Download: Episode 70.
This week Audrey and I chat about a security incident with Homebrew (the macOS package manager), Twitter’s refusal to moderate hate speech, and Firefox’s upcoming support of DNS over HTTP.
- [03:42] Devopsdays Portland – SEPTEMBER 11-13, 2018 – RECOMPILERFRIENDS 20% discount
- [04:06] Recompiler DevOpsDays ticket giveaway, deadline August 20
- [04:25] Community Event Planning pre-order
- [04:54] Survey for event organizers
- [06:08] Call for Contributors, Issue 12 Machines and Things
- [07:08] Security Incident Disclosure — Homebrew
- [08:16] How I gained commit access to Homebrew in 30 minutes
- [11:39] How I gained commit access to all Jenkins projects in 30 minutes…and how security warnings to the
- [16:19] jack on Twitter: “We didn’t suspend Alex Jones or Infowars yesterday…”
- [19:49] Jay Rosen on Twitter: “It’s been called the bullshit asymmetry:…”
- [22:16] Political Strategy and Buzzfeed’s analysis of “the Twitter problem”
- [33:02] I’m done with Twitter
- [35:10] Episode 57: Do we have to do more Facebook? – The Recompiler
- [36:22] Improving DNS Privacy in Firefox – Firefox Nightly News
- [37:54] ungleich Blog – Mozilla’s new DNS resolution is dangerous
- [45:45] BearCam
- [47:51] Books by Gerald M. Weinberg
Now Broadcasting LIVE most Fridays
We broadcast our episode recordings LIVE on most Fridays at 12pm PT. Mark your calendars and visit recompilermag.live to tune-in. Exception: This week we’re recording on Thursday, August at 3:30pm PT.
We love hearing from you! Feedback, comments, questions…
We’d love hearing from you, so get in touch!
CHRISTIE: Hello and welcome to The Recompiler, a feminist hacker podcast where we talk about technology in a fun and playful way. I’m your host, Christie Koehler.
CHRISTIE: We should be on air. Hi, Audrey.
AUDREY: Hi, Christie.
CHRISTIE: It is Friday, August 10th, just after noon, Pacific Time. We’re totally sick of the heat.
AUDREY: Completely sick of the heat.
CHRISTIE: Yeah. This will be our intro from now until the end of time due to global warming, I think.
AUDREY: My work journal that I take notes in every day, I have just a string of pages where I’ve written hot in capital letters across the top.
CHRISTIE: Hot and sticky. Fortunately, we got some smoke from the wildfires came in today but it stayed pretty high up in the atmosphere.
CHRISTIE: So the ground level air quality has been okay, which is just a big relief to me.
AUDREY: I still know some folks that were kind of struggling. But yeah, it’s not as bad as it has been at points. And I think I just saw the weather service post something about how it was going to kind of sweep out of the area for a little bit.
CHRISTIE: And the ozone has been getting not great in the later parts of the day. So that could also…
AUDREY: And I think that’s actually the one that affects me the most, unfortunately.
CHRISTIE: I did have to cancel my trip to California because of the air quality, which sucks. But it’s better than getting sick, I guess.
AUDREY: The whole Redding fire. I haven’t even seen an update, have you?
CHRISTIE: It’s the Reddit, the Carr Fire which is near the Mendocino complex fire. There’s the Ferguson fire which is around Yosemite. Huge parts of Yosemite have been closed. And there’s also another couple of fires in Southern California.
AUDREY: I saw the Yosemite stuff because I’ve been reading a lot of trail journals for the Pacific Crest Trail and fire closures are increasingly part of the thru-hiking experience. They’ll try to put together alternate routes when they can, but sometimes people have to do what they call flip-flop which is to skip a section and then try to come back to it later.
CHRISTIE: And I think there’s fires around Klamath area, too. I know every time I check Oregon air quality, it’s always been like in the really dark red for a while now.
AUDREY: I’ve read a couple of things from folks in Klamath Falls, too.
CHRISTIE: And the whole Medford-Ashland area. Purple is the very unhealthy. It’s like 292. And then red is unhealthy and it’s like all along the Oregon-California border. It’s awful.
AUDREY: I hope you’re able to reschedule your trip at some point.
CHRISTIE: I think it’s going to be in the fall.
Aside from the weather sucking this week, we’re going to talk about a security incident with Homebrew which is the macOS package manager, Twitter’s refusal to moderate hate speech, and Firefox’s upcoming support of DNS over HTTP which has the acronym DoH. That kind of cracks me up. First I was like, “What is that?” Because I’m so used to seeing it as DNS over HTTP.
