Jim Gettys
Works at Bell Labs
Attended MIT

Jim Gettys
Shared publicly
The tragedy of the commons...
The bug that rattled the Internet last week exposed the paradox that some of the web’s most crucial coding depends on the efforts of volunteers.

Jim Gettys
Shared publicly
Nothing like DNS addresses as political protest....
 
If we can just get dnssec fully deployed and everyone using it, it will be (somewhat) more difficult for bad guys of all flavors to play games attacking services this way.

I'm happy to say that CeroWrt "does the right thing" about dnssec now, courtesy of Simon Kelley's recent dnsmasq work, and for sites that have dnssec enabled, I get a cheery green key in my Chrome bar showing that the dns name is secured.
 
Not sure more comment is needed...
 
YIKES!!! Comcast acquiring Time Warner Cable for $45.2 billion... when do we talk about cable monopoly?@oti @newamerica @fcc @ftc
Yeah, I am too. I'm actually surprised that I haven't seen anything yet.

Jim Gettys
Shared publicly
For those who are of the security sensitive type, this looks interesting.
 
The #beagleboneblack has an onboard hardware random number generator, which last I looked was not fully enabled in the Linux kernel. (sigh). Even if it were, having only one hw rng is not enough: https://www.schneier.com/blog/archives/2013/09/surreptitiously.html

Good random numbers are needed to keep an entropy pool filled for critical services like ssh, ssl based web traffic, dnssec key generation and others.

Now there is a cool new product, the #hashlet (http://cryptotronix.com/products/hashlet/ ), that has support for hw authentication and random number generation. It proves the task can be done on a single inexpensive chip hooked up to an i2c bus (which is common to many devices other than the beaglebone and raspi).

It doesn't have a linux kernel driver yet, but it looks straightforward. +Theodore Ts'o ? Know anybody that has some spare time for that?

In the meantime, I get a warm, fuzzy feeling every time I do this:

d@beagle-5:~/git/hashlet$ hashlet /dev/i2c-1 random
54302AC51CDA68449B637F7EDB552D0EEF0FB9F8B3CBC382A203B4C919B9260B

d@beagle-5:~/git/hashlet$ hashlet /dev/i2c-1 random
8530DFD62BBCDDDF12D83A26726A92F5F4792A8167558A9B98A908C73FE72EF1

Every computer should have at least two different hardware random number generators, designed by different shops/countries and/or spy agencies.
Somewhat related: http://www.vanheusden.com/entropybroker/

EntropyBroker can get entropy data from multiple sources and then mix them together (no self-invented algorithms, all standard crypto) so that one or more systems can retrieve this data where needed.
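As an added example (not code from the post, the hashlet project or EntropyBroker), this is what a defender would do with output from two independent hardware RNGs as the post recommends: hash the samples together and credit the result to the Linux entropy pool through the RNDADDENTROPY ioctl, the interface rng-tools' rngd uses. One sample is the hashlet output quoted above; the second is a constructed stand-in for the board's own generator, and the entropy-credit policy is this example's assumption.

```python
"""Mix two hardware RNG samples and feed the result to the Linux entropy pool.
Added example; sample B and the crediting policy are constructed assumptions."""
import fcntl
import hashlib
import struct

RNDADDENTROPY = 0x40085203  # _IOW('R', 0x03, int[2]) from <linux/random.h>

# Sample A is the first `hashlet /dev/i2c-1 random` line quoted in the post.
SAMPLE_A = bytes.fromhex("54302AC51CDA68449B637F7EDB552D0EEF0FB9F8B3CBC382A203B4C919B9260B")
# Sample B is a constructed stand-in for a second, independent generator
# (e.g. the SoC's on-chip RNG exposed as /dev/hwrng); NOT real RNG output.
SAMPLE_B = bytes.fromhex("00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF")


def mix_sources(*samples):
    """Hash the length-prefixed samples together. The output stays unpredictable
    as long as at least one source is good and the sources cannot observe each
    other, so a weak or backdoored generator cannot cancel out an honest one."""
    h = hashlib.sha256()
    for s in samples:
        h.update(struct.pack(">I", len(s)))  # length prefix: no boundary ambiguity
        h.update(s)
    return h.digest()


def pack_rand_pool_info(data, entropy_bits):
    """Build struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }.
    entropy_count is in bits, buf_size in bytes; buf is padded to whole 32-bit words."""
    padding = b"\0" * (-len(data) % 4)
    return struct.pack("ii", entropy_bits, len(data)) + data + padding


def credit_entropy(mixed, entropy_bits=None, dev="/dev/random"):
    """Mix `mixed` into the kernel pool and credit entropy_bits (needs CAP_SYS_ADMIN).
    Default credits only half of the bytes' worth of bits, a conservative assumption
    for the case where one of the two sources turns out to be poor."""
    if entropy_bits is None:
        entropy_bits = len(mixed) * 8 // 2
    with open(dev, "wb") as f:
        fcntl.ioctl(f, RNDADDENTROPY, pack_rand_pool_info(mixed, entropy_bits))
    return entropy_bits


if __name__ == "__main__":
    mixed = mix_sources(SAMPLE_A, SAMPLE_B)
    try:
        print("credited", credit_entropy(mixed), "bits to the kernel pool")
    except PermissionError:
        print("need root to credit the pool; mixed sample:", mixed.hex())
```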

Jim Gettys
Shared publicly
I worked with Bruce Schneier on this piece. The situation in home routers and similar devices (between you and the rest of the Internet) is a danger beginning to unfold before us. This is a generic problem found in embedded systems, but it's particularly a problem for devices on the path between you and the rest of the Internet, as a problem can't be fixed by simply unplugging the offending device (if you can even detect the problem). The problem goes beyond your home router and includes similar devices such as your cable modems.

"Friends don't let friends run home router factory firmware."

Install OpenWrt or CeroWrt today if you are capable, and help reduce your vulnerability.  And you can suffer less from bufferbloat, as an added bonus.

We must demand open code, and an update stream to go with any device we buy, as we go forward into the "brave new world" that some call the "Internet of Things".  Binary blobs of any sort (particularly unmaintained blobs, which most are) are a long term danger. Make your purchasing choices wisely, educate your family and friends of the problem, and if you are an open source developer, come help out. The network you save and protect may be your own....
OpenWrt is the most advanced. And there is CeroWrt, where we do our #bufferbloat work (you should think of CeroWrt as an advanced, bleeding-edge build of OpenWrt, rather than a fork). We push as much as we can into OpenWrt once it is stable (most, but not all, of the bufferbloat work is already in OpenWrt at the moment).

Unfortunately, binary blobs are a real headache and therefore OpenWrt cannot run on everything out there. The hardware we run CeroWrt on was specifically chosen to avoid binary blobs as much as possible (and to have enough RAM & Flash that we wouldn't be spending time engineering around the lack of space).
Advice for people running #CeroWrt and #OpenWrt on #Heartbleed.

Friends don't let friends run home routers with factory firmware.
 
I have put out a SHOULD UPGRADE advisory for the home router #CeroWrt project due to #Heartbleed, particularly for those using certain optional packages. Other users of #OpenWrt's packages and build system may also be affected by #heartbleed #heartbleedbug - see here for more details: http://www.bufferbloat.net/news/50
I don't understand why home/wireless router companies bother with their own firmware, which seems to be inferior. Some functions on my old and new routers simply didn't work (a Google search showed I was not alone). The user interfaces are clumsy and buggy. They are always wanting to reset the thing to update a table somewhere. Not exactly stunning.

Jim Gettys
Shared publicly
This needs to stop. That a human error can get you onto a list you can't get off of or maybe even know about is not justice. http://www.huffingtonpost.com/ralph-nader/the-law-must-be-free-and-accessible_b_4747745.html
 
We call it "kafkaesque". How one wrong checkbox destroyed a student's life, caused millions to be wasted, made high-ranking people look really bad afterwards, and a lot more. And who insisted on getting the truth out? Judge Alsup. Yes. THAT Judge Alsup who learned programming in Java to make a good decision in the Oracle v Google case. I admire this man.

"After seven years of litigation, two trips to a federal appeals court and $3.8 million worth of lawyer time, the public has finally learned why a wheelchair-bound Stanford University scholar was cuffed, detained and denied a flight from San Francisco to Hawaii: FBI human error."

http://www.wired.com/threatlevel/2014/02/no-fly-coverup/

yep, the one "closest to my heart" is the NEC. I forget whether it's NYS, Erie County, or Cheektowaga which incorporated the NEC 2008 into law by reference (probably NY), but that's been the contention of the NFPA, that they own the copyright on that, so you should have to buy a copy of the NFPA 70 from them. Nuts to that. If I'm expected to follow NFPA 70, 2008 Edition, I have to know what's in it and it does not seem reasonable at all that I should have to pay extra to know what the law is.

I haven't checked for NYS or Erie County, but I know everything for Federal law and Cheektowaga ordinances are available at no charge online.  Thankfully, bulk.resource.org has at least the NEC, among other things, and that as I recall was due to a Federal court case ruling that these codes need to be available to the public, and not be put behind some sort of walled garden.

Jim Gettys
Shared publicly
Steps in the right direction...  Of course, we can't trust the certificate authorities, but this can be used to help lots of things anyway and makes MITM much harder.
 
+Dan York +Paul Vixie  Getting #DNSSEC deployed out to the edge has taken a decade longer than it should. Probably the most popular edge #DNS server, dnsmasq, has entered an alpha test phase of DNSSEC support.

After support stabilizes, hundreds of millions of CPE, Android and other devices using dnsmasq (probably more than a billion!) could benefit.

Testers wanted. Test tools wanted. Eyeballs wanted.

Get the code at:

git clone git://thekelleys.org.uk/dnsmasq.git

Test builds for #Arch, #ubuntu, #debian, #suse, etc. are at:

https://build.opensuse.org/project/repositories/home:tohojo:dnsmasq

(but I would encourage you to also closely track the git tree)

Ongoing discussion at:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q1/008086.html

This is a chance to finally secure a long gaping hole in DNS, and it would be good to get it utterly right. Please help however you can.

Jim Gettys
Shared publicly
 
anytime i try anything remotely like that, it ends up on my head.

Jim Gettys
Shared publicly
Silence is not golden; it is hard enough to get security right in the first place without active undermining of that we depend on. 
 
Unfortunately Obama said absolutely nothing about preventing the NSA from weakening encryption standards, or leaning on hardware and software companies to introduce weaknesses or backdoors into their encryption systems.

Give Obama an F for FAIL on that entire section of recommendations from his review panel.
People
In his circles
1,201 people
Have him in circles
1,321 people
Work
Occupation
MTS, Bell Labs
Employment
  • Bell Labs
    MTS, present
  • One Laptop Per Child
    V.P. of Software, 2006 - 2009
Basic Information
Gender
Male
Story
Introduction
X Window System, HTTP, handhelds, OLPC, bufferbloat
Education
  • MIT
    E&PS, 2013
  • Phillips Academy
    1970 - 1972