Forgot your password?

Comment: Re:Host your own DNS (Score 1) 101

by DarkOx (#47695191) Attached to: ICANN Offers Fix For Domain Name Collisions

Denying access as the default and explicit allowing exceptions is much more secure than the opposite.

Well no argument there but there are appropriate places to install filters and in appropriate ones. Its the job of the firewall to prevent connections to outside resources or possibly a proxy or gateway server, not the DNS servers because if the ip can be discovered some other way the control is bypassed.

Naturally in a high security environment you might need to control DNS. It can after all (at least with a cooperative) remote server be used for ingress and egress. You might configure an internal DNS server to return records only for zone on which it is an authority and perhaps whitelist specific external zones like; but you certainly are not going to say allow it to resolve any .com and not any .mail|.food|.biz that makes no sense.

Comment: Re:Host your own DNS (Score 2) 101

by DarkOx (#47693941) Attached to: ICANN Offers Fix For Domain Name Collisions

Right so we can repeat the problems where dip shit network admin decided to not read any documentation and used something other than RFC1918 address space for internal routing. Now Bob in customer service is trying to get to the clients website which happens to be in the same IP range internal hosts uses, and wonders why he can't.

Seen it. You can't just exclude conflicting TLDs because sooner or later someone might need a resource on one of those tlds.

Comment: Re:Not much of a fix (Score 3, Interesting) 101

by DarkOx (#47693751) Attached to: ICANN Offers Fix For Domain Name Collisions


There is a universal truth out there nobody, not even Vixie, fully understands DNS in terms of all its interactions with it self scaled globally and what assumptions (correct or otherwise) software that uses it makes.

I fail to see how this proposed behavior solves anything. Most software out there was written to assume that if you get back an address DNS resolution worked, if there was a problem you get back something like NXDOMAIN. Lots of apps are not going to report any problems if they get back, there are going to sit and wait for the connection to time out or depending on how the system is configured report connection refused. Leaving the user with no way to know the name was wrong.

Its not good for developers writing new code either, because now they have to do somethig like this:

Try addr = gethostbyname($hostname) //stupid hack to test for
raise NSException.NXDOMAIN if addr == aton("")
catch NSException => e
echo 'Name resolution problem' + e.msg >> $strerr

Which is ungly confusing and stupid.

Of course the real issue here nobody is taking care of is the security one. Bob is happily using his laptop to read his mail on the corporate network connected to mail.some_now_public_tld and then he goes to the coffee shop, the guys operating some_now_public_tld fixup their dns to answer for mail and wait for Bob to send his credentials. It will work too because Its a certain that the same folks who thought it was a good idea to ignore the rfcs and use some_now_public_tld are the same ones who still think its okay to run services with no authentication to the client. So Bobs mail app not configured to use SSL etc never checks any server cert and just sends his password.

Comment: Wait (Score 1) 166

by DarkOx (#47683981) Attached to: Watch a Cat Video, Get Hacked: the Death of Clear-Text

many otherwise well-informed people think they have to do something wrong, or stupid, or insecure

Wait how does executing code delivered over a clear text channel without some other strong attribution and integrity controls in place not count as stupid or insecure.

Then we have slashdot here were we shove our session cookies back and forth in clear text. Not ideal but I don't execute code from slashdot (noscript) and I don't reuse my user name ore password elsewhere. So that lowers my exposure somewhat.

The browser makes need to at this point:
Disable the execution of any script or content of any script tag that was not transferred securely or loaded from local media; by default. Perhaps provide a white-list function to accommodate legacy intranets and stuff. They should similarly deny embedded objects like flash, sliverlight, acrobat, etc in those situations.

This would do a lot to protect people from both inject attacks and various forms of phishing. It would also really push site operators and web hosts to make sure SSL is available everywhere.

Comment: Re:On come on now Edward (Score 1) 194

by DarkOx (#47666485) Attached to: Snowden: NSA Working On Autonomous Cyberwarfare Bot

He admits to the acts but not to the intents. Intent is a big part of criminal culpability. He would also dispute many of the claimed harms done.

I work in Information Security, much of what I do phishing, exploit development, etc would be illegal except for intent and harm. There is no harm because any property I obtain or gain control of is not converted for my use but promptly returned unimpaired. I have no intent to illegally convert anything for my use or disclose any information about your organization but rather to fully comply with the NDA and scope of activities agreement I signed with your boss.

