Month: July 2008

DNS mess and what I think about DNSSEC

Posted by – 30/07/2008

I am following this new DNS mess closely. In fact, there’s nothing really new in it. DNS has been attacked lots of times over the years, as a result of not being designed with security in mind from the ground up; this new one is just a combination of known attacks against known security flaws. The “quick fix” is not a real fix, and just incorporates old ideas into the most used DNS software, strengthening it to face the attack. The details leaked, and there’s already at least one public exploit (and who knows how many in the wild).
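As an added illustration (mine, not part of the original post) of why a 16-bit transaction ID alone is weak and what randomising the source port, the widely deployed “quick fix”, buys a resolver: the functions below compute the odds that a forged reply matches all of the resolver’s unpredictable fields, and how many query windows an attacker who can fit a given number of forged replies in front of the genuine answer would need on average. The entropy-bits parameter, the packets-per-window figures and the budget numbers are assumptions for the example, not numbers from the post.

```python
"""Odds of a forged DNS reply being accepted (added example, not from the post).

Assumptions: a forged reply is accepted only when every unpredictable field the
resolver checks matches, and the forged replies sent in one window all carry
distinct guesses.  The number of unpredictable bits is a parameter, so 16
(transaction ID only), 32 (transaction ID plus randomised source port) or the
post's much larger ID can be compared side by side.
"""
import math


def per_packet_odds(entropy_bits: int) -> float:
    """Probability that a single forged reply matches all unpredictable fields."""
    return 2.0 ** -entropy_bits


def window_success(entropy_bits: int, forged_per_window: int) -> float:
    """Chance of winning one race window with `forged_per_window` distinct
    guesses delivered before the genuine answer arrives (capped at 1.0:
    covering the whole space guarantees a hit)."""
    return min(1.0, forged_per_window * per_packet_odds(entropy_bits))


def expected_windows(entropy_bits: int, forged_per_window: int) -> float:
    """Expected number of race windows until success.  In the combined attack
    the post describes, each window is a fresh query for a random sub-name of
    the target zone, so the attacker never waits for a cached answer's TTL."""
    p = window_success(entropy_bits, forged_per_window)
    return math.inf if p == 0 else 1.0 / p


def bits_needed(forged_per_window: int, windows_budget: int, max_success: float) -> int:
    """Smallest number of unpredictable bits such that an attacker with a budget
    of `windows_budget` windows, each carrying `forged_per_window` guesses, has
    at most `max_success` probability of ever succeeding (union bound)."""
    total_guesses = forged_per_window * windows_budget
    return math.ceil(math.log2(total_guesses / max_success))


def compare(forged_per_window: int = 100) -> dict:
    """Expected windows for the three configurations discussed in the post
    (the 100-replies-per-window figure is an assumption)."""
    return {
        "txid_only_16": expected_windows(16, forged_per_window),
        "txid_plus_port_32": expected_windows(32, forged_per_window),
        "txid_2048": expected_windows(2048, forged_per_window),
    }


if __name__ == "__main__":
    for name, windows in compare().items():
        print(f"{name:>20}: ~{windows:.3g} windows")
```

With 100 forged replies per window, the 16-bit ID falls in a few hundred windows while the 32-bit combination needs tens of millions; the 2048-bit case underflows to a zero per-packet probability and reports an infinite expectation. `bits_needed` is the defender’s side of the same arithmetic: given how much traffic an attacker can push, it says how much unpredictability the reply must carry to keep the success probability under a chosen bound.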

The new buzzword is DNSSEC.

I don’t like DNSSEC. I never did. The first time I heard of it, around 2001, it was a centralization of a decentralized database: a proposed company (called Network Solutions) would serve as a central authority, signing every root DNS entry. It was a joke! Come on! DNS is supposed to be decentralized! Having a central company anywhere is just a huge step back in decentralization (not to mention a huge step back in security).

Time passed, and the DNSSEC specs evolved to a more decentralized way of thinking. The state it is in now, and the implementations we have seen so far, are not good. No! I am not talking about security… I am talking about the KISS principle: DNSSEC turns something really simple to deploy into a full-time job, with frequent key roll-overs and re-signing every time you change the zone; a huge mess! Yes, there are automated tools, but, come on! You still have to wait for the TTL to expire before publishing this part or that part of the cryptographic machinery… And, if we are talking about real security, are we going to build some automated “fire-and-forget”-style tool and not follow it? If we are not watching it as it goes, and it fails, we could end up with a completely wrong set-up or (even worse) a non-validating zone.

And I haven’t yet mentioned the increase in payload… I am not completely convinced that this alone would not lead to DoS attacks just by compromising the responsiveness of the servers (and DoS attacks have already been available for quite some time; maybe the DNSSEC medicine is worse than the disease…). The root (“.”) servers are not even DNSSEC-aware, and there’s a whole class of other stuff to work around the fact that they may not be DNSSEC-aware for quite some time yet.

There has to be a simpler way!

I can imagine at least three ways to fix the problem until we can fix DNS in a KISS way… And they’re all KISS too:

  • Change the Transaction ID field. This is the first Achilles heel of this crisis. Let’s increase the length of this field to 2048 bits, or even larger. Better yet, let’s make it variable, so every system administrator can set his servers’ own size. Yes, I know this leads to replacing ALL the DNS infrastructure, but isn’t that what we are doing right now, anyway?
  • Deactivate in-bailiwick injection. Over the years, DNS has been expanded to allow a lot of things other than the translation of names into numbers (or to ease this translation). The second Achilles heel is the ability to inject the IP address for WWW.VICTIM.COM while querying for 10294DKGJSDL.VICTIM.COM, since both names are in the same bailiwick (in-bailiwick). Let’s take a step back and deactivate all this… Before 1995, the same thing could happen with any addresses, including those “out of bailiwick”, and it was fixed to only allow those in-bailiwick… Let’s fix it again to not allow it at all!
  • Good old iptables. Couldn’t we just use iptables’ limit rules to stop this attack and blacklist the attacker? We’ve been doing this for a lot of other things (SYN floods, ICMP attacks, etc). Can’t we just do the same? Again: this is not a new thing… it relies on multiple attacks in a short period of time, just like other attacks we’ve seen and successfully blocked with these techniques…
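To make the second and third proposals concrete, here is an added example (mine, not the post’s and not any resolver’s actual code) of the acceptance logic a caching resolver would apply to a reply. `accept_records` implements both the post-1995 bailiwick rule and the stricter rule the post proposes (cache only records whose owner name is the name actually asked for), and `UnsolicitedResponseLimiter` does the iptables-style rate limiting inside the resolver: a source that sends more replies matching no outstanding query than a threshold within a sliding window is blacklisted. The record model, the forged sample reply, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the example.

```python
"""Resolver-side acceptance checks for DNS replies (added example).

Assumptions (not from the original post): a minimal in-memory model of a reply
and its records, and a sliding-window counter; no real sockets or cache.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a name below it (case-insensitive)."""
    o = owner.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return o == z or o.endswith("." + z)


@dataclass
class Record:
    owner: str
    rtype: str
    data: str


@dataclass
class Response:
    txid: int
    qname: str
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def accept_records(resp: Response, zone: str, policy: str) -> list:
    """Return the records a resolver would cache from `resp`.

    `zone` is the zone the queried server is authoritative for.
    policy == "bailiwick": the post-1995 rule, cache anything inside `zone`.
    policy == "strict":    the post's proposal, cache only records whose owner
                           name is exactly the name that was asked for.
    """
    kept = []
    for rec in resp.answers + resp.additional:
        if policy == "bailiwick" and in_bailiwick(rec.owner, zone):
            kept.append(rec)
        elif policy == "strict" and rec.owner.lower() == resp.qname.lower():
            kept.append(rec)
    return kept


class UnsolicitedResponseLimiter:
    """Count replies that match no outstanding query, per source address,
    inside a sliding time window; a source exceeding `limit` is blacklisted
    (the post's iptables idea, applied by the resolver itself)."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)
        self.blacklist = set()

    def observe(self, src: str, now: float, matched: bool) -> bool:
        """Record one reply from `src`; return True if `src` is blacklisted."""
        if src in self.blacklist:
            return True
        if matched:          # a genuine answer to a query we sent: not counted
            return False
        q = self.events[src]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self.blacklist.add(src)
            return True
        return False


def demo():
    # Constructed sample: a query for a random label under VICTIM.COM, and a
    # forged reply trying to plant WWW.VICTIM.COM through the additional section.
    forged = Response(
        txid=0x1234,
        qname="10294DKGJSDL.VICTIM.COM",
        answers=[Record("10294DKGJSDL.VICTIM.COM", "A", "192.0.2.10")],
        additional=[
            Record("WWW.VICTIM.COM", "A", "198.51.100.7"),   # in-bailiwick injection
            Record("WWW.EXAMPLE.NET", "A", "198.51.100.8"),  # out of bailiwick
        ],
    )
    loose = [r.owner for r in accept_records(forged, "VICTIM.COM", "bailiwick")]
    strict = [r.owner for r in accept_records(forged, "VICTIM.COM", "strict")]

    # Constructed flood: 50 unmatched replies from one source within half a second.
    lim = UnsolicitedResponseLimiter(limit=20, window=1.0)
    flagged_at = None
    for i in range(50):
        if lim.observe("203.0.113.9", now=i * 0.01, matched=False) and flagged_at is None:
            flagged_at = i
    return loose, strict, flagged_at


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the bailiwick policy caching the planted `WWW.VICTIM.COM` record while the strict policy keeps only the record for the queried name; both reject the out-of-bailiwick record. One caveat a deployer would weigh: the strict policy as written also drops the NS and glue records a delegation legitimately carries, so a resolver using it would have to fetch those separately.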

Maybe some of those three solutions are flawed… Maybe none are flawed and they can be deployed together… Maybe I am wrong and DNSSEC is the only way to go… But let’s not panic; let’s cool our minds and begin thinking it through. I still don’t think DNSSEC is the holy grail…

Now… I already spent more time than intended on this… let me go back to signing some zones 😉

Great News: Etch’n’Half

Posted by – 28/07/2008

Great to hear about “etch and a half”. I’ve just upgraded all my systems and everything went smoothly. I dumped my home-compiled Ruby in favor of Debian’s version now, since it fixes the annoying security bug. Thanks for the good work, people!

Azeredo, petitions and counters

Posted by – 25/07/2008

I’ve already said here how much I like counters… it turns out I don’t only like countdown counters! I like counters of anything. Currently, as you may have seen on this blog, I am campaigning against the “Azeredo” bill, and I even translated the bill into English, which earned some comments from “foreigners” on the article itself… That led other people to translate the petition into Spanish, and I’ve heard that an English version is on the way.

Now I decided to join the campaign with my taste for counters, and put over there on the side an image with the current number of signatures on the petitions (I’m adding Portuguese and Spanish together, and when it’s ready I’ll add the English one too), linking to the Portuguese version… Maybe someone will put up a page about the existence of the other versions of the petition… then I’ll switch the link to that page.

Besides the version you can see on the side at 180×135 px, I made a 160×120 px version (so it can be used on the PSL-Brasil portal), and I make the links available below for whoever wants to use them:

This counter is updated every 15 minutes.

I want to thank everyone who has already signed and ask that each of you get one more friend to sign. If many of the more than 80 thousand who have already signed get one more, we’ll easily pass 100 thousand!

By the way, the base images I used are from the previous campaign, made by Valessio Brito.

The new Brazilian Internet surveillance

Posted by – 18/07/2008

Here I am writing today to tell about something that might not be known outside Brazil (at least, I haven’t read much in English about it): the attempt to turn the Internet into a government surveillance device.

This story goes back to 2006 (and even earlier), when we first successfully blocked the approval of a bill that would, in effect, turn the Brazilian Internet into a giant Big Brother. This bill was introduced by Senator Eduardo Azeredo as a replacement for a series of other similar bills that had been attempted before, and it was met with strong resistance by civil organizations, one of them being ASL, of which I am proud to be one of the founders. At that time we ended up having it postponed for more debate.

It happened that the bill made a comeback in the last few weeks, and was pushed into approval by a subcommittee of the Senate (one that was supposed to deal with the constitutionality of bills), and is now heading to the Chamber of Deputies for consideration. Apart from the first debates back in 2006, nothing happened between then and the approval. The bill has changed a little bit, but not so much as to change its effects.

In Brazil, we have two legislative houses, the Federal Senate and the Chamber of Deputies. If a Law Project is proposed by one, it is revised by the other. So we have already lost 50% of the fight. Ronaldo Lemos, professor at Fundação Getúlio Vargas (think of a Brazilian version of “Harvard Law School”), has already stated how dangerous such a Law can be, once approved. In his own words: “The wording of the law is too broad, and can be applied in several cases. The interpretation of what is a crime or not will be done by a criminal judge, who is used to dealing with homicides and not with technology”.

Since its approval in the Senate, several people have been putting together a resistance. Central to it is a petition, hosted at Petition Online, that already holds 64 thousand signatures. One of the writers of that petition, André Lemos, a university professor and researcher, has said that the regular user will have the feeling of being watched, not knowing whether what he’s doing is legal or not: “For instance, if I disseminate a virus without knowing, will I be arrested? Can I exchange my files on P2P networks (my pictures, my music, my text files) without asking for permission? How will the ISPs interpret these exchanges? Can I copy a part of a text from a blog and paste it into mine? This law creates a feeling of insecurity and generalized fear”.

FGV’s Center for Society and Technology has published an analysis of the Law Project, and has spotted a lot of problems in it. For instance:

  • Unlocking a cellphone to be used on another carrier, or unlocking a DVD player so it reads disks from different regions, can be a crime punished with 1 to 3 years of imprisonment and a fine, as per article 285-A;
  • Copying something from a blog that doesn’t state access restrictions is turned into a crime, since a blog is covered by copyright and, if not stated otherwise, those restrictions should apply, and someone who copies can be punished with the same 1 to 3 years of imprisonment and a fine, as per article 285-B;
  • Unlocking the iPhone using software like “jailbreak” is turned into a crime punished with 2 to 4 years of imprisonment and a fine, as per article 163-A. Even putting a link somewhere on your site pointing to the “jailbreak” software is considered a crime;
  • The ISP is turned into a surveillance apparatus, and is mandated to inform the authorities about any of the crimes the Law deals with, as stated in article 22.

Thinking of how I could help, after sending an email to every Deputy whose email address I was able to get, I decided to translate the law into English (I also uploaded a version with indentation, since it’s pretty hard to understand the whole law without it if you’re not used to it), so the world can be made aware of what’s going on in Brazil. I also just sent an email with it to the EFF, asking for their help. Not that I think they can do much, but they surely will know one or two strings to pull in order to put more pressure on the Brazilian government. I also hope that, once this post reaches Planet Debian, even more people become aware of the issue. In a sense, this is an appeal to all the Freedom Culture lovers out there to take any action they can to help us prevent this Law Project from becoming a Law.

(Incidentally, I’d like to thank Alexandre Oliva, who revised the translation.)

Update (2008-07-23 11:50): Steve Langasek also revised the translation of the Law Project and I’ve made a “cherry-pick merge”, which resulted in the version currently linked in the text above. Older versions of the plain and the indented documents are still available. Thanks Steve!

Glorfindel of Gondolin and Glorfindel of Rivendell

Posted by – 09/07/2008

I was browsing my old emails and found a 2002 one to the Tolkien List (I believe that list is dead, since Google seems to know nothing about it), which had generated a thread over the well-known controversy of the two Glorfindels.

At that time, the discussion ended with the argument that Tolkien had not said a thing about it and, since he re-used a lot of names, the two Glorfindels might not be the same person… Tolkien might have just let it slip without further consideration. While Googling for the dead list I just found some text that sheds more light on the issue: apparently Tolkien did write about the controversy!

The information comes from a book published after Tolkien’s death by his son, Christopher, and it sets out the story of one Glorfindel, dead in Gondolin after defeating a balrog, gone to Mandos in the Blessed Land, and

After his purging of any guilt that he had incurred in the rebellion, he was released from Mandos, and Manwë restored him… We may then best suppose that Glorfindel returned during the Second Age, before the ‘shadow’ fell on Númenor. . .

The Tolkien Gateway goes further and speculates that he became a follower of Olórin (who became Gandalf in Middle-earth) after being released from Mandos, and that he came to Middle-earth around the time the Blue Wizards came, to help in their task.

That last part is not quoted from the Tolkien text, so I would have to read it from some source to believe it (although it’s quite possible). Now I’ll have to find a copy of that book to learn the rest of the story. It might not be easy to get one… the book was published in 1996, and, apparently, nobody knew of it back when I had the discussion at the Tolkien List… Any idea where I can find one in Brazil?

The challenge of intangibility

Posted by – 05/07/2008

Since I blogged about it, I have been reading Sen. Azeredo’s bill, which I got from SaferNet, and, I must admit, the bill has changed a lot since I last read it. I still do not agree with it under any circumstances, and I consider it a waste of time and an attempt (even if unconscious) to institute a 1984-style society in Brazil. However, now I can understand its biggest problem… the challenge of intangibility.

Human beings have always had difficulty dealing with the intangible… That’s nothing new. The problem is that, with the advance of the Net, the intangible has become a more present part of everyone’s life. Certainly much more present than when ‘intangible’ meant only assets such as trademarks and patents (which were naturally already distant from the population as a whole, restricted to small groups that manipulated them as they pleased). Take the example of a film: if you are like me, a person with no special talent for stardom or for becoming a filmmaker, your relationship with a film is that of a consumer. Until very recently, your only lawful means of “accessing” a film were the cinema, renting, or buying VHS tapes (or DVDs). That is, by all lawful means, you pay a fee stipulated by the “owner” of the intangible asset (directly or indirectly). The most widespread unlawful means, in the case of a film, is the pirated copy: since it does not pay the same “fee” as the lawful means, the cost of a pirated copy is many times lower than that of a lawful one. Until the advance of the Net, it was very easy to make the intangible “tangible”… It was enough to seize the physical copies of the film, arrest and fine the pirates, and everything was solved…

But the Net brought another problem: the “physical” medium became intangible: just bits and bytes circulating in what US Senator Ted Stevens called a series of tubes. That is where Senator Azeredo’s bill (like any bill that “lays hands” on the intangible) fails: it relies on the same old methods to treat the Internet as if it were just a series of tubes… as if it were something physical, something subject to seizure, fines and imprisonment. Guess what: it isn’t!

In the case of the film, as our friend Alexandre Oliva said, merely receiving a link to a video placed on the Internet unlawfully by some third party and, even before knowing what the link contains, downloading it, makes you a criminal. Yes, the law adds a “when required” to say that you are only a criminal if the author’s authorization is, at some point, required… But who chooses from whom that authorization will be required? And what about the cases where it is implicitly required?

Moreover, the Net was made to move data without worrying about these mundane institutions, such as intellectual property and copyright. If you go to a page that has those Flash videos, and one of them is of a film, even if you don’t want to watch it (or not that way), your act was unlawful. If your browser’s cache stored the video “in whole or in part”, then besides receiving the content, you are storing it!

Other points can be raised, such as the articles against paedophilia, or the obligation of the provider to keep records of its users’ accesses (but no obligation to make those records available for examination by the user himself; after all, not all the passwords we use are secure, and accesses in your name may not come from you), but they all revolve around the same theme: untameable intangibility.

I have heard (read) it once before, but it bears repeating: the only ones harmed by this law will be those who try to comply with it: us, ordinary citizens, who don’t worry about the browsing they are doing, or don’t clear their browser caches after landing on a paedophilia page by mistake (by accidentally opening a pop-up, or clicking where they shouldn’t in a spam email, for example). Those who really commit the offences will use the characteristics of the Net to hide… largely as they do today (or do you think the paedophilia pages on Orkut represent the totality of the paedophilia that circulates on the Internet?).

Let’s suppose the following scenario: you are a smart pirate, who doesn’t want to be caught by the new law. All you have to do is keep your pirated films on an encrypted (maybe even steganographic) partition, and supply them through anonymous networks (Tor, FreeNet, OFFSystem, i2P etc). If you are really smart, your identity will never circulate out there, and even if someone reports you directly, who is going to obtain the evidence of your crime from your partition? If it is steganographic, nobody will even know it exists; if encrypted, you don’t need to provide the password, since nobody is obliged to produce evidence against themselves. Simple, isn’t it? Apply the same equation to all the crimes the law addresses and see that it is not so simple to tame the intangible.

Although I have no reason to believe that most paedophilia and piracy is already operating in such a complex (complex?) system, nobody knows what would happen if this bill became law. Today it is relatively easy to identify the criminals (and charge them under the current law), since they are not careful enough, believing in their impunity… But after this law? I believe we will only see encouragement to make these activities ever more refined, ever more complex, ever more impossible to reach. Eventually the State will end up catching the “small fish”, and maybe some innocents in the process… but it will only give the “big fish” the opportunity to bury themselves ever deeper in anonymity, keeping their activities even more profitable through the decrease in competition.

Notice that I have only scratched the surface. I haven’t even mentioned the obvious things: zombie machines, spyware, viruses, reversal of the burden of proof, net neutrality, etc. To all those who think this subject is too simple, and that it should be handled as quickly as it is being, I can only remind you that, with this law in place, anyone (even its supporters) can be its victim. What will the next step be? Thought Police?