I don't know how DNSSEC is supposed to work. Help me out?
Isn't the target of cracking, the 1024 bit RSA key, a long-lasting key? The server's public key?
If so, can't it be broken "as you're making the request, or before you receive the answer"? Indeed, couldn't it even be cracked before you make the request?
Just in case it's also hard to follow links, here's some selected text:
IEEE P1363 standardized elliptic-curve cryptography in the late 1990s. NIST standardized several elliptic curves following the P1363 recommendations. In 2005, NSA issued a new "Suite B" standard, recommending the NIST elliptic curves (at two specific security levels) for all public-key cryptography and withdrawing previous recommendations of RSA.
If someone hijacked slashdot's domain, they could use it to transfer money out of your account by using cross-site request forgery (CSRF).
Hm. And if someone could hijack any web page you visited, they could attempt CSRFs. Check the list of the most popular search terms and try to crack the top 10 Google results for each.
I don't know how to create CSRFs, but isn't protection against CSRF mostly handled by the target site, not the hijacked site?
Because OP said "makes me nervous about online bill pay sites", to which parent said, "this has nothing to do with online bill paying". But it does. It was an incident involving an online bill paying service, regardless of the particular kind of exploit actually used.
If I could be assured that the impact of a stolen domain for my online bill pay service was only ever a blank page with malware, I wouldn't be nervous. But the perps having control of the domain opens up much more to be nervous about because they can masquerade as a site you trust to spend money from your bank account.
I don't think that technically classifies as phishing; it's more like direct control of the business's service. Anyway, OP's nervousness is related to the stolen domain of a trusted-to-spend-your-money business, not to malware just because it happened to be used this time.
Well, for one thing, 1.www.google.com has access to the www.google.com cookie. It's also a really good place to phish from. In some circumstances, document.domain is even set up such that 1.www.google.com has script level access to www.google.com. Not good.
That makes sense. Nonexistent, subdomain host poisoning is also a serious problem.
Taking over existing domains is a superset of that serious problem, and can be done with the same style attack, just by adding glue. Because existing hijackable domains include nameserver domains, you could take over all DNS for google.com, from webservers and mail servers to SPF and DKIM records.
Anyway, it's all bad. Yes, poisoning is bad.
At this point, BIND, Nominum, Unbound, and Microsoft all suppress colliding queries. The only name server I know of that doesn't is DJBDNS, and it drops its security level noticeably.
DJB was the first to point out that Source Port Randomization would help, years ago, and he gets no credit? Why not concede any? And how many of those servers you named have been open to an easily feasible 32,000 max packet poisoning attack for the eight years that djbdns was requiring a TXID + SPR packet attack? And now you're trying to ding djbdns, characterizing it as a less secure outlier, for allowing 200 simultaneous queries, which opens the space by not quite 8 bits? TXID + SPR for djbdns is still 24 bits. TXID + SPR is only 27 for Microsoft (2500 source ports).
The real lesson is that the patch treadmill doesn't work, and it hasn't for years. This cycle of finding security holes and rushing to patch them before the bad guys exploit those vulnerabilities is expensive, inefficient and incomplete. We need to design security into our systems right from the beginning. We need assurance. We need security engineers involved in system design. This process won't prevent every vulnerability, but it's much more secure -- and cheaper -- than the patch treadmill we're all on now.
What a security engineer brings to the problem is a particular mindset. He thinks about systems from a security perspective. It's not that he discovers all possible attacks before the bad guys do; it's more that he anticipates potential types of attacks, and defends against them even if he doesn't know their details. I see this all the time in good cryptographic designs. It's over-engineering based on intuition, but if the security engineer has good intuition, it generally works.
Kaminsky's vulnerability is a perfect example of this. Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.
That's what a good design looks like....
