Posts by Chris Buxton

5 publicly visible posts • joined 2 Jun 2006

Apple releases bumper patch batch

Chris Buxton

The BIND fix was in a previous security update

Apple put the BIND -P1 versions in a previous update. So the article's subtitle is wrong.

This latest security update includes the -P2 release. There is no security difference between the two, just a performance improvement. Anyone affected by the performance problems of the -P1 release has already found another solution, such as manually updating to a -P2 or beta release, from source code.

Shocker DNS spoofing vuln discovered three years ago by a student

Chris Buxton

@ "patched in minutes"

> i'd love to move to something more security... but i don't see DNSSEC being properly taken up widely for years and years to come :-(

It's coming, and fast. Implementation at the TLD level is getting closer and closer - at least 4 TLD's are now signed, plus some parts of in-addr.arpa. The new DLV service offered by ISC and others makes even the lack of signing of TLD's less of a barrier.

Chris Buxton

@ JonB

> How come there hasn't been a massive exploit of this potentially lucrative flaw?

Oh but there has been. It's called "pharming". Been going on for years.

The secret shortcut Mr. Kaminsky has "discovered" is simply that you can rather easily get the source port used for queries, because it's unchanging. That reduces the problem to the query ID, which in some vulnerable implementations is entirely predictable (bad entropy algorithm). At best, this is a 16-bit random number - how secure is 16-bit crypto?
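Added example, not part of the original post: a small Python audit of the two weaknesses the post describes (an unchanging query source port and a predictable 16-bit query ID), plus the size of the space a forged reply has to match. The sample observations, the function names and the 64,000-port pool are constructed assumptions for illustration.

```python
ID_SPACE = 2 ** 16  # the DNS query ID is a 16-bit field


def audit_queries(samples):
    """samples: (source_port, query_id) pairs seen on a resolver's outbound queries, in order."""
    ports = {port for port, _ in samples}
    ids = [qid for _, qid in samples]
    # A constant step between consecutive IDs means the next ID can be predicted.
    steps = {(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])}
    findings = []
    if len(ports) == 1:
        findings.append("fixed source port")
    if len(ids) > 2 and len(steps) == 1:
        findings.append("predictable query ID")
    return findings


def guess_space(port_pool, id_predictable=False):
    """Number of (port, ID) combinations a forged reply must match."""
    return port_pool * (1 if id_predictable else ID_SPACE)


def match_probability(forged_replies, space):
    """Chance that one of n distinct forged replies matches a single pending query."""
    return min(1.0, forged_replies / space)


# Constructed observations: a resolver with one port and counter-style IDs,
# and a resolver that randomizes both fields.
FIXED = [(32768, 1001), (32768, 1002), (32768, 1003), (32768, 1004)]
RANDOM = [(51234, 0x3A1F), (1989, 0xC402), (40211, 0x0077), (61002, 0x9BE0)]
ASSUMED_PORT_POOL = 64000  # assumption: roughly the unprivileged port range

if __name__ == "__main__":
    for name, samples, pool in (("fixed", FIXED, 1), ("random", RANDOM, ASSUMED_PORT_POOL)):
        findings = audit_queries(samples)
        space = guess_space(pool, "predictable query ID" in findings)
        print(f"{name}: findings={findings or ['none']} guess space={space:,} "
              f"P(match with 1000 forged replies)={match_probability(1000, space):.2e}")
```
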

Modest reform efforts mask tough issues in gTLD reform

Chris Buxton

Re: No more TLD

We don't need TLD's? How would you find a website or send an email? By IP address? By search engine? By hosts file?

If you mean that you would simply allow every corporation (or company, or individual, or non-profit/not-for-profit organization/club/co-op, professional association, etc., etc.) to have their own "name" as their domain name, such as "apple" for the Apple that makes iPods, then who decides who gets what name? There has to be a central authority over these names. And in order to have a completely flat namespace, each name has to become longer - "appleinc" instead of "apple.com", to distinguish it from Apple Corps, the local apple grower's association, etc.

A dozen years ago, that central authority was, practically speaking, an organization named Internic, the overseer of all of the non-governmental gTLD's. That organization has evolved and been divided into what is now Verisign and Network Solutions, and in the process competition has been introduced to both parties - there are more TLD's, and there is more than one registrar for most TLD's. The yearly registration fee has plummeted from $50 (or $35 after the court judgement 10 or 11 years ago) to approximately $10, at least for some TLD's.

If we get rid of the current system of TLD's, then we're back to just one central authority - ICANN, which is overseen by the US government. As a DNS professional, excuse me if I don't think they're best suited for the job.

If we discard domain names entirely, and switch to a completely search-engine-driven model, then we effectively lose what little validation we currently have that we're connecting to the intended other side of the conversation.

I agree that the system we have has flaws - the system(s) in place to resolve name disputes is unfair, for example. And the DNS protocol as currently implemented is somewhat lacking in security and validation. But to argue that we should discard it as irrelevant displays a remarkable lack of forethought and understanding. The solutions to the problems in domain names will be found in fixing the current system (e.g. by rolling out DKIM, DNSSEC, [GSS-]TSIG, and IDNA), not in scrapping it and starting over.

What lies without

Chris Buxton

Bad numbers, bad math

The arithmetic in this article is terrible. First, it starts by saying there are 10m bacteria per cm² (155,000 per in²). Note the ratio, 10m in a small area vs 155,000 in a larger area.

The rest of the article appears to use a ratio of 2.54 cm² per in². This ratio is correct for converting between cm and in, but not the squares - for that, you must square the conversion number, reaching something around 6.45.

So if there are 10m bacteria per cm², then there are 64.5m bacteria per in². However, this is inconsistent with the rest of the article, wherein the number 203,000 is given as higher than average, the concentration in an average armpit. (203,000 per cm² is not 516,000 per in², as stated, it's around 1,310,000 per in².)