July 2012 archive

SC Magazine: Security practitioners need to learn the basics of IPv6

SC Magazine LogoWhat are the security issues of IPv6? With World IPv6 Launch now underway, what should security practitioners care about?

The Australian edition of SC Magazine ran a piece last Friday called “IPv6 co-founder talks protocol security” where Robert Hinden lays out some of the main issues security professionals need to be concerned about, including:

  • Unauthorized IPv6 tunnels can provide hidden gateways in and out of a network;
  • Security devices may not have IPv6 turned on and are therefore not monitoring/scanning any IPv6 traffic;
  • Operating systems may have IPv6 enabled by default and without IT’s knowledge; and
  • These IPv6 tunnels may completely bypass firewalls, intrusion prevention systems, etc.

The article recommends – but unfortunately doesn’t link to – the excellent guidelines from NIST about how to securely deploy IPv6.

We definitely agree with the thrust of the article – security professionals definitely do need to understand the basics of IPv6 because the reality is that IPv6 will be on most networks purely through operating system defaults.  Plus, as World IPv6 Launch has shown, more and more networks are starting to move to IPv6.  The time to learn how to securely implement IPv6 is now!

The Case Of The Missing Hotel Stationery…

Hotel deskSomething's gone missing from hotel rooms these days. In fact, I haven't seen it for quite some time. It used to always be there... and as a lover of writing I'd use it now and then. It was a fun way for me to stay in touch with those back at home.

I'm talking about hotel stationery.

Back in the day, as the younger kids say, that drawer in the desk in your hotel room often contained several pieces of stationery with the hotel name, address, etc. on it. If it wasn't in the desk drawer, it was perhaps in the binder or folder that was in your room describing all the hotel amenities, typically in the pocket in the front or the back.

The best stationery I can remember often had the hotel name in some fancy typeface... or perhaps embossed into the paper. Sometimes there was a drawing or the logo or branding of the hotel or of the geographic. The companion envelopes were also similarly designed.

In the evening, I'd sometimes write letters back to my wife or to other friends. Mail them off the next day... and very often beat them home so that they'd show up sometime after I'd returned. I didn't do it all that often, but now and then it was something fun to do.

Now, though, in the era of email and Facebook and Skype and Instagram, we as a society pretty much don't write letters any more. Not in our homes... not to our friends... not to our family... and not when traveling. Heck, these days many folks would probably be challenged to even find a stamp in their house if they randomly decided to send off a letter! Plus, they'd have to remember how to write with their hand for more than a few words...

And even in the random hotel that might still have stationery, the process of mailing a letter may be more trouble than it's worth. I remember maybe a year or two ago I tried to send a letter to my kids. I wrote it on the hotel stationery, but when I went to the front desk they (after looking at me as if was from Mars) said they had no stamps but that I could perhaps get them from the hotel gift shop. The shop was closed, though, and I was leaving early in the morning, and so I seem to recall bringing that letter home in my bag. Since that time, on a few random times when I've thought of it, I've not seen any evidence of any stationery anywhere in my rooms.

And so, just like hot meals on airplanes, hotel stationery fades off into memory... a quaint anachronism of a distant era.

As a writer and lover of pens and language, I admit that a part of me does lament the passing. There was something solid about writing letters. Something tangible... something "real." And something fun... since each hotel's stationery was different from that of the others.

'Twas an experience that can't really be replicated in the sterile digital world of 1's and 0's. Sure, we can use funky typefaces and can take photos of where we're at... and don't get me wrong, I love having the real-time updates from my friends and family while I'm away and completely enjoy the video calls back home.

But I can't shake the feeling that in those empty desk drawers we've lost a little something...

Ah, well.

Time to post this to my blog, where it will then go out to Twitter and Facebook and be published in ways we could never have even remotely imagined... back in the days when stationery was all there was...

P.S. And if you are young enough to have perhaps never experienced receiving anything written on stationery, the Wikipedia entry talks a bit about what you missed. :-)

P.P.S. As a bonus, if the word "stationery" falls out of usage, the new generations of kids will never have to be concerned about the difference between "stationEry" (writing materials) and "stationAry" (in a fixed place).