And for those reasons it isn't fraud when I call you pretending to be from the IT Directory from the European Subsidiary needed you to install the emgency "patch" I am about to e-mail you.

The law is not as simple as "what you did" why you did it matters and so does what the outcome was and even what the potential outcomes were.

Comment: Re:Don't allow jpg or gif or ... (Score 3, Funny) 299

by DarkOx (#47666375) Attached to: Writer: Internet Comments Belong On Personal Blogs, Not News Sites

many of the highly rated comments are really just wisecracks which might be funny, but don't add anything to the discussion.

Two comments on that.

The wise cracks tend to actually be moderated as "funny" by simply not including a funny moderation options a site would probably do a lot to discourage modding comments of that type up. A site could also easily offer user preferences for not including funny up mods when determining how to sort comments for display time.

A bit of levity might not directly contribute to the conversation by may encourage others to participate who otherwise would not have. IT may also inspire creative thinking in others leading to additional insight. Humor is something many people use to tackle issues they find challenging.

+ - NSA not Assad brought down Internet in Syria->

Submitted by DarkOx
DarkOx (621550) writes "In his most recent interview with Wired Edward Snowden makes the claim that in 2012, the NSAâ(TM)s TAO hacking group was attempting to install surveillance malware when it accidentally brought down a crucial router at a Syrian Internet service provider, and the nation's Internet connectivity with it.

The NSA allowd the public to blame the Assad regime, while others within the NSA apparently considered pointing the finger at Israel for the botched intrusion. This revelation raises even more questions about the legality of the NSA actions, as they would seem to be very similar to electronic atacks other officials have suggested the USA would consider acts of war if used against infrastructure based in the USA.

Could the reckless behavior by the NSA cause our nation to be drawn into war?"

Link to Original Source

Comment: Re:On come on now Edward (Score 4, Informative) 194

by DarkOx (#47665467) Attached to: Snowden: NSA Working On Autonomous Cyberwarfare Bot

if he was a true patriot as he claims he'd have faced the music

Oh come on, what the hell is patriotic about being shoved in an oubliette some place, after a show trial where you can't present any evidence because everything is classified?

Snowden would never get anything resembling a fair trial before a jury of his peers. A show trial is the most he could hope, but its just as likely he'd be held pretty much indefinitely without trial on some flimsy constitutionally unsound national security pretext. If you want to know who the cowards are its Kerry, Clapper, and Alexander who want to burry him or avoid tackling his criticism with lies and indirection rather than confronting it with actual facts.

Going through the system, and there is evidence he did try does not work. Just try filing and FOIA request about anything that is connected to "terrorism" in their wildest imaginations (like animal rights) and see what happens. The first time you will probably get a nice letter back telling you: "they can't tell you why they can't tell" you what you wanted because 'national security'. Send a another request for ANY information on how they handled your first request and they will probably just stonewall. Which is ILLEGAL the law say they have 20 days to do something and the three letter agencies won't do that.

Statistically you are more likely to die falling out of bed than you currently are from any kind of terrorist attack. Logic would then dictate at the very least we would create a "Bedtime Safety Authority" to make sure we are all tucked in at night before investing more in counter terrorism and yet we keep allocating more and more federal to that; well that is what the NSA tells us they are doing with them anyway preventing terrorism. Then we also dump more money into policing while crime nears all time lows, and yet no recruitment fliers for the BSA are there to be found.

There are no good reasons for these people to be doing what they are so they instead just want to silence critics like Snowden. No Snowden is no coward he is the guy that gave up home, family, and a cushy job in paradise to keep this issue alive.

Comment: Re:Should we really be worried? (Score 2) 194

by DarkOx (#47665227) Attached to: Snowden: NSA Working On Autonomous Cyberwarfare Bot

Automating war is a scary. What people should really look at is things like the flash crash to know why; or even the recent BGP hijacks for that matter.

The more automation your create and the more those autonomous systems interact with one another the more potential you have for bizarre positive or negative feedback problems. Eventually the system becomes so complex it is no longer very predictable but plenty dangerous.

The stock market today can plunge 700 points for no fundamental reason what so ever. One machine starts selling, which triggers another machine to act and so on. Its bad enough when its only money, and these people want to weaponize it!

Or one person manages to compromise one machine and instructs it do something like advertise a route and the next thing you know thousands of other machines react to it making the attack possible.

