Slashdot Mirror


User: spinkham

spinkham's activity in the archive.

Stories: 0
Comments: 975

Comments · 975

  1. Re:An idiot playing a semantic game. on San Francisco DA Discloses City's Passwords · · Score: 3, Interesting

    I agree with the grandparent, he's just being an ass.
    He's using the word "secure" in the original question in a very narrow way. Of course a password policy must be human-centric as well as contain enough randomness to not be brute-forced or attacked easily through rainbow tables.
    There's education in teaching users how to select strong and yet memorable passwords, and when it's OK to write them down at least partially in your wallet or strong encrypted password store.
    He's being an ass because he's asking a complex question, then telling everyone they're wrong and giving a simple smug answer. You can be right and still be an ass. ;-)

    An aside is the fact that we rely on passwords too much. Dual-factor authentication for internal business use is relatively cheap and easy to set up in Windows and Linux for login, for SSH, etc. I'm genuinely surprised more people outside of the military don't use it.

  2. Re:Here we go... on Attack Code Published For DNS Vulnerability · · Score: 1

    This is why hubris is one of the most important qualifications of a security researcher, and what makes us a PITA to deal with.
    Most people look at a protocol and say, "Gee, Paul Vixie and the rest of the DNS people are smart, and I'm sure they've thought of all the important stuff."
    Security researchers are the people who say, over and over again, "I bet they didn't think of this!"
    That's essentially the job description: thinking you're smarter than the rest of the world. Kind of makes us pricks, but it's a fun job. ;-)

  3. Re:Something I'm missing... on MoBo Manufacturer Foxconn Refuses To Support Linux · · Score: 1

    Patch the OS, not the BIOS.
    At very least, blacklist only the known broken OS, and give everyone else the correct thing.
    If you're handing every OS different information, you're doing something wrong...

  4. Re:And the "fix" isn't on Attack Code Published For DNS Vulnerability · · Score: 1

    NSEC3 solves the enumeration problem, but everything else you have to say is valid.
    Of course, we have yet to see what the uptake will be in the US, because the TLDs are not signed yet.
    Until that happens (.org this year sometime, the rest undetermined) there's no good way to use DNSSEC.

  5. Re:Here we go... on Attack Code Published For DNS Vulnerability · · Score: 2, Informative

    The best known unpatched attacks really had no upper bound. You got one chance to attack, then had to wait for the records to time out before you could try again (usually set from 1 hour to 1 week, depending on the service).
    What this vulnerability does is give you infinite chances to attack with no delay, so you can try 1000 times a second if your connection is fast enough. If you can do that, you will win, and quickly.
    The attacks themselves have not really changed; we can just use them much faster.

  6. Re:Here we go... on Attack Code Published For DNS Vulnerability · · Score: 4, Informative

    Different vulnerability, that tool checks for non-random TXID, not this exploit.
    This exploit changes the game in letting other exploits work well.
    It's not so much a new class of attack as a way to give you infinite chances to use the old attacks. If you don't have an IPS checking for this, an attacker who can submit recursive queries to your resolver and wants to poison your DNS will eventually be successful. Publicly available tools work in one minute; Dan says that, coding in C on a fast connection, he's able to do it in 10 seconds.
    Has DNS been broken this badly before? Yes, multiple times. However, the will and knowledge of how to use DNS cache poisoning for further evil is much higher now than it was in the past. Also, we are becoming increasingly dependent on the Internet, and attacks on the infrastructure do more than just keep us from our news sites.
    As Dan says, "Patch. Today. Now. Yes, stay late."

  7. Re:Damned MS... on MySpace Joins OpenID Coalition · · Score: 1

    SSO centralizes the risk, then you can decide how much to invest in that risk.
    This is how the US military CAC system works, with smartcards issued to all personnel and SSO for many services. Not all services are SSO enabled, mind you, but their security needs are higher than most.
    For OpenID, I use Verisign's PIP service with the Firefox plugin to combat spoofing and a hardware token for two-factor auth, and I'm quite comfortable with the security. Unfortunately there aren't too many places to use it, as everyone wants to be a provider but not a consumer of OpenID, but that's a separate issue.

