Oct 22 2016
 

Yesterday lots of people found the Internet disappearing on them due to a significant DDoS attack against the DNS infrastructure of one company. Now there are all sorts of suggested fixes for this sort of problem, some of which are useful.

However it is notable that people have not mentioned one method built into DNS which could have been used more effectively. Indeed one suggestion was for the DNS to do something it already does – caching.

When you ask your ISP’s DNS servers to resolve a name such as example.org, the answer that your ISP’s DNS server gets back contains several bits of information in addition to the answer you are interested in (the IP address to connect to). One of these is how long the value may be cached, which means that your ISP’s DNS servers can save themselves some work for as long as they are allowed to cache the answer.

Now it is awfully convenient to set this value to something like 5 minutes because if you have a need to change the value, it is nice to have the value change as quickly as possible.

But it also increases your vulnerability to weaknesses in the DNS infrastructure.

If you increase the time-to-live (TTL) value to something more like 24 hours, then your DNS servers (or more usually the DNS servers of your DNS service provider) are required less frequently which means that if something takes them offline for any reason then there would be a decreased impact. It will still stop some people from getting the DNS answers they need, but the proportion unable to get an answer will drop dramatically.
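The argument above can be put into numbers with a small model. This is an added example, not code from the original post; the two-hour outage, the resolver count, the one-lookup-per-minute rate and the names `CachingResolver` and `failed_fraction` are all assumptions made for illustration.

```python
# Constructed model (added example): share of DNS lookups that fail while the
# authoritative servers are unreachable, as a function of the record's TTL.

class CachingResolver:
    """Cache for a single name: answers locally until the TTL runs out."""

    def __init__(self, ttl, last_refresh):
        self.ttl = ttl
        self.expires = last_refresh + ttl

    def lookup(self, now, authoritative_up):
        if now < self.expires:
            return True                    # served from cache
        if authoritative_up(now):
            self.expires = now + self.ttl  # re-fetch and cache again
            return True
        return False                       # expired, and nobody to ask


def failed_fraction(ttl, outage_start, outage_len, resolvers=200, step=60):
    """Fraction of lookups that fail during the outage.

    Assumptions: each resolver gets one lookup every `step` seconds, and the
    resolvers last refreshed at times spread evenly over the TTL before the
    outage began.
    """
    def authoritative_up(t):
        return not (outage_start <= t < outage_start + outage_len)

    pool = [CachingResolver(ttl, outage_start - ttl * (i + 0.5) / resolvers)
            for i in range(resolvers)]
    failed = total = 0
    for now in range(outage_start, outage_start + outage_len, step):
        for resolver in pool:
            total += 1
            failed += not resolver.lookup(now, authoritative_up)
    return failed / total


if __name__ == "__main__":
    outage = 2 * 3600  # assumed two-hour outage
    for label, ttl in (("5 minutes", 300), ("24 hours", 86400)):
        share = failed_fraction(ttl, 100_000, outage)
        print(f"TTL {label:>9}: {share:.1%} of lookups fail")
```

Under these assumptions nearly every lookup fails with the 5-minute TTL, while the 24-hour TTL keeps the failing share to a few percent.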

 


Oct 21 2016
 

All that is necessary for the triumph of evil is that good men do nothing

– Possibly not Edmund Burke.

If you are of sensitive disposition and get a little twitchy around ‘naughty’ words, probably best skip this one – I’m really, really angry and the box of swear words is wide open.

Recently there has been some noise on my Facebook feed perpetrated by the kind of malevolent dipsticks who swallow the output of the Daily Fail (I’m not linking directly to their site because the slimy little shits don’t deserve the extra ad revenue) wholesale. Specifically there are some ‘concerns’ regarding the child migrants from Calais entering the country.

Apparently these fearful little whinging cowards are quaking in terror at the thought that some of these child refugees might not be children, but either young adults or some sort of Daesh terrorist in disguise. So because there is a tiny risk that some children might be a little too old to be technically children, or that there is a tiny risk that some might be associated with Daesh, we’re supposed not to give some refugee children in dire straits a home?

Hell, no.

Whilst the pathetic little worms are right in saying that some of the children might be a bit too old to be considered children, and there might be some risk that Daesh could infiltrate a terrorist, it’s time to tell the worms to piss off until they’ve grown a spine.

We’re British, which doesn’t mean cowering in our little hovels hoping that bump in the night isn’t some monster out to get us. It means doing the right thing and welcoming child refugees to our country, and if that means a bit extra risk (although most terrorist attacks are from home-grown terrorists), then we’ll suck it up. Hell, we take a bigger risk opening the front door and going to work every day.

And if you’re one of those pathetic individuals who doesn’t agree with this, then you can fuck right off. I’m not lowering my standards to pacify your pathetic need for safety, and it is about time a few more of us were prepared to tell you how pathetic you are.


 

Oct 19 2016
 

This is a bit of a thought experiment, so it may be not entirely correct (especially the maths – my probability theory is very rusty).

One of the lesser reasons for using the DNS rather than IPv4 addresses is that typing mistakes are more easily caught – if you intend to type 192.168.67.52, but accidentally enter 192.168.67.53 instead, you still have a valid IPv4 address. Whereas entering the domain name wombar.example.com instead of wombat.example.com will most likely get you an error instead of sending your secrets off to an unknown location on your network – unless you have a rather silly server naming convention of course!

But how likely are you to make a mistake typing in an IPv4 address? According to a random web site “out there”, the average accuracy of a typist is 92%, or an average of 8 typos per 100 characters. If we convert this into a probability, we get a probability of typing each character correctly as 0.92.

Given that typing IPv4 addresses is something that some of us have a lot of practice at, and in many cases we will notice typos before they become a problem, I’m going to arbitrarily declare that the probability of getting any character within an IPv4 address correct is 0.999. But to type in an IPv4 address correctly we have to get a maximum of 15 characters correct :-

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
1 9 2 . 1 6 8 . 1 2 8 . 1 2 8

So the probability of getting all those characters right is 0.999 (first character) x 0.999 (second character) … Or 0.999^15.

And once you work that out, subtract it from 1 (to get the probability of making a mistake) and convert it into a percentage, there is an 11% chance of making a typo in an IPv4 address.

For an IPv6 address such as 2001:db8:ca2c:dead:44f0:c3e9:28be:c903, which has 38 characters (no I’m not doing that silly table for IPv6) – 100 * (1 – 0.999 ^ 38) – 32%.

Now whilst my calculations may be a bit off, the likelihood of entering an IPv6 address incorrectly is nearly three times higher than the risk of entering an IPv4 address incorrectly.

In other words, with IPv6 you really need a good working DNS solution just to keep the errors to manageable levels.


Oct 19 2016
 

I have just been listening to a Microsoft fanboy on the you tube wittering on about something (not computer related), when he tried to read out a URL. According to him, there are “backslashes” in the URL.

Not in any normal URL. For those who do not know, URLs are web site addresses such as http://really.zonky.org/. The character that appears after the network protocol (http) – the “/” is formally known as the solidus, and less formally as a slash. The slash that goes the other way is called the backslash (or more formally the reverse solidus).

And who decided that one was a slash (‘/’) and the other a backslash (‘\’)? Although it has been used since the Medieval era, it was probably first called a solidus in the 19th century because of it being used to signify the British shilling. Currently it is the Unicode Consortium who call it a solidus in the international standard for character encoding. If you disagree with them, by all means either convince them they’re wrong or set up a new international standard and get it more widely adopted than Unicode.

Until then, I’ll carry on calling someone who says a backslash looks like – ‘/’, wrong.

Does it matter? In the big scheme of things probably not, but it does make reading out instructions more difficult when either slashes or backslashes appear. After all computers rarely say “Ah! I see what you meant! You meant http://example.org/ which is different (and makes sense) to http:\\example.org\“. And as anyone who has ever encountered autocorrect “mistakes” will attest, letting computers decide what you meant is not always the best idea.

And how did the mistake originally occur? To some extent Microsoft is to blame, although I doubt Microsoft ever called the slashes the wrong name.

When Microsoft wrote their first operating system (DOS), they chose to make it semi-compatible with an earlier operating system (CP/M) which used the slash to indicate the use of an option to a command-line command which in turn was inherited from certain early DEC operating systems.

When they came to implementing directories (yes that long ago), they broke with the tradition of stealing ideas from DEC (or we would have ended up with paths like C:[WINDOWS.SYSTEM]FOO.SYS) and instead chose the Unix path separator. But the slash conflicted with option processing on the command-line, so they used the backslash instead – C:\WINDOWS\SYSTEM\FOO.SYS.

Of course people started calling the backslash, a slash, and I’m sure there are many out there who will continue despite being told that they are wrong. Of course when I say they’re wrong, I have the backing of an international group of grapheme experts behind me.

 

Oct 02 2016
 


I have said it before (quite possibly here): US politics sometimes seems like some kind of bizarre reality media show put on by the US to entertain the rest of the world. No serious political system could be that dysfunctional? Could it?

But this post is going to concentrate on just one of the possible candidates (despite the media reports there are lots) – Donald Trump. It might be a little tin foil haty to ask this, but is anyone sure that he really isn’t a democrat supporter running as a spoiler? I mean the guy is so over the top as a buffoon, it seems like the most likely cause of his behaviour is that he really is a Democrat supporter who is running as a Republican to remove any possibility that the Republicans can conjure up a credible candidate.

Just look at some of the things he’s said :-

Do you mind if I sit back a little? Because your breath is very bad.

Just a silly example to start with. Most of us have thought this from time to time, but usually have second thoughts before opening our mouths. Now why do we re-think and decide not to say it? Because going around being nasty to people without consideration is indicative of a certain level of sociopathology. What is worse is that it is indicative of a dumb sociopath, as most people with enough sense to keep breathing without being constantly reminded to do so, will realise that acting like a dick will not win friends and influence people.

The point is that you can’t be too greedy.

Really? Kind of symptomatic again.

All of the women on The Apprentice flirted with me – consciously or unconsciously. That’s to be expected.

Creepy. Even ignoring political correctness, the later sentence implies an horrendous arrogance to the man.

If people can just pour into the country illegally, you don’t have a country.

Now there may well be problems with illegal immigration (although personally I doubt the problems outweigh the advantages), but the idea that you’ll lose your country because of immigration? Ridiculous. Illegal immigrants are nowhere near populous nor powerful enough to take over your country, and by the time their descendants are, they won’t be illegal immigrants any more but they will be you.

Scare mongering is the tactic of the lowest form of politician, and we all know how low they can get.

People love me. And you know what, I have been very successful. Everybody loves me.

No they don’t. Some people may love you, but not all. To think so is extremely delusional.

As for successful, it all depends on your criteria for success but most of his alleged success has taken place in the property development field which is notoriously easy if you already had money to invest (he did). There are a considerable number of serious commentators out there who question his business acumen.

I feel a lot of people listen to what I have to say.

What he neglected to mention is why people listen. Sometimes it’s to fall about pissing themselves with laughter.

That’s one of the nice things. I mean, part of the beauty of me is that I’m very rich. So if I need $600 million, I can put $600 million myself. That’s a huge advantage. I must tell you, that’s a huge advantage over the other candidates.

Which is of course another condemnation of the US political system which allows the rich and powerful to buy their way to power.

Sure, sure, I’d like to see Apples built in the United States, not built in China. I’d like to see them have factories in the United States. At least partially. They make nothing in the United States, virtually.

I’m reminded of King Canute (or Cnut) trying to hold back the tide. Fundamentally China is successful at producing mass market goods because it has very low labour costs. By the time you reduce US labour costs to the level of the Chinese, you will be looking at a revolution; the myth of the American dream won’t survive starvation.

As for nothing being built in the US, Trump needs to get out of his tower and go and take a look. There’s plenty being built in the US, but you won’t find cheap consumer goods (unless you count that made with slave labour; sorry I meant prisoner labour).

As your president, I will do everything in my power to protect our LGBTQ citizens from the violence and oppression of a hateful foreign ideology.

I hear the LGBTQ community has more to worry about the violence and oppression of a hateful domestic ideology.

Thanks to Hillary Clinton, Iran is now the dominant Islamic power in the Middle East, and on the road to nuclear weapons. Hillary Clinton’s support for violent regime change in Syria has thrown the country into one of the bloodiest civil wars anyone has ever seen – while giving ISIS a launching pad for terrorism against the West.

This is not the only quote about how Hillary Clinton is responsible for all of the world’s ills (and probably the four horsemen of the apocalypse too). Fact is that no foreign policy is going to cure the world’s ills; you can only respond to what other countries and people are doing. Foreign intervention in a country can make an existing situation worse but not create that situation.

build a permanent border wall between the US and Mexico that Mexico “must pay for”. The plan proposes various sticks to force Mexico to cooperate, such as impounding all remittance payments to Mexico from illegal wages earned in the US.

Ah yes! The infamous wall to stop immigration from Mexico. If we assume the wall will cost $1.5 million per kilometre, covering the whole 3,200 kilometres of the US-Mexico border will cost a cool $4.8 billion although this is probably a wild underestimate of the cost given that the 2006 Security Act allocated $1.6 billion for just a fence, and critics claim that it will need at least $4.8 billion more than is allocated. And that is for a fence not a wall.

And why should Mexico pay for it? They are not getting the benefit.

And you can use all the long words you like, but “impounding remittance payments” is just theft.


And that is of course just a quick taste of the inanities that Trump has come out with. There are those who excuse these comments by claiming a blunt honest man is better than another slimy politician. But there is a difference between bluntness, honesty and just plain stupidity. And having a stupid man in charge of the White House (and all that goes with it) is definitely not a good thing.