I'm not a DJB fanboy. I concede that I think the 200 simultaneous identical queries is a big loss of security. But I also recognize that DJB was doing the right thing nearly a decade ago, and warning people, while everyone else took until now, after disclosure of a specific, very bad vuln, to clean up their acts. I find it distasteful that people are reluctant to publicly acknowledge DJB's right thinking, or even to acknowledge it to themselves. That's the other face of fanboyism, just inverted from fan to detractor.
Well, technically, glue trust is a big deal. It enables corruption of existing domains. That's a big deal. I think your point is that there are other, overshadowing problems. That may be the case; I am only familiar with this aspect of how DNS poisoning is a big deal. What specific problems arise from being able to add arbitrary subdomains in a browser context?
And, no offense to DJB, but port randomization is not by itself a sufficient response to the birthday attack. Come on, we've known not to have simultaneous outstanding requests for the same name for the last six years.
Port randomization helps. I don't think there's any offense to be had on DJB's part; port randomization was never said to be sufficient. Defense in depth means doing what you can where you can, "practical mitigation". DJB advised port randomization (and non-colliding queries) at least seven years ago. The CERT advisory came out a year later.
I think this is better said as "the attack undermines any vulnerable caching DNS resolver".
People need to distinguish between DNS servers and caching resolvers.
...invisibly
To be effective you need to redirect people to a machine under your control. Some "downstream" resolvers would log the poisoned results, thus getting you the IP of such a machine and a step closer to the perpetrator.
As far as hype, there are a lot of people out there who are quick to judge a situation based on perceived personalities rather than details of the facts or are quick to think about things emotionally (i.e., what they want or fear). This vuln is very big and very important and very scary. Some of the media around it sensationalize this, which doesn't help.
If more folks ran DJB's dnscache then more folks wouldn't be as scared and would probably be more inclined to nodding at the importance of the vuln. (And less inclined to thinking Kaminsky's discovery was unprecedented.)
DJB's dnscache (half of the djbdns suite): Randomizes source port, distrusts glue.
First of all, as I pointed out to the other person, lack of aging does not [mean] you never die!
No, it just means that people live a lot longer. And I already looked at adding 30 and 60 years to lifespan and the result was horrific.
Second, you fail to take into account that population growth is naturally decreasing...
Actually, I took that into consideration. It's independent of my point. You said immortality (i.e., life extension) would have a negative impact on population growth, so my response is that no it would have a positive impact. That's my point. That's what I'm addressing.
You could say "Well, life extension would lead to a temporary bump in population growth, but with life extension coming on gradually and with overall trends in decreasing population growth and with life extension itself providing some negative feedback into the loop, we'd end up with a workable balance." I think you were conflating "it's gonna be alright eventually" with "extending life decreases population". Or at least you came across to me (and apparently others) that way.
I doubt that immortal people will continue to crank out kids decade after decade. It's more likely that an older population of people who have "been there, done that" will be done making kids, and we'll actually have an human extinction crisis in 1,000 years.
You don't need any one generation to keep having kids to have a population problem. Just failing to die off will cause numbers to rocket.
You'd increase the population growth rate by 50%. (Yearly birth rate around 134M, yearly death rate around 62M pre-immortality.) Dude, taking your population growth rate and multiplying it by 1.5 is not a decrease.
But, yeah, you're sure to hit a extinction crisis somewhere in that surge. And, yeah, in that way immortality would lead to a decreasing population. But I wouldn't want to see it. I wouldn't want to see world-wide war, famine, and pestilence mowing down vast swaths of humanity, the newly immortal keening with horrific grief at eternal loss.
Immortality leads to rocketing population. If you want to do something about it, I recommend not allowing new children in a bloodline unless elders die off.
Absolutely right. Due to increased efficiencies and improved and novel abilities to tap natural resources brought by technological progress we're looking at a +2147 units/year game. And that number is on the rise! The sum as affected by tech is not zero, it's quite positive.
Sadly, due to pollution we're looking at a -470 units/year impact that's increasing apace with the per-year sum tech gain by some estimations, and beating it by others.
