At 02:16 AM 4/3/02 -0800, Bill Stewart wrote:
>At 05:51 AM 04/02/2002 -0800, Major Variola (ret) wrote:
>>And Morloch: your replacing DNS (as a vulnerable point of
>>failure/control) is a good idea.
>>you'll have to write a browser plug-in, or background daemon that
>>modifies the resolver's behavior, or extendable resolver.  You could
>>append to Windows (et al) "hosts" file, and the normal resolver would
>>pick that up.  I'm surprised there are no attempts to do that, but then,
>>there's the Network (aka FAX) Effect operating here.  Does that
>>baptista.god fellow write code?
>
>Doesn't take much in the way of code - most Windoze versions are
>willing to let you tell them up to three DNS servers to use,
>though sometimes on dialup connections you'll have to haggle with them
>about whether to accept DNS server addresses from the dialup
>instead of your dedicated ones.  That means that as long as you've
>got some DNS server other than 127.0.0.1 to resolve queries for you,
>you can simply point your PC there.

Very good.  (BTW, kinda a neat trick for sleazeware to replace the first
DNS so that it can sell redirected name services..)  There is the common
problem that the DNS owners can track your queries, but your solution
requires only a single change.  (Too bad the bozo who got busted for
selling .usa names didn't run a server, he might have had a legal chance.)

Nonetheless, here's a first draft of a proposal for the Fully
UnCentralized Authority for Naming and Numbers using the local host
table.  It includes a DOS script which uses wget and some utilities.

FUCANN
Fully Un-Centralized Authority for Naming and Numbers (*)
Rev 1.0

First, a parable:

You arrive in a place where you can't read the language.  The tourist
maps have been printed by a nasty government with a monopoly on
map-making.  You want to eat, but all the business names on the
tourist map that are in your language are those approved by the
map-maker.

So you get a trusted friend to give you an overlay, a clear foil
labelled with *his* names and recommendations.  You read his label for
"noodle shop" on the foil and then mark the location on the tourist
map.  You find a taxi and point to the tourist map where your friend's
overlay said the good food is.

"Tourist map" = government DNS.  "Taxis" = routers.  "Street
addresses" = IP addresses.  "Overlay foils" from your friend are the
FU Naming System host table overlays.  Friends = FUNS "root servers".

You can overlay several foils, from different friends.  The last one
you overlay overrules lower foils.  Since you choose your friends, and
the order you query them, you are the authority over your own name
space.

One friend edits his foils by hand.  Another lets anyone add to his
foils, and further allows "hierarchical" editing because when someone
adds "noodleshop" to his foil, they get a password allowing only them
to refine their definitions --thin.noodleshop, wide.noodleshop, etc.
Of course, if a more trusted friend, whose foil overlays the first's,
overrides a name, you see the more trusted name.




Problem: DNS is run by governments, subject to "social malfunction"
(censorship).

Solution: use a naming system where the user chooses whose namespaces
he overlays.  Everyone is ICANN.

Implementation: PCs, Macs, etc have a local "hosts" file which is
consulted by the OS's name resolver before the resolver queries the
government DNS.  By adding IP & name pairs to this hosts file, we
override government naming authority with that of our own choosing.
This resembles the old Sun "Yellow Pages" hosttab replication ("NIS"
after BT thrashed Sun about "YP").

A Client runs a FUCANN Daemon which periodically queries hosts listed in
a local FUCANN Root Server List "froots.txt".  Root Servers listed later
in froots.txt override earlier FRoot Servers.  Users edit their
froots.txt file using any text editor.


Users' FU Root Server list "froots.txt" contains lists of URLs.  The
URLs point to "fhosts.txt" files which are in the format of the
standard "hosts" file, i.e.,
  12.34.56.78 foo.bar
Note that fhosts.txt files can override even government names, e.g.,
   12.34.56.79 amazon.com
because the hosts file (into which they are merged) is consulted first.


Anyone can be a FU Root Server and there is no global conflict
resolution.  The end-user performs conflict resolution when he orders
the name of Root Servers in his local "froots.txt" file.

This allows anyone to create their own top level domains, merely by
listing names in their exported fhosts.txt file.  It is up to each
Root Server to resolve any conflicts in their fhosts.txt file
---either by deciding manually, or a first-come first-served scheme
(with authentication for name-refinements if they want, allowing
DNS-like hierarchical management), etc.

A local Fdaemon does this loop forever:
  For each URL in froots.txt,
    retrieve the fhosts.txt file
    Merge it, uniquely, with the local hosts file
  Sleep


froots.txt file:
    http://www.fred.com/fhosts.txt
    http://www.frank.com/fhosts.txt
    http://98.76.54.32:81/fhosts.txt
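One pass of the Fdaemon loop above, written out as an added example (this is my code, not the post's batch scripts): it implements the rule that later froots.txt entries override earlier ones and the local table, which concatenating and running sort|uniq does not do on its own, and it drops malformed overlay lines before they reach the hosts file.  The function names, the hostname check and the sample foils are constructed for the illustration.

```python
# Added example, not from the original post: a Python fdaemon merge pass.
# Function names, the hostname check and the sample foils are assumed.
import ipaddress
import re
import urllib.request

# Accept plain hostnames only, so an overlay cannot smuggle other text into the table.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                         r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")

def parse_hosts(text):
    """Parse hosts-file lines ('ip name [alias ...]', '#' comments) into
    (name, ip) pairs; lines without a valid address are dropped."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address: skip rather than poison the table
        pairs.extend((n.lower(), ip) for n in fields[1:] if HOSTNAME_RE.match(n))
    return pairs

def merge_overlays(local_text, overlay_texts):
    """Overlay each fhosts.txt in froots.txt order: a later foil wins over
    earlier foils and over the local table, as the parable describes."""
    table = {}
    for text in [local_text, *overlay_texts]:
        for name, ip in parse_hosts(text):
            table[name] = ip
    return table

def render_hosts(table):
    """Write the merged table back out in hosts-file format."""
    return "".join(f"{ip}\t{name}\n" for name, ip in sorted(table.items()))

def fetch_overlays(froots_text, timeout=10):
    """Retrieve every URL listed in froots.txt, one per line, in order."""
    urls = [u.strip() for u in froots_text.splitlines() if u.strip()]
    return [urllib.request.urlopen(u, timeout=timeout).read().decode("utf-8", "replace")
            for u in urls]

# Constructed sample foils: frank's is listed later in froots.txt, so its
# foo.bar entry overrides fred's; the malformed line is discarded.
FRED_FHOSTS = "12.34.56.78 foo.bar\n12.34.56.79 amazon.com\n"
FRANK_FHOSTS = "12.34.56.80 foo.bar\nthis is not a hosts line\n"
LOCAL_HOSTS = "127.0.0.1 localhost\n"
```

A real daemon would call `fetch_overlays` on the contents of froots.txt, pass the result to `merge_overlays`, and write `render_hosts` over the hosts file after taking the same backup the batch script does.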


Note that any transport could be used to obtain fhosts.txt files
-email, ftp, etc.

Note that future versions might send file-differences only, using
compression.  They might also use HURLs, Hyper-URLs, which specify
other protocols --e.g., text to voice to POTS phone, 802.11blah
guerilla nets, FAXes, etc.


-------
"Can we do it?"
Yes, ICANN
-Frob the Builder

A prototype Windoze directory contains:

uniq.exe    -standard utilities
sort.exe
awk.exe
wget.exe

froots.txt -list of URLS, later ones are higher priority
foil.awk -script (see below)
foild.bat -FUCANN daemon (this one does not run forever) (see below)
fmerge.bat -script to merge wget-retrieved URL file into c:\windows\hosts (see below)

foil.awk:
............................................................
# One "call fmerge <url> <filename>" line per froots.txt URL; with -F /
# the last field ($NF) is the file name.  CALL is required: without it
# f.bat jumps into fmerge.bat and never returns for the next URL.
{printf "call fmerge %s %s \r\n", $0, $NF}
............................................................


foild.bat:
............................................................
@echo off
echo Foil NS Daemon


echo rem Temporary FoilNS batch file > f.bat
rem EXTRACT URL, FILENAME... / is delimiter
awk -F / -f foil.awk froots.txt >> f.bat

rem RUN TEMP BATCH FILE
f.bat
............................................................



fmerge.bat:
............................................................
@echo off
echo Foil Merge
rem Requires: wget, uniq, sort

echo Getting %1, then merging %2

rem GET FILE
wget %1

echo We got %2
type %2


rem CONCAT FILE INTO HOSTS
rem BACKUP
copy c:\windows\hosts c:\windows\prevhosts
copy c:\windows\hosts hosts
echo Old local hosttab:
type hosts

rem CONCAT
type %2 >> hosts

echo Before Merging:
type hosts

rem sort|uniq drops exact duplicate lines only; two lines naming the
rem same host with different IPs both survive, so this step alone does
rem not give later froots entries priority over earlier ones
type hosts | sort | uniq > thosts
echo After Merging:
type thosts

copy thosts c:\windows\hosts


rem CLEAN UP
del %2
del thosts

echo FMerge is done.
............................................................









Some comments from anonymous colleagues:

>This is what I learned from the shyster panel on Codecon 2002:
>Developers must have ZERO control over the use of their software

We don't need no stinkin policies, we don't need no stinkin authorities,
and we don't need no stinkin' Finn tellin' us when to fork...

-----

>Which brings us to the issue WTF would any ordinary people use FUCAN in
>the first place. What is the killer app ?
>
>It is NOT having a top-level domain name .david . Small people do not
>care for that, corps care about easy to use names that are 1) easy to
>memorize and 2) by their uniqueness give importance to the brand.
>Informal tribes do not give fuck for that.
>
>I think that the first app would be something that pinpoints moving
>targets, which is where DNS fails. Moving targets have to be constantly
>tracked, by humans. The only thing worth sharing are brain cycles.
>Machine cycles are free.
>
>So, integrating neo-napster host locations (I have an app that points my
>"discontinued" napster client to one of several hundred napster servers)
>or gnutella nodes with static URLs would be neat. Usable.
>
>Then vanity, of course. Kids would go for these domains that you can
>reach ONLY if you participate in FUCAN distribution. And they would be
>local. Gangs would love it.
>
>Then SIGs. Many fundamentalist groups would find it sexy to redirect
>URLs of enemy sites to PC pages. Anti-porn crusaders could re-map ALL
>porn sites to jesusneverejaculated.com . Anti-globalists would find it
>sexy to redirect amazon.com to local PC bookstores among themselves.
>
>In general, all users would be more or less "illegal", in the sense
>that DNS can not cater for their needs since adversaries have ways of
>influencing DNS.
>
>The fact that this is all "among consenting adults" will probably give
>some leeway and time to develop FUCAN before it becomes illegal. And if
>it gets any measurable success it will become illegal - either through
>new laws or existing ones (WIPO and trademarks can easily be used to
>mark FUCAN as a tool for circumventing IP laws - absurd, yes, but it
>didn't stop them before.)
>
>On technical issues, I think that having HURL (Hyper-Universal record
>locator) is paramount. It should be able to point to ANY existing
>address space, computerized or not. ISBNs (plus page number -
>interesting service, making specific pages available, for a fee). Street
>addresses (think AP). Telephone numbers. Bank accounts. License plates.
>Prepaid phone cards. Anything.



------
(*) Thanks to anon..