If you found this post interesting or useful, please consider either:


How To Hack OpenSSH To Add DNSSEC Validation

OpenSSH logoWould you like to have SSH just automagically use DNSSEC to verify the authenticity of the SSH keys you are using to connect to another system?

Over on his blog, Jan-Piet Mens lays out the steps to add exactly this, demonstrating how to add ldns support into OpenSSH. Essentially all you need to do is recompile OpenSSH with the “--with-ldns” option.

To back up a moment and explain a bit more, RFC 4255 defines how to store SSH keys in DNS as SSHFP resource records. With DNSSEC signing all the resource records for a domain, you can now verify the authenticity of those SSH keys with the use of a DNSSEC-validating resolver. This provides a more secure alternative than requiring you to in theory confirm an RSA fingerprint when you are connecting to a server.

So for this all to work, you need to:

  1. Have SSH keys for the target machine stored in DNS as SSHFP resource records.
  2. Have the domain for the target machine signed with DNSSEC.
  3. Compile and install OpenSSH with the ldns option.
  4. Have access to a DNSSEC-validating DNS resolver. (Which could be accomplished by installing DNSSEC-Trigger, for instance, or using a DNSSEC-validating DNS resolver from your ISP if they offer one.)

Once you have done those steps, the beauty of the process is that you are no longer prompted with the message “The authenticity of host ‘____’ can’t be established” with the RSA key and the question about do you really want to connect.

Right now you have to recompile OpenSSH to add the ldns support, but hopefully as DNSSEC becomes increasingly deployed more widely this will just be one of the standard compilation options so that you’ll be able to just go to the command-line and type “ssh” and let it automatically do the DNSSEC validation.

Thanks, Jan-Piet, for writing up these steps!

NIST Guidelines for the Secure Deployment of IPv6

The United States National Institute of Standards and Technology (NIST) created an excellent “Special Publication” related to IPv6 security called:

Guidelines for the Secure Deployment of IPv6

Like most of NIST’s special publications, including their excellent guide to DNSSEC, the document begins with a lengthy tutorial about IPv6 and how it compares to IPv4.   The document then walks through a number of IPv6 security issues in great detail.  As the title implies, a large part of the document is focused on how to deploy IPv6 securely, and includes detailed sections on the many different IPv4-to-IPv6 transition mechanisms.

It concludes on the very positive note:

Security risks are inherent during the initial deployment of a new protocol such as IPv6, but mitigation strategies exist and many of the residual risks are no different from those that challenge existing IPv4 networks.

And then goes on to provide lengthy appendices fully of definitions, references and links to learn more.

While written for the audience of US federal agencies, this document is an outstanding reference for anyone seeking to understand how to securely deploy IPv6 within their networks.

 

Warning! DNSSEC-Trigger Installation Issue After Mountain Lion Upgrade

Dnssec TriggerIf you are a Mac OS X user looking to upgrade to the brand new Mountain Lion release – and you also have installed DNSSEC-Trigger to have a local DNSSEC-validating DNS resolver, it seems there may be an issue during the upgrade process that you need to deal with.

[UPDATE: This issue apparently only affects new installations of DNSSEC-Trigger.  If you already have DNSSEC-Trigger installed, the upgrade to Mountain Lion works.  It is when you go to install DNSSEC-Trigger on Mountain Lion that the issue appears.]

Over on the dnssec-trigger mailing list, Olaf Kolkman of NLnet Labs writes about the problem with Mountain Lion and provides instructions for how to address the problem.  If you notice unbound not starting after  the Mountain Lion upgrade, you will need to follow Olaf’s instructions:

If the command
$ id unbound
returns “no such user”, you know that you have been bitten by this problem.

To fix:
Allocate yourself a free id. You can see the allocated ids using the following:
dscl localhost -list /Local/Default/Groups PrimaryGroupID
dscl localhost -list /Local/Default/Users UniqueID

Then assign the ids to the unbound user.
sudo dscl localhost -create /Local/Default/Users/unbound PrimaryGroupID <number>
sudo dscl localhost -create /Local/Default/Users/unbound UniqueID <number>

In his email message, Olaf also provides a “use-at-your-own-risk” shell script for performing this fix.  He also indicates that the DNSSEC-Trigger team will be including a fix in a new release sometime in the next few weeks.

