Yes, technology will change, but the IT guy will still do what the IT guy does, fix all the problems that nobody else can. People will still get viruses and trojans and need new hardware. Yes, I believe that we may get to the point that we might be able to have cloud data, but to keep that data secure and encrypted (or just secure) is going to require VPNs and other tech. I don't really want to put my company's source code out there for the cloud to see (I'm sure all the cloud is secure and nobody could possibly mount my drives or make a clone of my machine). I can't tell you how many times I've had to help the same people over and over again with the same task, e.g. set up email, provide a link and/or password, print to a printer that doesn't work, set up a mobile device, back up or restore a computer.
In the 18 years I've been doing IT, the day-to-day tasks haven't really changed all that much.
Does your domain-validated cert use the same cert that one of the big companies that gave a signing cert to the U.A.E.?
Linux, no matter how secure you think it is...
My Mozilla comment was that if the opensource community starts, MS may follow suit. MS's caching DNS server accepts DNSSEC keys (though I'm not sure if it validates).
It is happening. .gov has been signed. .com has been signed. .org has been signed. Many ccTLDs are signed. It'll just take a bit more time, like IPv6.
Since I still work for a DNSSEC company, there is a lot of interest. It's just taking the time for the investment. Do you buy proprietary or opensource? If you opensource, are you doing it right?
Since there are not enough .com domains signed, there's really no need to put it in the browser yet. Though I'm sure Mozilla will figure it out (or at least Chrome will).
IA64 is not x86 (though it can do x86). That seems to be the problem people have with it, i.e. ignorance of what it is.
We have computers that can, for all intents and purposes, replace the TV and stereo. We have phones that can, in some instances, replace a computer. We have cameras that keep getting more megapixels but the noise issue is back-burnered. We have cars that, while styling has changed, haven't really changed. We have TVs that only seem to be able to play "reality" programs and sports. We lock into a game console that hasn't been updated in years. We have kitchen gadgets that sit there as we go out to eat. How much more do we need?
The problem is that we've overbought and if we take a moment to look at it all, how much of it is important? The answer: my smartphone.
I haven't paid my account for a few months now and I'm really debating whether to spend the money on Cataclysm. When I got my first dread steed at level 40 and then the amount of money and time I had to spend and never got to get the level 60 dread steed, I was a bit torqued regarding the ability to get it after taking a few months off at that point.
If anything, Blizzard should have 2 modes, stupid-easy mode with all the new "wonderments" and regular mode with all the original requirements.
Of course, that presumes a purely random one-time pad.
The problem there is that if you take a lot of pictures at your location you want blacked out, eventually, a scattered plot of image locations would show up and the more you take, the more exact you could get on locating the location.
Why not just have a camera setting that says "Do not record geotag data within 1 minute of my selected location(s)"? Seems that would be the easiest fix. No extra processing needed.
Probably wouldn't switch over to TCP for that response. If the signature were larger though.
dig @x.x.x.x www.dol.gov
Result size: 115 bytes.
dig +dnssec @x.x.x.x www.dol.gov
Result size: 293 bytes.
That's why there could be a perceived slow-down, particularly over a 2400 baud modem.
Under the flags section, a signed and validated record will have the ad bit set.
Don't know what happened to the nice formatting above.
Here are a couple results. As you can see, when you request the signed dol.gov, you get a bigger response, i.e. not UDP, but TCP.
dig @x.x.x.x www.dol.gov

; <<>> DiG 9.7.0-P1 <<>> @x.x.x.x www.dol.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- (remainder of this unsigned response not preserved in the comment)

dig +dnssec @x.x.x.x www.dol.gov

; <<>> DiG 9.7.0-P1 <<>> +dnssec @x.x.x.x www.dol.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46373
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;www.dol.gov. IN A

;; ANSWER SECTION:
www.dol.gov. 889 IN CNAME www.dol.gov.edgekey.net.
www.dol.gov. 889 IN RRSIG CNAME 7 3 900 20100816030022 20100717030022 50870 dol.gov. l725oDYX1Hyn8KlBxARPtDfB/U4sbuGI/vCF5E23Iy4tANYpU/MY0vZU XgRDpqoVziXSqVw4v9bPGxifzK6e8Sz3Vb3Y0NddidI709YvvblSIKlk cYgvuEcefavrb9oxHfCpy2wewC6m0XDB4sQkaOpbNv6OSxX+ScEhTPrI CZM=
www.dol.gov.edgekey.net. 21589 IN CNAME e1617.b.akamaiedge.net.
e1617.b.akamaiedge.net. 9 IN A 96.7.22.185

;; Query time: 71 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Sat Jul 17 08:20:18 2010
;; MSG SIZE rcvd: 293
Since you are dealing with public-key cryptography, your private keys have to be maintained as private. That's not so difficult if you have a machine that's not connected to the Internet. If your private key-signing key got out, your signatures could easily be compromised. Then you sneaker-net the zone-signing keys over and sign your zones. Not too difficult if you follow the NIST 140-page manual.
Of course, a machine that could do all the work for you would be what's best.
Actually, iTunes is as expensive and probably more expensive for music than buying CDs. Granted, you're given the privilege of not having to buy a whole CD. If iTunes pricing were fair, music would cost about $0.10/minute, i.e. 80 minute CD = $8.00, i.e. about half the price of the physical media. Movies and TV shows that are delivered on DVD after the fact should be less expensive, overall, than the price of the physical media package. Since I can rent a movie at RedBox for $1.00, shouldn't I be able to get the same copy from some company server for a lesser price?
The problem is, the idea of giant profit just because it's convenient and over that newfangled thing called the Intertubeswebnet, is the wrong business model. The Internet is on par with CD technology and should be rather inexpensive to utilize by now.
Copyright that lasts forever is the problem here.
Current U.S. copyright for an individual is life plus 70 years and for a corporation 95 years. Since both of those are longer than the U.S. life expectancy, copyright is now infinite. I guess Jack Valenti got his wish.
If the roots signed and then .com signed, there would be some benefits over time as more and more domains sign their zones. If there was some policy as to getting the signing key from the parent, example.com may not be able to validate with DNSSEC and the ignorant might be a little more secure. The more that sign, the less spam you might get from a botnet or some spam house.
There are benefits and when only a few people have
I know that's a bad example, but it was the only one I could think of.
Would tax forms have been a better example?
Guaranteeing that the domain and IP address are what they should be is the benefit. In a properly configured DNSSEC deployment, with the appropriate security protecting your keys, the man-in-the-middle attack that's currently possible with SSL today is next to impossible. Getting poisoned results could happen, but you're assured that it's not the correct response.
For example, .gov has signed some of their zones (failed to meet the mandate?). In an emergency, isn't it better to have the actual government site than some bogus site that directs you to the wrong place to get your water?
dig +dnssec @nameserver domain.xx SOA. If you get the SOA, you have a signature.
Then
dig +dnssec @nameserver domain.xx DS to see if you have a DS record.
Then
dig +dnssec @publicvalidatingserver domain.xx to see if the Chain-of-Trust is established.
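The three-step check above (signed SOA, DS in the parent, ad bit from a validating resolver) and the dol.gov +dnssec transcript earlier (response size, ad bit) can both be evaluated offline from dig's text output. The script below is an added example and not code from the original comments: it parses dig output, applies the three steps, and reports whether a reply would have needed TCP (only when the tc bit is set, since EDNS lets UDP replies exceed 512 bytes). The dol.gov reply is the one quoted in the comments; the example.com replies and all function names (parse_dig, zone_is_signed, parent_publishes_ds, chain_validated, transport_check, run_checks) are this example's own, with placeholder signature and digest fields.

```python
# Added example, not code from the original comments: offline evaluation of the
# three dig-based DNSSEC checks. The dol.gov reply is the one quoted in the
# comments; the example.com replies are constructed, with placeholder crypto fields.
import re

def parse_dig(text):
    """Pull status, header flags, EDNS UDP size, answer records and size out of dig output."""
    parsed = {"status": None, "flags": set(), "edns_udp": None, "msg_size": None, "answers": []}
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if "->>HEADER<<-" in line:
            m = re.search(r"status: (\w+)", line)
            parsed["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            parsed["flags"] = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith("; EDNS:"):
            m = re.search(r"udp: (\d+)", line)
            parsed["edns_udp"] = int(m.group(1)) if m else None
        elif line.startswith(";; MSG SIZE"):
            parsed["msg_size"] = int(re.search(r"rcvd: (\d+)", line).group(1))
        elif line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False  # any other ;; header ends the answer section
        elif in_answer and line and not line.startswith(";"):
            fields = line.split(None, 4)  # name ttl class type rdata
            if len(fields) == 5:
                parsed["answers"].append((fields[0], fields[3], fields[4]))
    return parsed

def zone_is_signed(auth_soa_reply):
    """Step 1: the SOA came back together with an RRSIG that covers SOA."""
    types = {t for _, t, _ in auth_soa_reply["answers"]}
    covered = {rdata.split()[0] for _, t, rdata in auth_soa_reply["answers"] if t == "RRSIG"}
    return "SOA" in types and "SOA" in covered

def parent_publishes_ds(ds_reply):
    """Step 2: the parent zone holds a DS record for the child."""
    return any(t == "DS" for _, t, _ in ds_reply["answers"])

def chain_validated(resolver_reply):
    """Step 3: a validating resolver answered NOERROR with the ad bit set."""
    return resolver_reply["status"] == "NOERROR" and "ad" in resolver_reply["flags"]

def transport_check(parsed):
    """dig retries over TCP only when tc is set; EDNS lets a UDP reply exceed 512 bytes."""
    size, limit = parsed["msg_size"], parsed["edns_udp"] or 512
    return {"bytes": size, "udp_limit": limit, "truncated": "tc" in parsed["flags"], "fits_udp": size <= limit}

def run_checks(auth_soa_text, parent_ds_text, resolver_text):
    """Apply the three steps in order; a chain of trust needs all three to hold."""
    steps = {"zone_signed": zone_is_signed(parse_dig(auth_soa_text)),
             "ds_in_parent": parent_publishes_ds(parse_dig(parent_ds_text)),
             "resolver_validated": chain_validated(parse_dig(resolver_text))}
    steps["chain_of_trust"] = all(steps.values())
    return steps

# Quoted from the dol.gov +dnssec transcript in the comments (the lines the parser uses).
DOL_GOV_DNSSEC = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46373
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1452
;; ANSWER SECTION:
www.dol.gov. 889 IN CNAME www.dol.gov.edgekey.net.
www.dol.gov. 889 IN RRSIG CNAME 7 3 900 20100816030022 20100717030022 50870 dol.gov. l725oDYX1Hyn8KlBxARPtDfB/U4sbuGI/vCF5E23Iy4tANYpU/MY0vZU XgRDpqoVziXSqVw4v9bPGxifzK6e8Sz3Vb3Y0NddidI709YvvblSIKlk cYgvuEcefavrb9oxHfCpy2wewC6m0XDB4sQkaOpbNv6OSxX+ScEhTPrI CZM=
www.dol.gov.edgekey.net. 21589 IN CNAME e1617.b.akamaiedge.net.
e1617.b.akamaiedge.net. 9 IN A 96.7.22.185
;; MSG SIZE rcvd: 293
"""
# Constructed replies for a hypothetical signed example.com (PLACEHOLDER crypto fields).
EXAMPLE_AUTH_SOA = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2010071701 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20100816000000 20100717000000 12345 example.com. PLACEHOLDERSIG==
;; MSG SIZE rcvd: 310
"""
EXAMPLE_PARENT_DS = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com. 86400 IN DS 12345 8 2 PLACEHOLDERDIGEST
example.com. 86400 IN RRSIG DS 8 2 86400 20100816000000 20100717000000 54321 com. PLACEHOLDERSIG==
;; MSG SIZE rcvd: 260
"""
EXAMPLE_VALIDATING = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN RRSIG A 8 2 3600 20100816000000 20100717000000 12345 example.com. PLACEHOLDERSIG==
;; MSG SIZE rcvd: 230
"""

if __name__ == "__main__":
    print(run_checks(EXAMPLE_AUTH_SOA, EXAMPLE_PARENT_DS, EXAMPLE_VALIDATING), transport_check(parse_dig(DOL_GOV_DNSSEC)))
```

To use it against live output, pipe each dig command from the three steps into a file and pass the file contents to run_checks in the same order (authoritative SOA, parent DS, validating resolver). Note that an authoritative server sets aa but never ad; only the third query, to a validating resolver, can prove the chain of trust, and a NOERROR answer without ad there means the resolver either does not validate or could not build the chain.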
A simple way to accomplish the clothing aspect is to disallow us to wear clothes on an airplane. Of course, the flying naked idea wouldn't fly. So why not provide us with a flight uniform that is made from some easily scanned material so if you're wearing clothes, it would be easy to tell. That way, no naked scanners. No puff tests. No shoes. Then when we're off the flight, collect our luggage, change our clothes and get on our way. Not allowing bags or clothes and such on the plane would be best.
Just removing the ridiculous security checks and allowing us to continue living a life of liberty would be best, even if some people die.
The trust anchors work. I don't see what the problem is. I use a trust anchor on my DNSSEC deployment because the root isn't signed.
There will be pressure to get the roots signed as more and more TLDs are signed. .gov, .org, plus the plethora of ccTLDs.
dig +dnssec @a.gov.zoneedit.com. gov.
An extension is an easy way to organize something. I can write a script that says find .jpg and move them to my images folder. If I need to use metadata, my job just got harder because I have to know now what I'm looking for.
Granted, if you're complaining that a .zip shows up as a zipped icon based only on .zip, then yes, it's a bit absurd.
The problem with CAs is that, in general, when people get to a site with SSL that doesn't have a valid CA, people will tend to click through. I know I do it and I know the risks. I know not to do that if I'm going to a site that I exchange money with, but other sites I click through. Also, when phished, you may get to a duplicate site where you type in your username and password and then get forwarded back to your intended site, but the phisher now has your username and password. The problem with CAs is that if you cannot trust that you are actually getting to the site you expect to be at, what's the point? If you're not certain, you can be violated (taken for a ride, robbed, etc.). And who's to say that there aren't malicious cert providers that will provide a valid cert to a malicious site? Nobody is saying that CAs aren't valid, but if you cannot be sure you're going where you think you're going, no amount of extra security is going to help in every instance.
With signed zones, you can verify that you are really talking to someone's email server and that they are talking to you. Spam could be reduced. I'd welcome that.
The problem is that DNSSEC is a manually intensive proposition. Keys have to be rolled daily and those keys have to be generated on a machine that is not connected to a network, i.e. sneaker net. The problem stems from current OS implementations that allow you to have access to all the memory. If I could compromise your signing keys, I could sign your zone with my keys and probably get away with further damage as people would inherently trust DNS. The issue is automation. Since you cannot, on Linux or Windows or other OS, have it online and sign the keys automatically, the manual process takes a back seat. It would be a very time consuming job to handle more than a small zone. Plus the NIST manual is about 120 pages on how to do it to what the NIST standards would require. It's not a trivial proposition. Since the keys from the signing box are in the clear, as well, they could be stolen by a crafty thief. Or they could walk out with the thumb drive that they were stored on for the sneaker net transaction.
I tend to agree.