Oh, joy: despite a vigorous round of patching, Shellshock isn’t dead, and isn’t even resting:
Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.
"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said.
"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.
— iTnews.com.au, Further flaws render Shellshock patch ineffective. Spotted via Slashdot
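For readers who want to check a host for the first bug before worrying about the newer ones, here is an added example (my own script, not from the post or the iTnews article): it runs the well-known environment-variable probe for the original Shellshock flaw against the bash on PATH, or against whatever path you pass as the first argument. A "not-vulnerable" result covers only that original bug. It says nothing about the two further parser issues Zalewski describes, which is exactly the article's point; treat it as a floor, not a clean bill of health.

```shell
#!/bin/sh
# Added example (not code from the blog post or from iTnews): probe a bash
# binary for the ORIGINAL Shellshock bug only. The two later parser issues the
# article reports are not covered by this test.

shellshock_original_check() {
    # Target bash to test: first argument, else whatever "bash" resolves to.
    target="${1:-bash}"

    if ! command -v "$target" >/dev/null 2>&1; then
        echo "bash-not-found"
        return 2
    fi

    # The probe: an environment variable whose value starts with "() {" is
    # imported as a function by the child bash. A vulnerable bash keeps parsing
    # past the closing brace and runs the trailing "echo vulnerable"; a fixed
    # bash ignores everything after the function body. stderr is discarded
    # because some fixed versions print a warning about the import attempt.
    out=$(env x='() { :;}; echo vulnerable' "$target" -c 'echo done' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable";        return 1 ;;
        *done*)       echo "not-vulnerable";    return 0 ;;
        *)            echo "unexpected-output"; return 2 ;;
    esac
}

# Run against the bash given on the command line (or the default one).
shellshock_original_check "$@"
```

Run it as `sh check.sh` or `sh check.sh /usr/local/bin/bash` to test a specific build; the exit status is 0 for a bash that rejects the probe, 1 if the trailing command executed, and 2 if the binary was not found or produced something unexpected, so it drops straight into a fleet-wide loop over hosts.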
Dog.ma resolves, but isn’t interesting. Opti.ma is parked, which almost seems appropriate.
Enig.ma doesn’t resolve, which also seems appropriate, and it isn’t available. And neither are mag.ma and dra.ma.
Look.ma exists but is boring.
Ma.ma doesn’t resolve and isn’t available. Nor is Kar.ma.
Nor even meh.ma.
OK, back to work now.
Seems like every time the Miami-Dade Public Library system has a computer upgrade, their nifty search plugin gets lost in the shuffle. The MDPLS website recently had a major face-lift, with equivocal results on the desktop, but a much better look on my cell phone. And yes, again, the link to the search plugin vanished. And again I wrote in to complain. And again they were very very courteous in replying — I got three emails in less than two weeks, each apologizing for the delay in resolving the issue.
And now there is a new Library Tools page, with a link to install the MDPLS Quick Search browser plug‑in.
This is the same library system whose budget the Mayor keeps slashing by the way. The library is one of the rare cultural successes of Miami-Dade county — and if you live here MDPLS deserves your support.
The IETF has issued RFC 7258, aka Best Current Practice 188, “Pervasive Monitoring Is an Attack”. This is an important document. Here’s a snippet of the intro:
Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol metadata such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large scale, rather than by introducing new types of technical compromise.
The IETF community’s technical assessment is that PM is an attack on the privacy of Internet users and organisations. The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible. Pervasive monitoring was discussed at the technical plenary of the November 2013 IETF meeting [IETF88Plenary] and then through extensive exchanges on IETF mailing lists. This document records the IETF community’s consensus and establishes the technical nature of PM.
The term “attack” is used here in a technical sense that differs somewhat from common English usage. In common English usage, an attack is an aggressive action perpetrated by an opponent, intended to enforce the opponent’s will on the attacked party. The term is used here to refer to behavior that subverts the intent of communicating parties without the agreement of those parties.
The conclusion is simple, but powerful: “The IETF will strive to produce specifications that mitigate pervasive monitoring attacks.”
I can’t help but see this as a shining example of the IETF living up to its legitimate-rule-making potential, as I described in my 2003 Harvard Law Review article Habermas@discourse.net: Toward a Critical Theory of Cyberspace.
Below, I reprint my abstract:
This doesn’t happen very often — well, ever, actually — a staff writer on the Wall Street Journal Editorial page just quoted favorably from one of my articles.
Lest the quote make me sound like more of a jingo than I actually am, let me explain the context. The US Department of Commerce (DoC) has been gradually extricating itself from management of the Internet domain name system (DNS). Until a few weeks ago, the major recent step in that distancing process was the so-called “Affirmation of Commitments” between the DoC and the Internet Corporation for Assigned Names and Numbers (ICANN) which I wrote about in Almost Free: An Analysis of ICANN’s ‘Affirmation of Commitments’, 9 J. Telecom. & High Tech. Law 187 (2011). That paper updated my original ICANN paper, Wrong Turn in Cyberspace: Using ICANN to Route Around the APA and the Constitution, 50 DUKE L.J. 17 (2000), in which I explained the complicated web of relationships between DoC, ICANN, and other major players.
But ten days ago, everything changed again — sort of. In response to international political pressure that intensified after the Snowden revelations, the DoC announced that it planned to let go of its major remaining lever over ICANN, control of the so-called IANA function, as soon as the international community could craft a suitable transition plan. ICANN of course rushed to suggest that the transition should be to ICANN, but DoC (via the NTIA) has quite properly suggested that this isn’t quite what it had in mind.
Governments around the world are thought to prefer a system like the ITU or the UN (although not those bodies themselves) which are primarily controlled by governments on a one-sovereignty, one-vote system. And now we come to the part of this which I oppose. As accurately quoted by the WSJ, I believe it would be a mistake to give despots a say over the communications of democracies. Thus a fully world-wide international body dominated by governments seems like the wrong tool to me. It could be international but non-governmental. It could be run by a committee of democracies. We could give the whole thing to Canada (my favorite, but alas unlikely solution). Fortunately the US government has clarified its original remarks by saying it isn’t signing a blank check, and there are also ambiguities in what exactly got promised. So everything remains to be decided. But there are many interest groups that want this to happen as quickly as possible — before the US changes its mind, and before opposition groups wanting structural separation from ICANN or more accountability get organized. So we could be in for a wild ride.