The DNS servers themselves are an eclectic mix of Linux, Solaris, and I think BSD, running a mix of BIND and djbdns. The firewalls are Secure Computing Sidewinders (now Secure Computing Secure Firewall), which are expensive but I think worth it. Secure Computing issued a patch for the DNS vulnerability last week, and some follow-up tests show that we're not vulnerable.
To be clear, the Sidewinders just seem to handle the source ports. I don't believe that they alter the query ID at all, so patching the DNS servers themselves (or just running djbdns) is still important.
I'm not sure that I've ever celebrated someone's death. When word hit that Saddam Hussein was executed, I didn't celebrate or even smile. I was just relieved that it was over. The same thing happened when word of his sons' deaths was released, and when Jeffrey Dahmer's murder was announced (though that was tempered with some frustration that he would not serve his sentence). The same thing happens when murderers are executed. I personally have no reason to celebrate, as I was not directly affected by it. I don't know that I would even if it directly affected me or someone I knew.
He didn't go through all that much trouble. He was at a minimum-security federal prison camp, and walked off the premises. His wife was waiting at the side of the road for him, and they just drove off.
Because that's how DNS generally treats requests that fall within the same domain (known as bailiwick protection). The question that you ask has been asked numerous times, and there's certainly good reason to review the logic behind Additional Resource Record handling, but tinkering with DNS is a very tricky thing. A proposed solution may fix the problem, but break other things on a much wider scale.
Where I work, we run the servers through a proxy firewall with a DNS proxy service, and the DNS service on the firewall has been patched for this vulnerability. For traffic run through it, it doesn't preserve source port from the DNS servers, and from a quick glance, the source ports on requests seem to be randomized, so I think from that perspective, we may well be safer even for unpatched servers. However, our setup seems to be the exception, and we may have a couple of other networks (physically and logically separated from the primary) that do not have the benefits of this arrangement.
The problem is that glue records are often used to pass the addresses of nameservers required to resolve the domain in question. If that glue record can be passed back with a false address to the nameserver, the entire domain can now be controlled. If you can pull this off with a TLD, then the attack becomes much more serious. It appears at first glance that in addition to TTL restrictions (com has a TTL of two days), bailiwick limitations may limit these kinds of attacks (com, for example, is served off of [a-m].gtld-servers.net). Even if bailiwick limitations wouldn't stop this case, it would take probably tens of thousands of days -- and hence many years -- to pull this off, and that's if you got the response just perfect. If there's a way to have a DNS server ignore a TTL or drop it from the cache and necessitate a lookup, though, there could be some more promise in this route.
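The bailiwick check the comment above refers to, as an added example (not the commenter's code): a resolver querying the com servers treats "com" as the bailiwick and only accepts authority and glue records that fall under it, and only accepts glue for names that are targets of an accepted NS record. The record tuples and addresses are constructed for the example. Note what this does not cover: a spoofed glue record for a legitimate in-bailiwick nameserver name passes this filter, which is exactly why query ID and source port randomization still matter.

```python
def in_bailiwick(zone, name):
    """True if name equals zone or is a subdomain of it (case-insensitive, trailing dots ignored)."""
    z = zone.rstrip(".").lower()
    n = name.rstrip(".").lower()
    if z == "":            # the root zone is the bailiwick for every name
        return True
    return n == z or n.endswith("." + z)


def filter_response(bailiwick, authority, additional):
    """Apply bailiwick rules to a delegation response.

    Records are (name, type, rdata) tuples. Returns (kept_authority,
    kept_glue, dropped) so a caller can log what was discarded.
    Policy assumed here: glue is used only for names that are targets of an
    accepted NS record, which is a stricter rule than plain bailiwick checking.
    """
    kept_authority = [rr for rr in authority if in_bailiwick(bailiwick, rr[0])]
    ns_targets = {rr[2].rstrip(".").lower() for rr in kept_authority if rr[1] == "NS"}

    kept_glue, dropped = [], []
    for rr in additional:
        name, rtype, _rdata = rr
        is_glue_target = name.rstrip(".").lower() in ns_targets
        if rtype in ("A", "AAAA") and in_bailiwick(bailiwick, name) and is_glue_target:
            kept_glue.append(rr)
        else:
            dropped.append(rr)
    dropped.extend(rr for rr in authority if rr not in kept_authority)
    return kept_authority, kept_glue, dropped


# Constructed delegation response for a query about www.example.com, as if
# returned by a com server. Two records should be rejected: an NS record for a
# zone outside com, and an A record for a name that is not a delegated nameserver.
AUTHORITY = [
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("example.net.", "NS", "ns1.example.net."),   # outside the com bailiwick
]
ADDITIONAL = [
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("ns2.example.com.", "A", "192.0.2.2"),
    ("www.example.com.", "A", "192.0.2.99"),      # in bailiwick, but not an NS target
    ("ns1.example.net.", "A", "198.51.100.7"),    # glue for an out-of-bailiwick NS
]

if __name__ == "__main__":
    auth, glue, dropped = filter_response("com", AUTHORITY, ADDITIONAL)
    print("accepted authority:", auth)
    print("accepted glue:", glue)
    print("dropped:", dropped)
```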
You may still not be safe. If someone can fire off an XSS attack through your browser, it could do enough lookups to make you vulnerable. Combine this with another periodic run to a controlled server to grab your source port for guessing (presuming that you have not patched), and you may have a problem.
Granted, it's unlikely that you would explicitly be targeted, and things like NoScript help defend against it, but there are still possible gaps. In fact, there are several tens of millions of systems which will remain vulnerable for some time to come; I haven't seen many SOHO router firmware fixes released so far, and a lot of people point to their routers for their DNS.
There's a measure on the November ballot to add a state constitutional amendment. While a year ago it would have stood a very good chance of passing, many observers think that it's now doomed to fail, seeing as how gays are getting married and the state hasn't yet fallen into the Pacific.
As I understand it, the attack is that simple, with the added caveat that the query ID has to match. By my calculations, a 1Mbps uplink can attempt around 1000 attacks per second (two UDP packets, one for the request and one for the spoof). Picking a query ID of, say, 3526 for the spoofed response sent, there's a 1/65535 chance of that matching the query ID. Odds are that it would take under a minute of that to successfully poison the server.
The server should be using randomized source ports, but many OSes do not properly randomize their use of ephemeral ports, and instead go sequentially. Watching for the source port used here (by querying against one's own DNS server) allows the source port to be guessed during the attack, reducing the range of ports to be attempted. Some DNS servers use port 53 as source and destination, which is even worse, and was recommended against long ago.
I'm not completely sure of what the patches changed. It's mentioned that source port randomization was enabled by Microsoft, and that at least some Unix vendors have disabled "query-source port" lines in their named.conf files. We should have some solid details no later than Kaminsky's talk at Black Hat.
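The check the comment above describes, watching the source ports your own resolver uses, as an added example (not the commenter's code): it parses tcpdump-style lines for outbound UDP/53 queries and classifies both the source ports and the transaction IDs as fixed on port 53, sequential, or showing no obvious pattern. The capture lines, addresses, ports and IDs are constructed for the example, and the line layout assumed is tcpdump's default "IP src.port > dst.53: txid+ A? name." form.

```python
import re

# Constructed captures of outbound queries from three resolvers; the source
# ports and transaction IDs are made up to show each pattern.
SEQUENTIAL_CAPTURE = """\
12:00:01.000 IP 192.0.2.10.32768 > 198.51.100.1.53: 41023+ A? example.com. (29)
12:00:01.010 IP 192.0.2.10.32769 > 198.51.100.1.53: 41024+ A? example.net. (29)
12:00:01.020 IP 192.0.2.10.32770 > 198.51.100.1.53: 41025+ A? example.org. (29)
12:00:01.030 IP 192.0.2.10.32771 > 198.51.100.1.53: 41026+ AAAA? example.com. (32)
"""

PORT53_CAPTURE = """\
12:00:02.000 IP 192.0.2.11.53 > 198.51.100.1.53: 7+ A? example.com. (29)
12:00:02.010 IP 192.0.2.11.53 > 198.51.100.1.53: 8+ A? example.net. (29)
12:00:02.020 IP 192.0.2.11.53 > 198.51.100.1.53: 9+ A? example.org. (29)
"""

RANDOMIZED_CAPTURE = """\
12:00:03.000 IP 192.0.2.12.14231 > 198.51.100.1.53: 60021+ A? example.com. (29)
12:00:03.010 IP 192.0.2.12.3377 > 198.51.100.1.53: 2815+ A? example.net. (29)
12:00:03.020 IP 192.0.2.12.51890 > 198.51.100.1.53: 47120+ A? example.org. (29)
12:00:03.030 IP 192.0.2.12.27106 > 198.51.100.1.53: 9955+ AAAA? example.com. (32)
"""

# Source port of the query, then the transaction ID that tcpdump prints before '+'.
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+?\s")


def parse_queries(capture):
    """Return (source_port, txid) pairs for every query line sent to UDP/53."""
    pairs = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def classify_sequence(values):
    """Classify 16-bit values as fixed-53, sequential, or no-obvious-pattern."""
    if len(values) < 2:
        return "insufficient-data"
    if all(v == 53 for v in values):
        return "fixed-53"
    deltas = [b - a for a, b in zip(values, values[1:])]
    # Small positive steps between consecutive values mean a counter, not a PRNG.
    stepwise = sum(1 for d in deltas if 0 < d <= 2) / len(deltas)
    return "sequential" if stepwise >= 0.8 else "no-obvious-pattern"


def assess_capture(capture):
    """Summarize how predictable a resolver's source ports and TXIDs look."""
    pairs = parse_queries(capture)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    port_class = classify_sequence(ports)
    return {
        "queries": len(pairs),
        "source_port": port_class,
        "txid": classify_sequence(txids),
        # A fixed or counting port leaves only the 16-bit TXID for an off-path spoofer to guess.
        "port_adds_entropy": port_class == "no-obvious-pattern",
    }


if __name__ == "__main__":
    for label, cap in (("sequential", SEQUENTIAL_CAPTURE),
                       ("port-53", PORT53_CAPTURE),
                       ("randomized", RANDOMIZED_CAPTURE)):
        print(label, assess_capture(cap))
```

A few dozen real queries (for example, resolving hosts in a loop against your own resolver while capturing on the outside interface) give a far better basis for the classification than the four-line samples here.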
LEDs are constant outflow, like incandescents. There is no flicker at all.
A lot of people who experience headaches under fluorescent bulbs are able to fix it by adjusting the refresh rate of their CRT screens, as the 60Hz flicker and 60Hz refresh rate can cause discomfort. If you have an LCD, you're out of luck, but if you have a CRT and can get a refresh rate of 75 or above, it may help alleviate the pain somewhat.
We don't know that. Even the summary says that the reporter "worries that doing so makes kavya look like an idiot rather than the sweetly earnest 7-year-old that he or she might be." (Emphasis added)
There are cases where it may be appropriate to paraphrase instead of directly quoting, such as the case of a child asking a question or perhaps someone whose native language is not English. They should be the exception, however. Even those who went through the US public school system should know enough basic grammar and spelling to be able to ask, "How is a baby formed?" and "How does a girl get pregnant?" without mangling things so badly.
I think they should be left alone in all formats. When it's put against a background of generally proper grammar, it looks even worse. If there's a higher chance of someone's quote becoming popular, it may (may) get them to consider using a spell checker. Even if it's incremental, getting people to learn better grammar is good for everyone.
You can buy systems with Windows licenses that come under the corporate agreements. You have to do it through a Microsoft license rep for the company, though, and not through the regular sales channels.
Corporate customers get significant leeway in their orders, especially if a contract was signed beforehand. Even without those, however, most corporate customers have access through Microsoft to Windows XP under Open, Select, or Software Assurance licenses and if the Vista licenses that come with the computer fall under the terms of those agreements, they may legally downgrade. (There may be some other situations in which a customer may legally install a prior version of Windows, but I'm kind of fuzzy on what they may be.)
Severe turbulence can quickly throw one into nausea. I generally don't get airsick, but in cases of heavy or severe turbulence, I can certainly start to feel queasy. After we cleared that thunderstorm, a lot of people around me were asking for ginger ale.
Maybe if the Reagan administration hadn't helped Bin Laden and Crew fight the Russians in the '80s
There were a lot of groups fighting the Russians in Afghanistan in the 1980s, with many of them receiving help from the US, but bin Laden's group wasn't among them. He brought with him his own money, or accepted donations from certain Arabic groups, but he was adamant about keeping money from heretic sources well away from him.
I have. It's not at all pleasant, and not something that you can sleep through by any means without serious medication. I know that we didn't fly through the heaviest parts -- that can actually be lethal due to hail and some seriously evil wind, and planes have been knocked from the sky by this -- but it was bad enough that I would prefer to avoid it, though I don't mind most turbulence. I can't find it right now, but I've seen photos of test planes that were flown through thunderstorms, and they came back with dents from nose to tail and all over the wings due to hail bouncing off of the plane.
I'm not arguing against that. I'm just saying that for the purposes of my backups, what I write to today is not much of a concern for the data that I have in a decade or two, as the data will have moved forward with me in that time.
By the time I got into computers, 8" floppies were already out of date. I have access to Jaz drives, Superdrives, and a few others.
I think that since we have pretty much settled on an optical disk physical size, the risks are less, since the ever-finer beams in advancing formats can be used for older media types with wider spacing. It's a consequence of the commoditization of optical media.
I have a 5.25" floppy, two functional Zip drives, and a couple of other odds and ends that may or may not work, including some 4X CD-ROM drives. Seeing as how the backups are not really intended to be permanent, the DVDs will suffice.
This is a persistent worry for me. I recently started considering again what I was backing up, and realized that a full backup of just the data that is either impossible or very difficult to replace takes up about seven DVDs. Then there's the stuff that's just really, really annoying to replace, and that's more than half a terabyte.
And then when I settle on a solution (recently including Taiyo-Yuden DVD+R media stored in a fireproof lockbox), I wonder about whether it will survive an EMP blast. I worried that I obsessed over too-trivial things, and then I read this xkcd, and realized that yes, I do obsess over too-trivial things, but I am not alone.
Is it seriously so hard to ignore your BlackBerry that you won't take it with you on vacation?
I'm on vacation. I have colleagues whose job is to fill in when I'm not available. They'll survive.
If it really is absolutely necessary to contact me, my team colleagues (and only them, totaling five people) have my personal cell number. We have an internal taboo about calling personal numbers; it took four years of me working here before I gave mine up, and then only because of a problem where someone left his BlackBerry downstairs when he went to bed and he was the only one with the answer, so I volunteered the first private number up to let them know how serious the situation had been. It's a very fragile situation, though, and everyone knows it. If it's abused, or if someone else gets my number, they will lose the privilege of calling my personal cell. So far, no one has called even once.
There is nothing that cannot wait until tomorrow.
This applies to your job, and if you enforce it, then I applaud you. Some of us aren't so lucky and have to maintain 24/7 shops. However, as I mention above, it's still possible to craft personal rules within policy that ensure that my time actually is my time, and not stolen by the employer.
Good point. I forgot about those. We're not burning yet in SoCal, so we don't really care. :)
They're too busy trying not to spew. Turning the head during motion like that can worsen nausea. Otherwise, they probably would.
Now, if you consider the question of why you haven't been "accidentally" smacked by one of them, you may have a real question on your hands.