November 2012 archive

What Happens When All Communication From A Country Is Disrupted?

What happens when all communications into and out of a country is completely disrupted? We're seeing that right now with Syria. As I wrote on CircleID yesterday, all Internet access is down... and reports say that all communication via cell phones and landlines has also been terminated.

What happens when a country just completely... drops... off...

It's scary, really, to think about. And we're seeing it play out right now. The links are still all down.

My thoughts are definitely with the people there in the country. I hope things are okay... and that the connections get restored soon.

Crazy times...

Hash-slinger Helps You Easily Create TLSA records for DNSSEC / DANE

If you are looking to get started with the DANE protocol to provide higher security for SSL/TLS certificates, a basic question can be – how do you generate a TLSA record to put in your DNS zone file?

As we outlined before, there are a number of different tools you can use.  One that is perhaps the simplest, though, is a package for Linux from Paul Wouters called “hash-slinger” that is available at:

http://people.redhat.com/pwouters/hash-slinger/

One of the tools provided in the package is a command “tlsa” which does exactly what you might think – generate the TLSA record!  Paul showed how easy it is:

$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

That’s it!  Now you can copy that record to your DNS zone file and you will be in the business of publishing a TLSA record!

Well, okay, it might not be that simple.  If your nameserver or DNSSEC-signing tool doesn’t yet support the TLSA record (outlined in RFC 6698), you might need to add a “-o generic” flag onto the command line to get the appropriate record. And you might want to add on more options, as Shumon Huque did in his walk-through of setting up a TLSA record.

The key is that this tool is out there and can help all of us interested in getting the DANE protocol more widely deployed to start getting TLSA records more visible. Kudos to Paul for developing the tool and making it available.

If you use SSL/TLS on your sites, and you have your domain signed with DNSSEC, why not go the extra step and get a TLSA record out there?

Hash-slinger – a tool for creating TLSA records for the DANE protocol

Hash-slinger is a package of tools created by Paul Wouters of RedHat to make it easy to create records for  the DANE protocol that will allow you to secure your SSL/TLS certificates using DNSSEC.

The package is available for Linux at:

http://people.redhat.com/pwouters/hash-slinger/

One of the tools provided in the package is a command “tlsa” that generates TLSA records (outlined in RFC 6698). Paul Wouters showed how easy it is:

$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

You can now copy that record to your DNS zone file and be in the business of publishing a TLSA record.

If your nameserver or DNSSEC-signing software does not yet support the TLSA RRtype defined in RFC 6698, you can create a “generic” record type:

$ tlsa --create -o generic ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TYPE52 \# 35 03000154f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

The “tlsa” command also has other options for generating other types of TLSA records.

 

 

Finding My "Barriers To Blogging" Apply To Audio Podcasting As Well

In thinking about how I might do more audio podcasting, I found myself hitting many of the same barriers I wrote about with regard to blogging... so I made this recording:

 

Syria Disconnects From The Internet (Featured Blog)

This morning brought word that all Internet connections into Syria had been severed. Internet monitoring firm Renesys was among the first to report the news in a blog post that they have continued to update. That news was subsequently confirmed by other sites and services... Multiple reports indicate that all Internet, cell phone and landline connections to all or most of the country have been severed. More...

Syria Disconnects From The Internet (Featured Blog)

More...

Skype 4.2.1 for iPad/iPhone Brings Microsoft Integration, Chat Interop, Better IM Features

Skype for ipadSkype today brought its increased integration with Microsoft services to the iPhone and iPad with the new release 4.2.1 available in the iOS AppStore. As you can already do in the Windows, Mac and Android versions of Skype, the big feature is that you can now sign in with your "Microsoft account" and merge our Skype contacts with those from Windows Live Messenger (WLM) and Outlook.com. You will now be able to chat back and forth with your WLM contacts directly from within Skype.

This is very cool from the point-of-view that Skype has always been a "walled garden" of instant messaging (IM) that did not interoperate with any other service. Many of us long ago wound up having to use two IM clients on our system: 1) Skype; and 2) a multi-service client (like Adium or Pidgin) for all the other IM networks. This doesn't quite solve that problem because it is now really just expanding the Skype client to work with two IM networks, but it is at least a step toward greater interop.