Google Now Lets You Handwrite Search Queries On iPad, iPhone, Android

Google handwritingOkay, I admittedly find this pretty cool... you can now enter search queries into Google on a tablet or mobile phone just by writing anywhere on the screen!

As Google's blog post outlines, you need to go to www.google.com on your mobile device and then go into the Settings to configure this option. You do NOT need to sign in to Google. You just need to go there in your mobile web browser.

I've tested this on both my iPad and iPhone and found it worked quite well (per the blog post and Help Center page, it also works on Android phones and tablets - and is available in 27 languages). I find it particularly useful on the iPad where you have the larger screen to write on. On the iPhone, maybe my fingers are just too big but I found it tight to write in the regular portrait mode.

I did notice, though, that you can enter one or two letters, pause, then enter another letter or two... and as you do the search window is updated with what Google thinks the text should be as well as search query suggestions. So you may just be able to write a few letters and then tap the correct search suggestion.

Now, the question, of course, is WHY I find this interesting and the answer is that I have had some times when I'm in situations where it's not super easy to type nor do I want to be talking to my phone (i.e. using Siri). With the iPad, in particular, there are times I'm holding it while walking around at an event where typing with two hands would not be easy and voice usage isn't really possible. I could see this potentially being faster than hunt-and-peck typing a query using one hand. Will I use it all the time? No... but certainly I can see it being nice to have this option.

What's also interesting about this feature is that it requires you to go to "www.google.com". It doesn't work with the "search" box that is in the top of Mobile Safari in iOS. You need to go to Google's home page... so Google is pulling you out of using the app (Safari) and into using their web page. If you get used to doing that, Google can of course introduce other functionality - and if you are "signed in" you see your Google+ notifications and can easily access other Google services. Intriguing move by Google.

What do you think? Will you use this capability on your iPad, iPhone or Android device?

P.S. Alas, it is not as all-powerful as TechCrunch asserts with an ability to interpret cursive handwriting. I made several attempts at using cursive and found that in some cases the accuracy was "okay", but clearly not as good as block printing. In fact, Google's Tips for Handwrite very clearly state at the beginning that you should use block printing versus cursive.

And here is Google's video on the topic:


If you found this post interesting or useful, please consider either:


Video: An Excellent Tour Of Voxeo’s Awesome New Office!

Voxeo logoMy friends and former colleagues at Voxeo have produced a truly outstanding video giving a tour of the incredible space they have created in Orlando, Florida:

Kudos to the Voxeo marketing team for creating this video! And congrats to Jonathan Taylor and the rest of the team for realizing his vision of creating a truly unique working space and corporate culture in Orlando.

I'd note that Voxeo is quite often hiring and truly is a great company to work for. If you're looking for a job in the communications space with an excellent team of people, you should definitely check them out!

(Full disclosure: I worked for Voxeo from 2007-2011 and remain a shareholder.)


If you found this post interesting or useful, please consider either:


Hiring! Looking For An IETFer To Join ISOC’s Deploy360 Programme

Deploy360logo 300Do you want to help get open standards like IPv6 and DNSSEC more widely deployed? Would you like to see other technologies developed by the Internet Engineering Task Force (IETF) more rapidly adopted by network operators?

Are you passionate about the need to preserve the open nature of the Internet? Do you like to write, speak and create other forms of content? Would you like to be part of the Internet Society, the global nonprofit that serves as the organizational home of the IETF?

If so, the team I'm part of that is behind the Internet Society Deploy360 Programme is looking for YOU!

As we noted on the Deploy360 blog, we're currently hiring a new position into the team specifically to interact with network operators and help accelerate the deployment of open Internet standards.

