Dan Kaminsky, one of the Internet's essential squad of "volunteer fire fighters" who oversaw the largest-ever synchronized vulnerability patching in Internet history, has written a stirring editorial for Wired explaining what the FBI puts at risk when it demands weaker encryption: it's not our privacy, it's the security of finance, health care, roads, and every other piece of tech-enabled infrastructure in the land. Read the rest
Dan Kaminsky is master of all that is terrible and wonderful about the Internet's Domain Name Service, a vital piece of Internet infrastructure dating back to 1983, whose criticality and age make it a source of ongoing problems in Internet securityland. Read the rest
One year ago today
Dan Kaminsky on BitCoin: Bitcoin’s fundamental principle of fraud management is one of denial.
Five years ago today
Scalia Scoffs at Calls for More Data Privacy Protection, Students Surprise Him With Dossier of His Own Data.: The class turned in a 15-page dossier that included not only Scalia's home address, home phone number and home value, his food and movie preferences, his wife's personal e-mail address and photos of his grandchildren.
Ten years ago today
Collisions in T9:
46637: GONER, GOODS, GOOFS, HOMER, HOMES, HONER, HONES, HOODS, HOOFS, INNER Read the rest
Ever since BitCoin appeared, I've been waiting for two security experts to venture detailed opinions on it: Dan Kaminsky and Ben Laurie. Dan has now weighed in, with a long, thoughtful piece on the merits and demerits of BitCoin as a currency and as a phenomenon.
Read the rest
Bitcoin’s fundamental principle of fraud management is one of denial. If we drop our wallet on the street, the U.S. government is not going to compensate us for our lost cash. Bitcoin attempts to make the same deal, to the point where it calls its stores of keys, “wallets.” If we drop our wallet on the street — heck, if someone picks it out of our pockets — the money’s gone.
There have been bitcoin thefts. A few years ago, I tried to break Bitcoin, and failed quite gloriously. The system and framework itself is preternaturally sound. But it too is built on the foundation of buggy technologies we call the internet, and so Bitcoin must experience failures from the code around it. Hackers don’t care whose code they broke on their way to bitcoin, any more than pickpockets care that they’re exploiting the manufacturer of one’s jeans or leather wallet. So they break the server below the money, or the web interface above it. They still win.
At least, that’s the theory. Reality is more complicated. Of all the millions of dollars of purloined bitcoin that’s floating around out there, not one Satoshi of it has been spent. That’s because while most other stolen property becomes relatively indistinguishable from its legitimate brethren, everybody knows the identity of this particular stolen wealth, and can track it until the end of time.
Last week I was excited to announce the birth of Coffee Common, a project of coffee enthusiasts (one of them being me) coming together to improve the experience of coffee for both industry and consumers. I mentioned that to kick off the launch, the project organizers and a handful of baristas from around the world will be spending this week in conjunction with the TED conference talking about (and serving) a few noteworthy selections from a select group of roasters.
We narrowed our list to the roasters we know have beautiful coffees with clarity and balance on their offering menus—and, who would be able to produce, roast and ship enough coffee to meet the needs of the thirsty TED attendees, at their own expense.
Normally, these roasters would consider each others competition, but the Coffee Common project is about collaboration. So we had an idea. We could write a short introduction for each included roaster, or we could assign each participating roaster the task of writing the intro for one of the others - knowing very well that one of the others would be writing theirs as well. This sounded much more interesting to us. After all, your fans can gush about you, but what your competition says may be more telling. So with that in mind...
Intelligentsia - introduced by James Hoffman of Square Mile Coffee
Stumptown - Introduced by Benjamin Kaminsky of Ritual Roasters
Has Bean - Introduced by Peter Giuliano of Counter Culture Coffee
Square Mile - Introduced by Trevor Corlett of Madcap Coffee
Ritual Roasters - Intriduced by George Howell of Terroir Coffee
Terroir Coffee - Introduced by Steve Leighton of Has Bean
More introductions will be posted soon. Read the rest
Legendary DNS hacker Dan Kaminsky has a new, out-of-left-field project to mitigate color blindness with augmented reality software for mobile phones. DanKam is a mobile app that you calibrate so it knows the specifics of your color blindness (I can't see a lot of greens), and then it automatically color-corrects the world as seen through the phone's lens to compensate for your deficit.
Really though, not being color blind I really can't imagine how this technology will be used. I'm pretty sure it won't be used to break the Internet though, and for once, that's fine by me.
