Internet and e-mail policy and practice
including Notes on Internet E-mail



26 Aug 2017

Not quite two factor, or is your phone number really something you have? Security

A recent article in the New York Times Dealbook column reported on phone number hijacking, in which a bad guy fraudulently takes over someone's mobile phone number and uses it to reset credentials and drain the victim's account. It happens a lot, even to the chief technologist of the FTC. This reminds us that security is hard, and understanding two factor authentication is harder than it seems.

The usual definition of two-factor is to pick two different items from a list of security types:

See more ...


posted at: 20:49 :: permanent link to this entry :: 0 comments
Stable link is https://www.jl.ly/Security/2fphone.html

10 Aug 2017

Supporting new DNS RR types with dnsextlang, Part II Internet
Yesterday's article introduced my DNS extension language, intended to make it easier to add new DNS record types to DNS software. It described a new perl module Net::DNS::Extlang that uses the extension language to automatically create perl code to handle new RRTYPEs. Today we look at my second project, intended to let people create DNS records and zone files with new RRTYPEs.

See more ...


posted at: 19:17 :: permanent link to this entry :: 0 comments
Stable link is https://www.jl.ly/Internet/extlang2.html

08 Aug 2017

Supporting new DNS RR types with dnsextlang, Part I Internet

The Domain Name System has always been intended to be extensible. The original spec in the 1980s had about a dozen resource record types (RRTYPEs), and since then people have invented many more, so now there are about 65 different RRTYPEs. But if you look at most DNS zones, you'll only see a handful of types: NS, A, AAAA, MX, TXT, and maybe SRV. Why? A lot of the other types are arcane or obsolete, but there are plenty that are useful. Moreover, new designs like DKIM, DMARC, and notoriously SPF have reused TXT records rather than defining new types of their own. Why? It's the provisioning crudware.

While DNS server software is regularly updated to handle new RRTYPEs, the web based packages that most people have to use to manage their DNS are almost never updated, and usually handle only a small set of RRTYPEs. This struck me as unfortunate, so I defined a DNS extension language that provisioning systems can use to look up the syntax of new RRTYPEs, so when a new type is created, only the syntax tables have to be updated, not the software. Paul Vixie had the clever idea to store the tables in the DNS itself (in TXT records of course), so after a one-time upgrade to your configuration software, new RRTYPEs work automagically when their description is added to the DNS.

The Internet draft that describes this has been kicking around for six years, but with support from ICANN (thanks!) I wrote some libraries and a sample application that implement it.

See more ...


posted at: 23:15 :: permanent link to this entry :: 0 comments
Stable link is https://www.jl.ly/Internet/extlang.html

17 May 2017

Registered your DMCA contact address yet? Internet

It is not much of an exaggeration to say that the Digital Millennium Copyright Act of 1998 makes the Internet as we know it possible. The DMCA created a safe harbor that protects online service providers from copyright suits so long as they follow the DMCA rules.

One of the rules is that the provider has to register with the Copyright Office, to designate an agent to whom copyright complaints can be sent. The original process was rather klunky: send in a paper form that they scan into their database, along with a check. This year there is a new online system, and as of December they will no longer provide the old paper database. So if you are a provider (run web servers, for example) and want to take advantage of the safe harbor, you have to register or re-register.

See more ...


posted at: 23:50 :: permanent link to this entry :: 0 comments
Stable link is https://www.jl.ly/Internet/dmcareg.html

30 Apr 2017

Oh, those wild and crazy new TLDs ICANN

Among the many issues affecting ICANN's thousand new TLDs is collisions, that is, the same name already used elsewhere. The other uses are non-standard and unofficial, but some names turn out to have been used a lot. One approach to see how bad the collisions are is controlled interruption, in which the TLD publishes wildcard records with obvious impossible values, in the hope that systems that use colliding names see them and do something about it.

The process is pretty simple. For 90 days the domain publishes records like these currently in the new .hotels TLD:

hotels. 3600 in a   127.0.53.53
hotels. 3600 in mx  10 your-dns-needs-immediate-attention.hotels.
hotels. 3600 in txt "Your DNS configuration needs immediate attention see https://icann.org/namecollision"
hotels. 3600 in srv 10 10 0 your-dns-needs-immediate-attention.hotels.
*.hotels. 3600 in a   127.0.53.53
*.hotels. 3600 in mx  10 your-dns-needs-immediate-attention.hotels.
*.hotels. 3600 in txt "Your DNS configuration needs immediate attention see https://icann.org/namecollision"
*.hotels. 3600 in srv 10 10 0 your-dns-needs-immediate-attention.hotels.