You can read read the job description for what is called the "Operational Engagement Programme Manager". As noted in the document:

The Operational Engagement Programme Manager is a newly created position within the Internet Society. This position will report to the Director, Deployment and Operationalization. The primary focus areas of this position will be to: 1) develop and coordinate increased industry collaboration and conversations about the operationalization of Internet technologies; 2) work with targeted audiences around the globe to develop operational documentation on technology topics covered by the Internet Society Deploy360 Programme including, but not limited to, IPv6 and DNSSEC.

The job description goes on to list out the responsibilities and desired qualifications... the key point is that we're looking for someone who can help us expand the work we're doing in creating content that helps people deploy technologies such as IPv6 and DNSSEC. We're a small, fast-moving team that is highly focused on finding and creating the best possible content and promoting that through many different channels.

If you join our team, you'll be writing for the Deploy360 site and probably working with video, too. You'll be interacting with network operators through various online channels, including social media. You'll be speaking at events scattered all around the world.

And you'll be having fun while doing it! And serving the incredibly important mission of promoting the value of the open Internet!

Additionally, THIS IS A "TELEWORKING"/VIRTUAL POSITION! You do NOT have to be located in our Geneva, Switzerland, or Reston, Virginia, offices, but can be located anywhere. You can, just like me, work out of a home office. (There's this wee little thing called the Internet that makes this possible!)

One note - you MUST have experience with the IETF, so if you have never interacted with the IETF... well... don't bother applying! Experience with other operator groups is also very important.

If you're interested, the job description has contact information and instructions. We're also going to be out at IETF 84 in Vancouver next week speaking to people about this new role and would be glad to meet with you there. We have already received applications, so if you are interested, please contact us soon!

We've got a lot of great plans ahead of us... and we're looking for the right person to join our team. Please do check it out and consider applying!

P.S. The Internet Society is also hiring a Senior Director of IT Development and several other roles. It's a great organization with great benefits, great people and a great mission!


If you found this post interesting or useful, please consider either:


Images/Photos Alone Do Not Make A Content Strategy

Thisisnotacontentstrategy

Credit: C.C. Chapman

Lately, it seems, the social media world is all abuzz about "images" in various forms. Photos, pictures... Instagram... Pinterest... infographics... plus Twitter, Facebook and Google+ all enhancing their capability to handle photos... and now this intense fascination with posting images with words and sayings on top of them!

I get it. I do. Visual storytelling is incredibly powerful. Evocative. Inspirational. Images and photos can transcend words and cut right to the emotional core of an issue. I personally enjoy photography, and you can usually find me shooting photos at events I attend. I'm sharing photos all the time into Facebook, Twitter, Google+, etc.

But...

... lately we seem to be seeing in the corporate PR / marketing / social media space a really severe case of "bright shiny object" syndrome. All over the place... large enterprises, small startups... and everyone in between.

Oooo... let's post a bunch of photos to Instagram because we'll look hip and cool! Hey, clearly we need to be pinning all the photos we can to Pinterest boards, because "everyone" is doing it! Hey, look, another new mobile app that lets us do _____ with our photos - cool! Wow, look how cool we are because we can post a photo with some pithy quote written on top of it in a funky font! And let's not even jump into the cesspool of poorly done infographics...

All of this without answering a fundamental question:

WHY?

WHY are you posting those images? Why are you using that service? How do the images help communicate your message to your audiences? How do they help get your message out? How do they facilitate sharing? How does posting the images to ______ increase your interaction with your audiences?

Now, don't get me wrong... experimentation is awesome and necessary. And I'm the last one to talk about chasing bright shiny objects... that's what I love to do (and in fact write about). Experimentation is really required if you are going to stay on top of the insane pace of new products and services appearing on a daily basis. But there is a difference between experimentation and trumpeting the fact that you are now using these services, as if the use of those services will somehow make you cooler and help you communicate better.

They might help you communicate better, and you won't know unless you experiment... but as you experiment you need to think about the why.

Ultimately these services are all tactics that need to line up with a larger strategy.

Why are you using them? Why are you posting the images you choose to post?

