Slashdot Mirror


User: Nonesuch

Nonesuch's activity in the archive.

Stories
0
Comments
989
First seen
Last seen
Profile

Comments · 989

  1. Re:Where's Your Courage? on BIND Security Info For "Members Only"? · · Score: 2
    We converted my multi-billion dollar employer to djbdns on the majority of externally-visible IP addresses, and took some flak for it.

    This was about a month before the big BIND vulnerability became public. The timing wasn't ESP, it was pro-active security, but it sure made our group look good when the announcement hit 'mainstream' news sources.

  2. OpenBSD's chrooted bind? on Running BIND 4 or 8? Upgrade! · · Score: 1
    OpenBSD chroots bind and changes the UID, this seems to have paid off.

    http://www.openbsd.org/errata.html

  3. TinyDNS/DNSCache on Running BIND 4 or 8? Upgrade! · · Score: 2
    The closest thing out there currently is Dan Bernstein's DJBDNS.

    This comes in two parts- 'tinydns', which only handles serving authoritative data, and 'dnscache' which only handles providing caching DNS services.

    Installation is somewhat complex, but the software works like a charm once you get past that.

  4. The real reason for the Microsoft outage on Microsoft's DNS Down · · Score: 2
    Regardless of what their explanation says, the real reason Microsoft's domains were unavailable today is that they had put all of their eggs in one basket...

    All four of the DNS addresses for microsoft.com and other microsoft domains are in the same Class-C range. If routing or connectivity for that one IP subnet is disrupted, those names stop resolving.

    This goes against everything recommended in RFC2182.

    Yes, this is a common mistake, but one of the first rules you learn when becoming a DNS admin is to have diversity in your name servers. Spread them across multiple hosts, on different networks, in physically separate datacenters.

    Apparently Microsoft had to learn this the hard way.

    To stop our users from complaining about the long lookup timeout on MICROSOFT.COM, MSN.COM, MSFT.NET and various other sites, I aliased those domains in our name servers to return immediately with 'no A records available'.

    It's a shame management will insist that I take out those aliases tomorrow morning.
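    The single-subnet problem described in the comment above is easy to check for before it bites. The following is an added example, not code from the original post or from Slashdot: given a set of name server addresses (constructed sample data here, using documentation address ranges, not Microsoft's real records), it groups them by /24 prefix (the "Class C" block the comment refers to) and reports whether the servers span enough distinct networks. The /24 grouping is a coarse, address-based proxy for the topological and geographic diversity RFC 2182 recommends; two /24s can still share one upstream, so treat a pass as necessary, not sufficient.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not real DNS records): name server host -> IPv4 address.
# All four servers sit in one /24, the situation the comment describes.
SAMPLE_ALL_SAME_SUBNET = {
    "ns1.example.test": "192.0.2.10",
    "ns2.example.test": "192.0.2.11",
    "ns3.example.test": "192.0.2.12",
    "ns4.example.test": "192.0.2.13",
}

# Constructed sample data: three servers in three different /24s.
SAMPLE_DIVERSE = {
    "ns1.example.test": "192.0.2.10",
    "ns2.example.test": "198.51.100.20",
    "ns3.example.test": "203.0.113.30",
}


def group_by_prefix(ns_addrs, prefix_len=24):
    """Group name server addresses by their containing network.

    prefix_len=24 corresponds to the classic "Class C" block.
    Returns {ip_network: [hostnames]}.
    """
    groups = defaultdict(list)
    for host, addr in ns_addrs.items():
        # strict=False lets a host address stand in for its network.
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[net].append(host)
    return dict(groups)


def check_ns_diversity(ns_addrs, prefix_len=24, min_networks=2):
    """Return (ok, findings).

    ok is True when there are at least two name servers and they span at
    least min_networks distinct /prefix_len networks. findings lists the
    reasons for a failure, in plain text suitable for a monitoring alert.
    """
    groups = group_by_prefix(ns_addrs, prefix_len)
    findings = []
    if len(ns_addrs) < 2:
        findings.append("fewer than two name servers")
    if len(groups) < min_networks:
        nets = ", ".join(str(n) for n in sorted(groups, key=str))
        findings.append(
            f"all {len(ns_addrs)} name servers fall in "
            f"{len(groups)} network(s): {nets}"
        )
    return (not findings, findings)


if __name__ == "__main__":
    for label, data in (("same subnet", SAMPLE_ALL_SAME_SUBNET),
                        ("diverse", SAMPLE_DIVERSE)):
        ok, findings = check_ns_diversity(data)
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

To run this against a real zone, replace the sample dict with the A records of the zone's NS hosts (resolved out of band); the check itself needs no network access.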

  5. Re:"Respectable" DVD? NOT! on What Audio System Powers Your Home Theater? · · Score: 1
    The Apex is a cheesy low-end DVD player that happens to be macrovision and region free. There is a French company (name escapes me) which sells and installs chips for real name-brand 'respectable' DVD players to allow the end user to easily disable the region-locking and macrovision 'features'. Expensive, but much better than buying a crappy player just because you have the option of playing disks from third world nations.

  6. Illinois did something right on HR 46: Wiretapping, Forfeiture, Crypto Penalties · · Score: 4
    In the state of Illinois, any legislation passed at the state level must apply to a single subject matter. This has resulted in at least one "rider" bill being thrown out (The 'safe neighborhoods act' which made CCW a felony).

    Perhaps we need a similar constitutional amendment for Federal legislation?

  7. Re:OK -- So when's /. going to HTTPS ??? on The Encryption Wars · · Score: 2
    My suggestion (see my other reply to the parent article) is for Slashdot to offer SSL as part of an enhanced "subscription" service, charging an annual fee.

    Along with SSL, they could provide faster response time than the free service (give port 443 higher priority on the routers and servers), and offer access to a caching proxy server to avoid the slashdot effect.

    As a "subscription" to a "journal" related to my job, I can get work to cover the cost.

  8. Increase use of Cryptography on Slashdot? on The Encryption Wars · · Score: 2
    One idea I've suggested often is for Slashdot to offer an "enhanced" membership, with an annual fee, that would provide additional services to paying users-

    • Browsing via SSL.
    • Better page load times by giving SSL traffic a higher priority at Slashdot's servers and routers.
    • Access to a SSL'ized caching proxy server, providing cached copies of slashdotted pages from all current stories.
    • Other services that are too 'costly' to offer with the current free site.

    By calling it a "subscription", I can get work to pay for it. Just keep the rate under USD $100/year :-)

  9. OT: Even spellcheck couldn't help this on The Most Powerful Mouse in the World · · Score: 1
    Not a spelling flame, but the word you want is "tough".

    So when is Slashdot getting a spelling and grammar check option as part of 'Preview'?

  10. Not everybody has forgotten TEMPEST. on New Crypto-OS · · Score: 2
    RF "sniffing" is easily defeated.

    Move your laptop or other high-confidentiality computer into a "container" (form-fitting skin, box, closet, or even a small room) covered in copper mesh. The only cables passing through the mesh should be 8-gauge 12VDC power cables and fiber-optic ethernet. The only data entering or leaving on the ethernet is encrypted. No high-frequency RF data will enter or leave on 8-gauge DC power cables.

    Problem solved. Cost, about $250 if you buy the copper mesh and AC-DC conversion hardware new, or a fraction of that if you can find everything as surplus or scrap. The FOTs (Fiber Optic Transceiver) are the expensive part.

    Or about $25,000 if you are a US Federal agency :-)

  11. Re:Calm Down! on FBI Bugs Keyboard of PGP-Using Alleged Mafioso · · Score: 3
    If you use computer software with predominantly benign uses (i.e. PGP) to hide evidence of criminal activity, you run the risk of losing that shield to whatever means the law enforcement community can leverage without crossing the line of legality.

    Realize that law enforcement has always had rights to mitigate a citizen's privacy AS LONG AS DUE PROCESS HAS BEEN FOLLOWED. This is an inherent requirement to do their job, and, knowing the restrictions placed on them, I think that almost all of the time that ethic is upheld. (There will always be screw-ups, but those responsible are held to their actions.)

    One interesting question is, how far can they go to "mitigate a citizen's privacy"? This case shows that they can go so far as to "bug" my keyboard to obtain my PGP passphrase.

    How much longer before they follow the lead of the U.K. and have the ability to imprison me for refusing to provide my cryptographic key?

    Where does the 4th amendment end and the 5th amendment begin?

  12. You are naive. on FBI Bugs Keyboard of PGP-Using Alleged Mafioso · · Score: 4
    It's not just a question of whether you have done anything illegal.

    Perhaps you hold political opinions that are unpopular with the current administration. Maybe you have your local mayor upset at you for campaigning against him last election. Maybe you are a journalist who has published stories that upset the FBI. Perhaps your ex-girlfriend has taken a job in the local field office.

    Get the wrong people mad at you, and you too may find out that government agents have added some tiny components to your computer...

    When the sources for your news stories are found dead from a "self inflicted" park in Washington

    When you lose every project you bid on to competitors who underbid you by exactly 3%

    When the conservative christian boss of your same-sex lover "somehow" gets a copy of your last mash note.

    When somebody says "If you aren't guilty of any crimes, you have nothing to fear", remember it's not a question of whether you are guilty of crimes against the law, it's not a question of paranoia. The question is, have you committed a crime against somebody else's god, have you done anything that somebody else wishes was against the law, is there anybody who would benefit from hurting you?

    If the answer is "yes" to any of the above, then you do have something to fear from this sort of "wiretap" activity.

  13. Why they need your keystrokes on FBI Bugs Keyboard of PGP-Using Alleged Mafioso · · Score: 2
    The suspect uses PGP. Like many other cryptographic systems, his email, stored messages, and other information the FBI would like to use for evidence are stored encrypted.

    The FBI could obtain a search warrant for his computer and email messages, but this would only get them the encrypted messages, and the encrypted version of his decryption key.

    The ability to "wiretap" his keyboard is the only way (short of torture, or taking several years to brute force the key) to obtain the "passphrase" that unlocks his encryption key, turning all of that meaningless random data into human-readable incriminating evidence.

    Personally, I tear apart my PC every week or so (not solely from paranoia), and I think I'd notice any extra little boxes on the keyboard port.

    Between that and keeping the machine in my hidden copper mesh closet with filtered DC-power and fiber-optic ethernet under 24-hour guard by a specially bred pack of mute doberman attack dogs, I'd say I'm fairly safe.

    Just remember- always ground your faraday cage to a cold water pipe!

  14. The Public Key Keyboard on FBI Bugs Keyboard of PGP-Using Alleged Mafioso · · Score: 3
    I'm not sure if it's a solution, but it certainly is possible to implement a cryptographic keyboard.

    When I read stories such as this one, a saying common in the security industry immediately comes to mind:

    Physical access trumps all.

    If the "attacker" (in this case, the FBI) can obtain physical access to your system, just about any protection can be broken. Perhaps with a laptop that you keep on your person at all times, you might be able to feel secure, assuming you can trust the operating system, the laptop manufacturer, the CPU and auxiliary chip production plants, and the original chip designers.

    Stare too long into the abyss of paranoia, and the abyss starts to stare back...

  15. A "capabilities" model for OpenBSD? on Ask Theo de Raadt about OpenBSD · · Score: 2
    What is your opinion of the "capabilities" model of security, as implemented in Linux or in SecureOS, a BSD-variant used by Secure Computing's Sidewinder firewall?

    Will OpenBSD ever support "role accounts" with the ability to perform very specific functions that would otherwise require superuser access?

  16. Bullshit. on Voices From The Hellmouth 4 · · Score: 1
    So physical harm is a reasonable price to pay for doing something that people stronger than you do not approve of? Might makes right?

    What if you couldn't conform?

    Perhaps the "in crowd" wears Tommy Hilfiger and you're lucky to have your older brother's faded Levi's. Do you deserve to be beaten up?

    Perhaps "somebody stronger than you" tells Jewish jokes and your grandfather died at the hands of the Nazis. Do you deserve to be thrashed for speaking up?

    Not everybody wants to conform, not everybody is capable of conforming.

  17. It's not a stereotype if it's true. on Voices From The Hellmouth 4 · · Score: 1
    Your post contradicts itself- you may have been a wrestler who takes AP courses, but you admit that you were the only "brain" who was also a wrestler.

    The exception that proves the rule.

  18. Re:why buy a TiVO? on ReplayTV Quits Hardware Biz, Licenses Technology · · Score: 1
    I don't have to stop using it when my daughter wants to print out her term paper.
    That's odd. I've never had to quit watching TV on my PC to print out anything. As a matter of fact, I often let my TV app stay under my text editor while I type and just listen. If it sounds like something cool is happening, I just change windows. What could be more cool than watching TV, surfing the net, and typing a report on the same screen?

    Your "TV App" is most likely just feeding a video signal directly to the video card from a tuner, not actively reading and writing live MPEG to and from a hard drive and MPEG codec.

    Watching live TV in a window using a hardware tuner is like listening to a CD in your CD-ROM drive directly attached to a sound card. You can crash MS-Windows, and it just keeps playing.

    What TiVo does is more akin to playing one 192Kbps MP3 stream from disk to the speakers while you encode another stream to the same hard drive, in realtime. Considerably more system intensive.

    TiVo is a PPC at 50MHz, with EIDE and a dedicated MPEG audio+video encoder and decoder. It only manages to function with such minimal hardware because that is the _only_ task that gets "foreground" priority on the CPU.

  19. Re:Build your own "TiVo" on ReplayTV Quits Hardware Biz, Licenses Technology · · Score: 1
    Read the "Legal Notices" section on the TV Guide web site, or the equivalent section of every other online show listings source- including TiVo and ReplayTV.

    You cannot legally extract the guide information and use it to populate listing information on your home-brew PVR.

  20. If only it didn't run Linux on ReplayTV Quits Hardware Biz, Licenses Technology · · Score: 1
    I'd be happier with TiVo if it ran a more robust operating system, perhaps something like QNX instead of their own specialized realtime extensions and filesystem grafted onto a stripped down Linux kernel.

  21. Re:Better company loses out on ReplayTV Quits Hardware Biz, Licenses Technology · · Score: 1
    Both TiVo and Replay handle duplicate episodes exactly the same. Most people feel that TiVo's handling of scheduling conflicts is better than Replay's.

    Have you looked at DirecTivo?

    The 2.0 software (standard on DirecTivo, coming next year as a free upgrade to all other TiVos) has the best handling of recurring shows and scheduling conflicts.

  22. Television listings are the key. on ReplayTV Quits Hardware Biz, Licenses Technology · · Score: 1
    Getting the television listings in a usable format is the "holy grail" of a good, free PVR package.

    There are two, maybe three companies that are the only sources for full listing information for upcoming shows. All others (Replay, TiVo, etc) just license the information from these sources.

    One of the biggest attractions of the TiVo is that while they license the same Tribune Media Services data as everybody else, they make a novel use of the information in the Thumbs Up/Down preferences and automatic "Suggestions" of similar shows to what you already watch.

  23. Is the hardware actually cheaper? on ReplayTV Quits Hardware Biz, Licenses Technology · · Score: 1
    The ReplayTV unit is $200 cheaper than an equivalent TiVo unit, but includes a "lifetime" subscription to the service.

    TiVo charges $200 for a lifetime subscription.

    Neither unit is useful without a subscription.

  24. Opt out of the US public school system! on Voices From The Hellmouth 4 · · Score: 2
    I have two things to say:

    Had I attended the public school system beyond 4th grade, I would not be alive today.

    Second, if you care about your children, send them to a non-coeducational Jesuit-run college-prep high school.

    I don't care what religion you are (and neither do the Jesuits). Those guys know how to teach- I learned to be an atheist, a programmer, a productive member of society, etc. from the Jesuits.

  25. Good overview in Network Magazine (11/6/2000) on High-Speed Wireless LANs Move Forward · · Score: 3
    The November issue had a good overview of current wireless 11Mbps products and their limitations.

    Available at http://www.networkmagazine.com/article/NMG20001106S0004.