When the 90 days are up, the domain takes out the interruption records, and starts putting in real ones. That's the theory, and what the ICANN registry agreements require. The practice turns out to be different.

See more ...


posted at: 22:05 :: permanent link to this entry :: 0 comments
Stable link is https://www.jl.ly/ICANN/newtldcrud.html

21 Apr 2017

Craigslist gets a $40 million CAN-SPAM judgment Email

Classified ad site craigslist is famously protective of its contents. While they are happy for search engines like Google to index the listings, they really, really do not like third parties to scrape and republish their content in other forms. In 2013 craigslist sued a company called 3taps which had created an API for craigslist data. They also sued real estate site Padmapper, which showed craigslist and other apartment listings on a map, something craigslist didn't do at the time. After extensive legal wrangling, 3taps eventually gave up and in 2015 paid craigslist $1 million and shut down. Craigslist donated the money to the EFF, which was a little odd since the EFF had generally supported 3taps.

One of 3taps' other customers was another real estate site Radpad, which kept showing craigslist listings after 3taps shut down.

See more ...


posted at: 23:37 :: permanent link to this entry :: 0 comments
Stable link is https://www.jl.ly/Email/radpad.html

13 Apr 2017

M3AAWG Offers some Sensible Password Advice Internet
M3AAWG is a trade association that brings together ISPs, hosting providers, bulk mailers, and a lot of infrastructure vendors to discuss messaging abuse, malware, and mobile abuse. (Those comprise the M3.) One of the things they do is publish best practice documents for network and mail operators, including two recently published, one on Password Recommendations for Account Providers, and another on Password Managers Usage Recommendations. Since I'm one of M3's senior technical advisers, I helped write them, but I think they're pretty good anyway.

See more ...


posted at: 23:42 :: permanent link to this entry :: 0 comments
Stable link is https://www.jl.ly/Internet/maawgpwd.html

01 Apr 2017

Human rights and regular Internet users Internet

Human rights are a topic that came up several times at the IETF meeting that just ended. There's a Human Rights Research Group that had a session with a bunch of short presentations, and the plenary featured two talks asking Can Internet Protocols Affect Human Rights? The second one, by David Clark of MIT, was particularly good, talking about "tussle" and how one has to design for it or else people will work around you. You can watch it here.

Although his talk was a lot better than most of the human rights stuff I've heard in technical fora, the rest of the discussion had the same old problem: true believers obsessing about a very narrow set of issues.

See more ...


posted at: 18:45 :: permanent link to this entry :: 0 comments
Stable link is https://www.jl.ly/Internet/userrights.html

14 Mar 2017

ICANN's Ten Worst Domains ICANN

Yesterday at ICANN 58 in Copenhagen there was a session on DNS Abuse Mitigation:

The Cross Community Topic Discussion proposed by the GAC Public Safety Working Group will focus on ICANN's Efforts, based on answers to questions in Annex 1 of Hyderabad Communiqué with expected contributions from ICANN's SSR Team and Contractual Compliance.

In one of the talks, ICANN staff talked about the new Abuse Data Analysis Platform, with an example with live data, including the ten worst gTLDs, ranked by the percentage of the TLD's names that have various abuse indicators:

See more ...


posted at: 12:32 :: permanent link to this entry :: 0 comments
Stable link is https://www.jl.ly/ICANN/tenworst.html

26 Jan 2017

One-click unsubscription is now an RFC Email

In September I wrote about a proposal to allow one-click unsubscriptions from mailing lists without user interaction.

After taking a rather tortuous path through the IETF, it's now been issued as RFC 8058. The changes since September are quite minor, mostly tightening up some details to prevent various attacks from fake unsub requests.

Now that it's official, I expect email service providers will start implementing it, and we'll have an arguably better alternative to mail feedback loops to tell mailers when their mail is unwanted.


posted at: 18:41 :: permanent link to this entry :: 0 comments
Stable link is https://www.jl.ly/Email/oneclickrfc.html

© 2005-2015 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.