Please stop using DNS already, and other considerations

Monday, 22 February, Year 8 d.Tr. | Author: Mircea Popescu

The most recent[i] blow-up due to DNS is chronicled below, for your convenience[ii] :

Summary
=======

During upstream review of the public open bug 18665 for glibc, it was discovered that the bug could lead to a stack-based buffer overflow.

https://sourceware.org/bugzilla/show_bug.cgi?id=18665

The buffer overflow occurs in the function send_dg (UDP) and send_vc (TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family and in some cases also with AF_INET6 before the fix in commit 8479f23a (only use gethostbyname4_r if PF_UNSPEC).

The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response writing beyond the alloca allocated buffer created by __res_nquery.

Main conclusions:

  • Via getaddrinfo with family AF_UNSPEC or AF_INET6 the overflowed buffer is located on the stack via alloca (a 2048 byte fixed size buffer for DNS responses).
  • At most 65535 bytes (MAX_PACKET) may be written to the alloca buffer of 2048 bytes. Overflowing bytes are entirely under the control of the attacker and are the result of a crafted DNS response.
  • Local testing shows that we have been able to control at least the execution of one free() call with the buffer overflow and gained control of EIP. Further exploitation was not attempted, only this single attempt to show that it is very likely that execution control can be gained without much more effort. We know of no known attacks[iii] that use this specific vulnerability.
  • Mitigating factors for UDP include:
    • A firewall that drops UDP DNS packets > 512 bytes.
    • A local resolver (that drops non-compliant responses).
    • Avoid dual A and AAAA queries (avoids buffer management error) e.g. Do not use AF_UNSPEC.
    • No use of `options edns0` in /etc/resolv.conf since EDNS0 allows responses larger than 512 bytes and can lead to valid DNS responses that overflow.
    • No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both lead to valid large EDNS0-based DNS responses that can overflow.
  • Mitigating factors for TCP include:
    • Limit all replies to 1024 bytes.
  • Mitigations that don't work:
    • Setting `options single-request` does not change buffer management and does not prevent the exploit.
    • Setting `options single-request-reopen` does not change buffer management and does not prevent the exploit.
    • Disabling IPv6 does not disable AAAA queries. The use of AF_UNSPEC unconditionally enables the dual query.
      • The use of `sysctl -w net.ipv6.conf.all.disable_ipv6=1` will not protect your system from the exploit.
    • Blocking IPv6 at a local or intermediate resolver does not work to prevent the exploit. The exploit payload can be delivered in A or AAAA results, it is the parallel query that triggers the buffer management flaw.
  • The code that causes the vulnerability was introduced in May 2008 as part of glibc 2.9.[iv]
  • The code that causes the vulnerability is only present in glibc's copy of libresolv which has enhancements to carry out parallel A and AAAA queries. Therefore only programs using glibc's copy of the code have this problem.
  • A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.

Solution
========

The immediate solution to the buffer mismanagement issues is as follows:

  • Remove buffer reuse.
  • Always malloc the second response buffer if needed.
    • Requires fix for sourceware bug 16574 to avoid memory leak.
      commit d668061994a7486a3ba9c7d5e7882d85a2883707
      commit ab09bf616ad527b249aca5f2a4956fd526f0712f
    • Correctly adjust pointer *and* size for buffer in use.

In order to validate and test the resulting changes, including valgrind validation, the following was fixed:

  • Uninitialized uses of *herrno_p.
    • With all uses initialized we have clean valgrind runs.
  • Result of NSS_STATUS_SUCCESS masking the case where the second response has failed with an ERANGE failure. In this case the second response will contain whatever was on the stack last (alloca).
    • With NSS_STATUS_TRYAGAIN returned if any of the results fail with ERANGE we have deterministic results that can be validated.

High-level Analysis:
====================

The defect is located in the glibc sources in the following file:

resolv/res_send.c

as part of the send_dg and send_vc functions which are part of the __libc_res_nsend (res_nsend) interface which is used by many of the higher level interfaces including getaddrinfo (indirectly via the DNS NSS module.)

One way to trigger the buffer mismanagement is like this:

  • Have the target attempt a DNS resolution for a domain you control.
    • Need to get A and AAAA queries.
  • First response is 2048 bytes.
    • Fills the alloca buffer entirely with 0 left over.
    • send_dg attempts to reuse the user buffer but can't.
    • New buffer created but due to bug old alloca buffer is used with new size of 65535 (size of the malloc'd buffer).
    • Response should be valid.
  • Send second response.
    • This response should be flawed in such a way that it forces __libc_res_nsend to retry the query. It is sufficient for example to pick any of the listed failure modes in the code which return zero.
  • Send third response.
    • The third response can contain 2048 bytes of valid response.
    • The remaining 63487 bytes of the response are the attack payload and the recvfrom smashes the stack with it.

The flaw happens because when send_dg is retried it restarts the query, but the second time around the answer buffer points to the alloca'd buffer but with the wrong size.

Please note that there are other ways to trigger the buffer management flaw, but they require slightly more control over the timing of the responses and use poll timeout to carry out the exploit with just two responses from the attacker (as opposed to three).

A similar exploit is possible with TCP, but requires closing the TCP connection (either with a TCP reset or a regular 3-way connection close), or sending an empty response with a zero length header. Any such action which forces send_vc to exit and retry with the wrong buffer size will trigger a similar failure as seen in send_dg.
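As an added illustration, not part of the advisory above and not glibc's own code : the first UDP mitigation in the list ("a firewall that drops UDP DNS packets > 512 bytes", or a local resolver that drops non-compliant responses) amounts to a check that can be stated in a few lines of C. The function below judges a received datagram by its DNS header alone, before any record parsing, enforcing the RFC 1035 512-byte limit for UDP responses that do not use EDNS0 and refusing anything that is not a reply to the outstanding query. The datagrams in the helper are constructed for the example.

```c
/* Added example: a header-level sanity filter for DNS responses received over
 * UDP, of the kind a local forwarding resolver or packet filter would apply
 * before a reply reaches a glibc stub resolver. Not glibc code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define DNS_UDP_MAX 512   /* RFC 1035 4.2.1 limit for UDP without EDNS0 */

enum dns_verdict {
    DNS_ACCEPT = 0,
    DNS_REJECT_SHORT,        /* shorter than a DNS header */
    DNS_REJECT_OVERSIZE,     /* larger than 512 bytes over UDP */
    DNS_REJECT_ID,           /* transaction ID is not the one we sent */
    DNS_REJECT_NOT_REPLY,    /* QR bit clear: a query, not a response */
    DNS_REJECT_TRUNCATED,    /* TC set: retry over TCP, do not parse this */
    DNS_REJECT_NO_QUESTION   /* QDCOUNT != 1: not an answer to our single query */
};

/* Read a 16-bit big-endian wire field. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decide whether a UDP datagram claiming to be a DNS response may be handed
 * to the stub resolver. expected_id is the ID of the outstanding query.
 * The size check runs before anything is read from the packet. */
enum dns_verdict dns_udp_response_verdict(const uint8_t *pkt, size_t len,
                                          uint16_t expected_id)
{
    if (len < DNS_HDR_LEN) return DNS_REJECT_SHORT;
    if (len > DNS_UDP_MAX) return DNS_REJECT_OVERSIZE;
    uint16_t id      = rd16(pkt);
    uint16_t flags   = rd16(pkt + 2);
    uint16_t qdcount = rd16(pkt + 4);
    if (id != expected_id)      return DNS_REJECT_ID;
    if (!(flags & 0x8000))      return DNS_REJECT_NOT_REPLY;   /* QR */
    if (flags & 0x0200)         return DNS_REJECT_TRUNCATED;   /* TC */
    if (qdcount != 1)           return DNS_REJECT_NO_QUESTION;
    return DNS_ACCEPT;
}

/* Constructed test datagram: a header with the given fields, zero-padded to
 * `len` bytes. The body is irrelevant to a header-level filter. */
void make_sample_response(uint8_t *out, size_t len, uint16_t id,
                          uint16_t flags, uint16_t qdcount)
{
    uint8_t hdr[DNS_HDR_LEN] = {0};
    hdr[0] = id >> 8;      hdr[1] = id & 0xff;
    hdr[2] = flags >> 8;   hdr[3] = flags & 0xff;
    hdr[4] = qdcount >> 8; hdr[5] = qdcount & 0xff;
    memset(out, 0, len);
    memcpy(out, hdr, len < DNS_HDR_LEN ? len : DNS_HDR_LEN);
}

/* Build a constructed datagram of `len` bytes and judge it. */
enum dns_verdict verdict_for(size_t len, uint16_t id, uint16_t flags,
                             uint16_t qdcount, uint16_t expected_id)
{
    static uint8_t buf[65535];   /* MAX_PACKET, the size the advisory cites */
    if (len > sizeof buf) return DNS_REJECT_OVERSIZE;
    make_sample_response(buf, len, id, flags, qdcount);
    return dns_udp_response_verdict(buf, len, expected_id);
}

int main(void)
{
    printf("512-byte reply: %d (0 = accept)\n",
           verdict_for(512, 0x1234, 0x8180, 1, 0x1234));
    printf("2048-byte reply: %d (2 = oversize)\n",
           verdict_for(2048, 0x1234, 0x8180, 1, 0x1234));
    return 0;
}
```

A 2048-byte reply, the size the advisory uses to fill the alloca buffer, is refused here without a single byte of its body being looked at. The check only holds if EDNS0 is left off, which is exactly what the advisory's `options edns0` / `RES_USE_EDNS0` notes say : with EDNS0 the advertised buffer size, not 512, is the legitimate limit, and a filter like this one would have to read the OPT record to know it.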

While the fellow goes out of his way to point out that "turning off IPv6 won't work", he omits to point out that the only reason this hole exists in the first place is an inane attempt to be clever while implementing the spurious idiocyv that is IPv6. The situation is somewhat akin to a retarded girlfriend trying to flood your apartment, that not only opens all the faucets and stops all the drains, but also takes the "extremely clever" measure of puncturing the water pipes, so she can then preciously inform you that "turning off the faucets won't help" and you must work with her to somehow create a raft out of your widescreen TV so as to navigate the marshy terrain that used to be your living room. The correct solution in the case of the retarded girlfriend obviously is turning off the main and beating her black and blue, rather than entertaining her idiocy. Similarly in the case of the retarded Internet, the correct solution is turning off the main and beating these idiots black and bluevi, rather than entertaining their idiocy.

Which observation takes us to the thing he studiously does not mention, because he doesn't want you to think about the matter at all[vii], which is that you don't need DNS, nor is there any conceivable reason DNS should be included in the first place, let alone turned on by default, let alone supported at the level of fucking glibc. Think about it : dns is an aliasing system. Why should it exist at the level of a linked library, when it could just be a random userland program, like bitmap displayers or archiving utilities, randomly chosen exact equivalents ? You see any reason lzw should be supported as a kernel function ?[viii]

Now suppose you decide to turn off DNS altogether[ix]. Your first step would be to figure out that DNS happens on port 53 (and in the process inform NSA.Google that you're the sort of fellow that asks these sorts of questions[x]). Your next step is to search for a method to turn off DNS (and discover that not only is this "not possible", it is not even contemplated, anywhere!), or else to block access to port 53 via the firewall - and discover that this is only ever done for servers. There's five billion guides as to how you'd go about turning off inbound access to port 53, and exactly zero discussion of the converse.

If you're a thinking sort of fellow (specifically as opposed to an English as Single Language bovine) you might wonder why this is ? Perhaps your bizarre notions that "the Internet won't work without DNS" are principally built out of the fact that you've never encountered a counterexample, or even discussion of a counterexample, or of anything remotely like a counterexample ? What other ideas do you chiefly hold simply because you were raised in a carefully curated barn ? Ever wondered how that curation happens ? Do you know what "personalized google searches" are ?

But enough of that - you're invited to do the rest of the meditation on that line as private study. Let's move to something practical.

Step 1 : Remove your machine from the network by unplugging the UTP cable.

Step 2 : Open a terminal (such as by pressing ctrl-alt-T).

Step 3 : Type in that terminal "sudo ufw[xi] disable" and hit return.

This turns the firewall off (its rules are unloaded) while you change the policy ; the ufw tool itself stays available for the next steps.

Step 4 : sudo ufw default deny incoming && sudo ufw default deny outgoing

This will deny all networking traffic of all kinds either coming from anywhere or trying to get anywhere. Complete blackhole.

Step 5 : sudo ufw allow out 80,2096,8001,8333/tcp[xii]

Step 6 : sudo ufw enable

Step 7 : You can now proceed to reconnect the network cable, and test that in fact "nothing works". This is a good thing.

Step 8 : Let's bypass the inanity of assigned names on a case by case basis : sudo nano /etc/hosts

In there, you add all the IPs of sites you actually mean to visit. (glibc answers these from the `files` entry on the `hosts:` line of /etc/nsswitch.conf before it ever loads libnss_dns ; drop `dns` from that line as well and the module discussed above is never loaded at all.) Mine for instance, if you're curious, looks like this :

GNU nano 2.2.2 File: hosts Modified

127.0.0.1 localhost
91.218.246.33 trilema.com
23.235.235.227 mpex.co
62.210.127.113 bitbet.us
50.115.127.84 minigame.bz
46.166.170.207 qntra.net
54.197.242.14 btcalpha.com
185.34.216.71 log.bitcoin-assets.com
45.79.3.24 search.bitcoin-assets.com
69.55.226.35 dpaste.com
185.92.220.64 archive.is

Because that's pretty much all I use. Yours can look however you want it to, and again, in so doing you gain the benefits of enumerated goodness. You'll never know what attacks you were immune to, because you simply don't care about the stories of swamp and maggot as they may happen outside your list. You'll never care what inane idiocy you were immune to.[xiii]
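An added check, not part of the post : once outbound port 53 is closed, everything you reach has to be enumerated in /etc/hosts, and a typo in there sends you nowhere rather than somewhere. The C program below reads hosts(5) lines the way glibc's `files` backend does (address, canonical name, optional aliases, `#` comments), validates each address with inet_pton so a malformed line is reported instead of silently ignored, and answers lookups first-match-wins and case-insensitively from that table alone, no DNS module involved. The sample table is constructed for the example with documentation-range addresses ; it is not the author's list.

```c
/* Added example: parse and validate a hosts(5) table and resolve names from
 * it without any DNS. Sample table below is constructed, not a real hosts file. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

#define MAX_ENTRIES 64
#define MAX_NAME 255
#define MAX_ADDR 46            /* INET6_ADDRSTRLEN */

struct host_entry { char addr[MAX_ADDR]; char name[MAX_NAME + 1]; };
struct hosts_table { struct host_entry e[MAX_ENTRIES]; int n; int bad_lines; };

/* Parse hosts-file text into a flat (address, name) table, one row per name
 * or alias. A line whose address is neither a valid IPv4 nor IPv6 literal is
 * counted in bad_lines and skipped. */
void hosts_parse(const char *text, struct hosts_table *t)
{
    t->n = 0;
    t->bad_lines = 0;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t full = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];
        size_t copy = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        p += full + (eol ? 1 : 0);

        char *hash = strchr(line, '#');        /* strip trailing comment */
        if (hash) *hash = '\0';
        char *save = NULL;
        char *addr = strtok_r(line, " \t\r", &save);
        if (!addr) continue;                   /* blank or comment-only line */
        unsigned char tmp[16];
        if (inet_pton(AF_INET, addr, tmp) != 1 && inet_pton(AF_INET6, addr, tmp) != 1) {
            t->bad_lines++;
            continue;
        }
        char *name;
        while ((name = strtok_r(NULL, " \t\r", &save)) != NULL) {
            if (t->n >= MAX_ENTRIES) return;
            snprintf(t->e[t->n].addr, MAX_ADDR, "%s", addr);
            snprintf(t->e[t->n].name, MAX_NAME + 1, "%s", name);
            t->n++;
        }
    }
}

/* First match wins, case-insensitive, as the files backend behaves.
 * Returns NULL when the name is simply not enumerated. */
const char *hosts_lookup(const struct hosts_table *t, const char *name)
{
    for (int i = 0; i < t->n; i++)
        if (strcasecmp(t->e[i].name, name) == 0) return t->e[i].addr;
    return NULL;
}

/* Constructed sample: RFC 5737 documentation addresses, one deliberate typo. */
static const char SAMPLE_HOSTS[] =
    "# constructed sample, not anyone's real /etc/hosts\n"
    "127.0.0.1 localhost\n"
    "::1 localhost ip6-localhost\n"
    "192.0.2.10 example.org www.example.org   # both names, one host\n"
    "192.0.2.999 typo.example.org\n";

static struct hosts_table *sample_table(void)
{
    static struct hosts_table t;
    static int parsed = 0;
    if (!parsed) { hosts_parse(SAMPLE_HOSTS, &t); parsed = 1; }
    return &t;
}
const char *sample_lookup(const char *name) { return hosts_lookup(sample_table(), name); }
int sample_entries(void)  { return sample_table()->n; }
int sample_bad_lines(void) { return sample_table()->bad_lines; }

int main(void)
{
    const char *names[] = { "localhost", "WWW.EXAMPLE.ORG", "typo.example.org", "archive.is" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *a = sample_lookup(names[i]);
        printf("%-20s -> %s\n", names[i], a ? a : "(not enumerated)");
    }
    printf("%d entries, %d bad lines\n", sample_entries(), sample_bad_lines());
    return 0;
}
```

Run it against your real file by feeding its contents to hosts_parse : a nonzero bad_lines count is a line that will never resolve, and a name that comes back NULL is one you have not enumerated, which with the ufw policy above means it cannot be reached by name at all.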

More generally speaking, the more crap you opt out of, the more resources you have available to use towards a purpose you actually care about. This is no small matter, think it through, and ponder it well.

The moral of this article being twofold. One is that your environment doesn't fuck you up by directly lying to you. Instead, it carefully curates your perceived options until you end up debating lively which of two cans of Pepsi. The other is that you don't need to do anything more to counter this completely and entirely other than default deny and enumerating goodness.

The good news is that you can start doing both of these today, that they require nothing you could possibly ever not have in ample abundance, and that they resolve the problem completely and without possibility of recourse. Which is why you've never read about such matters anywhere else.

———
  1. By no means the first, nor in any case the last one. See nss. []
  2. In "Carlos O'Donell" (carlos at redhat dot com)'s own, and very amusing, words. (Note that the patch he proposes is almost as idiotic as the thing it replaces, and should not be used in any case.) []
  3. I suppose it is impolite to mention all the use NSA made of it, or something.

    Pro tip : who is the main (in the sense of only) customer of Red Hat ? Same people that killed Cisco's business, right ? []

  4. It's easy enough to test if you have it, and to find out who to blame (mind that distributions backport fixes under the same base version, so the number tells you which line you're on, not whether the patch is in) :

    $ ldd --version
    ldd (Ubuntu EGLIBC 2.11.1-0ubuntu7.20) 2.11.1
    Copyright (C) 2009 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Written by Roland McGrath and Ulrich Drepper.

    Yes, that's THE Ulrich Drepper, of drepper fame. Use other stuff by the same idiot at your peril - the only guarantee is that you will find more NSA holes years later. []

  5. What, what, poor derps in the third world "need" IPv6 because there's "not enough IP for everyone" ? What else do poor derps in the third world "need" according to nsa.hq, nsa.rhel, nsa.mit and friends ? Larger Bitcoin blocks ? Bitcoin hard forks ? German passports ?

    Take your poor derps in the thirld world and fuck them. They may, MAYBE, have some crumbs, IF and ONLY IF the crumbs they get come at exactly zero - not approximatively zero, EXACTLY zero - cost to the people who actually matter. 4bn IPs v4 may not be enough for everyone - but then again there's no rule everyone must have everything. In fact, there's a rule that everyone MUST NOT have any one thing if this to any degree degrades the quality of the thing in question.

    No rights for poortards. []

  6. Yes, I mean that. Everyone who now does or ever did work for a USG outfit, which includes Red Hat just like it includes Google et al should be assaulted in the street and beaten into a pulp. Every day. All the time.

    And make no mistake about it - I will insert this rule in the legal process just as soon as I can. []

  7. From the excellent Ballas piece on the shutdown, ad lib :

    All of what is now being subverted by the media has been detailed in The Process Of Government, you should read it. But you won't, it has too many characters, and this is accurate no matter how you define characters. Come on, at least read Chapter XX, it's online. Jesus, here. "Umm, It's pretty boring." I know, I know, you want to know how the news relates to you, and boy oh boy do I have the news network for you.

    "But that book was written in 1908. Based on what I've seen on Downton Abbey, things were a lot different then."

    Well, yes, obviously, there had just been a massive leap forward in technology and industrialization, a booming economy fueling a wealth gap, temporarily course corrected by a financial panic "precipitated" by the failure of two overspeculating brokerage houses. There were also, simultaneously, great advances in progressive causes like worker's rights and food quality, all on the background of decreasing importance of religion among educated whites in favor of science. Not physics or chemistry, but evolution. Tabloids were incomprehensibly popular, partisan media the norm. A loosening of conventional morality manifested as bored promiscuity, female bisexuality, and a flood of new porn the likes of which never existed before.

    "That does sound different. And awesome. What did their Millennial kids inherit, what did they experience over their adult lives, say 1929-1945?"

    I totally don't know, Boardwalk Empire only goes up to 1924 and Mad Men starts 1960.

    [...]

    The "independent" demo actually has all the textbook characteristics of a group most susceptible to propaganda, more correctly "pre-propaganda", and by textbook I mean literally Propaganda.

    They consider themselves leaderless. They can have representatives, they can have "evangelists" but they have to believe that their conclusions are all their own, through individual reflection and objective consideration. Interestingly, and on purpose, they believe their brains can handle such an analysis, any analysis. This isn't arrogance. They are told, by universities and the media, that their mind is prepared to do this heavy lifting as long as they are given just the right facts, filtered from the "noise." "Where can we get the right facts, in a world of liars?" Good question, maybe the news?

    [...]

    No doubt this sounds depressing, he's going to start drinking heavily, or become a cynic, or go the Hemingway. So the media=propaganda fosters his regression towards a much desired solution: total alienation. The media explains how things relate to him, and as long as he understands what's going on, he feels empowered. He is given an ideology without even knowing it. Now he doesn't actually have to do anything, indeed, it's way the hell better if he does nothing. All that's required is support, and through his support not only will "the right things" happen but he'll share in the credit.

    You'll counter that there are right leaning and left leaning independents, isn't there a difference? but this misses the point: propaganda doesn't try to get you to believe something, but to do something, and in this case it is to do nothing-- it doesn't matter what you choose to believe, as long as your outrage is done from inside your house.

    This is the whole gimmick of media, not polar but triangular, right, left, middle, mobilizing an army of assonauts to feel strongly enough about something that they don't do anything.

    [...]

    Propaganda doesn't succeed because it is manipulative, it works because people WANT it, NEED it, it gives their life a direction and meaning and guards against change.

    In other words, there's a lot you don't know - and all of it because you're (justly) afraid of what it might mean. []

  8. If you do, it would be for the exact opposite characteristics of dns. For one thing, lzw is universal - which is to say it can be applied equally on any and all buffers. For another, it is self-contained, it doesn't have to talk to anyone else to produce the packed result. DNS is nothing more than a glorified Windows messaging app, or a Netflix video player or somesuch. It doesn't belong in glibc, it doesn't belong as a .so at all. It should be in the unrecommended-extras of any self-respecting repository, with the rest of the crud. []
  9. "But MP! The Internet won't work anymore!"
    Yeah, right. And if you put a blindfold on, your cunt won't work anymore either. Try it, who knows. []
  10. "But MP! Google has other roles than to keep a handy archive of everything I do!"
    Yeah, right. Ask that "drugs underground market" derp. You know, the one that was totally caught by an IRS agent doing google searches by hand as part of his full day of looking for small boys impaled on cocks. This happens, in parallel-construction-altworld. []
  11. Yes yes, I know, you're special and don't need ufw.

    Here's a passing thought : the kids that don't rightly know the difference between ufw and iptables have the powerful excuse of their own ignorance. They don't fucking know. What's your excuse for running DNS ? You have no excuse. Get lost, go blush your shame somewhere else. []

  12. I use the web (http - not https!), which is port 80 ; webmail, which is port 2096 ; irc, which is port 8001 and bitcoin, which is port 8333.

    You can adjust this list to suit your own needs, by adding other things you want or subtracting any things you don't need - and in so doing you gain all the advantages of enumerated goodness. This concept is important, so let's spend a moment illustrating it.

    To best understand it, let's define the concept of "node", as a primitive, the concept of "value" as a scalar measure, and on top of these two the concept of "transaction" as an exchange of value between two nodes. By this model, if node A engages in a transaction T1 with node B, then A will gain value T1a and lose value T1b, whereas B will gain value T1b and lose value T1a.

    Consider that nodes aim to maximize their value over time, and in this context consider the policy where node A denies transactions with a given list of nodes while allowing all others, whereas node A' allows transactions with a given list of nodes while denying all others. A finds itself in the situation known as "enumerated badness", whereas A' finds itself in the opposite situation.

    Let us now try to log and find out how well these two strategies are doing.

    Node A will report a precise list of denied transactions, allowing us to calculate a precise count of value A might have lost without the rule, but due to the presence of the rule it did not lose. The transactions that went through are unknown, and generally speaking the value A did in fact lose or gain is not computable, unless and until we pin down every last single node it transacted with and evaluate its transaction (admitting such a wonder is even possible).

    Contrariwise, node A' will report a precise list of allowed transactions, and so we'll be able to calculate a precise count of value A' did in fact gain, and without the presence of the rule it would not have gained. The transactions that were rejected are unknown, and generally speaking the value A' might have gained or lost is not computable, unless and until we pin down every last single node it might have transacted with and evaluate its transaction.

    Strategy A allows one to justify his job to his boss, even while the entity sinks or plunges, unknown. Strategy A' allows one to certify he is gaining value at all junctures.

    It should be directly apparent from this simple analysis that while strategy A may be better when managing other people's resources, especially people you don't like such as for instance in an office environment as such is commonly practiced in the retarded Anglo world, nevertheless when handling your own things you're much better off implementing A'.

    Finally, please note that if you intend to also use Bitcoin, you are well advised to use the TRB version - all others are massively vulnerable to the hole discussed here as well as innumerable other holes, pores and assorted fistulae. []

  13. For instance, suppose a site you visit decides to start tracking you one day - such as for instance by implementing the google analytics javascript. Well... that's too bad, because you didn't specifically opt into this new thing, and so your browser doesn't have a way to resolve the new thing, and so you... simply won't be tracked.

    Because it's your god damned computer and your god damned browser and life and everything. Isn't it high time already ? []

Category: Meta psihoza

33 Responses

  1. DNS sucks, unquestionably. But...

    No TMSR blogs? And no more pr0n links?

    Talk to RMS, he's been living like this, I'm told, for ages.

    For everybody else, the result of this 'hair shirt' tends to be: two boxes on your desk. One running lynx and emacs, and the other - a heathen box, where you find yourself much of the time.

  2. Mircea Popescu, Monday, 22 February 2016

    See that archive.is in there ?

    Not that I can't add ips to the list if I feel like.

  3. Then archive.is gets dreppered to death instead of your desktop ? This is not entirely different from what many folks do (go through specially-built proxy toilet.)

  4. Mircea Popescu, Monday, 22 February 2016

    It's different in that it's specified and enumerated. This is a key element in the entire TMSR construction, yes "people used to" bla bla "even before" etc.

    Anonymity is antisovereignty however - it's one thing for services to rest explicitly on a cleaning service in the open, it's the other (and the wrong) thing for everyone to do his unspecified special-build.

    This point is clouded by the fact that once the explicit end exists (and only then!) then private reimplementations become a point of strength. But before that, they're a point of significant weakness. Sort-of like how a tent with a central pole constitutes a space, where people can gather to enjoy watching the circus, nevertheless the very same tent material without the pole constitutes a blinding, confusing medium in which no one can stand.

    Public wot and private communication at will ; logged forum and private relationships as anyone desires ; explicit "nothing but html" de-javascriptization service and private proxies qs. These are architectures that work, while their parts in isolation fail and worse-than-fail.

  5. "There's a difference between what you need and what you want - and the media will always, relentlessly, give you what you want."

  6. Mircea Popescu, Monday, 22 February 2016

    Quite exactly. The inexorable end game of "man is the measure of all things" rendered nonsense by misunderstanding "man" as "everyone" ie the lowest common denominator.

  7. 4bn IPs v4 may not be enough for everyone - but then again there's no rule everyone must have everything. In fact, there's a rule that everyone MUST NOT have any one thing if this to any degree degrades the quality of the thing in question.

    No rights for poortards.

    Still, one could argue that the scarcity imposed by IPv4 is artificial (much in the way the "scarcity" imposed by DRM and other similar crap is artificial) due to NAT and other ad-hoc schemes (really, what the fuck are "IP classes" anyway?) which might allow medieval ISPs such as Comcast, AT&T et al. (and FSM help us if this becomes the norm) to maybe, who knows, not sell any more public routable addresses in the future.

    So this will leave us with the option of Amazon and other Shit-as-a-Service companies, and I bet you wouldn't want to hold your privates there, if you know what I mean.

  8. Mircea Popescu, Friday, 26 February 2016

    What the fuck do you mean artificial ? TCP/IP is a man made, therefore artificial system. All its properties are equally artificial, and for that reason. What of it ? When one goes out of the fucking savanna and into the hut with the cable modem, one deliberately opts and chooses to renounce his fucking un-artificial world because the artificial world kicks so much ass by comparison.

    The notion that putting pressure on the poortards gives the US more power is ridoinculous. What will in fact happen will be that the US is stripped of all its remaining IP privileges, and that's the end of that. Why do you think the US is pushing for all the "inclusive" inanity ?

  9. It is "artificial" in the sense that some of the protocol's *later* design decisions were deliberately made in order to put endpoints behind networks opaque to the outside Internet. So while the Internet is supposedly architected as "A and B can find each other and talk", its topology is now largely "A [US poortard] can find B [Facebook] and talk to it, but not the other way around, because who would even want to do that".

    I understand that the broken model works for "US poortards", but the average idiot over at NSA would like to see this deployed everywhere in the world (and that's how they probably do see it in their wet dreams). Heck, I understand that they even want to implement carrier-grade NAT for IPv6 networks, which beats the whole purpose of "free addresses for every molecule in the observable universe". Also, why else would all ISPs be "all talk, no action" about the whole IPv6 thing?

    Now, I *do* hope that I'm wrong, but I don't see how the US can be stripped of its IP privileges short of IANA falling apart into a pile of rubble. Which may very well happen sooner or later, but at that point no one knows what's next.

  10. Mircea Popescu, Friday, 26 February 2016

    The network [that you now call internet] was NEVER designed to work as a flat graph. It was, at all points and all along, designed to work as a network of peers which represent networks, much in the manner gossipd is intended to work.

    The reason for this is that back when the network [that you now call internet] was being designed, the same sort of minds [ie, top of the class military and military-once-removed strategists] were involved, and the same sort of stakes were contemplated as now as gossipd is being designed.

    Please to not confuse the inept practice of the monkeys, such as everyone on the web [which I hope you do not confuse with the internet] for actual design. In the highschool where all the virgin boys use condoms as pocket protectors, condoms were STILL not designed to do anything but go in and out of cunts. More important - nobody gives a shit what facebook might need or want. Facebook is toejam, to posture and pretend in between two showers. It has no value, no relevancy to the world and no future, the myspace of a new generation. Exactly like is the case with the condoms, bizarre old men a la Ted Turner may spend a paper fortune to acquire the spent tools of youthful enjoyment and the bite marks our teeth left in the peach of the world. This doesn't make the bite marks and used condoms valuable - not only because Turner's paper millions lack the capacity to impose value much like his long shriveled penis lacks potency [ie the capacity to impose culture], but principally because THEY ARE NOT VALUABLE. Essentially, as their fundamental quality.

    All this notwithstanding, the limit on total IPs is not related to such design choices, but stems from basic definitions. If you are going to use four 8-bit words to designate places, the total count of places will be 4bn. That's it.

    What you see or don't see matters little. Have you, or had historically your father, seen how Ceausescu can be stripped of his power, and his underwear, and impaled in the marketplace ? These sorts of things are done by the sort of people who see them, and they aren't everyone.

  11. The network [that you now call internet] was NEVER designed to work as a flat graph. It was, at all points and all along, designed to work as a network of peers which represent networks, much in the manner gossipd is intended to work.

    The reason for this is that back when the network [that you now call internet] was being designed, the same sort of minds [ie, top of the class military and military-once-removed strategists] were involved, and the same sort of stakes were contemplated as now as gossipd is being designed.

    That is true. I am however trying to make two distinct points.

    Firstly, the network specified and implemented back in the late '70s/early '80s is quite different from the one we're using today. There is a clear distinction between subnetting (which enables the "network of peers which represent networks" that you mentioned), and trade-offs such as NA(P)T, which violate the separation between the network and transport layers. The latter are conceptually broken, and, if anything, were conceived specifically to address the (arguably non-)problem of "address depletion". Moreover, the various vulnerabilities in backbone protocols such as BGP are themselves a problematic can of worms.

    Sure, one could argue that a. the current implementation, however broken, works and b. non-poortards won't require crap such as NAT anyway, but the fact remains that such abominations shouldn't have existed in the first place. I haven't done nearly enough #b-a log reading to emit an informed opinion on this, but I am guessing that this is also one of the reasons why the concept of gossipd exists.

    Secondly, as little as my opinion matters, I'm not yet ready to buy the argument that IPv6 degrades the quality of the network nor that it is an instrument of the NSA; that is, although highly suspect extensions such as IPSec should be carefully avoided, the network's basic functioning does not deviate from the design you mentioned in the above comment, while it does eliminate some of the abominations that I mentioned in the previous paragraphs.

    But in principle yes, I would very much like to be able to buy cheap IP addresses (as a poortard etc.). This is not currently a problem where I live, but the way things are going... Oh well.

    > Please to not confuse the inept practice of the monkeys, such as everyone on the web [which I hope you do not confuse with the internet] for actual design. [...]

    > All this notwithstanding, the limit on total IPs is not related to such design choices, but stems from basic definitions. If you are going to use four 8-bit words to designate places, the total count of places will be 4bn. That's it.

    Point taken.

    > What you see or don't see matters little. Have you, or had historically your father, seen how Ceausescu can be stripped of his power, and his underwear, and impaled in the marketplace ? These sorts of things are done by the sort of people who see them, and they aren't everyone.

    Again, point taken. Do note however (in regards to the States' public stripping, flogging and/or impaling) that Ceausescu is still alive in the memory and mentality of certain nostalgic individuals, some of whom still have some degree of influence in Romanian politics.

  12. Mircea Popescu, Monday, 29 February 2016

    Well sure.

    Broadly speaking, the conflict between "I'm not very smart" and "I want to go to Politehnica Bucuresti" can be resolved exactly two ways : a) get smarter ; b) get Ponta to fuck up the exam criteria. Mixtures of these are not different ways, but merely the same two ways.

    There's no way out of this. If you want a nice car, make more money. If you want to be in prestigious college, be smarter. The more accessible something is, the shittier the something is, and there are no exceptions to this rule.

    > one of the reasons why the concept of gossipd exists.

    Yes, but very vaguely and not a first line reason. The main reason that concept exists is specifically to do to social relations what Bitcoin did to economic relations : make them impenetrable to the mass, but porous enough so that everyone can reach his own level. By making collective bargaining impossible, one simply does away with Ponta altogether, whatever the nigger may call himself.

  13. Unrelated to the previous discussion: in addition to the firewall rules, it's also possible to completely disable DNS-based lookups from NSS by editing /etc/nsswitch.conf. By default it looks something along the lines of:

    [...]
    hosts: files mdns4_minimal dns
    [...]

    which can be edited to

    [...]
    hosts: files

    making lookups rely only on /etc/hosts (and thus making all gethostbyname calls DNS-free).
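    The following is an added example, not code from the post or from glibc: it audits the `hosts:` line of an nsswitch.conf and rewrites it to `hosts: files`, as the comment above describes, handling the details a hand edit tends to miss (bracketed action specs such as `[NOTFOUND=return]` are not sources, trailing comments must be ignored, and an absent `hosts:` line does not mean "no DNS", since glibc then falls back to a compiled-in default that includes `dns`, so the hardened file must contain the line rather than omit it). The `NETWORK_SOURCES` set is this example's own classification of which NSS sources answer from off the box, and the sample file is constructed. Note that this only affects programs that resolve through glibc's NSS; software carrying its own resolver is untouched by it.

```python
"""Audit and harden the hosts: line of an nsswitch.conf (added example)."""
import re
from typing import List, Optional

# NSS "hosts" sources that consult something beyond local files.
# Assumption: this is the example's own classification, not a glibc list.
NETWORK_SOURCES = {
    "dns", "mdns", "mdns4", "mdns6", "mdns_minimal", "mdns4_minimal",
    "mdns6_minimal", "resolve", "nis", "nisplus", "ldap", "wins", "hesiod",
}

# A hosts: line: optional leading whitespace, the database name, a colon.
HOSTS_LINE = re.compile(r"^(\s*hosts\s*:)(.*)$")

# Constructed sample, typical of a desktop install (not from the post).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         files systemd
group:          files systemd
hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname  # lookups
networks:       files
"""


def hosts_sources(text: str) -> Optional[List[str]]:
    """Source names on the first hosts: line, or None if no such line exists.

    Bracketed action specs ([NOTFOUND=return] etc.) are skipped because they
    are not sources, and anything after '#' is a comment.
    """
    for line in text.splitlines():
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        body = m.group(2).split("#", 1)[0]
        return [tok for tok in body.split() if not tok.startswith("[")]
    return None


def network_sources(text: str) -> List[str]:
    """Sources on the hosts: line that can reach the network.

    An absent hosts: line is reported as ['dns'], because glibc's compiled-in
    default for hosts includes dns when the file says nothing.
    """
    srcs = hosts_sources(text)
    if srcs is None:
        return ["dns"]
    return [s for s in srcs if s in NETWORK_SOURCES]


def harden(text: str) -> str:
    """Return the file with its hosts: line replaced by exactly 'hosts: files'.

    All existing hosts: lines collapse into one; if none exists, one is
    appended, since leaving it out would hand resolution to the default.
    """
    out: List[str] = []
    seen = False
    for line in text.splitlines():
        if HOSTS_LINE.match(line):
            if not seen:
                out.append("hosts: files")
                seen = True
            continue
        out.append(line)
    if not seen:
        out.append("hosts: files")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("network-backed hosts sources:", network_sources(SAMPLE_NSSWITCH))
    print(harden(SAMPLE_NSSWITCH))
```

    On a live system, `getent hosts <name>` for a name that is not in /etc/hosts returns nothing once the line reads `hosts: files`, which is the quickest way to confirm the edit took effect for NSS clients.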

  14. Mircea Popescu, Monday, 29 February 2016

    I don't think I trust software switches on anything made by these schmucks.

    You recall the static linking discussions in the log ? Or the ones re nss lying to operator ? Or etc ?

  15. > add all the IPs of sites you actually mean to visit

    Omitting an IP address from /etc/hosts doesn't prevent you from visiting it. You might be better off using firewall entries to limit outgoing connections to a list of IP addresses you approve of rather than hoping the sites you visit don't leak information to (or download unwanted crap from) IP addresses you disapprove of.

  16. Mircea Popescu, Tuesday, 1 March 2016

    Omitting a domain from /etc/hosts does prevent you from visiting it. Which is what this particular discussion is all about.

    In an unrelated discussion, what the fuck is wrong with your head, that'd allow random substitution of items without throwing an exception ?

  17. Glen Poitevin, Monday, 14 March 2016

    When using this way, the DNS servers you enter only get used while the VPN connection you set it for is active.

  18. Mircea Popescu, Monday, 14 March 2016

    VPN connection you set for what ? DNS servers you enter how ? I'm thoroughly confused, what are you trying to say ?

  19. UlyssesJB, Friday, 8 July 2016

    What should people with bad credit do when they need a loan? Banks won't touch someone with a sub-600 credit score with a 10 foot pole. Is Google going to promote an alternative lending service for low credit individuals capped at a 36% interest rate? If you don't provide a better, more convenient option for instant cash, your censorship is hurting more than helping people. Poor or struggling people don't want wealthy liberal companies to tell them loan modification services are bad for them, and taking away their option.

  20. Mircea Popescu, Friday, 8 July 2016

    A) "People" don't belong having any options in the first place. They're slaves, fucking embrace this already. What "people" want or think they want is a concern entirely invalid and utterly irrelevant.

    B) There's way the fuck better deals than 36% pa to rebuild your credit. If you can't find one, buy rope and soap, you'll be doing everyone a favour. Especially your family.

    C) I'm not interested in "helping" "people".

