Comments on: 3rd Annual Symposium on Information Assurance http://xs-sniper.com/blog/2008/06/14/3rd-annual-symposium-on-information-assurance/ Thoughts on Security in an Uncivilized World… Wed, 08 Sep 2010 02:39:08 -0700 hourly 1 http://wordpress.org/?v=3.0.1 By: kuza55 http://xs-sniper.com/blog/2008/06/14/3rd-annual-symposium-on-information-assurance/comment-page-1/#comment-502 kuza55 Sun, 15 Jun 2008 05:07:55 +0000 http://xs-sniper.com/blog/?p=105#comment-502 Academia seems kind of weird, some of the stuff they do is pretty cool, e.g. things like this: http://technology.newscientist.com/article/dn14124-compressed-web-phone-calls-are-easy-to-bug.html or http://shampoo.antville.org/stories/1586524/ or the PwdHash/SafeHistory/SafeCache stuff to come out of Stanford or the web cache & DNS pinning stuff done by Princeton ages ago. But security is really an applied topic, and it's pretty irrelevant when your great design relies on something which the browser doesn't guarantee (SessionSafe, PwdHash) or they simply have implementation flaws (SafeCache, SessionSafe). And I've had a sour feeling towards academia ever since Stanford released that Anti-DNS Pinning paper where they didn't really do anything other than re-implement and use what others had done before and get a shitload of press for it. Anyway, I think your premise that it's ok for ICANN to use this isn't completely correct since you're assuming that you can detect unauthorised modifications. I don't know how updates to DNS are handled, but unless they're all cryptographically signed, then you still have the problem of knowing when you're owned. Academia seems kind of weird, some of the stuff they do is pretty cool, e.g. things like this: http://technology.newscientist.com/article/dn14124-compressed-web-phone-calls-are-easy-to-bug.html or http://shampoo.antville.org/stories/1586524/ or the PwdHash/SafeHistory/SafeCache stuff to come out of Stanford or the web cache & DNS pinning stuff done by Princeton ages ago.

But security is really an applied topic, and it’s pretty irrelevant when your great design relies on something which the browser doesn’t guarantee (SessionSafe, PwdHash) or they simply have implementation flaws (SafeCache, SessionSafe).

And I’ve had a sour feeling towards academia ever since Stanford released that Anti-DNS Pinning paper where they didn’t really do anything other than re-implement and use what others had done before and get a shitload of press for it.

Anyway, I think your premise that it’s ok for ICANN to use this isn’t completely correct since you’re assuming that you can detect unauthorised modifications. I don’t know how updates to DNS are handled, but unless they’re all cryptographically signed, then you still have the problem of knowing when you’re owned.

]]>