blumentopf's comments

blumentopf | 11 years ago

> Browsers and operating systems aren't going to add full DNSSEC resolving caches.

Actually they already did. OS X for instance has this baked into mDNSResponder.

blumentopf | 11 years ago

I worked at an ISP in the late 90's which was bought up, together with several other small ISPs. Before the acquisition it was a bunch of techies working their asses off. After, dozens of non-technical staff came on board who all got huge paychecks and a BMW, bossed the techies around in clueless Outlook 98 fullquote e-mails but contributed zero to the bottom line.

The money, in our case, came from a large north-european telco with deep pockets. They turned a blind eye to the burn rate for almost 2 years before pulling the plug.

I've heard of a German tech company hiring a philosopher, you know, just for fun. On a superficial level, this might seem comparable to Google hiring Ken Thompson, Guido van Rossum and tytso. In reality however these folks not only boost Google's reputation among developers, they innovate and make a technical contribution to the company. That precisely is the difference between 90's dotcoms' thrift-spending habits and how companies work today. The article misses that completely.

blumentopf | 11 years ago

Apple LaserWriter 16/600 PS (1994)

Got it on eBay for 1 Euro. Eats standard HP LaserJet cartridges that you can find on eBay for just a few bucks.

blumentopf | 11 years ago

I use ZFS on a dual-boot Mac to cross-mount the Linux partitions on OS X. ZFS is pretty much the only file system that allows this: The XFS OSXFUSE plugin is read-only, the ext plugin only supports ext2 with unstable write support and BtrFS can't be mounted on OS X at all.

The ZoL-derived OpenZFSonOSX port inherits ZoL's maturity, runs in kernel space and the OS X integration is really nice (Notification Center integration in ZED, custom icons, etc).

Lovin' it!

blumentopf | 11 years ago

Hm, that page doesn't provide a PGP key for the iwanttohack address, nor is there one on pgp.mit.edu. :( I do find two keys of yours on pgp.mit.edu, 0x1DBE9880 from 1999 with an mit.edu address and 0x6BA33506 from 2000 with a mindspring.com address, but none with a duckduckgo.com address. Typically, public keys that old without a contemporary e-mail address are no longer in use, and the corresponding private key has often been lost.

It would be nice if you could make a new key available (RSA with 3072 or 4096 bit) for either the iwanttohack address or your own address, and preferably link to it on your hiring page. It would underscore your privacy credo and help you stand out from the crowd. (Sadly, even here in the HN Who's Hiring thread, few people have a PGP key and even fewer include it in their job postings.)

blumentopf | 11 years ago

If your zones are signed with DNSSEC, just add a TLSA record for the self-signed certificates to the zones. Clients with DANE [1] support will then recognize that the self-signed certificates are valid.

Of course, very few clients support DANE as of yet. Nevertheless, that is the most modern solution and you'll spur adoption of DNSSEC and DANE if you offer it to clients.

[1] https://tools.ietf.org/html/rfc6698
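As an added illustration of the TLSA mechanism referenced above (this is example code, not something from the comment or from RFC 6698 itself): the record that goes into the signed zone is just a usage/selector/matching-type triple plus a hash of the certificate, and a DANE-aware client compares that hash with the certificate the server actually presented. The DER bytes and the host name below are constructed stand-ins; only selector 0 (whole certificate) is implemented, since selector 1 would need a DER parser to pull out the SubjectPublicKeyInfo.

```python
"""DANE TLSA record generation and matching for a self-signed certificate.

Added example, not code from the comment above. Record layout per RFC 6698:
    <usage> <selector> <matching type> <certificate association data>
For a self-signed server certificate the usual combination is usage 3
(DANE-EE: trust exactly this end-entity certificate), selector 0 (hash the
whole DER certificate) and matching type 1 (SHA-256).
"""
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate. In practice you hash the
# real DER bytes, e.g. the output of `openssl x509 -in cert.pem -outform DER`.
EXAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

USAGE_DANE_EE = 3        # certificate usage: end-entity, no PKIX chain validation
SELECTOR_FULL_CERT = 0   # selector: full certificate (1 would be the SPKI only)
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def tlsa_owner_name(host, port=443, proto="tcp"):
    """Owner name of the TLSA RRset: _<port>._<proto>.<host>."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(cert_der, matching_type):
    """Certificate association data for selector 0 (whole certificate)."""
    if matching_type == MATCH_EXACT:
        return cert_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_rdata(cert_der, usage=USAGE_DANE_EE, selector=SELECTOR_FULL_CERT,
               matching_type=MATCH_SHA256):
    """Presentation-format RDATA, e.g. '3 0 1 <64 hex chars>'."""
    if selector != SELECTOR_FULL_CERT:
        raise NotImplementedError("selector 1 needs the SubjectPublicKeyInfo DER")
    data = association_data(cert_der, matching_type)
    return f"{usage} {selector} {matching_type} {data.hex()}"


def tlsa_record(host, cert_der, port=443, ttl=3600):
    """Complete zone-file line for the record (must live in a signed zone)."""
    return f"{tlsa_owner_name(host, port)} {ttl} IN TLSA {tlsa_rdata(cert_der)}"


def parse_tlsa_rdata(text):
    usage, selector, matching_type, data_hex = text.split()
    return int(usage), int(selector), int(matching_type), bytes.fromhex(data_hex)


def dane_ee_matches(presented_cert_der, rdata_text):
    """What a DANE-aware client does with a usage-3 record after fetching it
    through a DNSSEC-validated lookup: compare the association data with the
    certificate the server presented in the TLS handshake."""
    usage, selector, matching_type, data = parse_tlsa_rdata(rdata_text)
    if usage != USAGE_DANE_EE or selector != SELECTOR_FULL_CERT:
        return False  # usages 0-2 need PKIX/chain checks that are not shown here
    computed = association_data(presented_cert_der, matching_type)
    return hmac.compare_digest(computed, data)
```

The record only does anything if the zone is signed: RFC 6698 requires clients to ignore TLSA records that did not validate under DNSSEC, so an unsigned TLSA record is neither trusted nor a downgrade, it is simply not consulted.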

blumentopf | 11 years ago

This. Tweakability isn't the issue. Simply catering to pro users is the issue. I moved from Linux to OS X in 2004 and am now on the fence about moving back.

When OS X came out, Steve Jobs promised an OS that would cater to pro users as well as amateurs. He literally said so in one of his keynotes. But around 2006, Apple started focusing on the upcoming iPhone and deprioritized OS X development. Nowadays it's all about making OS X more and more like iOS. They no longer care about pro users.

Case in point: If you're doing pentesting you need a machine that stays silent when connected to a network. With OS X you always have mDNSResponder blaring out. Prior to 10.6 you'd just solve this with a simple "launchctl unload" and be done with it. From 10.6 however, unicast DNS resolution was moved into mDNSResponder, so you need to keep it running or you lose the ability to resolve anything in the DNS. Of course it's possible to filter the multicast DNS announcements with pf, but it turns out that mDNSResponder will occasionally resolve various apple.com and Akamai addresses and that can't be disabled.

Same with IPv6 link-local addressing: it used to be possible to disable it completely; now that's no longer possible because they've dumbed down the UI. And when you use WiFi, OS X will regularly send 802.1X EAPOL messages out. That can't be disabled even with pf because pf doesn't filter on layer 2. Under these circumstances I find OS X to be unusable for pentesting.

And don't get me started on the laughable HFS filesystem and the non-existence of a package manager.

blumentopf | 12 years ago

The concern that the Libyan TLD registry might fake NS and/or DS records of 2LDs applies equally to unsigned and signed zones. So if that is a concern, why use an untrusted TLD, or why use DNS at all?

If you do not trust the Libyan TLD, configure a negative trust anchor for that TLD in your resolver.

Alternatively, if you want to pin that TLD to a particular KSK, configure that KSK as a (positive) trust anchor in your resolver.

If you do not trust the IANA at all, disable the IANA root in your resolver and add trust anchors for the domains you trust. Use lookaside validation if you find that too cumbersome and want to let others do that work for you.

blumentopf | 12 years ago

By definition a tree has a single root. Please specify what you mean by "roots".

The private key of the DNS root was split in seven parts held by seven people [1]. It is stored in two HSMs, one on the east coast of the United States, one on the west coast. Could the NSA or some other agency have gotten hold of the private key? Probably. But spinning that as "the DNSSEC root is controlled by the governments" is FUD.

[1] http://venturebeat.com/2010/07/28/seven-security-experts-get...

blumentopf | 12 years ago

Döpfner is trying to pivot the Axel Springer publishing house into a digital media company but their efforts are laughable. They sold some of their newspapers and magazines and are investing the money in dotcoms, but compared to Google or even Yahoo they're just small fish. They're clueless about technology so they resort to whining about the oh-so-evil Google.

For a quick laugh, watch this video of a tourist trip to Silicon Valley they did last year: https://www.youtube.com/watch?v=ug4Rcip9SHg

blumentopf | 12 years ago

Your zones need to be either online-signed by the authoritative DNS servers for these zones or offline-signed (using e.g. OpenDNSSEC) and then pushed to the authoritative DNS servers. Offline-signing is obviously more secure but signatures need to be refreshed regularly, so it's not sufficient to sign the zone once and be done with it. The zone needs to be resigned and pushed out to the authoritative DNS servers continually. If that process fails somehow, the signatures will expire and your zones will no longer validate. It's like a self-inflicted DoS. Setting this up properly is a nightmare.

The ISP you're hosting your domains at needs to support this.
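The "self-inflicted DoS" above is the failure mode an offline-signing setup most needs a check for. As an added example (not code from the comment or from OpenDNSSEC), here is a monitor that parses RRSIG records in presentation format, as `dig +dnssec` prints them or as they appear in a signed zone file, and reports which signatures are expired, about to expire, or not yet valid. The sample records are constructed, the base64 at the end of each is a placeholder rather than a real signature, and no cryptographic verification is done; the point is the timing check.

```python
"""Monitor RRSIG expiry in a signed zone so a re-signing pipeline that has
stalled is caught before validating resolvers start returning SERVFAIL.

Added example, not code from the comment above. Input is presentation-format
RRSIG records:
  owner TTL IN RRSIG <type covered> <alg> <labels> <orig TTL>
        <expiration> <inception> <key tag> <signer> <signature>
Expiration and inception are YYYYMMDDHHMMSS in UTC. Signatures are not
verified here; that is the validator's job.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records; the trailing base64 is a placeholder, not a real signature.
SAMPLE_RRSIGS = """\
example.com.     3600 IN RRSIG SOA  8 2 3600 20140301000000 20140201000000 12345 example.com. c29tZXNpZw==
example.com.     3600 IN RRSIG NS   8 2 3600 20140215120000 20140201000000 12345 example.com. c29tZXNpZw==
www.example.com. 300  IN RRSIG A    8 3 300  20140210000000 20140201000000 12345 example.com. c29tZXNpZw==
www.example.com. 300  IN RRSIG AAAA 8 3 300  20140301000000 20140220000000 12345 example.com. c29tZXNpZw==
"""


def parse_rrsig_time(text):
    """RRSIG time field (YYYYMMDDHHMMSS, UTC) -> timezone-aware datetime."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one presentation-format RRSIG line into its fields."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": parse_rrsig_time(f[8]), "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:]),
    }


def signature_status(sig, now, warn_before):
    """Classify a signature relative to the validator's clock."""
    if now < sig["inception"]:
        return "not-yet-valid"   # signer clock ahead of the world: just as fatal as expiry
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn_before:
        return "expiring"        # re-sign and push before this window runs out
    return "ok"


def check_zone(rrsig_text, now, warn_days=7):
    """Map (owner, type covered) -> status for every RRSIG line in the text."""
    warn = timedelta(days=warn_days)
    report = {}
    for line in rrsig_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        sig = parse_rrsig(line)
        report[(sig["owner"], sig["type_covered"])] = signature_status(sig, now, warn)
    return report


def needs_resign(report):
    """True if anything in the report should page the on-call person."""
    return any(s != "ok" for s in report.values())
```

Run it against what the public authoritative servers actually serve, not against the file on the signer: the failure mode described above is precisely that the freshly signed zone never made it out to the servers, so checking the signer's copy would report everything as fine.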

blumentopf | 12 years ago

There are so-called "sustainable banks". The largest in Europe is Triodos, they also have a British subsidiary. Globally they are networked through the Global Alliance for Banking on Values (http://gabv.org). Key features of those banks are transparency as to how much money is lent to whom (there's a Google Maps based tool on Triodos' website to discover their borrowers), non-financing of certain industries (e.g. weapons), non-participation in food speculation, etc.