In a post on Skype's "Garage" blog, Beom Soo Park indicates these new features:

  • Sign in with your Microsoft Account to merge your Windows Live Messenger, Outlook.com and Skype accounts - then IM those contacts direct from Skype. 
  • Ability to edit and delete instant messages 
  • Choose an emoticon while typing an instant message via a new emoticon picker 
  • Animated emoticons for devices with a Retina display
  • Edit phone numbers from the dial pad
  • Create a new Skype account when you download the app 
  • UI improvements

Skype's post on their "Big Blog" has a bit more detail and mentions that Skype for iOS has now been downloaded over 120 million times.  The improvements to the chat interface, particularly the editing, will definitely be useful.  I personally don't really care about the improved emoticons, but I know some people do like those and will be pleased.

My only criticism is that in order to make use of the Microsoft integration you have to log out of your Skype account and then login with your Microsoft account, at which point you presumably can merge the accounts.  It's not a big deal to me, as I don't use a "Microsoft account" these days.  I certainly did have a WLM login that I used to use years ago, but I haven't used it in years and don't really feel any compelling need to do so.  Still, it would be nice if the Microsoft account could just be added to your existing Skype login as you can do in so many other IM clients.

Anyway, Skype 4.2.1 for iOS/iPad/iPhone is now out there and ready for download from the AppStore.

P.S. If you installed Skype 4.2 yesterday, you'll need to go back to the AppStore today to get Skype 4.2.1 as there were some critical bugs that were fixed in 4.2.1.


If you found this post interesting or useful, please consider either:


 

Can A Blog Post Be A "Work In Progress"?

Are we stuck with the mental model of blog posts as pieces of content that are just published and then not touched again?

Or can we treat a blog post as a "work in progress" that will continue to evolve and expand over time?

I have been asking myself this question in relation to my quest to tear down some of my own barriers to doing more blogging. The model that we have had since the early days of blogging has been one more similar to traditional news media - you write an article, you publish it, you move on to your next article.

You "fire and forget."

Sure, you might go back and update the article if something was wrong or if later information changed the story a bit, but even in the latter case it is often more common to write a new story with the updated facts and then link to the new story from the old one.

But what if we just posted a blog post as a first draft knowing that it would change and evolve over time?

Almost something more like a wiki. ... perhaps a "blicki" :-)

Where you post knowing full well that you will be editing... and then you do so.

Interestingly, I have been seeing news sites doing this. In the rush to be the first one out with a story to get the tweets and retweets and links, they will publish a stub story with "more details to come" - and then they will in those details in the subsequent minutes and hours.

Can we do that as individual writers though? Can we give ourselves permission to post a partially done piece? And can we have the discipline to go back and update it?

An Implied Contract?

To expand on this a bit (and practice this kind of editing myself), I wonder:

Do we have an implied "contract" with our readers?

Do they expect that the content will not change from when they first read it?  Or at least not change dramatically?

Many of us, myself included, seem to feel there is this implied contract and so when we do go back and update a post, we'll often put those updates at the top or bottom of the article with some kind of marker like "UPDATE:" to clearly show what was been updated.  Or we will use strikethrough to indicate that text is removed.

But what if we just wove all the updates in together to make a cohesive article?

Would readers find that troublesome?

What if the initial content is only a few paragraphs... and then over time it evolves into a lengthy document going on for several pages?

What about the "integrity" of a piece?  If someone else quotes an article or references an article as containing a specific quote or bit of information... but then the article gets modified so that that quote or content is no longer there... what does that mean for the original reference?

For these reasons we tend to think of writing that gets posted online as "fixed"...  but what if we move away from that and let posts evolve over time?

What About The Aggregators?

In the comments to this post, Michael Richardson asks "what will my aggregator think?" And indeed that is a good question. Many people read blog posts in aggregators / news readers / other clients that often pull copies of the articles down onto the local system for the user to read. However, once the article is retrieved, the aggregator may or may not go back and retrieve the article again. And so the user may be sitting there reading an article that is now outdated.

Even with my own aggregation site, danyork.me, where I aggregate pointers to all of my writing, I have it set to pull in the RSS feeds from all my sites and store the contents in that WordPress site. (The site is not indexed by search engines to avoid "duplicate content" issues.) Now, in the particular syndication plugin I use, I have set it to merge in and overwrite any changes that come in from the RSS feeds. So as I update this post, the changes should be reflected over on that site. But I don't believe that was the default setting. I think the default was to ignore any changes in the RSS feeds... so the aggregation site would be out-of-sync with the real content.

For all these reasons, it's not clear to me that we should move away from the way we work today. But could we?

I don't know... it's a shift in thinking.

