1. 2

    Unpopular opinion time!

    These types of services can not work as marketed. If you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext. US ISPs, Comcast being the biggest offender, are known to hijack those requests.

    Even with DNS-over-TLS, it’s possible for a passive attacker to infer queries based on packet metadata. The sizes of the packets aren’t going to change when I do an A record lookup for google.com yesterday versus today. A passive attacker could pre-compute the packet data length for the most common domains (Alexa top million, for example).

    The only real solution is to mix different kinds of traffic into a network specially crafted for privacy/anonymization, like Tor, which supports tunneling DNS queries.

    1. 3

      If you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext.

      Well… yeah. Of course you don’t get any security benefits if you don’t use TLS. (Well, even without it you do get some, but it really buys you very little.)

      Even with DNS-over-TLS, it’s possible for a passive attacker to infer queries based on packet metadata. The sizes of the packets aren’t going to change when I do an A record lookup for google.com yesterday versus today.

      You can pad an HTTPS query URL with random data. Google even documents it.
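The size-based inference described above and the padding answer to it, as an added example that is not part of the thread: the block below builds DNS wire-format queries with the Python standard library only, shows that an observer who sees nothing but record lengths can separate google.com from a longer name, and then pads each query with the EDNS(0) Padding option (RFC 7830) to the 128-byte block size RFC 8467 recommends for queries, so every query is the same length. Padding random data into a DoH URL, as mentioned in the reply, is the same idea applied at the HTTP layer. The domain names are constructed sample input.

```python
"""Why query size leaks the name, and how EDNS(0) padding hides it.

Added example for this thread, not code from the original page. Builds DNS
queries with the standard library only and compares their lengths with and
without RFC 7830 padding to a 128-byte block (the RFC 8467 query policy).
The domain names used are constructed sample input.
"""
import struct

QTYPE_A = 1
RRTYPE_OPT = 41
OPT_CODE_PADDING = 12      # EDNS(0) option code for Padding (RFC 7830)
QUERY_BLOCK = 128          # RFC 8467: pad queries to a multiple of 128 bytes
UDP_PAYLOAD_SIZE = 1232    # advertised in the OPT RR class field


def encode_name(name):
    """Encode a dotted host name as DNS labels, e.g. b'\\x06google\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=QTYPE_A, pad_to=None):
    """Return a DNS query message; pad_to adds an OPT RR carrying a Padding
    option sized so the whole message is a multiple of pad_to bytes."""
    arcount = 0 if pad_to is None else 1
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    msg = header + question
    if pad_to is None:
        return msg
    opt_fixed = 1 + 2 + 2 + 4 + 2      # root name, type, class, ttl, rdlength
    option_hdr = 2 + 2                 # option code + option length
    need = (-(len(msg) + opt_fixed + option_hdr)) % pad_to
    rdata = struct.pack(">HH", OPT_CODE_PADDING, need) + b"\x00" * need
    opt_rr = b"\x00" + struct.pack(">HHIH", RRTYPE_OPT, UDP_PAYLOAD_SIZE, 0, len(rdata))
    return msg + opt_rr + rdata


def candidates_by_length(names, pad_to=None):
    """The passive observer's precomputed table: message length -> names.
    A bucket with a single entry identifies the query from its size alone."""
    table = {}
    for name in names:
        table.setdefault(len(build_query(name, pad_to=pad_to)), []).append(name)
    return table


if __name__ == "__main__":
    sample = ["google.com", "example.org", "some-really-long-hostname.example.org"]
    print("unpadded:", candidates_by_length(sample))
    print("padded:  ", candidates_by_length(sample, pad_to=QUERY_BLOCK))
```

The unpadded table has one name per length bucket, which is exactly the precomputation the comment describes; with padding all three names land in the single 128-byte bucket. Padding only helps inside an encrypted transport, since over plaintext the name itself is visible, and the responder has to pad its answers as well (RFC 8467 suggests 468-byte blocks for responses) or the reply size leaks the same information.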

      1. 3

        Cloudflare actually addresses that in their blog post:

        While DNSSEC ensures integrity of data between a resolver and an authoritative server, it does not protect the privacy of the “last mile” towards you. DNS resolver, 1.1.1.1, supports both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering.

        An attacker can also observe server name indication in your TLS connections to see who you’re contacting anyway. Preventing hijacking is much more significant in my opinion.

        1. 2

          Not all resolvers support DNSSEC. Not all people even like or trust DNSSEC.

          Either way, I don’t buy that Cloudflare’s solution, especially when using plaintext DNS, enhances security. It simply allows more entities to snoop and/or modify your data en route.

          1. 2

            That’s true, your ISP can still snoop the DNS traffic going to Cloudflare. But it does make it harder for them to send you bogus records than if you were querying them directly. Assuming Comcast isn’t modifying my traffic in flight, which I agree is sadly a big assumption, I trust Cloudflare more. Right now I use Google DNS, which has all the same problems you’re describing. At minimum, I’m happy Cloudflare is championing a more secure version of DNS (over HTTP / TLS), even if it isn’t perfect.

            I have considered setting up a recursive DNS resolver on a $2.50/mo VPS and tunneling DNS from my home network to there. The IANA of course provides the root information for the root DNS servers, so it wouldn’t be that hard.

            So I guess I don’t disagree with you. DNS is a complete shitshow one way or another, there’s no way to deny that. Unpopular or not, your opinion is objectively correct. It’s more of an uncomfortable fact than an opinion.

            1. 1

              It’s trivial for an ISP to anycast announce 1.1.1.1 and 8.8.8.8 wholly within their own network, capturing all of your DNS requests anyway. They can configure (or not, who would even notice?) all the same features available on CloudFlare or Google. I would be very surprised if people are not already doing it. If you wanted to be sneaky about it you can even set up a reverse proxy for the web content.

              1. 1

                Some Linux nerd might run traceroute and blog about it.

                In any case, if you’re using Cloudflare DNS over HTTPS, they can’t forge Cloudflare’s certificate.

      1. 4

        The example given by the author sounds hacky more than anything, to “discover” source files.

        I’ve been using makefiles of this kind for years now, and it works remarkably well. I do that so they’re easy to package, regardless of the distro. I must admit my projects are fairly simple, but I never missed any “feature” with this makefile. I’m probably missing something here though so feel free to tell me!

        1. 1

          I use a very similar makefile for my own projects. It doesn’t support header dependencies, though, and separate (out‐of‐tree) builds would be nice. I’ve been considering adding a (non‐autotools) configure script to the mix for that reason.

          1. 1

            The example I gave doesn’t have header files, but you can easily add them to the mix (example). For out-of-tree build, I don’t get the point of it. Is it only to keep the source tree clean? I’ve seen some handmade configure script in the wild as well, pretty short ones (some only included the line “echo do not use autotools!”). In my case, they would generate the config.mk file, which includes all the customizable bits. IMO, customization should be done at the environment level, and with make -e. That is the reason why I like mk a lot, which does that by default (but that’s another topic!)

        1. 9

          I don’t understand all the Xvfb/Xephyr stuff. I do simple screencasts just by enabling audio monitoring and:

          ffmpeg -f sndio -i snd/0.mon -video_size 1680x1050 -framerate 30 -f x11grab -i :0.0 -c:v libx264 -qp 0 -preset ultrafast output.mkv
          
          1. 1

            “Maybe we can finally get past our nemesis: the lady in the red dress! … Nope, Well, it was worth a shot.”

            someone help me out here, what is this referencing?

            1. 1

              Just a guess, but the game probably crashes early on, enough to reach that character but no further.

              1. 3

                Is the website failing HTTPS cert verification for anyone else?

                  1. 10

                    I keep seeing this as a reply but I’m not sure what purpose it serves: you still can’t read the site. The only thing you can get from comments is that yes, the site is using a self-signed certificate, meaning that the breakage is intentional.

                    1. 7

                      It is not broken - it is simply a different approach to CAs.

                      1. 4

                        It is not broken

                        Broken has a couple of different meanings in this context. The relevant ones being (a) “according to design” and (b) “according to reasonable expectations of users.” It can be broken(b) while also not-broken(a). Or in other words it can be “broken by design.”

                        1. 2

                          The user process is broken. The browser tries its best to give a very technical workaround, but the fact is that all other sites I read on the web don’t require me to trade my own sense of security for that of the author.

                          I do respect his choice, to be sure, but I ask people here to stop just silently referring to that original comment thread as if it explains anything. It doesn’t.

                        2. 2

                          In Chrome at least you can certainly read the site, you just have to click “Advanced” and “proceed to teduangst.com”

                          1. 2

                            The idea is to add the CA to the browser store. The CA is constrained to creating certs for tedunangst.org, which is nice. The weakness here is acquiring the CA in a secure way in the first place; the model is similar to SSH or signify.

                            Ideally you would acquire the CA out of band, like by meeting Ted in person. Good luck with that.

                            Unfortunately clicking through like you described loses any benefit: you’re obviously not checking the cert every time, so you’re prone to being MITMed each time you visit the site, as opposed to just the first time. (Firefox lets you save the exception, but Chrome doesn’t.)

                            The benefit of this over Let’s Encrypt is that if you add Ted’s CA and remove all the other CAs (that don’t have their own name constraints) from your cert store, you know that any valid HTTPS cert for tedunangst.com came from Ted and not from another compromised CA. I doubt even people who have added Ted’s CA have removed those other CAs, though, so it doesn’t seem like a real benefit to me.

                          2. 2

                            Indeed. I don’t understand this at all.

                        3. 2

                          Hi wyager, seems it’s my turn to direct you to: https://lobste.rs/s/qeqqge/moving_https ;-)

                          1. [Comment removed by author]

                            1. 4

                              It’s not just a self-signed cert, it’s a custom CA cert. If it were a self-signed cert, great, trust the site or don’t and move on. As a CA, the question is whether you trust @tedu to sign certs for your email, bank, and every other site.

                              1. [Comment removed by author]

                                1. 6

                                  Thanks for digging in. I guess we’re getting to the point where someone should roll all this up in a FAQ to get linked from every “hey site’s ssl config is broken” comment that is posted on a tedunangst.com story, which is going to happen regularly for the foreseeable future.

                                  1. 14

                                    Or, you know, he could just use a trusted CA, like everyone else. ;)

                                    1. 4

                                      An alternative that would not violate his conviction would be to still provide a non-HTTPS service on a different port, such as 8080. This allows proper use of HSTS and all the modern trimmings - while still allowing people to use software that doesn’t understand this CA/cert without additional hackery. It’s a solution that works for me.

                                      I use it when I find my overly strong TLS/SSL configuration to fail on an older device, for example.

                                      1. 3

                                        Oh, that’s something I hadn’t considered. Bit of a discovery problem, and then the question of which link people pass around, and duplicate detection, and oh my, but it’s a good addition to the list of alternative plans.

                                        1. 1

                                          Oh! I thought HSTS would enforce HTTPS for all ports. Are you sure this works in all browsers? :O
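How a conforming browser handles the port question raised above, as an added example that is not part of the thread. The block models the client-side rules of RFC 6797: a Strict-Transport-Security header is honoured only when received over HTTPS (section 8.1), a known HSTS host is matched by domain name with no port component (section 8.2), and a plain-http URI for such a host is rewritten to https, dropping port 80 but retaining any other explicit port (section 8.3). The host names and timestamps are constructed.

```python
"""HSTS host matching and URI rewriting per RFC 6797.

Added example for this thread, not code from the page. Models the browser
side: STS headers only over HTTPS, host matching by domain name (not port),
and the http -> https rewrite that keeps a non-80 port. Names are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub


class HstsStore:
    """A minimal Known HSTS Host cache keyed by host name only."""

    def __init__(self, now=time.time):
        self.now = now
        self.hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def note_response(self, url, header):
        """Record an STS header seen on a response for url."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return  # section 8.1: STS received over plain HTTP is ignored
        max_age, include_sub = parse_sts(header)
        host = parts.hostname.lower()
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """Section 8.2: exact match, or a superdomain entry with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > self.now() and (i == 0 or include_sub):
                return True
        return False

    def upgrade(self, url):
        """Section 8.3: http -> https; an explicit port 80 is dropped, any other
        explicit port is retained, so http://host:8080/ becomes https://host:8080/."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.note_response("https://example.test/", "max-age=31536000; includeSubDomains")
    for url in ("http://example.test/", "http://example.test:8080/", "http://sub.example.test:80/"):
        print(url, "->", store.upgrade(url))
```

The practical caveat for the plain-HTTP-on-another-port plan: once a client has recorded the HSTS entry from the HTTPS service, it rewrites http://host:8080/ to https://host:8080/ and never sends the plaintext request, so the alternate port is only usable from clients that have not yet seen the header (or that ignore HSTS entirely, such as older software).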

                                        2. 1

                                          The certificate business is a protection racket, plain and simple, so be sure to read “Or, you know, he could just use a trusted CA, like everyone else” in your very best mobster-movie voice. It’ll make a lot more sense that way.

                                          1. 1

                                            If mob, I was thinking along the lines of, (mafia voice) “it would be a shame of what might happen to your site if your users saw it without our protection and quality assurances and that sort of thing.”

                              1. 6

                                And now they’re trying to persuade every project they use to switch to Apache License 2:

                                1. 2

                                  I wish the ASF would still be using APLv1. It’s sad that the US legal system and patent situation caused this mess. The ASF is a very US-centric organisation (even though they don’t tend to view themselves as such), and from the perspective of a country where software patents are not (yet) a thing, the differences between APLv1 and APLv2 appear as a solution looking for a problem.

                                  1. 1

                                    Even in the US, this feels like a solution looking for a problem. BSD licenses have long been considered to provide an implicit patent grant (by the very wording: “Permission is hereby granted to use, copy, modify and distribute for any purpose…”). http://en.swpat.org/wiki/Implicit_patent_licence

                                  2. 2

                                    And now they’re trying to persuade every project they use to switch to Apache License 2

                                    No, they are asking politely if the projects might be willing to consider changing their licensing to be compatible. There is no persuasion going on by ASF people (which I assume you mean by “they”).

                                    1. 1

                                      Maybe I used the word incorrectly, but to me a polite request to change the license, or else the organization, influential in the open source world, would stop using the product, feels pretty close to persuasion.

                                      1. 1

                                        I don’t see any major problem with them trying to persuade React and RocksDB to use a different license (in fact, I welcome it, personally). What they aren’t trying to do is coerce RocksDB and React to use the APL2. That would be a very different situation.

                                  1. 1

                                    Is the current source available? I can only find the original Undeadly tarball (http://undeadly.org/undeadly-src.tar.gz).

                                    1. 7

                                      What’s unclear about MIT/ISC and patents? I always assumed the answer was a simple no.

                                      1. 6

                                        “Unclear” probably just means “would have to be decided in court”.

                                        US-based lawyers are super happy with an explicit patent grant they can use to defend their client in court, should someone sue for patent infringement.

                                        1. 5

                                          The author has a full article on MIT. It comes down to “Neither copyright law nor patent law uses “to deal in” as a term of art; it has no specific meaning in court.” and refers to the following part of MIT:

                                          to deal in the Software without restriction,

                                          1. 5

                                            ISC does not use this terminology. So why did he throw it in one bucket with MIT?

                                            EDIT: See https://www.openbsd.org/policy.html for arguments in favour of ISC.

                                          2. 2

                                            I think that’s because MIT doesn’t mention patents explicitly while Apache has this:

                                            1. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

                                            1. 2

                                              There’s an implicit patent grant in these licenses. Given the statement “Permission to use, copy, modify, and distribute this software … is hereby granted” I think it would be hard to argue that the recipient is not given a license to use the patent.

                                              This only works if the copyright holder also holds the patent. But I (an eminently unqualified non‐lawyer) don’t see what the Apache 2.0 text provides that the ISC text doesn’t. “Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual … patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted.”

                                              What’s really annoying about Apache, besides the deluge of verbiage, is the next sentence: “If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.”

                                              1. 1

                                                What’s annoying about the patent pooling? It discourages a sue fest by revoking any patents granted to you by other contributors if you sue users of the software for patents you have granted to the project.

                                            1. [Comment removed by author]

                                              1. 1
                                                gunzip -c SRCFILE.tar.gz
                                                

                                                Why not just use zcat? :)

                                                1. 2

                                                  zcat is a shell script calling gunzip

                                                  1. 1

                                                    A month late, but that depends on the system ;):

                                                    ~ % file /usr/bin/zcat
                                                    /usr/bin/zcat: Mach-O 64-bit executable x86_64
                                                    
                                                2. [Comment removed by author]

                                                  1. 3

                                                    You do, because tar’s behavior is not portable. On OpenBSD, for example, if -f is omitted then tar defaults to /dev/rst0 (a tape drive).

                                                1. 4

                                                  It’s been about ten years, but I had an idea for a site called “listen to my CDs”. I’d upload a CD, and then allow a visitor (one, singular) to listen to it, streaming data in real time, but no faster. Surely I’m allowed to do that?

                                                  I thought it would be a really good test case for copyright law, but never quite got around to it. Never decided to give it up, maybe it’ll still work.

                                                  1. 2

                                                    the aereo case seems relevant.

                                                    1. 2

                                                      Indeed. By the way, Scalia (RIP) dissented in Aereo:

                                                      We came within one vote of declaring the VCR contraband 30 years ago… The dissent in that case was driven in part by the plaintiffs’ prediction that VCR technology would wreak all manner of havoc in the television and movie industries. … We are in no position to judge the validity of those self‐interested claims or to foresee the path of future technological development.

                                                      1. 1

                                                        surprisingly enough, I was in favour of the aereo ruling. I absolutely believe rebroadcasting should not be illegal, but if it is, the sophistry of having one microantenna per customer to make it technically okay is a clear case of evading the law

                                                  1. 6

                                                    Maybe also of interest:

                                                    Document Formatting and Typesetting on the UNIX System (ISBN: 9780961533625)

                                                    Document Formatting and Typesetting on the UNIX System: GRAP, MV, MS and TROFF (ISBN: 9780961533632)

                                                    Some parts are also available at google books.

                                                    1. 5

                                                      there’s some more titles on http://www.troff.org/books.html

                                                      1. 3

                                                        A free ebook for writing manpages, Practical Unix Manuals, by Kristaps Dzonsons (the author of mandoc): https://manpages.bsd.lv/

                                                        It also contains “The History of UNIX Manpages”, another nice read.

                                                      1. 4

                                                        This is a scan of the original book. The Groff community transcribed the scans into troff source and generated a new PDF from that, which is much nicer to read: http://home.windstream.net/kollar/utp/

                                                        1. 2

                                                          yes, see the last link on the O'Reilly site

                                                          1. 1

                                                            I saw, but it was worth pointing out because people are more likely to click “A single PDF file via HTTP” than “groff and PostScript files‐‐Beta”…

                                                        1. 3

                                                          I really love this talk. Leveraging userland exploits and GPU to gain full kernel access and finally total control of the system within moments from boot.

                                                          And all on a common piece of consumer electronics with over 60 million units shipped. Makes you wonder how much other hardware/software is capable of being so completely compromised.