DNS Flaw Update
Filed Under Computers & Tech, Security on August 7, 2008 | 1 Comment
I listened to Dan Kaminsky’s Black Hat talk on the DNS flaw he discovered this afternoon (it’s on the web). I was disappointed by the lack of technical details, particularly about the client attacks, but it did answer some of my questions. For me the biggest deal was that yes, clients are vulnerable, and yes, clients do need to use port randomisation. This is what Apple failed to do in their latest update, and what Apple now need to do ASAP. Dan described the server flaw as being like a nuke, and the client flaw as being like a sniper: both will kill you if they hit you, but you defend against the nukes first, hence the focus on servers.
Another key point is that this is a temporary fix, not a permanent fix. By adding in source port randomisation we’ve bought ourselves some more time, probably a few years, but as networks continue to get faster, even this boost of entropy will cease to be enough. There are two permanent fixes, but neither is easy to deploy, and since DNS is a global system it will take time, and probably the patience of a saint, to get either implemented. At the core of the problem is the fact that DNS uses UDP, which is a connectionless protocol, making it easy to spoof packets. One way around this is so-called DNSSEC, which extends the current DNS architecture to use certificates to authenticate responses. Another solution would be to switch DNS from UDP to TCP. Both sound simple, but no change to DNS is simple, and if you get it wrong you literally kill the internet!
Bottom line, we haven’t heard the last of this yet, not nearly!
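An added example (not from the original post or from the talk) that puts numbers on the two points above: whether a resolver's source ports are actually randomised, and how the extra entropy shrinks as links get faster. The port samples are constructed, and the sequential-step threshold, the 100 ms lookup window and the 100-byte reply size are assumptions of this sketch.

```python
import math

TXID_BITS = 16  # width of the DNS transaction ID field

def classify_ports(ports):
    """Classify observed UDP source ports; return (kind, estimated port bits)."""
    if len(set(ports)) == 1:
        return "fixed", 0.0
    deltas = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if max(deltas) <= 8:  # assumed threshold: small steady steps are predictable
        return "sequential", 0.0
    span = max(ports) - min(ports) + 1
    return "randomised", math.log2(span)  # crude pool estimate from sample range

def race_loss_probability(port_bits, link_mbps, window_ms=100, reply_bytes=100):
    """Assumed model: chance that the spoofed replies which fit into one lookup
    window at the given link speed include the right (TXID, port) pair."""
    guesses = (link_mbps * 1e6 / 8) * (window_ms / 1000) / reply_bytes
    return min(1.0, guesses / 2 ** (TXID_BITS + port_bits))

# Constructed samples: source ports seen on eight consecutive queries.
SAMPLES = {
    "fixed-port stub": [49152] * 8,
    "incrementing ports": [1025, 1026, 1027, 1028, 1029, 1030, 1031, 1032],
    "randomised ports": [50213, 1893, 33170, 61022, 9466, 27451, 44809, 15237],
}

def report(samples=SAMPLES, speeds_mbps=(10, 1000, 100000)):
    """One row per sample: name, classification, port bits, P(loss) per speed."""
    rows = []
    for name, ports in samples.items():
        kind, bits = classify_ports(ports)
        probs = [race_loss_probability(bits, s) for s in speeds_mbps]
        rows.append((name, kind, bits, probs))
    return rows

if __name__ == "__main__":
    for name, kind, bits, probs in report():
        cells = "  ".join(f"{p:.1e}" for p in probs)
        print(f"{name:20} {kind:11} port bits {bits:4.1f}  P(loss) {cells}")
```

With a fixed or incrementing port only the 16-bit transaction ID protects a lookup; with randomised ports the per-lookup probability drops by several orders of magnitude but still rises in step with link speed.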
Aug
7
I’ve Joined the Mac Round Table Podcast
Filed Under Computers & Tech, My Projects on | 1 Comment
It’s funny how one thing will often lead to another. It’s not long since I joined the production team of the International Mac Podcast, and now I’ve been invited to join the pool of panellists for the Mac Round Table Podcast. The MRT is a very interesting idea. They have a large pool of Mac Podcasters and each week they host a round-table discussion with three to five members from this pool on some Mac-related topic. Because it’s a big pool there’s a great variety of voices on the show and no two weeks are the same. If you’re trying to figure out which Mac podcasts to subscribe to, the MRT is a great place to start since you get to hear lots of Mac podcasters in one place. I’m exceptionally honoured to have been invited into the pool. I recorded my first show last night with Don McAllister, Joseph Nilo, Chuck Joiner & Dave Hamilton, so keep an eye out for it on the RSS feed.
July Photos Uploaded
Filed Under Photography on August 5, 2008 | Leave a Comment
I’m a lot more on the ball this month; I just got the last of my July photos uploaded today. Lots of shots I’m really happy with this month, including some lovely shots of butterflies and Geraldine (AKA Maynooth) Castle. Some of these shots are HDRs that I’m very happy with because they don’t look like HDRs.
Photo of the Week 24 – Large Bindweed
Filed Under Photography on August 3, 2008 | Leave a Comment
Technically this flower is a terrible weed, you really don’t want this in your garden, but it’s still beautiful! This shot is clearly processed but I hope you’ll agree that it’s been done tastefully. What I’ve done is desaturate everything in the shot apart from the flowers and leaves of the Bindweed so that it stands out from the grass that it was growing amidst.
I got this shot while mountain biking along the towpath of the Royal Canal between Maynooth and Leixlip, or to be more precise, between Pike’s Bridge and Deey Bridge.
For those of you interested in such things here are some of the technical details of the original shot:
- Camera: Nikon D40
- Lens: Nikon DX AFS 18-55mm (D40 kit lens)
- Exposure: 1/320 sec
- Focal Length: 55mm
- Focal Ratio: F8
- ISO: 200
- Camera Mode: Auto
- Exposure Compensation: 0.0
The processing was done using the GIMP. I used this image in my tutorial demonstrating this technique.
The Apple DNS Saga Continues
Filed Under Computers & Tech, Security on August 2, 2008 | 1 Comment
Yesterday Apple released security update 2008-005 which was supposed to fix the DNS flaw I recently complained about Apple not having fixed yet. Well, it appears that Apple only half-fixed the problem. Yes, they have fixed the BIND DNS server in OS X, but in reality that only protects X-Serves running a DNS server. Sure, regular OS X ships with the BIND DNS server installed, but it’s not on by default, and almost no one turns it on. What we all use all the time is the stub resolver that’s part of OS X, and that’s what Apple didn’t fix. This means that regular Mac users are still not protected from this DNS flaw while just about everyone else is.