The Market Ticker
Commentary on The Capital Markets
2016-10-21 15:58 by Karl Denninger
in Editorial, 198 references

DNS, the turning of names such as "" into IP numbers, is an essential part of any online presence on the Internet.  Being without it in most cases doesn't reduce you to using IP numbers, it means what you're trying to do doesn't work at all, especially in any sort of shared hosting environment on the web.

The good news is that it's not all that hard to do DNS on your own, but it does take some attention to do well, particularly if you care about the security of your domain responses (and online transaction sites most-certainly do!).

The "save a nickel" crowd got rat****ed today, as there appears to be yet another instance of mass-stupidity which has infested the Internet and now it has blown up in those people's faces who relied on it.

This morning a ton of websites and services, including Spotify and Twitter, were unreachable because of a distributed denial of service (DDoS) attack on Dyn, a major DNS provider. Details of how the attack happened remain vague, but one thing seems certain. Our internet is frightfully fragile in the face of increasingly sophisticated hacks.


Why is Dyn at the center of all of this?  Is it impossible for Twitter, Amazon, CNN, Reddit, the NY Times, PayPal, Spotify, Soundcloud, AirBnB, HBO, Netflix, Etsy, Github, Vox and others to run their own damn DNS servers?

No.  They're just cheap, ignorant fools.

And, like the "cloud" guys (some of them are the "cloud guys") they bought into the same bull**** they peddle to the masses.

Oh, and it probably didn't help that a bunch of other cheap bastards sold a lot of crap into the consumer market (like webcams, etc) that are grossly insecure, trivially hacked and taken over either.

What appears to have wound up happening is that these firms' DNS services got concentrated at one company instead of being spread out as the Internet was originally designed to work, and some malefactors discovered this and hammered the concentration point using said insecure devices as their "relays", trashing all of them at once.


It's not supposed to work like that, or have an impact like that.  But it did, and it does, and on we go.

You know, I'm just a little blog publisher.  But I run my own DNS.  I even secure it with DNSSEC so attempts to poison my zone won't work.

Gee, how come?

Because it's not really very hard, it's a small part of what running the rest of the site consists of in terms of effort and expense, and without DNS nothing works at all.

That last part is sort of important, you know.....

But heh, it's kinda like sticking your so-called "encrypted" data on a cloud machine, then putting the key there so you can use said data and believing that all of this is secure even though anyone who has administrative access at said cloud provider can almost-certainly read the memory image of your virtual machine, steal the key and once they've done so they have it forever.

Yes, I know, all these nice big cloud companies have great security policies, some might even fingerprint people and do background checks (is it really hard to pull a background check on a high-level sysadmin?).  It's not like taking the three or five guys and gals who might need "God" keys to the infrastructure at your company and multiplying the risk of compromise from five people to 500, including some who aren't even in the US and thus aren't reachable by US law through playing "cloud" is a bad idea, right?

Never mind that if some big company did screw the pooch they'd be held accountable both civilly and criminally, yes, just like the thousands of criminal charges brought against officers, directors and executives of various firms that have done all sorts of nasty things over the years, including the fraud-laced Internet bubble, the fraud-laced housing bubble and the pie-in-the-sky market bubble now, right? You could look at Yahoo, which was so forthcoming about being massively hacked with 500 million accounts stolen; they got indicted, right? Or you could look at all those indictments out at Wells Fargo offices for identity theft against 2 million consumers who had accounts set up under false pretense complete with claimed signatures that never were given (that's forgery, by the way, and bank fraud, by the way, and last time I checked both are crimes.)  Oh wait, you mean there hasn't been even one arrest made in either case and in the latter the abuse has been going on for nearly 10 years?  And how many similar screw jobs have there been in other big businesses and how many busts?  Uhhhhh..... yeah.

And as for the producers of all those nice "Internet of things" devices they have all been held accountable too, just like you would be for putting up a pool with no fence since they've been selling knowingly insecure devices that are trivially hackable and able to be abused to screw others, right?  I mean, we can find thousands of indictments against the officers, directors and owners of those companies, and a bunch of them are in jail right now,  yes?  Oh wait.....

