Retrocomputing – Multics

For the past few months, I’ve been using the dps8m fork of  SIMH to create and run Multics, one of the first operating systems I ever used, and one of my favorites. I’ve also built a completely automated process to install Multics in “the cloud”, so that others can play with this piece of Internet history. I’ll show how that works in some future posts.

Around 1973 I encountered my first computer,  GCOS (AKA GECOS), thanks to Honeywell and Explorer Post 414 in Phoenix. After “we” “discovered” some quite a few security problems with GCOS Timesharing, Honeywell management and our Boy Scout leaders decided to move us all to Multics, as it was a much more secure platform.

Multics has an interesting place in computer science history. It wasn’t the first timesharing (interactive) system, it wasn’t the first to have virtual memory, it wasn’t the first to be primarily written in a higher level language, and it wasn’t the first to be designed and developed with security as a primary goal. It wasn’t open source, although every system did ship with complete source code, something that was not true of any other operating systems of the era.

But it was the first operating system where all these things (and many more) came together.

It is a proven fact that without Multics, there would have been no UNIX, and therefore no MINIX and no Linux.

A lot has been written about Multics, by the people that created and ran it. For background about Multics see:

•     http://swenson.org/multics_wiki/index.php?title=Getting_Started
•     https://sourceforge.net/projects/dps8m/files/
•     http://swenson.org/multics_wiki/index.php?title=Main_Page
•     http://ringzero.wikidot.com/start
•     https://github.com/charlesUnixPro/dps8m

Advertisements

Using SIMH in Google Compute to retrace my (UNIX) OS journey

After being introduced to SIMH and getting Multics running, I thought about using SIMH to retrace the steps (and operating systems) that I’ve used in my career. For now, I’ll focus on the UNIX and UNIX-derived systems.

Before coming to UNIX, I had already used Honeywell GECOS, Multics, CP-V and CP-6, and well as DEC’s VMS and TOPS-10. My first UNIX experience was Programmer’s Workbench (PWB) UNIX, which was an interim version between versions 6 and 7.

But after that I used 4BSD, SunOS, UNICOS, HPUX, DomainOS, SGI IRIX, and a host of other UNIX-flavored systems until finally coming to Linux. Along the way I help to extend or create two security kernels – KSOS-11 and KSOS-32.

So my plan is to bring up as many of these operating systems up as possible using SIMH, and focusing on the UNIX family.

Here’s the dependency graph of what I have in mind to begin, and it’s a roadmap for the rest of this series. I have no idea how long it will take, or how far I’ll get.

To date, I’ve got Multics and V6 UNIX, so I’ll show the tooling for those first. Using this information, you should eventually be able to run any OS for which a SIMH emulator exists for the CPU, and for which you can find a bootable or installable image.

A low tech way to get a mail server blacklisted using victim’s own forums

As they say in the military, “If it’s stupid and it works, it isn’t stupid”.

This is a low-tech, labor-intensive way to get a victim’s email server blacklisted at a major public email service, using the victim’s own public forums. The email provider was very helpful in getting this sorted out, and it’s not clear that this “attack” is specific to them.

(This situation can also happen “accidentally” if a number of users subscribe to your forums,  change their minds and then report the notices as SPAM instead of unsubscribing from the forums. That doesn’t seem to be the case in this instance.)

1. Sign up for a few free email accounts with a public email provider. Get as many as you can, perhaps at least 20. Get some friends to help you. More is better.
2. Go to the victim’s public forum servers and use each email account to sign up for one (or in some cases more than one) forum account per public email account. This gives you 20-100 forum accounts. Let’s use 20 as the lower bound and 100 as the practical upper limit.
3. As an alternative, if the forum doesn’t use opt-in confirmation, just subscribe a few hundred random people to get the forum notifications. Let them do the work for you.
4. Set each forum account to send an email notification for every forum update, or as many as possible. Some forum systems allow you to “watch” individual threads, some allow you to “watch” the entire forum system, getting one email for every other users’ post.
5. In a moderately large-ish forum system, there could be perhaps 1 update per minute, so 60 per hour – that’s now 60*20 accounts (1200) or even worst case 60*100 accounts (6000) emails per hour going out from the forums system, perhaps through the victim’s outbound SMTP server. Either way, the target public email system is seeing a lot of email coming from one domain or IP range very quickly.
6. If the rate alone isn’t enough to get the forum or SMTP server blacklisted, then go into each of the public email accounts and mark ALL the forum notifications as SPAM. Or if you subscribed a few hundred random people to the notifications, they’ll do the work for you!
7. The combination of high email rate combined with the 1200-6000 SPAM use complaints should be enough to get either the forum server or the victim’s outbound SMTP server blacklisted.

Note that each and every part of this situation is working as intended. It’s only when they are combined that that you get problems. (Unless the forum doesn’t do email address opt-in verification, in which it’s all on you.)

This “attack” depends on these things:

1. lots of manual labor, either by yourself or with some friends, or even some random victims
2. a forum system that allows one user to cause the system to send lots of email based on the behavior of many people
3. a moderately busy forum system
4. a public email system that is biased more towards rate-based and user complaints than message content
5. a public email system that the victim’s user base depends on, as in “must communicate with users in that public email system”

Fortunately, this is relatively labor-intensive, and not amenable to automation.

Countermeasures are left as an exercise for the reader 🙂

2018? Wait, what?

Wow, I’m behind. It was a busy year, and not a lot going on that I could really talk about publicly.

The recent meltdown and spectre bugs have brought back some memories from Orange Book days. I’ve also been spending a lot of time thinking about “IT transformation” and non-technical stuff. I’ve also been to the UK and Japan, twice, each, which may become the “new normal”.

Let’s see what happens in the next 12 months.

 

Upgrading my personal privacy one small step at a time

I got my start in computer security from the personal privacy side of the equation. Revelations over the past year have made me realize that I have become complacent, and it is time to upgrade some aspects of my personal digital privacy.

My first “paper” on security was an essay that warned that “someday, the government and large corporations will be able to search and manipulate hundred of millions of bytes of information, giving them improper leverage over individuals, who won’t have the same access to computing power or storage”. I got a B. My high school English teacher said the writing was very good, but she couldn’t accept the premise 😦 That was in the late 1970’s.

I’ve had, but rarely used PGP/GPG keys for email since the early 1990’s. I have friends who probably encrypt about 10-25% of their email, and sign almost 100%. Others encrypt and sign more, or less. Some are more consistent about this, some less. I felt that this wasn’t necessary for me, as I was a small enough needle in a large enough haystack, that “computational privacy” probably wasn’t needed in my particular case.

