
Somebody asked what’s so scary about RPZ?

@pmoriarty asks “What’s so scary about RPZ?” in reference to a couple of tweets of mine regarding DNS reputation blacklisting.

So I’ll try to phrase a response. It’ll take more than 140 characters.

First up, I want to be clear about the terms of the question – this is not a technical crit of RPZ, it’s certainly not a crit of Vixie for whom I have enormous respect – although we’ve not met since Ranum and my getting dreadfully drunk at some Monterey USENIX bash in the mid 90s and my listening to MJR and Vixie hammering out some obscure point of trust, leaving me with an impression of Paul being a paragon of earnestness.

The question is: what are my fears, regarding RPZ. So I shall be brief, but in round terms my concerns are these:

Infinite Space Whackamole
DNS is a potentially infinite space, certainly potentially (actually?) larger than IPv4. If I took the contrary position of “what if we went to a whitelist-only system?” – I believe the proposition would be declared unworkable due to its complexity and communication-inhibiting nature; from this we can establish that any significant amount of declaring who is “good” and who is “bad” makes for an unworkable solution irrespective of who does it, an issue which equally affects blacklisting.
Empirical Sensation
Twice, now, I’ve had to deal with some idiot security company blacklisting my security-themed blog as a “hacking” website, and preventing several of my friends reaching it/me, so that they have to resort to Twitter and Facebook to let me know there’s a problem. The cleanup/appeals procedure is atrocious, and would be worse if my key resource (my domain) was blacklisted. I have no reason to believe DNS blacklisting will be better administrated.
The Law of Unintended Consequences
Witness 1) Wikipedia and 2) the sort of stuff that happens because of the IWF which I am sure some day some politician will try to use to their benefit; it would be better if such a structure did not exist
WTF? – a subclass of the previous
Vixie writes: “Most new domain names are malicious”; as Wikipedia would say that’s a matter of “[citation needed]” but also I wonder what’s being got-at here; yes I have suffered any number of redirects through u43vbs1egs.com to www.viagrascammers.com, but banning them just means they’ll all just move to GMail or Picasa.

So – whitelists? blacklists? What’s my choice?

I choose neither, I express a preference for “everybody learning to live in a world where spam, fraud and other forms of shit, exist”; and if they don’t like that then it’s their tough luck.

But these are my fears. You asked. :-)

Demo Password Cracker in 1 line of Perl

By someone’s request, one of my old demonstration programs:

perl -nle 'setpwent;crypt($_,$c)eq$c&&print"$u=$_"while($u,$c)=getpwent' <dictfile

…works on Unixes without shadow files / with NIS, or with root privilege.

It’s hardly the most efficient way of doing a sweep for weak passwords, but there was a time where doing:

echo changeme | perl -nle ...cut-and-paste...

…was horrifyingly effective when given a NIS password map containing 30,000+ entries.

Happy now, Paul?
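
The one-liner only works where crypt() hashes are readable, which is the "no shadow files / NIS" condition noted above. As an added example (not part of the original post), this shell function reads passwd(5)-format lines and flags the accounts whose hash is exposed; the function names, status labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: classify the password field of
# passwd(5)-format input so exposed crypt() hashes can be found and moved
# into shadow storage. Prints one "user:STATUS" line per entry.

audit_passwd() {
    awk -F: '
        /^[ \t]*$/ || /^[ \t]*#/ { next }                # blank lines, comments
        /^[+-]/      { print $1 ":NIS_COMPAT"; next }    # compat entry: NIS map is merged in
        NF < 7       { print $1 ":MALFORMED"; next }
        $2 == ""     { print $1 ":EMPTY"; next }         # no password required at all
        $2 == "x"    { print $1 ":SHADOWED"; next }      # hash is held in the shadow file
        $2 ~ /^[*!]/ { print $1 ":LOCKED"; next }        # can never equal crypt() output
        substr($2, 1, 1) == "$" { print $1 ":EXPOSED_MODULAR"; next }  # $id$salt$hash
        length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" { print $1 ":EXPOSED_DES"; next }
        { print $1 ":UNKNOWN" }
    '
}

# Constructed sample input; the hash strings are placeholders, not real hashes.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:abcdefghijk.Z:1001:1001:Alice:/home/alice:/bin/sh
bob:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1002:1002:Bob:/home/bob:/bin/sh
carol::1003:1003:Carol:/home/carol:/bin/sh
daemon:*:1:1:daemon:/:/usr/sbin/nologin
+::::::
EOF
}

sample_passwd | audit_passwd
```

On a live system, feed it `getent passwd` or `ypcat passwd` instead of the sample; any EXPOSED_* or EMPTY line is an account the one-liner could test without root.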

Eileen’s Baked Apple Recipe

  • lg handful chopped dates
  • lg handful chopped dried apricots
  • spoon sticky honey
  • small splash water

warm-through the above mixture (low heat) in a small saucepan until goopy and thoroughly mixed, and some of the water has evaporated off

de-core 2+ cooking apples and score them equatorially with a knife tip

stuff the hollow apple cores with the mixture above

place apples in a smallish ceramic dish, add a splash of water in the base to provide steam/humidity.

cook at 200C until apple starts to leak from the scored equatorial line

Regarding the police’s use of “fluid debonding agents” for #superglue protestors

The jokes just write themselves…

http://www.bbc.co.uk/news/magazine-11062193

How do you un-glue a protester?

Climate campaigners superglued themselves to a car park gate during a demonstration on Monday. How are they released?

It is the latest tactic used by direct action activists to make sure they stick in the public consciousness – but you definitely should not try it at home.

Climate campaigners in Edinburgh are the latest to superglue themselves to premises in order to make a point – a technique designed to cause maximum disruption to police.

A Scotland Yard spokesman says its officers use a “fluid de-bonding agent” to detach them, but declined to specify exactly which one for operational reasons.

I suppose that if the police told us all how to defeat superglue, that society would become unstuck at the hands of adhesive terrorists.

Further punnage welcome below…

#TFL has a “Head of Behaviour Change” job role?

This is great, until you get to the signature…

What do they call him in private – “Head of Cognitive Bicycle Therapy?”

political correctness question

uggc://jjj.oop.pb.hx/arjf/hx-11067028

Dhbgr:
Qba’g ynory urebva hfref nf ‘whaxvrf’ – Qeht Pbzzvffvba
Crbcyr fubhyq fgbc pnyyvat urebva hfref “whaxvrf” be “nqqvpgf”, na vasyhragvny guvax gnax ba qehtf unf fnvq.

Fb jung’f na npprcgnoyr nygreangvir? “Crbcyr bs Fznpx?”

NYTimes damning #WikiLeaks by faint acknowledgement of quashed rape warrant?

OK – here’s a cool experiment – go to the NYT homepage and do a search on WikiLeaks and you’ll get the following search results and headline:

Sweden Rescinds Warrant for WikiLeaks Founder Julian Assange
Julian Assange was sought by Swedish prosecutors for questioning on rape allegations, but the prosecutors then said the accusations were …

Note the headline. Now, click through to the link:

Sweden Adds to Drama Over Founder of WikiLeaks
By JOHN F. BURNS and ERIC SCHMITT
Published: August 21, 2010

LONDON — Julian Assange, the founder of the WikiLeaks Web site who is embroiled in a fight with the Pentagon over the disclosure of secret military documents, was caught up in a new drama on Saturday when Swedish prosecutors sought him for questioning on allegations of rape and molestation — and then announced the rape allegation was unfounded.

WTF is “Adds To Drama?” Surely the big news is the quashing of the allegation, it’s not “additional drama” it’s complete negation of the old story, and a bigger one atop it viz: who issued the warrant, why, and under what circumstances?

A Contrarian View: Evolutionary pressure is being applied to the Web. Excellent!

I was going to make this a longer and more academic blogpost, but today’s news (whatever the truth or falsehood behind it) makes it more pertinent than it has been for quite some time.

To make the points briefly:

In some ways I see this all as a goodness; sorry if that comes as a shock but what is happening here is a form of evolutionary selection, and what is being selected-for are the protocols and mechanisms that are even more proof against the efforts of a centralised control/authority.

Consider the loss of net neutrality, the premise of which is that a carrier (eg: Verizon) can receive money from a website that wants their traffic to be delivered as quickly as (eg:) Google’s traffic. Contrariwise, it means Google can pay Verizon to ensure that its traffic arrives preferentially to any other providers’ traffic.

Now step back for a moment, and realise that net neutrality only works when a carrier is in a position to extort receive money from one data provider to serve its data in preference to another; but in a BitTorrent-like network such a control is an irrelevance — the first packet comes from Finland, the next from France, the third from Malaysia… there is no throat to be choked, nobody from whom to demand payment, and the result of losing net-neutrality will be to encourage adoption of BitTorrent and similar distributed data models [edit:] which will maintain high-bandwidth to the end user, below the radar of corporate bandwidth chokes.

Re: WikiLeaks – I don’t know what’s going on, but I am pretty sure that any attempt now to remove Julian Assange from it will only result in the infrastructure itself becoming even more distributed and harder-to-destroy than it currently is; and there will be clones and forks, too. The result will be information-leakage-whack-a-mole across the breadth of the net.

People in the Government who are trying to kill WikiLeaks should really read-up on the consequences of the improper use of antibiotics; or maybe re-watch Star Wars ep IV:

Obi-Wan: “If you strike me down, I shall become more powerful than you could possibly imagine”