Not to go all SkyNet but something like this could quite literally inflict massive damage on the world before any person even realizes something is wrong. Be pretty sad if a software bug ends modern society as we know it because some asshat military-industrial-complex guy thought automated strikes were a good idea.

Comment: Re:Let's play the who goes to jail game.... (Score 1) 127

by DarkOx (#47657115) Attached to: DEA Paid Amtrak Employee To Pilfer Passenger Lists

I am sure it came from all the property the cease without any kind of due process. The DEA like the NSA is so out of control and so culturally broken the ONLY viable solution is complete dissolution of the agency. The cancer is so bad just outright killing the patient is the best outcome; we can't fix'em.

Honestly we need a whole house cleaning of these two agencies (to start with) that includes pretty much anyone who has greater role than sweeping the floors or brewing coffee. Every last 'analyst' every supervisor, every IT guy. We need to ensure the current culture dies completely.

Comment: Re:You can't travel anonymously... (Score 1) 127

by DarkOx (#47657049) Attached to: DEA Paid Amtrak Employee To Pilfer Passenger Lists

Given all the ridicules and bullshit mental gymnastics the government does all the time to argue they can do clearly unconstitutional things like compel you to use your private property to purchase a service you may not want; its not hard to construct a right to travel. In fact I think the right to travel is actually pretty clear.

We have a first amendment right to peaceful assembly. In order to assemble one must be able to go to that place the assembly is taking place. (1) this should establish a basic right to right travel.

Now can the government determine how you travel? No it can't. The tenth amendment grants any powers not enumerated for the federal government or reserved for the states to the people. No where is the an enumerated right for the government to define in what manor a citizen may travel. (2) So its clear they cannot constitutionally forbid you to fly, ride a bus or train or car, bike etc.

Which leaves the commerce clause, where you could make an argument that transporting someone over state lines constitutes interstate commerce, so they probably have you there, but if you want to fly from say Cleveland to Cincinnati I don't believe there is any legitimate way the Federal government can interfere constitutionally, but good luck getting thru the TSA line if you are on one of their lists regardless.

Comment: Re:This is hilarious (Score 1) 101

by DarkOx (#47637059) Attached to: Network Hijacker Steals $83,000 In Bitcoin

What you are looking for is ex post facto but that isn't the case against the Computer fraud and abuse act. What that means is you can't do something which is perfectly legal, congress decide they don't like it, quickly pass a law against it and than prosecute you for what you did before the law was written.

The problems with the CFNA are that it is,
1. Vague - a law that is so broad a prosecutor can apply it to basically anything is unconstitutional, or void for vagueness.

2. Its cruel and unusual in that the sentences is prescribes are often far more severe than many violent crimes. When altering the query string in your URL bar can get your more years than rape something is terribly terribly wrong.

Comment: So really bitcoin is incidental (Score 4, Informative) 101

by DarkOx (#47629901) Attached to: Network Hijacker Steals $83,000 In Bitcoin

So what we have here are two problems.

One lack of authentication for the miners with the pools. Something a few SSL on the servers and wrapping those sockets calls with openSSL would make the route hijacking ineffective for stealing mining resources.

So there is a lesson in this whatever it is you are doing on the internet if you care AT ALL about it you should be using SSL and checking certs, (Looking at your slashdot) sure there are tons of problems as weaknesses in SSL but until something better comes along its beats the hell out of clear text with no authentication what so ever.

Two BGP needs to be replaced or updated to support much stronger authentication and the network operators need to just push getting it done, even if it means telling customers we can't / won't peer with you and neither will anyone else unless you get you routers and or software update to do this. If they stick together in it there should be no trouble getting that done.

Stealing some computer cycles used to generate bit coins is probably among the least real harm someone with access to advertise bogus routes in BGP could do; and lots of people are in a position to do that. We should be thankful its only a little money these guys were making off with. The Internet has gotten to big for the network operators to just relay on everyone playing nice and being good citizens, We need some stronger technical controls put in place and regular auditing beyound well nobody has complained on NANOG.

Comment: Re:Are you kidding me? (Score 4, Insightful) 286

Okay maybe its not the kind of thing I would be willing to invest time and money in; but you could easily ask the opposite question:

What kind of society have we become when we allow vendors to blatantly misrepresent products prior to sale?

Sony should be honest about the products actual specifications. We have regulations in place because we collectively decided that all the snake-oil selling had to stop. We standardized weights and measures, and pass truth in advertising laws. They should be followed, simple as that.

Biology is the only science in which multiplication means the same thing as division.