But first, we have announcements.
AUDREY: We do. DevOpsDays Portland is coming up September 11th through 13th. The DevOpsDays events are a series of technical conferences that cover the intersection of software development and IT infrastructure ops. And we are a community sponsor, so that means that we have a ticket discount code, 20% off. Use the code: RECOMPILERFRIENDS. And we are also doing a ticket giveaway through August 20th and there will be a link to a form to put your name in.
CHRISTIE: Yes. Audrey and I will both be there. I’m looking forward to that. What else?
AUDREY: We are taking preorders for our Community Event Planning book. We’re starting to put together….we have an outline. But we’re starting to put together a more detailed content plan about what people are going to see, when they will see it and starting to really work on some of those book sections. So if you want to see the book as it’s in progress, then you need to preorder and there is a link for that.
CHRISTIE: And then along with that, we’re doing a survey. We’ll put together a survey for event organizers to sort of collect information about…part of what we’re doing is to make sure that we basically…like the scope of what we’re covering matches what people are doing and needing to know.
AUDREY: And because in the 10, 12 years that we’ve both been working on events, there’s just been this proliferation of community conferences and user groups, meet-ups, things like that. And so, I’m really interested in getting to see what people have done with that sort of general idea. So we’re expanding the scope quite a bit. I looked at some of the initial responses from people and I saw just a lot of really insightful and on-point comments about the good and the bad of running these kinds of events and the things that people had encountered in the process.
CHRISTIE: Nice. So yeah, if you have been involved in organizing events, we’d love for you to fill out the survey and we’ll have a link in the show notes.
AUDREY: Our last thing is a call for contributors for Issue 12: Machines and Things. This issue is guest-edited by Stephanie Morillo. It’s also sponsored by CentOS. We are going to talk about the overlapping combination of machine learning, internet of things, hacking both self and machinery, and we’re looking for people’s proposals. Contributors are paid. The call is open, I think, through September 4th. I was in the middle double checking that when we started. But there’s at least a few more weeks left. And yeah, we’re looking forward to seeing what everyone has to say.
CHRISTIE: Awesome. September 4th is correct. Did you already say we pay contributors?
AUDREY: I tried to. Did I?
CHRISTIE: I don’t remember. So happens when we have weeks and weeks of heat waves.
CHRISTIE: Yes. So, Homebrew which is the…I think at this point, it’s fair to say it’s the most popular MacOS package manager. What was the…I’m trying to think what the…Darwin Ports?
AUDREY: Yeah, there were a couple that I used previously but it seemed like for most things that I would want to install using a package manager, Homebrew had become the standard.
CHRISTIE: So meaning if…I think this is primarily for…well, it’s not exclusively for command line tools but…
AUDREY: For development-related things for the most part.
CHRISTIE: So if you want to install a different version of Python and what comes with the system or I use it to install Macvim. I use it to install all kinds of stuff. Pandoc is another thing I use a lot.
AUDREY: Yeah, me too.
CHRISTIE: Like a lot of package managers, you open up your command line. After Homebrew is installed and you do Brew and then the name of the thing or the formula you want to install. So they had a security incident and Eric Holmes has this piece that says: how I gained commit access to Homebrew in 30 minutes. Basically how he did it is that Homebrew is running a public instance of Jenkins.
AUDREY: For continuous integration though.
CHRISTIE: For continuous integration. So basically checking out code changes, running tests. I don’t know if they’re doing builds or not. And in the Jenkins instance, he found in a sort of environmental variables, information, a GitHub token in a clear text. And it was a GitHub token for an account that had push access to Homebrew code. So, pretty straightforward of an issue actually.
AUDREY: I think the most complicated part is just digging around for those credentials.
CHRISTIE: Right. The thing that I thought was interesting was in the security incidents response from Homebrew themselves…I’m double checking it to make sure they haven’t added anything or that I missed it. But they said, “What we’re doing about it…” basically said, “We’ve already been using two-factor auth. We enabled branch protection and required reviews on additional repositories as mentioned above. We requested all Homebrew maintainers review and prune their personal access tokens and disable SMS fallback for two-factor auth. And then a security researcher also recommended we consider using GPG signing for Homebrew/homebrew-core. The Homebrew project leadership committee took a vote on this and it was rejected non-unanimously due to workflow concerns.”
AUDREY: I was curious about that, what workflow concerns meant in this case.