Finally, and for context in the present situation, none of these firms would ever screw up due to just pure stupidity, incompetence, lack of knowledge or laziness, none of the people they hired would ever be careless, crooked, bribed or blackmailed and the firms would never take a shortcut like........ putting their DNS in the same, concentrated, non-dispersed and thus easily-attacked place?

Aw ****.

You folks getting the point of my last couple of articles on this yet?

Where's the media?

How come my phone is still silent?  Heh, it still works even if Netflix doesn't!

Yeah, that's what I thought -- we can't talk about any of this for real and how all these firms had it coming. Why no, we can't do that, because there's no accountability anywhere and everyone has been selling "vomit" claiming it's all good stuff, just like in 2005-2007.  The difference is that today it's in the Internet of things and "cloud" space but we must not have that discussion in the mainstream (and especially not the "investment" oriented) media because the minute we start having any sort of honest conversation in this area several dozen high-flying stupid-valuation hot-air firms all get turned into a big smoking hole in an hour and we get 2008, on steroids, all over again.

You read it here first, just like you did with WaMu and their dividends paid with magic capitalized interest in the founding posts for The Market Ticker that ran in the spring of 2007.

How's WaMu doing, by the way?


2016-10-21 11:43 by Karl Denninger
in Technology, 182 references

Public cloud computing, that is, computers at a remote location you do not own but lease space on, which have a hypervisor and clients running under it where you do not have complete, 100% control of said hypervisor, is not secure.

If you have allegedly "encrypted" data there that is accessed, modified and used on said machine then the key to decrypt said data must also be on the machine and unprotected so it can be used.  If that is the case it can be trivially stolen since the hypervisor has complete access to all of the memory and disk resources of the client process and once stolen any pretense of security vanishes like a fart in the wind.

This is the lesson of the Wikileaks "Podesta" and related hacks.  It is not that Russia was involved (or not), it is not whether the "hack" was criminal, it is nothing of the sort.  It is that many of these people had their data (email in this case) on a public cloud environment and said environment was trivially broken into and the data stolen within minutes of being targeted.

The media and "business channels" have not and will not talk about this underlying fact for the simple reason that a huge percentage of the current market bubble is being driven and sustained by these so-called "innovations" and what they've done to market valuation.

This is continually claimed to be the "future" of corporate computing, but if you follow this road, embrace this path, and do so with data that needs to be secure then this is what's coming to you the moment your data is specifically targeted, whether you like it or not.


2016-10-21 07:03 by Karl Denninger
in Editorial, 1460 references

Last night there was somewhat of a ritualistic dinner held.

It was the Al Smith dinner, a white-tie affair, and a ritual that Presidential candidates, very late in the game, have usually taken part in.  This year was no different, with both Hillary and Trump sporting their white-tie best.

But this is not your usual sort of passé thing. No, it's a benefit, and as are many benefits in New York it was stuffed with priestly types and an extraordinary price tag -- but, as is frequently the case when there are so many with a priestly bent headlining the event, the money actually goes to a decent cause -- in this case Catholic Charities.  And, I might add, rumors are that they raised a record amount.  Bravo.

This dinner is in fact a roast, and The Donald went first.  He served up a menu that began with some self-deprecating humor, as is the usual fare.  But then, after getting the crowd nice and warm, with chuckles and even roars of approval, he dropped the hammer:

"Hillary is so corrupt -- She got kicked off the Watergate Commission.  How corrupt do you have to be to get kicked off the Watergate Commission?"

It didn't end there, and there were boos.  Of course there were boos: Trump was in a hard-left, hard-Democrat audience.

But Trump didn't use last night to level charges, he dropped truth bombs.  That Hillary was fired from the Watergate commission isn't an accusation, it's a fact.  That she and her campaign traded slurs against Catholics (and I remind you, this was a Catholic Charities event) in their emails isn't a charge either -- it is also a fact.  Yet there she sat, in a room full of Catholic bishops and priests, raising money for Catholic Charities -- people who, by her own admission, she believes hold anachronistic beliefs that require an "Arab spring" sort of cleansing, and that's just what she thinks Government ought to actively promote -- under her administration, of course.

