Network Solutions Interface to DNS Acting Strange
Is it sneaky business strategy #2 for Network Solutions, or just a crappy application interface?
The domain name registrar that everyone loves to hate may be up to no good again. After taking two weeks to wade through their customer support and billing processes, I finally was able to register a domain for our church (it's holycitydc.org if you're interested). After a couple weeks of struggling, we discovered a slight flaw in their billing software. It was irritating and I thought that the NetSol guys did very little to help me debug their software. But, at long last, I was able to register a domain name with them.
I then set up my server, ready to serve hits to the world. Once the server was set up, the next step was to change the DNS records to point to my service provider. Except you can't.
If you go to the Network Solutions account manager site and click on the link that says "Change the DNS Server," you are taken through a series of dire warnings:
* Your email won't work if you make this change. (which is total rubbish)
* You won't be able to serve web pages if you make this change. (again, total rubbish)
* You won't be able to use Network Solutions' really cool services. (which is why I'm making the change)
All I'm trying to do is change the server that's canonical for this domain. I appreciate that NetSol has set up a default for me. That's great. It's just that I have another service provider that's more responsive to my support requests that I'd like to use.
Eventually you get to the page where you enter IP addresses or FQDNs (Fully Qualified Domain Names) for the name servers for your domain. There's a warning that you should only use alphanumerics, etc. They even have a handy drop-down list of previously used domain name servers, and it's already populated with the name(s) of my provider's DNS server. So, I select the servers I want to use and click "continue."
Ah. But something's wrong. Apparently the host name is invalid. Crap.
What's so invalid about that host name? It's the host name that the application placed in the form, for cryin' out loud!
So... given Network Solutions' history of "value added default services," I wonder... Is this NetSol's way of morphing themselves into a DNS hosting company? By refusing to let customers move DNS service off their servers? With any other company I would have been inclined to believe it's just a simple mistake. With NetSol though, I just don't know how far to trust them.
So... I guess it's time to start thinking about transferring my registrations from NetSol. I've put up with NetSol's weirdness in the past because I have actually received good service from them in the past. When I lost my account password, the process for getting a new one wasn't the easiest thing in the world, but it wasn't cumbersome, and they asked me the proper "security" questions, so I got a good feeling that they were defending my domain(s) against social engineering attacks. But hell, I've been wading through bugs in their software and processes for two weeks; each time I report a problem, the NetSol support rep tells me it's my problem (really? Is it really my problem that your system keeps trying to bill my old Visa card that was disabled after it was lost, even though I've entered the new one in time and time again?)
Ugh.
Key Decay
So I happened to be reading Brad Templeton's excellent blog and noticed an entry on key recovery. This got me thinking about an idea that's been kicking around in my head for a few years: key decay. If you're a fan of PGP or S/MIME or encrypted email, you might find this interesting. If not, you might just want to skip this entry.
One of the problems I often encounter when sending PGP encrypted email is that key servers will often serve up outdated keys. This isn't too much of a problem if you're clever and expire your keys regularly or revoke keys you suspect have been compromised. But what if you happen to lose a key? This happened to me several years back; I generated a PGP 2.x key, dutifully backed up the key on a floppy and published the key along with my email address. A couple months later I suffered a hard drive crash which took out my private key. "No problem," I thought, "I've got a backup on this floppy. Hey? Where'd I put that floppy?"
Sadly, the floppy was gone, and my hard drive was (effectively) gone. Ack! I should have printed the Base64 encoding of the key and stored it along with my passport and birth certificate.
I generated a new key with the same address and uploaded it to the server again. The server dutifully added my key to its store, but it still had the old key. Over the next several months I received several emails from people who had downloaded the wrong key from the server and sent me email encrypted to a key I no longer possessed. Luckily most people would resend their email using the correct key when I informed them what had happened. But it was a bit of a pain.
There are several ways around such problems in newer versions of PGP, and this is a scenario that hierarchical key management schemes like X.509 tend to handle better than the web of trust. (Of course, you have to trust your CA to properly follow the revocation process, and for some CAs I've seen that's a bit of a stretch.)
So I got the idea: what if, every time you use a private key, a small token is signed and sent to the server? The token would include the key id and email address associated with the signing key's key pair. When the server received the token, it would verify the signature and record the fact that the key had been used.
The server could then create a metric based on how frequently a key is used. An example metric might be the reciprocal of the average time between key usages. When a user queried the server for a key, the server would then return keys in "most frequently used" order.
Email clients would have to be modified to understand that order is important, of course, so the solution might not be practical for the current installed base of PGP users. However, people working on new secure email services might find it useful.
It's unlikely that such a scheme would solve all the problems associated with key management, but it might just mask some problems from some users.
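As an added illustration (not code from the post), here is a stdlib-only Python sketch of the usage-token scheme described above: the client signs a token carrying the key id and address, the server verifies it, records the usage, scores each key by the reciprocal of its average gap between usages, and answers lookups in that order. The key ids, address, timestamps and secrets are constructed, and an HMAC over the token stands in for the PGP signature.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Set

# Constructed sample: two keys published under the same address, the older
# one lost as in the post. The secrets stand in for the private keys, and an
# HMAC over the token stands in for the PGP signature (assumption: keeps the
# sketch stdlib-only; a real server would verify a detached PGP signature).
KEYS = {
    "0xOLD1": b"secret-of-lost-key",
    "0xNEW2": b"secret-of-current-key",
}

def sign_usage_token(key_id: str, email: str, ts: int, secret: bytes) -> dict:
    """Client side: each use of a private key emits a signed usage token."""
    body = json.dumps({"key_id": key_id, "email": email, "ts": ts}, sort_keys=True)
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

class KeyServer:
    def __init__(self, verify_material: Dict[str, bytes]):
        self.keys = verify_material
        self.usages: Dict[str, List[int]] = {k: [] for k in verify_material}
        self.by_email: Dict[str, Set[str]] = {}

    def record_usage(self, token: dict) -> bool:
        body = json.loads(token["body"])
        key_id = body["key_id"]
        secret = self.keys.get(key_id)
        if secret is None:
            return False  # unknown key id: nothing to verify against
        expected = hmac.new(secret, token["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return False  # forged or tampered token: must not count as a use
        seen = self.usages[key_id]
        if seen and body["ts"] <= seen[-1]:
            return False  # replayed or out-of-order token: would inflate the metric
        seen.append(body["ts"])
        self.by_email.setdefault(body["email"], set()).add(key_id)
        return True

    def usage_metric(self, key_id: str) -> float:
        """The post's metric: reciprocal of the average gap between usages."""
        ts = self.usages[key_id]
        if len(ts) < 2:
            return 0.0  # a single use has no gap to average
        return (len(ts) - 1) / (ts[-1] - ts[0])

    def lookup(self, email: str) -> List[str]:
        """Keys for an address, most frequently used first."""
        ids = self.by_email.get(email, set())
        return sorted(ids, key=self.usage_metric, reverse=True)
```

As written, the metric never decays once a key stops being used, so a key that was busy for years and then lost would keep outranking its replacement for a while; a windowed or recency-weighted variant is the obvious refinement.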
Research Finds that Mobile Phones Are Annoying to Bystanders
So I recently discovered Jakob Nielsen's Alertbox blog. One item caught my eye: Why Mobile Phones are Annoying. Apparently some people at the University of York conducted an experiment; a pair of guys get on a bus or train and start having a conversation. On some trains they have the conversation at a normal level, on others they talk a little louder. On still other trains, only one guy gets on and pretends to have the same conversation on a cell phone. Bystanders are then approached by the researchers and asked to fill out a questionnaire about how annoying the conversation is.
The results appear to imply that people find one-sided conversations more difficult to ignore.
This reminds me of an experience I've had several times. I'll be walking down the street and coming towards me is someone talking to themselves and gesticulating wildly. In the old days if you saw something like this, you would assume the guy was a bit nuts and give him a lot of space as you passed him on the sidewalk. These days it's hard to tell if the guy is nuts or if he's simply talking on his cell phone via a headset. So... yes... I too find that one-sided conversations are difficult to ignore.
A couple years ago, some amigos and I came up with the general convention that people who use headsets should wear a band of LEDs across their forehead. When they're on the phone, the RF energy produced by their mobile would power the lights and provide passers-by with critical clues as to what type of "headspace" the speaker is in. When you're walking around with a mobile phone held up to your ear, it's pretty obvious you're on the phone; but it's real easy not to see some of the smaller headsets out there, so we don't get the cues that the speaker is talking to someone on the cell phone and not a figment of their imagination.
The 802.11b DoS Attack and Portable Viruses
By now you will probably have heard about the alert from AusCERT that describes a Denial of Service (DoS) attack on Wi-Fi networks. You might also have heard it's an attack against the protocol and not against a specific implementation. This means it's likely to be difficult to defend yourself simply by applying a patch from your vendor. Addressing this issue will likely require a fair amount of work from ALL the vendors involved; the type of intense collaboration that resulted in 802.11i and its less beefy, but easier to implement, cousin Wi-Fi Protected Access (WPA). We hope you've also heard that an attacker will only be able to attack networks they can reach directly, over the air; an attacker must have control of a machine on or near the wireless network. They can't simply log on to a machine in London and send a specially crafted packet across the Internet to a wireless network in Washington DC; the attack doesn't work that way.
Computer security researchers and practitioners have been falling over themselves telling people "this is not the end of Wi-Fi." A recent story at eWeek, DoS Vulnerability Threatens Wireless Networks, reminds users that though the attack can be mounted with inexpensive hardware, your network should return to normal after the attack stops. In other words, it's an attack against the network, not against any of the systems or servers on the network.
"I spent some time over the weekend reminding friends, family, and customers that the attack ... requires close proximity to the attacked network," says Matt Hamrick, Security Technique Editor and information security consultant. "There are some Wi-Fi installations that operate over wide areas, but for most home users, it shouldn't be too big a risk." He continues by expressing a hope that an enterprising Linux hacker with more time than he has will develop a tool to evaluate Wi-Fi network performance, raising an alarm if a denial of service attack is occurring. "If you know the attack is happening, look around your office cube or home. Do you see a shady character with an iPaq and a grin?"
To help sort out the uncertainty, we've assembled a list of "things to worry about..."
Things to Worry About
- Requires only inexpensive hardware. The attack as it is described on the AusCERT website can be implemented with relatively inexpensive hardware.
- Does not require physical access to your network. The attack can be mounted remotely. Depending on the signal strength of the attacker's hardware, the attack could be mounted in the next room, from a van on the street, or from a room across the street: locations that physical security experts often overlook.
Things Not To Worry About
- High Speed Wi-Fi Networks. The attack does not affect the higher speed 802.11a and 802.11g networking technologies. Products like Apple's Airport Extreme should not be vulnerable.
- The Attack Does Not Target Servers. Though it is possible to force some systems to fail in "interesting" ways by removing their network connectivity, common services such as serving web pages, sending or receiving email, or file sharing should not be affected. When the attack is over, the network should return to a normal state quickly.
- The attack cannot be made "over the internet." Home users of WiFi products need not worry (much) about attackers infiltrating their systems via their always-on broadband connection.
Things That May Be Worrisome in the Future
But there are some issues that may be a worry in the future. Chief amongst them is the use of viruses to carry code that exploits the protocol weakness. "The PalmOS and PocketPC communities have been fairly lucky with respect to viruses," Mr. Hamrick comments. "The high payoff targets for the virus-writers have been WinTel desktop systems. There are so many of them, they're such a rich target space. But we're now seeing lots of portables running Microsoft WinCE, PalmOS, or Symbian operating systems. Though the manufacturers of each OS product have done a good job securing their product(s), you never know you're insecure until someone finds a vulnerability. My nightmare scenario is a WiFi DoS virus for PocketPC that targets a particular highly-critical WiFi network."
Cheap Wi-Fi DoS Attack Described by AusCERT
Researchers at the Australian Computer Emergency Response Team (AusCERT) have discovered a vulnerability in 802.11b that could lead to an inexpensive Denial of Service attack against the popular wireless networking technology. An advisory at the AusCERT site, AA-2004.02 -- Denial of Service Vulnerability in IEEE 802.11 Wireless Devices, announces the existence of an attack against the 802.11 CCA (Clear Channel Assessment) procedure, the algorithm used by Wi-Fi hardware to determine whether or not a channel is in use. The advisory was quick to note that high speed variations of 802.11 (such as 54 Mbps 802.11a and 802.11g) are not vulnerable to the attack.
In the past, attackers would have had to use expensive custom hardware to flood an area with a wide band of RF energy to successfully "DoS" a Wi-Fi network. The new attack, which exploits a vulnerability in the 802.11 protocol, can be launched with inexpensive "off the shelf" Wi-Fi hardware and drivers.
Hopes for a workaround or patch are low, as the vulnerability is a problem in the protocol itself. The advisory states:
At this time a comprehensive solution, in the form of software or firmware upgrade, is not available for retrofit to existing devices. Fundamentally, the issue is inherent in the protocol implementation of IEEE 802.11 DSSS.
The advisory does not provide technical specifics of the attack, but does provide "high level details."
Keeping Tabs on your Familiar Strangers
The Feature is running an interesting story about an upcoming Intel application designed to track your "Familiar Strangers." (See Intel: Keeping Tabs on Your Slithy Toves.) The application, called Jabberwocky, scans for other Bluetooth devices within range, storing their unique IDs in a database. When a new device is detected, the application checks to see if its unique ID is already in the database. The number of times and frequency with which you've "seen" this other device is used to calculate a familiarity metric.
The idea behind the application is to make you aware of your "Familiar Strangers." These are people you recognize on your way to the office, or to school, but with whom you never speak. Yale Psychologist Stanley Milgram wrote about such relationships, documenting their social dynamics.
If you're part of the hip youth culture obsessed with cool phone features, you're likely to have a Bluetooth enabled phone. What's more, you're probably more likely to work with or close to other youth culture obsessed hipsters. Or maybe your route to work (or to the pub) takes you past a large gaggle of them. Run Jabberwocky when it comes out; you might learn a thing or two about the people around you...
Learning the Dvorak Keyboard
People who know me, know that I'm a bit quirky. If there's a beaten path, I like to roam far away from it. It's a little dangerous, but hey, all the predators are going to be stalking the herd anyway, and there's likely more interesting stuff out here in the fringes.
So... I'm a computer geek. And I avoid the beaten path. Three guesses what my preferred keyboard layout is... Yup. It's Dvorak. You can do a Google search for "Dvorak Keyboard" if you're unfamiliar with it. It's essentially a different keyboard layout than the standard QWERTY you're probably familiar with. In a recent posting over at Orkut, someone recommended http://www.dvorak.nl/learn.plp as a good site for learning the Dvorak keyboard.
I actually went over there to practice my typing technique and I think it's good even for non-beginners. So... If you have any interest in Dvorak... check it out!
Welcome to Yet Another Mindless Blog
How many blogs have I started? Five? Ten? Hard to say; I've lost track.
I'm a bit of a collaborative software junkie. Any time I hear of a new blogging tool or collaboration environment, I've just got to go check it out. I guess I'm looking for that perfect tool that will allow me to collaborate on creative projects with friends, or maybe I just want to make sure that collaborative software won't lead us down some dystopian future.
In case you don't know, I run a couple other sites: Cryptonomicon.Net, SecurityTechnique.Com, and Hamrick.Org. I'm also the technical contact for Washington DC's Church of the Holy City. Each of these sites has a relatively narrow focus. So, this blog will likely be a place for me to put "everything else."
In case you're wondering what the other sites are for... Cryptonomicon.Net is a link farm and news site for crypto and security related issues. It's got a fairly wide mandate: if it concerns internet security or cryptography, we'll talk about it. Recently we've been running a number of "controversy" stories about privacy, fair use rights, and government regulation. Strictly speaking, they're not exactly about security or cryptography, but crypto tools feature prominently in the discussion, so we talk about such things. SecurityTechnique.Com is where I've been putting original articles on information security. Less news, more in-depth discussion. We actually pay people money for articles about how to develop secure systems or software, so if you write such articles, please feel free to contact me. I'll send you out a prospective writer's guide. Hamrick.Org is about all things "Hamrick." If your last name is Hamrick, or your spouse's last name is (or was) Hamrick, or maybe the last time you were playing Scrabble(tm), the letters you picked out of the bag were H-A-M-R-I-C-K, then this is the site for you.
Okay... so I've said too much already. Now I'm just going to go off and find something interesting to post here.