CHRISTIE: And this is the same thing that came up with the NPM security breach too and they also rejected it. I don’t know if there was. I didn’t look around for a public issue about that. I guess that didn’t surprise me because that’s come up in other context and people haven’t chosen to adopt it. What it does not mention is anything about Jenkins which was the vector for how…I mean, there was a layer where security was a little too loose around the use of that GitHub token but that GitHub token never should have been available to the public in the first place.
AUDREY: Right. It might be the kind of thing that if your Jenkins instance was not public, you could overlook. But when you are providing public access to that, then that changes the profile.
CHRISTIE: Yeah. And I believe there are plug-ins or things you can do with Jenkins so that, that information is obscured. And then kind of in conjunction with this, this person Daniel Beck publishes Medium thing saying, “How I gained commit access to all Jenkins projects in 30 minutes…and how security warnings to the Homebrew team went unheeded since 2014.” The weird thing about this is there’s not really any detail and I don’t know if that’s intentional, if it’s more about just trying to raise awareness that there was a pretty significant security issue.
AUDREY: I saw some requests to verify it and I didn’t really see a follow up.
CHRISTIE: I was very puzzled by this one. But it was basically saying there was a remote code execution vulnerability at some point in Jenkins. So I don’t know if this person was just trying to jump on the bandwagon of credit for a little bit, or…I don’t know. This one was confusing.
AUDREY: I’d like to look for a little bit more follow up to see. I mean, these kinds of vulnerabilities, they pop up, they’re going to keep popping up. I thought it was really interesting that more than one of these things pointed out that it’s difficult for small teams to stay on top of this stuff. Even when they’re doing their best, they can still be surprised by a vulnerability. You have to really scramble to fix it and not have a lot of [inaudible] time that they can put toward it necessarily. So I thought it was interesting that more than one thing I saw talking about what had happened with Homebrew at the end said, “You know, if there’s a way that you can support them financially, do it.” Because we’re not trying to punish them for having this problem. We’re trying to make sure that they get the support to not have it happen again.
CHRISTIE: Yeah, I saw that too. And they included a bit about that in their response. But the thing that’s concerning to me is that it’s not clear to me how throwing money at them will actually help because they don’t have a business plan. They don’t have an organization. And software requires ongoing work and maintenance and you need to build. If you don’t want to be in the position of having to work when you’re on paternity leave, which happens in the course of people’s full time work too which it shouldn’t, you have to have redundancy in staffing. And that’s really hard to do unless you’re building an organization or a business around software.
And I think that we’ve talked before about security as a job role and how much like with ops companies will say, “Well, everybody can help with that.” But there is really a value to having somebody who specializes in it, not just because of their experience but also because that means that that’s where their attention will go and that’s what they’ll be trying to facilitate as opposed to other kinds of development goals that you might have. Having somebody who’s responsibility is security means that it gets prioritized in a different way than if everybody is supposed to take a piece of it.
CHRISTIE: Right. We’ve talked about that basically last week when we talked about the Reddit breach and how it was sort of surprising to us that they only recently hired a head of security. That’s not to say they didn’t have someone working in a dedicated security role but that’s sort of what they made it sound like.
So, if you’re using Jenkins and you’re an open source project and your Jenkins instance is public, maybe do a quick check and make sure you don’t have credentials stored in plain text.
AUDREY: We talk about with all of these breaches, review who’s got access to what and how they have access to it. And when you’re talking about your core builds, who can build them? How is that verified? How is it distributed? All of these are still very important questions.
CHRISTIE: And to be clear, Homebrew did work with GitHub support to verify that the token hadn’t been used. And so, no packages were compromised and users of Brew don’t need to do anything. How we should [inaudible] with that.
AUDREY: For most of us, it’s just something to be aware of, to watch out for in our own work.
CHRISTIE: Right. And I think it is good to have awareness that some of these really core tools don’t have corporate backing, don’t have dedicated staff, and it becomes a point of stress.
Speaking of points of stress, Alex Jones is…what do they call it? A conspiracy theorists? Is that how you describe this person? And runs or is a primary author on Infowars, has been peddling some really vile, vile stuff for quite a while. I think he’s the main source of the Sandy Hook Truthers, trying to say that Sandy Hook didn’t happen. Anyway, I actually don’t know what the tipping point was. But last week, we finally had a tipping point and Alex Jones and Infowars get kicked off a bunch of platforms – Facebook, YouTube, iTunes, delisted all the podcasts that they were doing, which meant that the podcasts also got delisted from all other things like Spotify.
