The Internet infrastructure has been having a bad month. Not as bad as, say, the world's aviation infrastructure, but bad enough. First, Chinese Internet censorship leaked out to a few massively unlucky users of the I root server. Then China Telecom failed to filter someone who leaked thousands of hijacked routes to other people's networks through them, probably by accident. And then, inexplicably, Forbes went where no one had gone before... more
Google has released a government requests tool. It's highly illuminating and may end up being quite disruptive. That's what surprising data visualizations can do for us. ... The tool allows us to see the number of requests from different countries that Google received during the last six months of 2009. More than 3600 data requests from Brazil during those six months and more than 3500 from the US. But just 40 or so from Canada and 30 from Israel. more
The registries (gTLDS) are all moving towards signing in about a year. PIR and .org is going to be first with .edu, .biz, and others closely behind. The root is scheduled to be signed in the beginning of July (end of June looking at the holiday calendar) being the biggest milestone. Some of the roots already contain DNSSEC information. Other ccTLDs continue to turn DNSSEC on with countries on every continent signed. more
As a reader of this article, you are probably familiar with the DNS cache poisoning techniques discovered a few years ago. And you have most likely heard that DNSSEC is the long term cure. But you might not know exactly what challenges are involved with DNSSEC and what experience the early adopters have gathered and documented. Perhaps you waited with our own rollout until you could gather more documentation over the operational experience when rolling out DNSSEC. This article summarizes authors' experiences and learnings from implementing the technology in production environments as well as discusses associated operational issues. more
The Washington Post had a good article up yesterday capturing comments issued by the United States military that it has the right to return fire when it comes to cyber attacks... This is an interesting point of view, and it extends from the United States's policy that if it is attacked using conventional weapons, it reserves the right to counter respond in kind. This has been a long accept precept governing US foreign military policy for generations. Yet cyber attacks are different for a couple of reasons... more
Some email discussion lists were all atwitter yesterday, as Sourcefire's open-source anti-virus engine ClamAV version 0.94.x reached its end-of-life. Rather than simply phase this geriatric version out the development team put to halt instances of V0.94 in production yesterday, April 15, 2010. In other words, the ClamAV developers caused version .94 to stop working entirely, and, depending upon the implementation, that meant email to systems using ClamAV also stopped flowing. more
Google may have unnecessarily provoked a fight with China, but the Middle Kingdom better keep its wits, lest it repeat a sad protectionist history. Early last millennium China was the world's richest civilization and technology leader. It famously invented gunpowder, iron casting, paper, porcelain, printing, and gigantic nine-masted sailing vessels. Between 1405 and 1433, the great Muslim Chinese explorer Zheng He led seven expeditions in the South Pacific and Indian Oceans, reaching the coast of East Africa. China's naval fleet grew to 3,500 ships... more
Complete DNSSEC implementation requires that domains are authenticated at the root by the Registry, and that DNS zones and records are authenticated as well. Now before I go any further, let me begin by stating that I fully support the development and deployment of DNSSEC and that the vulnerabilities presented by Cache Poisoning are very real, especially for those websites collecting login credentials or other types of sensitive information. more
Nobody doubts that some time in the near future there will be Internationalized Domain Names (IDNs) in Chinese, Russian or Arabic scripts. The Chinese, Russian and Arabic-character-using worlds are large -- encompassing hundreds of millions of current and potential users. They are politically influential blocs, with the ability to demand action in international meetings. And perhaps most importantly, they are -- at least when taken together -- rich. Everybody knows that access on the web in these languages is not a matter of if, but simply a question of when... more
At the beginning of this year, a set of powerhouse organizations in cybersecurity (CSO Magazine, Deloitte, Carnegie Mellon's CERT program, and the U.S. Secret Service) released the results of a survey of 523 business and government executives, professionals and consultants in the ICT management field. The reaction generated by this survey provides an unusually clear illustration of how cyber-security discourse has become willfully detached from facts. more
This is a reply to Susan Crawford's circleid article "Comcast v. FCC - "Ancillary Jurisdiction" Has to Be Ancillary to Something". I started writing a reply to her article, adding some comments I had and also reminding her that she'd predicted this herself, in an earlier circleid article, but it turned out long enough that I decided to submit it as a circleid post instead. On the whole, the facts agree with this CNET article. This court decision was correct, and expected... more
Any vendor in the platform business knows that their primary product is programming interfaces -- the so-called APIs that developers depend upon in order to deliver applications. The API exposes features of the platform, and differentiate applications running on that platform from all others. Lose control of the API, and you will lose control of the developer. Developers are the leading indicator for platform success. Ergo, lose the developer, lose the platform. more
I read, with some small amount of discomfort, an article by Bill Brenner on CSO Online, wherein he interviewed several other CSOs and other "Security Execs" on their opinions on the firing of Pennsylvania CISO Robert Maley. For those who haven't heard about this, Mr. Maley was fired for talking about a security incident during the recent RSA conference without approval from his bosses. more
Yesterday's Wikipedia outage, which resulted from invalid DNS zone information, provides some good reminders about the best and worst attributes of active DNS management. The best part of the DNS is that it provides knowledgeable operators with a great tool to use to manage traffic around trouble spots on a network. In this case, Wikipedia was attempting to route around its European data center because... more
Big news today - Judge Tatel has written the D.C. Circuit's opinion in Comcast v. FCC, and Comcast wins. Bottom line: The FCC didn't have regulatory authority over Comcast's unreasonable network management practices because it failed to tie that authority to any express statutory delegation by Congress... more