Categories
Internet Pet Peeves

Heise, Slashdot, Broken Records, and DNSSEC

Almost whenever a security event involving Windows is featured on Slashdot or Heise, some Linux fanboys will invariably post their cocky “that would not have happened with Linux” messages.

I am starting to see the same thing with DNS incidents and DNSSEC.

This is just as childish and stupid, especially as the voices writing such notes are often enough established engineers and not your average adolescent geek.

In reality most of the recent DNS hacks were not perpetrated by crafting forged DNS responses to poison caches but were successful attacks against the Registrar/Registrant interfaces. No, DNSSEC would not have helped in such a case.

The same is true for DNSSEC and the domain-based censorship which was just passed by the German government. DNSSEC will not help here. It is no panacea against meddling with DNS answers. It depends on who is doing the validation and whether the offending domains are actually signed or not (not likely these days):

  1. DNSSEC validation is done at the ISP resolver:

    DNSSEC doesn’t help the end-user here at all.

  2. DNSSEC validation in the client, ISP recursor is used:

    If the domain is signed, then the user will get an NXDOMAIN (or maybe better error reporting) instead of the IP address of the STOP-sign website.

    So the censoring still works, just the alerting of the user (and the logging of the STOP-sign access) does not.

  3. DNSSEC validation in the client, full recursion at the client:

    Censorship is ineffective. Just the same as when the local recursor does no DNSSEC checking.

Remember: DNSSEC is not about the availability part of security, it’s only about the integrity. Censorship does not really need to attack the integrity, it’s all about availability.
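The three cases above can be played through in a small model. This is an added example, not code from the original post: the names, addresses and blocklist are constructed, an HMAC stands in for the RRSIG public-key signature, and the client-side failure is reported as a generic `VALIDATION_FAILURE` rather than a specific DNS response code.

```python
import hashlib
import hmac

ZONE_KEY = b"constructed-zone-key"   # stand-in for the zone's signing key (assumption)
STOP_IP = "192.0.2.1"                # constructed address of the STOP-sign site
BLOCKLIST = {"blocked.example"}      # constructed blocklist held by the ISP resolver
RECORDS = {"blocked.example": "198.51.100.7", "ok.example": "198.51.100.8"}

def sign(name, ip):
    # HMAC stands in for an RRSIG; real DNSSEC uses public-key signatures,
    # so the censoring resolver is assumed unable to produce a matching one.
    return hmac.new(ZONE_KEY, f"{name}|{ip}".encode(), hashlib.sha256).hexdigest()

def authoritative(name, zone_signed):
    ip = RECORDS[name]
    return ip, (sign(name, ip) if zone_signed else None)

def isp_resolver(name, zone_signed):
    ip, sig = authoritative(name, zone_signed)
    if name in BLOCKLIST:
        return STOP_IP, sig          # rewritten address, signature no longer matches
    return ip, sig

def valid(name, ip, sig):
    return sig is not None and hmac.compare_digest(sig, sign(name, ip))

def lookup(name, zone_signed, validator, path):
    """validator: 'isp', 'client' or 'none'; path: 'isp' or 'direct' (full recursion)."""
    fetch = isp_resolver if path == "isp" else authoritative
    ip, sig = fetch(name, zone_signed)
    # A validating client learns from the chain of trust whether the zone is
    # signed; unsigned zones are accepted as-is.
    if validator == "client" and zone_signed and not valid(name, ip, sig):
        return "VALIDATION_FAILURE"
    return ip

if __name__ == "__main__":
    cases = [
        ("1. validation at ISP resolver", True, "isp", "isp"),
        ("2. client validates, ISP recursor, signed", True, "client", "isp"),
        ("2. client validates, ISP recursor, unsigned", False, "client", "isp"),
        ("3. client validates, full recursion", True, "client", "direct"),
        ("3'. no validation, full recursion", True, "none", "direct"),
    ]
    for label, signed, validator, path in cases:
        print(f"{label}: {lookup('blocked.example', signed, validator, path)}")
```

In no case does validation restore access through the ISP recursor: it only turns the rewritten answer into a failure, and only when the zone is signed.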

Categories
Life

Diversions at work

Our office is at a busy intersection and sometimes this provides interesting views:

bim vs rettung

Categories
Tracks

Tracks

track 2009-06-11a

This time I tried something new: the goal was to build a track where the electric locomotive would pass over all pieces when set on the track. That goal is simple to reach by building a simple loop or anything else topologically isomorphic to a circle. Getting the same result with a lot of switches and having the train run back over the same piece is a lot trickier. The only assumption you need to make is that the train will take the straight rail when encountering a switch.

track 2009-06-11b

The second picture is right before Godzilla got her fingers on the track.

Categories
Tracks

Tracks

Hannes and Evelyn are back in Vienna. We built this one together:

track 209-06-09

Categories
Tracks

A new feature for this blog

Kevin Drum does “Friday cat-blogging”, John Cole also has pictures of pets between serious posts, so I thought I’d do something similar.

So, from now on this blog will feature wooden train tracks.

Clemens Track

They are actually toys for the kids. When we first got them, Clemens didn’t quite know what to do with them, but now he is finally starting to build his own tracks and trains to push along.

And then there is the menace of the land of trains: Godzilla, the destroyer of tracks:

Elena engine

Anyway, as with a good deal of the stuff kids get from their parents, it’s not all selfless giving. (Andrea is looking forward to buying Clemens a Carrerabahn, as she always wanted to have one as a kid.) Sometimes it’s nice to have an excuse for playing with children’s toys again.

So I’ve taken up building fancy sets of tracks with Clemens’ wooden tracks.

I’ve started to photograph my creations some time ago and will now upload them. I’ll date the blog posts accordingly, so some of the entries will appear in the past. Use this link to see them all.

Categories
Internet Pet Peeves

Bad timing, Last.fm

Date: Wed, 20 May 2009 14:05:42 +0000
To: @bofh.priv.at
From: “Last.fm”
Subject: Your free trial to Last.fm Radio is over. Did you enjoy it?

Hi XYZ,

Your free trial to Last.fm Radio is about to end. If you’re enjoying it, why not
subscribe for only €3.00/month and continue listening to non-stop personalised
radio.

http://www.last.fm/subscribe

Best Regards,
The Last.fm Team

and

Deny This, Last.fm
by Michael Arrington on May 22, 2009

A couple of months ago Erick Schonfeld wrote a post titled “Did Last.fm Just Hand Over User Listening Data To the RIAA?” based on a source that has proved to be very reliable in the past. All hell broke loose shortly thereafter.

I was inclined to pay them the 3€, partly because I’ve listened a lot to a stream from them, but after this breach of their privacy agreement?

Sorry, no deal guys.

[Update: yes, I know that LastFM is disputing this story.]

Categories
Life

And then the first year was over …

It’s strange: this happened just a year ago, but sometimes it feels like it was ages ago. Maybe it just depends on the perspective: For Elena, this year made quite a difference: from 9 months to 21 months of existence, or from zero to one year of life. For me it was just the step from 38 to 39 years. No big deal.

Elena's first birthday

Categories
CERT

Otmar @ DNS-OARC in Amsterdam

I almost forgot: one of the reasons I was in Amsterdam was the DNS-OARC Workshop. I gave two presentations there:

An update on the post-Kaminsky patch statistics concerning the Austrian recursors.

Stephane asked me to be on a panel regarding what Registries should do about Conficker (and similar threats). I presented our point of view with these slides.

Categories
Tracks

Tracks

track 2009-05-21

This one started with the crossing in the center.

Categories
Internet

A Picture from Amsterdam

The Internet Community thanks the RIPE staff for their dedicated work during the RIPE and OARC meeting:

Donating to RIPE