Profile

Paul Vixie
Works at Farsight Security, Inc.
Attended Keio University
Lives in La Honda, California
2,320 followers|284,908 views

Stream

Paul Vixie

Shared publicly  - 
 
<<The number of people whose job it is to make software secure can practically fit in a large bar, and I’ve watched them drink. It’s not comforting. It isn’t a matter of if you get owned, only a matter of when.>>

i re-read this about three times a year. so should you (all).

https://medium.com/message/everything-is-broken-81e5f33a24e1
Once upon a time, a friend of mine accidentally took over thousands of computers. He had found a vulnerability in a piece of software and…
2 comments
 
I just wish more of the right people re-read this 3 times a year.

Paul Vixie

Shared publicly  - 
 
sometimes i crack myself up.

<< Sadly, there isn't a lot of money to be made telling people what to avoid, and it's hard to build a resume by listing all the things you refused to do because they would not have been prudent. >>

https://www.linkedin.com/pulse/lack-talent-problem-cyber-paul-vixie

Paul Vixie

Shared publicly  - 
 
yo, peeps. protecting consumer privacy online is a good idea, but this FCC NPRM (16-39) is an explosively bad way to go about it. i'd thank you all to consider responding, even if to only the first thing you see that annoys you, and not to all 100+ pages.

Paul Vixie

Shared publicly  - 
 
<< We've seen several companies achieve ambitious growth plans, yet still find it challenging to raise follow-on capital due to concerns about high burn and the fundamental unit economics of the business. >>

perhaps because driving margins toward zero in order to outlast your competitors is a sucker's game, where the sucker is whatever company you sell out to?
Limited partners letter from the fourth quarter of 2015.
2 comments
 
There were several takeover offers from other companies for us in the past. Most of them were startups. The most stupid of them tried to lure us into the takeover by boasting about their high cash burn rate (not "growth", not "new users", not "strategy"). They did not even make the next six months ;-).

Paul Vixie

Shared publicly  - 
 
this is really quite cool. i played "spot the bug" for each error message, and mostly lost until i read the explanatory text. BIND9 deserves to be checked by this tool.

http://www.viva64.com/en/b/0377/
2 comments
 
i think C will peak at age 50, like fortran and cobol did.

Paul Vixie

Shared publicly  - 
 
<< In November 2014, Anderson was told he was being terminated during the middle of the fellowship. His review performance placed him among the lowest five percent of Yahoo's employees, all of whom were being fired, his supervisor told him. >>

not for nothing, but, i would only ask managers to rank employees in a linear fashion so as to find out which managers would actually do it vs. those capable of telling me i was insane to want it. i'd fire the former. all of them, down to the last man, woman, or child.
Gregory Anderson says his supervisors consistently preferred to hire women.
3 comments
 
hint: using a linear model on a nonlinear process is a data-losing transformation.

Paul Vixie

Shared publicly  - 
 
thank you, thank you, and thank you again, cloud2butt browser add-on. seen on my g+ feed just now:

"The Evolution of Seamlessly Integrated Work Environments in my Butt | RingCentral Blog"

Paul Vixie

Shared publicly  - 
 
this article bears re-reading. or reading, if you haven't yet.

<< C is good for two things: being beautiful and creating catastrophic 0days in memory management. >>

https://medium.com/message/everything-is-broken-81e5f33a24e1

Paul Vixie

Shared publicly  - 
 
is there anything the USG can or should do about IoT deployment across the world economy? don't tell me... tell them:
As part of the Commerce Department's Digital Economy Agenda, NTIA is initiating an inquiry regarding the Internet of Things (IoT) to review the current technological and policy landscape. NTIA seeks broad input from all interested stakeholders — including the private industry, researchers, ...

Paul Vixie

Shared publicly  - 
 
<<A recent Mega Millions lottery had 1-in-175,711,536 odds of winning. To put those chances in perspective, that’s about the number of seconds in six years. So it’s like knowing a hedgehog will sneeze once and only once in the next six years and putting your hard-earned money down on one particular second—say, the 36th second of 2:52am on March 19th, 2017—and only winning if the one sneeze happens exactly at that second. Don’t buy a Mega Millions ticket.>>
 
Great explanation of Graham's Number...head explodes.
Graham's number is so big, we need a whole new set of tools to even discuss it.
4 comments
 
It's a tax on people who are bad at math. Your odds of finding the winning lottery ticket are effectively no worse than the odds of buying one. So when the jackpot gets big, just look down.

Paul Vixie

Shared publicly  - 
 
so much for the small chance of ever reaching ubiquity that dnssec had until this week. time to move on, i suppose.

- Mitigating factors for UDP include:
- A firewall that drops UDP DNS packets > 512 bytes.
- A local resolver (that drops non-compliant responses).
- Avoid dual A and AAAA queries (avoids buffer management error) e.g. Do not use AF_UNSPEC.
- No use of `options edns0` in /etc/resolv.conf since EDNS0 allows
responses larger than 512 bytes and can lead to valid DNS responses that overflow.
- No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both lead to valid large EDNS0-based DNS responses that can overflow.
[PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow. From: "Carlos O'Donell" ; To: GNU C Library ; Date: Tue, 16 Feb 2016 09:09:52 -0500; Subject: [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer ...
2 comments
 
And DNSSEC isn't wedded to large responses either. Cloudflare has ~200 byte signed A/AAAA responses and ~300 byte DNSKEY responses, for leaf zones, using ECDSA.
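The mitigation list quoted above turns on two wire-level facts: a classic UDP DNS response is capped at 512 bytes, and EDNS0 is what lets a response grow past that. The following is an added example (not code from the post, from glibc, or from the linked patch) that parses a DNS response in wire format, reports whether it carries an EDNS0 OPT record and what UDP payload size that record advertises, and applies the "drop UDP DNS packets > 512 bytes" rule to it. The builder and the two sample messages are constructed test data, not captured traffic.

```python
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 6891)
CLASSIC_UDP_LIMIT = 512  # UDP payload ceiling without EDNS0 (RFC 1035)


def _encode_name(name):
    """Encode a dotted name as DNS labels terminated by the root label."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a name, handling 0xC0 compression pointers."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def _skip_rr(msg, off):
    """Return (type, class, offset past the RR) for the RR starting at off."""
    off = _skip_name(msg, off)
    rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    return rtype, rclass, off + 10 + rdlen


def inspect_response(msg):
    """Summarise a DNS response: length, EDNS0 presence, advertised UDP size."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # qtype + qclass
    advertised = None
    for _ in range(an + ns + ar):
        rtype, rclass, off = _skip_rr(msg, off)
        if rtype == OPT_TYPE:
            advertised = rclass  # in an OPT RR the class field is the UDP payload size
    return {
        "length": len(msg),
        "edns0": advertised is not None,
        "advertised_udp_size": advertised,
        "over_512": len(msg) > CLASSIC_UDP_LIMIT,
    }


def firewall_verdict(msg):
    """The first mitigation from the list: drop UDP DNS responses larger than 512 bytes."""
    return "drop" if len(msg) > CLASSIC_UDP_LIMIT else "pass"


def build_response(qname, addrs, edns_udp_size=None):
    """Construct a minimal A-record response (constructed data, assumed shapes, not real traffic)."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, arcount)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    ptr = b"\xc0\x0c"  # compression pointer back to the qname at offset 12
    answers = b"".join(
        ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
        for a in addrs
    )
    opt = b""
    if edns_udp_size is not None:
        # OPT RR: root name, type 41, class = requestor's UDP payload size, no options
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return header + question + answers + opt


# Constructed samples: a small classic response and a large EDNS0 response.
SMALL = build_response("example.com", ["192.0.2.1", "192.0.2.2"])
LARGE = build_response("example.com", ["192.0.2.%d" % i for i in range(1, 41)], edns_udp_size=4096)

if __name__ == "__main__":
    for label, msg in (("small", SMALL), ("large", LARGE)):
        print(label, inspect_response(msg), firewall_verdict(msg))
```

The large sample is only 40 A records, yet it already exceeds 512 bytes; without the OPT record a server would have to truncate it and set TC, which is the case the ">512 bytes" filter and the "no `options edns0`" advice are both relying on.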

Paul Vixie

Shared publicly  - 
 
because of long-tail problems amply demonstrated in every part of I.T. for ever and ever, we cannot expect that ssh initiators will add "UseRoaming no" to their configurations, nor that they will upgrade to a client that lacks this undocumented "feature" altogether. that is, many clients will respond to this threat, perhaps even most, but far from all.

i believe that the right solution to this is to quasi-implement Roaming in the standard ssh server, such that if it can fetch the client's private key, it does so, and prints it on standard output, and closes the connection. perhaps an additional option would syslog it, or transmit it to some centrally located wall of sheep somewhere.

opin plz?
5 comments
 
Generally, invisible exploitation of this one is unlikely -- not very unlikely, just unlikely -- because a server making use of the roaming feature breaks scripts and is visible to users in interactive sessions.

I agree that rapid turnover of clients is less likely than one would like -- where, for example, is the new version for my OS X boxes? -- but on the other hand this is not a problem confined to the current bug but to most exploits. We need more general mechanisms to force upgrades and more general mechanisms to make upgrades less painful.
People
Have him in circles
2,320 people
Work
Occupation
Gray Lensman
Employment
  • Farsight Security, Inc.
    CEO, 2013 - present
Places
Currently
La Honda, California
Story
Tagline
Hey you kids get offa my lawn!
Education
  • Keio University
    computer science, 2007 - 2011
Basic Information
Gender
Male
Relationship
Married
Room 110 is directly above the lobby. The music in the lobby was left on all night, in spite of a complaint to the lobby staff. June 12 2014 there was no way sleep was going to happen in that room. Sign me sleepless in Copenhagen. It is now 4:29am.
reviewed 2 years ago
1 review