AUDREY: A lot of things that seemed like they should have happened already and seemed like very healthy community moderation.
CHRISTIE: Right. I feel like I started seeing it in regard to Spotify hosting the podcast but I don’t know, was there a particular thing that triggered the tipping point?
AUDREY: I’m not really sure either because I think I got more interested in how Twitter responded which is the meaning all that we want to talk about. But yeah, I didn’t actually catch what specific thing that Infowars had done that caused this to happen. There’s just so many possibilities. I mean, the stuff that they do is really vile and reprehensible and encouraging violence toward people. It’s amazing that we have to get this far before anybody’s stuff gets taken off the internet even partially.
CHRISTIE: Right. It’s already amazing that it took so long for Facebook and YouTube and all these other groups to do anything. And then even worse, Twitter is intentionally not doing anything. And so Jack, who runs Twitter, has a Twitter thread about it and basically said, “He hasn’t violated our rules. We’ll enforce it if he does. And we’ll continue to promote a healthy conversational environment by ensuring tweets aren’t artificially amplified.”
AUDREY: I don’t know what that means.
CHRISTIE: There’s just so much garbage in this thread. Later on, he says, “Accounts like Jones’ can often sensationalize issues and spread unsubstantiated rumors, so it’s critical journalists document, validate, and refute such information directly so people can form their own opinions. This is what serves the public conversation best.” That when I read that, I knew it blew a gasket.
AUDREY: It doesn’t match any of the research that’s been done on conspiracy theories and how they function. You can’t defeat conspiracy theories, harmful conspiracy theories by having journalists document and refute that information. That’s important. But for one thing, that doesn’t replace Twitter doing what they should be in terms of moderating the platform. And it also doesn’t actually stop the conspiracy theory.
CHRISTIE: No. And there’s just so many things. It also puts a tremendous amount of pressure and onus on journalists which is a profession that’s already sort of stressed to the max. Jay Rosen had a really good tweet thread in response to this. And this one particular tweet stuck out to me. “It’s been called the bullshit asymmetry: The amount of energy needed to refute bullshit is an order of magnitude bigger than to produce it. Which is another problem with @jack’s statement that it’s critical for journalists to refute Alex Jones directly.” And we’ll link to that because there’s a lot of other good stuff in there.
AUDREY: And I think he said somewhere in there that he’s writing a book on this.
CHRISTIE: That wouldn’t surprise me.
AUDREY: Yeah. I think to everyone who is in Twitter, it’s really obvious what’s wrong with this, whether or not you can do a detailed breakdown of it. Most of us can look at it and say, “This is awful.” This is just absolutely awful. It’s well beyond ignorance. They are deciding to shape their own reality, to shape our reality.
CHRISTIE: This is, in my opinion, willfully harmful.
CHRISTIE: I don’t entirely understand what’s motivating it. I mean, Jack is incredibly wealthy. He is a member of the white male status quo, so it’s very much a self-serving position. It really follows if you’re one of those market place of ideas person where you think that you apply those sort of free market principles to speech.
AUDREY: And it fits into this idea that these things are merely technical platforms, that they’re not a public sphere of conversation and influence, and that they’re controllable by the company that owns them. They have the ability to do something here.
CHRISTIE: It’s duplicitous because they recognize that. They say, “We’re going to serve the public conversation best.” So they claim that role for themselves and then don’t do what they should be doing.
AUDREY: Don’t do something that actually serves that most general stated goal.
CHRISTIE: Right. Flavia Dzodan…I’m probably not saying that right, had this piece actually, I think might be from 2014. Oh no, it’s 2016. With a very weird GIF at the top of it that I don’t understand.
AUDREY: She’s great with the GIFs.
CHRISTIE: First I thought it was a bunch of naked people but it looks like this is either CGI or these are mannequins. I don’t know what this is. But it might be some pop culture thing. Anyway, I’ve got to stop looking at it. It’s freaking me out. Talking about how…why didn’t I pull a good quote for this one?
AUDREY: Oh, how everyone says, “Oh, this violence. What’s the strategy for it when violence is in fact the strategy?”
AUDREY: Like why are they doing this? We have to understand the strategy before we can stop it. Instead of going, “Oh, violence is the strategy, stop the violence.”
CHRISTIE: Yes. And that the problem of violence on Twitter is not a bug, it’s a feature of the system. Thank you for summarizing that well.
AUDREY: And as long as companies, all of the kinds of companies involved are making money by Twitter doing what Twitter does, then there’s nothing in the system that will stop it.
