Sunday, December 17, 2006

dynamic pharming

I just learned what DNS pinning is and how it can be defeated when a domain is associated with multiple DNS A records.

The basic idea of DNS pinning is that when your browser loads something from x.com, it caches the DNS A record for x.com (the IP) and then keeps using that local copy instead of sending a DNS request each time.

This means that all requests to x.com for a browser session will be sent to the same IP address.  Unfortunately, there's an attack: if the IP that was "pinned" stops responding, the browser throws away the pinning and issues another DNS request.

If the new IP differs from the pinned one, the browser will still see pages from both IPs as being in the same domain, and thus in the same origin -- scripts from one will have full access to content from the other.

This means that an attacker who controls the DNS records for x.com can put his IP first and the real x.com's IP second in the list of A records.  Then, at will, he can instruct his server to quit responding to requests.  This allows him to force clients to go from using his version of x.com to the real one.  The result: scripts served by his version of x.com can access content on the real x.com.  Browsers' Same Origin policies do nothing to fix this (in my opinion, they aren't supposed to).

What is this if not motivation to make DNS much more secure, since it is treated as an authority!
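To make the mechanics concrete, here is a small Python model (added here; it is not code from the post or from any real browser) of a pin cache that falls back to the next A record once the pinned server stops responding. The IP addresses, the hostname and the hardened "host plus pinned IP" origin rule are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts).
ATTACKER_IP = "192.0.2.10"
REAL_IP = "198.51.100.20"


@dataclass
class Browser:
    """Toy model of a browser's DNS pin cache; not code from any real browser."""
    dns: dict                                  # hostname -> ordered list of A records
    strict_origin: bool = False                # True: origin also includes the pinned IP
    down: set = field(default_factory=set)     # IPs currently refusing connections
    pins: dict = field(default_factory=dict)   # hostname -> pinned IP

    def connect(self, host):
        """Return the IP a request to `host` reaches.

        A pinned IP is reused until it stops responding; then the pin is
        discarded and the first reachable A record is pinned instead, which is
        exactly the fallback the post describes.
        """
        ip = self.pins.get(host)
        if ip is None or ip in self.down:
            reachable = [a for a in self.dns[host] if a not in self.down]
            if not reachable:
                raise ConnectionError(f"no A record for {host} responds")
            ip = reachable[0]
            self.pins[host] = ip
        return ip

    def origin(self, host, ip):
        """Same Origin key: host only (classic), or host plus pinned IP (hardened)."""
        return (host, ip) if self.strict_origin else (host,)


def run_scenario(strict_origin):
    """x.com's A records list the attacker's IP first and the real server second.
    Returns (first IP reached, IP reached after the pin is lost, same_origin?)."""
    b = Browser(dns={"x.com": [ATTACKER_IP, REAL_IP]}, strict_origin=strict_origin)
    ip1 = b.connect("x.com")             # script is loaded from the first record
    script_origin = b.origin("x.com", ip1)
    b.down.add(ip1)                      # that server stops answering
    ip2 = b.connect("x.com")             # pin dropped; browser lands on the other record
    return ip1, ip2, script_origin == b.origin("x.com", ip2)


if __name__ == "__main__":
    print("host-only origin:", run_scenario(False))   # script may read the real site
    print("host+IP origin:  ", run_scenario(True))    # access denied across the rebind
```

With the classic host-only origin the script loaded from the first IP is same-origin with content later fetched from the second IP; folding the pinned IP into the origin key is one way to make that rebind visible to the policy.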

Link to more info

Friday, December 15, 2006

public domain DRM

Most current DRM revolves around the idea that each person should be required to pay for their right to view/use some protected media.  The rights may be temporary or permanent, and may or may not be transferable.  Ideally, a DRM system should be able to restrict who, what, when, and how.

Kelsey and Schneier propose "The Street Performer Protocol," which puts a twist on DRM.  Instead of protecting content from the public, it pays the distributor if the content is released to the public domain.

Essentially, people put donations in an escrow, and then when the content is released to public domain, the distributor (or artist) is paid.

I haven't read the paper yet, but this looks like a promising way to help free software developers pay for overhead costs.

Thursday, December 14, 2006

newcomb's paradox

A clairvoyant being presents you with two boxes: one is open, and has $1000 in it.  The other one is closed, and you're told it contains either nothing or $1,000,000.

The being asks you to choose to take either both boxes, or just the closed one.  He claims (due to his clairvoyance) that if he predicted you would choose the closed one, then he put the $1,000,000 in it.  If he predicted you would choose both, he left it empty.

The paradox is: which do you choose?  Both, or just the closed box?  Why?

(Link to essay by Franz Kiekeben)

Tuesday, December 12, 2006

progenetorivox

This is one of the funniest videos I've seen in a long time:
Drugs I need

Cheers to the folks at jibjab.com who keep coming out with hilarious animations!

this is our country

There's a new Chevy ad that I find interesting.  The song in the background keeps repeating "This is Our Country," meanwhile the camera pans for what seems like forever, showing people erecting a long barbed wire fence.

Take away message: to show you this is OUR country, we're going to put up a barbed wire fence to keep everyone else out... oh, and buy a Chevy to support the fence.

Wednesday, December 06, 2006

Fishing, not Phishing

Apparently someone used a rod, line and hook to pull bags of money out of one of our local bank's night deposit boxes! (Link) The thief left the fishing pole at the scene (probably accidentally) giving investigators a clue about what happened.

Immediately, I see a quick low-tech fix. If bags entering the drop box wouldn't simply drop 3 feet to the floor, but instead slid down a spiral slide for 5 feet, it would be INCREDIBLY hard for someone to get a hook on a bag. Optionally, one could include a second door, a trap door, that opens only when there's enough weight to push it open. A bank fisher would then need one heck of a sinker to get the hook down to the bags! Any other ideas?

(Link to story)