Just a guy in Vermont trying to connect all the dots...
Author's posts
Dec 09
That moment when your computer makes a notification sound… but you can’t identify it, nor know which browser tab or app made the sound!
Dec 08
TDYR 192 – Where Are The Positive TV Shows Like The West Wing?
Dec 08
IPv6 Privacy Addresses Provide Protection Against Surveillance And Tracking
Recently we’ve seen several articles, such as one out today, that assert that IPv6 addresses will make it easier for security services and law enforcement to track you. Surprisingly, these articles seem to miss that when IPv6 is implemented today on mobile devices or other computers, it is almost always implemented using what are called “privacy extensions” that generate new IPv6 addresses on a regular basis.
To put it simply – almost every mobile device or computer using IPv6 in 2014 changes its IPv6 address on a daily basis (usually) to prevent exactly this kind of surveillance.
To step back a bit – if you read any of the documents explaining the basics of IPv6, they inevitably mention that the “auto-configured” IPv6 address for a device is created using the network address and the MAC address assigned to the device’s network interface. This gives a theoretically globally unique address for your computer, mobile phone, or device.
If this were the only IPv6 address your device had, it would be something that could be easily tracked.
But…
The engineers who created IPv6 were very concerned that IPv6 could be used in this way and so way back in 2007 they published RFC 4941 defining “privacy extensions for IPv6” autoconfiguration. This standard defines a mechanism where a device generates a random host address and uses that instead of the device’s MAC address.
The device also changes that IPv6 address on a regular interval. The interval can be set to anything, but typically is configured on most operating systems to be one day. In mobile networks, the IPv6 address may change based on the link to which you are connecting, so as you move around you will be generating and using new IPv6 addresses all the time throughout the day.
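The difference between a MAC-derived address and a privacy address, as an added example that is not part of the original post: it builds both kinds and checks which one exposes the hardware address. The function names, the documentation prefix 2001:db8:1:2::/64 and the MAC are constructed for illustration, and the random generator is a simplified stand-in for the RFC 4941 procedure.

```python
import ipaddress
import secrets

LOW64 = 2**64 - 1
U_BIT = 0x02 << 56  # universal/local bit of the interface identifier (IID)

def eui64_address(prefix, mac):
    """Classic autoconfigured address: /64 prefix + MAC-derived IID."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if net.prefixlen != 64 or len(raw) != 6:
        raise ValueError("need a /64 prefix and a 48-bit MAC")
    # Modified EUI-64: flip the universal/local bit, insert ff:fe mid-MAC.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return net[int.from_bytes(iid, "big")]

def temporary_address(prefix):
    """Privacy-style address: random IID (simplified stand-in for RFC 4941)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("need a /64 prefix")
    return net[secrets.randbits(64) & ~U_BIT]  # u/l bit cleared

def embedded_mac(addr):
    """Return the MAC an address exposes, or None if the IID is not EUI-64."""
    iid = (int(ipaddress.IPv6Address(addr)) & LOW64).to_bytes(8, "big")
    # MAC-derived IIDs carry ff:fe in the middle and have the u/l bit set
    # (IIDs built from locally administered MACs are not flagged here).
    if iid[3:5] != b"\xff\xfe" or not iid[0] & 0x02:
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    prefix, mac = "2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"  # constructed
    stable = eui64_address(prefix, mac)
    print(stable, "->", embedded_mac(stable))
    for _ in range(3):  # each regeneration yields an unrelated address
        temp = temporary_address(prefix)
        print(temp, "->", embedded_mac(temp))
```

Running `embedded_mac` over the global addresses your own hosts report is a quick way to confirm that privacy extensions are actually in use on them.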
As we wrote about in a resource page about IPv6 privacy extensions, the following operating systems use IPv6 privacy extensions BY DEFAULT:
- All versions of Windows after Windows XP
- All versions of Mac OS X from 10.7 onward
- All versions of iOS since iOS 4.3
- All versions of Android since 4.0 (ICS)
- Some versions of Linux (and for others it can be easily configured)
So if you are using a Windows or Mac OS X computer, or any of the major mobile devices, you are already using IPv6 privacy addresses.
I know from my own network analysis in my home office network that all my devices are constantly changing their IPv6 addresses. (In fact, these IPv6 privacy addresses can cause problems for some applications that expect IP addresses to be stable – which brought about RFC 7217 this year suggesting a way to create a random address when your device is on a given network but then have that change when you move to another network.)
In the end, the ability of security services to track you on IPv4 versus IPv6 is pretty much about the same. With IPv4, you generally have a public IPv4 address that is assigned to the edge of your network, perhaps your home router or the router at the edge of your corporate network. You then use NAT to assign private IPv4 addresses to all devices on the inside of your IPv4 network. On the public Internet, all that an observer can see and track is your public IPv4 address – there is no further information about the device on the inside of the network beyond a port number.
With IPv6, you typically have a public IPv6 network address assigned to the edge of your network and then the devices internally configure themselves using IPv6 privacy extensions. On the public Internet, an observer can see and track your public IPv6 address, but that will be changing each and every day, making any kind of long-term tracking rather difficult or resource-consuming.
We definitely want to see more articles about IPv6 security appearing out in the mainstream media as these are extremely important conversations to have – but when talking about IPv6 addresses and surveillance, let’s please try to focus on how IPv6 is actually being implemented rather than how it could theoretically be done.
NOTE: For a lengthier technical discussion on this topic, please view this Internet Draft: draft-ietf-6man-ipv6-address-generation-privacy
For more information on how to get started with IPv6, please visit our Start Here page to find resources focused on your role or type of organization.
P.S. From a privacy perspective, I am personally far more worried about the application-layer tracking that occurs through “cookies” (including the new “super cookies” deployed by some mobile network providers) and other mechanisms. For these tracking mechanisms, the underlying IP address is completely irrelevant.
Dec 08
Internet Society Seeks Nominations for Board of Trustees (Featured Blog)
Dec 06
No Adults! An Awesome Aspect of Youth Curling Games
Today I was reminded of one of the truly awesome and wonderful aspects of youth curling bonspiels (tournaments) - when the kids go through the door out onto the ice, the game is ENTIRELY up to *them*.
No adults are allowed out on the ice. No coaches. No parents. No one.
Just the youth.
Unlike other youth team sports there are no coaches helping call the shots or determine the flow of play. There is no one to consult with. (Although we are nearby if there is a rules question that needs addressing or if there are safety issues.) From the initial start with a shaking of hands and a coin toss all the way to the end... it is entirely up to the kids.
The strategy. The scoring. The flow of the game. The making of the shots. The interpretation of the rules.
All of it... by them.
Of course we as coaches work with them to teach them all the different aspects of the sport and to prepare them for the games.
But when they go through that door... it is entirely up to them!
We are left to just watch from behind the glass... to celebrate... and sometimes to cringe... but there is absolutely nothing we can do but watch!
Pretty awesome for the kids!
Dec 06
TDYR 191 – No Adults! An Awesome Aspect of Youth Curling Games
Dec 05
How To Add An Emoji Character To Your Name In The Wire App
Because I keep getting asked.... here is how you can add an emoji / emoticon to your name inside the new Wire app on Mac OS X / iOS / Android. (The Wire app that I wrote about yesterday and the day before.)
Many people have been asking why some names have a symbol after them inside of Wire, such as Olle's:
Or these:
The answer about how to do this is simple...
YOU JUST ADD AN EMOJI CHARACTER TO YOUR NAME!
Yep... that's it!
Adding an Emoji On Mac OS X
In the Mac OS X client, you click on your name, and then the pencil next to your name:
When you are then in the edit box, you can type the magic Mac OS X keystroke to bring up the emoji panel:
Control + Command + Space
Ta da! All the emoji you could ever want...
Adding an Emoji on iOS
Similarly, you just go into the Wire app on iOS and click on your name at the top of your list of contacts. You should now be in edit mode:
Then you just add an emoji. Now, there may be easier ways to do this, but I had previously added "Emoji" as a new keyboard on my iPhone using:
Settings -> General -> Keyboard -> Keyboards
This then lets me press the "switch keyboard" button on the bottom of the iOS keyboard and switch to the Emoji keyboard and enter characters:
Ta da! All the emoji you could ever want...
Yes, it's that easy.
Adding an Emoji on Android
I have no idea how to do this... because I don't have an Android device right now... but I have to imagine it is basically the same thing. Edit your name. Enter an emoji.
Why Not More Than 1 Emoji?
If you can enter one emoji, why not two or three?
Sure.
Go nuts!
Have fun!
Add however many you want... it's your name as seen by the rest of the world on Wire. :-)
And now with this "problem" solved, we now return you to more serious topics...
Dec 05
Congratulations To .NL For Passing 2 Million DNSSEC-Signed Domains
Congratulations to the team at SIDN and all the .NL registrars and DNS hosting providers for the fact that there are now 2 million .NL domain names secured by DNSSEC! Yesterday as the SIDN team apparently became aware that a large registrar/DNS hosting provider was going to be signing .NL domain names, Kees Monshouwer set up a website that showed an ongoing countdown to when they projected passing the 2 million DNSSEC-signed domain mark. If you go there now, of course, you see that they’ve passed 2 million domains:
But yesterday the countdown was underway:
It was fun to watch yesterday from time to time… and a definite congratulations to the teams at all the various organizations.
As the news announcement from SIDN (in Dutch) explains, this represents over 36% of the 5.5 million .NL domains now secured with DNSSEC! The announcement also explains a bit about how this was accomplished. SIDN, the operator of the .NL registry, offered a financial incentive where .NL domain names are less expensive if they are signed with DNSSEC. Given that incentive, a number of large registrars who also do DNS hosting set up their DNS systems to do bulk signing of the .NL domain names. The end result is that their customers are now getting the added security of DNSSEC without the customers needing to do anything more.
This model may or may not work for other top-level domain (TLD) registries, but it certainly has worked well for .NL. The tweets were fun to see today – among them:
Another great #SIDN milestone: we have well over 2 million #dnssec signed .nl domain names pic.twitter.com/3NNTgu9NFY
— SIDN (@SIDN) December 5, 2014
and
Look which country now has 2005031 #dnssec signed domains! -> https://t.co/bsqVZgG3rx h/t @SIDN & @KeesMonshouwer !
— Bert Hubert/PowerDNS (@PowerDNS_Bert) December 5, 2014
Congrats again… and if YOU want to get started with signing your domain (from whatever TLD), please take a look at our Start Here page to find resources available to you!