Slashdot Mirror


User: mpeg4codec

mpeg4codec's activity in the archive.

Stories: 0
Comments: 153

Comments · 153

  1. Re:I've heard of this new technology... on What Could You Do With a Bogus Root Name Server? · · Score: 2, Informative

    DNSSEC in its current state would not prevent any of the attacks mentioned in the article. The root currently does not sign its zone, and as such there is no way to trace a secure delegation to a non-root zone.

    The entire security of DNS as provided by DNSSEC is predicated on the ability to trace a secure delegation. The general theory of operation is that you'd preconfigure your resolver with cryptographic hashes of the root's public DNSKEY records. Then every time you wanted to do a secure lookup, you'd begin at the root, first asking for its DNSKEYs (assuming you didn't have them cached) and then verifying those using your preconfigured hashes. It would then give you the records you asked for, likely the nameservers and DS records for the next level of the hierarchy. That zone's nameservers would then give you their DNSKEYs, which you could verify with the DS records from the root, and you continue the process of DS + NS followed by DNSKEY verification until you're in the zone you're looking for.

    Until the root is signed and until we have resolvers that both support DNSSEC and have been pre-configured with those key hashes, DNSSEC doesn't do us much good. Various research projects have been formed around the notion that the root will never be signed but that it should still be possible to configure a secure system. One of the most promising is a perspectives-based approach, the theory being that a worldwide monitoring system would be harder to spoof, so use this information as a sort of key repository for the apexes of the islands of security. You can trace a secure delegation from any of these zones down to a sub zone, but the weak point of your system is still the fact that you have to trust someone somewhere, and the only real trustworthy place is the root itself. It's something of a hack on top of an academic system that has limited utility in practical applications.

  2. Re:I don't really get the Java hate around here on What Makes a Programming Language Successful? · · Score: 1

    I agree, community is vital to the success of a programming language. Some languages, C for instance, have uninviting but huge communities. You won't be hard pressed to find someone who knows the answer to a run of the mill question in C. You may have some trouble getting an answer other than RTFM, though.

    However, a friendly, helpful, and well-established community is not a sufficient condition for the success of a language. Take Perl as an example. Perl Monks is one of the most welcoming and helpful communities I've ever seen on the internet, period. Literally nothing compares regardless of field. And furthermore, they'll answer the full gamut of questions, ranging from utter newbie to relatively advanced functional programming and beyond.

    Let's not forget CPAN, which is probably the largest and best organised collection of packages and libraries for any programming language on the internet. Yes, there is a little noise you have to wade through, but the signal to noise ratio is unbelievably high. If you want to do something in Perl, it's likely that you can find a module on CPAN that will at least give you a base of code to work with, if not a completely working and tested solution.

    You'll note that despite those two great features, Perl continues to lose popularity, mostly to Python. It's probably due to the fact that, even though Perl is pretty easy to get started with, as you note Python is downright trivial. People call it pseudocode that you run because it's so damn simple and easy to get going, which is probably one of its greatest strengths. Perl has been around longer, probably has a larger and friendlier community, yet the outright ease with which one can program in Python trumps those other, greater (in my opinion) strengths of Perl.

    It's sad to see such a great language get knocked all the time due to a bad reputation (which it certainly deserved--five to ten years ago). Unfortunately, a combination of a bad rep and an easier to use, more popular language is starting to make it look like Perl will soon be relegated to a relative niche, at least in the eyes of the public.

  3. Re:Make your own desktop on A Look At the Lightweight Equinox Desktop Environment · · Score: 1

    My desktop journey is quite similar to yours. Never got the hang of Gnome/KDE on low res screens and low memory systems, so I switched between a bunch of lightweight WMs, finally settling on Blackbox. Eventually the lure of antialiased fonts dragged me to Openbox, as this was in Blackbox's stale 0.65.0 period. Ironically enough, I turned off antialiasing on Openbox (although I still use it with plain fonts) and continue to use Blackbox 0.65.0 on another machine. To this day, I still have a .xinitrc that launches a term. Indispensable.

  4. Re:Fire up the soldering irons... on Atari Founder Proclaims the End of Gaming Piracy · · Score: 3, Interesting

    Sometimes you don't even need to find something as complicated as a buffer overflow. Look at the recent Wii homebrew explosion: the backdoor was exactly as you describe, a flaw in the implementation of RSA. However, the flaw was as trivial as using strcmp instead of memcmp, rendering it equivalent to about 8 bits of security. Homebrew developers used this knowledge to trivially break the encryption, allowing them to run code that wasn't signed by Nintendo.

    People make mistakes. Programmers are people. And furthermore, this isn't just some theoretical thing. It happened recently to Nintendo, a game company that likely has more money to throw at such problems than most.
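An added example, not part of the comment above and not Nintendo's code, of the bug class it names: comparing binary digests with `strcmp` instead of a fixed-length comparison. The digest length, function names and sample bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20 /* assumed digest size (SHA-1 sized), for illustration */

/* Flawed: strcmp() treats the digests as C strings and stops at the first
 * 0x00 byte, so bytes after that NUL are never compared. */
int digest_equal_flawed(const unsigned char *a, const unsigned char *b)
{
    return strcmp((const char *)a, (const char *)b) == 0;
}

/* Fixed length: memcmp() always compares all DIGEST_LEN bytes. */
int digest_equal_memcmp(const unsigned char *a, const unsigned char *b)
{
    return memcmp(a, b, DIGEST_LEN) == 0;
}

/* Hardened: full length with no early exit, so timing does not reveal
 * the position of the first mismatch. */
int digest_equal_ct(const unsigned char *a, const unsigned char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Constructed sample values: both begin with 0x00, all other bytes differ. */
const unsigned char expected_digest[DIGEST_LEN] = {
    0x00, 0x3a, 0x91, 0x5c, 0x07, 0xee, 0x42, 0x18, 0xb6, 0x6d,
    0xf0, 0x23, 0x84, 0xc9, 0x1b, 0x75, 0xa2, 0x5e, 0x39, 0xd4 };
const unsigned char computed_digest[DIGEST_LEN] = {
    0x00, 0xc4, 0x1f, 0x88, 0x63, 0x0a, 0xd7, 0x9e, 0x21, 0x54,
    0x3b, 0xe6, 0x70, 0x0d, 0xaf, 0x92, 0x46, 0xbb, 0x15, 0x68 };

int main(void)
{
    printf("strcmp says equal:  %d\n",
           digest_equal_flawed(expected_digest, computed_digest));
    printf("memcmp says equal:  %d\n",
           digest_equal_memcmp(expected_digest, computed_digest));
    printf("constant-time says: %d\n",
           digest_equal_ct(expected_digest, computed_digest));
    return 0;
}
```

With the flawed comparison only the bytes before the first NUL are checked, which is why a leading zero byte reduces a 160-bit comparison to the roughly 8 bits the comment mentions.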

  5. Re:Harvesting NXDOMAIN hits on Identity Theft Hits the Root Name Servers · · Score: 4, Informative

    I honestly doubt that typo-squatters care about the millions of requests for com, net, org, and all the other TLDs and ccTLDs, which is all you'll get if you have control of a root server. If someone makes a typo on some com domain, it won't make it any further than com's servers, so having control of the root is rather moot unless someone also makes a typo in the TLD.

    On the other hand, the person in control of the root could give bogus records for the name servers for something like com. This is unlikely to be a major problem since the TTL on all the records served by the root is 120 days. Most people are going to be querying a caching name server of some sort, so it's statistically unlikely to affect much of the population before it is detected and dealt with.

    Not to plug my own work too much, but as a part of my research, I work with a team that monitors DNSSEC deployment. This is something we would in theory be able to see from our distributed polling framework, and our datasets going back to 2005 don't show anything like a rogue TLD server being published. Kind of unfortunate in a way, being that DNS isn't exactly the most interesting research topic at face value.

  6. Re:It will be fixed on Debian Bug Leaves Private SSL/SSH Keys Guessable · · Score: 1

    > you also need to regenerate any certificates made with OpenSSL since 2005

    Not 2005, it's 2006. I'm not sure what versions of Debian it affects, but it definitely does not affect Ubuntu prior to (and including) 6.06 LTS. Still terrible, but if you generated your keys in 2005 or most of 2006, you should be good.

  7. Re:Don't forget users of lynx on Next-Generation CAPTCHA Exploits the Semantic Gap · · Score: 3, Insightful

    FWIW you don't need a dedicated HTTP proxy, as SSH has a built-in SOCKS proxy. Try it out some time: ssh -D 1080 remote.tld and configure your browser of choice to use SOCKS on localhost port 1080. For other apps that don't have native support for proxying, check out proxychains (on Unix). Not only great for browsing at work, but also a godsend for unsecured wireless nets.

  8. Re:Only mildly illegal. on Major ISPs Injecting Ads, Vulnerabilities Into Web · · Score: 1

    The interesting thing is that, at least with my recent experience with RoadRunner cable, when they hijacked the DNS they didn't technically do anything out of spec. If you searched for an A record for an inexistent zone, it would return NXDOMAIN as the DNS RCODE. However, they also returned A records for their search pages. Firefox interpreted this as a successful resolution since A records were returned, but mail daemons typically interpreted this as a failure to resolve (which it was) since the RCODE was not NOERROR.

    It's really a matter of Jon Postel's famous quote: be conservative in what you send and liberal in what you receive. In this case, Firefox technically handled the DNS reply in a manner not consistent with the spec but in such a way as to confuse the least users. Mail daemons, at least ones coded to spec, failed correctly. I'm not trying to defend RoadRunner et al. for their practises, but they haven't broken anything that was coded properly.
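An added example, not part of the comment above, showing how the same reply is read by a lenient and a strict client, plus a monitoring check for the NXDOMAIN-with-answers pattern it describes. The function names and the three header byte strings are assumptions constructed for illustration; only the fixed DNS header is parsed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { RCODE_NOERROR = 0, RCODE_NXDOMAIN = 3 };
struct dns_hdr { uint16_t id, flags, qdcount, ancount; };

/* Read the fixed 12-byte DNS header (big-endian fields). 0 on success. */
int parse_dns_header(const uint8_t *m, size_t len, struct dns_hdr *h)
{
    if (len < 12) return -1; /* truncated message */
    h->id      = (uint16_t)((m[0] << 8) | m[1]);
    h->flags   = (uint16_t)((m[2] << 8) | m[3]);
    h->qdcount = (uint16_t)((m[4] << 8) | m[5]);
    h->ancount = (uint16_t)((m[6] << 8) | m[7]);
    return 0;
}

int dns_rcode(const struct dns_hdr *h) { return h->flags & 0x000f; }
/* Lenient client: any answer record counts as a successful resolution. */
int resolved_lenient(const struct dns_hdr *h) { return h->ancount > 0; }
/* Strict client: RCODE decides; answers attached to an error are ignored. */
int resolved_strict(const struct dns_hdr *h)
{
    return dns_rcode(h) == RCODE_NOERROR && h->ancount > 0;
}

/* Monitoring check: a response (QR bit set) that says NXDOMAIN yet carries
 * answer records is the rewritten reply described above. */
int looks_rewritten(const struct dns_hdr *h)
{
    return (h->flags & 0x8000) && dns_rcode(h) == RCODE_NXDOMAIN && h->ancount > 0;
}

/* Constructed headers (question/answer sections omitted):
 * flags 0x8183 = QR, RD, RA, RCODE 3; 0x8180 = same with RCODE 0. */
const uint8_t rewritten_reply[12] = {0x1a,0x2b, 0x81,0x83, 0,1, 0,1, 0,0, 0,0};
const uint8_t honest_nxdomain[12] = {0x1a,0x2c, 0x81,0x83, 0,1, 0,0, 0,0, 0,0};
const uint8_t normal_answer[12]   = {0x1a,0x2d, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};

int main(void)
{
    struct dns_hdr h;
    if (parse_dns_header(rewritten_reply, sizeof rewritten_reply, &h) != 0)
        return 1;
    printf("lenient=%d strict=%d rewritten=%d\n", resolved_lenient(&h),
           resolved_strict(&h), looks_rewritten(&h));
    return 0;
}
```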

  9. Re:ssh tunnelling + squid on ISPs Using "Deep Packet Inspection" On 100,000 Users · · Score: 1

    A combination of ssh -D with proxychains makes life pretty damn nice, especially on wireless nets.

  10. Re:Ok - this is just getting silly! on MacBook Air Confuses Airport Security · · Score: 1

    I travel with a Sharp Actius MM10 fairly regularly and I've never been hassled. This laptop is truly uber tiny, and it's quite similar to the Macbook in many of the ways listed. I'm willing to believe this is just viral marketing crap from Apple.

  11. Re:Quick Summary of Article - Breathless Hype on Using Excel As a 3D Graphics Engine · · Score: 2, Interesting

    Check out Befunge. It's the only language I know of that explicitly uses the two-dimensional spatial structure of code for flow control.

  12. Re:moto on Rush Limbaugh Begs Steve Jobs For Bug Fixes · · Score: 1

    Actually, Anonymous Coward is UID 666.

  13. Re:Don't do that. on KDE Goes Cross-Platform, Supports Windows and OS X · · Score: 1

    Wow, that's exactly what I've been looking for over the past few weeks. Thanks a lot quigonn!

  14. Re:Don't do that. on KDE Goes Cross-Platform, Supports Windows and OS X · · Score: 1
    Have to second this: those are among my most-used applications. Add mutt, irssi, and tie it all together with screen and you have one hell of a good computing experience.


    And don't forget to use your editor of choice in conjunction with that whole rigamarole ;).

  15. Re:Not a CLEAR warning! on Environmental DVD Wrecks Apple Drives · · Score: 1

    Warning: Mixing yoda and the subjunctive mood considered dangerous!

  16. Re:Toshiba on Toshiba Execs Declare HD DVD Not Dead Yet · · Score: 1

    > Warner did the right thing, and I'm confident there will be much more progress in HD movies. I think these films look much better than DVD, and while DVDs were much more of a revolution in technology, Blu-ray is a real step up that downloads cannot hope to compete with in the US.

    Wow astroturf much? I can only say that you've clearly never seen much on Bluray. Either that, or that you've never seen what an upscaling DVD player can do.

    HD much better my arse. The quality difference is nil from five feet away on virtually any size screen. The only reason this ``upgrade'' exists is to push more draconian DRM on the consumer.

  17. Re:Still no job? on Rails Bigwig Rails on Rails Community · · Score: 1

    Dropped like a bad packet hitting ipf: is it possible for any phrase to be more awesome than this?

  18. Re:Smart Thinking on Wii Hacked for Better Homebrew Games · · Score: 1

    > How does that make a modded Xbox necessarily better than my PC, whose Radeon 9000 video card is connected to a television and whose USB hub has a Nintendo 64 controller and two PlayStation controllers plugged into it through adapters? I can't think of anything specific.

    It's not better, just different :). In my case, I did it for the cost, which was almost zero (got the Xbox for free and modded it without a chip).

    I've also had trouble getting video from computer to display properly on a television, as the last time I tried I had serious dot crawl issues. Granted, this was a long time ago and I didn't put much time into it. However, given that the Xbox was designed to connect to a television, I had no trouble with that.

  19. Re:Smart Thinking on Wii Hacked for Better Homebrew Games · · Score: 1

    I don't have a 360; I've only used homebrew on the original Xbox. While it's true the D-pad on the normal Xbox controller isn't as nice as the one on a Super Famicom controller, being able to control the action buttons with my thumb is what makes it for me. I grew up with home systems and hardly ever hit the arcade, so my video game controlling skills are all in my thumbs. Perhaps it's different for you due to a background in arcade rather than consoles.

  20. Re:Smart Thinking on Wii Hacked for Better Homebrew Games · · Score: 1

    Emulators remain very popular Xbox homebrew applications. It is usually nicer than playing on a PC since the game is shown on a television and controlled with a real controller. Even though the Xbox controller isn't identical to whatever system you're trying to emulate, it beats the pants off using a PC keyboard.

  21. Re:Usability on The Curse of Knowledge Bogs Down Innovation · · Score: 1

    > There are too many light switches in the house because you have so much control over the lighting. Oddly enough, the fix for this probably can actually be -more- technology instead of less. I plan to one day hook up my lights to the computer and control them based on time, where people are in the house, and other factors.

    Totally off-topic here, but I once did that. My father works for a major American electrical company (sells switches, outlets, and other commodity stuff), so we always got to play around with the latest gadgets in that field when I was a kid. Our house had X10 on a bunch of lights and appliances. For around ten bucks, I bought something that allowed me to control those appliances from the serial port of a computer. I hacked together some simple software to do scheduling, simple IR presence detection, and so forth.

    It wasn't exactly high-tech (only one command per second, for instance), but more than once my father used it to demonstrate what the future of the technology could provide. Unfortunately, the scene hasn't improved much in the past decade. They're starting to use new technologies (RF instead of over power lines), but it's only beginning to pick up speed. In the next few years, we may be seeing some very cool things in this area.

  22. Re:The Rainbow Connection on Apple Stores Demonstrate That Retail Still Lives · · Score: 1

    Girl on Slashdot.. with a five digit UID? MARRY ME!

  23. Re:Make your own Linux-based PBX system on Linux-Based Phone System Phones Home · · Score: 1

    I had similar experiences with Grandstream phones, they're complete and utter trash. The software actually wasn't too bad, and they had nice things like tools for centralised provisioning. However, the hardware was really terrible. We got complaints of echo (and yes, we tried all the usual software solutions on the PBX) and inexplicable humming all the time. In the end we went with Snom 360 handsets and couldn't have been happier. They were more expensive, but certainly cheaper than the Nortel phones they were replacing.

  24. Re:wrong on Ubuntu Gutsy Gibbon vs. Mac OS X Leopard · · Score: 1

    > Gimp?

    The Gimp is a fine piece of software. It has many great features and can do a whole lot of ``professional'' design tasks. I personally use it as a day-to-day graphics editor (a la MS Paint on steroids). I also think it's underplayed by a lot of Photoshop die hards, mostly due to things like keyboard shortcuts differing from what they've been using for the better part of a decade and other UI inconsistencies.

    However, Gimp is lacking in a number of areas. For instance, there is still no native support for CMYK, which I know turns away a lot of designers. There are a variety of other things noted in the Wikipedia page about Gimp.

    Sorry to cop out to WP on this one, but I personally haven't run into any areas where Gimp didn't meet my needs. And that's exactly my point: Gimp is good enough for most people. However, it's not a replacement for Photoshop (yet).

  25. Re:50 years? Try 50 minutes on The Future of Love and Sex - Robots · · Score: 2, Interesting

    Oh god I thought only Penny Arcade could ruin my childhood memories of Teddy Ruxpin. Now Slashdot too?!?