't need to play any CNAME tricks, they can spoof www.domain.com directly.

    In simple terms, the Kaminsky exploit fools a caching nameserver's notion of what addresses are associated with example.com's nameservers, by eliciting a bunch of doomed-to-failure queries of names underneath example.com (e.g. a.example.com, aa.example.com, xyz.example.com) along with fake, source-address-spoofed answers to those queries. Eventually the query ID # matches, the caching nameserver accepts the response, including the NS records and associated A/AAAA records (collectively called "glue") in the response identifying the example.com nameservers, and subsequent queries of all example.com names -- including the omnipresent www.example.com -- are redirected to the bad guy's nameservers, until the TTL on the glue records expires.

    The reason for not just querying the same name under example.com is because negative caching would substantially drive up the number of packets required for a successful attack. That's the innovation that Kaminsky brought to bear on the scenario; using a series of doomed-to-failure subdomain queries instead of the same name over and over. That makes the attack much faster, and thus far more likely to be successful in the limited-time windows that hackers have available to them for source-address spoofing.

    The long-term fix is something like DNSSEC to crypto-authenticate the packets. In the meantime, randomizing the source ports of queries adds enough entropy, in addition to randomizing the query ID #, that the packet volume of a would-be attacker is (hopefully) detected and their attempt blocked before it succeeds.

    You might want to check out http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html, which appears to be a fairly good "beginner's guide to iterative DNS resolution and its vulnerability to the Kaminsky attack" document. Lots of pretty diagrams...
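
An added example, not part of the comment above and not code from any resolver: a simplified model of how source-port randomization enlarges the space a blind forger must guess, and a detector that counts responses failing the (server, query ID, port) match per zone. The log format, the `zone_of` heuristic, the sample data and the thresholds are constructed assumptions.

```python
from collections import defaultdict

QID_BITS = 16  # the DNS header transaction ID is a 16-bit field


def guess_space(port_pool):
    """(query ID, source port) combinations a blind forger has to guess among."""
    return (2 ** QID_BITS) * max(port_pool, 1)


def spoof_success_probability(forged, port_pool):
    """Simplified model: `forged` distinct guesses against one outstanding query."""
    return min(1.0, forged / guess_space(port_pool))


def parse(line):
    """Constructed log format: 'time kind qname server qid port' (kind is Q or R)."""
    ts, kind, qname, server, qid, port = line.split()
    return float(ts), kind, qname.lower().rstrip("."), server, int(qid), int(port)


def zone_of(qname, labels=2):
    """Assumption: treat the last two labels as the zone; real code needs the delegation point."""
    return ".".join(qname.split(".")[-labels:])


def detect_bursts(lines, window=1.0, threshold=5):
    """Return zones with >= threshold unmatched responses inside `window` seconds."""
    outstanding = {}              # qname -> (server, qid, port) of the query sent
    rejects = defaultdict(list)   # zone -> timestamps of responses that matched nothing
    alerts = set()
    for line in lines:
        ts, kind, qname, server, qid, port = parse(line)
        if kind == "Q":
            outstanding[qname] = (server, qid, port)
            continue
        if outstanding.get(qname) == (server, qid, port):
            del outstanding[qname]          # genuine answer, query is settled
            continue
        hits = rejects[zone_of(qname)]
        hits.append(ts)
        while ts - hits[0] > window:        # slide the time window forward
            hits.pop(0)
        if len(hits) >= threshold:
            alerts.add(zone_of(qname))
    return sorted(alerts)


def sample_log():
    """Constructed data: one normal lookup, then many wrong-ID answers under one zone."""
    log = ["0.00 Q www.example.org 192.0.2.53 4660 33001",
           "0.02 R www.example.org 192.0.2.53 4660 33001"]
    for i in range(3):
        name = f"x{i}.example.com"
        start = 1 + i * 0.1
        log.append(f"{start:.2f} Q {name} 198.51.100.53 {7000 + i} {40000 + i}")
        for j in range(4):
            log.append(f"{start + 0.01 * (j + 1):.2f} R {name} 198.51.100.53 {100 + j} {40000 + i}")
    return log


if __name__ == "__main__":
    print("fixed port, 6554 forgeries:", spoof_success_probability(6554, 1))
    print("16384-port pool, same volume:", spoof_success_probability(6554, 16384))
    print("zones flagged:", detect_bursts(sample_log()))
```
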

  19. Re:What a tool... on Groklaw Summarizes the Lori Drew Verdict · · Score: 1

    Sigh, yet another throwback who doesn't understand addiction pathways in the brain. Do I need to use some sort of science-fiction example to show that sometimes a "choice" isn't simply a conscious, informed, objective choice? There are chemical and psychological underpinnings that cause many choices to be somewhat less than "free". Volition is not absolute.

    Some people profit off getting other people addicted. Some people die or get seriously harmed (physically, medically, socially, financially) because of this exploitation. Society exists largely to prevent harm done by people to others through exploitation.

    Ergo: it is a valid social policy objective to limit or restrict certain substances, objects, devices, etc. which have a proven track record of leading to addiction and/or to punish those who deliberately set out to addict and exploit others for their own gain.

    I thought we all understood this by now. I guess there's always going to be some troglodytes worshipping "personal responsibility" as if it were some graven idol. Ignore them. Society moves on and evolves to deal with its never-ending challenges, regardless of those who cling to outdated ideas of human behavior.

  20. Re:Shit on Lori Drew Trial Results In 3 Misdemeanor Convictions · · Score: 1

    As for "interstate communication", that's trivial to prove since Lori Drew's "criminal" actions almost certainly caused packets to traverse the physical borders of a physical state at least once, if not thousands of times.

  21. Re:Shit on Lori Drew Trial Results In 3 Misdemeanor Convictions · · Score: 1

    No, that's not what she was prosecuted under, and if you care to look at the definition of "damage" within the statute itself, you'll see that there is no plausible way she could have been prosecuted that way.

  22. Re:Shit on Lori Drew Trial Results In 3 Misdemeanor Convictions · · Score: 1

    Do you have any freaking clue what she was actually convicted of? Harassment? No. She was convicted of (excerpting the relevant text from 18 USC 1030 and adjusting the verb tense) "intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] [...] information from any protected computer if the conduct involved an interstate or foreign communication".

    If you don't see how broad and sweeping and unprecedented such a conviction is, then I pity you. In a more perfect world, Missouri would have had laws on the books to be able to throw Lori Drew's ass in jail for a long time, for what she did to Megan Meier, without getting the feds involved, but no such laws existed, so those seeking retribution went this "backdoor" route. But it's wrong, wrong, wrong, and dangerous.

    This needs to be dismissed outright (the judge is still considering that motion), or overturned on appeal. We can't give power to ISPs and/or content providers to arbitrarily and without notice criminalize users by manipulating their respective ToSes. That's incredibly ripe for abuse. And I'm damn sure that Congress never intended that to be the effect of the law when they passed it.

  23. Re:not so fast on Experts Tell Feds To Sign the DNS Root ASAP · · Score: 3, Interesting

    That was the Kashpureff attack, not the Kaminsky attack. Your understanding of DNS cache poisoning attacks is unfortunately about a decade out of date. All major resolver implementations now do "bailiwick checking" and aren't fooled by crude, cheap tricks as you describe.

    The Kaminsky attack does use forged packets, which then poison the cache with bogus NS records in ways that are not blocked by bailiwick-checking. These bogus NS records then "redirect" future queries of names under the same delegation point. Yes, using TCP exclusively would add much more entropy to DNS transactions, and thus make them much more resilient to forgery and thus to Kaminsky attacks.

    But, at what cost? TCP is a hog, and typical DNS servers perform many millions of queries a day. Tens of millions and even hundreds of millions, are not uncommon.

    Also, the DNS standards explicitly say that TCP is used for ordinary queries only as a fallback in case the response doesn't fit in a UDP packet -- and since the introduction of EDNS0 it's actually becoming quite rare for TCP fallback to become necessary. So the standards would have to be updated, and DNS software would then have to be modified to reflect the new standards. DNSSEC has a huge head-start on your "TCP exclusively" proposal along the standards-approval process.

    Lastly, many firewall rulesets wouldn't allow TCP queries and responses as a regular occurrence, so they would need to be updated as well.

    All of this would take many years to implement. From a cost/benefit standpoint and a how-soon-to-implement standpoint, DNSSEC comes out ahead of "TCP exclusively" and what you get when all is said and done is superior protection against Kaminsky attacks.

    "TCP exclusively" isn't a particularly original idea, by the way, see http://www.merit.edu/mail.archives/nanog/msg10298.html (August 9) and the subsequent discussion.

  24. Um, no on Lori Drew Cyber-Bullying Trial Begins · · Score: 1

    First of all, that's not the interpretation under which she was indicted. Read the indictment.

    Secondly, look at the definition of "damage" in (e)(8): "the term 'damage' means any impairment to the integrity or availability of data, a program, a system, or information".

    Whatever mental state Lori Drew caused with her "unauthorized" access of MySpace, that ultimately led Megan Meier to kill herself, it doesn't qualify as "damage" under the statutory definition.

  25. Re:Endangerment? on Lori Drew Cyber-Bullying Trial Begins · · Score: 1

    IANAL, but I don't think those statutes can be used unless the perpetrator actually has some special responsibility towards the child -- parent, guardian, custodian, in loco parentis, etc.

    You have to have some sort of limitation like that, otherwise you'd end up criminalizing all sorts of "ordinary" negligent behavior that wouldn't be prosecutable per se but which coincidentally ends up hurting a child, e.g. forgetting to clean up some broken glass on one's sidewalk.