I’ve run my own email servers on my own hardware, off and on, for years. I’ve done the same for personal web servers, photo galleries, and other personal storage. Over the past few years, I’ve made much more use of hosted services, like Gmail, and WordPress.com (for this blog) instead of building, maintaining and securing them myself on my own hardware under my own physical control. I’m going to have to re-think some of those decisions, I guess.

The Snowden revelations, coupled with high-profile cases of seizures of data and equipment from hosting providers, and the inability of those service providers to stand against the abuse of certain government powers has led me to believe that it’s time to step things up a bit.

I want to upgrade my personal privacy stance over the next few months. I’m going to have to re-learn lots of the details of encryption, look at products that didn’t exist a few years ago, look into newer encryption algorithms and key search technologies. I expect I’ll need to make changes in the way I use email and the web and in general communicate. There are a lot of good resources out there; I’ll share what I find.

I don’t plan to wear a tinfoil hat, become a crypto-anarchist, bury guns and ammunition in the desert, or buy gold. This isn’t going to be a knee-jerk reaction, just some slow steady Kaizen  to improve my digital privacy.

new GPG Key

With the recent revelations about privacy issues in the United States, and new recommendations about algorithms and key lengths, I’ve generated a new GPG key.

I’m also providing my prior public keys in case anyone still has old email encrypted or signed with those keys.

Here is my most recent key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
mQINBFLspJ8BEAC7NMUlCttCzSOGI9V0+13uhXmd7rMHksBwZIJJ3kFgJpymJMq5
fnshgIn3i59OIjYeDlmpPMjaTpiL3dQ8WgeQm/J2r0aJeaR3D8gnOqDr6W2VkCNE
6u+y10EiY0kF1WQTnAM2U3SkW+fPw1DBR5+KwMx0jrDoJNvbD6dYzd2TCQo4sN8Y
nGr69NZ2xI9OPHvlluPWfBOHuoB5SEUpI5c/8HHRFgXS06iAyEpystu3ebZDUZaA
EuyEovxygqanwwdsOYpP/aZWbz/UnoyRMvVrHnHphgKlsVvNue41Z9IGGqyd6okM
YBkyS9Sh7cfm9gfQpjuS1hpU03i8D7bsml8SonCgJ4FG3thw2aTfjFm0ZJq+gQNk
4qMb0U7EHkIOJgyWwS+/1tJA3teUuoBHqbFRcc2W2qUv1Ezyz0Z99Rp0NwmO0AZq
muxk/ZT5R3d7ihy9qKhLcfWJoyXzE0meHPhjIGldx1o5xtXmCMX5/IgE9j1u7LVo
NsI27KQoj/ORxsolZZFJjfvvARujm9Vdhon2MxvrfR1Bt+1PTQuX+tD0eGIztdaZ
ZhZeALU00DaDLkVYQlTBLGl6QB3Nh2YDDaEIo8sfXbSeGdSrIK6d9tgoh/UE7QaO
YlxwAXCMys7uqijXSgsYbah9qVHL0Sd1tS4HmzJj8/6nzmXwZoIxUuDCAQARAQAB
tDBUb20gRS4gUGVycmluZSAoSmFuMjAxNCkgPHRvbS5wZXJyaW5lQGdtYWlsLmNv
bT6JAjoEEwEKACQCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlLsrhECGQEA
CgkQcMP7B3sV+GVeAQ/5AWXXwyVbR9/n8AO2pAVJeHXz6o3PlI7NsOya7smWrbnT
b/GF8pepG6MJYnJScWTu0x9VGwZEgRjb7r56AkIngstWwa7Xc5TqmkAYM8VilvZp
2idPiw+95Id8YU/GzeyM9kFk4rkNlmj47ePKqZk4wiB0zr6q60UYh4xOHKL9ESMp
pa4vKIKaYRyDjekYlerGTNmgBadW0G5ScxAdHP6XYyYYNKEPdTS9+T3GrdQLIDuR
KrTKoeoJ6PdcCy5LKJOrrYWAvom5MrE16e/NMs8RwubQimRwGEvnCoqLtseW4hpT
RlMH8ey1nY0cGiadVi7cMYBw6R4MdmqwGKC/vu8C1OipWqs7l/Rh7J4G32p6qZ67
6JtFhtpdEYcqTq/G+MvLZTK5qZeXctS/C5Y+kUCqT/nRnuC34crtW3jqvLWSkkRx
gVgXGempUFieGuiDZfImJJMEGL29jETscCzOVPxDnKA6t+Chah7Q2J9rU1+Nbk6e
S3PHiNSGrvoeGgP9/dtfgOb5/8Env6m+dH0BRSnXJXtuZtfyIWswbdTqW0EZkkuF
Y+pzuFnmUpNQKc7GXYo+ZkSWaUb9QeMhWKQmCa5wZ/lPwHk913S387MtXchby425
Xjn+xiuSnTuMVNr11LVmUlZXHk8tQrmProTEWTxgHxLQpfFVXA6X30wlzFDUadmI
RgQQEQoABgUCUuynGQAKCRA+7nd+FwgS4KauAJ0XmwH3449fm6wm2OYFJC6ZbMiV
bwCdFbZ1MBP1Yx2n7G7aijtHLToutua5Ag0EUuyknwEQANMog3yAdVIou/QVIElO
pF/S9H6G1yv2YZTe34W9VnEKj0ImNVOJjkWXqNapC673YSy9l1T8np6l+wNGs2WW
LZp90d6CUJC8DjFkRpWVCfjJaWfrLatVt+HlK6k4kZFy/uH1trYg+gHwBsgEX8SM
Hnqr0GhG6M+lrGYpCcJi7/4y5geV+j2FK5L8RD1hjcev9NC3++ESNiyf3cyL4RY0
69tGJk26T5nmuRRcHGDiKEk91JFpF9mVhnb9zuywuw5lzv5+n9ye0q7hIJWUqJRQ
boVy/HoQMTcJha05Ce0QNdoZoBBmsoMeYu492Hzqgf6FoOMcy9glxvkTgjWpSxMB
6B7y6OH+dFXoqsBSaE6dqf7lWFxjl57LOaUM0ccLLi0eBDdkYmsICVHIm9J+6qaX
0z3eRRa9Fopb0KkaM2etuTeFdNSKlzg/iXvyXi3YWqz7+cgpHR4YmwyhF5ZMby+q
on72Wd+YfNCUD3W27E4i4y8cLRs03U6Amf5iEErM1EW7Bghq0oOQYnkc+NyRDpQi
qp+4Y/74kTAE49BLvRiNsLIuF6TWTqzc7WGFi5flUwifKiNKwJwuOMwBUSiPse2x
5G2nB4sOvMwzCpDqMpaYEPjkwfd6onVIN+L26BXilXP1YgpOnbxilv53ZzJoGcAJ
ZIxihdWIQDwpQnoIdlll2tmdABEBAAGJAh8EGAEKAAkFAlLspJ8CGwwACgkQcMP7
B3sV+GVwYhAAp+06MYAfjazrHdiOCXTJFW9YTO30B6sb/Dkp8k+EJCaMt+DFZLaG
A9gXM4AtC04tv83NTWHoS4qtrnzWeb/FYILHjFZK/cMxl20ou02640aX91rHFYSe
ADT35bL93CwJao13IxkXUm9QvyU/v0N8pJSeJjm4JjBC8P9X0lsL+ntGwwyCj4Px
KqZMzZKAf6pPM1/lI6AkixtxPAnZx7HCHRxCquuhsoZUJ0tn4Z+pETgLj6SDsi7b
aj8rK5d27H37hcrWqn4rN/xlsrTUL0eUVN8p8osTR0Dm53jduYo076rEKYMn5lyj
XUBE2CLcqCcbNLesB/QXn3oDBhr46dMXFqRLyv+SIX+Gis6uSyhVgyTocJnktwnL
Aic0tFqc09bICBCTKSBaHADPyhbboQQzT0IlBcEb2Shhy2r2Hl6mwbG4bbS94dol
ynEzAhc9j2/A5NLnv7Vzpte93hL4dwOQ1V4twyuQH9206RJKqEt+3nbXmMOrkCpO
YXyGkE0H88Nr5KkYgo81ByveW9U39ABSfaxdYdCDO37J0Q9D9Ua9G7ZgFPFfhsAl
fZ8CNfGS/Re5BqVDYZ+b60s4fBQUpY0vXoN8/nsnqXhmaz+NgbAbWuTXuDu6+tMj
ZJZVI7IOPvnfytZXBBqEu1j8EsdQMRR8vreglclfcqynE78evHv1X24=
=SE+1
-----END PGP PUBLIC KEY BLOCK-----

