February 2014 archive

Weekend Project: Join the XMPP “Security Test Day” today to test DNSSEC / DANE

If you have a bit of time today, February 22, 2014, and want to help an effort aimed at making the Internet more secure, the XMPP Standards Foundation (XSF) is holding their second “Security Test Day” today.  The goal is to encrypt all traffic between servers and clients on the public network of XMPP servers. (Note that some of you may be more familiar with XMPP by its original name of “Jabber”.) This is all laid out in their manifesto for ubiquitous encryption on the XMPP network.

The connection to the work we are doing here at the Deploy360 Programme is that many of the XMPP servers have DNSSEC-signed domains and many are implementing DANE to secure the usage of TLS/SSL certificates in both server-to-server and client-to-server communication.  The XSF provides guidance on securing DNS via DNSSEC for XMPP servers and the IM Observatory provides two lists of interest:

It is outstanding to see the number of servers that have implemented both DNSSEC and DANE!  

Anyway, if you have an XMPP server, or want to set one up, today is a test day when the XMPP community is working on encrypting all their communication.  Visit their “Second Security Test Day” post to understand more about how you can participate.

This is great work that will definitely help make part of the Internet more secure. If you have time to help today, it would be great!

TDYR #107 – The Joy Of Local Theatre Productions

TDYR #107 - The Joy Of Local Theatre Productions by Dan York

NIST Offers New Tool To Verify TLSA Records For DANE / DNSSEC

Are you experimenting with using the DANE protocol to provide an additional layer of security to your TLS/SSL certificates via DNSSEC?  Would you like to easily test that your TLSA record needed for DANE works correctly?

If so, the folks at the US National Institute of Standards and Technology (NIST) now have a new tool for testing TLSA records and DANE support.  All you do is go to:

https://www.had-pilot.com/dane/danelaw.html

and in the simplest form just enter the URL of the site you want to test.  Here is an example of what happened when I entered https://www.freebsd.org/:

[Image: dane-tls-testing-nist-tool]

The site basically tests that you have your TLSA record correctly configured and that it matches the TLS/SSL certificate you are using with your web server.

Now, if you don’t have a site with a TLSA record but want to see how the tool works, the NIST tool helpfully lets you choose from one of the DANE test sites we list here on Deploy360.  You can also connect to the NIST “DANE Reference site” to explore different usage types.
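The check described above, comparing a TLSA record with the certificate a server presents, follows the selector and matching-type rules of RFC 6698. The sketch below is an added example, not the NIST tool's code; the function names and the constructed DER skeleton standing in for a certificate are assumptions, and it presumes the TLSA record has already been DNSSEC-validated.

```python
import hashlib

# Matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
MATCHERS = {"0": lambda b: b, "1": lambda b: hashlib.sha256(b).digest(),
            "2": lambda b: hashlib.sha512(b).digest()}

def read_tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)    # subjectPublicKeyInfo
    return cert_der[pos:end]

def tlsa_matches(rdata, cert_der):
    """Compare one TLSA record (presentation format) with one DER certificate."""
    # The usage field is not interpreted here: usages 0 and 1 also need PKIX
    # path validation, and usages 0 and 2 are matched against a CA certificate.
    usage, selector, mtype, *hexdata = rdata.split()
    assoc = bytes.fromhex("".join(hexdata))
    if selector not in ("0", "1"):
        raise ValueError("unknown selector")
    selected = cert_der if selector == "0" else extract_spki(cert_der)
    if mtype not in MATCHERS:
        raise ValueError("unknown matching type")
    return MATCHERS[mtype](selected) == assoc

def der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only

# Constructed input: a DER skeleton with the X.509 field layout, not a real
# certificate. RENEWED keeps the same key but carries a new serial number.
SPKI = der(0x30, b"constructed-key!")
def skeleton(serial):
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, serial)
           + der(0x30, b"") * 4 + SPKI)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
CERT, RENEWED = skeleton(b"\x01"), skeleton(b"\x02")
PIN_KEY = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()
PIN_CERT = "3 0 1 " + hashlib.sha256(CERT).hexdigest()
```

With the constructed pair, the `3 1 1` record still matches after the certificate is reissued with the same key, while the `3 0 1` record matches only the original certificate and would have to be republished.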

In an email message to several public mailing lists, tool author Stephen Nightingale at NIST indicated that his latest version of this tool was now offering the choice of testing from clients based either on TLSlite or GnuTLS. He goes on to note:

Mine was one of the ‘DANE-in-the-App’ sites that Viktor Dukhovni reviewed, and he kindly gave an extensive critique. Many of his points have been addressed. A few things still to clear up:

  • I’m not checking for certificate revocation. That is on the list to fix.
  • For 0xx and 1xx uses, it is hard to identify a single canonical CA list. I have overlapping, but different Root Cert sets from Mozilla, Fedora and Linux Mint. So when searching for an authority to build a verification chain I cycle through all of these until succeeding or exhaustion of the possibilities. Some of the DANE 360 listed sets (including some from members of this group) fail to authenticate because the root certs are not in my authorities. A golden, canonical CA list would be nice to find. But I guess that its non-universal availability is one of the problems of the CA system that DANE is aiming squarely at.

The differences between TLSlite and GnuTLS clients highlight the fact that there are unresolved interoperability issues among TLS implementations. It seems reasonable that TLS interoperability testing be instituted as pre-requisite to DANE testing. The development of a TLS Interoperability test suite is therefore on our ‘to-do’ list. I look forward to seeing the newly upgraded OpenSSL client with added DANE. It is quite possible that as an interim step before its appearance I will add this DANE-in-the-App implementation to pyOpenSSL and/or Twisted.

Thanks to Stephen and the team at NIST for making this tool public and we hope that it will help those of you working with DANE to test out your implementations.

Have You Joined The "FIR Podcast Community" On Google+?

If you are interested in social media, PR, marketing, podcasting and similar topics, have you joined the "FIR Podcast Community" on Google+? While the community is intended for listeners of the "For Immediate Release (FIR)" network of podcasts it is just a great place to go to keep track of current issues, ideas and trends within the world of PR/marketing/communications.

The community has a good mixture of posts by FIR podcast hosts about their shows and also from listeners and others who post links and engage in topics that are along the lines of the themes of various FIR shows.

It's one of the communities on Google+ to which I regularly go and participate in as often as I can. Pretty much every time I visit I see some links that I find helpful.

Anyway, if you have not yet joined the FIR Podcast Community on Google+, I'd encourage you to do so!
 




TDYR #106 – Reflecting On The Facebook Acquisition Of WhatsApp

TDYR #106 - Reflecting On The Facebook Acquisition Of WhatsApp by Dan York

Telcos Should Be Worried – Facebook Controls More OTT Messaging With WhatsApp Acquisition

Talk about disruption... the telecom part of the media world is buzzing with news of Facebook's acquisition of WhatsApp. Techmeme is currently showing MANY posts on the topic and the day is just getting started.

The key point here is that WhatsApp is a prime example of what is often called an "Over-The-Top" or "OTT" application. It uses the data channel on a mobile phone to provide services. Here's another key point from the Facebook news release:

  • Messaging volume approaching the entire global telecom SMS volume.

The traditional telecom companies ("telcos") have already seen their voice revenue seriously eroded by Skype and so many of the other OTT voice applications (such as Viber, which was just acquired) and they've been watching SMS traffic and revenue plateau and decline.

WhatsApp was already one of the major players in the mobile messaging space... indeed I have friends in Europe who tell me they can't remember the last time they sent an actual SMS message because they use WhatsApp for all their messaging. Their usage, too, is not just about the "free" cost of WhatsApp messages - it's also about the richer messaging experience they can get over WhatsApp versus plain SMS. They can send photos, display an online status, engage in group chats and much more that was just either difficult or expensive to do with SMS. And... they can send messages to anyone using the app regardless of where they are in the world. They don't have to worry about fees to send SMS messages internationally.

The user experience is so very simple and easy.

Plus, WhatsApp (and other OTT messaging apps) solves the directory issue by just using your mobile phone number as the identifier within their system. With a quick approval of access to your contact list you can immediately start sending messages to any other WhatsApp users. You don't have to try to get anyone's number... it's all stored in the big giant (and constantly growing) WhatsApp user directory.

And now... instead of WhatsApp being a venture-backed startup out there building its service, it is now backed by Facebook, at this point one of the more powerful corporate entities on the global stage today.

Note, too, that Facebook has also been an OTT messaging player for some time with their "Facebook Messenger" application, which even introduced voice calling at one point in the US. In a post today, Mark Zuckerberg writes about how the two apps will co-exist for different communities of friends/contacts (see also the WhatsApp blog post). Zuckerberg also writes of how WhatsApp is, in his mind, on its way to connecting a billion people.

And that is really what should concern the telcos - one of the largest OTT messaging apps is now owned by the largest global social network.

A Larger Danger

There is, though, a broader concern, not just for the telcos but for all of us. All of these OTT messaging apps... whether they are WhatsApp, Line, Facebook Messenger, Apple's iMessage, Google+ Hangouts, Skype ... or any other... are creating SILOS of users.

They are proprietary "walled gardens" of messaging.

You can ONLY send messages to people who have the app installed on their mobile device.

Say what you will about SMS, but the reality is that you can send a message to pretty much anyone with a mobile phone, anywhere on the planet. No apps to download... it's just a "feature" of having a mobile phone.

WhatsApp requires the app. And specifically the app from Whatsapp and not anyone else's application. WhatsApp does NOT have an open API that anyone can use. In fact, WhatsApp's legal counsel was recently sending DMCA takedown notices to crack down on projects interacting with Whatsapp (presumably in the run-up to this acquisition). WhatsApp - and now Facebook - are in total control of the user experience and interaction for mobile messaging on the service.

Is this REALLY what we want for the future of mobile messaging?

Way back in 2007, I wrote about how "e-mail" was returning into walled gardens and while today's players are different than the diagram I had then, the situation is similar.

This is not the open Internet.

And that should concern us all.




Reminder: Curling Open House TONIGHT In Petersham, MA – Try It Out!

Want to try out the sport of curling TODAY?  As we mentioned earlier, the Petersham Curling Club is having an Open House free to anyone TONIGHT, Thursday, February 20, from 6-9 pm.

Over 280 people attended last Sunday’s Open House and the PCC has posted some great photos online.

The  Petersham Curling Club (PCC) is about 45 minutes south of Keene. Just head south on Route 32 (going down past the Keene airport) and stay on Route 32 all the way down through Richmond, NH, Royalston, MA, Athol and on into Petersham.  The club is located right off of Route 32. More information can be found on the PCC directions page. In good weather it takes about 45 minutes to get from Keene down to the Petersham club.

At tonight’s Open House, you’ll learn how to deliver a stone, the role of sweeping and more. This will be a great opportunity to get on the ice and experience the sport yourself. All you need to bring is a pair of clean, rubber-soled shoes and your enthusiasm!

The Petersham Curling Club is a great place to curl and is where several of us involved with starting up the Monadnock Curling Club all curl.  We strongly encourage you to head down to Petersham, MA, and check out the Open Houses.  And if the curling bug bites you as it has us, please do join the PCC and start playing the awesome sport of curling!

This is where you can get started today and enjoy curling!

And then…  please let us know you are interested in seeing curling come to Keene!

 


Update on DNSSEC Deployment Maps: Github repo for tracking issues, newgTLDs, more…

The positive reaction to our publishing of DNSSEC deployment maps has been great to hear and I wanted to provide a quick update.

1. The DNSSEC deployment maps are published every Monday. The best way to receive the most current maps is to subscribe to the dnssec-maps mailing list.   I will be updating our DNSSEC Deployment Maps web page from time to time when there are major changes, but the most recent maps will always go out to the mailing list.  (I’d love to automate the posting to the web page – ideas about how to do so in WordPress are definitely welcome!)

2. There is a Github repository where you can file issues/suggestions. In preparation for making the source code publicly available, we’ve created a repository on Github at https://github.com/Deploy360/dnssec-maps/. We still need to make some changes to the code to make it publicly available, but in the meantime the major feature of the Github repo is that we now have a convenient place to track “issues”, which could be bugs or feature ideas or more.  If you have a Github account (or want to create a free one), you are welcome to raise issues at:

https://github.com/Deploy360/dnssec-maps/issues

I don’t have a timeframe for when we’ll make the code available – it’s honestly a bit of a background task that I’m trying to fit in amongst everything else and with IETF 89 fast upon us it may not happen for a few weeks.  Meanwhile, though, the issue tracker is already being helpful.

3. All newgTLDs have been entered up to now. I finally caught up with the backlog of all the DNSSEC-signed “new generic top-level domains (newgTLDs)” that have been delegated by ICANN and now have a DS record in the root zone.  These newgTLDs don’t show up in the DNSSEC deployment maps but do show up in the CSV files that are emailed out every Monday.  Given that ICANN is delegating more newgTLDs on a weekly basis, it will be a constant effort to update our database, but at least now we’re caught up to the present time.

4. Visualizing the DNSSEC status of the generic TLDs is of interest. As I noted in a recent post here, I would like to think about how we could provide an image in the email that visualizes the DNSSEC status of all the generic TLDs, both the “newgTLDs” and all the ones that existed before.  Suggestions and ideas would be welcome, either to this post or to the “issue” on Github.

That’s the quick update… I am glad some folks are finding this service useful and welcome any comments and feedback.  Thanks!

Smithsonian: Why Curling Ice Is Different Than Other Ice

What makes curling ice so different than other ice?  What extra preparation has to be done to the ice?  And how does sweeping really work?

The Smithsonian Magazine has a great article out this month that dives into detail about what goes into making curling ice – and how it is different from, say, ice used for figure skating or hockey.  The key part about the ice is:

If curling ice was flat, the stone would move barely halfway across the “sheet,” or curling lane. And that’s assuming the curler is hurling it as hard as possible. Friction would halt the rock within seconds. So, to make the ice more amenable to the sport, devoted ice makers employ a technique called “pebbling.” More or less what it sounds like, pebbling involves freezing small droplets of water across the playing surface between each match.

Curling stones weigh 44 pounds. They are concave, on bottom, which limits the contact they have with the ice. The curling stone’s concave bottom, which limits how much it comes into contact with the ice, and the pebbles reduce friction. Essentially, the pebbles melt a bit when the heavy stone runs across them, creating a micro-layer of water upon which the stone can glide.

The pebbles create the “spin” (or curl, hence the sport’s name) of the stone after it’s released, at least in part; physicists contend that something called “wet friction” also accounts for the curl. Sweepers—those furious ice brushers who’ve become fodder for Olympic memes and GIFS—use a broom to brush the pebbles, thereby changing how the stone spins. Specific techniques melt the pebbles, reducing friction and helping the stone travel even farther and straighter. Naturally, the game changes as the pebbles erode, and sweepers have to constantly compensate.

The article goes on to talk about the efforts made by professional ice-makers (and yes, there are those people) to prepare the ice for events such as the Sochi Olympics.  It’s well worth a read to understand why curling ice is different!

(And if you found that interesting, please sign up to help us bring curling to Keene!)