Month: January 2015

Response Policy Zone (RPZ)

Years ago, Paul Vixie developed a component of the BIND DNS server that allowed server owners to easily override specific hostnames. We had done something similar for particularly bad hostnames — if your workstations use your DNS servers, you just have to declare yourself the name server for a domain that has the same name as the hostname you want to block (i.e. I become the NS record for forbidden.google.com and my clients are able to resolve all other records within the google.com zone, but when they resolve forbidden.google.com … they get whatever I provide). I usually did this to route traffic over a B2B VPN – provided the private IP address instead of the public IP provided by the domain owner’s name servers. But for a few really bad malware variants, I overrode their hostname. Problem was the technique wasn’t exactly easy. Every single host required a new DNS zone be created, configured on your DNS servers, and (at least in BIND) the service restarted.

Response Policy Zone was pushed as a functionality that would allow service providers (ISPs). That’s not a use case I forsee (it’s a lot of manual work), but it has become an important component of our company’s network security. Hosting an RPZ domain allows us to easily add new overrides for B2B VPN connected hosts. But it also means we can override hostnames that appear in phishing e-mail campaigns, malware hosts, infected web sites … basically anything we don’t want employees accessing.

Stopping clients from accessing infected sites is a great thing; but for hostnames that are indicative of a compromised box (i.e. there’s a difference between an employee clicking on a link within their e-mail that links them to a specific host and someone having malware on their box that automatically contacts a specific host), we set the IP address for the hostname to a honeypot.

The honeypot is bound to all unused ports on the host (there aren’t a lot of used ports on it), logs all contact to a database, then basically hangs the connection. We have a scheduled job that looks at the contact log and opens a ticket to the desktop support team to investigate the compromised host.

Anya’s 2nd Birthday Cake

This year, I made a parsnip cake for Anya’s birthday tea.

  • 175g butter , plus extra for greasing
  • 250g demerara sugar
  • 100ml maple syrup
  • 3 large eggs
  • 250g self-raising flour
  • 2 tsp baking powder
  • 2 tsp mixed spice
  • 250g parsnips , peeled and grated
  • 1 medium eating apple , peeled, cored and grated
  • 50g pecans , roughly chopped
  • zest and juice 1 small orange
  • icing sugar , to serve
  1. Heat oven to 180 C.
  2. Grease 8″ round cake pans and line the bases with baking parchment.
  3. Melt butter, sugar and maple syrup in a pan over gentle heat, then cool slightly.
  4. Whisk the eggs into this mixture, then stir in the flour, baking powder and mixed spice, followed by the grated parsnip, apple, chopped pecans, orange zest and juice.
  5. Divide between the cake pans. Bake for 25-30 mins until a toothpick inserted into the thickest part comes out clean.
  6. Allow pans to cool on a wire rack for ten minutes.
  7. Turn cakes out of pans and set on wire rack until completely cooled.

This cake is topped with mascarpone (250g tub) mixed with a little maple syrup (3 tbsp).

 

Selecting The Wrong Target Audience

A few weeks ago, we saw a Shark Tank episode with a chap who developed a personal breathalyzer / smartphone app. The Atlantic posted an article about personal breathalyzers too. In both cases, there appears to be a low adoption rate for these devices. But the marketing seems to be going about this the wrong way. Most people I’ve encountered either restrict themselves to a drink or two (and only when they’re going to be hanging out for a while after drinking and before driving), don’t care enough to spend money on a personal breathalyzer, or really don’t care and have the state government install something in their vehicle as a part of the court proceedings. None of these make for a ready market of customers. Why not market this product to businesses. Restaurants and bars carry liability insurance, and one of the liabilities is that alcohol is served to someone who subsequently damages themselves / others / property. The server and establishment can then be liable for providing too much alcohol to someone who, literally, asked for it.

It seems, then, that the insurer should be able to provide a lower rate for an establishment with a policy of only serving to persons under a certain blood alcohol level. A real win for the manufacturer would be getting insurance agents engaged to market these to commercial establishments — you use these things, your premiums are reduced. Akin to the automobile insurance apps that monitor your driving habits in exchange for reduced auto premiums.