Here is my key from 2006:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
mQGiBEQSETMRBACWXd8/2l0AJqquyaYooKFs+qvrDv6Sa/UJrlFHxiKCTMp3l5Np
Ok7YTcuMY7fzMTv1Hidwcr2qkUHGPtxVbtG/Y3cwrZxzIflO9+5X4j28O8uIxe/8
unC5LsFAl5qDBbjDjQTAXSHdmFhQaKbinV1Yelue6AWFnWXWHyFMM7UqEwCgsrVV
p3TuW8t9/8sCHqt0bE+4OxED/inPmmHYx8PqxuCR7C8Z/NrAYS9lttlq9eY8AapL
T0gpF0V16YJbWpHglAEKRkDVN5/8J9QT8tbc85JpnZ9iG09nKk+ajGiF0n281RkO
0alDnOk8CF3q+BWv3xKrn4p2q0gSryHp8wRwZIMHWvzqgOSOm0Cjm1aAlb3Rfjvv
hHGrA/0Vpu8cQ4zRP5ZXX3p8kdYYXWjX0j4F5TOr/8Ekgq1/OTGNEaLhj2PD28Ao
hpWL3ulffXCVkWF6Pe5N5ik2aYu0deL+ofgHu7cAo5n9gSjpCfGeFK8AZRnX+dvy
8lx+ig70DYrV0v0Peyr00pYnHs8Uaf6/0pkiG4UHyC2LU28PX7QbVG9tIFBlcnJp
bmUgPHRlcEBsb3BzYS5vcmc+iF4EExECAB4CGwMCHgECF4AFAkQSHDwGCwkIBwMC
AxUCAwMWAgEACgkQPu53fhcIEuDbpQCfd/tPxdDqHpXDsV0l0XTsJx61dZoAn0JV
pLJCj72K7OtY6U1XCWzg/PnniJwEEAECAAYFAkQTvXMACgkQpFCQLAnT5k3NnQP+
OhyAkSRgRHeFaYuc+TB/dRJ/lMtVLsbt4qfdEoAUKIauokgGvta6J8HRCZOh7/ko
7R9XDBSpEihw6qYwDD88OlobZJlDvu1QgfVgreft6URbzUUSMq+2blr9A6vrKayn
tyc6Xnrfyb4nn6tEVBjKNBzYr+H6hQH9xC/7uK9To5CIRgQTEQIABgUCRBXQdQAK
CRDdom9SQKd+Jt5oAJ9/OcWut3OQKywQcZkBfz4yr1n/5gCfbFFbyzXNkGRSXeve
om+fIoklGZiIRgQQEQIABgUCRBWI8QAKCRBjG6gPu3lAiU6UAKCpzbs5GFlahheX
HLjlwiRYTZTa/gCguT2R1cQHm7ngSnxm431BEsxXDy2ISgQQEQIACgUCRBYYIAMF
AXgACgkQUfAt06xxHoKUCgCdH7YYl2OrHMAsQ2t6xNrP3iPlKVoAoKP/mM2HPMQq
Sd4symHcxU6WqyJWiF8EExECAB8FAkQSEpECGwMHCwkIBwMCAQMVAgMDFgIBAh4B
AheAAAoJED7ud34XCBLgLqcAoLKtXuz5TO40FHGUfkXl/52wCQ/CAJ4inFwDnXzP
3xu2FbTmuvEmsu9dxLQaVG9tIFBlcnJpbmUgPHRlcEBhcnBhLm5ldD6IWwQTEQIA
GwIeAQIXgAUCRBIcQAYLCQgHAwIDFQIDAxYCAQAKCRA+7nd+FwgS4AvDAKCKxydL
s1IEBh8PF7lT7rC1YlNfLQCfcxrve/6swAKw50OaMFndWbx/aXGInAQTAQIABgUC
RBIRXQAKCRAU0saVnGgBUbsHA/9H59r4Xtsmbaa9RC5UE3jGg8yEd4lGAg9xLKjP
3g/Jpm+Y/D57TXTzGCffbyPjMrnMJzOo1aBxc2cO28+tCV3Dn8Peqh1wJFmD/OGt
YDZnvTH7pGulxg7n6zaFPfzV7vqykbd6d3cLN/kU2LVzOmVR9BQ+1EyyZyCVKf58
H/rmHYicBBABAgAGBQJEE71yAAoJEKRQkCwJ0+ZNw+UD/i5Hj8ZVQ8wzkCmBMgId
rv/oH1pDZSamOuz733lgY0oJ1sol2hKDB7F+tOrv3+BeZ8CoyR5XmD15L+o35lXd
jpgxPfWbwPzBV+b/QLkMRZSUyIqUhl6rJLp0AbouGrQ+vQ1nIkfFNe/S3Ag4L3yb
hg9kgcigfnBAtn/kxZbXhHuyiEYEEBECAAYFAkQTvkwACgkQ5r/NLxCBo3zmPwCe
MfbDozk77VZeydwdBqjz4X+2A54AnR+uGeLSfgEqXvu2BnwebmZ3gAS3iEYEExEC
AAYFAkQV0HIACgkQ3aJvUkCnfiZWagCfXuDf07S42+EEVKxQZwZQRqH9OxIAnRc2
/8S5EXIThxUPK4OwyhjyilADiEYEEBECAAYFAkQViPEACgkQYxuoD7t5QIkAYgCf
X5UliXq7EE6xAE1Rgwmwh2OaPC8AniKyYN5T2mUYQ0xx1EuRBXX8yR4xiEoEEBEC
AAoFAkQWGCADBQF4AAoJEFHwLdOscR6ClfsAoLKgwdwnoDEWLjnFElPno/5N5f3l
AJ47joWAdiYt9YCzIeMw7FKnoQuYrIhcBBMRAgAcBQJEEhEzBwsJCAcDAgEDFQID
AxYCAQIeAQIXgAAKCRA+7nd+FwgS4EPyAJ4+FptOUmrydpLnD9WJdSrP1jXwRwCf
fGV8PkBZ0b13yEtEkYbCqWiZmO+0H1RvbSBQZXJyaW5lIDx0cGVycmluZUBzY2Vh
LmNvbT6IXgQTEQIAHgIbAwIeAQIXgAUCRBIcQAYLCQgHAwIDFQIDAxYCAQAKCRA+
7nd+FwgS4FoJAKCoyxkwEduJgLXjiRvsZmd/5/d32QCdEQhbXVaSt1x9A7vCkQ6a
2BhG8CaIYQQTEQIAIQIbAwIeAQIXgAYLCQgHAwIDFQIDAxYCAQUCRBW5YAIZAQAK
CRA+7nd+FwgS4AEnAKCNpNXpffvHs9LVzDT8RgKCoIdrxgCgnPSOvzp6QWzfF8vh
vCh2J0hqOoeInAQQAQIABgUCRBO9cgAKCRCkUJAsCdPmTTuRBADIr5QfAQlujHyy
KEgalv4XkrfW8J9v5BTE34xFJ7MXhNGah1Bs7rvhSFWeAOw711/W22IpoTdbYqAd
8++LqQKjdoITF8M5lw3Q24zAgd3sEPxSMn18V+X+RPcY9GPvrAlfck+I0g8sdyGV
PSL8Vho/DqS2o33PWYm0Pl+C5xG8BYhGBBMRAgAGBQJEFdB1AAoJEN2ib1JAp34m
GcYAn1XhdRqkyO+UOqeMsELX+bwdHIj8AKCMF6r0HBY4XUCA5MaaYtVBnf4tfYhG
BBARAgAGBQJEFYjxAAoJEGMbqA+7eUCJ65wAoN0MOKv7alZUhlqVH6zT4sU3gKVl
AKDDsua/iPrwuFr53jraEyb/b3vgwYhKBBARAgAKBQJEFhggAwUBeAAKCRBR8C3T