Ultimately, why do I think DanKam is working? The basic theory runs as so:
1. The visual system is trying to assign one of a small number of hues to every surface
2. Color blindness, as a shift from the green receptor towards red, is confusing this assignment
3. It is possible to emit a "cleaner signal", such that even colorblind viewers can see colors, and the differences between colors, accurately.
4. It has nothing to do with DNS (I kid! I kid! But no really. Nothing.)
DanKam: Augmented Reality For Color Blindness
How Dan Kaminsky broke and fixed DNS - Boing Boing
Kaminsky on the net-shaking DNS bug - Boing Boing
Boing Boing: Sony infects more than 500k networks, including ... Read the rest
Dan Kaminsky sez, "Digital: A Love Story is set 'five minutes into the future of 1988', and is one of the most fascinating games I've played in years. Set entirely within an Amiga Workbench desktop, the concept of the game is that you are just your average BBS user, when you meet someone...interesting."
Just played this for ten minutes and was overwhelmed with nostalgia for my Amiga 1000. Looks like LOADS of fun.
Digital: A Love Story
Review: GP2X Wiz runs retrogaming rings around mainstream rivals ...
A weekend with Amiga Forever 2008: retrogaming without the hassle ...
From Atari Joyboard to Wii Fit: 25 years of "exergaming"
Lenslok: proto-DRM from the ZX Spectrum era
Andy Warhol paints Debbie Harry on an Amiga Read the rest
Wired's Joshua A Davis has a great profile of my pal Dan Kaminsky's work on discovering and then helping to fix a net-crashing DNS bug earlier this year. Davis really captures the excitement of discovering a major security flaw and the complex web of personal, professional and technical complications that come to bear when you're trying to disclose the research in a way that minimizes harm to the net.
Dan does a lot of fun security-related stuff that doesn't get talked about in public. There's this one thing he does --
But that would be telling.
Read the rest
The next morning, Kaminsky strode to the front of the conference room at Microsoft headquarters before Vixie could introduce him or even welcome the assembled heavy hitters. The 16 people in the room represented Cisco Systems, Microsoft, and the most important designers of modern DNS software.
Vixie was prepared to say a few words, but Kaminsky assumed that everyone was there to hear what he had to say. After all, he'd earned the spotlight. He hadn't sold the discovery to the Russian mob. He hadn't used it to take over banks. He hadn't destroyed the Internet. He was actually losing money on the whole thing: As a freelance computer consultant, he had taken time off work to save the world. In return, he deserved to bask in the glory of discovery. Maybe his name would be heralded around the world.
Kaminsky started by laying out the timeline. He had discovered a devastating flaw in DNS and would explain the details in a moment.
Wired's Danger Room has a good interview with Dan Kaminsky, whose DNS hack has been burning up the wires. Dan figured out a means of disrupting the entire Internet by poisoning DNS. The exploit's existence and scope have been hotly debated ever since, and it all came to a head when details of the exploit leaked:
Read the rest
Well you know, there were people who said, Dan, I wish I could patch but I don't know the bug and I can't get the resources I need to patch it. Well you know the bug now.
You know, Verizon Business has a blog entry where they say that the greatest short-term risk from patching DNS was from the patch itself, from changing such a core and essential element to their systems. I know this. I was a network engineer before I was a security engineer. So that's why we took such extraordinary lengths to try to get people as much time as possible (to patch their systems). There's just a lot of complexity in doing something on this scale. This is something I think a lot of people don't realize. It was difficult to get the patches even written, let alone get them all released on a single day.
But let me tell you, the complete lack of whining from the (DNS software) vendors . . . if I could have gotten as little whining from the security (professionals) . . . no I'm not going to say that. It's so tempting! I'm simply going to say this in positive terms.
Dan Kaminsky has produced slides showing the "information density" of several different blocks of text, including the corpus of Project Gutenberg, the Windows kernel, and the US legal code. The conclusion? The law has more structural similarities to software code than to the prose in Gutenberg's 17,000 books: "Legalese is a massively structured dialect. Symbols appear in very distinct patterns that are more reminiscent of machine code than text."
Read the rest
About the 2001
-themed images above
, BB reader Jack
says, "Teh astronaut cat
inspired me to make them."
Best iPod inscription ever: It's time for hoboes to take over the US government
's snaps from Black Hat
hacker con, which ends today: Richard Clarke
, Dan Kaminsky
, Phil "zphone" Zimmerman
Booze-themed lipgloss/chapstick products
seemingly marketed at tweens and kids.
Earthlink wants the City of San Francisco
to guarantee baseline revenue before it will light up muni wireless project. LOL.
