Software

This host is DNSSEC enabled

4 June 2007  |  by Patrick Vande Walle  |  published in DNS, IPv6, Internet, Software

We keep hearing in the ICANN and IETF crowds that DNSSEC is unavoidable and that it is the way to go. These are the same crowds saying that we should move to – or at least support – IPv6. In both cases, the prophets are not always those who actually do it. While www.isoc.org and www.ietf.org are running on a dual IPv4/IPv6 stack, many of the companies working within the IETF do not run dual-stack web sites: Cisco, Microsoft, IBM, Sun, etc.

So, rather than telling others that they should run DNSSEC, I figured I should do my homework and run DNSSEC myself, without waiting for my TLDs to get signed.

The job is done, but it was no easy task. If you are looking for a simple button on a GUI to sign your DNS zones, move on. Currently, this is not for the faint of heart, which might explain the slow adoption path. Bind does include all the tools, but you first have to figure out how the damn thing works and use the right parameters.

I found a tool which made my life much easier. It is called ZKT. Once you have configured the header files to your environment and adapted your file directory structure to the requisites of ZKT, you can actually sign all your zones in one pass. It will call the necessary Bind tools with the right parameters. I have created a cron job that will periodically check which signatures need updating and change the zone files accordingly. Highly recommended.
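The periodic check the cron job above performs, shown as an added example in Python (this is not ZKT's code nor the author's script): it parses the RRSIG records of a BIND-style signed zone, one record per line, and reports which signatures are expired, about to expire, or not yet valid. The zone fragment, key tag and signatures are constructed for the example; RRSIG timestamps are YYYYMMDDHHMMSS in UTC as defined in RFC 4034.

```python
"""Report DNSSEC signatures (RRSIG records) in a signed zone that need
re-signing: expired, expiring within a warning window, or not yet valid."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample zone (not the author's zone): one record per line, in the
# presentation format written by dnssec-signzone. Signatures are placeholders.
SAMPLE_ZONE = """\
example.test.  3600 IN SOA  ns1.example.test. hostmaster.example.test. 2007060401 7200 3600 1209600 3600
example.test.  3600 IN RRSIG SOA 5 2 3600 20070704000000 20070604000000 12345 example.test. AbCdEf==
example.test.  3600 IN NS   ns1.example.test.
example.test.  3600 IN RRSIG NS 5 2 3600 20070610000000 20070511000000 12345 example.test. GhIjKl==
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 5 3 3600 20070620120000 20070521120000 12345 example.test. MnOpQr==
mail.example.test. 3600 IN MX 10 mx.example.test.
mail.example.test. 3600 IN RRSIG MX 5 3 3600 20070601000000 20070502000000 12345 example.test. StUvWx==
"""

# RRSIG RDATA: type alg labels origttl expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<type>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<origttl>\d+)\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)\s+(?P<sig>\S+)$"
)


def parse_rrsig_time(ts):
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return one dict per RRSIG line, with inception/expiration as datetimes."""
    sigs = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue  # not an RRSIG (or a multi-line record this parser skips)
        d = m.groupdict()
        d["expiration"] = parse_rrsig_time(d.pop("exp"))
        d["inception"] = parse_rrsig_time(d.pop("inc"))
        sigs.append(d)
    return sigs


def signatures_needing_refresh(zone_text, now, warn_days=7):
    """List (owner, type, status) for every signature a re-signing job should
    act on. `now` may be a datetime or an RRSIG-style timestamp string."""
    if isinstance(now, str):
        now = parse_rrsig_time(now)
    horizon = now + timedelta(days=warn_days)
    flagged = []
    for sig in parse_rrsigs(zone_text):
        if sig["inception"] > now:
            status = "not yet valid"      # clock skew or a future-dated signing run
        elif sig["expiration"] <= now:
            status = "expired"            # validators already reject this RRset
        elif sig["expiration"] <= horizon:
            status = "expiring"           # re-sign before the window closes
        else:
            continue
        flagged.append((sig["owner"], sig["type"], status))
    return flagged


if __name__ == "__main__":
    for owner, rtype, status in signatures_needing_refresh(SAMPLE_ZONE, datetime.now(timezone.utc)):
        print(f"{owner} {rtype}: {status}")
```

Run from cron against the signed zone file, a non-empty result is the trigger to re-sign; the warning window should be longer than the interval between runs plus the TTL of the records, so that caches never hold a signature past its expiration.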

The side effects of fighting Internet censorship

2 June 2007  |  by Patrick Vande Walle  |  published in Internet, Real life, Software

We all know some countries heavily censor what their Internet users are allowed to see. The reasons are many. Some point out the mistakes of the Great Dictator (or “Liberator”, as they usually call themselves) or criticize the annexation of territories or denounce the use of torture (sorry, this should read “physical pressure”) by the regime, etc. Usually, this means censoring newspapers and civil liberties association web sites, usually hosted outside the country.

Over here in democratic countries, we are often well intentioned in trying to help those who cannot access all information to still be able to. It usually takes the form of letting your computer act as a relay for the person wishing to access those banned sites. There are different technologies, one of them being Psiphon.

Forbes has an interesting story on the unwanted side effects of letting a remote individual use your connection to access banned content. According to Forbes, the Psiphon network is often used not so much to read the web sites of the likes of Amnesty International, Human Rights Watch, the Guardian or the Washington Post, but also to access porn sites.

This has led some people to leave the Psiphon network, because they do not think they should offer bandwidth for looking at porn material.
Fair enough, but one hypothesis the Forbes story did not investigate is that those regimes which censor might be willing to poison the system itself. Rather than trying to block the use of the relaying technology by technical means, they may find it easier to fill the Psiphon network with fake porn lovers, thus disgusting those who offer uncensored access. A quite effective way to prevent their citizens from accessing the full Internet.

IPv6 for the rest of us

30 May 2007  |  by Patrick Vande Walle  |  published in Apple MacBook, IPv6, Internet, Software

IPv6 deployment is in a chicken-and-egg situation. On the one hand, there is no willingness from ISPs and commodity DSL router manufacturers to include IPv6 support in their infrastructure or equipment because “there is no demand”. On the other hand, there is no demand because the average Joe Blow could not care less whether he accesses a web site over IPv4 or IPv6. It should just work. The equipment and infrastructure should adapt transparently.

One of these days, when there are IPv6-only web sites, Joe Blow will call his ISP to complain that he cannot access them. This may happen sooner than you think. The North American Internet Registry (ARIN) has issued an advisory to alert the community that it will no longer be in a position to allocate IPv4 addresses in the near future, and strongly advises companies and ISPs to look at IPv6 instead.

What we users can do is to stop waiting for the industry to get its act together and work around its limitations.

Most consumer OSes these days support IPv6, either natively like MacOSX, Linux or Windows Vista or as an add-on, like Windows XP. If you have the traditional setup with a computer connected to the Internet through a DSL router, the latter is being assigned a dynamic IP address. Your computer in turn is being assigned an IP address by the router, typically out of a private address space (per RFC 1918).

What we need now is a way to tunnel through the hostile IPv4 environment to connect to the IPv6 Internet. The specifications are defined in RFC 4380 and nicknamed Teredo. There is an implementation for Unix-like operating systems called Miredo. And for those of you who are uncomfortable editing Makefiles and compiling source code, the good news is that there are pre-packaged versions for MacOSX and Ubuntu Feisty (just type “apt-get install miredo”; you should have the universe repository active).
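What a Teredo address actually carries, as an added Python example (not part of the original post, nor Miredo code): per RFC 4380 section 4, the 2001::/32 prefix is followed by the Teredo server's IPv4 address, a flags field, and the external UDP port and IPv4 address of the NAT mapping, the last two stored XORed with all ones. Decoding one shows what such an address discloses about the router in front of the RFC 1918 network the post describes; the sample address is constructed for the example, and the RFC 1918 check covers only the three private ranges from that RFC.

```python
"""Decode a Teredo (RFC 4380) IPv6 address into the IPv4 facts it embeds."""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
# The three private ranges of RFC 1918, the address space a DSL router hands out
RFC1918_NETS = [ipaddress.IPv4Network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr lies in one of the RFC 1918 private ranges."""
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in RFC1918_NETS)


def decode_teredo(addr):
    """Return the server, cone flag and de-obfuscated NAT mapping carried by a
    Teredo address, or None if the address is not inside 2001::/32."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    raw = a.packed                                   # 16 bytes, network order
    server = ipaddress.IPv4Address(raw[4:8])         # bits 32..63: Teredo server
    flags = int.from_bytes(raw[8:10], "big")         # bits 64..79: flags
    # Port and client address are stored XORed with all ones (RFC 4380 section 4)
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "cone_flag": bool(flags & 0x8000),           # top bit of the flags field
        "external_port": port,
        "external_address": str(client),
        "external_is_private": is_rfc1918(str(client)),
    }


# Constructed sample address (not one of the author's)
SAMPLE = "2001:0000:4136:e378:8000:63bf:3fff:fdd2"

if __name__ == "__main__":
    for k, v in decode_teredo(SAMPLE).items():
        print(f"{k}: {v}")
```

For the defender's side, the same decoding is what a log parser or firewall rule needs in order to recognise that traffic from 2001::/32 is tunnelled over UDP rather than native, and which public IPv4 endpoint stands behind it.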

I tested both and they work out of the box. I am actually editing this post through an IPv6 tunnel over a straight IPv4 ADSL connection. Pretty amazing.

I did not test the MS Windows implementation. However, since Microsoft wrote the specs, I suppose it should be quite easy to set up there, too. Some tips are available at the IPv6 Task Force web site and Microsoft's own site.

What does that bring you? Well, first you will be considered a certified geek by your neighbourhood. More seriously, not much right now. What I notice is actually that my connection is slowing down. This may be due to the fact that tunnelling a protocol through another one is never efficient. Also, the peering agreements between backbone operators are not as optimal as they are in the IPv4 world. But at least, I am ready for the future.

IPv6 vulnerability in RHEL4/CentOS4

10 May 2007  |  by Patrick Vande Walle  |  published in IPv6, Internet, Software

I was reading this article this morning on IPv6 vulnerabilities and specifically IPv6's type 0 routing headers. The recommendation is to disable the routing of these headers, as they have no practical purpose anyway.

After doing some Googling, I read that this kind of header was disabled by default in Linux kernels starting with version 2.6.20.9. This server is running version 2.6.9-42. The workaround here is to filter out those packets at the firewall level. Fine, except for the fact that ip6tables on RHEL4 and CentOS4 does not include the plugin to filter out the routing headers. Hence, you need to recompile the iptables package with the ip6rt module enabled. That's just a small Makefile edit.

To make life easier for you, here are my RPM and SRPM:

iptables-ipv6-1.2.11-3.1.isoc.i386.rpm
iptables-1.2.11-3.1.isoc.src.rpm

Once installed, do not forget to add the following lines near the top of the /etc/sysconfig/ip6tables file, before allowing anything else:

-A INPUT    -m rt --rt-type 0 -j DROP
-A FORWARD  -m rt --rt-type 0 -j DROP
-A OUTPUT   -m rt --rt-type 0 -j DROP

Of course, if you are not running IPv6 at all, this is not an issue for you. And if you are using another distribution, your mileage may vary, as they say.
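What the `-m rt --rt-type 0` match above is looking for, as an added example in Python (not the author's code and not part of the ip6rt module): a walker over the IPv6 extension-header chain that reports any type 0 routing header, which is useful for checking captured traffic or testing that the firewall rules are in place. The packets are constructed inline for the example; the walker understands the hop-by-hop, routing, fragment and destination-options headers and stops at anything else.

```python
"""Walk the extension-header chain of a raw IPv6 packet and flag a Routing
Header of type 0 (RH0), the header the ip6tables rules above drop."""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58
CHAINED = (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS)  # headers this walker follows


def parse_ipv6(packet):
    """Return (src, dst, upper_layer_protocol, routing_headers); routing_headers
    lists (routing type, segments left) for every routing header found."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr, _hop_limit = struct.unpack("!HBB", packet[4:8])
    if len(packet) < 40 + payload_len:
        raise ValueError("truncated packet")
    src = str(ipaddress.IPv6Address(packet[8:24]))
    dst = str(ipaddress.IPv6Address(packet[24:40]))
    offset, routing = 40, []
    while next_hdr in CHAINED:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nh, ext_len = packet[offset], packet[offset + 1]
        # The fragment header is fixed at 8 octets; the others carry their length
        # in 8-octet units not counting the first 8 octets (RFC 2460 section 4).
        hdr_len = 8 if next_hdr == FRAGMENT else (ext_len + 1) * 8
        if offset + hdr_len > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:
            routing.append((packet[offset + 2], packet[offset + 3]))  # type, segments left
        offset += hdr_len
        next_hdr = nh
    return src, dst, next_hdr, routing


def has_rh0(packet):
    """True if the packet carries any type 0 routing header, which is exactly
    what `-m rt --rt-type 0` matches, regardless of segments left."""
    return any(rtype == 0 for rtype, _ in parse_ipv6(packet)[3])


# ---- constructed sample packets (not captured traffic) ----------------------
def ipv6_packet(src, dst, next_hdr, body):
    """Fixed IPv6 header (version 6, hop limit 64) followed by body."""
    return (struct.pack("!IHBB", 6 << 28, len(body), next_hdr, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)


def rh0_header(next_hdr, via):
    """Type 0 routing header listing the intermediate addresses in `via`."""
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in via)
    # ext_len counts 8-octet units after the first 8: two per 16-byte address
    return struct.pack("!BBBB", next_hdr, 2 * len(via), 0, len(via)) + b"\x00" * 4 + addrs


ICMP_ECHO = b"\x80\x00\x00\x00\x00\x01\x00\x01"   # minimal ICMPv6 echo request stub
RH0_PACKET = ipv6_packet("2001:db8::1", "2001:db8::2", ROUTING,
                         rh0_header(ICMPV6, ["2001:db8::3"]) + ICMP_ECHO)
PLAIN_PACKET = ipv6_packet("2001:db8::1", "2001:db8::2", ICMPV6, ICMP_ECHO)
# Hop-by-hop header (one PadN option) in front of the RH0, to exercise chain walking
HBH_RH0_PACKET = ipv6_packet("2001:db8::1", "2001:db8::2", HOP_BY_HOP,
                             bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])
                             + rh0_header(ICMPV6, ["2001:db8::3"]) + ICMP_ECHO)

if __name__ == "__main__":
    for name, pkt in (("rh0", RH0_PACKET), ("plain", PLAIN_PACKET), ("hbh+rh0", HBH_RH0_PACKET)):
        print(name, parse_ipv6(pkt), "RH0" if has_rh0(pkt) else "ok")
```

The walker deliberately does not interpret the addresses inside the header; for a filter the only question is whether the header is present, and the kernel fix the post mentions (2.6.20.9 and later) amounts to the same thing: stop acting on RH0 at all.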

MacOSX vs Linux vs MS Windows

27 April 2007  |  by Patrick Vande Walle  |  published in Apple MacBook, Software

I did some checks on the start-up time of the three operating systems I have on my MacBook. They are fairly equivalent in terms of functionalities. I could use either one to get the job done.

Comparison of start-up times between different operating systems on the same hardware

Operating System      Startup time   WLAN WPA start-up   Total     Shutdown time
MacOSX                20 sec         5 sec               25 sec    10 sec
MS Windows XP         54 sec         10 sec              64 sec    15 sec
Ubuntu Linux 7.04     70 sec         35 sec              105 sec   50 sec

Test conditions:
- MacBook Intel Core Duo 2 GHz, 2 GB RAM
- All operating systems set for automatic login with the user account

The job is not that difficult to handle. Mainly it consists of web browsing, e-mail and general documents. I have Firefox, Thunderbird and OpenOffice on all platforms. In the case of MacOS, I use NeoOffice instead. It nicely integrates with the Aqua GUI and does not require X11 to be loaded, as the official OpenOffice version does.

Further, with MacOS, I can close the lid of my laptop and know it will work when I reopen it. With Ubuntu, I have a 50% chance (risk?) of needing to reboot and losing whatever work I was doing.

I guess I have a good reason to boot MacOSX more than the other two.

Bankers are “Flashers”

23 April 2007  |  by Patrick Vande Walle  |  published in Luxembourg, Real life, Software

A while ago, I pointed out the very bad decision taken by Dexia-BIL bank in Luxembourg to use a Macromedia Flash applet to defeat phishing attempts. Competition being what it is, the number one bank in Luxembourg, BCEE, could not afford to sit and watch. They just copied the idea.

As was pointed out in the case of Dexia-BIL, the system is very user-unfriendly. However, customer-friendliness does not seem to be part of the equation.

Somehow, banks feel responsible for the fact that their customers are clueless when it comes to Internet e-mail. Rather than educating them, they think it is smart to protect these poor souls against themselves and their naivety. Or it could be the legal department telling the IT guys they have to find a way for the bank not to be held liable in case a customer would sue them after falling victim to a phishing e-mail.

So, again let us remind the banks and their customers how to fight phishing attempts:

  • Use common sense. A reputable bank does not send e-mails asking for personal information they should already have. Actually, a bank does not use e-mail to communicate with customers. They are convinced you are always available to walk to their branch office during office hours, and that you have nothing better to do.
  • Ask your ISP to filter out phishing attempts in incoming e-mail messages. The cost is low. Open source tools do a wonderful job at that. MailScanner and Amavis-new do it for free. If your ISP wants to spend a lot of money, there are commercial products, too. If it is unwilling to do that, there is still client-side software. But you should rather move to an ISP which cares about its customers. In the “ISP” acronym, “S” stands for “Service”. If there is no service, vote with your feet.
  • Avoid broken mail clients that display HTML by default.
  • Double check the hyperlink you are clicking on.
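The last item on the list, checking the hyperlink before clicking, done mechanically: an added Python example (not the author's code, not MailScanner's or Amavis-new's) that pulls every link out of an HTML message and flags those whose visible text names one host while the href leads to another, those whose host is a bare IP address, and those carrying user information in front of the host. The message and host names are constructed for the example; the host comparison strips a leading "www." and accepts subdomains of the named site, nothing more.

```python
"""Check the hyperlinks in an HTML e-mail: does the link go where its visible
text says it goes, and does the target look like a site at all?"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A host name written in the link text, with or without a scheme or "www."
HOSTLIKE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
IPV4_LITERAL = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url):
    """Lower-cased host of a URL (or bare host name), minus a leading 'www.'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def same_site(a, b):
    """Equal hosts, or one a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html):
    """Return [(href, [reasons])] for every link that deserves a second look."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        named = HOSTLIKE.search(text)
        if named and not same_site(host_of(named.group(1)), target):
            reasons.append("host mismatch")       # text says one site, href another
        if IPV4_LITERAL.fullmatch(target):
            reasons.append("ip literal host")     # no bank serves its site by IP
        if "@" in urlparse(href).netloc:
            reasons.append("userinfo in url")     # "bank@evil" reads as the bank
        if reasons:
            flagged.append((href, reasons))
    return flagged


# Constructed sample message (the host names are invented for the example)
SAMPLE_EMAIL = """\
<p>Dear customer,</p>
<p>Please visit <a href="http://www.mybank.example.evil.test/login">www.mybank.example</a> to confirm your details.</p>
<p>Or <a href="http://192.0.2.7/login">click here</a>.</p>
<p>Your statements: <a href="https://www.mybank.example/statements">https://www.mybank.example/statements</a></p>
<p>Help desk: <a href="http://mybank.example@evil.test/">mybank.example</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", ", ".join(reasons))
```

Only the third link, whose text and target agree, passes; the same three checks are what a reader does by hand when hovering over a link, and they are cheap enough to run on every message before it reaches a mail client that renders HTML.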

And if you are too dumb to do any of the above, avoid accessing your bank account through the Internet and go to the branch office for every transaction. At least, this will give additional work to the clerk behind the desk and maybe he will be able to keep his job, rather than being fired because “customers use the Internet anyway”.

Using Flash to defeat phishing^H^H^H^H^H Key loggers

1 March 2007  |  by Patrick Vande Walle  |  published in Belgium, Luxembourg, Software

Update: 2nd March 2007: The bank confirmed they want to use Flash to defeat key loggers.

  1. Key loggers are a “feature” of MS Windows, mostly. Well conceived operating systems do not allow the installation of such malware. The choice of the operating system is up to the user. He is free to upgrade to a more secure one. If he does not, that is his problem not the bank’s.
  2. On the Windows platform, key loggers should be intercepted by the anti-virus program. If it does not, that is the user’s problem not the bank’s.
  3. While the Flash applet may help defeat the key loggers on the Windows platform for the specific use of the online banking service, it does not solve the general issue of the key logging malware on the Windows platform in general. In fact, this would give the false impression to the clueless user that he is protected against key loggers, while in fact he is only protected for a specific application and not when using his credit card on Amazon or elsewhere.

The only conclusion one can draw from the whole thing is that the bank wants to be legally covered in case a customer complains. Security has nothing to do with it. The bank could easily disclaim liability in case the user does not implement the right security tools on his computer. It could, for example, disclaim liability in case the browser allows the installation of malware, which is typical of Internet Explorer.


Goodbye Sendmail, welcome Postfix

5 February 2007  |  by Patrick Vande Walle  |  published in Software

I had been thinking for a while of replacing the Sendmail MTA running on this machine with Postfix. The reasons I kept Sendmail for so long were that it just did the job, and also the polemics between Postfix and MailScanner, the spam filter I am using here.

The venerable Sendmail is a good MTA but, for the life of me, I never managed to understand the syntax of its configuration file. I ended up blindly adding rules, some causing collateral damage, and never quite figuring out what happened. The Sendmail team is working on a brand new MTA, called SendmailX, that will use a more understandable configuration file. It is still alpha.

I decided not to wait and go for Postfix. Finally, I have an MTA whose configuration file is easier to understand, that does not care about tabs, spaces and even commas and carriage returns. It can store its tables in a database of just about any kind you could think of: MySQL, PostgreSQL, SQLite or the venerable Berkeley DB. Adding SQL database support to Sendmail has always been an unsupported and painful retrofit process.
The later versions of Postfix now support the Milter interface as developed by Sendmail. This will allow me to add DKIM and Sender-ID headers to outgoing messages in the coming days.

Some unfortunate French friends have been hit by the fact that Wanadoo and Free ISPs are again on most RBLs. I am in the process of whitelisting them. Sorry. Désolé les gars.
To add my 2 eurocents to the polemics about Postfix and MailScanner : no, I did not lose any message over the last days.

Is the EU Council really excluding Linux users from its web site ?

6 January 2007  |  by Patrick Vande Walle  |  published in Software, Software Patents

An article on ZDNet UK is echoing the concerns of a group of Linux users. They are petitioning the EU Council, claiming that the video streams on the EU Council web site are unreadable under Linux.

Strange. It is true the files are in the proprietary WMV format. However this format is supported by both MPlayer and the Xine/Totem player. These packages are included in most Linux distributions. So, it is just not true that Linux users are being left out.
The fact is that the WMV format is proprietary, but this is a different story.

The fact is also that the EU Council's contractor for video streaming, i.e. Belgian telecom operator Belgacom, has demonstrated its own cluelessness. In its FAQ dated 1st January 2007 (in Google cache), they stated “We cannot support Linux in a legal way. So the answer is: No support for Linux”. This is mistaken of course, as demonstrated above. The newest version of their FAQ deleted the offending sentence. However, they still do not mention the fact that WMV files can indeed be played under Linux.

This raises the question whether one would hire Belgacom to do the video streaming, knowing the company is apparently not able to do the simple homework of googling for “Linux WMV”. The same question applies to the ZDNet staff writer, by the way. Can you trust an IT information source where journalists seem unable to do some research before publishing a paper?

However, I agree the EU should use open file formats for publishing information on the Internet. This is why most docs on the EU web sites are posted in PDF format. Soon, documents will also be available in ODF format, where they were previously only in the proprietary MS Office formats. For video streaming, there is still a need to do more. Do we have one open file format that allows live streaming and is compatible with MS Windows, MacOSX and all the different flavours of Linux and *BSD?

Update: I tried and it failed. The issue is not so much the actual streaming, but the javascript and AJAX put around the URL so that it displays in your current browser window rather than launching another one.

Jeremy Allison leaves Novell in protest to the Microsoft agreement

22 December 2006  |  by Patrick Vande Walle  |  published in Software, Software Patents

Jeremy Allison, the creator of the open source Samba applications, has announced he is leaving Novell at the end of this month. Samba allows Unix machines to connect to the proprietary, closed source Microsoft networks.
Earlier, Novell had signed a deal with Microsoft. Allison wrote “that even if it does not violate the letter of the license, it violates the intent of the GPL license the Samba code is released under, which is to treat all recipients of the code equally”. Allison added: “Until the patent provision is revoked, we are pariahs…. Unfortunately, the time I am willing to wait for this agreement to be changed …has passed, and so I must say goodbye.”

A man with such a high sense of morality must be congratulated. There are so many among the people I know who would find a way to justify indefensible behaviour by their employer, even if this means twisting their own values.


Disclaimer

This site does not reflect the views of my employer, nor that of the Internet Society or its Luxembourg chapter

SPF and DKIM adoption rate

  • E-mails reaching this server on 1 Aug 2010
    SPF enabled e-mails: 2.85%
    DKIM signed e-mails: 2.45%
    DKIM signed mails sent: 60