rHEeglsEAJ0WPqMu9ziqGd/LicnVy8XpsNQeIACgqqsywmB+H++yGwhgWDVcxGJX
Ll+IXwQTEQIAHwUCRBISKwIbAwcLCQgHAwIBAxUCAwMWAgECHgECF4AACgkQPu53
fhcIEuDFAwCdHoek533QesV5TLAoUUyXbkNkYdYAn2yZ1xevYyMq1oVu8Sa182vR
47pptCFUb20gUGVycmluZSA8dGVwQGV2aWxtaW5pb25zLmNvbT6IXgQTEQIAHgIb
AwIeAQIXgAUCRBIcQAYLCQgHAwIDFQIDAxYCAQAKCRA+7nd+FwgS4AriAJ41kQev
MJ9PQB/4GZOtPiM/ta+kpQCgqJLEztBwOFfjva4HufR0SCptyaCInAQQAQIABgUC
RBO9cgAKCRCkUJAsCdPmTUUaBACKy5cp7lWmdSaJkevqjMXvlBrCECj1RqLfzVfT
aJQtL7smCb4QKonU77LyO9Ppe3pRCeyEEtwPJYcfWBlpKuCdBzE+teecOp3pSXjp
U2ZR3HPcNOOJvB2JOaOuNZMNS6V+Z2D/oSKGnYgzEd/hlvdUO1y3yDNV7imOqrMC
zhFbAYhGBBMRAgAGBQJEFdB1AAoJEN2ib1JAp34mukoAnid/4xgCA2foC3PPSv6B
MajVLNJaAJ9+k5x/XJNVO7SVkvp/xMbplsXTD4hGBBARAgAGBQJEFYjuAAoJEGMb
qA+7eUCJEcEAoNeSzqICrvXcB+Zs0A9Dq3yOxaoeAKCD0CKiddS1cWHLkfCL5oPl
DqEga4hKBBARAgAKBQJEFhggAwUBeAAKCRBR8C3TrHEegjhWAKCttLLaF8R4K6Yu
8vmE15qNZ3H8xQCdEjcOQ5mSO9qBu/af63fQUkwi7QmIXwQTEQIAHwUCRBISRgIb
AwcLCQgHAwIBAxUCAwMWAgECHgECF4AACgkQPu53fhcIEuBA+wCcC2+Q69vPGck6
nomHIcXi6cQCe1AAn02Xx2+xRtFSz7Fs/kiHgzOlz23ktBtUb20gUGVycmluZSA8
dGVwQHNkcml3Lm9yZz6IXgQTEQIAHgIbAwIeAQIXgAUCRBIcQAYLCQgHAwIDFQID
AxYCAQAKCRA+7nd+FwgS4C3PAJ0WO/CkgSlStNsbw/ZPFbQzWtGX1wCeO4V4sk9M
O5jxBwv/u4sBQcgjEUOInAQQAQIABgUCRBO9cwAKCRCkUJAsCdPmTVNdA/0ejMoi
B55LDFCaExPOHhLFezVvhCAqAz+Ks87Fhuvv3hHiKTvN0n38zRYrLN+r3Zh48Ih1
OoW8bJqUSsr8y07Alv4GZndCvidE8xWaCUgbk0zBo78ArJ3pcRIuF8hk/uLqmXs/
ATrYBuHsIFd3iOS9tWbf7wCmRWuadyRrNEhKOYhGBBMRAgAGBQJEFdB1AAoJEN2i
b1JAp34mn+IAn2P7M48r5ZMKgyAK2Cjn1jcJZljfAJ4nCXUN3Ab5YQkXVCsvFVGV
0JbF24hGBBARAgAGBQJEFYjxAAoJEGMbqA+7eUCJvnAAoIMpPk3fhxxRTuNBvaWf
LUfkUwP8AKCTzG+wOo+eZ61aRZTf//Run8Fq6IhKBBARAgAKBQJEFhggAwUBeAAK
CRBR8C3TrHEegnMRAJ0TPsy9KWCrr2lUj+79krHXgw2N/gCfdcE+mfhZyN4L+q3J
RuVbjAU2/iKIXwQTEQIAHwUCRBISZwIbAwcLCQgHAwIBAxUCAwMWAgECHgECF4AA
CgkQPu53fhcIEuAsngCgnnvQ/moMpUzXmepqIblB0CwdikYAn3lKx86ZT9ZuACre
PsfgZWtyS7dgtB1Ub20gUGVycmluZSA8dGVwQHRodWt0dW4ub3JnPoheBBMRAgAe
AhsDAh4BAheABQJEEhxABgsJCAcDAgMVAgMDFgIBAAoJED7ud34XCBLgczoAn0+H
bdwszcpUeC99gXMKT6WTe5lrAKCsTlkEzB6+VzdHXwZjYc73bsK4aYicBBABAgAG
BQJEE71zAAoJEKRQkCwJ0+ZNyyQD/0BrmB8a6Bgib+dJncgzVxgChTJfZFM5W/tV
b/3KYcGgElCxKvgXhYsQJz9IM4npQWi/g9+ESrmRIDdoj/sPQZ2Y+wtbOxXu1T2c
jkUacfMYb5uW1TbTjfDTnABvsYoKu9txQgNqH+tx4K6lBaA4Ja06seuLBz12GB/V
To0gQd0GiEYEExECAAYFAkQV0HUACgkQ3aJvUkCnfiY8+QCfZ3gr3nXzZMklFNen
zMaPbSsdTL4An0tseCWvpdOSz2r2m1rzZ3d4c9bViEYEEBECAAYFAkQViPEACgkQ
YxuoD7t5QIk7PACgvVYeR/JODli1ZeEV8n7GOhUceFQAn1jMUaf9FOWNtYHzFwmK
J4xmHZVPiEoEEBECAAoFAkQWGCADBQF4AAoJEFHwLdOscR6CPEEAn341yon4r1+L
wjMiqSXWtELne0dGAKCnRNLM6JYs6IDPOdzG/qAPFcSjxIhfBBMRAgAfBQJEEhJ1
AhsDBwsJCAcDAgEDFQIDAxYCAQIeAQIXgAAKCRA+7nd+FwgS4Oh/AJ0fsMR8foMb
41/+/YkFikOKV9F6GQCgkNEfvxuyUdiFHeVuQxGGRc2kgoO0LXRvbS5wZXJyaW5l
QGdtYWlsLmNvbSA8dG9tLnBlcnJpbmVAZ21haWwuY29tPohgBBMRAgAgBQJL/rdf
AhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQPu53fhcIEuD3QgCeLgk4dIl5
QjSJ4U5afh4aIUtl9lEAnR1xHBxOjBJkJOyUIUQWfJLaVDlguQENBEQSETQQBACV
m8Qta1Sv0Nr2EDUxcUx1/Tuzh1EygSYKFUIiIXDctfe63bIeO/YSu2BKJ1u/IdGa
bT/5wGNdzmxmHqm61ZyCCISM2zmYCCDfVBCam23Xk7QXLnluud5BwLAvnsjdk0y8
N8dvZz/AKBalG/uijEL2O3GWglpcDt+L5qFbin135wADBQP/UsBHpz0ByNgMPV++
LPUUWro2+Rvj0E7wf5g8teAcrIrIsxQ40jnQfHfW0w/mMKS5cfqyMjIkCqM9yUmQ
MVxa7F3OT+7dXa2MoM71J11Mnub8SmzLaNGrnKbwDBYD1Thw/DnwDQcgK+ehNqt+
YB72QVV2fvbduI5rfylqKV0Yj1uIRgQYEQIABgUCRBIRNAAKCRA+7nd+FwgS4ON6
AJ9Cs/Ct+tNugkzqd8DTSU2ETJaAtQCfTOBeR9XFAB902TW361129iPswbE=
=IVpW
-----END PGP PUBLIC KEY BLOCK-----