CHRISTIE: Right. And again, we don’t pay to use, we’re not customer with Twitter. We’re a resource at Twitter. So I think it’s harder to leverage our power, our buying power there.
AUDREY: I’ve seen another round of people asking what it would look like if journalists took a day-off off Twitter. What would it look like if some large groups of people pull their content from Twitter? Would that have an impact on this?
I mean, there’s reasons that we don’t because we have personal relationships that we’ve been able to maintain the most easily using Twitter, because it does serve our businesses. Our small businesses, they can’t afford big marketing efforts.
It’s a huge point of connection for me with the outside world. I have to do work, there’s been a few wave now where I’ve had to fight off the frogs or I guess now they’re red Xs, I don’t really understand it. But I ask questions that get answered, I connect with people. I still get a lot out of it. And a couple times, I’ve tried to dip my toes in the pool of Mastodon. But I spent about 10 years building up being on Twitter and you can’t immediately just transplant that over to a new system.
AUDREY: I’m using both of them pretty regularly now. And I have different kinds of conversations on Twitter and Mastodon. I connect with different people. If I am doing something that is money-related, fundraising, seeking customers, whatever, I have had so much more success on Twitter than I do on Mastodon. I make good community connections on Mastodon, but I don’t tend to have the interactions with people that can throw money at something.
CHRISTIE: Interesting. Mastodon, in addition to not having the same number of connections there, the structure of the platform I do think changes the interactions. In the same way that I never really clicked with Facebook because of how much longer the posts are, I have that same issue with Mastodon. Like the content on Twitter for me is much more digestible than it stills on Mastodon.
AUDREY: Because they’re such short posts.
CHRISTIE: And that’s not just me consuming it. I also think it’s what people post.
CHRISTIE: So far, I’ve been seeing, and this is just my limited view, but I see people writing short things about what is Mastodon and the very meta and then longer posts. So, the other thing is I finally put clients on my phone. And for some reason, half or a good number of the people using it, their apostrophes come through as nines and I don’t know what’s going on with that.
AUDREY: That seemed like a fairly [inaudible] coding problem.
CHRISTIE: Yeah, if it were like squares or some other pattern. But I’m like, “Nine? Where is it…?”
AUDREY: Yeah. You said you saw that on one of my posts and I am only using the web client or the website. So, I really don’t know what’s happening there.
CHRISTIE: Maybe we can troubleshoot it or whatever.
AUDREY: I mean, I’m seeing another wave of people moving toward less Twitter use and over toward Mastodon. Like I said, it’s a really good community on there. I have good conversations. I absolutely make connections with people. But again, if I’m looking for a sponsor for something, Twitter just does so much more. The network that’s on there has a lot more resources to put toward things.
CHRISTIE: I also found myself wanting to be a part of…I sort of started feeling like Mastodon is like maybe a forum, used to be for me. I started wanting to be a part of more localized Mastodons, like I want to know where my…I kind of love a Portland one. And then I would kind of like ones for my different interest areas.
AUDREY: That’s what people do with those 50 zillion Slacks.
CHRISTIE: Oh, I hate Slack.
AUDREY: I know. I just mean obviously, people do desire this because why else would there be like a hundred different tech community Slacks that you could sign up for.
CHRISTIE: But Slack is focused on…it’s channel-focused, not people-focused. It’d be like if the main way you connect with content was only via hashtags.
AUDREY: Because there isn’t any other kind of searchability on Mastodon, that is one thing that happens.
CHRISTIE: What? People or hashtags?
AUDREY: Hashtags. As topics, as clusters of topic.
CHRISTIE: Right. But imagine you couldn’t…
AUDREY: You couldn’t follow individual people at all?
CHRISTIE: Yeah. It’s like I don’t have the same sense of the public conversation. Public, meaning within that sphere that I get on Twitter or Mastodon. I never get that in Slack. I always feel lost in Slack. So anyway, I didn’t realize we’re talking about Mastodon so much. But yeah, I do crave an alternative. Anyway, so I guess what I decided as I go [inaudible], I’m going to install the clients on my mobile devices and I’m going to try to start curating this more. And so basically now, I’m spending time on Twitter and multiple Mastodons and I’ll go see how long that’s…
AUDREY: I try to check everything twice a day.
CHRISTIE: So if anyone has editions of cool Mastodons I should join, let me know.
AUDREY: I do like that the different instances do form their own communities, that there is a local feed like that, that collects things together.