San Francisco orders medical weed dispensaries to sell fatter bags.
Hey, speaking of stoners! Pro-pot lobbyists are tops on congressional softball team
, ahead of teams for DNC, RNC, Sen. McCain, DoJ.
(thanks, brooklyngirl.com, Dave, and anonymous others!)
Reader comment: Anonymous says,
Read the rest
The inscription on apelad's ipod is from John Hodgman's book, on page 123, where he shows the hobo-sign for the coming hobo government take-over. That same hobo sign is hidden in each of the lolcats comics created by apelad. Look for an H in sunrays.
This betatted fellow isn't worried about disappointing box office returns or concomitant studio whinery -- or, it would seem, the fact that ink in flesh lasts longer than internet fads.
BoingBoing reader Adam explains,
Read the rest
A gentleman named Jim Dozier ("Doz," or "iBgerd") decided he was so excited about the movie that he would have its logo tattooed on his arm. (Link) Doz has been a cherished member of our site for years now, so we all cheered him on when we realized the tattoo was real. One of our members photoshopped the picture of the tattoo replacing the logo with one from "Howard The Duck" and reminded Doz that he was really going to regret this in a few years.
A few days after getting the tattoo, New Line Cinema announced the "Snakes on a Plane #1 Fan Sweepstakes." (Link) Doz immediately entered the contest, and as of today, he's firmly in second place. Max (of YTMND.com fame) has a commanding lead thanks to his army of followers, but even he has admitted that Doz is clearly the #1 fan.
At this point, it's easy for people to roll their eyes and write Doz off as some creepy old guy living in his mom's basement. Indeed, he's gotten a bit of media exposure because of all this, and has been treated poorly by some. A few mouthbreathing DJ's on some morning show decided to interview Doz, and tried their best to run a bunch of cliche jokes into the ground while embarrassing and demeaning him.
Dan Kaminsky, DNS hacker and rootkit infection sleuth, has devised a test for checking to see if your Internet connection is "neutral" -- that is, whether your connection is being filtered, throttled, slowed down, or monkeyed with secretly by your ISP:
Kaminsky calls his technique "TCP-based active probing for faults." He says that the software he's developing will be similar to the Traceroute Internet utility that is used to track what path Internet traffic takes as it hops between two machines on different ends of the network.
But unlike Traceroute, Kaminsky's software will be able to make traffic appear as if it is coming from a particular carrier or is being used for a certain type of application, like VoIP. It will also be able to identify where the traffic is being dropped and could ultimately be used to finger service providers that are treating some network traffic as second-class.
I've suggested that a keystone of any solution to the Net Neutrality problem will be keeping the ISPs honest -- even if we pass a law prohibiting the auction of access to your connection to Internet companies, there's no guarantee that the Bells won't do it, and without a tool like this, it could be very hard to spot. If this works, maybe Google or Alexa (two companies that rely on a neutral net) will put it in their toolbars. It would be very good if there was some public place where data about different ISPs could be aggregated as a real-time Internet health report. Read the rest
See Part I, Part III, Part IV, Part V and Part VI of this post for more.
It's been three days since the first roundup post on Sony's rootkit DRM and lots of new stuff has come to light since. Below is a timeline of posts since then, but first, here's the Sony debacle news that came in while I slept:
Immunize Yourself Against Sony’s Dangerous Uninstaller
: Princeton DRM researchers Ed Felten and Alex Halderman explain how to miitgate the security vulnerabilities
left behind by Sony's incompetent "uninstaller" program.
List of infected CDs
: Sony finally lists the 52 titles infected with the XCP rootkit. Note that Sony initially claimed that fewer than half that number were infected. (Thanks, Kurt!
US-CERT: Never Install Audio-CD DRM Software
. The Department of Homeland Security's Computer Emergency Readiness Team advises that you never install CD DRM
: "Do not install software from sources that you do not expect to contain software, such as an audio CD." (Thanks, Kurt!
Now, all the news that's come in since the initial roundup post on Nov 14:
Nov 14: Sony anti-customer technology roundup and time-line
Roundup of Sony's misdeeds to Nov 14.
Nov 14: EFF to Sony: you broke it, you oughta fix it
EFF publishes an open letter to Sony calling on the company to make amends for its misdeeds -- Sony should disclose the risks of its DRM software, it should give customers uninfected CDs, help anti-spyware companies fix the holes, compensate customers for damage to PCs, and package their CDs will full disclosure of any malware contained within. Read the rest