Here is my original key from 1996:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
mQCNAi2Ax94AAAEEALlglEMTuVebDOrthGmj9wCaHFw/W0m+WVYTjvQk9ct7xJcP
E3dp0Xdq3E/CNJCY8P/zrPcbSvgzaR5WY1xTSihmMFMJFbqJ0FAB4c3lWpoRRXWx
GpsQysXF/jQT5pUXE/wsClXFM83CkqSQNRBE6RBMR0Y65GQNMxTSxpWcaAFRAAUR
tBpUb20gUGVycmluZSA8dGVwQHNkc2MuZWR1PokAlQMFEC9nSh2Nn20OMr4bUQEB
TRgD/00eOvoF3fQFwgfL5jz5N2QGik+AaUPgt+KnujAINcAum0VIoyv+ZtjuccbI
efLqmmlpIxnFxK9m+rqdgrtXw2LL/5fgCwUCYom2WB/d6OmsPMZLOKhsYJ1xNBdF
qYpAH1WD2w3nY5U3VpinLxlvNzKKrbNeGdtPbiHwCoLvz6sbiQCVAwUQLy5kvpME
DvqCGoWtAQHtjQP/RmIGjDf84Bpv0mkDFbbvbhnYdgutFEOkOne6vMKJ+3sJTdsi
EEZdeDytidqvdHpkMtVkiOj/kBWndWmLzbCbxlXisjjzj8jTYxrfoN0IxYYCeVKe
KwTUpRewmhL2/57wJXviMXso3dNLcwP+RSHSchfLPQwpqprHCvf9iauzHuOJAJUC
BRAvHok6bCg0Y9cHbF0BAXFZA/9GXCfMpiEw65CZWgbuJPSkRw0e5FoB3cj5v+Gc
yBwKMmpx/aDzoWA9k/Zlc6/o8XdMgWrAmMIzjTIFcpG6lJJ0dqS6qDYp++bxFqDR
KM7DhpougZ2u0Nxl54F0EfFK2imfOgVMM1hOx2pHu3esbiNv22bM2H7en+mS8CUA
pBT0oYkAlQMFEDPzbb0rYghCgt6juQEB6O4EAJLtH6aiHHPNX8MVLrCj+9cBcmhl
2CK2vjC4BC7Eu98tMRm1hi2QoEZPxPotSl9lrAc6VfCrx1DAuFzy/QvEuH1AZqJt
fEvksXBJV5ufyXhLc73sl9Agt6PkQFNb2Jbizlo7cHwdldIms0KPrqNQIKufTuuQ
XWqXZxDTg+hjf9lRiD8DBRAz4l1iUfAt06xxHoIRAi9yAJ4zgrrsdt0daw9uElG7
1G4zZa/zkQCdFtejMjzRgFcpZ69Wv1/TKiBSCdeJAJUDBRAyHkabgEp1EPeh9ysB
AQggBACUBzGS2ylMymYTZZnEZ7y9zKsS0dOrEZ41NsMVc3hqZ6Q46+rw2vUX/UcR
gMu10A3M2cuIuKd6n1uFTQom9+OLp5qUJ66ecqg10Pwo26I+lLEyRxYE8/4aei/v
iysiW4OhSrmVpxVLRVqxCSnGaN/TO85D/B/TIoMtAWAYfZiTwokAVQIFEDB5HQFn
1gtYHuhxIQEBTokB/1TYp82r7k2UwL3WCCIBtBqFCAjGN2QocNWcZEb3DFz0r1Kz
9KMuNKPy61KvA0wUSuINRsrkZ+oFRN6sKkWPUqKJAJUDBRAwcEIm0WPXZsfOfw0B
AWMbBACpHoslfC0cLhr5H5Sg6Um1/BQ6gGNwrZZH7xZfj6ihGu4h7pJkKxY6lN18
2To55fz6VyBuPdOwURgPHmX2cWSblIfxNjw+foEX6Nr6cLWj0cr6RJFKgn+RqKzx
yxROeUp7dP+HDrsNDxSw4Xfm1zRUELqvAWhMpuwEGuo/XrErAokAlQMFEDBrLwyk
UJAsCdPmTQEBrDwD/RERUTE+Lk4RTHRhHTTjulIWeFY2AoXGEtrqxMirmBgjT4aC
DygrKBrd3qNdbrZIfHMIuPK02VmOF/r1va0PyfuYGFbi68s2oUr6E5nNmMvmjFoF
+GR802v4uZ8CGo1U6Gchi1yLv3ctLsjfgkQY+ESoXqdZueLrdLmgbB+wNeGoiQCV
AwUQMGstM7CxcYNNuhCRAQHAUgP9EKPx4VLZhkR/cEVZD9Tsb5KbPpGwe0MMUJE6
AsBpSEB9f9u4cG52+SGrjlA3YTfEvzIWQ8KMoY9tcGccwut21wS0kYJzSpepqVrO
rPKxYoG5mSO4wJV0Ky8dKCjpQ7UhkXkVdAC/9VvzKBZcjAYSYtERrQf279Ro2+AW
eW1br5aJAJUDBRAwbIbe1eCuZnXGy0kBAdufA/91ahpgcRo/WI0lPMjO0OSNy+Gl
g9x4dpVf5mIvQq4ENN8yrhzOgt1gooL5GSxgg2baMyUdGqEwYKXB0fWjQjU1Y7E+
A4VtgyCCRRlWXVZP3pBYAZ8XppIWjN8nhE3WW4kZsrcMoLiipGKNAFcy9c2IwgVS
