Archive for category Computer Security
Retrocomputing – Multics
Posted by tomperrine in Computer Security, Computing History, retrocomputing, System Administration on March 6, 2019
For the past few months, I’ve been using the dps8m fork of SIMH to create and run Multics, one of the first operating systems I ever used, and one of my favorites. I’ve also built a completely automated process to install Multics in “the cloud”, so that others can play with this piece of Internet history. I’ll show how that works in some future posts.
Around 1973 I encountered my first computer, GCOS (AKA GECOS), thanks to Honeywell and Explorer Post 414 in Phoenix. After “we” “discovered” quite a few security problems with GCOS Timesharing, Honeywell management and our Boy Scout leaders decided to move us all to Multics, as it was a much more secure platform.
Multics has an interesting place in computer science history. It wasn’t the first timesharing (interactive) system, it wasn’t the first to have virtual memory, it wasn’t the first to be primarily written in a higher level language, and it wasn’t the first to be designed and developed with security as a primary goal. It wasn’t open source, although every system did ship with complete source code, something that was not true of any other operating systems of the era.
But it was the first operating system where all these things (and many more) came together.
It is a proven fact that without Multics, there would have been no UNIX, and therefore no MINIX and no Linux.
A lot has been written about Multics, by the people that created and ran it. For background about Multics see:
Using SIMH in Google Compute to retrace my (UNIX) OS journey
Posted by tomperrine in Computer Security, Computing History, retrocomputing, System Administration on March 5, 2019
After being introduced to SIMH and getting Multics running, I thought about using SIMH to retrace the steps (and operating systems) that I’ve used in my career. For now, I’ll focus on the UNIX and UNIX-derived systems.
Before coming to UNIX, I had already used Honeywell GECOS, Multics, CP-V and CP-6, as well as DEC’s VMS and TOPS-10. My first UNIX experience was Programmer’s Workbench (PWB) UNIX, which was an interim version between versions 6 and 7.
But after that I used 4BSD, SunOS, UNICOS, HPUX, DomainOS, SGI IRIX, and a host of other UNIX-flavored systems until finally coming to Linux. Along the way I helped to extend or create two security kernels – KSOS-11 and KSOS-32.
So my plan is to bring up as many of these operating systems as possible using SIMH, focusing on the UNIX family.
Here’s the dependency graph of what I have in mind to begin, and it’s a roadmap for the rest of this series. I have no idea how long it will take, or how far I’ll get.

To date, I’ve got Multics and V6 UNIX, so I’ll show the tooling for those first. Using this information, you should eventually be able to run any OS for which a SIMH emulator exists for the CPU, and for which you can find a bootable or installable image.
A low tech way to get a mail server blacklisted using victim’s own forums
Posted by tomperrine in best practice, Computer Security, Creativity, scale or die, Stupid, System Administration on April 10, 2018
As they say in the military, “If it’s stupid and it works, it isn’t stupid”.
This is a low-tech, labor-intensive way to get a victim’s email server blacklisted at a major public email service, using the victim’s own public forums. The email provider was very helpful in getting this sorted out, and it’s not clear that this “attack” is specific to them.
(This situation can also happen “accidentally” if a number of users subscribe to your forums, change their minds and then report the notices as SPAM instead of unsubscribing from the forums. That doesn’t seem to be the case in this instance.)
- Sign up for a few free email accounts with a public email provider. Get as many as you can, perhaps at least 20. Get some friends to help you. More is better.
- Go to the victim’s public forum servers and use each email account to sign up for one (or in some cases more than one) forum account per public email account. This gives you 20-100 forum accounts. Let’s use 20 as the lower bound and 100 as the practical upper limit.
- As an alternative, if the forum doesn’t use opt-in confirmation, just subscribe a few hundred random people to get the forum notifications. Let them do the work for you.
- Set each forum account to send an email notification for every forum update, or as many as possible. Some forum systems allow you to “watch” individual threads, some allow you to “watch” the entire forum system, getting one email for every other user’s post.
- In a moderately large-ish forum system, there could be perhaps 1 update per minute, so 60 per hour – that’s now 60*20 accounts (1200) or even worst case 60*100 accounts (6000) emails per hour going out from the forums system, perhaps through the victim’s outbound SMTP server. Either way, the target public email system is seeing a lot of email coming from one domain or IP range very quickly.
- If the rate alone isn’t enough to get the forum or SMTP server blacklisted, then go into each of the public email accounts and mark ALL the forum notifications as SPAM. Or if you subscribed a few hundred random people to the notifications, they’ll do the work for you!
- The combination of high email rate with the 1200-6000 SPAM user complaints should be enough to get either the forum server or the victim’s outbound SMTP server blacklisted.
Note that each and every part of this situation is working as intended. It’s only when they are combined that you get problems. (Unless the forum doesn’t do email address opt-in verification, in which case it’s all on you.)
This “attack” depends on these things:
- lots of manual labor, either by yourself or with some friends, or even some random victims
- a forum system that allows one user to cause the system to send lots of email based on the behavior of many people
- a moderately busy forum system
- a public email system that is biased more towards rate-based and user complaints than message content
- a public email system that the victim’s user base depends on, as in “must communicate with users in that public email system”
Fortunately, this is relatively labor-intensive, and not amenable to automation.
Countermeasures are left as an exercise for the reader 🙂
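One defensive check a forum operator could run against the pattern above, as an added example that is not part of the original post: flag bursts of new "watch everything" accounts at a single recipient domain and project the outbound mail they generate, using the post's own arithmetic (watchers times updates per hour). The record layout, the `.example` domains, the two-hour window, the ten-account threshold and the 500-per-hour budget are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _domain(address):
    """Recipient domain of a notification address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def build_sample():
    """Constructed signup records: (account, email, created, watches_all)."""
    start = datetime(2018, 4, 1, 9, 0)
    rows = [
        (f"user{i:02d}", f"box{i:02d}@freemail.example",
         start + timedelta(minutes=3 * i), True)
        for i in range(20)
    ]
    rows += [
        ("dana", "dana@corp.example", start - timedelta(days=200), True),
        ("eli", "eli@freemail.example", start - timedelta(days=90), False),
        ("fay", "fay@other.example", start + timedelta(minutes=5), True),
    ]
    return rows


def signup_clusters(rows, window=timedelta(hours=2), min_accounts=10):
    """Return {domain: [accounts]} for every recipient domain where at least
    `min_accounts` watch-all accounts were created within `window`."""
    by_domain = defaultdict(list)
    for account, email, created, watches_all in rows:
        if watches_all:
            by_domain[_domain(email)].append((created, account))

    clusters = {}
    for domain, items in by_domain.items():
        items.sort()
        lo, best = 0, []
        # Sliding window over creation times, keeping the densest run.
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            if hi - lo + 1 > len(best):
                best = [account for _, account in items[lo:hi + 1]]
        if len(best) >= min_accounts:
            clusters[domain] = best
    return clusters


def projected_hourly_mail(rows, updates_per_hour):
    """Messages per hour sent to each recipient domain:
    number of watch-all accounts there times forum updates per hour."""
    watchers = defaultdict(int)
    for _, email, _, watches_all in rows:
        if watches_all:
            watchers[_domain(email)] += 1
    return {domain: n * updates_per_hour for domain, n in watchers.items()}


def domains_needing_digest(rows, updates_per_hour, hourly_budget):
    """Domains whose projected volume exceeds the budget; candidates for
    batching notifications into digests instead of one mail per post."""
    volume = projected_hourly_mail(rows, updates_per_hour)
    return sorted(d for d, v in volume.items() if v > hourly_budget)


if __name__ == "__main__":
    sample = build_sample()
    print(signup_clusters(sample))
    print(projected_hourly_mail(sample, updates_per_hour=60))
    print(domains_needing_digest(sample, updates_per_hour=60, hourly_budget=500))
```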
2018? Wait, what?
Posted by tomperrine in best practice, Community, Computer Security, Computing History, System Administration on January 9, 2018
Wow, I’m behind. It was a busy year, and not a lot going on that I could really talk about publicly.
The recent Meltdown and Spectre bugs have brought back some memories from Orange Book days. I’ve also been spending a lot of time thinking about “IT transformation” and non-technical stuff. I’ve also been to the UK and Japan, twice, each, which may become the “new normal”.
Let’s see what happens in the next 12 months.
Upgrading my personal privacy one small step at a time
Posted by tomperrine in best practice, Computer Security, personal IT, personal privacy, System Administration on February 4, 2014
I got my start in computer security from the personal privacy side of the equation. Revelations over the past year have made me realize that I have become complacent, and it is time to upgrade some aspects of my personal digital privacy.
My first “paper” on security was an essay that warned that “someday, the government and large corporations will be able to search and manipulate hundreds of millions of bytes of information, giving them improper leverage over individuals, who won’t have the same access to computing power or storage”. I got a B. My high school English teacher said the writing was very good, but she couldn’t accept the premise 😦 That was in the late 1970’s.
I’ve had, but rarely used, PGP/GPG keys for email since the early 1990’s. I have friends who probably encrypt about 10-25% of their email, and sign almost 100%. Others encrypt and sign more, or less. Some are more consistent about this, some less. I felt that this wasn’t necessary for me, as I was a small enough needle in a large enough haystack that “computational privacy” probably wasn’t needed in my particular case.
I’ve run my own email servers on my own hardware, off and on, for years. I’ve done the same for personal web servers, photo galleries, and other personal storage. Over the past few years, I’ve made much more use of hosted services, like Gmail, and WordPress.com (for this blog) instead of building, maintaining and securing them myself on my own hardware under my own physical control. I’m going to have to re-think some of those decisions, I guess.
The Snowden revelations, coupled with high-profile cases of seizures of data and equipment from hosting providers, and the inability of those service providers to stand against the abuse of certain government powers, have led me to believe that it’s time to step things up a bit.
I want to upgrade my personal privacy stance over the next few months. I’m going to have to re-learn lots of the details of encryption, look at products that didn’t exist a few years ago, look into newer encryption algorithms and key search technologies. I expect I’ll need to make changes in the way I use email and the web and in general communicate. There are a lot of good resources out there; I’ll share what I find.
I don’t plan to wear a tinfoil hat, become a crypto-anarchist, bury guns and ammunition in the desert, or buy gold. This isn’t going to be a knee-jerk reaction, just some slow steady Kaizen to improve my digital privacy.
new GPG Key
Posted by tomperrine in Computer Security, personal privacy on February 1, 2014
With the recent revelations about privacy issues in the United States, and new recommendations about algorithms and key lengths, I’ve generated a new GPG key.
I’m also providing my prior public keys in case anyone still has old email encrypted or signed with those keys.
Here is my most recent key:
Here is my key from 2006:
Here is my original key from 1996:
IPv6 – CGN and Teredo Considered Harmful
Posted by tomperrine in Computer Security, Computing History, IPv6, personal privacy, System Administration, the business of system administration on February 11, 2013
There, I said it. The so-called “IPv6 transition strategies” are making it harder, more complicated and less secure to deploy IPv6 than just “doing the right thing”.
Carrier Grade NAT (CGN) and Teredo (among others) are the last gasps of an IPv4 world, and have no place in the modern Internet. While they may have short-term advantages to network operators, they will cause problems for their end users until they are finally phased out. Dual stack would be a better transition process, especially for customers.
CGN is, as much as anything else, a way for carriers with a large network or large installed base of end users to make the fewest (and hopefully least expensive) changes in their networks. They are betting that by introducing a small number of large-scale NAT devices on the border between their networks and the Internet that they can avoid making sweeping internal network changes, or upgrading CPE (Customer Premise Equipment).
At best, even when working correctly, CGN breaks end-user accountability, geo-location and the end user experience. On top of that, it will slow IPv6 adoption, force “true IPv6” users to adopt a host of operational work-arounds, and complicate deployment of next generation mobile and Internet applications.
CGN is inherently selfish on the part of the network operators that deploy it. They are saying “I want to spend less money, so I’m going to force everyone else to make changes or suffer in order to continue to talk to my customers.”
Or, as Owen DeLong put it in his excellent look at the tradeoffs in CGN:
Almost all of the advantages of the second approach [transition to CGN and avoid investing in IPv6 deployment] are immediate and accrue to the benefit of the provider, while almost all of the immediate drawbacks impact the subscriber.
The next part of my rant has to do with Teredo, a “last resort transition technology”.
Like CGN, Teredo promises to allow end-user equipment to connect to the public IPv6 Internet over IPv4. It does this by “invisibly” tunneling your IPv6 traffic over the public Internet, to a “Teredo gateway”. A Teredo gateway performs a 4to6 network translation and passes your traffic onto the desired IPv6 destination. Teredo is implemented transparently in some Microsoft operating systems and can by default provide an IPv4 tunnel to the outside world for your IPv6 traffic. It can also provide an “invisible” tunnel from the outside world back into the heart of your network. And of course, all your network traffic could be intercepted at the Teredo gateway.
Teredo security has been a hot topic for years, with some concerns being raised shortly after Teredo’s standardization in 2006, and RFC6169 finally providing IETF consensus in 2011. Sadly, Teredo security must still be discussed, even though it is 0.01% of network traffic to dual-stacked resources. Fortunately, there’s a move in IETF to declare 6to4 technologies (including Teredo) as “historic”. Teredo will complicate network security until it is gone.
I, for one, cannot wait for both CGN and Teredo to be consigned to the dustbin of history.
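For operators who want to see how much of this tunneled traffic reaches them, here is an added example (not from the original post) that picks Teredo and 6to4 source addresses out of a log and decodes the IPv4 endpoints hidden inside them. It relies on the Teredo prefix 2001::/32 and address layout from RFC 4380 and the 6to4 prefix 2002::/16; the log format and the `src=` field name are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample log lines. The first source address is the worked
# example address from RFC 4380; the others use documentation ranges.
SAMPLE_LOG = """\
2013-02-11T10:00:01 accept src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::10 dport=443
2013-02-11T10:00:02 accept src=2002:c000:204::1 dst=2001:db8::10 dport=443
2013-02-11T10:00:03 accept src=2001:db8:abcd::5 dst=2001:db8::10 dport=443
2013-02-11T10:00:04 accept src=not-an-address dst=2001:db8::10 dport=443
"""

SRC_FIELD = re.compile(r"\bsrc=(\S+)")  # assumed field name in this log format


def classify(addr_text):
    """Classify one IPv6 address string.

    Returns None if the text is not a valid IPv6 address, otherwise a dict
    with 'kind' set to 'teredo', '6to4' or 'native' plus any decoded fields.
    """
    try:
        addr = ipaddress.IPv6Address(addr_text)
    except ValueError:
        return None

    if addr.teredo is not None:
        # The standard library decodes server and (de-obfuscated) client IPv4.
        server, client = addr.teredo
        # The mapped UDP port sits in bits 32-47 of the address, stored
        # XORed with 0xffff (RFC 4380 address format).
        port = ((int(addr) >> 32) & 0xFFFF) ^ 0xFFFF
        return {
            "kind": "teredo",
            "server": str(server),
            "client": str(client),
            "client_port": port,
        }

    if addr.sixtofour is not None:
        return {"kind": "6to4", "embedded_ipv4": str(addr.sixtofour)}

    return {"kind": "native"}


def tunnel_sources(log_text):
    """Return (line_number, address, details) for every log line whose source
    address is a Teredo or 6to4 address. Unparseable sources are skipped."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = SRC_FIELD.search(line)
        if not match:
            continue
        details = classify(match.group(1))
        if details and details["kind"] != "native":
            findings.append((lineno, match.group(1), details))
    return findings


if __name__ == "__main__":
    for lineno, address, details in tunnel_sources(SAMPLE_LOG):
        print(lineno, address, details)
```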
Security – why programmers should study computing history
Posted by tomperrine in best practice, Computer Security, Computing History, personal IT, personal privacy on June 11, 2012
You can now add LinkedIn, eHarmony and last.fm to the long list of major sites that have had poor password security in their user database designs. The saddest part is that in the case of LinkedIn, at least, this was apparently completely avoidable. (I haven’t found enough details to comment on the others, yet.)
Protecting stored user passwords is not rocket science. This problem was pretty much solved in the 80s and 90s: Use a salted one-way hash function of sufficient strength to resist a dictionary attack.
(LinkedIn’s mistake was to use hashes, but to not salt them.)
That’s it. Really. UNIX has been using a salted hash since about 1985, initially with a hash based on DES. Since that time, as computing speeds have increased, new (salted) hash functions based on MD5, Blowfish, and SHA-2 have all been introduced.
In other words, stored password security has been a solved problem for at least 25 years. The concept is the same, only the algorithms have needed to be updated as Moore’s Law has dictated.
This is just one reason that programmers (and sysadmins) should study history, if only the history of computer security. Oh, if you’re not a cryptologist, for security-critical functions, please use well-vetted library functions.
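What the missing salt costs, as an added example (not code from the original post or from any of the sites named): the same three constructed users stored first with a fast unsalted hash, then with a per-user salt and an iterated hash from the standard library. SHA-1 stands in for "a fast unsalted hash", and the sample users, the word list and the PBKDF2 iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two of the three users picked the same password.
USERS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "correct horse battery",
}
# Constructed word list standing in for a cracking dictionary.
DICTIONARY = ["123456", "password", "sunshine1", "letmein"]

PBKDF2_ITERATIONS = 100_000  # assumption for the demo; tune for your hardware


def unsalted_hash(password):
    """The 'before': one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """The 'after': random per-user salt plus an iterated hash (PBKDF2)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def dictionary_check_unsalted(stored, dictionary):
    """Hash each dictionary word once; the resulting table matches every
    user at the same time, however many users there are."""
    table = {unsalted_hash(word): word for word in dictionary}
    return {user: table[h] for user, h in stored.items() if h in table}


def dictionary_check_salted(stored, dictionary):
    """With per-user salts nothing can be precomputed or shared: every
    guess must be recomputed for every user. Returns (matches, hashes run)."""
    matches, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in dictionary:
            work += 1
            if verify(word, salt, digest):
                matches[user] = word
                break
    return matches, work


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("same hash for alice and bob:", unsalted["alice"] == unsalted["bob"])
    print("unsalted:", dictionary_check_unsalted(unsalted, DICTIONARY))

    salted = {u: salted_hash(p) for u, p in USERS.items()}
    print("salted:", dictionary_check_salted(salted, DICTIONARY))
```

A weak password still falls to a dictionary in both schemes; the salt removes the shared table and hides which users chose the same password, and the iteration count sets the price of each guess.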
A few references:
- CSC-STD-002-85 DoD Password Management Guideline
- crypt(3)
- The Rainbow Books, the Knuth of computer security
- Dictionary Attack