22 Dec 2017
Let's say I'm with the Chinese government and
decide that I am tired of people evading currency controls and money
laundering using Bitcoin. So we adjust the Great Firewall of China to
block port 8333. We also add some proxies that allow some uncleared
transactions from outside to flow into Chinese networks but not the
other way, and keep track of which ones we let through.
Since a large fraction of the miners are inside China and all of the
hard currency exchanges are outside, this will cause a pretty serious
fork. No doubt people will start trying to evade the block, but the
GFoC works pretty well, and any evasion will take a while to start
being effective. It'd also be easy to tell who was trying to evade
(look for outside transactions in the chains they publish) and send
someone around to chat with them.
Even if the two sides are eventually reunited, then what? You have
two separate chains, with overlapping sets of transactions, which
would make any sort of ad-hoc hack to splice one chain onto the other
impossibly hard, even if the anarchists in the Bitcoin world could
agree to it. Bitcoin's chain-selection rule (nodes follow the chain with the most
accumulated proof of work) would eventually make one chain win and the other
one disappear. If some of the disappeared transactions were yours, how would
this affect your opinion on Bitcoins?
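To make that last point concrete, here is an added example (not code from the post) that simulates the split: a shared history, an "inside" partition with most of the hash power, an "outside" partition that mines more but lighter blocks, and the reorg when the two are reunited. The most-work rule, the block weights, the transaction ids and the outpoints are all constructed for the illustration; they are not real Bitcoin data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset        # outpoints (previous outputs) this tx spends


@dataclass(frozen=True)
class Block:
    height: int
    work: int                # proof-of-work contributed; nodes sum this as chainwork
    txs: tuple


def chain_work(chain):
    return sum(b.work for b in chain)


def select_chain(candidates):
    """Bitcoin nodes follow the chain with the most accumulated work,
    not the one with the most blocks or the most transactions."""
    return max(candidates, key=chain_work)


def confirmed(chain):
    return {tx.txid: tx for block in chain for tx in block.txs}


def reorg_outcome(winner, loser):
    """Sort the losing chain's transactions after a reorg into:
      kept      also on the winner, still confirmed
      reminable not on the winner, no conflict; back to the mempool, may confirm later
      dead      not on the winner and spending an outpoint the winner already spent;
                can never confirm again (the post's "disappeared" transactions)
    """
    win = confirmed(winner)
    spent_on_winner = {op for tx in win.values() for op in tx.inputs}
    kept, reminable, dead = set(), set(), set()
    for txid, tx in confirmed(loser).items():
        if txid in win:
            kept.add(txid)
        elif tx.inputs & spent_on_winner:
            dead.add(txid)
        else:
            reminable.add(txid)
    return kept, reminable, dead


def tx(txid, *outpoints):
    return Tx(txid, frozenset(outpoints))


def partition_scenario():
    """Constructed data modelling the post: a shared history, then two
    partitions. Inside has most of the hash power; outside has fewer miners
    but mines more (lighter) blocks and sees transactions inside never gets."""
    common = [Block(1, 10, (tx("t1", "o1"),))]
    inside = common + [
        Block(2, 15, (tx("t2", "o2"), tx("t3", "o3"))),   # t2 let through a proxy
        Block(3, 15, (tx("t4", "o4"),)),
    ]
    outside = common + [
        Block(2, 8, (tx("t2", "o2"), tx("t5", "o3"))),    # t5 spends o3, conflicting with t3
        Block(3, 8, (tx("t6", "o6"),)),
        Block(4, 8, (tx("t7", "o7"),)),
    ]
    return inside, outside


if __name__ == "__main__":
    inside, outside = partition_scenario()
    winner = select_chain([inside, outside])
    loser = outside if winner is inside else inside
    print("winner is", "inside" if winner is inside else "outside",
          "with work", chain_work(winner), "vs", chain_work(loser))
    print("kept / reminable / dead:", reorg_outcome(winner, loser))
```

Two things the simulation shows that the paragraph glosses over: the longer chain (four blocks) loses to the heavier one (three blocks), because nodes compare accumulated work, not length; and of the losing chain's transactions only the ones that conflict with a spend on the winning side truly vanish, while the rest go back to the mempool and usually confirm later. The "disappeared" transactions are exactly the conflicting ones, which is why a long partition with active spending on both sides is the damaging case.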
Stable link is https://jl.ly/Money/bitsplit.html
22 Oct 2017
Reps. Graves and Sinema recently introduced H.R. 4036, the catchily named
Active Cyber Defense Certainty Act (ACDC Act), which creates some exceptions to the criminal provisions of computer crime laws.
Lots of reports have decried "hack back" but if you read the bill, it's surprisingly
well targeted.
See more ...
Stable link is https://jl.ly/Internet/hackback.html
26 Sep 2017
Here's some unexpected advice about what to do about the recent
giant Equifax breach: nothing.
See more ...
Stable link is https://jl.ly/Money/equinot.html
26 Aug 2017
A recent article
in the New York Times Dealbook column reported on phone number hijacking, in which a
bad guy fraudulently takes over someone's mobile phone number and uses it to
reset credentials and drain the victim's account.
It happens a lot, even to
the chief technologist of the FTC.
This reminds us that security is hard, and understanding two-factor authentication is
harder than it seems.
The usual definition of two-factor is to pick two different items from
a list of security types:
See more ...
Stable link is https://jl.ly/Security/2fphone.html
10 Aug 2017
Yesterday's article introduced my
DNS extension language, intended to make it easier to add new DNS
record types to DNS software.
It described a new perl module Net::DNS::Extlang that uses the extension language
to automatically create perl code to handle new RRTYPEs.
Today we look at my second project, intended to let people create DNS records and zone
files with new RRTYPEs.
See more ...
Stable link is https://jl.ly/Internet/extlang2.html
08 Aug 2017
The Domain Name System has always been intended to be extensible.
The original spec in the 1980s had about a dozen resource record types (RRTYPEs),
and since then people have invented many more so now there are about 65 different RRTYPEs.
But if you look at most DNS zones, you'll only see a handful of types, NS, A, AAAA, MX, TXT,
and maybe SRV.
Why?
A lot of the other types are arcane or obsolete, but there are plenty that are useful.
Moreover, new designs like DKIM, DMARC, and notoriously SPF have reused TXT records
rather than defining new types of their own. Why? It's the provisioning crudware.
While DNS server software is regularly updated to handle new RRTYPEs, the web based
packages that most people have to use to manage their DNS are almost never updated,
and usually handle only a small set of RRTYPEs.
This struck me as unfortunate, so I defined a DNS extension
language that provisioning systems can use to look up the syntax of new RRTYPEs, so
when a new type is created, only the syntax tables have to be updated, not the software.
Paul Vixie had the clever idea to store the tables in the DNS itself (in TXT records
of course), so after a one-time upgrade to your configuration software, new RRTYPEs
work automagically when their description is added to the DNS.
The Internet draft that
describes this has been kicking around for six years, but with support from ICANN (thanks!)
I wrote some libraries and a sample application that implement it.
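The mechanism the post describes, as an added example: a table-driven parser for RRTYPE presentation syntax, where adding a type means adding a descriptor row rather than changing code. This is not code from the post, the Internet draft, or Net::DNS::Extlang, and the descriptor grammar and field codes below ("NAME:TYPECODE FIELDTYPE:label ...", with I1/I2/I4, N, A, AAAA and S) are an illustrative invention standing in for the real extension language. The descriptor strings are the kind of text that, in Paul Vixie's variant, would be fetched from a TXT record.

```python
import ipaddress
import re
import shlex

# Assumed descriptor syntax (an illustration, not the draft's grammar):
#   "RRNAME:TYPECODE  FIELDTYPE:label  FIELDTYPE:label ..."
# Field types: I1/I2/I4 unsigned integer of that width, N domain name,
# A IPv4 address, AAAA IPv6 address, S character string.
DESCRIPTORS = {
    "A": "A:1 A:address",
    "MX": "MX:15 I2:preference N:exchange",
    "SRV": "SRV:33 I2:priority I2:weight I2:port N:target",
}

_INT_MAX = {"I1": 0xFF, "I2": 0xFFFF, "I4": 0xFFFFFFFF}
_OTHER = {"N", "A", "AAAA", "S"}
_LABEL = re.compile(r"^[A-Za-z0-9_-]{1,63}$")


def parse_descriptor(text):
    """Turn one descriptor line into (rrname, typecode, [(ftype, label), ...])."""
    head, *fields = text.split()
    rrname, code = head.split(":")
    spec = []
    for item in fields:
        ftype, label = item.split(":")
        if ftype not in _INT_MAX and ftype not in _OTHER:
            raise ValueError(f"unknown field type {ftype!r} in {rrname}")
        spec.append((ftype, label))
    return rrname, int(code), spec


def register(descriptor_text, descriptors=DESCRIPTORS):
    """Add a new RRTYPE by table entry only; no parser change needed.
    Validate the descriptor before storing it, since in the post's design
    it arrives from the DNS rather than from the local code base."""
    rrname, _, _ = parse_descriptor(descriptor_text)
    descriptors[rrname] = descriptor_text
    return rrname


def _domain_name(value):
    labels = value.rstrip(".").split(".")
    if len(value) > 255 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"bad domain name {value!r}")
    return value


def _convert(ftype, token):
    if ftype in _INT_MAX:
        n = int(token, 10)
        if not 0 <= n <= _INT_MAX[ftype]:
            raise ValueError(f"{ftype} value out of range: {token}")
        return n
    if ftype == "N":
        return _domain_name(token)
    if ftype == "A":
        return str(ipaddress.IPv4Address(token))
    if ftype == "AAAA":
        return str(ipaddress.IPv6Address(token))
    return token  # S: shlex already stripped the surrounding quotes


def parse_rdata(rrtype, rdata, descriptors=DESCRIPTORS):
    """Validate presentation-format RDATA against the table.
    Returns (typecode, {label: value}) or raises ValueError."""
    if rrtype not in descriptors:
        raise ValueError(f"no descriptor for {rrtype}")
    _, code, spec = parse_descriptor(descriptors[rrtype])
    tokens = shlex.split(rdata)
    if len(tokens) != len(spec):
        raise ValueError(f"{rrtype} expects {len(spec)} fields, got {len(tokens)}")
    return code, {label: _convert(ftype, tok)
                  for (ftype, label), tok in zip(spec, tokens)}


def rejects(rrtype, rdata, descriptors=DESCRIPTORS):
    """True if the table-driven validator refuses this RDATA."""
    try:
        parse_rdata(rrtype, rdata, descriptors)
    except ValueError:
        return True
    return False
```

The validation is the part a provisioning system actually needs: a web form that accepts "70000" as an MX preference or a string with shell metacharacters as an SRV target is how bad records get into zones. With the syntax in a table, the checks for a type nobody had heard of when the software shipped are the same checks as for MX, and the only new code for URI (RRTYPE 256, three fields) is the descriptor line.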
See more ...
Stable link is https://jl.ly/Internet/extlang.html
17 May 2017
It is not much of an exaggeration to say that
the Digital Millennium Copyright Act
of 1998 makes the Internet as we know it possible.
The DMCA created a safe harbor that protects online service providers from copyright suits so
long as they follow the DMCA rules.
One of the rules is that the provider has to register with the Copyright Office, to designate an agent
to whom copyright complaints can be sent.
The original process was rather clunky: send in a paper form that they scan into their database, along
with a check.
This year there is a new online system, and as of December they will no longer provide the old paper
database.
So if you are a provider (run web servers, for example) and want to take advantage of the safe harbor,
you have to register or re-register.
See more ...
Stable link is https://jl.ly/Internet/dmcareg.html
30 Apr 2017
Among the many issues affecting ICANN's thousand new TLDs is collisions, that
is, the same name already used elsewhere.
The other uses are non-standard and unofficial, but some names turn out to have
been used a lot.
One approach to see how bad the collisions are is controlled interruption,
in which the TLD publishes wildcard records with obviously impossible values, in
the hope that systems that use colliding names see them and do something about it.
The process is pretty simple. For 90 days the domain publishes records like these
currently in the new .hotels TLD:
hotels. 3600 in a 127.0.53.53
hotels. 3600 in mx 10 your-dns-needs-immediate-attention.hotels.
hotels. 3600 in txt "Your DNS configuration needs immediate attention see https://icann.org/namecollision"
hotels. 3600 in srv 10 10 0 your-dns-needs-immediate-attention.hotels.
*.hotels. 3600 in a 127.0.53.53
*.hotels. 3600 in mx 10 your-dns-needs-immediate-attention.hotels.
*.hotels. 3600 in txt "Your DNS configuration needs immediate attention see https://icann.org/namecollision"
*.hotels. 3600 in srv 10 10 0 your-dns-needs-immediate-attention.hotels.
When the 90 days are up, the domain takes out the interruption records, and starts
putting in real ones.
That's the theory, and what the ICANN registry agreements require.
The practice turns out to be different.
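The interruption records only help if someone on the colliding network notices them, so here is an added example (not from the post or from ICANN) of the check an operator would run over their own resolver's answers: flag every lookup that came back with the 127.0.53.53 marker address, the your-dns-needs-immediate-attention MX/SRV target, or the namecollision TXT, and group them by client so the affected machines and the internal suffix can be found. The log format is an assumption (one line per answer: client, name, type, rdata) and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# The three markers controlled interruption publishes (values from the post).
MARKER_A = ipaddress.IPv4Address("127.0.53.53")
MARKER_TARGET = re.compile(r"^your-dns-needs-immediate-attention\.[a-z0-9-]+\.?$", re.I)
MARKER_TXT = "icann.org/namecollision"

# Constructed sample in an assumed format, not any resolver's native log:
#   <client-ip> <qname> <qtype> <rdata>
SAMPLE_LOG = """\
10.1.2.3 printserver.hotels A 127.0.53.53
10.1.2.3 www.example.com A 192.0.2.10
10.1.2.9 hotels MX 10 your-dns-needs-immediate-attention.hotels.
10.1.2.9 _ldap._tcp.hotels SRV 10 10 0 your-dns-needs-immediate-attention.hotels.
10.1.7.7 intranet.hotels TXT "Your DNS configuration needs immediate attention see https://icann.org/namecollision"
10.1.7.7 localhost A 127.0.0.1
"""


def is_collision_marker(qtype, rdata):
    """True if this answer is one of the interruption records rather than real data."""
    qtype = qtype.upper()
    if qtype == "A":
        try:
            return ipaddress.IPv4Address(rdata.strip()) == MARKER_A
        except ValueError:
            return False
    if qtype in ("MX", "SRV"):
        return bool(MARKER_TARGET.match(rdata.split()[-1]))
    if qtype == "TXT":
        return MARKER_TXT in rdata
    return False


def scan(lines):
    """Map each client to the names it looked up that hit an interruption marker."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.strip().split(None, 3)
        if len(parts) < 4:
            continue                      # blank or truncated line
        client, qname, qtype, rdata = parts
        if is_collision_marker(qtype, rdata):
            hits[client].add(qname.rstrip(".").lower())
    return dict(hits)


def colliding_suffixes(hits):
    """The TLDs behind the hits: the internal suffixes that now collide."""
    return {name.rsplit(".", 1)[-1] for names in hits.values() for name in names}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for client, names in sorted(found.items()):
        print(client, "->", ", ".join(sorted(names)))
    print("colliding suffixes:", colliding_suffixes(found))
```

127.0.53.53 is deliberately a loopback address, so a host that used to reach an internal "printserver.hotels" by search-list expansion now connects to itself; that failure is the signal. The check is only useful during the 90 days the markers are published, which is the point of the post: once real records replace them, the same lookups silently resolve to whatever the registrant put there.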
See more ...
Stable link is https://jl.ly/ICANN/newtldcrud.html
21 Apr 2017
Classified ad site craigslist is famously protective of its contents.
While they are happy for search engines like Google to index the
listings, they really, really do not like third parties to scrape
and republish their content in other forms.
In 2013 craigslist sued a company called 3taps which had created
an API for craigslist data. They also sued real estate site Padmapper, which
showed craigslist and other apartment listings on a map, something
craigslist didn't do at the time.
After extensive
legal wrangling,
3taps eventually gave up and in 2015 paid craigslist $1 million and shut down.
Craigslist donated the money to the EFF which was a little odd since the EFF
had generally supported 3taps.
One of 3taps' other customers was another real estate site Radpad, which
kept showing craigslist listings after 3taps shut down.
See more ...
Stable link is https://jl.ly/Email/radpad.html
13 Apr 2017
M3AAWG is a trade association that brings together ISPs, hosting providers,
bulk mailers, and a lot of infrastructure vendors to discuss messaging abuse, malware,
and mobile abuse. (Those comprise the M3.) One of the things they do is publish
best practice documents for network and mail operators, including two recently published,
one on
Password Recommendations for Account Providers,
and another on Password Managers Usage Recommendations.
Since I'm one of M3's senior technical advisers, I helped write them, but I think they're pretty
good anyway.
See more ...
Stable link is https://jl.ly/Internet/maawgpwd.html
01 Apr 2017
Human rights are a topic that came up several times at the IETF meeting that just ended.
There's a Human Rights Research Group that had a session with a bunch of short
presentations, and the plenary featured two talks asking Can Internet Protocols
Affect Human Rights? The second one, by David Clark of MIT, was particularly good,
talking about "tussle" and how one has to design for it or else people
will work around you. You can watch
it here.
Although his talk was a lot better than most of the human rights stuff I've heard
in technical fora, the rest of the discussion had the same old problem:
true believers obsessing about a very narrow set of issues.
See more ...
Stable link is https://jl.ly/Internet/userrights.html
14 Mar 2017
Yesterday at ICANN 58 in Copenhagen there was a session on
DNS Abuse Mitigation:
The Cross Community Topic Discussion proposed by the GAC Public Safety
Working Group will focus on ICANN's Efforts, based on answers to
questions in Annex 1 of Hyderabad Communiqué with expected
contributions from ICANN's SSR Team and Contractual Compliance.
In one of the talks, ICANN staff talked about the new Abuse Data Analysis
Platform, with an example with live data, including the ten worst gTLDs,
ranked by the percentage of the TLD's names that have various abuse indicators:
See more ...
Stable link is https://jl.ly/ICANN/tenworst.html
26 Jan 2017
In September I wrote about a proposal to allow one-click
unsubscriptions from mailing lists without user interaction.
After taking a rather tortuous path through the IETF, it's now been issued
as RFC 8058. The changes
since September are quite minor, mostly tightening up some details to prevent
various attacks from fake unsub requests.
Now that it's official, I expect email service providers will start implementing it,
and we'll have an arguably better alternative to mail feedback loops to tell
mailers when their mail is unwanted.
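Both sides of the RFC 8058 exchange, as an added example that is not code from the post or from any email service provider: the sender puts a List-Unsubscribe URL carrying an opaque per-recipient token next to the literal List-Unsubscribe-Post header, and the receiver acts only on a POST whose body is exactly List-Unsubscribe=One-Click and whose token verifies. The endpoint, the HMAC secret, the token layout and the expiry window are assumptions; the RFC requires HTTPS, the POST, and the exact body, but leaves the URL's contents to the sender.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-example-key-replace-and-rotate"   # assumption: sender's secret
ENDPOINT = "https://unsub.example.com/one-click"       # assumption; RFC 8058 requires https
ONE_CLICK = {"List-Unsubscribe": ["One-Click"]}        # the only permitted POST parameter


def make_token(list_id, recipient, issued):
    """Opaque per-recipient token: list, address and issue time, bound by an HMAC
    so nobody can mint an unsubscribe URL for somebody else's address."""
    payload = urlencode({"l": list_id, "r": recipient, "i": issued})
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&m={mac}"


def verify_token(token, now, max_age=90 * 86400):
    """Return (True, (list_id, recipient)) or (False, reason)."""
    payload, sep, mac = token.rpartition("&m=")
    if not sep:
        return False, "malformed token"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    fields = parse_qs(payload)
    if now - int(fields["i"][0]) > max_age:    # assumption: ignore URLs from very old mail
        return False, "token expired"
    return True, (fields["l"][0], fields["r"][0])


def unsubscribe_headers(list_id, recipient, issued=None):
    """Sender side: the two headers RFC 8058 puts on each message."""
    issued = int(time.time()) if issued is None else issued
    url = f"{ENDPOINT}?{urlencode({'t': make_token(list_id, recipient, issued)})}"
    return {
        "List-Unsubscribe": f"<{url}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def query_from_headers(headers):
    """The query string of the List-Unsubscribe URL, i.e. what a mail client POSTs to."""
    return urlsplit(headers["List-Unsubscribe"].strip("<>")).query


def handle_one_click(method, query, body, content_type, now=None):
    """Receiver side: (http_status, detail). Only a POST carrying exactly
    List-Unsubscribe=One-Click with a valid token unsubscribes anyone; a GET
    from a link checker, or a POST with a guessed or altered address, does nothing."""
    now = int(time.time()) if now is None else now
    if method != "POST":
        return 405, "RFC 8058 one-click requires POST"
    if not content_type.startswith("application/x-www-form-urlencoded"):
        # RFC 8058 also permits multipart/form-data; this example accepts only the urlencoded form
        return 415, "unexpected content type"
    if parse_qs(body, keep_blank_values=True) != ONE_CLICK:
        return 400, "body must contain only List-Unsubscribe=One-Click"
    token = parse_qs(query).get("t", [""])[0]
    ok, info = verify_token(token, now)
    if not ok:
        return 403, info
    list_id, recipient = info
    return 200, f"unsubscribed {recipient} from {list_id}"


if __name__ == "__main__":
    hdrs = unsubscribe_headers("news", "alice@example.org")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print(handle_one_click("POST", query_from_headers(hdrs), "List-Unsubscribe=One-Click",
                           "application/x-www-form-urlencoded"))
```

The two details the RFC tightened up are visible in the handler: a GET never unsubscribes, so URL prefetchers and link-scanning security gateways cannot remove people from lists by following the link, and the token is bound to the recipient by the sender's secret, so a forged POST with someone else's address in the URL fails verification instead of silently unsubscribing them.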
Stable link is https://jl.ly/Email/oneclickrfc.html