CHRISTIE: That is something I had when I was dialing into BBSs and I’ve never had since and I miss it. If Mastodon becomes that…so it got me and it’s like I started wanting one for work. I’m like, “Okay, I’m not going to convince day job. This is just not going to happen.” But then I thought, “Okay well…could I…where are the other communities I connect with where we could set this up and let people use it or whatever.”
AUDREY: I have thought about doing a Recompiler one.
CHRISTIE: I would love it. Let’s do it.
CHRISTIE: Let’s make a working session, get it going together.
CHRISTIE: Or let me know if you want help. No, we have to do it together.
AUDREY: We should totally sit down and do it. We can document it. But I think that it is a good fit for that kind of thing, for a specific community to put together an instance to post together, have conversations. I see memes and jokes and there’s a particular style of joke that only happens on Mastodon because it has content warnings. So you can start the joke in the subject line and continue it after the content warning button.
CHRISTIE: I’ve noticed some people seem to use that for everything they post.
AUDREY: The content warnings?
AUDREY: Yes, some folks really prefer it because they find it more scannable, more readable when people do that.
CHRISTIE: Unless you click, click, click, click.
CHRISTIE: And when you send it at Mastodon, you can choose whether or not to federate it to the rest the world, right?
CHRISTIE: Part of me really wants like a ‘friends’ one that’s not federated. So that I don’t have to worry about having my account locked down, but the whole ecosystem is locked down.
AUDREY: I think that would be doable. I mean, you decide which ones you want to federate with anyhow.
CHRISTIE: That’s the other thing I want is I want…but the user can’t decide what is on our federated timeline, right?
AUDREY: Not directly. There are some things you can do to affect it.
CHRISTIE: Maybe I just need a personal Mastodon server.
CHRISTIE: Okay, I guess I got some experimenting to do.
AUDREY: Yeah. There was one other thing about Twitter that we read about how he posted about how he’s been on Twitter kind of as long as we have, I think. And he’s done, deleting his tweets. Moving on to other things. I think it was just good for encapsulating kind of the shape of long-time user’s experience, how things have changed.
CHRISTIE: Yeah. Longer than me on the site. 2006 when it just sent texts to your phone. And then he got added sort of not with his permission and actually had to e-mail Biz directly to be like ‘take my phone number out of here’ because he was getting woken up in the middle of night.
AUDREY: Yeah, I think I joined during the very simple web version of this.
CHRISTIE: I think I joined like March 2008. So, later than you. I hadn’t heard about it until I moved up here.
AUDREY: And there was a big crowd of Portland people who had moved off of a couple of different group blogs and things.
AUDREY: Yeah, who had all joined kind of at the same time.
CHRISTIE: And I feel like there might have been Portland people that went to South by Southwest and then got on Twitter sort of around there.
AUDREY: Yeah, that was a factor too.
CHRISTIE: All right. Oh, one other thing I want to mention, back to the whole ‘things won’t change until there’s a business incentive to do it’. We already know this because Twitter has the ability to block hate speech and people who promote it in the countries where that is mandatory by law.
AUDREY: They’ve already done the work. They just don’t want to use it.
CHRISTIE: They’re taking a principled stand in the wrong direction. I’m getting mad all over again about it.
Okay. In Episode 57…wow, we’re at Episode 70. I think I forgot to say that at the top. In Episode 57, we talked about encrypted DNS. There’s basically three ways to do it and one of them is DNS over HTTPS, DoH, and just to kind of remind folks how that works. And here I’m quoting from the Ars Technica article that we mentioned in that episode, “Requests are sent as an HTTP POST or GET with queries in DNS message format (the datagram used in conventional DNS requests) or as an HTTP GET request using JSON (if you like your DNS with extra overhead). And there’s no issue here with certificate management. Just as with normal HTTPs Web traffic, no authentication is required to connect over DoH, and certificate validity can be verified by certificate authority.”
The reason I’m bringing this up is that right now, Mozilla is running…not an experiment. They’re calling it a shield study. Is that a common term, Audrey? Have you heard that before?
AUDREY: No, I haven’t heard about before. I don’t know, though. Maybe it’s a UX term.
CHRISTIE: By shield study, they basically mean there’s some studies that they run automatically in Firefox Nightly and others that they do prompt the user to opt-in. So basically, they’ve added DNS over HTTPS support in Firefox 62. So that’s sort of the first part of the effort. And then they say the second part of their effort focuses on building a default configuration for DoH servers that puts privacy first. So, when the study is active — and it may already be active, some of this news is a little bit old — Firefox Nightly will use CloudFlare’s secure DNS over HTTPS service. The first study will test whether DoH’s performance is up to the task.