Donald didn't roast Hillary, he BBQed her.  That Hillary had the audacity to show up for such an event after what she and her campaign have traded in emails about Catholics was the height of hypocrisy bar none, and Donald gave her no quarter.  The audience was squirming, but that's what you have to do from time to time -- take that sacred cow up on stage, praise it, lay down a few laughs, and then show the world by giving a good yank on the cord that the reason it won "largest cow" at the fair is that someone stuck a 4" drain stopper up its butt.

It's funny how, when nobody can cheat, nobody can get the questions beforehand because there aren't any and you get the lectern to yourself for a few minutes you really get to find out who always seems to find a way to use marked cards at the poker table (begging the obvious question as to who their confederates are) and who plays chess -- a game where it's damn hard to cheat and being able to think ahead of the other guy is crucial to success.

Trump has, through this campaign, shown that he's a grandmaster at laying traps and getting people to step in them.  This makes thrice that he's managed to punk the news media, getting them to cover what they didn't want to, not by lying to them but rather by leading them to believe through context that they were going to see something other than what showed up.

Last night may have garnered Trump some boos in the room, but they were boos driven by discomfort of the truth being shoved in the face of so many who claim to wear a robe and stand for universal truth, given by God -- yet who have backed a candidate, publicly and otherwise, that has woven her entire professional and political life from a lie.


As I pointed out in Leverage.... yep.

We didn't pursue this because it does not mesh with naval power and nuclear weapons, both of which are incompatible with the isotopes that are produced by the breeding version of these units.

Yet they are both safer and more efficient than "conventional" nuclear plants.

Of course that didn't matter to those who killed it, did it?


2016-10-20 16:26 by Karl Denninger
in Technology, 1782 references

Let's focus just for a minute on the oft-repeated claim that the US Government's "agencies" have "declared" that Russia is behind the Podesta (and other) Wikileaks releases -- that is, they stole the data.

There's no evidence to support that which passes even the most-rudimentary sniff test.

You have one guy who's made that claim in the US -- Clapper.  The same Clapper who knowingly lied before Congress in the past.  Yes, that Clapper.

Now it is certainly true that Russia is likely capable of such a hack.  Then again the hack itself, as I've pointed out, isn't especially surprising given that it appears many of these "email accounts" have been sitting on public cloud-provided email services.

By definition such 'services' are not secure and cannot be made secure. That people like Podesta are using them for sensitive private matters (which the government is NOT entitled to copies of) such as campaign work is proof of their stupidity -- and little more.

Folks, I can set anyone up with a system that is virtually hack-proof for email, yet for those emails where you don't care about security you can still exchange them with anyone else.  I use such a system myself, built by myself.  Key to this sort of design is that unencrypted emails that you wish to be secure against tampering, interception or both are never stored on the server.

This is obviously unsuitable for the government and its official business (which is why they don't do that) because the government relies on being able to see what is going on both for routine business purposes and to comply with FOIA requests.  Obviously a classified network is an entirely different thing but an unclassified network used for government business stores and distributes unencrypted email because if it was otherwise nobody, including legitimate government oversight organs, could access it!

Let's assume you want to send me a secure email.  All you need to do is email me first, and ask me to reply to you.  Doing so will give you my public key for S/MIME.  You now use that key to encrypt your message (which modern email clients can do automatically) and send me the message you wish to send "securely."  Commonly-available client software which can do this includes Outlook (Microsoft's), Thunderbird, BlackBerry's Android phones (the Priv and DTEK50) and reasonably-recent Apple iPhone software, among others.  You can obtain a key pair for such a purpose from a number of places on the Internet, some of them free, and the better ones do not require that anything other than your public key ever touch their infrastructure, so the risk of them leaking your private key to others is zero (since they are never in possession of it.)

Said email can then pass through however many systems and be stored in however many places but if stolen it is unreadable (unless you saved an unencrypted copy in your "sent" folder), because the only place my private key happens to reside is on devices that I have physical control of.

