Archives

VPN providers are hijacking DNS

Are you thinking of using a VPN to bypass DNS hijacking by your ISP (as described in Redirecting DNS for Ads and Profit and Middleboxes considered harmful: DNS Edition)?

Then think again.

A new paper titled “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients” by Vasile Claudiu Perta, Marco Valerio Barbera, Gareth Tyson, Hamed Haddadi and Alessandro Mei, demonstrates that many commercial VPN operators are at it too.

The paper will appear at The 15th Privacy Enhancing Technologies Symposium and is available online now (open access copy linked).

3 Upcoming talks

I’ve just updated my Research pages with 3 upcoming talks. More details to follow, in particular the topic for the April talk at the Computer Lab, as I cannot reuse the topics from either of the other talks.

“TBC” – Women@CL Talklet Series, University of Cambridge, April 2015

“Life on the Edge (Network)” – 2nd Oxbridge Women in Computer Science Conference, Oxford University, March 2015

“On the Edge: Future-proofing the Internet with Signposts” – Systems Research Group Talklet, Date TBC

DNS question: Avoiding circular dependencies without glue records?

Can someone help me understand the following:

When the authoritative name server for a domain (e.g. ns1.example.com) lies within the domain over which it has authority (e.g. example.com), a query (e.g. for example.com) to the parent domain (e.g. .com) will include both the NS RRs, which delegate authority for the domain to the nameservers, in the answer section and the corresponding A RRs in the additional section; these A RRs are known as glue records. These glue records are essential to avoid a circular dependency, yet the Netalyzr study found that only 61% of resolvers accept glue records when the glue records refer to authoritative nameservers. How do the other 39% of resolvers actually work, then, given that it's very common for the authoritative name server for a domain to lie within the domain over which it has authority?
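As an added illustration (not part of the original post, and not a real resolver), here is a toy iterative resolver over constructed delegation data. It shows the referral with glue succeeding, and the same lookup running into the circular dependency when the glue is ignored; it also shows an out-of-bailiwick delegation (example.org served by ns1.example.com) that carries no glue of its own but still depends on the glue for example.com. All zone names, addresses and the accept_glue switch are constructed for this example.

```python
class CircularDependency(Exception):
    """Raised when resolving a name requires that same name to be resolved first."""

# Addresses the resolver knows up front (like root hints); constructed values.
HINTS = {"a.gtld-servers.net.": "192.5.6.30"}
# What the parent hands out for each child zone: (NS names, glue A records in the additional section).
DELEGATIONS = {
    "com.": (["a.gtld-servers.net."], {}),                   # its address is in HINTS
    "example.com.": (["ns1.example.com."], {"ns1.example.com.": "192.0.2.53"}),  # in-bailiwick NS + glue
    "example.org.": (["ns1.example.com."], {}),              # out-of-bailiwick NS, no glue given
}
# Zone data held by each authoritative server, keyed by the address we must reach (constructed).
SERVERS = {
    "192.0.2.53": {"example.com.": "192.0.2.1", "ns1.example.com.": "192.0.2.53",
                   "example.org.": "198.51.100.7"},
}

def closest_zone(name):
    """Longest delegated zone that is a suffix of name, i.e. the zone we must ask."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DELEGATIONS:
            return candidate
    raise KeyError(f"no delegation covers {name}")

def resolve(name, accept_glue=True, _pending=frozenset()):
    """Return the A record for name, or raise CircularDependency."""
    if name in HINTS:
        return HINTS[name]
    if name in _pending:                        # already waiting on this very name
        raise CircularDependency(name)
    ns_names, glue = DELEGATIONS[closest_zone(name)]
    ns = ns_names[0]
    if accept_glue and ns in glue:
        ns_addr = glue[ns]                      # referral already told us where to go
    else:                                       # otherwise the NS name must be resolved first
        ns_addr = resolve(ns, accept_glue, _pending | {name})
    return SERVERS[ns_addr][name]               # ask the authoritative server at that address

def needs_glue(name):
    """True if name can only be resolved by a resolver that accepts the parent's glue."""
    try:
        resolve(name, accept_glue=False)
        return False
    except CircularDependency:
        return True
```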

Comcast blocking NASA.gov

Today, people love to hate their ISPs; ISPs have a public image problem. A great example of this is when Comcast was apparently blocking NASA’s website in 2012. In fact, Comcast was the only major US ISP using DNSSEC-validating resolvers, and so its customers were the only ones affected when NASA’s website failed to properly sign its DNS responses. Poor Comcast.

On January 18, 2012, the NASA.GOV domain had a DNS Security Extensions (DNSSEC) signing error that blocked access to all NASA.GOV sites when using DNS recursive resolvers performing DNSSEC validation. As one of the largest ISPs in the world utilizing DNSSEC validation, users of Comcast noticed a problem when attempting to connect to the website. This caused some people to incorrectly interpret this as Comcast purposely blocking access to NASA.GOV and recommending users switch from Comcast security-aware DNS resolvers to resolvers not performing DNSSEC validation … Instead, the administrators of the NASA.GOV domain had enabled DNSSEC signing for their domain, and the security signatures in their domain were no longer valid. The Comcast DNS resolvers correctly identified the DNSSEC signature errors and responded with a failure to Comcast customers. This is the expected result when a domain can no longer be validated, and this protects users from a potential security threat

source: http://www.internetsociety.org/deploy360/blog/2012/01/comcast-releases-detailed-analysis-of-nasa-gov-dnssec-validation-failure/

Squashing git commits

To squash the last n commits (e.g. 37) into one:

git reset --soft HEAD~37 &&   # move HEAD back 37 commits, keeping their changes staged
git commit --edit -m"$(git log --format=%B --reverse HEAD..HEAD@{1})"   # one commit, pre-filled with the old messages
git push -f   # rewrites published history; only do this on a branch nobody else has built on

source: http://stackoverflow.com/questions/5189560/squash-my-last-x-commits-together-using-git/5201642#5201642, thanks David

Personal Data: Thinking Inside the Box

Our first paper on the Databox, a personal, networked service that collates personal data and can be used to make those data available, is now available (open access) on arXiv. Enjoy reading it, and let me know what you think.

Title: Personal Data: Thinking Inside the Box
Authors: Hamed Haddadi, Heidi Howard, Amir Chaudhry, Jon Crowcroft, Anil Madhavapeddy, Richard Mortier
Abstract:
We propose there is a need for a technical platform enabling people to engage with the collection, management and consumption of personal data; and that this platform should itself be personal, under the direct control of the individual whose data it holds. In what follows, we refer to this platform as the Databox, a personal, networked service that collates personal data and can be used to make those data available. While your Databox is likely to be a virtual platform, in that it will involve multiple devices and services, at least one instance of it will exist in physical form such as on a physical form-factor computing device with associated storage and networking, such as a home hub.