  8. All for it on Slimmed Down MySQL Offshoot Drizzle is Built For the Web · · Score: 5, Interesting

    From my point of view, this is MySQL finally embracing their target market.
    These features are great and important, but if you're doing small scale web programming through a framework that uses an ORM, or just very simple SQL, why not slim the program down?
    If you want real database features, you probably shouldn't be using MySQL in the first place in my opinion.

  9. Re:"true" 1:1? on Nintendo Unveils Wii MotionPlus · · Score: 1

    No, but close.
    It's a "tuning fork" gyroscope, specifically the InvenSense IDG-600.

    http://en.wikipedia.org/wiki/Vibrating_structure_gyroscope#Tuning_fork_gyroscope

    http://www.invensense.com/news/071508.html

  10. Re:If you don't write software at home... on How To Show Code Samples? · · Score: 1

    I would argue that a happy, well-rested, social programmer is going to do a better job and "contribute to the stock price" more than someone working 80 hours, burnt out, overcaffeinated, undersocialized, etc.
    Of course, there's a lot of middle ground here, but great employees work for great employers who let them be creative and social individuals rather than overdriven cogs in the machine. Sometimes that means you code on open source in your spare time, and sometimes that means you enjoy time recharging with your friends / spouse. Good companies hire people, not "human resources".

  11. Re:If you don't write software at home... on How To Show Code Samples? · · Score: 1

    No, some of us get it.
    We also have wives, kids, and other hobbies that we do outside of work.
    Yes, I do some coding outside of working hours on things for myself, but not nearly as much as I put time into my family, my friends, my house, etc.
    Time relaxing and enjoying yourself and others can make you much more creative and energetic at your work, rather than just another burnt-out techie.

  12. Re:Startup latency on The Next Browser Scripting Language Is — C? · · Score: 1

    In order to make C anything approaching safe, you're going to end up with something that has the speed of Java or less, with similar memory requirements. And we all know how well Java applets went over.
    The only upside is the ease of compiling existing C code vs. rewriting code in Java. And if it already exists in C form and I need it, I'd rather just run it locally, thanks.

  13. Re:So is AVG still a good AV prog? on AVG Backs Down From Flooding the Internet · · Score: 1

    I would say careful users do not need background AV, but a regular on-demand scanner is good enough.
    Of course, by careful I mean paranoid: running the latest Firefox with NoScript, running without Flash or with the latest version of Flash, not surfing to too many free pron sites and downloading wares, etc.
    I work in web security, so the "careful" bar is set pretty high for me ;-)

  14. Re:Good Stuff! on AVG Backs Down From Flooding the Internet · · Score: 1

    NOD32
    It's awesome. Fast, simple, small, high quality results on all the tests. Not free, but cheap ($30-$40 depending on how many licenses you buy).
    If you need free, I now recommend Avast over AVG with the newest bloatware version of AVG.

  15. Re:bad idea on Fresh Air For Windows? · · Score: 1

    So you keep around emulators, or virtualize old Windows.
    For old games I either use DOSBox, Wine, or a copy of Windows 2k or XP in a virtual machine.
    Same strategy for playing C64 games, Atari 2600, NES, etc. Game backwards compatibility specifically, or backwards compatibility in general, is a bad excuse for not fixing a broken architecture.
    Arguably MS is trying to rearchitect through .NET, just few people are interested as long as they have a choice...

  16. This is only a concern to driver writers on Clash of the Titans Over USB 3.0 Specification Process · · Score: 5, Informative

    This is a replay of the OHCI/UHCI host controller interface standards of original USB.
    This does NOT at all affect users, only driver writers.
    What is being forked is the USB driver interface, and it does not affect device compatibility at all.
    As mentioned above, there were two driver interfaces for the original USB standard, and the only people who knew were driver writers and nerds compiling their own custom kernel.
    This is blown way out of proportion, and doesn't affect 99.999% of us. Nothing to see here, move along....