And, devastatingly, population increase accounts for a -1293 units/year drain, and by most estimates it's gaining faster than the technological progress add rate.
But, with these factors totalled, we're looking at a yearly net gain of 384 units!
And the forecast is for global wealth to reach 51029492 units this year.
Interestingly, the gain tends to end up in the hands of just a few folks while many of us struggle to afford health care.
Using medical information on the web as one's only source is irresponsible; it should be common sense to get a balanced opinion and also to see a real medical professional.
How does one go about seeking a balanced opinion? By going to other laymen? You must mean by seeking the advice of a trained and certified medical professional period, not "also".
But not everyone has that option. Even if you do, not everyone has health care.
We should be glad for the availability of information online (and in libraries).
With MIT.edu at the end of his email address, however, he gets heralded as a prescient futurist.
I don't want to come across as a Kurzweil fanboy or Geek Rapture devotee — I find Kurzweil a little "strident" and cheerleaderish — but you appear to fail to grasp who Kurzweil is.
For one thing, he's twice your age and he got his CS degree from MIT when you were born. Since then he's been rather busy as an inventor and businessman. He's not sitting in any ivory tower.
And this thing with exponential technological progress? The trends look real. Is it really an S-curve or will the petri dish population kill itself somehow? I think those are legit questions. Your anecdotal pharma product failure is pretty much pointless in the face of "gee, we couldn't even synthesize these drugs when I was born, or even sequence woolly mammoth genomes at all let alone quickly".
Do you really think technological progress isn't racing along? Faster and faster? Do you feel like you have to reach way back to the last millennium (say the 1980's) to find examples of technological backwardness? 15 years ago folks had to travel to libraries to do research.
The slope's high at this part of the curve, and it's ratcheting upward still. There's mind-blowing shit coming down the pike. Kurzweil's predictions are probably more accurate than yours.
Slashdot Mirror
Even those of us that are Conservatives.
We that are conservatives?
We who are conservatives.
Just had to get that in since you were making a point of appearing smart.
Jolly good show in owning up to the mistake, and with grace. Extraordinary forthrightness for Internet behavior.
I don't know how DNSSEC is supposed to work. Help me out?
Isn't the target of cracking, the 1024 bit RSA key, a long-lasting key? The server's public key?
If so, can't it be broken "as you're making the request, or before you receive the answer"? Indeed, couldn't it even be cracked before you make the request?
I might recommend looking further into this "new crypto" business.
Here are a couple links in case they're hard to find:
Just in case it's also hard to follow links, here's some selected text:
If someone hijacked slashdot's domain, they could use it to transfer money out of your account by using cross-site request forgery (CSRF).
Hm. And if someone could hijack any web page you visited, they could attempt CSRFs. Check the list of the most popular search terms and try to crack the top 10 Google results for each.
I don't know how to create CSRFs, but isn't protection against CSRF mostly handled by the target site, not the hijacked site?
Why would that matter?
Because OP said "makes me nervous about online bill pay sites", to which parent said, "this has nothing to do with online bill paying". But it does. It was an incident involving an online bill paying service, regardless of the particular kind of exploit actually used.
If I could be assured that the impact of a stolen domain for my online bill pay service was only ever a blank page with malware, I wouldn't be nervous. But the perps having control of the domain opens up much more to be nervous about because they can masquerade as a site you trust to spend money from your bank account.
I don't think that technically classifies as phishing; it's more like direct control of the business's service. Anyway, OP's nervousness is related to the stolen domain of a trusted-to-spend-your-money business, not to malware just because it happened to be used this time.
We don't yet have details on how the perps got the account credentials.
Welcome to Network Solutions, please log in.
username: hostmaster@checkfree.com
password: nochecks1
If there were a Slashdot feature to transfer money out of your bank account...
Well, for one thing, 1.www.google.com has access to the www.google.com cookie. It's also a really good place to phish from. In some circumstances, document.domain is even set up such that 1.www.google.com has script level access to www.google.com. Not good.