This popped up in my Twitter and when I was trying to track it down, I was like, “Why is this popping up now?” Because this announcement was actually back at the end of May, but it seems like someone just sort of paid attention to it again. And so there’s this blog post titled: Mozilla’s new DNS resolution is dangerous. And their primary complaint is the use of CloudFlare, is a US company. It’s also venture-backed which they didn’t talk about but that’s what I would want. That’s one of the things I would talk about. And so turning that on as a default, basically providing a lot of information about people using Firefox to CloudFlare. And then they talk about single point of failure. I don’t know how much that’s an issue.
AUDREY: I think the aggregation is more of the deal. It seems like when they’re asking or when they’re saying that the study that they’re doing is about the performance, part of what they’re asking is can we send all of the DNS traffic to a single service and have it work correctly?
CHRISTIE: Yes. It’s not just single service but it’s DoH itself, at least that’s what I thought.
AUDREY: Whether it’s fast and responsive enough.
CHRISTIE: Right, because that was one of the things that we talked about in Episode 57 is that there is an overhead. We’ll use the default resolver as we do now, but we’ll also send the request to CloudFlare’s DoH server. Then we’ll compare the two to make sure that everything is working as we expect.
So it’s probably multiple factors, not just speed. It’s not the default now. You can go into About config and change things. You can use a different DoH server. But it’s pretty clear that they’re looking to identify a default configuration for this.
A couple of things kind of came up for me. One, I’m kind of a mind that I think there’s advantages to DNS over HTTPS, but also part of me still wants to look at the operating system level, not just at the browser. Because it’s possible, I am very much in the minority of this now but I still use lots of clients that are not the browser. And so, I want encrypted DNS for those things too. And then there’s the overhead of it. And then I’m not entirely trustful of CloudFlare either for a couple of different reasons.
AUDREY: Sure. We’ve talked about some problematic stuff in the past.
CHRISTIE: And I looked up their funding, they’re venture-funded. And then because one of the things at Mozilla, we have a very strong privacy contractual agreement with CloudFlare. And I just told them, “Well, you also had agreements with Yahoo.” And then Verizon bought them and now there’s this company called Oath and you’re suing each other. Companies get bought, things change.
AUDREY: And if they ever have access to the data, there’s only so much that you can do to control whether they continue to have access to it.
CHRISTIE: Right. It also got me thinking about the economics involved and that’s something that at this point, I’ve become very suspicious of any service that gives away a lot of stuff for free. Like there’s always an incentive to do that, what is it? And CloudFlare has been giving a lot of stuff for free and so I started thinking, “Well, what is being the default?” It’s also my knowledge that a big part or the main way that Mozilla has been funded is by selling the default position in search. So, this to me looks like a possible parallel to that.
AUDREY: Are they selling the default DNS configuration?
CHRISTIE: Right. I don’t know that they are. I have no insider knowledge. I’m not necessarily saying that’s bad. I would just like to know. And I started thinking, “Does CloudFlare gain value from being that provider? Does having that body of information tell them anything?” I don’t know. It’s a kind of market share, and this is a new standard. I think it’s basically Google and CloudFlare that support it so far. I don’t know if there’s others.
AUDREY: The thing that I saw said they’re only going to hold on to 24 hours worth of requests, something like that. So, nobody can go back and dig through your history. I always wonder about the details of those agreements. Does that mean that they are absolutely holding on to nothing or have they allowed themselves the ability to aggregate, to count what people are looking at? And those things have different implications, too.
CHRISTIE: And it also doesn’t stop the government from intercepting that information and storing it themselves or another third party. It got me curious if that becomes the default for all Firefox users, how does that impact EU Firefox users and how does GDPR come into play. That I didn’t find any answer for yet, either.
AUDREY: Yeah, because that would be a kind of personal data.
CHRISTIE: I would think so.
AUDREY: IP logs are then. This has to be. It’s interesting. And aside from what we’ve talked about before, I haven’t seen a lot about implementing DNS over HTTPS and people making a move toward doing that more generally.
CHRISTIE: I don’t know if any of the other browsers are trying this yet.
Anything else about that?
AUDREY: No. I think every time we talk about DNS, there’s this certain amount of skepticism because it’s very critical. It has lots of frailty in various places. So, everybody wants to improve on it. We all want to see it work better to be safer, more private. All these kinds of things. But the very nature of the service makes that complicated.
