* Posts by Crazy Operations Guy

2313 posts • joined 29 Jun 2009

Dead LAN's hand: IT staff 'locked out' of data center's core switch after the only bloke who could log into it dies

Crazy Operations Guy

Re: "especially since nothing is broken."

Sure, you and I would call it broken, but Management sure as hell isn't going to agree. If money is coming into the company at or above the normal rate, that means everything works.

Crazy Operations Guy

That is something you can do on Dell networking equipment. The problem is that they can't afford to take it down for the few minutes it would take to do that, which is why they are screwed until April when they have a scheduled maintenance period.

From the sounds of it, this data-center is mission-critical and even a minute of downtime would be quite costly, especially since nothing is broken.

What was that P word? Ah. Privacy. Yes, we'll think about privacy, says FCC mulling cellphone location data overhaul

Crazy Operations Guy

Re: Target them

Most of the time they won't even do anything to stop it even when they are the target of it. Instead they'll continue to kowtow to their corporate overlords while playing the martyr card and blaming some completely unrelated group.

Crazy Operations Guy

Re: Dealing with the tracking

Except your user agreement with the cellular provider includes a clause that waives your right to a class-action suit; instead requiring arbitration, then an individual lawsuit.

Crazy Operations Guy

I am gobsmacked

The current iteration of the FCC selling out the people so that massive corporations can continue to rip us off for scads of cash? Why that is clearly something so very out-of-character for them and something I would never expect them to do in a million years...

Cloud atlas: Oh dear. Now Adobe has mapped out a slowdown

Crazy Operations Guy

Probably losing a lot of out-sourced graphic design shops

I wonder how many companies have just abandoned doing graphic design in-house and instead ship the work to outsourcing shops. Then you also have the fact that consumer photo and video products have become good enough for most of the purposes that Photoshop and the like were originally used for (the photo and video editors that are shipping with OSes tend to be more than good enough for internal graphics. MS Office and LibreOffice are capable of producing quality PDFs; camera technology has removed most of the use cases for products like Lightroom; and so on).

Plus, the advertising industry has moved away from well-polished stuff that looks like a studio spent months working on it and moved towards stuff that looks like some trendy Instagram personality threw together in a few minutes with a few taps on their phone.

Mayors having a right 'mare in Florida: Acting mayor arrested weeks after boss also arrested

Crazy Operations Guy

Re: unlawful use of a two-way communication device

From what I understand of the situation, he was using a police-band radio to interfere with the police responses.

Airlines in Asia, Africa ground Boeing 737 Max 8s after second death crash in four-ish months

Crazy Operations Guy

Yeah, I know it only affects a small percentage of their aircraft, but the vast majority of the passengers do not. Their website also doesn't list what specific model of 737 is going to be on that route, so you might have more than a few passengers see that it's going to be a 737 and decide it isn't worth the perceived risk. The media also isn't going to spend the time to explain the differences between the models, they're just going to say "737" and leave it at that.

Crazy Operations Guy

Southwest is probably confident in the planes not because they know something we don't but rather because if they doubted their aircraft, they are right fucked. SWA has nothing -but- Boeing 737s in their fleet.

As for what is happening, it may likely be an issue of pilot training and overconfidence in the technology. Similar crashes happened when other technologies, like auto-throttles and A/Ps with TO/GA switches, were introduced. What is likely happening here is the pilots are entering incorrect data into the FMS and the aircraft is miscalculating its climb-stall speed, one of the wings is stalling, causing the plane to roll to that side and collide with the terrain. It could also be the FMS not taking certain factors into consideration.

As for why it's happening to African and Asian airlines, it's probably just going to be the law of big numbers. Two events are not a trend. It could also be that Western pilots tend to be far more cynical about new technologies being total shit for their first few iterations.

Buffer overflow flaw in British Airways in-flight entertainment systems will affect other airlines, but why try it in the air?

Crazy Operations Guy

Not like looks at all

What he did was closer to fiddling with the television in his hotel room to see what happens when you mash all the buttons at the same time. Sure, there is the potential that he could bork the television itself, the hotel's satellite receiver or VoD server. But that is the extent, no matter what, they aren't going to be able to turn out the lights or stop the toilets from flushing.

Crazy Operations Guy

Re: Entertainment system pen testing

If describing how a system works leads to the system being broken, then the system would have to be so broken that it's reckless to allow it to exist.

But, if anything, the information I posted would sate the curiosity of a lot of people that would normally break into such systems for the purpose of exploration.

McAfee: Oops, our bad. Sharpshooter malware was the Norks' Lazarus Group the whole time

Crazy Operations Guy

"state hackers weren't smart enough for false flags"

Why would they want to hide? I can think of no reason why they'd want to waste the time and resources to hide their activities. If anything, being discovered is a good thing for them, it shows off their technical prowess and demonstrates that they just don't care. Besides, what's the West going to do, throw more ineffective sanctions at them?

North Korea is a nation seeking to show they aren't to be disregarded and ignored, creating malware that strikes at least a little panic in their enemies is a very cost-effective path to that.

Did you hear the one about Cisco routers using strcpy insecurely for login authentication? Makes you go AAAAA-AAAAAAArrg *segfault*

Crazy Operations Guy

At least implement W^X, FFS

It baffles me how so many developers, even ones writing security-sensitive code, will just turn off all security features and never bother to turn them back on. Like, sure, turn off the NX/XD bit and ASLR, etc during development to get proper debugging, but once the code is working without them, they should be turned back on and the code retested before release.
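
A quick way to check whether a shipped binary actually had those features turned back on, added here as an example and not taken from the comment above or from any vendor: the script below reads the ELF64 header and program headers and reports an executable stack (NX / W^X off), a non-PIE image (so ASLR cannot move the executable), missing RELRO, and any PT_LOAD segment that is both writable and executable. The two images it checks are constructed inside the script (header and program-header table only, not loadable), because there is no compiler in the loop; point it at a real file with `check_file(path)`. It assumes 64-bit ELF; 32-bit headers have different offsets and are not handled.

```python
"""Report the hardening state of an ELF64 image: NX stack, PIE, RELRO, W^X.
Added example; it is not code from the original comment or from any vendor."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474e551, 0x6474e552
PF_X, PF_W, PF_R = 1, 2, 4


def elf_hardening(data: bytes) -> dict:
    """Parse the ELF header and program headers; return the hardening facts."""
    if data[:4] != b"\x7fELF" or data[4] != 2:          # EI_CLASS must be ELFCLASS64
        raise ValueError("not a 64-bit ELF image")
    end = "<" if data[5] == 1 else ">"                   # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    e_phoff, = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))

    stack = [f for t, f in phdrs if t == PT_GNU_STACK]
    loads = [f for t, f in phdrs if t == PT_LOAD]
    return {
        # No PT_GNU_STACK leaves the decision to the kernel, so treat it as not proven NX.
        "nx_stack": bool(stack) and not (stack[0] & PF_X),
        "pie": e_type == ET_DYN,
        "relro": any(t == PT_GNU_RELRO for t, _ in phdrs),
        "wx_segments": sum(1 for f in loads if (f & PF_W) and (f & PF_X)),
    }


def findings(data: bytes) -> list:
    """Human-readable list of what is missing; an empty list means every check passed."""
    h = elf_hardening(data)
    out = []
    if not h["nx_stack"]:
        out.append("executable stack (NX off)")
    if not h["pie"]:
        out.append("not PIE, so ASLR cannot randomise the image base")
    if not h["relro"]:
        out.append("no RELRO")
    if h["wx_segments"]:
        out.append(f"{h['wx_segments']} writable+executable segment(s) (W^X violated)")
    return out


def check_file(path: str) -> list:
    with open(path, "rb") as f:
        return findings(f.read())


def build_elf(e_type: int, phdrs) -> bytes:
    """Construct a minimal little-endian x86-64 ELF64 header plus program-header table.
    Constructed test input only: no code, not loadable, just the fields the checker reads."""
    hdr = bytearray(64)
    hdr[:7] = b"\x7fELF" + bytes([2, 1, 1])             # e_ident: class64, LE, version 1
    struct.pack_into("<HHIQQQIHHHHHH", hdr, 16,
                     e_type, 62, 1,        # e_type, e_machine (x86-64), e_version
                     0, 64, 0, 0,          # e_entry, e_phoff, e_shoff, e_flags
                     64, 56, len(phdrs),   # e_ehsize, e_phentsize, e_phnum
                     64, 0, 0)             # e_shentsize, e_shnum, e_shstrndx
    table = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return bytes(hdr) + table


# What a release build should look like versus a "debug flags left on" build.
HARDENED = build_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                              (PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
DEBUG_BUILD = build_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_W | PF_X),
                                  (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    import sys
    for name, blob in (("hardened", HARDENED), ("debug build", DEBUG_BUILD)):
        print(name, "->", findings(blob) or "ok")
    for path in sys.argv[1:]:
        print(path, "->", check_file(path) or "ok")
```

The same four facts are what `readelf -l` and `checksec`-style scripts derive from; having them in a few lines of your own means the check can sit in a release pipeline and fail the build, which is the point the comment is making about retesting before shipping.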

Crazy Operations Guy

Re: Time gentlemen

My vote would be to allow it, but at least emit a warning (Although I suppose that wouldn't help with the incompetent developers that just disable all warnings, but there is no helping them...)

Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints

Crazy Operations Guy

Re: Ironic that...

Although you might not be able to do that for long. Microsoft is hell bent on killing cmd, so your only option for login scripts is going to be PowerShell.

Blockchain is bullsh!t, prove me wrong meets 'chain gang fans at tech confab

Crazy Operations Guy

Ends up being centralized anyway

My big problem with the Block-chain is that at a certain point it will grow too large for anything resembling decentralization to be feasible. As the number of transactions increase, so does the storage requirement. Sure the average punter can probably afford the current storage requirements for a block-chain in its infancy, but at some point it'll grow to the point of needing specialized storage hardware to hold the thing. At that point it becomes essentially centralized as the only entity that would be willing to spend the money to store that information are the entities that couldn't be trusted with centralization in the first place.

Sure it would give the public the ability to 'audit' the government in the beginning when the chain is only a few gigabytes, but when it grows to terabytes, no one is going to think it's worth the cost when it grows to hundreds of terabytes. Even watchdog agencies will give up keeping copies of it once it becomes too much of a burden and just go back to normal methods.

Really, it seems like the best way to avoid transparency, just fill the blockchain with so much data that no one wants to store it except you, at which point there is nothing to stop tampering.

Crypto crash leads to inventory pile-up at Nvidia, sales slaughtered

Crazy Operations Guy

Re: Watching UHD TV?

For UHD television, a dedicated GPU is completely unnecessary. Even the Intel HD 4600 can do 3840x2160@60 on a standardized video stream (H.264, H.265, VP8, VP9, etc). I have a NUC plugged into my TV and it has no problem with 4K streams coming down from Netflix, Hulu, and a few other services.

Crazy Operations Guy

There are an awful lot of video cards in my datacenter. Sure, they aren't pushing the pixels to a local display, but they are pushing them through the network to the massive fleet of thin clients we have for the engineers and graphic designers (this way we can re-dedicate the unused render capabilities to power the physics simulation farm when AutoCAD isn't eating the cards).

Q. What's a good thing to put outside a building of spies? A: A banner saying 'here we are!'

Crazy Operations Guy

The administration doesn't care about security compromises, they just care that government funds might not end up funneled into the pockets of rich American shareholders (AKA their campaign financiers). US Policy makes a lot more sense when you frame it as "How will this affect the people that fund the campaigns of the politicos?"

Ever yearn for the Windows 95 shutdown sound? TADA! There's an Electron app for that

Crazy Operations Guy

Kinda brilliant using JavaScript

In any other programming language, it'd take quite a lot of effort to get a modern machine to perform as badly as something from the mid-1990s...

Want a bit of privacy? Got a USB stick? Welcome to TAILS 3.12

Crazy Operations Guy

Re: With Systemd? No thanks

My concern isn't over tor or anything at that level, I know those things aren't perfect and I can accept those risks. My concern is that they are taking unnecessary risks at the OS level. Systemd is bloated and, from recent reports, full of holes. Security flaws that don't have to exist at all. Tor does not require much to run, it does not require systemd, nor does it require a large swath of Debian's codebase.

My complaint is that they are claiming security and privacy, but just taking a stock, general-purpose distro to build on top of. A distro that has made compromise after compromise in the name of increasing market share over security.

Crazy Operations Guy

With Systemd? No thanks

I can't take claims of security and privacy seriously when they are using systemd...

Furious Apple revokes Facebook's enty app cert after Zuck's crew abused it to slurp private data

Crazy Operations Guy

Re: How do these "enterprise developer certificates" work?

The installer module in iOS ignores certificates not in the default CA store. Installing anything on an iOS device therefore requires a certificate that a clean iOS device trusts. From what I understand, Apple will act like a CA and cut a code-signing certificate for developers as part of the Enterprise agreement (so they just have to sign a CSR, and not add it to the certificate store each time a new company signs up to the Enterprise Program).

You can add whatever certificates you want, even ones with the code-signing attribute, but that attribute won't matter, the installer still won't install your code.

The entire point is to prevent people from jail-breaking their devices through various means, such as emulating an MDM system, or manually forcing the certificate (which won't work either, the module verifies the signature of the certificate store against a key burned into the firmware, so making changes without Apple's private signing key or the tools to physically change the silicon yourself).

Microsoft vows to destroy Office, er, offices: Campus to be demolished and rebuilt

Crazy Operations Guy

Re: RIP Building 2

I was on the first floor, it was a nice building (2/1092). Close to Cafe 4, I spent many a summer day hanging out at Lake Bill watching the Koi while eating my lunch. Ah, those were the days. I was on the BPOS testing team, managing all the Unix and Linux systems that had come over from acquisitions and no one could quite build a replacement. Nothing like being a perma-temp assigned to keep a pile of SunFires up and running and in the exact same config (we had piles and piles of spares, since a lot of the already-replaced code ran on them too, so when code got replaced, I scooped up the old stuff and crammed it into my storage closet). It was such a fun gig, but eventually I had to move on.

Amazon's creepy facial recog doorbell, Facebook open sources machine learning code and much more

Crazy Operations Guy

Every time Amazon and Google roll out with new AI...

Every time Amazon and Google roll out with new AI I get a stronger and stronger urge to go live in a cave somewhere in central Australia or somewhere equally remote. It's not like I'm afraid because I don't understand technology, but quite the opposite. I understand it far too well and just how easily things can go horribly wrong when others trust in it more than they should (probably because they don't understand it).

But, also, I'm not afraid in the "AI is going to become self-aware and destroy us all" sense, but more in the "It is going to be so rudimentary it blurts out all your personal information because some frustrated person asking it 'Well, what do you know?' after the AI fails to answer a series of trivial questions" sense of fear.

Super Micro says audit found no trace of Chinese spy chips on its boards

Crazy Operations Guy

Release the schematics?

I'd breathe a lot easier if they were to publicly release the schematics of one or two of the products at the center of this. From my knowledge of electrical engineering, the suspected part wouldn't even have access to the proper buses to even do anything like what Bloomberg is alleging. From Bloomberg's report, the device looked to be a simple two-conductor component, but it was quite difficult to see exactly what the device looked like in the images.

It'd go a long way to dispelling rumors if SuperMicro were to release the schematic and board layout drawings so that independent researchers and private individuals could take a look to see if such a device is even possible in the first place. It would also allow researchers to test suspected boards to see if the component behaves as expected and is the intended device.

The security researcher in me also doubts the Bloomberg report in that no one in their right mind would go through the effort of breaking a system by inserting a chip into the assembly logistics in the hopes that one of the tens of thousands of parts actually made it into their target's system and the system is in a location that can be compromised and that particular system actually contains the target data. Especially since if they wanted that much access, the IPMI chip and the Intel Management Engines are already present in the system to begin with, either one could be compromised and would give you ridiculous amounts of control over the system without the risk of compromising a component.

Really, it would be so much easier to just send fake firmware patches to the target and produce a much more direct attack rather than casting a massive net in the slim chance of getting access to that specific target.

Crazy Operations Guy

Re: Err

"Super Micro is an american company that does most of it's manufacturing in China."

So you mean like IBM, Apple, Dell, HPE, Cisco, Oracle; Intel, AMD, Nvidia, Micron, Kingston, Asus, Acer, MSI, Crucial, Texas Instruments, and so on.

I don't think there is a single "American" company that hasn't offshore'd the vast majority of its manufacturing to Pegatron, Foxconn, TSMC, or some other Chinese-owned manufacturer.

Tumblr resorts to AI in attempt to scrub itself clean from filth

Crazy Operations Guy

Re: Spare A Thought

"may well go the way of Yahoo."

Well, tumblr used to be part of Yahoo until 2017 when it was spun off into its own subsidiary of Verizon.

Estonian ex-foreign sec urges governments: Get cosy with the private sector on cybersecurity

Crazy Operations Guy

Politician praising the private sector?

Let me guess, she, or someone in her family and close friends, now owns a cyber security consultancy company.

Something I've seen time and time again is politicians being utter incompetents at solving a problem or just tend to ignore a little issue that can be easily solved until it becomes some massive problem that is nearly impossible to fix. Then when they leave office, suddenly they found the big solution to the problem in the form of a private company that seems to know a little too much about specific challenges of solving the problem, and is willing to work with the government for a "reasonable" fee.

The former politician then decides they believe in the company so much that they decided to invest in their radical solution. Sure, it looks like the politician had been leaking information to a private company this whole time, and is now receiving a massive payoff, but that's just what one of those evil "Enemies of the State" would think.

It's 'nyet' again, yet again, for Kaspersky: Appeal against US govt ban snubbed by Washington DC court

Crazy Operations Guy

Re: I wonder how much this is helping their sales...

"you now feel that the U.S. government doesn't have a clue and does not act in their own best interests."

No, I am pretty sure they are operating in their best interests, however their interests and the interests of their people very rarely overlap. I've felt this way since DayGlo was still hip and Disco wasn't dead.

But, my reasoning is mostly due to why the US banned Kaspersky. Some NSA worker took a bunch of classified documents home, including some zero-day code. Said NSA worker then disabled their antivirus so they could run a keygen for Microsoft Office (which, big surprise, infected his machine with all kinds of nasties). He then started his antivirus back up, which noticed the infections from the keygen and also noticed some new code it didn't have a definition for, but it still had all the hallmarks of malware. So, the antivirus then beamed the data back to HQ for further analysis where automated tools can be thrown at it to determine if it is a new piece of malware, new strain of an existing one, or just a false positive. Kaspersky, without knowing exactly what they were dealing with, then produced definition files countering the US's unreleased cyber weapons.

So really, it's that a Russian company did something a competent company does, but the US thought it was part of some grand conspiracy / spy operation (the current administration sure loves going to that well...). Because what other explanation is there to some of their cyber weapons being neutralized well before deployment other than someone trying to sabotage the Glorious Leader?

Crazy Operations Guy

I wonder how much this is helping their sales...

With how consistently wrong the US Government is when it comes to network security, there couldn't be any better endorsement for Kaspersky products as getting banned by the Feds.

Hell, it's exactly why they are now in possession of $70 of my dollars... (I also use a second anti-malware product on my proxy to scan incoming files. It's been banned in Russia, but not the US. I figure between the two, I'd be safe from both sides. But I also figure it'd be interesting to see all the cases where one catches something and the other doesn't, and vice versa...)

Magecart fiends punch card-skimming code in Sotheby's Home website

Crazy Operations Guy

"implemented additional security safeguards"

You mean like actually checking what code is actually running on your fscking website? It bothers me how massive and bloated websites have become and how they've gotten to the point where it is impossible to actually audit the things due to the massive amounts of 3rd party code that gets loaded so the page can show some sparkly menu or the page has a sliding effect that no one gives a shit about.

I really miss the days when even the most complicated of websites could be audited by a single person with a text editor and basic skills in HTML, CSS, and whatever language the CGIs were written in (and that language almost always being something ubiquitous like shell scripts or C).
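
One concrete form of "checking what code is actually running on your website", added here as an example and not taken from the comment, from Sotheby's or from any Magecart write-up: the script inventories every `<script>` in a page, flags cross-origin scripts that carry no Subresource Integrity `integrity` attribute (whatever the third party or its CDN serves tomorrow runs as-is), hashes each inline script body in the CSP `sha256-` form, and diffs the result against a saved baseline so a newly injected loader stands out. The page, host names (`shop.example.test`, `cdn.example-tracker.test`), the `integrity` value and the baseline are all constructed for the example.

```python
"""Inventory the scripts a page loads, flag unpinned third-party ones, and diff
against a known baseline.  Added example, not code from the original comment."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def csp_hash(code: str) -> str:
    """CSP-style digest of an inline script body, e.g. 'sha256-...'."""
    digest = hashlib.sha256(code.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


class ScriptInventory(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.external = []      # dicts: src, host, integrity
        self.inline = []        # csp_hash of each inline script body
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            # urlparse handles absolute, scheme-relative ("//cdn/...") and relative URLs.
            host = urlparse(a["src"]).hostname or self.site_host
            self.external.append({"src": a["src"], "host": host,
                                  "integrity": a.get("integrity")})
        else:
            self._in_inline = True

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)      # script bodies may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append(csp_hash("".join(self._buf)))
            self._buf, self._in_inline = [], False


def audit(html: str, site_host: str) -> dict:
    inv = ScriptInventory(site_host)
    inv.feed(html)
    unpinned = [s["src"] for s in inv.external
                if s["host"] != site_host and not s["integrity"]]
    return {"external": [s["src"] for s in inv.external],
            "third_party_unpinned": unpinned,
            "inline_hashes": inv.inline}


def new_since_baseline(result: dict, baseline: dict) -> dict:
    """Anything not in the approved baseline is a change someone should have made on purpose."""
    return {"external": sorted(set(result["external"]) - set(baseline["external"])),
            "inline_hashes": sorted(set(result["inline_hashes"]) - set(baseline["inline_hashes"]))}


# Constructed sample page: one first-party script, one pinned CDN script, one inline
# script, and one third-party loader with no integrity attribute.
INLINE_CODE = "window.dataLayer = window.dataLayer || [];"
SAMPLE_PAGE = f"""<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-cdn.test/lib.min.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script>{INLINE_CODE}</script>
<script src="//cdn.example-tracker.test/t.js"></script>
</head><body></body></html>"""

# Constructed baseline: what the page looked like when it was last reviewed.
BASELINE = {"external": ["/static/checkout.js", "https://cdn.example-cdn.test/lib.min.js"],
            "inline_hashes": [csp_hash(INLINE_CODE)]}


def demo() -> dict:
    result = audit(SAMPLE_PAGE, "shop.example.test")
    result["new"] = new_since_baseline(result, BASELINE)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Run it against the served HTML, not the template in the repository, since skimmers are usually injected at the edge or in a third-party script rather than in your source tree; the inline hashes it emits are the same values a `script-src` CSP would need, so the audit and the policy can share one baseline.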

Blockchain study finds 0.00% success rate and vendors don't call back when asked for evidence

Crazy Operations Guy

Re: Blockchains are a wonderful tool .....

Ah, good old fashioned rubber-hose cryptanalysis.

Crazy Operations Guy

Re: Gold rush...

"pResident of the USofA grandfather came to make his money supplying the gold-diggers with stuff." Well, he didn't so much sell stuff as he sold sex slaves to loggers and gold miners for a few hours at a time. Then he skipped town up to British Columbia once the authorities caught on to what he was doing; then when the Mounties caught on, he fled to Alaska, then got caught again and fled back to Germany, where he dodged the draft, at which point he ran back to Queens, New York when the Gendarmes came for him.

Prez Trump to host chinwag with Google, Microsoft, Oracle and Qualcomm – report

Crazy Operations Guy

Knowing this president, it'll just be several hours of him trying to get tech executives to suck up to him; self-aggrandizing lies; and rants about his "enemies". At least until everyone gets bored of his antics and leaves (Satya would probably be first since he's already served under a loud, obnoxious, balding, blubbering buffoon for years and probably doesn't want flashbacks).

What a meth: Woman held for 3 months after cops mistake candy floss for hard drugs

Crazy Operations Guy

Re: @eDog - why should the taxpayers be on the hook?

"Good luck recruiting police officers with that hanging over their heads."

The medical industry seems to do just fine with such a restriction. But if they fear having their premiums go up due to their behavior, maybe they shouldn't be police in the first place...

Crazy Operations Guy

Re: How many constitutional rights were violated ?

"It was probably the last chance to turn back the clock to a time when liberty was the defining characteristic of the country"

But things kinda sucked for everyone in 1491...

From directory traversal to direct travesty: Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugs

Crazy Operations Guy

Re: TP-Link

Penny-pinching managers, small businesses with almost no budget, schools and other public institutions, and so on.

I've had a bunch of clients where the manager went out to BestBuy and bought whatever the sales guy said would work then stuck it in the network, then refused to replace it since "It works well enough".

Nvidia just can't grab a break. Revenues up, profit nearly doubles... and stock down 20%

Crazy Operations Guy

If Moore's Law is ending

Then hopefully we can finally get developers to actually optimize and clean up their code rather than just relying on the fact that next year's chips are going to be good enough to run their inefficient crap well enough that the user doesn't care.

Video chips are literally millions of times more powerful than they were in the 1980s, but graphics performance has really only increased by a factor of a thousand since.

Irony meters explode as WordPress GDPR tool hacked, cell network hack shenanigans, crypto-backdoors, etc...

Crazy Operations Guy

The downside to unregulated currency

That is the downside to having an unregulated currency like BitCoin, if it gets stolen or taken as part of a scam, there are no mechanisms in place to get it back. Whether or not that risk is worth the upsides of bitcoin is something that needs to be considered.

In news that will shock absolutely no one, America's cellphone networks throttle vids, strangle rival Skype

Crazy Operations Guy

"What over-the-air data rate is the cellular network using for voice calls these days?"

Depends on what codecs the handset and network support. Can be anywhere from 2400 bps on an old network and handset, up to 96,000 bps on a new phone attached to a new network that has been set up for the clearest voice possible (Extremely rare outside of a lab environment). It'll also depend on congestion since the tower is going to downgrade a step at a time until there is sufficiently large block of free bandwidth for handsets entering the cell. The other end of the call would also affect the voice channel (no point in giving someone 32,000 bps when the other end is only sending at 4800 bps)

Crazy Operations Guy

Re: Spectrum grows on trees

Voice streams are handled on different blocks of frequency than data streams. There will never be a time when someone's data streaming prevents you from making a phone call. Voice channels are also much smaller than data (what with voice only requiring a few Kbps for a reasonable quality voice call). If the tower runs out of channels to give voice service to newly arriving users, it will take a data channel away from the heaviest user and split it into voice channels. If it runs out of data channels to take away, it will renegotiate with connected handsets for lower quality voice codecs. And even if all phones connected are using the lowest-quality voice possible and the tower still needs more frequency, it will put voice channels into an emergency-only mode allowing only calls to emergency services. But the possibility of that happening would be almost non-existent (you'd have to move the entire population of an entire metro area into a small area for that to happen).

Some networks are set up so that if a cell gets overwhelmed, it will reduce its power and adjacent, less used towers will increase their power levels so their channels can be used to handle the additional load.

Google logins make JavaScript mandatory, Huawei China spy shock, Mac malware, Iran gets new Stuxnet, and more

Crazy Operations Guy

Re: Gmail alternatives

Or, you know, you can spin up a VPS and throw some simple IMAP / SMTP software on it. I've been doing this for a while, I built an IMAP server running OpenBSD with Dovecot installed on top. Cost me a whole $8 a month for a pair of machines running on opposite ends of the earth (Oslo and Auckland, using two different providers) syncing their mail with each other. Certificates are provided via Let's Encrypt (there is a client included in OpenBSD's base along with an SMTP daemon that supports encryption and authentication).

For the $60 a year it costs me for the machines and the domain name, I get peace of mind that my mail is safely hidden from advertisers. Plus I get as many email addresses as I want and use whatever the hell protocols I feel like using.

Worldwide Web wizard Tim Berners-Lee sticks wellington boot into Worldwide Web's giants: Time to break 'em up?

Crazy Operations Guy

Re: Timing

The only people the tech companies are in the pockets of are the investors and the executives of these companies. They only care about inflating their bottom lines. They'll let you post anything from ISIS propaganda, entire copies of Mein Kampf, The Communist Manifesto, whatever so long as they are making a profit off it. Hell, you could probably show graphic depictions of Zuckerberg's grandma being brutally tortured all over Facebook and Mark would nod in approval as the advertising dollars keep coming in.

Tiny Twitter thumbnail tweaked to transport different file types

Crazy Operations Guy

"ICC profiles contain no executable code"

So, they clearly have no clue how malware works. Although I assume they meant that the ICC specification doesn't allow for execution itself, but grossly ignores how trivial a buffer overflow is when handling variable-length data like images in a loose specification like JPEG. All it takes is a manipulated JMP to make that ICC data executable.

What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection

Crazy Operations Guy

Never should be remotely controllable in the first place

Heavy machinery, especially something that if mishandled can kill hundreds, is not something that should be fully controlled by software. Especially since every day I am constantly reminded that no matter how well made the software is, it will still screw up in new and interesting ways. And something like this requires real-time communication and numerous fail-safes, which TCP/IP over 802.11 is entirely unsuitable for. Like, what actions would the crane take if the network gets flooded and commands are being delayed or dropped? What if the crane was last commanded to rotate but the command to stop is lost? What if there is a delay and the operator repeats a command, does the crane do it twice or should it assume the operator only sent two under the assumption the first never made it?

I wouldn't have a problem if it had a human manually operating the controls but guided by software; at least then there is a human doing the actual control work who can refuse to do dangerous operations. Like, I can understand having a remote control unit that would allow someone on the ground to direct the crane's actions, but that should really be instructions sent to a human operator. Like you'd have an assistant to the operator on the ground with a device that sends a video feed to the operator and allows them to send preset commands that show up on the operator's control panel (like green arrows of varying lengths for move a little to the right, move a lot to the left, lift the load a meter, lower a few centimeters, stop, etc.).

Euro eggheads call it: Facebook political ads do change voters' minds – and they worked rather well for Trump in 2016

Crazy Operations Guy

Re: With help from the press right here

Also, I assume you were educated in the US since only an American can manage to forget that San Francisco is far from the furthest west, what with the existence of two entire states being firmly to the west of the Bay Area. And even if you disregard both Alaska and Hawaii, Portland, OR and Seattle, WA are both a full degree west of San Francisco.

In the two years since Dyn went dark, what have we learned? Not much, it appears

Crazy Operations Guy

Re: Bind/Named

Don't even need a VPS, I'm using a pair of desktops I rescued from the dumpster almost 15 years ago (I grabbed a bunch and stockpiled spare parts and upgraded the machines as much as possible). I found a pair of Pentium-3 boxes with 512 megs of RAM and a pair of 20 GB disks is enough to serve a hundred or so users comfortably. They sure knew how to make computers back then, very few failures in the 15 years since I first powered them up (and after the 3-4 years they survived under users' desks).


Crazy Operations Guy

I just built my own root dns server.

I went with a simple OpenBSD box running nsd and a daily cron job that goes out and grabs "https://www.internic.net/domain/*.zone" and the *.arpa files, stuffs those files into /var/nsd/zones/, and restarts nsd. I have a pair of servers that are just recovered 1 GHz P3 / 512m / 20g desktops with some extra NICs shoved in them. The two of them seem to handle around a hundred users at a time (those are the only boxes on the network that allow port 53 traffic out to the internet and the only machines that can listen on 53).

I've dumped www.internic.net into my /etc/hosts file since its IP address hasn't changed since it went live back in the 1980s (the damn thing is older than the internet, what with it being the root of the internet / World Wide Web and all...). If the IP changes, then something is definitely going wrong.

Between the IP being static and probably the most permanent thing on the internet, and the fact that they have their sig files posted and those too are static, I am very confident in the integrity of its data and then let DNSSEC take care of the rest. No need to trust any third parties, especially the likes of Google.
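
The step in that cron job that deserves a guard is "stuff the files into /var/nsd/zones and restart nsd": if the download is an error page, a truncated file or an older copy, nsd gets restarted on top of it. The script below, added here as an example rather than anything from the comment above, from NSD or from InterNIC, checks a freshly fetched zone file before installing it: it locates the SOA, requires the zone's own apex NS records to be present, compares serials with RFC 1982 wrap-around arithmetic so a rollback is refused, and swaps the file in with an atomic rename. It works for any zone whose SOA line carries an explicit owner (the root zone and the *.arpa files both do); the zone texts it runs on are constructed, abbreviated fakes, not real InterNIC data. Fetching and checking the published signature stay in the cron job.

```python
"""Validate a freshly downloaded zone file before letting nsd load it.
Added example; not from the original comment, NSD or InterNIC."""
import os
import re
import tempfile

SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)", re.M)


def zone_serial(text: str):
    """Return (owner, serial) from the first SOA record, or raise ValueError."""
    m = SOA_RE.search(text)
    if not m:
        raise ValueError("no SOA record found (error page or truncated download?)")
    return m.group(1), int(m.group(2))


def zone_has_ns(text: str, owner: str) -> bool:
    """A zone with no NS records at its own apex is not something to serve."""
    pat = re.compile(r"^" + re.escape(owner) + r"\s+\d+\s+IN\s+NS\s+\S+", re.M)
    return pat.search(text) is not None


def serial_newer(new: int, old: int) -> bool:
    """RFC 1982 serial comparison: 'newer' if the forward distance is under 2^31."""
    d = (new - old) % (1 << 32)
    return 0 < d < (1 << 31)


def install_zone(new_text: str, zone_path: str):
    """Return ('installed', serial) or ('rejected', reason); never clobbers a good file."""
    try:
        owner, new_serial = zone_serial(new_text)
    except ValueError as e:
        return "rejected", str(e)
    if not zone_has_ns(new_text, owner):
        return "rejected", f"no NS records for {owner}"
    if os.path.exists(zone_path):
        with open(zone_path) as f:
            _, old_serial = zone_serial(f.read())
        if not serial_newer(new_serial, old_serial):
            return "rejected", f"serial {new_serial} is not newer than installed {old_serial}"
    tmp = zone_path + ".tmp"
    with open(tmp, "w") as f:            # write beside the target, fsync, then rename
        f.write(new_text)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, zone_path)           # atomic on POSIX; nsd never sees a half-written file
    return "installed", new_serial


# Constructed, abbreviated zone texts (two root-server lines instead of thirteen).
ROOT_V1 = """.\t86400\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2019031200 1800 900 604800 86400
.\t518400\tIN\tNS\ta.root-servers.net.
.\t518400\tIN\tNS\tb.root-servers.net.
"""
ROOT_V2 = ROOT_V1.replace("2019031200", "2019031201")   # next day's serial
ROOT_V0 = ROOT_V1.replace("2019031200", "2019031100")   # stale copy from a cache
ERROR_PAGE = "<html><body>503 Service Unavailable</body></html>\n"


def demo() -> list:
    """Run the sequence a nightly job might see; returns the status of each attempt."""
    path = os.path.join(tempfile.mkdtemp(), "root.zone")
    attempts = [ROOT_V1, ROOT_V1, ERROR_PAGE, ROOT_V0, ROOT_V2]
    return [install_zone(t, path)[0] for t in attempts]


if __name__ == "__main__":
    print(demo())      # ['installed', 'rejected', 'rejected', 'rejected', 'installed']
```

In the cron job this sits between the download and the restart: verify the downloaded file against the signature InterNIC publishes next to it, run `install_zone` (or NSD's own nsd-checkzone on the temporary file as a further parse check), and only reload nsd when every zone came back as installed; a single rejected zone should leave yesterday's copy in place and send mail rather than restart the daemon.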

Biting the hand that feeds IT © 1998–2019