b3xv3i9/jgUcoSw/KokBFQMFEDBsJ5t3fs8hRzwYFQEBP3MH/RLXS8Xv4JuNr8U3
ZLiLq4tvdqBIX7bCw8BII9BHacN4tYlS9M6fuUvxRZ5VjdkQJhS6q9DI+viQiJI1
aBrkJRprIZSRf87DczQAQi7s75sDO59jFLMjrOmfGmoCAbYNXHRFV5EIQk8U8ePK
PZ/TSqriiHr7Em067g2LoV1f3Ue6TgDZryMDD2lwdYfWVb+gGNiVQ9DQr6Ntdt7L
Y0ysmGxsdZB53LleUNu4zd2u5Y5rswHzWlVr/WzuaiMwv+n+cjBG403BkZ78PIep
xZqIV/G50wHCv8LyOfheUc9Bw5rnRa3ceBoG7DFjIewuJHBX0Rr6+NTx0HgNJRXY
dNgg9cyJAJUDBRAway9w7O/VJ/p5N+UBASStA/45WcDO2+1wFiNvlFTP4NqqLHD2
yE/nxlzZ4sr4mZwvqh5Ss84fqez/m1tUuI/NT9NmRw90cWx+P9B9coBdu9Bt0daI
UnXwbuUxzPEq/naealT6Hb6LwcL+JqdrDNGWIBxHg/jccN2dia2YJJH3+h2hI+Is
hKxOqtCZG8zsn16etIkAlQMFEDBrBNKvZPwzK6PyvQEBD6oD/jO0hRyioJcfG39c
dtKi8oeL5Gm2IoI7i7FCVCJqQltmDqjUOJI7Ioed6/Tzh+KJSdLlYvYmo5K0Wvgv
Es1PSF9ihCd5fzvDdSljAsqXQ31fLDZd77/Y/h/PkRcEGG0ZHGfP3TNV4zoHdwn4
SCJruI5ExvvEh3FPq0NUdgO8i/beiQCVAwUQMGoe7uI11LPFgBXjAQGrNgP8D2nf
ujoEa0dlX4w7Y0huxPWHpdIoOhMexmtqiWgfyPQLWw4Eq/mnAjdF4KuFlU1C/smd
OnvcJ3n6pIiUurPpw9CPFb8xVPaxCmQgUsxDx0877rTLDRCLfr53cZyR5R2N/5gk
N8r6PiP64Mob5rg9dRD8DbvFKBv6L+FuTgsqzc6JAJUDBRAwafD8Ct9/qBjwLNkB
AZbbA/4h/EqLS2xEbAk3Ifd6brn1ucFzBUGTfhpKJjds/zI62zECObUBy8KJpNUj
HHNYR3IRMhT2ZHHap5aKiATw4ZBrILyvYY1lZA34DHKAo3/QztFHaU5gT9qJiFSY
wqi5q9bjLJdXszaX7wnb6dVqAB3Sbh6bSNd+MFChuR8XHET5BIkAdQMFEDBp78L5
oc+fdQfBNQEBim8C/Al37Ao842+iSsTEJtBY10AUP6r1CmsT1XEaodNvRCijcSpG
5wQHK70JbLJBOGe7NGzAVuAV6qzIZ3/xniZqTOXPFH+DrO04KYq22Br4GAKrd1dq
BCHoJFW3TY3avGOtJIkAlQMFEDBp7KLsTGln+UCrhQEBJ4cD/3xBaYiuzp7t85HO
2gsyv4LiYvY7PkaJhxoeQNv4MimRFX53l7DFvIYrvQs5XqNvELgVzp1OJdaQN09+
ECV3+I+i49dm7cg43nl8dNsBl8Xdk0wEGgx7Z0x2gh6v/JqxUV+GY3tImqxgtxIy
v9A2wOv+OR/XNNRMIVwDHFl8U88piQCVAwUQMGi8R17lrK5my3PdAQGWoQQAlC5D
9UD4NMxga1qHevWNPXk8XcbiKB7r2z50aCnGjs33Z+HFjg90TlRRp3g7uK9AyWYF
7ISUFDQScQ3dbTo82/L+P9D1eRls+BMWElGyibyCEs8N5rs2v/+KsTWKqn947srZ
fGm8O+GecJbua3Pf9VtBQybxw1hu42LkxqUKFlqJAHUDBRAwaY6jm5WgJWLQSkkB
AV2VAv9mc+YEblGLRcrttCMz3PLxOhOIMxrIpcH+kwr7swvhahGBBxucLxJDrGNJ
2ac/1UglYIqa0ju1LdRwgg4JUBxh0tUNi8BMh2qNzFiJQV1bc3N3hYPWj2fa3TNX
wHDXRfOJAJUDBRAwGWMhZXmEuMepZt0BAVi0BACNu/hS3l/Wydz9iOqSlrePEkwb
YhpJwQB8NEPQxOO2XbZPvkaij1w2oOADcH7UsMw01CjADqZVBkPau+Gjs1mAoWQd
E+dVcO8DYlx1H1bek/FCSrle6GuuBfDeNcedFMweHhVEO55EAqS1f5f5QEvrf2P9
QzZONS/j7M6op16mFokAlQMFEDAPRLR4JPhVIxVm3QEBApgD/0VX1UdASMbWTWjg
SFnIo8z16F2dvEpG0f1rSWxB2JCMjbPPhN7mH7Ak/Vd+6D6fnQr2OlSxe6TQnUcf
MPNrIL15CUMx8vAasumNFp8FC5/BQ4yhHgaXTmT8px6TeT/8F6PNPd0c0ciRPUaB