CHRISTIE: Any time there’s sort of an evolution, there’s going to be a land grab too. And so, we’ve got a couple of competing specs and offerings also too and that’s still very much being worked out. I’m interested to see how this evolves.
So, some things we love on the internet this week. What have you got, Audrey?
AUDREY: We talked about the weather.
CHRISTIE: Which is not a thing we’ll ever love.
AUDREY: No. But when it gets really hot like this, I think about how Oregon’s lakes and rivers are very cold. And so to me, one of the best things that I could do if I didn’t need to sit here at the computer, would be to go lie in the lake or float on a river or something like that. That sounds really great. And because I can’t just ditch in the middle of the week and do that all the time, or sometimes I can, but since I can’t do it all the time, I really enjoy watching things like this Bear Cam where we can see bears doing what I’d like to be doing right now.
CHRISTIE: It’s loading very slow. It must be windy there. Oh, I see a bear! There’s a bear on the shore, kind of facing away from the camera.
AUDREY: When I had it open earlier, there were two of them just sort of bobbing along.
CHRISTIE: So they fish, right? That’s one of the things they do with rivers and then they also just like cool off and play too?
CHRISTIE: Oh, what was that? Just some splash in the water. Are these seagulls? What are these birds?
AUDREY: Yeah, those look like seagulls.
CHRISTIE: It’s amazing how far inland they can get.
AUDREY: Well, they come all the way to Portland all the time.
CHRISTIE: Yeah. So this is the Katmai National Park in Alaska.
AUDREY: And there’s a couple of these.
AUDREY: Another popular one where you can watch them fishing out of waterfall.
CHRISTIE: The camera just moved. That’s why I went ‘whoa’. Someone must be…
AUDREY: I think a lot of these have at least part-time camera operators.
CHRISTIE: I keep seeing these splashes. Is a fish splashing out of water?
AUDREY: That on went in a different direction though. I don’t know.
AUDREY: That bear is just sitting there. You said earlier, there were two of them just sort of bobbing along in the lake and I thought, “Oh, that just looks so good.”
CHRISTIE: All right. So my thing is a little bittersweet. Jerry Weinberg passed away this week. Jerry is a very prolific writer on consulting and technology and systems thinking and all kinds of really interesting stuff. And so, him passing away is not the thing I love on the internet but he has a Leanpub where you can get a lot of his books. And so, that’s the thing that I wanted to mention. And he also has a blog to which all linked to. But if you haven’t seen any of his books, check him out.
AUDREY: Is there a particular one that you’d recommend?
CHRISTIE: I read his Secrets of Consulting book. I haven’t read a lot of his other. And there’s another one on problem solving in general called Are Your Lights On? So, those are the ones I’ve read personally. I haven’t read any of those system stuff yet. And yes, he has a blog, so you can kind of get a sense of his style in the blog. But anyone who’s ever asked me about pricing and consulting, the main thing I [inaudible] is actually from his Secrets of Consulting book. And I just really appreciate his style. It’s not informal. It’s just very like down to earth and just with a lot of good information. So check that out.
All right. I think that’s our show this week. Next week, we’re going to record in a slightly different time. Well, not slightly. Totally different day. We’re going to record in the afternoon on Thursday.
AUDREY: But we’ll post the thing on Twitter.
CHRISTIE: Yeah. All right. And hopefully, it’ll be a little cooler, probably not.
AUDREY: I think we get like two days of better weather and then it’s awful again. But I am going to take myself to a mountain creek.
CHRISTIE: Oh, good
AUDREY: And stick my feet in, at least. So, I’ll get to cool off a little bit.
CHRISTIE: All right. Well, enjoy that Audrey and thanks for joining me again. Have a good week, everyone.
CHRISTIE: And that’s a wrap. You’ve been listening to The Recompiler Podcast. You can find this and all previous episodes at recompilermag.com/podcast. There you’ll find links to individual episodes as well as the show notes. You’ll also find links to subscribe to The Recompiler Podcast using iTunes or your favorite podcatcher. If you’re already subscribed via iTunes, please take a moment to leave us a review. It really helps us out. Speaking of which, we love your feedback. What do you like? What do you not like? What do you want to hear more of? Let us know. You can send email feedback to firstname.lastname@example.org or send feedback via Twitter to @RecompilerMag or directly to me, @Christi3k. You can also leave us an audio comment by calling 503 489 9083 and leave in a message.
The Recompiler podcast is a project of Recompiler Media, founded and led by Audrey Eschright and is hosted and produced by yours truly, Christie Koehler. Thanks for listening.