Do the images help educate your audiences about your products? your mission? your services?
Do they help humanize your organization and show a more personal side? or show the people behind the name?
Do they entertain or amuse people and help build your community?
Do they inspire people because of how beautiful or artistic they are?
Do they promote your brand name or social account? Will you gain more followers/fans/etc?

How does posting images to service X fit within your larger strategy? Now, maybe you are posting that LOLcat image purely as link-bait to build your followers... that's okay, just call it what it is. And this doesn't mean that every image needs to be serious and "on message" - images can certainly be posted "for fun"... and maybe that's one of the purposes they serve.

The point is that some conscious thought needs to be given to the use of images and the use of the various services... rather than just doing it "because everyone is doing it"!

As I was thinking about this, a trio of posts yesterday on this precise topic caught my eye:

First, in "Pictures With Words", C.C. Chapman provides this awesome photo that I've included here and hits the point:

If your brand is thinking about diving into this because everyone is doing it, remember that it is a tactic and not a strategy. Where does it fit into your other marketing programs and what can you do with this trend that is unique and relavent to your business? Always ask why before you do anything. Make sure it is a fit and that you are not doing it simply because everyone else is. Following the herd rarely gets you noticed.

We as a society love shiny new toys and are scared of doing the grunt work. We see other people doing things, so we have to do them. If there is a shortcut that looks like it’ll make things easier we take it.

Exactly!

Second, in "The Rise of the Junkweb and Why It’s Awesome or At Least Inevitable", Chris Brogan talks about this new love of images as the "junkweb":

It’s the Junkweb. Why “junk?” Because the original intent of the Internet was that links were gold, that searchability was key, that this ability to find anything and use resources from wherever was magic. And this new web? The web of pictures with text over them? They’re junk. They’re a dead end. The picture is the payload. They don’t lead you elsewhere. They are the stopping point, the cul de sac.

But goes on to say that maybe this is okay in our new world and that the new tools we have access to have in fact made it easier for anyone to participate and share. He concludes offering three suggestions for people to engage in the "junkweb":

1. Make interesting graphics worth sharing.
2. Make it easy to share them.
3. Evoke an emotion.

And for Chris the "why" is because this world of sharing images is where the sharing and interaction happen between "regular" people and thus is worth investigating. Good article and, as with many of Chris' posts, the comment stream is well worth a read, too.

Finally, in his AdAge column titled "The Revolution Won't Be Televised; It Will Be Instagrammed" and subtitled "Businesses That Bank on Photographic Storytelling Will Win", Steve Rubel discusses why businesses should pay attention to what is going on with the rise of visual storytelling through photography. Inadvertently aligning with Chris Brogan's "junkweb", he writes:

Visual storytelling today is blissfully cliche. Photos are deliberately over animated, over filtered and even over exposed. They ignore all the rules. Just as the proliferation of texting arguably made the written word less formal and YouTube did the same for video, the ubiquity of smartphones has changed the expectations of what's considered "good" photography.

On this last sentence my professional photography friends can definitely agree! Steve goes on to basically offer suggestions for people involved with advertising to get involved with this space. Earlier in the article, too, he makes some interesting points with regard to why photos will be more important that videos, particularly with regard to mobile devices.

He doesn't touch on the "why", though, beyond the fact that this is the "new normal" and businesses need to be embracing it.

Which goes back to my original points... WHY are you embracing the use of images? Or perhaps more HOW are you going to embrace them? How does it help you?

Are you asking these questions?


If you found this post interesting or useful, please consider either:


Have You Checked Out This Online IPv6 Training?

Are you looking to learn what IPv6 is all about?  Would you like to understand the basics of how IPv6 addresses work?  If so, the 6Deploy project has put some great video tutorials online at:

http://www.6deploy.eu/e-learning/english/

As we mention on our resource page about the training, the seven sections of the course cover the basics of IPv6, the construction of IPv6 addresses and headers, security issues, mobility/routing issues and suggestions for co-existence with IPv4.  If you have a few minutes to watch these videos, you may find them a quick way to start your learning about IPv6:

6DEPLOY training

P.S. The 6Deploy project also has a great set of IPv6 tutorials that you may find helpful.