v87RaGEwl8VfQTXjLY0V4U97UNe1iQCVAwUQMA8/cs2oBGsAN8d5AQEpXAP+M1hj
QnK3Eh9GURePQ92wZbHgb/8o59R3nNZCdaCIDpUfJGXMApbRdzjibkexZZONO8W1
UcBWduUAV2gUTj61ghIu1o/5JVIfWW3OlqXJqGnp9xlwREgrhHEESMWgk5nKfnK9
bFpEq0qsyAC4+YxD1Xn/g64CzAS2W/F/6TDPT7+JAJUDBRAubhTjFNLGlZxoAVEB
AXrNA/90ZZ57TgE7TtzFhTmHu++yBmP8KKEqKxM6ec614povixQJvFX+EXb1wUa1
FZUj9FUCVqWD2y/5uvk8HJ7MepvC4c8Irkc7QOLnQNuF1FAtswxhyWBhrYBQXVnb
MWk8OuPKKHq2ESiPyOFuqzcMD4NuZ3EzL5jmwU9NJR3Ylh2NLYkAVAIFEC5s0h4V
rDLOPlxS/QEBoUoB90dpuj4q2Fxu1AsGYEWcPymx3Q0PHrwMcQwPyPB90A0w6QKR
ifHz6V9Hb3ubqqyx2Ovg2MUWoftgwUSnf1wkEokAlQIFEC2bXE5hqrGydnZ6rQEB
nXwD/2mz0CBQM5Pk5fty050LcirZje1Ykx/WZ32nN9wXmOV+Hyq846yacHysyC9N
VjFzPfslyw5W6uzou2gW3B9n6qqm0AiwABgIuTb8tOowZBSvUjmVhuxxPkNuHuqG
Q1I0oUwDmWbnsoZSIuPNiYmxc0uPkC1VsYoH5D7XcEeXonIpiEYEEBECAAYFAjtE
3FIACgkQ5r/NLxCBo3xBhQCfb0/uo1VXAJ4m6q/1OcXdjiI6qoAAoPsnJ/wvG4+N
TkuP1ISfyWLbEVdSiQCVAwUQO0TcffLlZUzmDiptAQEpSwQAjkqg3jYhTDLQ7ztw
K8koz1CorcPue6Cci4twax+2Q6hbChAnTbDvqodPakCYwEfS2up6aXcKpGQa5IPe
RnF5RYQthKBSUE9YWrSLm5ZPYBSTGZLf4Hhn6381I6L3tbvOc6M4Jo+VpI1vXnIn
a8z1MUsfb6QfIuMyKyUhqYJrtZ2IRgQSEQIABgUCQcoR2AAKCRDdom9SQKd+Jtj6
AJ9W/+UaeYQBhDJvhN+mb24GvBAQngCcDe6Eura36S755DRSKZac+GqyQZ2IRgQQ
EQIABgUCNRB0oAAKCRC3BYzpPWXloPUqAJ98UKbWyrkFhcBKIR03v/BzBbLKLQCg
5dpZb0Vr0jsAHb+fC11CRa7KTPqIRgQQEQIABgUCPtutfAAKCRCSAt0MlIMOrUkK
AJ46u1nmmb6MX5ErbCCpB7PEuKqZqQCg0YIwUI38J8Q0qEk/tUACsQ1J+AaIRgQT
EQIABgUCPrg+bAAKCRDYw7lS6Rq5uVJrAJ40TVuPDvpWJaC6unpV2VOKbnCncgCg
r0oF1vMDaKAYhI9puegpZAF9AFyIRgQTEQIABgUCP0uttgAKCRARKrfhNu2SIgxB
AJsGu3VMU55NM6j57FtR5w/GmFK9ngCffiUghFCEx1030DbVDfypDBhkCxKJAJUD
BRA5gHXomGpB7xiMt8kBAcLUBACBoBKdzQboeUW7wGbHHOZ9vR0Di9MpT74/2lNK
WN7G4R6+UAwiZNI3+AJVe56w3EgvOKhIRytgM0PbvS09CCC8gNUTHf1aXRf+0YJM
4zIyn607yPW6wKYgCIyXZXPu4BBm9QHd7VAj3zbZDtHB9JHeKVUWX7XHz0rq9GRm
3K5O7IkBFQMFED0AF/y27RCtRrQFywEBctQIAIuSeYoocMZcCS8WPbXywkY0IdSS
rUyqGgRpd8Iyc4mrl2xCG67jXkIAdnkFTLgNVvZijR2UA2ciVyaY1KXJ0H1bKRxE
7DCwSXC9vqzLNdLBOFGFOWt7IBMcj1UecqJfHTPNl33pKszaPeN3gM2H80sti/0j
pw+DMTp1zULJiDYRSMSyMgpbhAAop2l1cylzNizO43MqFcEXBdPCwuj1x/yd0BCB
dfuEmvrLsYpPrUqjWlYOSmNqpjuwaTnxe9Y4Ftul068uVEmDWe0qMfvuKqQkq3y8
71tgutYJBJoxiw8tSE0mViDv2JJJAy9rAl4wcZJN+3NR4xWiNany3SThRX6JAJUD
BRAvJ+6QjZ9tDjK+G1EBARiIA/4gCuZTfnbzLhQSmAe+tCWf3039F4wyj9mb2QPw
XgItjeKrMxLpbmeHa3568auGlf+XjvD5MFLGw2EJj9MvgYms9GPUIt/qKfuIcmPC
3pG1SgAfVOXWnwHmljpa26m/yoESk1cWhOtBTxN8XWJgXiU+fQQGV2mBte/9D3xj
JbuiGQ==
=ow5q
-----END PGP PUBLIC KEY BLOCK-----