It is most-specifically not on the server where the email resides!

Here's the important point to remember when it comes to public key cryptography: Once you encrypt the message to send it not even you can decrypt it again!  That is, the key you used for encryption is worthless to decrypt; you need the other half and you don't physically have it nor is it on the server.  Only the person you targeted the transmission toward has it.

So now to break in and steal that email you cannot "just" break into my server and steal the database or files full of messages (you get a bunch of encrypted messages, which you can't read) nor can you intercept the messages while they're being sent (ditto.)  Instead you have to steal both the encrypted message and an unlocked copy of my private key, which exists in unlocked form only while I'm actually using it and it is only present on my personal devices.

In other words you now have to catch me, personally, using said key and manage to get the device out of my hands and into yours, then get said device to divulge the key, before the device locks itself or detects your attempt at tampering (at which point you're screwed since the key is no longer unlocked and/or it has been destroyed!)

Is this possible?  Sure.  But it's a hell of a lot harder than stealing the email itself.  Why do you think the FBI, when they go to bust someone they think might be doing something illegal (like trafficking in kiddie porn) always want to catch the perp with his computer on and unlocked?  It is for this very reason -- seizing a computer that has an encrypted disk but is turned off is frequently going to result in them having exactly zero means of retrieving whatever is on there.  The only way around that is if there is a back door that will trick said device into divulging the encryption key (such as was the case for the infamous California shooter's iPhone.)

So what we have here is a group of people who are intentionally using insecure means to communicate and then whining when one of their own people leaves the front door unlocked.  Does this require some "Grade A" hacker to break in and rip it all off?  Oh hell no it doesn't; in fact, all it requires is that you be stupid, and apparently plenty of these people are.

Where did the hackers come from?  I strongly doubt it was Russia.  I would not be at all surprised to discover that it's nothing more than third-rate folks who send out spams that look like "password reset" requests; it only takes one time you fall for that and then, well..... yeah.  (Or something equally stupid, such as using the same password in a dozen different places, some of which use insecure hashing systems, one of those files gets stolen and the password cracked.  Now I don't have to break into anything since I have the actual password!)

All of this underlies one reality that I pointed out in an earlier column though, which is why none of the media will talk about this, why my phone hasn't rung with a request for an interview on the matter nor has anyone else's who knows what they're talking about: the moment it gets into the public consciousness that "cloud" computing is never secure at any time a key is on said cloud or unencrypted data is stored or used there, the "value" of all these public cloud companies, which are a huge part of the valuation bubble in the stock market today, collapses.

So to summarize:

  • The campaign is full of stupid people who have been passing around sensitive data without encryption.  These are the people who the candidate, incidentally, thinks ought to be running the country if she wins.  It ought to be obvious that putting stupid people in public office is a bad idea.

  • There are moderately easy ways to avoid this problem for sensitive communications where no central authority needs to be able to get to them for legitimate purpose.  The campaign decided not to do that, however, which goes directly to point #1 -- they're stupid.

  • Responding to a question about a leaked email with a "where did you get that" sort of response is demonstrable evidence that the allegations raised about said content are true.  If they're false (that is, the email was falsified and not really sent) then you'd instead get a categorical denial. Why would someone ask "where you got it" if they never said it in the first place?  A denial doesn't mean that the allegation isn't true, but questioning the source instead of the content is nearly-always an admission that the content is factual. Use your head folks.

  • The underlying issue related to these hacks is that so-called "public cloud" providers are insecure if, at any time, unencrypted data or the keys to decrypt said data are on said machines.  The value of a whole bunch of "new economy" bubblicious companies depends on this not making it into wide public consciousness, because the minute that it does nobody is going to consent to their health data, their financial data or anything else that's personal and sensitive being put on this sort of infrastructure ever again.

In other words blaming Russia is a distraction intended to keep you from paying attention to both the content of the emails (which certainly appear to be factual given the reaction to their release thus far) and the fact that a whole host of data about you is being similarly stored in similarly-insecure fashion by literally thousands of companies.

