
5 Years After Major DNS Flaw Found, Few US Companies Have Deployed Long-term Fix

Soulskill posted about a year ago | from the rome-wasn't-built-in-5-years-either dept.

Security 313

alphadogg writes "Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC) to alleviate this threat. In 2008, security researcher Dan Kaminsky described a major DNS flaw that made it possible for hackers to launch cache poisoning attacks, where traffic is redirected from a legitimate website to a fake one without the website operator or end user knowing. While DNS software patches are available to help plug the Kaminsky hole, experts agree that the best long-term fix is DNSSEC, which uses digital signatures and public-key encryption to allow websites to verify their domain names and corresponding IP addresses and prevent man-in-the-middle attacks. Despite the promise of DNSSEC, the number of U.S. corporations that have deployed this added layer of security to their DNS server is minuscule."



How custom hosts files help vs. DNS flaws... apk (0, Troll)

Anonymous Coward | about a year ago | (#42729809)

As they help you avoid making DNS requests, if you use 'hardcoded' entries of your favorites, properly resolved against the in-arpa addr "TLD" that houses that information!

I do so, via this application I wrote up:


APK Hosts File Engine 5.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

Which, if you read the list of what it can do for you as an end user of the resulting output it produces listed in the link above, you'll understand how/why...

"It's as strong as steel, & a 3rd of the weight" - Howard Stark from the film "Captain America"


Especially vs. competing alternate 'solutions', noted below in AdBlock/Ghostery & yes even DNS servers, next, as 'examples thereof'...

(Solutions that used to be good & I even recommended them in security guides I wrote up over the decades now -> http://www.google.com/search?hl=en&tbo=d&output=search&sclient=psy-ab&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Submit&gbv=1&sei=ka3yUKzxB-6_0QHLroCQCA [google.com]

(Security guides of mine that did extremely well for myself and users of them) for Windows users, for "layered-security"/"defense-in-depth" purposes - the BEST THING WE HAVE GOING vs. threats of all kinds, currently!

(Not anymore though, & certainly NOT far as AdBlock's concerned especially, not after this):


Adblock Plus To Offer 'Acceptable Ads' Option:

http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option [slashdot.org]

(Meaning by default, which MOST USERS WON'T CHANGE, it doesn't block ALL ads - they "souled-out"... talk about "foxes guarding the henhouse")!


Plus, Adblock CAN'T DO AS MUCH & not from a single file solution that runs in Ring 0/RPL 0/kernelmode via tcpip.sys, a driver (since it's part of the IP stack & tightly integrated into it) which is far, Far, FAR FASTER than ring 3/rpl 3/usermode apps like browsers, & addons slow them down (known issue in FireFox).

To wit, 10++ things AdBlock can't do, hosts can:


1.) Blocking rogue DNS servers malware makers use

2.) Blocking known sites/servers that serve up malware... like known sites/servers/hosts-domains that serve up malicious scripts

3.) Speeding up your FAVORITE SITES that hosts can speed up via hardcoded line item entries properly resolved by a reverse DNS ping

4.) AdBlock works on Mozilla products (browser & email), hosts work on ANY webbound app AND are multiplatform.

5.) AdBlock can't protect external to FireFox email programs, hosts can (think OUTLOOK, Eudora, & others)

6.) AdBlock can't help you blow past DNSBL's (DNS block lists)

7.) AdBlock can't help you avoid DNS request logs (hosts can via hardcoded favorites)

8.) AdBlock can't protect you vs. TRACKERS (hosts can)

9.) AdBlock can't protect you vs. DOWNED or "DNS-poisoned" redirected DNS servers (hosts can by hardcodes)

10.) Hosts are EASIER to manage, they're just a text file (adblock means you had BEST know your javascript, perl, & python (iirc as to what languages are used to make it from source)).

& more... as a tiny 'sampling' & proofs thereof!


Same with Ghostery:


Evidon, which makes Ghostery, is an advertising company.

They were originally named Better Advertising, Inc., but changed their name for obvious PR reasons.

Despite the name change, let's be clear on one thing: their goal still is building better advertising, not protecting consumer privacy.

Evidon bought Ghostery, an independent privacy tool that had a good reputation.

They took a tool that was originally for watching the trackers online, something people saw as a legitimate privacy tool, and users were understandably concerned.

The company said they were just using Ghostery for research. Turns out they had relationships with a bunch of ad companies and were compiling data from which sites you visited when you were using Ghostery, what trackers were on those sites, what ads they were, etc., and building a database to monetize.

(AND, when confronted about it, they made their tracking opt-in and called it GhostRank, which is how it exists today.)

They took an open-source type tool, bought it, turned it from something that's actually protecting people from the ad industry, to something where the users are actually providing data to the advertisers to make it easier to track them. This is a fundamental conflict of interest.

To sum up:

Ghostery makes its money from selling supposedly de-identified user data about sites visited and ads encountered to marketers and advertisers. You get less privacy, they get more money.

That's an inverse relationship.

Better Advertising/Evidon continually plays up the story that people should just download Ghostery to help them hide from advertisers.

Their motivation to promote it, however, isn't for better privacy; it's because they hope that you'll opt in to GhostRank and send you a bunch of information.

They named their company Better Advertising for a reason: their incentive is better advertising, not better privacy.


Yes, so overall? Absolutely - hosts are superior!

Vs. even DNS servers too (which hosts files can supplement to overcome THEIR shortcomings, as follows):


A.) Running another program (sometimes in usermode no less, far, Far, FAR slower than kernelmode by many orders of magnitude & easily attacked) vs. the single hosts file (tightly integrated into the IP stack itself as part of it). ADDING COMPLEXITY & MORE "moving parts" room for error & breakdown!

B.) Wasting CPU cycles, RAM memory, & other forms of I/O to do what a single file can do

C.) Wasting ELECTRICITY (especially if the DNS server is setup as a separate machine), even if run as a service/daemon on the single system the user has

D.) DNS has NUMEROUS faults, & should anyone request a sampling of them? Ask & "ye shall receive" (see my 'p.s.' below...).



I don't "hate" DNS servers!

In fact - I use them myself (since I don't attempt to resolve 'every host-domain there is online' via hosts, only my favorites @ the top of the file, 20 of them, which beats hashtable indexing or b-tree binary seeks past 2++ million records no less).

I use specialized FILTERING DNS SERVERS that help block out malicious sites/servers/hosts-domains via DNSBLs:


Norton DNS:

http://setup.nortondns.com/ [nortondns.com]


http://www.opendns.com/home-solutions/ [opendns.com]

ScrubIT DNS:

http://scrubit.com/ [scrubit.com]

Comodo Secure DNS:

http://www.comodo.com/secure-dns/switch/windows_vista.html [comodo.com]


ALL in layered formation in both my network connection AND my Cisco/LinkSys stateful packet inspecting router.

(Again - for the concept of "layered-security"/"defense-in-depth": The best thing we have going currently vs. malicious threats online & otherwise...)

* :)

(Beat THAT with a stick... or better yet? With information that disproves my points (to any 'naysayers' or trolls, that is)).

Now - I truly KNOW this post will no doubt be downmodded, because Advertisers do NOT want this type of information getting out en-masse to enlighten users - they bought out Ghostery, crippled Adblock, but TRY THAT with a local hosts file (good luck!) especially one a user builds himself!




DNS flaw reanimates slain evil sites as ghost domains:

http://www.theregister.co.uk/2012/02/16/ghost_domains_dns_vuln/ [theregister.co.uk]


BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]



http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)


DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)


Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)


DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit:

https://threatpost.com/en_us/blogs/dns-hijacks-now-being-used-serve-black-hole-exploit-kit-121211 [threatpost.com]


DNS experts admit some of the underlying foundations of the DNS protocol are inherently weak:

http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool [slashdot.org]


Potential 0-Day Vulnerability For BIND 9:

http://it.slashdot.org/story/11/11/17/1429259/potential-0-day-vulnerability-for-bind-9 [slashdot.org]


Five DNS Threats You Should Protect Against:

http://www.securityweek.com/five-dns-threats-you-should-protect-against [securityweek.com]


DNS provider decked by DDoS dastards:

http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/ [theregister.co.uk]


Ten Percent of DNS Servers Still Vulnerable: (so much for "conscientious patching", eh? Many DNS providers weren't patching when they had to!)

http://it.slashdot.org/it/05/08/04/1525235.shtml?tid=172&tid=95&tid=218 [slashdot.org]



http://it.slashdot.org/it/07/02/06/2238225.shtml [slashdot.org]


TimeWarner DNS Hijacking:

http://tech.slashdot.org/article.pl?sid=07/07/23/2140208 [slashdot.org]


DNS Re-Binding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]


DNS Server Survey Reveals Mixed Security Picture:

http://it.slashdot.org/it/07/11/21/0315239.shtml [slashdot.org]


Halvar figured out super-secret DNS vulnerability:

http://www.zdnet.com/blog/security/has-halvar-figured-out-super-secret-dns-vulnerability/1520 [zdnet.com]


BIND Still Susceptible To DNS Cache Poisoning:

http://tech.slashdot.org/tech/08/08/09/123222.shtml [slashdot.org]


DNS Poisoning Hits One of China's Biggest ISPs:

http://it.slashdot.org/it/08/08/21/2343250.shtml [slashdot.org]


DDoS Attacks Via DNS Recursion:

http://it.slashdot.org/it/06/03/16/1658209.shtml [slashdot.org]


High Severity BIND DNS Vulnerability Advisory Issued:

http://tech.slashdot.org/story/11/02/23/156212/High-Severity-BIND-Vulnerability-Advisory-Issued [slashdot.org]


Photobucket's DNS Records Hijacked:

http://blogs.zdnet.com/security/?p=1285 [zdnet.com]


Protecting Browsers from DNS Rebinding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]


DNS Problem Linked To DDoS Attacks Gets Worse:

http://tech.slashdot.org/story/09/11/15/1238210/DNS-Problem-Linked-To-DDoS-Attacks-Gets-Worse [slashdot.org]


5 years after major DNS flaw is discovered, few US companies have deployed long-term fix (vs. Kaminsky Bug above...):

http://www.networkworld.com/news/2013/012913-dnssec-266197.html?page=3 [networkworld.com]


HOWEVER/AGAIN - there are DNS servers that help, vs. online threats, as listed above earlier...

... apk
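The post above describes a hand-maintained hosts file: entries imported from blocklists, deduplicated, favourites hard-coded at the top so they never hit DNS. The following Python is an added example (not APK's program and not from Slashdot) that does that bookkeeping and adds the check a defender wants: every name pinned to a real address is compared against an operator-kept list, because a hosts-file redirect to an address nobody expected looks exactly like a hijack. The sample hosts text, names and addresses are constructed (documentation ranges), as are the function names.

```python
import ipaddress
from collections import OrderedDict

# Addresses conventionally used to "blackhole" a name (no traffic goes anywhere).
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Parse hosts-file text into an ordered list of (ip, hostname) pairs.

    Handles '#' comments (full-line and trailing), blank lines, and lines
    that map several names to one address. Lines with an unparsable
    address are returned separately instead of being silently dropped.
    """
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises the address text
        except ValueError:
            bad.append((lineno, raw))
            continue
        if len(parts) < 2:
            bad.append((lineno, raw))
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries, bad


def deduplicate(entries):
    """Drop exact repeats (same ip, same name), keeping the first occurrence.

    Also returns conflicts: names given more than one address. That happens
    when two blocklists are merged, but it is also what tampering looks like.
    """
    seen, addrs = OrderedDict(), {}
    for ip, name in entries:
        seen.setdefault((ip, name), None)
        addrs.setdefault(name, set()).add(ip)
    conflicts = {n: ips for n, ips in addrs.items() if len(ips) > 1}
    return list(seen), conflicts


def favourites_first(entries, favourites):
    """Move the pinned favourite names to the top, keeping the rest in order."""
    fav = {f.lower() for f in favourites}
    top = [e for e in entries if e[1] in fav]
    rest = [e for e in entries if e[1] not in fav]
    return top + rest


def audit_pins(entries, expected):
    """Flag every non-sinkhole mapping that does not match `expected` (name -> ip).

    A sinkhole entry only blocks; a real address redirects, so each redirect
    must be one the operator deliberately recorded.
    """
    findings = []
    for ip, name in entries:
        if ip in SINKHOLE_IPS:
            continue  # blocking entry, not a redirect
        want = expected.get(name)
        if want is None:
            findings.append((name, ip, "pinned to a real address but not in the expected list"))
        elif str(ipaddress.ip_address(want)) != ip:
            findings.append((name, ip, f"pinned address differs from expected {want}"))
    return findings


def render(entries):
    """Write the cleaned entries back out in hosts-file syntax."""
    return "\n".join(f"{ip}\t{name}" for ip, name in entries) + "\n"


# Constructed sample: documentation-range addresses and .example names only.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1   localhost
0.0.0.0     ads.example   tracker.example   # blocklist lines
192.0.2.10  fav.example          # pinned favourite
0.0.0.0     ads.example          # duplicate from a second list
198.51.100.7 bank.example        # redirect nobody recorded
127.0.0.1   tracker.example      # same name, different sinkhole
not-an-ip   broken.example
"""
EXPECTED_PINS = {"fav.example": "192.0.2.10"}  # operator-kept list (constructed)


def run_sample():
    """Full pass over the sample: parse, dedupe, favourites first, audit."""
    entries, bad = parse_hosts(SAMPLE_HOSTS)
    unique, conflicts = deduplicate(entries)
    ordered = favourites_first(unique, ["fav.example"])
    findings = audit_pins(ordered, EXPECTED_PINS)
    return ordered, bad, conflicts, findings


if __name__ == "__main__":
    ordered, bad, conflicts, findings = run_sample()
    print(render(ordered))
    print("unparsable:", bad, "\nconflicts:", conflicts, "\nfindings:", findings)
```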

Re:How custom hosts files help vs. DNS flaws... ap (0)

Anonymous Coward | about a year ago | (#42729915)

great... now all the hosts file shills will come crawling out of the woodwork. Yes, fine for a few machines... but how about 5000? You really want to make 5000 hosts file entries every time you want to lock down a domain name? idk, running your own DNS server, and locking that down, sounds shittons easier.

Re:How custom hosts files help vs. DNS flaws... ap (2)

Sheetrock (152993) | about a year ago | (#42730005)

Nah, just edit once and have the other 4999 machines fetch through Gnutella with a batch file. It's not like this isn't a solved problem.

Logon scripts & my app I posted... apk (-1)

Anonymous Coward | about a year ago | (#42730123)

See subject-line above, & my program automates imports of threat based sites online - learn to read!

* Apparently, you also need to learn about networking a bit more too, troll... lol!

As to "shittons" easier?

DNS servers are more complexity to work with as well as more "moving parts" complexity vs. the hosts file working @ the ring 0/rpl 0/kernelmode level of the IP stack, & mere text file work (cached into RAM for speed too no less) AND they eat more ELECTRICITY, CPU cycles, RAM, & other forms of I/O too...

AND have a TON of faults per my last post -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42729809 [slashdot.org]


P.S.=> Ever heard of a logon script? Migrating custom hosts to 1000's of client rigs on a LAN/WAN is cake because of logon scripts...

... apk

Re:Logon scripts & my app I posted... apk (0)

Anonymous Coward | about a year ago | (#42730423)

Sure, update the hosts file and have everybody logout/login again. Nothing of value will be lost during working hours.

Smart companies have you logout @ day's end (0)

Anonymous Coward | about a year ago | (#42730535)

BOTH for security purposes (& to save power too), 1st of all.

Secondly, that's only 1 way - there are others (some of the other repliers note them to you in fact, not sure if they're valid or not, but - learn to read!)

* In any case, you fail (and posting as AC too, "gosh, I wonder WHO downmodded my post & now has to reply AC"... lol, NOT!) - especially on security & why logging out @ day's end, IS important!

Especially considering you missed this simple fix that easily overcomes your "objection", troll, & in your initial trolling ac post here -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42729915 [slashdot.org]


P.S.=> IF/when the "best you've got" is an unjustifiable downmod vs. my initial posts' points -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42729809 [slashdot.org] YOU FAIL!... apk

Re:Smart companies have you logout @ day's end (0)

Anonymous Coward | about a year ago | (#42730715)

You're the one obsessed with the hosts file. Freak. Windows doesn't even have a fucking /etc directory!

You're in error: %Windir%\system32\drivers\etc (0)

Anonymous Coward | about a year ago | (#42730963)

" Windows doesn't even have a fucking /etc directory!" - by Anonymous Coward on Tuesday January 29, @03:22PM (#42730715)

What? Your "FoaMiNg-@-teh-MouTh" profane failed illogical ad hominem attack shows you're in error as does my subject-line!

("Rinse, Lather, & Repeat", troll -> %Windir%\system32\drivers\etc).

CLUE/New NEWS/NewsFlash: Windows IP stack is BSD derived & yes, it has an etc folder (subfolder/subdirectory actually)...



"You're the one obsessed with the hosts file. Freak." - by Anonymous Coward on Tuesday January 29, @03:22PM (#42730715)

Not obsessed - I just know custom hosts are effective for added speed, security, reliability, & even anonymity to an extent is all... & yes, they work!

(Better than competing solutions like AdBlock, Ghostery, & even DNS - which custom hosts can overcome its shortcomings supplementing them, even the secured-filtered ones I used listed in my 1st post)...

Nice part is, because of hardcoded fav. sites of yours you can put into it for the above benefits? It "lightens the load" of DNS server requests for those that admin them too - BONUS!

... apk

Re:Smart companies have you logout @ day's end (0)

Anonymous Coward | about a year ago | (#42731531)

A login script is the solution you suggested, that clearly has huge drawbacks during working hours. You created this problem, you solve this. So far I still favour a DNS server with a database backend if there was actually some problem solved by handcrafted "dns" responses.

Algemene Periodieke Keuring.

Admins on AD can do it ANY time... apk (0)

Anonymous Coward | about a year ago | (#42731671)

"A login script is the solution you suggested, that clearly has huge drawbacks during working hours. You created this problem, you solve this." - by Anonymous Coward on Tuesday January 29, @04:30PM (#42731531)

Any admin with AD rights globally on a LAN/WAN can en masse copy them over with batches, powershell etc. type work (takes seconds) since they have access to all nodes/disks/shares (or should).

* And, there you go... another solution that works, easily!

Especially since a smart AND SKILLED admin HAS access to any & all lan/wan nodes, pc workstation OR server-wise, to do so, easily, per the methods noted above, and, can script too!


"So far I still favour a DNS server with a database backend if there was actually some problem solved by handcrafted "dns" responses." -

Which DNS servers have, and have had, PROBLEMS!

( Such as per this article & my list of faults noted in my initial post point out -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42729809 [slashdot.org] @ its termination... see my 'p.s.' section there for that list!)

Feel free to refer to it, AND also it's list of filtered secured DNS servers I listed that I use!

(Yes, I use DNS too, just not locally here with a single machine @ home is all, I use external online ones... GOOD ones!)

I *think* you don't understand - I don't "hate" DNS, I need it too, but it has shortcomings that for instance, per this article? Custom hosts files CAN OVERCOME (via hardcoding your favorites into them).


P.S.=> And, there you go! Still - a SMART COMPANY has you logoff after you're done working, to save power but MORE FOR SECURITY PURPOSES, if they're smart - then, your logon script copies in an updated hosts then (takes seconds)...

... apk

Re:Logon scripts & my app I posted... apk (0)

Anonymous Coward | about a year ago | (#42730903)

Just a shame your program is so slow. Isn't it, APK?

You call 2-3 minutes full runtime slow?... apk (0)

Anonymous Coward | about a year ago | (#42731385)

To wit, after doing a FULL import run (1 min. on a SLOW DSL connection, it's MUCH faster on FIOS), deduplicate (10 seconds), do favorites for more speed (7 seconds), & save (JUST sub 1minute)?

* I guess it depends on what you call "slow"...

(IF you run the "optional" but recommended 'convert & filter', it adds another 3-5 minutes or so, tops - again, depending on the CPU & internet connection speeds you have).

Try it yourself, you'll see - nicest part is, I have a personal version (6.0++) I am testing that cuts that by another 20% easily... can't wait to release it in fact!


P.S.=> Mind you, that's ONLY on an Intel Core I7 920 cpu @ stock 2.67 ghz here, & a SLOW FIOS connection... put it on a faster CPU, & faster internet connection for import? Cut that time down by a HELL of a lot!

... apk

Re:How custom hosts files help vs. DNS flaws... ap (1)

aztracker1 (702135) | about a year ago | (#42731913)

If you have that many machines to manage, then running your own DNS server with those zones setup as you would a hosts file shouldn't be an issue.

I'd recommend BOTH (I use both)... apk (0)

Anonymous Coward | about a year ago | (#42732167)

As "layered-security"/"defense-in-depth" is the BEST thing we have going vs. online threats... get a GOOD filtering vs. online threats DNS server, & a good hosts file (as well as the usual 'security hardening' for various OS, such as this guide of mine outlines for years now -> http://www.google.com/search?hl=en&tbo=d&output=search&sclient=psy-ab&q=HOW+TO+SECURE+Windows+2000/XP&btnG=Submit&gbv=1&sei=I08IUdP6A-f90gHZpYC4Bg [google.com] )

In fact, I outlined some good filtering vs. online threats type DNS servers for that here in my initial posts on hosts -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42729809 [slashdot.org]

Which, yes, hosts files can & do overcome this DNS issue, via hardcoded favorite sites in them!

Thus, relieving webbound clients of having to even query DNS at all, bonus since it's generally FASTER than remote queries, especially how I do it off a TRUE SSD (based on DDR-2 RAM, the Gigabyte IRAM & with my favs @ the top of the hosts file, cached into the local kernelmode diskcaching subsystem, rather than the faulty Windows DNS clientside cache).

Nice part is, IF you run a DNS server? Hosts can "lighten your load" by lessening queries routed to them - BONUS!


P.S.=> I also listed some GOOD filtering vs. online threats DNS servers there too, but again - DNS has problems (see the termination of my initial post on just a partial list of them over time)...

However - those I listed? For home machines, or stand-alone single machine users only...

E.G.-> I wouldn't use them on an AD network (won't work, I've tried it - it messes up mailserver MX records stuff & clients like outlook etc.)

... apk

Re:How custom hosts files help vs. DNS flaws... ap (2)

dickplaus (2461402) | about a year ago | (#42729937)

I only scanned this, but I'm supposed to turn off my computer and no longer use the interwebs is what I gathered?

Re:How custom hosts files help vs. DNS flaws... ap (-1)

Anonymous Coward | about a year ago | (#42730211)

You need to learn to read or to learn more about computers.

As usual, I am correct in my predictions... apk (0)

Anonymous Coward | about a year ago | (#42730353)

"Now - I truly KNOW this post will no doubt be downmodded, because Advertisers do NOT want this type of information getting out en-masse to enlighten users - they bought out Ghostery, crippled Adblock, but TRY THAT with a local hosts file (good luck!) especially one a user builds himself!" - by Anonymous Coward on Tuesday January 29, @02:12PM (#42729809)

See subject-line & that quote of mine from my posting: Technically unjustifiable downmods = "the best you've got", troll naysayers?

* Apparently so, since I don't see ANYONE able to validly disprove my computing technical points in my initial post on custom hosts files value on MANY levels (added speed, security, reliability, & even anonymity to an extent) -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42729809 [slashdot.org] :)


P.S.=> So much for the 'brainpower' of /. forums trolls, eh? I even challenged them to disprove my points in that same post:

"(Beat THAT with a stick... or better yet? With information that disproves my points (to any 'naysayers' or trolls, that is))." - by Anonymous Coward on Tuesday January 29, @02:12PM (#42729809)

Any takers? Apparently not - nope, all my 'detractors' have is BOGUS unjustifiable downmods of my post, nothing more... lol, as usual!

... apk

Re:As usual, I am correct in my predictions... apk (0)

Anonymous Coward | about a year ago | (#42730805)

Good God APK - try to organize your thoughts and keep it concise (but I know you can't). You'll probably still be considered a troll but I won't have to scroll so far.

APK - Always Pointless Kerfuffle

Ok, a challenge to you (OR anyone)... apk (0)

Anonymous Coward | about a year ago | (#42731025)

Disprove my points on a valid technical computing basis here http://it.slashdot.org/comments.pl?sid=3417867&cid=42729809 [slashdot.org]

* Let's see how "organized & concise" YOU are... especially since you're reduced to illogical off topic b.s. rather than sticking to the subject @ hand here!

(Good luck - you'll NEED it, as I've made that challenge here 100's of times, & not a SINGLE 'naysayer troll' has been able to disprove my points, not a one, ever!)


P.S.=> Call me all the names you want to, you're only projecting your own faults onto me... but, again, meet my challenge!

(Face facts: You can't - you know it, I know it & anyone with 1/2 a brain knows it, lol...)

... apk

Seek assistance for your mental health (0)

Anonymous Coward | about a year ago | (#42731251)

You do realise the reason that no-one ever actually reads what you write is because of all the tiresome eMPaSiS you insist on using? People just can't be bothered picking their way through that mess, especially when they know in advance that it will be the usual incoherent screed. More than that, your style of posting suggests a problem with your mental health. If you're not already under the care of an appropriately qualified health professional, I would suggest seeking help asap.

Opinions vary (by a 242++:1 ratio)... apk (0)

Anonymous Coward | about a year ago | (#42731467)

"You do realise the reason that no-one ever actually reads what you write is because of all the tiresome eMPaSiS you insist on using? People just can't be bothered picking their way through that mess, especially when they know in advance that it will be the usual incoherent screed." - by Anonymous Coward on Tuesday January 29, @04:04PM (#42731251)

Regarding your failed illogical off-topic ad hominem attack, & to the ratio of 242++:1 per your /. peers (regarding upward moderations of my posts listed next):


Roughly 242++ of them & I post as AC (hard to get even +1, as /. hides our posts & we "AC"'s start @ ZERO/0 points, unlike registered "lusers", lol!):

+5 'modded up' posts by "yours truly" (8):

HOSTS & BGP:2010 -> http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]
FIREFOX IN DANGER: 2011 -> http://news.slashdot.org/comments.pl?sid=2559120&cid=38268580 [slashdot.org]
TESLA:2010 -> http://science.slashdot.org/comments.pl?sid=1872982&cid=34264190 [slashdot.org]
TESLA:2010 -> http://tech.slashdot.org/comments.pl?sid=1806946&cid=33777976 [slashdot.org]
NVIDIA 2d:2006 -> http://hardware.slashdot.org/comments.pl?sid=175774&cid=14610147 [slashdot.org]
Ubuntu Linux sends back local disk query strings to CANONICAL: 2012 -> http://news.slashdot.org/comments.pl?sid=3304601&cid=42234351 [slashdot.org]
Question to Mr. Mark Shuttleworth @ UBUNTU/CANONICAL: 2012 -> http://news.slashdot.org/comments.pl?sid=3304725&cid=42243467 [slashdot.org]
COMPUTER ASSOCIATES BUSTED FOR ACCOUNTING FRAUD:2010 -> http://news.slashdot.org/comments.pl?sid=1884922&cid=34350102 [slashdot.org]


+4 'modded up' posts by "yours truly" (5):

APK SECURITY GUIDE:2005 -> http://developers.slashdot.org/comments.pl?sid=167071&cid=13931198 [slashdot.org]
INFO. SYSTEMS WORK:2005 -> http://slashdot.org/comments.pl?sid=161862&cid=13531817 [slashdot.org]
WINDOWS @ NASDAQ 7++ YRS. NOW:2009 -> http://tech.slashdot.org/comments.pl?sid=1290967&cid=28571315 [slashdot.org]
CARMACK'S ARMADILLO AEROSPACE:2005 -> http://science.slashdot.org/comments.pl?sid=158310&cid=13263898 [slashdot.org]
What I admire about Theo DeRaadt of BSD fame: 2012 -> http://linux.slashdot.org/comments.pl?sid=3007641&cid=40785151 [slashdot.org]


+3 'modded up' posts by "yours truly" (8):

APK MICROSOFT INTERVIEW:2005 -> http://developers.slashdot.org/comments.pl?sid=155172&cid=13007974 [slashdot.org]
Linux security failures 2011-2012: 2012 -> http://it.slashdot.org/comments.pl?sid=3319303&cid=42306663 [slashdot.org]
APK MS SYMBOLIC DIRECTORY LINKS:2005 -> http://it.slashdot.org/comments.pl?sid=166850&cid=13914137 [slashdot.org]
APK FOOLS IE7 INSTALL IN BETA HOW TO:2006 -> http://slashdot.org/comments.pl?sid=175857&cid=14615222 [slashdot.org]
PROOFS ON OPERA SPEED & SECURITY:2007 -> http://slashdot.org/comments.pl?sid=273931&cid=20291847 [slashdot.org]
HBGary POST in Fake Names On Social Networks, a Fake Problem:2011 -> http://tech.slashdot.org/comments.pl?sid=2375110&cid=37056304 [slashdot.org]
APK RC STOP ROOKIT TECHNIQUES:2008 -> http://it.slashdot.org/comments.pl?sid=1021873&cid=25681261 [slashdot.org]
Elevator Algorithm for harddisk drives #2 of 2 (1st's in +1): 2012 -> http://hardware.slashdot.org/comments.pl?sid=3287917&cid=42158041 [slashdot.org]


+2 'modded up' posts by "yours truly" (23):

CODING FOR DEFCON (my compressed/packed exe + sizecheck @ startup technique): 2005 -> http://it.slashdot.org/comments.pl?sid=158231&cid=13257227 [slashdot.org]
HOW DLL API CALL LOADS WORK:2008 -> http://tech.slashdot.org/comments.pl?sid=1001489&cid=25441395 [slashdot.org]
WERNER VON BRAUN - A Nazi Scientist used by U.S.A. for rocketry: 2011 -> http://science.slashdot.org/comments.pl?sid=1957608&cid=34933062 [slashdot.org]
APK TRICK TO STOP A MALWARE:2008 -> http://tech.slashdot.org/comments.pl?sid=1010923&cid=25549351 [slashdot.org]
DOING SHAREWARE 1995-2004:2007 -> http://it.slashdot.org/comments.pl?sid=233779&cid=19020329 [slashdot.org]
MHTML SECURITY BUG FIX IE:2011 -> http://tech.slashdot.org/comments.pl?sid=1973914&cid=35056454 [slashdot.org]
EXCEL SECURITY FIX:2009 -> http://it.slashdot.org/comments.pl?sid=1139485&cid=26974507 [slashdot.org]
CODING JOBS OFFSHORING:2007 -> http://slashdot.org/comments.pl?sid=245971&cid=19760473 [slashdot.org]
WE SHOULD PENALIZE & TAX JOB OUTSOURCERS/OFFSHORERS: 2008 -> http://yro.slashdot.org/comments.pl?sid=978035&cid=25176841 [slashdot.org]
BOGUS POLITICIAN PERFORMANCE: 2008 -> http://yro.slashdot.org/comments.pl?sid=978035&cid=25176955 [slashdot.org]
MS PUTS YOU TO WORK:2006 -> http://it.slashdot.org/comments.pl?sid=174759&cid=14538593 [slashdot.org]
ARSTECHNICA & JEREMY REIMER LOL:2008 -> http://it.slashdot.org/comments.pl?sid=1021733&cid=25675515 [slashdot.org]
CYBERSECURITY LEGISLATIONS:2011 -> http://yro.slashdot.org/comments.pl?sid=2222868&cid=36379698 [slashdot.org]
FILTERING ONLINE:2010 -> http://politics.slashdot.org/comments.pl?sid=1790178&cid=33610372 [slashdot.org]
APK ON PLANTED SHILLS BY TELECOM/ISP/BSP:2010 -> http://tech.slashdot.org/comments.pl?sid=1827308&cid=33940988 [slashdot.org]
TAX THE TAR OUT OF OUTSOURCERS/OFFSHORERS & PENALIZE THEM ALSO #1 of 2: 2012 -> http://yro.slashdot.org/comments.pl?sid=2795637&cid=39728333 [slashdot.org]
HBGary & Chinese Water Army b.s. posted: 2012 -> http://developers.slashdot.org/comments.pl?sid=2615084&cid=38662598 [slashdot.org]
OPERA & MULTITHREADED DESIGN: 2007 -> http://slashdot.org/comments.pl?sid=290711&cid=20506147 [slashdot.org]
MICROSOFT "FLIPS THE SCRIPT" ON CISPA: 2012 -> http://yro.slashdot.org/comments.pl?sid=2817555&cid=39833573 [slashdot.org]
Microsoft's MISTAKE in Windows 8 "metro-ized" ready for 3-5 yr. old interface on PC desktops (1 of 2, other is +1): 2012 -> http://tech.slashdot.org/comments.pl?sid=3330901&cid=42354181 [slashdot.org]
VLC 64-bit being better than MediaPlayerClassic on Win7 64-bit: 2012 -> http://news.slashdot.org/comments.pl?sid=3336253&cid=42378657 [slashdot.org]
Windows 8 failed for 3 simple reasons: 2012 -> http://tech.slashdot.org/comments.pl?sid=3411357&cid=42706875 [slashdot.org]
Delphi/Object Pascal & C++ vs. NIKLAUS WIRTH PASCAL/KERNIGHAN & RITCHIE C on EfNet IRC failure & possible fix: 2012 -> http://tech.slashdot.org/comments.pl?sid=3350243&cid=42437411 [slashdot.org]


+1 'modded up' posts by "yours truly" (139) & we AC's start at ZERO, not 1 or 2 like registered users on /. do:

APK SSD/RamDrive/RamDisk usage since 1996:2008 -> http://tech.slashdot.org/comments.pl?sid=1014349&cid=25591403 [slashdot.org]
DISASSEMBLY & PROTECTING CODE:2010 -> http://news.slashdot.org/comments.pl?sid=1719570&cid=32907418 [slashdot.org]
APK ON RESERVED PORTS IN WINDOWS:2007 -> http://it.slashdot.org/comments.pl?sid=235621&cid=19229493 [slashdot.org]
MEMORY FRAGMENTATION: 2007 -> http://slashdot.org/comments.pl?sid=367219&cid=21434061 [slashdot.org]
NORTON DNS & DNSBL:2011 -> http://yro.slashdot.org/comments.pl?sid=2311948&cid=36708742 [slashdot.org]
IRON FILESYSTEMS:2007 -> http://it.slashdot.org/comments.pl?sid=359507&cid=21347933 [slashdot.org]
APK ROOTKIT KILLING TECHNIQUE USING RC:2011 -> http://tech.slashdot.org/comments.pl?sid=2428486&cid=37405530 [slashdot.org]
APK STOPPED CONFICKER BEFORE ANYONE DID:2009 -> http://it.slashdot.org/comments.pl?sid=1159209&cid=27178753 [slashdot.org]
APK ON WINDOWS DFS vs. LINUX COPYING FEATURES LIKE IT:2008 -> http://ask.slashdot.org/comments.pl?sid=447752&cid=22361236 [slashdot.org]
WINDOWS #CPU's SUPPORTED (much higher now in Win7/Srv2k8 now, 256):2009 -> http://hardware.slashdot.org/comments.pl?sid=1160287&cid=27191729 [slashdot.org]
DISK DEFRAG STRATEGY OPTIONS:2011 -> http://it.slashdot.org/comments.pl?sid=2435272&cid=37443738 [slashdot.org]
APK PART OF ULTRADEFRAG64 PROOF:2011 -> http://it.slashdot.org/comments.pl?sid=2435272&cid=37443252 [slashdot.org]
DATASTRUCTURES & SQL:2011 -> http://news.slashdot.org/comments.pl?sid=2080454&cid=35794668 [slashdot.org]
BINARY HEAPS:2010 -> http://developers.slashdot.org/comments.pl?sid=1686094&cid=32581292 [slashdot.org]
CACHE COHERENCY:2005 -> http://hardware.slashdot.org/comments.pl?sid=168793&cid=14070783 [slashdot.org]
DELPHI ROCKS VB/VC++:2007 -> http://it.slashdot.org/comments.pl?sid=236049&cid=19261269 [slashdot.org]
MEMORY FRAGMENTATION IN FF:2007 -> http://slashdot.org/comments.pl?sid=367219&threshold=-1&commentsort=0&mode=thread&cid=21434061 [slashdot.org]
CODING PROFESSIONALLY:2005 -> http://developers.slashdot.org/comments.pl?sid=170925&cid=14238424 [slashdot.org]
MULTIPLE MESSAGE QUEUES:2010 -> http://linux.slashdot.org/comments.pl?sid=1618508&cid=31847246 [slashdot.org]
APK ROOTKIT.COM ON WINDOWS VISTA IPSTACK SECURITY:2009 -> http://tech.slashdot.org/comments.pl?sid=1339085&cid=29106629 [slashdot.org]
USING CSC & SCIENCE TOGETHER IN ACADEMIA:2010 -> http://ask.slashdot.org/comments.pl?sid=1531366&cid=30971224 [slashdot.org]
PROGRAMMING CONCEPTS MORE IMPORTANT THAN SYNTAX:2009 -> http://tech.slashdot.org/comments.pl?sid=1314993&cid=28827429 [slashdot.org]
SSD DECADES OF USAGE:2009 -> http://hardware.slashdot.org/comments.pl?sid=1273501&cid=28375697 [slashdot.org]
CODING .NET FROM VB:2006 -> http://developers.slashdot.org/comments.pl?sid=176229&cid=14641701 [slashdot.org]
LAMP SECURITY:2011 -> http://it.slashdot.org/comments.pl?sid=2243006&cid=36462748 [slashdot.org]
SLASHDOT "Pro-*NIX" SLANT CONTROVERSY = GOOD:2005 -> http://slashdot.org/comments.pl?sid=154725&cid=12974078 [slashdot.org]
WINDOWS vs. IBM vs. LINUX ARCHITECTURE STEALING:2005 -> http://linux.slashdot.org/comments.pl?sid=160244&cid=13414756 [slashdot.org]
ADBANNERS & VIRUSES:2005 -> http://slashdot.org/comments.pl?sid=169309&cid=14112880 [slashdot.org]
SECURITY BUGS LINUX vs. WINDOWS:2011 -> http://news.slashdot.org/comments.pl?sid=2247480&cid=36485068 [slashdot.org]
NYSE+LINUX STOCK EXCHANGE LIE BY PENGUINS:2010 -> http://linux.slashdot.org/comments.pl?sid=1842764&cid=34046376 [slashdot.org]
APK ON PROCESSEXPLORER & NETSTAT:2009 -> http://ask.slashdot.org/comments.pl?sid=1328371&cid=28981169 [slashdot.org]
COMPLETION PORTS + SCHEDULING LINUX vs. WINDOWS:2005 -> http://linux.slashdot.org/comments.pl?sid=160290&cid=13419053 [slashdot.org]
WINDOWS vs. LINUX SECURITY ISSUES:2009 -> http://news.slashdot.org/comments.pl?sid=1135717&cid=26948399 [slashdot.org]
LINUX IMITATING WINDOWS:2005 -> http://linux.slashdot.org/comments.pl?sid=170126&cid=14177851 [slashdot.org]
LINUX SERVING DUQU ROOTKIT: 2011 -> http://it.slashdot.org/comments.pl?sid=2551740&cid=38215752 [slashdot.org]
WINDOWS vs. Linux SECURITY VULNS UNPATCHED:2011 -> http://it.slashdot.org/comments.pl?sid=2077414&cid=35776848 [slashdot.org]
WINDOWS vs. Linux vs. Mac SECURITY VULNS UNPATCHED:2010 -> http://it.slashdot.org/comments.pl?sid=1681772&cid=32524188 [slashdot.org]
APK Windows vs. Linux on UNPATCHED SEC. VULNS:2011 -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35656126 [slashdot.org]
PROOF MS HAD LESS BUGS THAN LINUX/MACOS X:2005 -> http://it.slashdot.org/comments.pl?sid=173564&cid=14442403 [slashdot.org]
PROOF MS HAD LESS BUGS THAN LINUX/MACOS X:2006 -> http://it.slashdot.org/comments.pl?sid=173016&cid=14398069 [slashdot.org]
APK USING KDE & LINUX:2010 -> http://linux.slashdot.org/comments.pl?sid=1750240&cid=33214838 [slashdot.org]
APK CONGRATS TO LINUX:2005 -> http://linux.slashdot.org/comments.pl?sid=170296&cid=14192885 [slashdot.org]
APK KUDOS TO LINUX:2005 -> http://slashdot.org/comments.pl?sid=162921&cid=13614370 [slashdot.org]
LINUX WENT DOWN 2x in LESS THAN 1 YEAR @ London Stock Exchange:2011 -> http://linux.slashdot.org/comments.pl?sid=1999478&cid=35231358 [slashdot.org]
LINUX SECURITY vs. JAVASCRIPT:2010 -> http://yro.slashdot.org/comments.pl?sid=1820234&cid=33892258 [slashdot.org]
CONGRATS TO LINUS TORVALDS ON MILLENIUM PRIZE: 2012 -> http://linux.slashdot.org/comments.pl?sid=2913441&cid=40308721 [slashdot.org]
KUDOS TO LINUX KERNEL 3.3 - 3.5 & NO BUGS PRESENT: 2012 -> http://linux.slashdot.org/comments.pl?sid=2995701&cid=40727067 [slashdot.org]
GENETICS PLAYING WITH GOD'S ENGINEERING on mice: 2011 -> http://science.slashdot.org/comments.pl?sid=2581286&cid=38423712 [slashdot.org]
1 GOOD THING ABOUT HACKER/CRACKERS:2011 -> http://yro.slashdot.org/comments.pl?sid=1982796&cid=35119212 [slashdot.org]
MINIMUM WINDOWS SERVICES:2005 -> http://slashdot.org/comments.pl?sid=157321&cid=13190570 [slashdot.org]
HIDDEN SECURITY BUGS:2005 -> http://linux.slashdot.org/comments.pl?sid=164039&cid=13698742 [slashdot.org]
APK & FIREFOX BUGFIX TEAM:2005 -> http://it.slashdot.org/comments.pl?sid=161697&cid=13526010 [slashdot.org]
WHY OPERA ROCKS:2005 -> http://slashdot.org/comments.pl?sid=170983&cid=14242283 [slashdot.org]
OPERA BEST SPEED & SECURITY: 2010 -> http://tech.slashdot.org/comments.pl?sid=1881444&cid=34333966 [slashdot.org]
OPERA "SUPERIOR WARRIOR":2009 -> http://developers.slashdot.org/comments.pl?sid=1309763&threshold=-1&commentsort=0&mode=thread&pid=28768721 [slashdot.org]
OPERA=FASTER & MORE SECURE:2005 -> http://it.slashdot.org/comments.pl?sid=157615&cid=13208800 [slashdot.org]
OPERA "The Superior Warrior" vs. FIREFOX:2007 -> http://slashdot.org/comments.pl?sid=286721&cid=20452183 [slashdot.org]
OPERA:2007 -> http://it.slashdot.org/comments.pl?sid=233227&threshold=1&commentsort=0&mode=thread&cid=18969947 [slashdot.org]
OPERA BY SITE PREFS:2010 -> http://tech.slashdot.org/comments.pl?sid=1881444&cid=34333758 [slashdot.org]
OPERA 64-BIT "FOR INDEPENDENT SMART PEOPLE" ROUND 1 FOR WINDOWS & MAC RELEASED:2011 -> http://tech.slashdot.org/comments.pl?sid=2576256&cid=38388178 [slashdot.org]
OPERA HAS AN ADBLOCK ADDON: 2012 -> http://news.slashdot.org/comments.pl?sid=2579684&cid=38412366 [slashdot.org]
APK SANDBOXING IE:2007 -> http://it.slashdot.org/comments.pl?sid=236547&cid=19310513 [slashdot.org]
APK ON SANDBOXIE:2010 -> http://it.slashdot.org/comments.pl?sid=1875754&cid=34281930 [slashdot.org]
CHROME NEEDS BY SITE PREFS TO SANITYINANARCHY:2011 -> http://slashdot.org/comments.pl?sid=2358734&cid=36946676 [slashdot.org]
DO YOUR BEST WORK OUR YOUNG MENS LIVES RIDE ON IT:2010 -> http://developers.slashdot.org/comments.pl?sid=1898806&cid=34472826 [slashdot.org]
STAT I/II SKEWING:2010 -> http://slashdot.org/comments.pl?sid=1504756&cid=30711074 [slashdot.org]
SEARCH ENGINES:2005 -> http://science.slashdot.org/comments.pl?sid=162717&cid=13598832 [slashdot.org]
PORTING CODE:2007 -> http://linux.slashdot.org/comments.pl?sid=236367&cid=19291677 [slashdot.org]
DARTH CHENEY POLITICALS:2007 -> http://yro.slashdot.org/comments.pl?sid=237091&cid=19362755 [slashdot.org]
WINDOWS EMPLOYS YOU BETTER:2006 -> http://linux.slashdot.org/comments.pl?sid=174277&cid=14498965 [slashdot.org]
MS PUTS YOU TO WORK:2005 -> http://books.slashdot.org/comments.pl?sid=169549&threshold=-1&commentsort=0&tid=109&mode=thread&cid=14132540 [slashdot.org]
"666":2008 -> http://news.slashdot.org/comments.pl?sid=548476&cid=23353722 [slashdot.org]
APK ON HARDCODES & SHELLOPEN ASSOCIATION:2010 -> http://tech.slashdot.org/comments.pl?sid=1519842&cid=30854906 [slashdot.org]
DR. DEMENTO SHOW:2010 -> http://news.slashdot.org/comments.pl?sid=1678308&cid=32494990 [slashdot.org]
CA DISREPUTABLE #2 of 2:2010 -> http://news.slashdot.org/comments.pl?sid=1884922&cid=34351020 [slashdot.org]
NO PROOF USED BY LOB:2010 -> http://tech.slashdot.org/comments.pl?sid=1907190&cid=34529734 [slashdot.org]
ON KIDS CODING & ARMCHAIR QB's:2011 -> http://science.slashdot.org/comments.pl?sid=2040490&cid=35508400 [slashdot.org]
FPGA & TERMINATORS:2011 -> http://it.slashdot.org/comments.pl?sid=2341586&cid=36842168 [slashdot.org]
APK ON CHESS:2010 -> http://ask.slashdot.org/comments.pl?sid=1877160&cid=34293988 [slashdot.org]
RON PAUL & WIKILEAKS:2010 -> http://yro.slashdot.org/comments.pl?sid=1907000&cid=34528958 [slashdot.org]
/. "CATERING TO CRONIES":2010 -> http://it.slashdot.org/comments.pl?sid=1664046&cid=32336794 [slashdot.org]
BEING MORE "ALL AROUND" THAN 1 DIMENSIONAL IN IT/IS/MIS:2005 -> http://it.slashdot.org/comments.pl?sid=166174&cid=13863159 [slashdot.org]
GET RID OF S. BALLMER @ MS:2008 -> http://slashdot.org/comments.pl?sid=543962&cid=23310698 [slashdot.org]
COMBO OF CODER/NETWORKER = MOST DANGEROUS HACKER/CRACKER: 2011 -> http://yro.slashdot.org/comments.pl?sid=2590324&cid=38490476 [slashdot.org]
FACEBOOK ENHANCES mySQL: 2012 -> http://news.slashdot.org/comments.pl?sid=2643681&cid=38857629 [slashdot.org]
APPSTORE/WALLED-GARDEN DL OF APPS WON'T HELP vs. TODAY'S INFECTION VECTORS: 2012 -> http://it.slashdot.org/comments.pl?sid=2655681&cid=38943319 [slashdot.org]
REGISTRY ACCESS WINDOWS 32-BIT vs. 64-BIT in code: 2012 -> http://news.slashdot.org/comments.pl?sid=2680271&cid=39093835 [slashdot.org]
2nd REGISTRY ACCESS WINDOWS 32-BIT vs. 64-BIT in code: 2012 -> http://news.slashdot.org/comments.pl?sid=2680271&cid=39093873 [slashdot.org]
CHINESE "CYBER-WAR" THREAT: 2012 -> http://politics.slashdot.org/comments.pl?sid=2718289&cid=39312311 [slashdot.org]
ON DR. MARK RUSSINOVICH MS DESKTOPS APP & MORE: 2012 -> http://tech.slashdot.org/comments.pl?sid=2741569&cid=39445275 [slashdot.org]
DEFENDING STEVE GIBSON OF SPINRITE + "SHIELDS UP" vs. DEFAMATION: 2012 -> http://yro.slashdot.org/comments.pl?sid=2747957&cid=39479257 [slashdot.org]
OS/2 & What I thought was cool about it & when I used it: 2012 -> http://tech.slashdot.org/comments.pl?sid=2761033&cid=39550525 [slashdot.org]
ActiveX Usage in Korea still "huge": 2012 -> http://tech.slashdot.org/comments.pl?sid=2767885&cid=39584683 [slashdot.org]
On "insta-downmods" & /. "fine moderation" (b.s.!): 2012 -> http://news.slashdot.org/comments.pl?sid=2772023&cid=39606941 [slashdot.org]
TAX THE TAR OUT OF OUTSOURCERS/OFFSHORERS & PENALIZE THEM ALSO #2 of 2 + ECONOMIC CLASS 1984-1985: 2012 -> http://yro.slashdot.org/comments.pl?sid=2795637&cid=39729177 [slashdot.org]
GATTACA #1 of 2: 2012 -> http://science.slashdot.org/comments.pl?sid=2792033&cid=39722291 [slashdot.org]
GATTACA #2 of 2: 2012 -> http://science.slashdot.org/comments.pl?sid=2792033&cid=39711991 [slashdot.org]
ROMAN MARONI (lol) = arth1 "murder of the English Language": 2012 -> http://slashdot.org/comments.pl?sid=2773803&cid=39617941 [slashdot.org]
FLASHY FLASH DRIVES: 2005 -> http://slashdot.org/comments.pl?sid=154997&cid=12998477 [slashdot.org]
ROOTKIT CREATORS "GO PRO": 2005 -> http://it.slashdot.org/comments.pl?sid=165958&cid=13843462 [slashdot.org]
MS LESS SECURITY ISSUES THAN *NIX in 2005: 2006 -> http://it.slashdot.org/comments.pl?sid=173564&cid=14441639 [slashdot.org]
OPERA ROCKS & WHY: 2007 -> http://it.slashdot.org/comments.pl?sid=233227&cid=18969947 [slashdot.org]
McAfee, Symantec, ClamAV, COMODO, ArcaBit/ArcaVir, & Dr. Web "False Positive" of my "APK Hosts File Engine 5.0++": 2012 -> http://it.slashdot.org/comments.pl?sid=2872677&cid=40107921 [slashdot.org]
Linux "Fine Security" (lol, NOT!) 2011-2012: 2012 -> http://linux.slashdot.org/comments.pl?sid=2875333&cid=40119001 [slashdot.org]
SAY NO TO MS & SAY NO TO A JOB: 2005 -> http://books.slashdot.org/comments.pl?sid=169549&cid=14132540 [slashdot.org]
"START ME UP" REGARDING WINDOWS 8, METRO, & RIBBONS: 2012 -> http://tech.slashdot.org/comments.pl?sid=2955431&cid=40538813 [slashdot.org]
GHOSTERY TRUTHS #1: 2012 -> http://yro.slashdot.org/comments.pl?sid=2931443&cid=40413453 [slashdot.org]
GHOSTERY TRUTHS #2: 2012 -> http://yro.slashdot.org/comments.pl?sid=2931443&cid=40413493 [slashdot.org]
"DEAR MR. GATES": 2012 -> http://tech.slashdot.org/comments.pl?sid=2955431&cid=40536263 [slashdot.org]
Bill & Melinda Gates Foundation tax shield: 2012 -> http://news.slashdot.org/comments.pl?sid=2957987&cid=40549931 [slashdot.org]
Colorblindness and camouflage: 2012 -> http://games.slashdot.org/comments.pl?sid=3010409&cid=40798555 [slashdot.org]
HBGary and "Freedom of Speech" plus REAL NAMES on forums: 2012 -> http://yro.slashdot.org/comments.pl?sid=3012595&cid=40811497 [slashdot.org]
Large Projects (millions of lines) vs. TINY ones (200k lines) & rewrite: 2012 -> http://developers.slashdot.org/comments.pl?sid=3026933&cid=40885035 [slashdot.org]
Native Code/"single stand-alone" non-interpreted code executables are "where it's at": 2012 -> http://developers.slashdot.org/comments.pl?sid=3041081&cid=40956381 [slashdot.org]
Windows in the "Fortune 100/500" high TPM environs & 99.999% "Fabled '5-9's'" uptime: 2012 -> http://linux.slashdot.org/comments.pl?sid=3110069&cid=41305947 [slashdot.org]
Brennz bitching about Mikko Hyponnen Security Expert: 2012 -> http://it.slashdot.org/comments.pl?sid=3129943&cid=41398979 [slashdot.org]
AntiVirus FALSE POSITIVES (even on themselves) 3-10 examples: 2012 -> http://it.slashdot.org/comments.pl?sid=3132237&cid=41402041 [slashdot.org]
Speaking to Naval Information Warfare Officer on China threat: 2012 -> http://news.slashdot.org/comments.pl?sid=3156485&cid=41517129 [slashdot.org]
FTC Busts Phone Support Scammers: 2012 -> http://tech.slashdot.org/comments.pl?sid=3161653&cid=41543619 [slashdot.org]
Polish & Russian = Romulans & Vulcans: 2012 -> http://apple.slashdot.org/comments.pl?sid=3156271&cid=41517631 [slashdot.org]
Good for Mr. T. (Linux kernel 2.7): 2012 -> http://linux.slashdot.org/comments.pl?sid=3164013&cid=41553831 [slashdot.org]
Building homes, RIGHT: 2012 -> http://it.slashdot.org/comments.pl?sid=3227591&cid=41863891 [slashdot.org]
CA's breached = 5/6 Linux based: 2012 -> http://tech.slashdot.org/comments.pl?sid=3222433&cid=41835589 [slashdot.org]
I post as AC and get modded up when all my other posts were downmodded: 2012 -> http://yro.slashdot.org/comments.pl?sid=3186429&cid=41660255 [slashdot.org]
Windows 7 will NOT GET "SERVICE PACK #2": 2012 -> http://tech.slashdot.org/comments.pl?sid=3207047&cid=41753975 [slashdot.org]
Opera can do "site specific" preferences vs. online threats (Jeremiah Grossman's only NOW hitting on my idea there): 2012 -> http://it.slashdot.org/comments.pl?sid=3237707&cid=41913801 [slashdot.org]
Linux security blunders 2011-2012: 2012 -> http://mobile.slashdot.org/comments.pl?sid=3281695&cid=42128897 [slashdot.org]
HIPAA: 2012 -> http://science.slashdot.org/comments.pl?sid=3290685&cid=42171403 [slashdot.org]
Adbanners having malicious code in them: 2012 -> http://tech.slashdot.org/comments.pl?sid=3299759&cid=42215249 [slashdot.org]
Elevator Algorithm for harddisk drives #1 of 2 (1st's in +3): 2012 -> http://hardware.slashdot.org/comments.pl?sid=3287917&cid=42156255 [slashdot.org]
Microsoft's MISTAKE in Windows 8 "metro-ized" ready for 3-5 yr. old interface on PC desktops (2 of 2, other is +2): 2012 -> http://tech.slashdot.org/comments.pl?sid=3330901&cid=42354749 [slashdot.org]
How to install NVidia DRIVER ONLY (not control panelware stuff too): 2012 -> http://it.slashdot.org/comments.pl?sid=3344029&cid=42407223 [slashdot.org]
DUSTING 'CruTcHy' the NOOB who can't prove his words he's a professional coder & is a "pot calling a kettle black": 2012 -> http://slashdot.org/comments.pl?sid=3272015&cid=42125693 [slashdot.org]
How programming changes you into a "nerd" but ANYONE could learn it (& value others too): 2012 -> http://developers.slashdot.org/comments.pl?sid=3368605&cid=42530957 [slashdot.org]
THE APOPHIS ASTEROID (what to do to destroy it (how & when)): 2012 -> http://science.slashdot.org/comments.pl?sid=3371057&cid=42541663 [slashdot.org]
CODING BIND/BOUND VARIABLES & USING SQL STORED PROCEDURES on DB engine servers, vs. DirectExecute ExecSQL stuff in front ends: 2012 -> http://developers.slashdot.org/comments.pl?sid=3368605&cid=42530471 [slashdot.org]
Using GroupPolicy @ AD Level (via gpedit.msc) or SECPOL.MSC to set NTLMv2 vs. NTLMv1 security vs. penetration: 2012 -> http://slashdot.org/comments.pl?sid=3368135&cid=42527187 [slashdot.org]
DOING AN "IRON CROSS" vs. "Gorilla Arm" on touchscreen not making it on PC desktops: 2012 -> http://hardware.slashdot.org/comments.pl?sid=3361017&cid=42495827 [slashdot.org]
LinkSys/CISCO router featureset (most of it, lacking VPN & Port Forwarding/Triggering onlY): 2012 -> http://it.slashdot.org/comments.pl?sid=3406867&cid=42689537 [slashdot.org]


* THE HOSTS FILE GROUP 41++ THUSFAR (from +5 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

APPLYING HOSTS TO DIFF. PLATFORM W/ TCP-IP STACK BASED ON BSD: 2008 -> http://mobile.slashdot.org/comments.pl?sid=1944892&cid=34831038 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1461288&threshold=-1&commentsort=0&mode=thread&cid=30272074 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]
in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1197039&cid=27556999 [slashdot.org]
IN HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1143349&cid=27012231 [slashdot.org]
in HOSTS:2009 -> http://it.slashdot.org/comments.pl?sid=1198841&cid=27580299 [slashdot.org]
in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1139705&cid=26977225 [slashdot.org]
HOSTS MOD UP:2009 -> http://hardware.slashdot.org/comments.pl?sid=1319261&cid=28872833 [slashdot.org] (still says INSIGHTFUL)
APK 20++ POINTS ON HOSTS MOD UP:2010 -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268 [slashdot.org]
HOSTS MOD UP:2010 -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]
HOSTS MOD UP:2010 -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1862260&cid=34186256 [slashdot.org]
HOSTS MOD UP:2010 (w/ facebook known bad sites blocked) -> http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]
HOSTS and BGP +5 RATED (BEING HONEST):2010 http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]
HOSTS FILE MOD UP FOR ANDROID MALWARE:2010 -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]
BANNER ADS & BANDWIDTH:2011 -> http://hardware.slashdot.org/comments.pl?sid=2139088&cid=36077722 [slashdot.org]
HOSTS MOD UP ZEUSTRACKER:2011 -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066 [slashdot.org]
HOSTS MOD UP vs AT&T BANDWIDTH CAP:2011 -> http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584 [slashdot.org]
HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service:2011 -> http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850 [slashdot.org]
HOSTS & PROTECT IP ACT:2011 http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700 [slashdot.org]
HOSTS MOD UP:2011 -> http://yro.slashdot.org/comments.pl?sid=2457766&cid=37592458 [slashdot.org]
HOSTS MOD UP & OPERA HAUTE SECURE:2011 -> http://yro.slashdot.org/comments.pl?sid=2457274&cid=37589596 [slashdot.org]
HOSTS MOD UP vs. botnet: 2012 -> http://it.slashdot.org/comments.pl?sid=2603836&cid=38586216 [slashdot.org]
HOSTS MOD UP vs. SOPA act: 2012 -> http://yro.slashdot.org/comments.pl?sid=2611414&cid=38639460 [slashdot.org]
HOSTS MOD UP vs. FaceBook b.s.: 2012 -> http://yro.slashdot.org/comments.pl?sid=2614186&cid=38658078 [slashdot.org]
HOSTS MOD UP "how to secure smartphones": 2012 -> http://mobile.slashdot.org/comments.pl?sid=2644205&cid=38860239 [slashdot.org]
HOSTS MOD UP "Free Apps Eat your Battery via ad displays": 2012 -> http://mobile.slashdot.org/comments.pl?sid=2734503&cid=39408607 [slashdot.org]
HOSTS MOD UP "How I only hardcode in 50 of my fav. sites": 2012 -> http://it.slashdot.org/comments.pl?sid=2857487&cid=40034765 [slashdot.org]
HOSTS vs. TRACKING ONLINE BY ADVERTISERS & BETTER THAN GHOSTERY: 2012 -> http://yro.slashdot.org/comments.pl?sid=2926641&cid=40383743 [slashdot.org]
HOSTS FOR ANDROID SMARTPHONES: 2012 -> http://yro.slashdot.org/comments.pl?sid=2940173&cid=40455449 [slashdot.org]
APK Hosts File Engine 5.0++ 32/64-bit: 2012 -> http://yro.slashdot.org/comments.pl?sid=3397505&cid=42651965 [slashdot.org]
APK Hosts File Engine 5.0++ 32/64-bit: 2012 -> http://yro.slashdot.org/comments.pl?sid=3137925&cid=41429093 [slashdot.org]


* THE APK SECURITY GUIDE GROUP 18++ THUSFAR (from +5 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

APK SECURITY GUIDE (old one):2005 -> http://it.slashdot.org/comments.pl?sid=154868&cid=12988150 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://books.slashdot.org/comments.pl?sid=168931&cid=14083927 [slashdot.org]
APK SECURE SETUP FOR IP STACK:2005 -> http://it.slashdot.org/comments.pl?sid=170545&cid=14211084 [slashdot.org]
APK SECURITY GUIDE (old one):2005 -> http://it.slashdot.org/comments.pl?sid=170545&cid=14210206 [slashdot.org]
APK SECURITY TEST CHALLENGE LINUX vs. WINDOWS:2007 -> http://it.slashdot.org/comments.pl?sid=267599&threshold=1&commentsort=0&mode=thread&cid=20203061 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://ask.slashdot.org/comments.pl?sid=970939&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25092677 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://tech.slashdot.org/comments.pl?sid=1027095&cid=25747655 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://ask.slashdot.org/comments.pl?sid=970939&cid=25093275 [slashdot.org]
APK SECURITY GUIDE: 2008 -> http://ask.slashdot.org/comments.pl?sid=970939&no_d2=1&cid=25092677 [slashdot.org]
APK SECURITY GUIDE:2008 -> http://it.slashdot.org/comments.pl?sid=416702&cid=22026982 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://it.slashdot.org/comments.pl?sid=1361585&cid=29360367 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://yro.slashdot.org/comments.pl?sid=1218837&cid=27787281 [slashdot.org]
APK SECURITY GUIDE:2009 -> http://news.slashdot.org/comments.pl?sid=1135717&cid=26941781 [slashdot.org]
APK SECURITY GUIDE:2010 -> http://tech.slashdot.org/comments.pl?sid=1885890&cid=34358316 [slashdot.org]
APK SECURITY GUIDE:2010 -> http://yro.slashdot.org/comments.pl?sid=1638428&cid=32070500 [slashdot.org]
APK SYSTEM TUNING:2010 -> http://hardware.slashdot.org/comments.pl?sid=1497268&cid=30649722 [slashdot.org]
APK SYSTEM TUNING:2010 -> http://hardware.slashdot.org/comments.pl?sid=1497268&threshold=-1&commentsort=0&mode=thread&cid=30649722 [slashdot.org]
MICROSOFT SECURITY:2010 -> http://news.slashdot.org/comments.pl?sid=1546446&cid=31106612 [slashdot.org]


* Ah, but that's what you get for your off-topic illogical failing ad hominem attack attempt... you FAIL!



"More than that, your style of posting suggests a problem with your mental health. If you're not already under the care of an appropriately qualified health professional, I would suggest seeking help asap." - by Anonymous Coward on Tuesday January 29, @04:04PM (#42731251)

Seriously - is THAT the "best you've got"? It's tired old troll b.s., seen it a million times before (it's not effective)!

Why? It's libel, 1st of all - I suggest you get a PhD in the psychiatric sciences, a license to practice in them, & a formal examination of my alleged mental state - otherwise, without them? It is, indeed, libeling myself on YOUR part & there's laws against it (as to my "alleged mental state", lol, @ least according to YOU, lol, a mere ac troll)!

Do consider that, before you libel others online too - it is libel!

... apk

Re:Opinions vary (by a 242++:1 ratio)... apk (0)

Anonymous Coward | about a year ago | (#42731657)

So you have a couple of accounts yourself you use to mod your AC posts. Big deal, proves nothing.

Quit projecting YOUR methods, troll... apk (0)

Anonymous Coward | about a year ago | (#42731751)

"So you have a couple of accounts yourself you use to mod your AC posts" - by Anonymous Coward on Tuesday January 29, @04:40PM (#42731657)

Why don't I have all +5 posts then? See my subject-line above, & quit "projecting" your OWN methods of bogus self-upmoderation!

(It's also fairly obvious you're trolling me by AC after you downmodded my initial post, & if you used your "registered 'luser'" account to reply? You'd remove your downmod... that is, unless you know the 'trick' around that (logon/logoff to preserve your cookie state)).


"Big deal, proves nothing." - by Anonymous Coward on Tuesday January 29, @04:40PM (#42731657)

Well - Seems it proved you wrong & OUTNUMBERED by a 242++:1 margin & ratio over YOUR "trollish off-topic" illogical ad hominem attacks easily enough!

Hey - "DO THE MATH" -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42731467 [slashdot.org] :)


P.S.=> Seriously - your trolling career? Find another - you aren't very good @ it & are VERY EASY to outwit... every time!

... apk

Why not all 4+? (0)

Anonymous Coward | about a year ago | (#42731953)

Because you might not have enough accounts with mod points at those times.

Per my 1st post? I do better things... apk (0)

Anonymous Coward | about a year ago | (#42732097)

Sounds like you cheat the moderation system here (I don't - no need, per my list which is good enough for me... especially as an AC poster -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42731467 [slashdot.org] ), but I have LITERALLY caught others who do (and drove one away in fact - if you would like proof? Ask!).


However, unlike others who don't HAVE anything BETTER to do (lol, like "live for karma points" on a forum)?

As you can see: I am out doing what's right, & right by others too -> http://www.start64.com/index.php?option=com_content&id=5851:apk-hosts-file-engine-64bit-version&Itemid=74 [start64.com] by producing a useful program!

* That "all said & aside"?

I challenge you to put your energies to better use, per my challenge to you & any LIKE you (i.e. -> Off-Topic trolls especially), here -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42731025 [slashdot.org]

Good luck - You'll NEED it: Many trolls like you have tried over time, & not a single one has validly disproved my points listed where my program is, not a single one!


P.S.=> Ah, you trolls... you're ALL the same - projecting must be part of your "troll mentality" or something, lol... apk

Why didn't you disprove the self mod theory? (0)

Anonymous Coward | about a year ago | (#42732331)

See subject, your inability to disprove this must mean you are modding your own posts.

I'd have all +5's & I don't... apk (0)

Anonymous Coward | about a year ago | (#42732483)

IF I was 'self-modding', as you seem to know ALL about? I'd have all +5 posts not a load of +1's... besides: The technical points in my posts are solid, hence, the upmod ratings by others! Read them yourself, if you wish, as you might learn a trick or two...

I don't use a registered 'luser' account... no need, as again, I have better things to do than live for karma points on a forum! See below...

Above all else: What I do know, is that what you said 'fell apart' vs. my list of upmods here -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42731467 [slashdot.org]


* Again - so it "sinks in" to your skull, "Mr. Troll": I have and DO, better things -> http://www.start64.com/index.php?option=com_content&id=5851:apk-hosts-file-engine-64bit-version&Itemid=74 [start64.com]

(Things which give users more speed, security, reliability, & even anonymity to an extent, THAT SOLVE THIS PARTICULAR ARTICLE'S DNS ISSUE no less!)


P.S.=> Again - Why not spend your energies *trying* to disprove my points on custom hosts files, noted here as a challenge to ANY 'naysayers' (like trolls especially, like yourself) -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42731025 [slashdot.org]

You might learn something (or possibly, I just might (doubt it vs. a troll, but there it is)).

Seriously - GOOD LUCK: You'll NEED it, badly!

(Again/once more - Since no one has ever disproved my points on custom hosts files with valid critique or information, & not just here on this site either, though 100's have tried & failed, every single time)...

.... apk

Seek help (0)

Anonymous Coward | about a year ago | (#42733701)

I'm the AC who posted about your mental health; I can assure you I have not posted anywhere else in this thread, indeed have never replied to any of your posts. I did nothing more than skim my eye over your reply, but again I say in all seriousness, you have a mental health issue that really should be addressed.

Illogical off-topic ad hominem attacks (0)

Anonymous Coward | about a year ago | (#42733823)

NEED NOT APPLY, troll...

* :)

"I'm the AC who posted about your mental health; I can assure you I have not posted anywhere else in this thread, indeed have never replied to any of your posts. I did nothing more than skim my eye over your reply, but again I say in all seriousness, you have a mental health issue that really should be addressed." - by Anonymous Coward on Tuesday January 29, @08:41PM (#42733701)

Do you have the following items to your name/credit?

1.) A PhD in the psychiatric sciences

2.) A license to practice said psychiatric sciences professionally

3.) A formal examination of myself as to my "alleged mental state" (according to you, an AC troll) given in a professional psychiatric environs

* Without them, you're guilty of libeling myself!

That is also showing us you're:

A.) NOT considering the consequences of your actions here

B.) That you're repeating the same mistake over & over again too!

(Both are often said to be signs of insanity!)

SO, Please - if ANYONE's "insane" here, it is clearly yourself...

P.S.=> Quit projecting your own issues onto me, & grow up (or take your meds, lol)...

... apk

Re:How custom hosts files help vs. DNS flaws... ap (1)

ilikejam (762039) | about a year ago | (#42731133)

APK - what's to stop someone poisoning one of the source hosts files you use to generate yours? Like, for example, adding an entry for google.com which points to a drive-by infection site?

My data sources do... apk (0)

Anonymous Coward | about a year ago | (#42731259)

From reputable sources in the security community, like malwarebytes (hpHosts), Norton/Symantec, ZeusTracker, SpyEye Tracker (& other botnet watchers), MVPS, & other valid reputable, reliable, & punctually updated sources...

* :)

And, there ya go!

(Mind you - I 'hardcode' their entries into my hosts file, AFTER they are properly reverse-DNS pinged, & that hits the in arpa addr 'tld' that houses that information for EVERYONE...)

I.E.-> Thus - I can't be 'misdirected', in other words, & that's how this helps vs. DNS faults here & dns-poisonings, too!


P.S.=> Hope that "sheds some light" on that question of yours... apk

Re:My data sources do... apk (1)

ilikejam (762039) | about a year ago | (#42732923)

Hmm. That's a lot of sources, any one of which could be compromised at any time.

P.S. in-addr.arpa PTR records are delegated from the root nameservers just like A records - doing reverse lookups doesn't buy you much in terms of security, if you're worried about hijacked DNS.

It's more secure than DNS queries... apk (0)

Anonymous Coward | about a year ago | (#42732997)

" doing reverse lookups doesn't buy you much in terms of security, if you're worried about hijacked DNS." - by ilikejam (762039) on Tuesday January 29, @06:54PM (#42732923) Homepage

See subject-line above: Especially vs. what this article's about (the Kaminsky DNS flaw remaining MOSTLY UNPATCHED WORLDWIDE 5 yrs. later no less).

That is a shame!

I certainly DO get better & faster resolutions locally from a custom hosts file too, and don't even run the risk of querying a VERY potentially dns-poisoned redirected DNS server either... bonus and yes, more secure ones because of this article's premise (by avoiding DNS completely).

Every bit, helps!


P.S.=> And, since I bypass DNS by hardcoded hosts file entries, doing DIRECT reverse DNS against in arpa addr is more secure than querying a potentially redirect dns poisoned DNS server (per this article) - but, I don't *think* you're denying it's so either, per your quoted reply above...

... apk

DNSSEC is not the best long term fix (4, Informative)

Anonymous Coward | about a year ago | (#42729865)

DNSSEC is a flaw too! Once I watched a keynote from Daniel J. Bernstein at FISL pointing out all the flaws that make DNSSEC vulnerable. So he pointed to a better solution called DNSCurve: http://en.wikipedia.org/wiki/DNSCurve

Re:DNSSEC is not the best long term fix (2)

GameboyRMH (1153867) | about a year ago | (#42730397)

Furthermore see Moxie Marlinspike's criticisms of DNSSEC:

http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/ [thoughtcrime.org]

About 2/3 way down the page.

Re:DNSSEC is not the best long term fix (1)

Anonymous Coward | about a year ago | (#42731509)

He doesn't get it. People who tout SSL keys in DNSSEC are very aware of the hierarchical nature of the DNSSEC trust relations and who we would be trusting if we used DNSSEC to distribute SSL keys. The point is that we're already trusting the very same people now, in addition to the CAs, and they're not even using trustworthy DNS yet. When you get a certificate from a no-frills CA, you only need to be able to receive mail at one of a few local parts under the domain that you want the certificate for. Bam, everybody who uses SSL must also trust the DNS hierarchy not to enable an attacker to divert mail. SSL keys in DNSSEC are not less secure than what we have now, but they're much simpler, much cheaper and don't pretend to do more checking before issuing a certificate than they actually do. SSL keys would be the killer app for DNSSEC. Let the CAs do thorough verification and kick out any CA which issues or enables others to issue spoofed certificates. We can still have reasonably secure encryption for most web traffic, and by enabling anybody to switch on HTTPS without having to pay extra for a certificate, SSL keys in DNSSEC would make the web much more secure than it is today.

Re:DNSSEC is not the best long term fix (0)

Anonymous Coward | about a year ago | (#42732801)

SSL with DNS (via DNSSEC) providing the PKI is a done deal, as DANE it was published as an RFC and is standards track already. Google's Chrome supports this functionality today, Firefox has a patch they've sat on.

Moxie doesn't get it because he's not interested in building something people will actually use, he's interested in the intellectual exercise. A fully distributed system where everybody has to make personal trust decisions to get anything to work is Moxie's dream, but in the real world we've _been_ there and the outcome was that everybody proxied their decision onto a handful of "trusted" vendors who solved the Dancing Pigs problem by trusting every vendor they heard about. So DANE doesn't plan to do that again (but Moxie is free to build it, and use it with the six other people who like making trust decisions all day).

Anyway, like I said, DANE is a done deal, like IPv6. Pundits will continue to write that it has "failed" and use phrases like "eggheads" and "whizkids" and talk about how brilliant they are to be able to predict the past so accurately now that it has happened, but that's what pundits do for a living and anyone with half a braincell knows to ignore their wittering.

Not a criticism of DNSSEC (1)

pavon (30274) | about a year ago | (#42731719)

That isn't a criticism of DNSSEC. That is a criticism of using DNSSEC for things other than DNS resolution. Domain names and IP addresses have to be allocated in a centrally managed fashion, so to avoid conflicts. DNS already has a hierarchical design by nature and DNSSEC simply makes it more secure.

SSL key distribution/validation on the other hand doesn't have to be centrally managed, so adopting a hierarchical control structure like DNSSEC for that task is a suboptimal solution. In fact the problems in the CA system we currently have directly stem from such a hierarchical trust scheme. We would be much better off going with a truly distributed system for SSL key validation.

But that doesn't mean that using DNSSEC for domain name queries is a bad idea.

Re:Not a criticism of DNSSEC (1)

dkf (304284) | about a year ago | (#42733261)

In fact the problems in the CA system we currently have directly stem from such a hierarchical trust scheme. We would be much better off going with a truly distributed system for SSL key validation.

I'm unconvinced. (I'm particularly unconvinced by the handwave-assert-jedi-mind-trick style of argument there, but that's by-the-by.) The fundamental problem is that it is very hard to work out if the assertions in a public certificate are true; all you can tell is that the information was digitally signed by someone or something. With a web of trust model, either you have non-transitive trust (which totally doesn't scale at all!) or you have transitive trust, in which case all it takes is for one person to get it wrong and the bad guys get in (and their first acts will be to seek to leverage their new trustedness to obscure how they got in). I suppose you could have someone acting as an authority that says who can be trusted to handle transitive links, but that's virtually back to the CA model except with plenty more technical complexity than before.

Re:DNSSEC is not the best long term fix (0)

Anonymous Coward | about a year ago | (#42731105)

DNSCurve is DJB's solution. Now, DJB ranks as one of the best engineers of our time. But DNSCurve has its own problems, which DJB merely classifies as design choices. Well... that's pretty much how the DNSSEC classified their "flaws", too.

Personally, I'd prefer DNSCurve. But DNSSEC isn't that bad. Its biggest fault is its complexity.

Re:DNSSEC is not the best long term fix (0)

Anonymous Coward | about a year ago | (#42731217)

DNSCurve is DJB's solution. Now, DJB ranks as one of the best engineers of our time. But DNSCurve has its own problems, which DJB merely classifies as design choices. Well... that's pretty much how the DNSSEC classified their "flaws", too.

Personally, I'd prefer DNSCurve. But DNSSEC isn't that bad. Its biggest fault is its complexity.

I'd say the biggest fault of all of them is lack of implementation.

Rather pointless to sit here bitching about how one sucks worse than the other when 99.999% of the DNS world clearly doesn't give a shit about either solution.

Re:DNSSEC is not the best long term fix (1)

Bengie (1121981) | about a year ago | (#42731183)

From the sound of the wiki article, DNSCurve only secures the channel communicating to the DNS server, while DNSSEC secures channel and the actual DNS records.

We need both secure communications and validation that the returned entries haven't been modified by the server itself.

Wrong (0)

Anonymous Coward | about a year ago | (#42731409)

DNSSEC only signs records, it doesn't do encryption.

Re:DNSSEC is not the best long term fix (1)

Anonymous Coward | about a year ago | (#42733857)

Having delved into both deeply, implementing DNSCurve in one server and partially having implemented DNSSEC elsewhere, I can give you a better comparison.

DNSCurve secures the channel between a recursive DNS cache and upstream authoritative servers. It does not attempt to secure the client->cache channel, although there have been related proposals (modifications of the same basic guts DNSCurve had) to secure that channel as well. DNSCurve is designed for a world where you implicitly trust your cache. Either you decide your ISP or shared cache provider (e.g. OpenDNS) is trustable, or you simply run your own cache. Some people claim the DNS doesn't scale well like that, but it actually copes just fine. Having a recursive cache on every home router is not the end of the world, and makes DNSCurve a fully-secure solution that's miles better than DNSSEC.

DNSSEC is designed around a world that assumes un-trustable, even adversarial, shared DNS caches. It assumes you can't (god knows why) run a local recursive cache or use one that you implicitly trust for other reasons. It assumes that the caches you're forced to use will actively try to screw with your DNS data. So it goes about protecting the actual data end-to-end with digital hashes of the authoritative records that can be verified (after passing through N levels of untrusted caches) all the way down at the client. However, it doesn't secure any of the channels in the general sense, its design is extraordinarily complex, and it has repeatedly caused security problems of its own (e.g. amplification attacks, denial of service, hash flaws, and new pathways to remotely list the hostnames within a domain via DNSSEC probing). The key management is pretty arcane too, and was clearly set up to make certain DNS companies a lot of money hosting DNSSEC for others because nobody else would want to deal with that crap.

The world as DJB tried to paint it, with DNSCurve and local/trusted caches, is a far better one. The modifications to the DNS were much simpler in nature, it was far easier to implement, and far less prone to introducing new security problems. The only real pragmatic hangup that prevented widespread adoption (well, aside from the "professional" long-term BIND/DNSOPS/Verisign/etc community hating him for constantly pointing out their silliness) was that his public-key sharing mechanism was to essentially name your nameservers after your public key. So for example, if I went to the .com registrar and wanted to register example.com and use DNSCurve on example.com's nameservers, I had to use a base64-encoded public key as a hostname, and it was a long one. Instead of registering "ns1.example.com" upstream, you had to register "aoiejf0a4uaoisrjao84o8halsidjfalkejfoq48falsierfjalskef.example.com" as a nameserver hostname (or whatever, imagine that random crap was a long base64 string).

Some others worked on a modified DNSCurve proposal which dropped the ugly nameserver names in place of stealing DNSSEC's DS or KEY records (and just using them in isolation at the registrar as a registered DNSCurve public key), but that also gained no traction. Really, that variant could've won the day, and should have, if it weren't for bickering and politics.

Re:DNSSEC is not the best long term fix (0)

Anonymous Coward | about a year ago | (#42732061)

Slides from a Bernstein talk [cr.yp.to]
A quote:

Summary so far:
DNSSEC does nothing to improve DNS availability.
DNSSEC allows astonishing levels of DDoS amplification, damaging Internet availability.
DNSSEC does nothing to improve DNS privacy.
DNSSEC, even with NSEC3, leaks private DNS data.

Re:DNSSEC is not the best long term fix (2)

marka63 (1237718) | about a year ago | (#42734007)

Slides from a Bernstein talk [cr.yp.to]
A quote:

Summary so far:
DNSSEC does nothing to improve DNS availability.

Neither does DNSCurve.

DNSSEC allows astonishing levels of DDoS amplification, damaging Internet availability.

Which is not a problem of DNSSEC per se but a basic problem of DNS. It is also solvable. It just requires will to deploy the solutions.

DNSSEC does nothing to improve DNS privacy.

This was an explicit non-goal of DNSSEC.

DNSSEC, even with NSEC3, leaks private DNS data.

No more than DNS leaks private data.

Re:DNSSEC is not the best long term fix (0)

Anonymous Coward | about a year ago | (#42732179)

I'm a DJB fan (run qmail and djbdns since I setup my server in the 90's), but as Paul Vixie points out here: http://www.isc.org/community/blog/201002/whither-dnscurve dnscurve doesn't solve the same problems as DNSSEC. dnscurve solves the problems of an insecure internet between the resolver and the responding DNS server. But it doesn't solve the "can the responding DNS server be trusted" problem.

Sweden Innovates (4, Informative)

ptudor (22537) | about a year ago | (#42729885)

So, there's OpenDNSSEC [opendnssec.org] to automate deployments; I strongly suggest spending the time to watch the .SE NIC's nine-part training videos from 2010 at Youtube to improve one's understanding: http://www.youtube.com/watch?v=zl3gdM5tDTo [youtube.com]

Some respected members of our community dismiss DNSSEC. This video of DJB presents an opinion: DJB at 27C3 [vimeo.com]

Re:Dutch Innovate (2)

kwark (512736) | about a year ago | (#42730291)

Why choose this instead of powerdnssec? I strongly suggest the dnssec training at http://www.dnsseccourse.nl/en/player.html [dnsseccourse.nl] (flash) to improve one's understanding of the dnssec protocol. And powerdns to implement it http://doc.powerdns.com/powerdnssec-auth.html [powerdns.com]

BTW dnssec adoption is amongst the highest for .nl in absolute numbers of domains, simply because there is a bounty for every domain signed. If you have a few hundred domains the costs to implement are lower than the discount given till mid 2014 == profit for implementing dnssec. And since powerdns does all the hard work automatically and dynamically in a transparent way (except importing the DS key in the tld)

Re:Dutch Innovate (1)

ptudor (22537) | about a year ago | (#42730389)

Why choose one over the other? I don't care :) So far people have chosen neither.

Re:Dutch Innovate (1)

kwark (512736) | about a year ago | (#42730941)

Nobody is using them? 1/5 of the .nl domains are registered DNSSEC domains:
http://xs.powerdns.com/dnssec-nl-graph/ [powerdns.com]

Re:Dutch Innovate (0)

Anonymous Coward | about a year ago | (#42731135)

So you are saying .00004 % of the internet have registered and nobody is making a huge deal out of it?

Re:Dutch Innovate (1)

kwark (512736) | about a year ago | (#42732101)

Math fail detected: 250*10^6 domains, 5*10^6 .nl, 10^6 .nl with dnssec. So at least 0.4% of all domains are dnssec:
5/250/5 == 0.004 * 100% == 0.4%
.nl is in the top 5 of most used country TLDs. .nl is used for about 70% of the domains targeting the Dutch market. So dnssec implementation is huge for the local market. And while it still might not be perfect, it is better than just plain DNS.

Re:Dutch Innovate (1)

ptudor (22537) | about a year ago | (#42732247)

Whether it's the AC's numbers or your numbers, you're both talking about less than a percent as though it's greater than a margin of error in the real world. Export your expertise and let's all work on dotcom next.

Re:Dutch Innovate (1)

kwark (512736) | about a year ago | (#42732495)

Like I said, for the local market dnssec presence is huge, and last time I checked NLD is still part of the real world and it still has some influence on it (especially considering its size).

But .com has everything in place to do dnssec. So if an owner of a .com wants to get dnssec support, they should get a Dutch dns provider, there are many that give the customer the option to activate dnssec.

Re:Dutch Innovate (1)

mooingyak (720677) | about a year ago | (#42731279)

If you have a few hundred domains the costs to implement are lower than the discount given till mid 2014 == profit for implementing dnssec

I'm assuming there's some kind of catch in there so that it's not worthwhile for someone to register a few thousand new domains and then implement DNSSEC on them.

Re:Dutch Innovate (1)

kwark (512736) | about a year ago | (#42731841)

No catch, just a discount per domain registered for dnssec (0.28 EUR/year). I have about 1k .nl domains, I spent a few days figuring out what dnssec was about, how to implement, test and maintain it. Activated it on the corporate domain, some personal and a couple of test domains and waited 2 months to see if there were problems (none). So now it is active for all domains saving us 420 EUR till the discount ends in 2014-06. For us it was not enough to cover the expense of my time, but this had to be implemented eventually, so better do it now while you still get some discount.

Re:Sweden Innovates (1)

Eunuchswear (210685) | about a year ago | (#42731941)

videos? Does noone know how to rite anymore?

Aargh - the next fucker is telling me to look at some flash shit!

Re:Sweden Innovates (1)

kwark (512736) | about a year ago | (#42732573)

If you just kept reading instead of getting distracted by flash, you'd have seen the next link point to human readable text explaining (briefly) how dnssec works and how to implement it for a specific named. I just have to hope you read past flash this time.

Wow, incredible (-1)

Anonymous Coward | about a year ago | (#42729891)

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates domain names meaningful for users to the numerical IP addresses needed for the purpose of locating computer services and devices worldwide. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.
An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses (IPv4) and 2620:0:2d0:200::10 (IPv6). Unlike a phone book, the DNS can be quickly updated, allowing a service's location on the network to change without affecting the end users, who continue to use the same host name. Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates the services.
The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains. This mechanism has made the DNS distributed and fault tolerant and has helped avoid the need for a single central register to be continually consulted and updated. Additionally, the responsibility for maintaining and updating the master record for the domains is spread among many domain name registrars, who compete for the end-user's, domain-owner's, business. Domains can be moved from registrar to registrar at any time.
The Domain Name System also specifies the technical functionality of this database service. It defines the DNS protocol, a detailed specification of the data structures and communication exchanges used in DNS, as part of the Internet Protocol Suite.
The Internet maintains two principal namespaces, the domain name hierarchy[1] and the Internet Protocol (IP) address spaces.[2] The Domain Name System maintains the domain name hierarchy and provides translation services between it and the address spaces. Internet name servers and a communication protocol implement the Domain Name System.[3] A DNS name server is a server that stores the DNS records for a domain name, such as address (A or AAAA) records, name server (NS) records, and mail exchanger (MX) records (see also list of DNS record types); a DNS name server responds with answers to queries against its database.

No big deal to me. (-1)

Anonymous Coward | about a year ago | (#42729963)

After Amazon started with that sales tax nonsense, online shopping has just been a bunch of blah blah blah to me.
Good riddance.

so this is aiding and abetting terrorists. (0)

Anonymous Coward | about a year ago | (#42729999)

By not applying the fix, they are aiding the enemies of the USA to attack and bring down everything in the USA.

The DHS should be taking the lot in for questioning about Un-American activities.

If you are a customer (0)

Anonymous Coward | about a year ago | (#42730027)

Of Comcast, you know you are already DNSSEC'd. Just as a heads up!

Basic rule of computer security (2)

dkleinsc (563838) | about a year ago | (#42730057)

Many potentially targeted organizations will not spend the time and money to make the necessary changes without prodding. I've seen this in payment security too: A lot of companies are shocked and dismayed when they find out that they are supposed to store credit card numbers in some way other than in plaintext in a database accessible to anyone with the single database login that everyone in the company has.

The only thing that will prod them is experiencing a cost of doing nothing that is higher than the cost of implementing the solution.

Re:Basic rule of computer security (0)

Anonymous Coward | about a year ago | (#42731265)

...The only thing that will prod them is experiencing a cost of doing nothing that is higher than the cost of implementing the solution.

Basic rule of business: The "experience" they refuse to pay for may just be their last decision as a business.

Have fun gambling. The lawyers always seem to enjoy it.

I deployed it at our ISP recursive servers (4, Interesting)

whois (27479) | about a year ago | (#42730077)

It broke access to several DNSSEC enabled websites that were misconfigured. After a few months of support problems where we suggested the websites fix their issues and they ignored it, it was requested by management that we turn it off.

It's a very bad design as it stands now. It's unable to return any error but NX Domain for DNSSEC errors for reasons of backward compatibility, which is stupid since you need a DNSSEC enabled resolver to make the request.

It also has an incredibly steep learning curve that even experienced public key administrators face problems with.

Re:I deployed it at our ISP recursive servers (1)

anom (809433) | about a year ago | (#42730295)

This. I recently set up a new name server and had to disable it for similar reasons.

Re:I deployed it at our ISP recursive servers (1)

nullchar (446050) | about a year ago | (#42730561)

Would either the parent or GP like to list some sites that were broken with DNSSEC? There are some decent tools to test DNSSEC queries, so I'm surprised the DNS admins for the broken zones have left it broken. There's not really any half-assed zone signing with DNSSEC, you either sign the entire zone or you don't.

Re:I deployed it at our ISP recursive servers (0)

Anonymous Coward | about a year ago | (#42730559)

If you use the correct dns server, dnssec will be a piece of cake.

Re:I deployed it at our ISP recursive servers (1)

gweihir (88907) | about a year ago | (#42730633)

And there is the little problem that in the long run, its certificate system is just as broken as the SSL cert system is now. My guess is it is not worth the effort at all.

Re:I deployed it at our ISP recursive servers (1)

kwark (512736) | about a year ago | (#42731365)

"its certificate system is just as broken as the SSL cert system is now"

Can you explain this? DNSSEC hasn't got much in common with the SSL cert system. There is only 1 root authority, the weak point during a key change. Each domain/tld has their own (multiple) keys. tld and domains should regenerate the short Zone Signing Keys fairly often (a couple of weeks), while the bigger Key Signing Keys should be regenerated about once in a year. If a tld is compromised it only has to create a new KSK, individual domains aren't affected (IIRC). If an individual nameserver or domain is affected only that server or domain needs to regenerate a KSK.

Re:I deployed it at our ISP recursive servers (1)

gweihir (88907) | about a year ago | (#42731611)

Too many people in there. Somebody will either mess up or be corrupt. A PKI only works in practice if there is a single CA or a very small number of CAs under tight control. Ignoring the non-technological angle is just incompetent.

Re:I deployed it at our ISP recursive servers (1)

kwark (512736) | about a year ago | (#42732195)

But there are no CAs in DNSSEC. There are only public/private keypairs under control of the owner of the domain.
www.example.com. has 3 pairs/signatures to check:

  • .
  • com.
  • example.com.

example.com. tells the com. authority what its public KSK is.
com. tells the root zone what its public KSK is.
The public KSK of the root is known by all people/software that want to check dnssec signatures (the weak point since how do you securely distribute and update that one?).

Re:I deployed it at our ISP recursive servers (1)

idontgno (624372) | about a year ago | (#42732253)

Well, if your assertion is that "people are a problem", you're not the first to make that observation. [goodreads.com].

It's a little-considered fact that 100% of insider crime is committed by insiders.

Short of extincting the human race, I don't see a good solution. Maybe we should not fixate on the insolubles?

Re:I deployed it at our ISP recursive servers (1)

Anonymous Coward | about a year ago | (#42730987)

Except the largest cable ISP in the US, Comcast, has DNSSEC resolvers enabled for customers by default, and they manage to deal with these problems.

They even track and publish information on (large) failing domains and in the backend work with website owners to notify them of the deficiencies. As a Comcast customer, I notify the Comcast DNS folks whenever I have DNSSEC problems, as they have a large amount of clout and will use it to notify website owners.

More large ISPs need to get on board - when we have critical global mass with the majority of the large ISPs enabling DNSSEC, DNS operators will fix their problems - or better yet monitor and proactively update their signatures, keys, etc. This is much like they do with SSL certs.

Re:I deployed it at our ISP recursive servers (1)

whois (27479) | about a year ago | (#42731429)

We beat Comcast to the punch by about a year. I'm happy that they turned it on and can afford to support it, but 90% of the customers you have are dumb and don't care why it doesn't work from your ISP, they just care that it works at Starbucks and doesn't work at their house.

Being a huge monopoly has an advantage when it comes to telling customers to pack it up when they have DNS issues. I too am a Comcast customer and I run my own resolver (for flexibility, not because they implemented DNSSEC)

All the domains that didn't work at the time were government sites. Usually obscure subdomains that only individual customers needed access to, so hounding random government agency to fix their problems didn't really help the rest of your customers. Also, contact with random government agency admin, which isn't easy to begin with, might be impossible if their admin contact has an MX within the broken DNSSEC domain (or we're forced to use non-DNSSEC enabled resolvers for our own email servers to contact them)

Re:I deployed it at our ISP recursive servers (1)

KiloByte (825081) | about a year ago | (#42732721)

It also has an incredibly steep learning curve that even experienced public key administrators face problems with.

There's a way to do it in the name server itself, but here's a way for newbies:

1. in named.conf.local, change file "example.org.zone"; to file "example.org.zone.signed";
2. where you would do rndc reload example.org after a change, you instead do zonesigner --usensec3 -zone example.org. example.org && rndc reload example.org
3. read the key-signing key zonesigner created, log in to your registrar, add a DS record by pasting data from that file
4. if you want the keys to expire (zonesigner's default), set up a cronjob to re-sign the zone. This can be automated with rollerd, but cron is something everyone already knows.

That's all. I don't think someone not able to follow these steps should muck with DNS records.
(Yes, there are nicer ways, but this one is simplest.)
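The chain kwark walks through a few comments up (root KSK known to every validator, each zone's KSK published as a DS record in its parent, a short-lived ZSK signing the day-to-day records) and the DS-at-the-registrar step in KiloByte's recipe, as an added Go example that is not code from this thread, from BIND, zonesigner or any DNSSEC implementation. It is a hypothetical, simplified model: each zone gets an Ed25519 KSK/ZSK pair, the parent publishes a SHA-256 digest of the child's KSK as "DS child", and a validator walks from a configured root trust anchor down to one record, checking signature validity windows on the way. The `Zone`, `Validate`, `BuildChain` and `DSDigest` names, the 14-day and 365-day signature lifetimes, the zone names and the 192.0.2.10 address are all constructed for this example; real RRSIG, DNSKEY and DS records carry key tags, algorithm numbers and a wire format that this model leaves out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Signed is a simplified RRSIG (a hypothetical model, not the RFC 4034 wire format).
type Signed struct {
	Data, Sig             []byte
	Inception, Expiration time.Time
}

func sign(priv ed25519.PrivateKey, data []byte, now time.Time, life time.Duration) Signed {
	return Signed{data, ed25519.Sign(priv, data), now, now.Add(life)}
}

func verify(pub ed25519.PublicKey, s Signed, now time.Time) error {
	switch {
	case now.Before(s.Inception) || now.After(s.Expiration): // checked before the maths
		return fmt.Errorf("signature outside its validity window (zone needs re-signing)")
	case !ed25519.Verify(pub, s.Data, s.Sig):
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// DSDigest is the hash of a child's KSK that the parent publishes: the value handed to the registrar.
func DSDigest(name string, ksk ed25519.PublicKey) []byte {
	sum := sha256.Sum256(append([]byte(name), ksk...))
	return sum[:]
}

type Zone struct {
	Name    string
	KSK     ed25519.PublicKey  // private half is used once at signing time and not kept here
	zskPriv ed25519.PrivateKey // the ZSK signs day to day and is rolled every few weeks
	DNSKEY  Signed             // the ZSK public key, signed by the KSK (long-lived)
	RRs     map[string]Signed  // "DS com.", "A www.example.com.": signed by the ZSK
}

func NewZone(name string, now time.Time) *Zone {
	kskPub, kskPriv, _ := ed25519.GenerateKey(rand.Reader)
	zskPub, zskPriv, _ := ed25519.GenerateKey(rand.Reader)
	z := &Zone{Name: name, KSK: kskPub, zskPriv: zskPriv, RRs: map[string]Signed{}}
	z.DNSKEY = sign(kskPriv, zskPub, now, 365*24*time.Hour) // KSK rolled about yearly
	return z
}

// Publish signs a record with the ZSK for 14 days: an unattended zone "breaks" once these lapse.
func (z *Zone) Publish(rr string, data []byte, now time.Time) {
	z.RRs[rr] = sign(z.zskPriv, data, now, 14*24*time.Hour)
}

// Validate walks from the root trust anchor (the root KSK) through zones[0] (root), zones[1] (com.), ...
func Validate(anchor ed25519.PublicKey, zones []*Zone, rr string, now time.Time) ([]byte, error) {
	trustedKSK := anchor
	for i, z := range zones {
		if err := verify(trustedKSK, z.DNSKEY, now); err != nil {
			return nil, fmt.Errorf("%s DNSKEY: %w", z.Name, err)
		}
		zsk := ed25519.PublicKey(z.DNSKEY.Data)
		if i == len(zones)-1 { // leaf zone: a missing record is the zero Signed and fails verify
			if err := verify(zsk, z.RRs[rr], now); err != nil {
				return nil, fmt.Errorf("%s: %w", rr, err)
			}
			return z.RRs[rr].Data, nil
		}
		child := zones[i+1]
		ds := z.RRs["DS "+child.Name]
		if err := verify(zsk, ds, now); err != nil {
			return nil, fmt.Errorf("DS %s: %w", child.Name, err)
		}
		if string(ds.Data) != string(DSDigest(child.Name, child.KSK)) {
			return nil, fmt.Errorf("%s: KSK does not match the DS in %s", child.Name, z.Name)
		}
		trustedKSK = child.KSK // the parent's DS, not the child itself, decides which KSK is trusted
	}
	return nil, fmt.Errorf("empty chain")
}

// BuildChain sets up root -> com. -> example.com. with one constructed A record.
func BuildChain(now time.Time) (ed25519.PublicKey, []*Zone) {
	root, com, ex := NewZone(".", now), NewZone("com.", now), NewZone("example.com.", now)
	ex.Publish("A www.example.com.", []byte("192.0.2.10"), now) // constructed (RFC 5737 range)
	com.Publish("DS example.com.", DSDigest(ex.Name, ex.KSK), now)
	root.Publish("DS com.", DSDigest(com.Name, com.KSK), now)
	return root.KSK, []*Zone{root, com, ex}
}

func main() {
	now := time.Now()
	anchor, zones := BuildChain(now)
	addr, err := Validate(anchor, zones, "A www.example.com.", now)
	fmt.Println(string(addr), err)
}
```

Two failure modes from the thread fall out of the model directly. Calling `Validate` with `now` advanced by a month fails at the first ZSK-signed record with the re-signing message, which is the state a signed zone reaches when nobody set up the cron job in step 4. Re-signing example.com. with a fresh KSK without updating the DS at the registrar (step 3) fails at the digest comparison, since the parent's DS, not the child zone, decides which KSK a validator trusts; the same comparison is what stops a third party from substituting their own signed copy of the zone. A validator with a different root anchor rejects everything below it, which is the root-key-distribution weak point kwark mentions.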

Dutch solution (2)

CAPSLOCK2000 (27149) | about a year ago | (#42730129)

SIDN (the maintainer of .nl) offers a small discount to domains that use DNSSEC. This was sufficient motivation for a few large hosting companies to enable DNSSEC across all their domains. In just a few days a fifth of all Dutch domains switched over. By now 26% of the .nl domains (1.381.790 out of 5.153.408) use DNSSEC.

And do you know why it's not widely deployed? (1)

grasshoppa (657393) | about a year ago | (#42730217)

Because the standards are a pain in the ass and most implementations are needlessly complex.

Re:And do you know why it's not widely deployed? (1)

bbelt16ag (744938) | about a year ago | (#42730287)

then fix it! whats your excuse now? and if you can't then complain to the ones who can.

Re:And do you know why it's not widely deployed? (0)

Anonymous Coward | about a year ago | (#42730415)

Sounds like you are ready for an entirely plug and play society. Well, welcome to the real world kiddo... people are constantly evolving into trying to break security, and it isn't going to be an out of the box (HOORAY MCAFEE!) solution.

Re:And do you know why it's not widely deployed? (3, Insightful)

grasshoppa (657393) | about a year ago | (#42730465)

Wrong actually. Security works best when it's simple. Make it too complex, or needlessly complex, and you open yourself up for implementation flaws.

Security implementation should only be as complex as needed. Added complexity only serves to compromise the security you are trying to achieve in the first place.

Re:And do you know why it's not widely deployed? (2)

nullchar (446050) | about a year ago | (#42730611)

Agreed. Implementing DNSSEC is a royal pain in the ass for the authoritative server operator. If it was easy, many would have done it.

Additionally, your domain registrar must support DNSSEC to list the digest records or even public keys with the registry so they can be listed in the TLD-root zone. Once you sign a domain, you cannot transfer the domain to a non-DNSSEC-implementing registrar.
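The digest record the registrar has to pass up to the registry is the DS record, and it is derived from your DNSKEY by a fixed rule (RFC 4034: key tag from the RDATA, digest over the canonical owner name plus the RDATA). As an added example (not code from this thread or from any registrar), here is that derivation in Python so you can check that what the parent zone publishes actually matches your key before and after the handover. The DNSKEY value `AwEAAavN` is a constructed toy, not a real key, and `example.test.` is a placeholder name.

```python
"""Key tag and DS digest for a DNSKEY record, per RFC 4034 (added example)."""
import base64
import hashlib
import struct


def owner_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1/RSAMD5 uses another rule, not handled)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]()
    h.update(owner_to_wire(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Presentation-format DS line derived from the DNSKEY fields."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def ds_matches(published_ds, owner, flags, protocol, algorithm, pubkey_b64):
    """True if a DS line (as published at the parent) matches the DS derived from the DNSKEY."""
    fields = published_ds.split()
    i = fields.index("DS")
    tag, alg, dtype, digest = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3]), fields[i + 4]
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (tag == key_tag(rdata) and alg == algorithm
            and digest.upper() == ds_digest(owner, rdata, dtype))


# Constructed toy KSK: flags 257 (KSK), protocol 3, algorithm 8 (RSA/SHA-256), fake key bytes.
TOY_OWNER, TOY_FLAGS, TOY_PROTO, TOY_ALG, TOY_KEY = "example.test.", 257, 3, 8, "AwEAAavN"

if __name__ == "__main__":
    print(ds_record(TOY_OWNER, TOY_FLAGS, TOY_PROTO, TOY_ALG, TOY_KEY))
```

Feed it the DNSKEY from your own zone and the DS you `dig` out of the parent; a mismatch in key tag, algorithm or digest means resolvers will treat the zone as bogus, which is the outcome the transfer caveat in the comment above is warning about.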

Re:And do you know why it's not widely deployed? (0)

Anonymous Coward | about a year ago | (#42731395)

Yes you can, just disable DNSSEC before transferring.

Re:And do you know why it's not widely deployed? (1)

nullchar (446050) | about a year ago | (#42733493)

Of course you can always un-sign your zone. But the idea is that we all should sign our zones to prevent cache poisoning or MITM DNS responses or ISP filtering/wildcarding, etc.

Just like most mail server admins have enabled SPF via simple TXT records, only a few of those have implemented DKIM which requires signing each outbound email.

I do appreciate the beauty of a crazy chaotic and somewhat democratic process to create new standards (IETF/RFC) and implement them laissez-faire style on an as-needed basis.

If cache poisoning or abusive DNS filtering/hijacking was happening on a regular basis and reported widely in the [tech] media, DNSSEC would be implemented rapidly. There's just not enough threat to cover the pain of zone signing. Also, we have to trust the root server operators to never lose their keys...

Re:And do you know why it's not widely deployed? (1)

gweihir (88907) | about a year ago | (#42730657)

Indeed. Security is even more dependent on simplicity and clarity than reliability is. Today, we have not even really mastered software reliability and then some people think a complex security mechanism is a good idea? Talk about really not getting it.

DNS is not a security mechanism... (3, Insightful)

gweihir (88907) | about a year ago | (#42730595)

If your security depends on DNS working, you are screwed anyways. That is likely the main reason nobody uses DNSSEC: It does solve the wrong problem.

1. The sane way for remote access is to require 2-sided authentication on connection, making DNSSEC entirely redundant.
2. For the open web, things are a bit different, but there you can land on a malicious page any time and the only solution for that is a non-vulnerable browser or a secure browsing environment.

There is also the small issue that DNSSEC is badly borked and a nightmare to install and maintain. In addition, the other PKI (SSL certs) is badly broken, and there is really no reason the DNSSEC PKI would fare any better if widely deployed. In the long run, it is very likely that DNSSEC is just a waste of time and effort.

Re:DNS is not a security mechanism... (0)

Anonymous Coward | about a year ago | (#42732095)

Missing the point. The internet depends on DNS being secure. Unfortunately DNSSEC sucks, and DNSCurve is from DJB, so neither are gaining widespread use.

Was it really that critical? (0)

Anonymous Coward | about a year ago | (#42731069)

If nobody's updating, how many compromises were there, really? Is it really all that critical? Or is it really a lot of FUD?

"Major flaw" is a tricky term (1)

jbmartin6 (1232050) | about a year ago | (#42731359)

How "major" is the flaw when there are few reports of it being used in attacks? People will change their behavior when there is a real reason to do so. Until there is an upswing in DNS cache poisoning, most will see no reason to go to the expense of converting. As another poster pointed out, there are plenty of other techniques attackers are using to impersonate websites.

Re:"Major flaw" is a tricky term (0)

Anonymous Coward | about a year ago | (#42731715)

Keep in mind that cache poisoning works during the TTL, and so can be intermittent. People might not know, and then if they investigate, it might be gone.

DNSSEC is a PITA (1)

FuegoFuerte (247200) | about a year ago | (#42732615)

And the Dans are both tools (Kaminsky and Bernstein). And to the guy who suggested hosts files with nasty scripts copying things to and fro, ummm... NO. Sounds like some of the horror stories I've heard of how things are cobbled together at a certain large Seattle-based internet retailer, and it's the kind of hare-brained idea a DevOps fan might dream up.

Saw your comment on hosts... apk (0)

Anonymous Coward | about a year ago | (#42733381)

"And to the guy who suggested hosts files with nasty scripts copying things to and fro, ummm... NO. Sounds like some of the horror stories I've heard of how things are cobbled together at a certain large Seattle-based internet retailer, and it's the kind of hare-brained idea a DevOps fan might dream up."

See subject-line above: This is far better & how/why vs. this threat -> http://it.slashdot.org/comments.pl?sid=3417867&cid=42729809 [slashdot.org]

* Beats the hell outta scripts by far, & is "GUI easy" to use (for Windows users).

P.S.=> Against this particular threat? It works, hands-down, AND, against tons of other malicious sites-servers/hosts-domains that are known to "f you up" too!

It gains you MORE speed, MORE security, MORE reliability, & even anonymity to an extent!

(See this short list of what it can do in a direct link to it -> http://www.start64.com/index.php?option=com_content&id=5851:apk-hosts-file-engine-64bit-version&Itemid=74 [start64.com] for a short summary).

Both 32 &/or 64-bit as well...

... apk

Quick thoughts from a DNS implementer (1)

MaraDNS (1629201) | about a year ago | (#42733253)

Really quickly:

  • DNScurve, as pointed out above, doesn't do nearly as much as DNSSEC does. In particular, DNScurve still allows "NXDOMAIN redirection" but DNSSEC doesn't. In addition, Bind, NSD, Unbound, and PowerDNS (non-recursive) have DNSSEC support, but there is not a mainstream DNS server out there with DNScurve support.
  • djbdns hasn't been updated since 2001 and even the unofficial forks do not have patches for all three CVE security holes in DjbDNS [nist.gov]. Since DjbDNS' goal was security, I consider it abandoned until someone makes a fork fixing all of the known security problems.
  • There are ways to make blind DNS spoofing almost impossible [maradns.org] without needing to add complex cryptography. Crypto, however, is needed when the attacker can watch the DNS packets that the victim sends.
  • I would love to implement DNSSEC for MaraDNS, but I would need $50k US to pull it off [maradns.org]. I would like to make it a kickstarter project, but I think people would rather just use Unbound/NSD (which, unlike MaraDNS, was funded with a government grant) instead of throwing money my way.
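The third bullet is the resolver-side hardening that the post-Kaminsky patches delivered: a reply is only accepted if it matches the outstanding query on transaction ID, UDP source port and the exact question, and randomizing the case of the name (the 0x20 technique) adds a bit per letter on top of the 16-bit ID and the randomized port. As an added example (not MaraDNS code and not from the linked page), here is that acceptance check plus a helper that counts how many bits an off-path forger must guess blind; as the bullet says, none of this helps against an attacker who can see the query, which is where signatures come in. Queries and responses are modelled as plain dicts with constructed values rather than real packets, and the 16 bits credited to the port assume the full range is used.

```python
"""Resolver-side matching that makes blind DNS spoofing impractical (added example)."""
import secrets


def randomize_0x20(qname):
    """Randomly flip the case of each letter; authoritative servers echo the question verbatim."""
    return "".join(c.swapcase() if c.isalpha() and secrets.randbits(1) else c for c in qname)


def make_query(txid, sport, qname, qtype="A"):
    """Constructed outstanding query as the resolver remembers it (case-randomized name)."""
    return {"txid": txid, "sport": sport, "qname": qname, "qtype": qtype}


def response_accepted(query, response):
    """Return (accepted, reason). The question name is compared case-sensitively on purpose,
    so a forger who does not know the 0x20 pattern is rejected even with the right ID and port."""
    if response["txid"] != query["txid"]:
        return False, "transaction id mismatch"
    if response["dport"] != query["sport"]:
        return False, "udp port mismatch"
    if response["qname"] != query["qname"] or response["qtype"] != query["qtype"]:
        return False, "question section mismatch"
    return True, "ok"


def blind_guess_bits(qname, random_ports=True):
    """Bits an off-path forger must guess: 16 (txid) + 16 (port, if randomized) + one per letter.

    Pre-2008 resolvers with a fixed source port and no 0x20 left only the 16-bit ID,
    which is the 'bad randomness' the Kaminsky attack exploited.
    """
    letters = sum(1 for c in qname if c.isalpha())
    return 16 + (16 if random_ports else 0) + letters


if __name__ == "__main__":
    q = make_query(txid=secrets.randbits(16), sport=1024 + secrets.randbelow(64512),
                   qname=randomize_0x20("www.example.com"))
    genuine = {"txid": q["txid"], "dport": q["sport"], "qname": q["qname"], "qtype": "A"}
    print(response_accepted(q, genuine), blind_guess_bits("www.example.com"))
```

The case check only works if the upstream server preserves the case of the question it echoes; a server that lowercases it would make every genuine answer fail this check, which is why real resolvers detect that per server and fall back to a case-insensitive compare for it.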

Oi (1)

Anonymous Coward | about a year ago | (#42733385)

DNSSEC has nothing to do with the Kaminsky attack.

The Kaminsky attack took advantage of what was essentially bad randomness in DNS resolver implementations.

DNSSEC solves the problem of DNS being plaintext (and consequently vulnerable to man-in-the-middle attacks) in the first place. If you want to call that a "vulnerability", it's one that's been around (and known) for as long as DNS; I guess ~30 years? Current internet culture requires more security so DNSSEC throws a layer of cryptography on top of traditional DNS; the same way that TLS/SSL/IPSec throw a layer of cryptography on top of TCP/UDP. Why not let TLS/SSL/IPSec solve the problem as they are used at a layer below DNS you ask? Because not everyone wants everything crypto'ed all the time (it eats up processing power), and TLS/SSL/IPSec don't solve the DNS problem in the form they are currently used.

As far as cryptography, DNSSEC has no known flaws beyond the standard complaints against PKI based systems (and no one's agreed on a way to improve on PKI).

As far as usability, DNSSEC has unfortunately exposed a lack of fundamental DNS/crypto knowledge amongst sysadmins. Adding to the problem is the fact that BIND/Unbound were messy to administer in the first place, but systems that automate the process have seen very steady development/improvement.

It pains me how uninformed the currently modded comments are. It similarly pains me that this comment will likely not catch anyone's attention. It pains me the most that I bothered to write it.

DNSSEC is badly flawed (0)

Anonymous Coward | about a year ago | (#42733757)

DNSSEC is a really horrible idea. Google for yourself all the critiques by well-known security persons. It's really really poorly designed, and should be aborted while it's still remotely possible. The DNS does need upgrades. In 20/20 hindsight there are a ton of pragmatic security, scalability, and general design flaws with our ancient DNS, but DNSSEC just piles more crap on top of the heap and makes things worse...