What do you think?


P.S. You may also be interested in reading "Subcompact Publishing" by Craig Mod. It's a long piece that is exploring a different question, that of our mental model of a "magazine" online, but a similar kind of thought experiment...

Fashion Designer Chris Benz, Copyright, Photography – And Watching The Social Web React

Jessica nicholsRight now a part of the social web is in full reaction mode to what they see as a strong injustice... and we can watch it unfold right now in Facebook, Twitter, Google+ and more.

Photographer Jessica Nichols has laid out her case in a lengthy post that begins:

I have been fighting an infringement of my work since July and it is time to share my story. Fashion designer Chris Benz used my Loads of Ranunculus photograph without my permission and without compensation on his Spring 2012 line.

She goes on to show photographs, including one where a reader matched her photograph pretty much identically to one of Chris Benz's purses.

Having received no response from Chris Benz or his sponsors, she has put out a call to action for people to let Benz and his corporate sponsors know what they think through their Facebook pages and Twitter accounts. That post was echoed by others and spread into social networks. I saw one such post of support on Google+ where it was spreading virally through friends of mine.

And it's happening... I can see the comments on Chris Benz's Facebook page filling up... and the "Posts by Others" on the Saks and Lancôme pages seem to have posts there.

As a (casual) photographer myself, I certainly understand why Jessica Nichols is upset - and I do hope some resolution can be found sometime soon.

In the meantime, the social web is responding... and unless there is a response from Chris Benz and his sponsors sometime soon, I don't expect it to go terribly well for them...


If you found this post interesting or useful, please consider either:


BT Releases Survey Results on DNSSEC Deployment

BT DNSSEC Survey ResultsYesterday BT’s Diamond IP group released their first DNSSEC Industry Survey Results that resulted from a survey of 120 participants from around the world in October 2012.  The key findings they report in the executive summary include:

  • Only 13 per cent of respondents have deployed DNSSEC signed zones in production and another five per cent are in the process of deployment. Even fewer have configured their caching recursive servers for DNSSEC validation with eight per cent having production deployments and another nine per cent progressing in deployment.
  • Despite modest deployments, nearly two-thirds of respondents agree or strongly agree that DNSSEC can provide organizational benefits and that DNSSEC technology is mature enough to deploy reliably. On the other hand, over half of respondents agreed that DNSSEC provides limited value until more validating resolvers are deployed, highlighting the “chicken and the egg” challenge for DNSSEC deployment.
  • Respondents generally agreed but were a bit unsure about supplementing DNSSEC deployments with hardware security modules (HSMs) with nearly half being neutral and over a third agreeing.
  • Leading obstacles to DNSSEC deployment were complexity of deployment and the inability to demonstrate a strong business case. Training issues and complexity of ongoing DNSSEC management caused concern as well.
  • Because DNSSEC requires knowledge of both DNS and cryptography to some degree, education and training programs may help improve industry awareness of the operation, benefits, and administrative requirements for deploying and maintaining DNSSEC secured resolution.

Most all of which is much inline with what we’ve seen in our own research and in fact the latter two points were precisely why we created the Deploy360 Programms – to get that kind of deployment information and education more widely known so that we can get DNSSEC more widely deployed.

I was particularly interested in the results on page 5 that asked about the value of DNSSEC.  Some of the answers were interesting – and also point to areas in which we as an industry need to provide better information to help people understand the value.  The “Top obstacles to DNSSEC deployment” chart on page 6 also agreed quite well with what we’ve heard from others.

One interesting question I’d not seen asked on other surveys about DNSSEC was about who would be responsible for the company’s DNSSEC implementation (page 8), with an interesting split between the “DNS” and “security” groups, highlighting an additional internal management challenge that may get involved with deploying DNSSEC:

The division makes a good bit of sense in that DNSSEC is something that you could see being in the area of responsibility of either of those groups, depending upon whether the company/organization views it as primarily a DNS issue or a security issue.

There were a number of other interesting charts as well as a section at the end with the demographics behind the survey.

With any survey like this, you do have to consider the source and BT Diamond IP is a vendor of products related to DNS, DNSSEC and IPAM.  Having said that, though, the results are in line with what we’ve seen in other surveys and are a welcome contribution to the ongoing discussion around DNSSEC deployment.  I’d love to see more of these type of surveys coming out with data from other demographics, regions, etc.

Thanks to BT Diamond IP for doing this research and also for making it publicly available without requiring a registration form for access.