  17. Re:IP is the most important issue facing us in the on H.R. 4279 Would Establish Federal IP Cops · · Score: 1

    You forgot to mention that the "war on drugs" that our legal system has been dealing with so admirably is over, so we have plenty of law enforcement to spare.

  18. Gnutella on P2P BitTorrent Tool Could Replace Pirate Bay · · Score: 1

    And this differs from Gnutella how?

  19. Re:It's not... on Open Source BIND Alternative Launches · · Score: 1

    No. That could refer to a proxy for an authoritative name server, a proxy for a resolver, etc.
    A recursive resolver does much more than simply proxy requests; it searches down the DNS namespace to find the information you are looking for.
    You ask for www.amazon.com, and it queries multiple servers to get more and more specific information, then returns the result to you.
    There are good definitions for the terms name server, authoritative name server, resolver, recursive resolver and more in the DNS world, but "DNS server" is ambiguous and means exactly what the speaker means. People who deal with DNS tend to avoid the general term due to this difficulty.

  20. Re:It's not... on Open Source BIND Alternative Launches · · Score: 1

    Correct. I was just referring to the ambiguity of the term "DNS Server", since the parent claimed that unbound was not one. Name server, authoritative server, resolver, etc. are all strictly defined, but DNS server can mean any of the above.

  21. Re:It's not... on Open Source BIND Alternative Launches · · Score: 4, Informative

    It IS a DNS server, just not an authoritative server. DNS servers come in 2 flavors, authoritative servers (which hold the actual info) and recursive servers (which do the looking up for a client).
    Most DNS servers do both, so "DNS server" means many different things depending on the context. When your ISP gives you a "DNS server" to use, it's a recursive server, not an authoritative server.
    The end user has a "stub resolver", which does not qualify as a server.

    For a more in-depth discussion of DNS architecture and DNSSEC, you can check out "DNS for Rocket Scientists" here http://www.zytrax.com/books/dns/ or a talk I gave on DNS security here:
    http://www.mavensecurity.com/presentations

  22. Re:Components - yes. Distributions - no. on Shuttleworth Calls For Coordinated Release Cycles · · Score: 1

    You obviously are not an OSS developer.
    For most projects, OSS development happens in our free time, after working hours. It is done primarily to "scratch our own itch" or to build reputation in a community. "Death march" style project planning does not fit either one of those goals. (I'm not sure it fits -ANY- goals well, but that's a different rant)
    It's done when it's done. If development goes on forever, sometimes features are cut for release, but releases shouldn't happen until they are solid. Anything else causes OSS to lose all the benefits it enjoys, and the developers will quickly burn out.
    You don't like the release schedule? Do the work yourself or pay the developers to do it for you. Otherwise you have no say.

  23. Re:Degree of Compromise? on Debian Bug Leaves Private SSL/SSH Keys Guessable · · Score: 1

    Ubuntu ships with a list of 98307 known bad SSH-DSA keys. I don't know if this list is exhaustive, but if it is, that's really a vanishingly low number of possibilities to try to brute force. Might want to put down that coffee...

  24. Make joining easy on Recruitment Options For a Small-Scale FOSS Project? · · Score: 1

    The best thing you can do to get people involved is to make something cool, and make it easy for people to join you.
    Assuming you already made something cool, you need to make sure your project has visibility to people who might want to help. This means, at minimum, public documentation and some sort of archived email list or forum where they can contact you (and each other) and get questions answered.
    It has to seem like an alive and healthy project where their contributions will be valued and accomplish something of worth. There should be suggestions of parts of the project that would be easy places to start getting involved, and you should make it clear that you are available and willing to mentor others in the project.
    Once you have these things together, if your project is interesting and getting any attention, it will probably gather new developers.
    I know the projects I have joined have tended to be the ones that had these things, and other sexier projects with no docs, no openness in development, and no invitation from the project leaders have withered and died.

  25. Re:Register the Trainees on NSA Takes On West Point In Security Exercise · · Score: 1

    Honestly, these types of skills get you good jobs at large companies or the ability to work for yourself and earn a comfortable living.
    Any skilled hacker who is also good at understanding the needs of business and has good communication skills will not be without good ethical job prospects for the foreseeable future.