That makes sense. Nonexistent, subdomain host poisoning is also a serious problem.
Taking over existing domains is a superset of that serious problem, and can be done with the same style attack, just by adding glue. Because existing hijackable domains include nameserver domains, you could take over all DNS for google.com, from webservers and mail servers to SPF and DKIM records.
Anyway, it's all bad. Yes, poisoning is bad.
At this point, BIND, Nominum, Unbound, and Microsoft all suppress colliding queries. The only name server I know of that doesn't is DJBDNS, and it drops its security level noticeably.
DJB was the first to point out that Source Port Randomization would help, years ago, and he gets no credit? Why not concede any? And how many of those servers you named have been open to an easily feasible 32,000 max packet poisoning attack for the eight years that djbdns was requiring a TXID + SPR packet attack? And now you're trying to ding djbdns, characterizing it as a less secure outlier, for allowing 200 simultaneous queries, which opens the space by not quite 8 bits? TXID + SPR for djbdns is still 24 bits. TXID + SPR is only 27 for Microsoft (2500 source ports).
Scheier:
I'm not a DJB fanboy. I concede that I think the 200 simultaneous identical queries is a big loss of security. But I also recognize that DJB was doing the right thing nearly a decade ago, and warning people, while everyone else took until now, after disclosure of a specific, very bad vuln, to clean up their acts. I find it distasteful that people are reluctant to publicly acknowledge DJB's right thinking, or even to acknowledge it to themselves. That's the other face of fanboyism, just inverted from fan to detractor.
Glue distrust isn't that big of a deal.
Well, technically, glue trust is a big deal. It enables corruption of existing domains. That's a big deal. I think your point is that there are other, overshadowing problems. That may be the case; I am only familiar with this aspect of how DNS poisoning is a big deal. What specific problems arise from being able to add arbitrary subdomains in a browser context?
And, no offense to DJB, but port randomization is not by itself a sufficient response to the birthday attack. Come on, we've known not to have simultaneous outstanding requests for the same name for the last six years.
Port randomization helps. I don't think there's any offense to be had on DJB's part; port randomization was never said to be sufficient. Defense in depth means doing what you can where you can, "practical mitigation". DJB advised port randomization (and non-colliding queries) at least seven years ago. The CERT advisory came out a year later.
yes his attack only involves one dns server
I think this is better said as "the attack undermines any vulnerable caching DNS resolver".
People need to distinguish between DNS servers and caching resolvers.
...invisibly
To be effective you need to redirect people to a machine under your control. Some "downstream" resolvers would log the poisoned results, thus getting you the IP of such a machine and a step closer to the perpetrator.
As far as hype, there are a lot of people out there who are quick to judge a situation based on perceived personalities rather than details of the facts or are quick to think about things emotionally (i.e., what they want or fear). This vuln is very big and very important and very scary. Some of the media around it sensationalize this, which doesn't help.
If more folks ran DJB's dnscache then more folks wouldn't be as scared and would probably be more inclined to nodding at the importance of the vuln. (And less inclined to thinking Kaminsky's discovery was unprecedented.)
DJB's dnscache (half of the djbdns suite): Randomizes source port, distrusts glue.
Is there no better way to get those certs approved?
Is it possible to install Firefox with your own CA cert? Or maybe the employees install their own Firefox at your site?
This legislation brought to you by the California Bluetooth Vendors Association.
Being a local business whore is much better than being a multinational conglomerate whore.
How's that for charged (and missing the point) editorial? Pretty distasteful.
This seems like a very unusual thing to do.
May I ask why you chose this?
Heck, just mail them a payment.
First of all, as I pointed out to the other person, lack of aging does not [mean] you never die!
No, it just means that people live a lot longer. And I already looked at adding 30 and 60 years to lifespan and the result was horrific.
Second, you fail to take into account that population growth is naturally decreasing...