IPv6 – CGN and Teredo Considered Harmful

There, I said it. The so-called “IPv6 transition strategies” are making it harder, more complicated and less secure to deploy IPv6 than just “doing the right thing”.

Carrier Grade NAT (CGN) and Teredo (among others) are the last gasps of an IPv4 world, and have no place in the modern Internet. While they may have short-term advantages to network operators, they will cause problems for their end users until they are finally phased out. Dual stack would be a better transition process, especially for customers.

CGN is, as much as anything else, a way for carriers with a large network or large installed base of end users to make the fewest (and hopefully least expensive) changes in their networks. They are betting that by introducing a small number of large-scale NAT devices on the border between their networks and the Internet that they can avoid making sweeping internal network changes, or upgrading CPE (Customer Premise Equipment).

At best, even when working correctly, CGN breaks end-user accountability, geo-location and the end user experience. On top if that, it will slow IPv6 adoption, and force “true IPv6” users to adopt a host operational work-arounds and complicate deployment of next generation mobile and Internet applications.

CGN is inherently selfish on the part of the network operators that deploy it. They are saying “I want to spend less money, so I’m going to force everyone else to make changes or suffer in order to continue to talk to my customers.”

Or, as Owen Delong put it in his excellent look at the tradeoffs in CGN:

Almost all of the advantages of the second approach [transition to CGN and avoid investing in IPv6 deployment] are immediate and accrue to the benefit of the provider, while almost all of the immediate drawbacks impact the subscriber.

The next part of my rant has to do with Teredo, a “last resort transition technology”.

Like CGN, Teredo promises to allow end-user equipment to connect to the public IPv6 Internet over IPv4. It does this by “invisibly” tunneling your IPv6 traffic over the public Internet, to a “Teredo gateway”. A Teredo gateway performs a 4to6 network translation and passes your traffic onto the desired IPv6 destination. Teredo is implemented transparently in some Microsoft operating systems and can by default provide an IPv4 tunnel to the outside world for your IPv6 traffic.  It can, also provide an “invisible” tunnel from the outside world back into the heart of your network. And of course, all your network traffic could be intercepted at the Teredo gateway.

Teredo security has been a hot topic for years, with some concerns being raised shortly after Teredo’s standardization in 2006, and RFC6169 finally providing IETF consensus in 2011. Sadly, Teredo security must still be discussed, even though it is 0.01% of network traffic to dual-stacked resources. Fortunately, there’s a move in IETF to declare 6to4 technologies (including Teredo) as “historic”. Teredo will complicate network security until it is gone.

I for one, cannot wait for both CGN and Teredo to be consigned to the dustbin of history.

Security – why programmers should study computing history

You can now add LinkedIn, eHarmony and last.fm to the long list of major sites that have had poor password security in their user database designs.  The saddest part is that in the case of LinkedIn, at least, this was apparently completely avoidable. (I haven’t found enough details to comment on the others, yet.)

Protecting stored user passwords is not rocket science.  This problem was pretty much solved in the 80s and 90s: Use a salted one-way hash function of sufficient strength to resist a dictionary attack.

(LinkedIn’s mistake was to use hashes, but to not salt them. )

That’s it.  Really.  UNIX has been using a salted hash since about 1985, initially with a hash based on DES. Since that time, as computing speeds have increased, new (salted) hash functions based on MD5, Blowfish, and SHA-2 have all been introduced.

In other words, stored password security has been a solved problem for at least 25 years. The concept is the same, only the algorithms have needed to be updated as Moore’s Law has dictated.

This is just one reason that programmers (and sysadmins) should study history, if only the history of computer security. Oh, if you’re not a cryptologist, for security-critical functions, please use well-vetted library functions.

A few references:

• CSC-STD-002-85 DoD Password Management Guideline
• crypt(3)
• The Rainbow Books, the Knuth of computer security
• Dictionary Attack