Actually, I took that into consideration. It's independent of my point. You said immortality (i.e., life extension) would have a negative impact on population growth, so my response is that no it would have a positive impact. That's my point. That's what I'm addressing.
You could say "Well, life extension would lead to a temporary bump in population growth, but with life extension coming on gradually and with overall trends in decreasing population growth and with life extension itself providing some negative feedback into the loop, we'd end up with a workable balance." I think you were conflating "it's gonna be alright eventually" with "extending life decreases population". Or at least you came across to me (and apparently others) that way.
I doubt that immortal people will continue to crank out kids decade after decade. It's more likely that an older population of people who have "been there, done that" will be done making kids, and we'll actually have an human extinction crisis in 1,000 years.
You don't need any one generation to keep having kids to have a population problem. Just failing to die off will cause numbers to rocket.
You'd increase the population growth rate by 50%. (Yearly birth rate around 134M, yearly death rate around 62M pre-immortality.) Dude, taking your population growth rate and multiplying it by 1.5 is not a decrease.
But, yeah, you're sure to hit a extinction crisis somewhere in that surge. And, yeah, in that way immortality would lead to a decreasing population. But I wouldn't want to see it. I wouldn't want to see world-wide war, famine, and pestilence mowing down vast swaths of humanity, the newly immortal keening with horrific grief at eternal loss.
Immortality leads to rocketing population. If you want to do something about it, I recommend not allowing new children in a bloodline unless elders die off.
Renew!
Renew!
Absolutely right. Due to increased efficiencies and improved and novel abilities to tap natural resources brought by technological progress we're looking at a +2147 units/year game. And that number is on the rise! The sum as affected by tech is not zero, it's quite positive.
Sadly, due to pollution we're looking at a -470 units/year impact that's increasing apace with the per-year sum tech gain by some estimations, and beating it by others.
And, devastatingly, population increase accounts for a -1293 units/year drain, and by most estimates it's gaining faster than the technological progress add rate.
But, with these factors totalled, we're looking at a yearly net gain of 384 units!
And the forecast is for global wealth to reach 51029492 units this year.
Interestingly, the gain tends to end up in the hands of just a few folks while many of us struggle to afford health care.
Using medical information on the web as one's only source is irresponsible; it should be common sense to get a balanced opinion and also to see a real medical professional.
How does one go about seeking a balanced opinion? By going to other laymen? You must mean by seeking the advice of a trained and certified medical professional period, not "also".
But not everyone has that option. Even if you do, not everyone has health care.
We should be glad for the availability of information online (and in libraries).
How much fun academia must be.
With MIT.edu at the end of his email address, however, he gets heralded as a prescient futurist.
I don't want to come across as a Kurzweil fanboy or Geek Rapture devotee — I find Kurzweil a little "strident" and cheerleaderish — but you appear to fail to grasp who Kurzweil is.
For one thing, he's twice your age and he got his CS degree from MIT when you were born. Since then he's been rather busy as an inventor and businessman. He's not sitting in any ivory tower.
And this thing with exponential technological progress? The trends look real. Is it really an S-curve or will the petri dish population kill itself somehow? I think those are legit questions. Your anecdotal pharma product failure is pretty much pointless in the face of "gee, we couldn't even synthesize these drugs when I was born, or even sequence woolly mammoth genomes at all let alone quickly".
Do you really think technological progress isn't racing along? Faster and faster? Do you feel like you have to reach way back to the last millennium (say the 1980's) to find examples of technological backwardness? 15 years ago folks had to travel to libraries to do research.
The slope's high at this part of the curve, and it's ratcheting upward still. There's mind-blowing shit coming down the pike. Kurzweil's predictions are probably more accurate than yours.
Gird your future shock helmet.
Fuckin' cheaters.
"Feel free, my friend. Whatever moves your cursor."
<C-[> is also escape. (That's Control-left bracket.)
D and C will do the same.