GNU social JP
GNU social JP is a Japanese GNU social server.
Notices where this attachment appears

  1. Rob Ricci (ricci@discuss.systems)'s status on Monday, 28-Apr-2025 07:32:29 JST

    I was asked a really interesting question about whether the US government (or others, but we all know why people are worried about the US right now) could seize domain names, and what would happen if they did.

    This is:

    * An excellent question
    * Quite important to answer
    * Probably impossible to answer in practice

    :thread: 1/?

    Let's dig in, based on what I know (which to be clear is mostly on the technical side, I don't know a lot on the legal side; I invite additional information added or corrected by people with more knowledge):

    The question here is about the vulnerability of the DNS to government-level attacks. I am going to limit the scope of this post to the DNS; there are plenty of potential nation-state attacks on the Internet, I can't talk about all of them nor am I qualified to.

    The good news is that this is, in fact, the kind of attack that people have thought about quite a bit when designing and deploying these systems. That does not, however, mean that they are invulnerable to it or that there are not hidden dependencies or vulnerabilities - and honestly the reason why this question is impossible to answer is that there are probably enough hidden dependencies that we just don't know what will fail until (if) somebody tries it.

    If someone tries to seize domain names, either one at a time or in bulk, the direct point of attack would be against the domain registrars; these are the entities who you pay to register the name, and who maintain the top-level information about them, such as whose name they are registered in, the contact information for those parties, and which DNS servers are authoritative for providing further information about those domains. Note that those DNS servers *may* be provided by the registrar, but they don't have to be. More about domain name registrars here: https://en.wikipedia.org/wiki/Domain_name_registrar

    So what's the attack? The government tries to force the registrar to either de-register the names, or re-register them to another party. They would do so by applying legal pressure on the registrar.

    This is one place where there is probably a very thorny legal question: who *owns* the domain name, really? Does the registrar own it? Does the registrant own it? There may be law on this, but I'm not aware of it; I do know that there have been cases regarding trademark law to reassign domain names, some of which have been successful. I'd love (for some definition of "love") to learn more here if folks have good sources to contribute.

    The good news on this front is that there are lots of registrars. Tons. One would assume that a government would have the most leverage, by far, against registrars in their own jurisdiction. Registrars are, however, spread out all across the world, and most domains are portable across registrars - you can move your domain to a different registrar just like you can move your mobile phone number to a different carrier in many (most?) countries. Most TLDs (the last bit in the domain name, such as .com, .org, .social, etc.) are handled by a large number of registrars. So, for most domain names, there is a fairly straightforward step to take for protection: transfer the domain to a registrar outside the jurisdiction you are concerned about. There is, for example, no registrar one can go to in order to seize all .com domains for a given country. (Some TLDs have different rules, but I'm not going to get into that here.)

    Basically, attacking this at a large scale is not impossible, but it would require a lot of resources and can only move so fast, giving domain name owners a chance to try to take proactive steps. It could certainly be disruptive, and targeted attacks against certain domains are possible, but there is enough resiliency that it's very, very hard to snatch the whole thing in one go.

    So, let's go deeper: who gives the registrars the ability to register individual domain names?

    In fact, let's go straight to the root: IANA: https://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority . This is the standards organization that administers the list of TLDs and the information in the root DNS servers. It is international; that probably makes it hard for individual governments to assert control over it, though it's hard to say, maybe it means any member is a point of vulnerability instead. IANA more or less delegates responsibility for administering specific TLDs to other organizations; for example, .com is administered right now by Verisign: https://en.wikipedia.org/wiki/.com . Those organizations are themselves a potential point of vulnerability for seizing individual domain names; the system overall does have enough resiliency built in that if one domain name is seized, this does not prevent the person or organization that registered it from getting a new domain name in a different TLD: this is commonly done by sites that are not legal in certain jurisdictions, for example.

  2. Esther Payne :bisexual_flag: (onepict@chaos.social)'s status on Sunday, 05-Jan-2025 02:09:32 JST

    I'm going to take a copy of my archive and do some spring cleaning on mastodon with some auto deletion tomorrow. Some long term stuff will stay but other stuff will go.

    So if you've bookmarked some of my witterings take a copy.

  3. Evan Prodromou (evanprodromou@evanp.me)'s status on Sunday, 17-Nov-2024 04:22:43 JST
    How to register just enough domains

    I have a problem with registering domains. When I have an idea for a Web site, software project, organization, or sometimes just a pun or joke, I’ll go on a domain registrar site and see what related domains are available. I’ll brainstorm a bit in the search screen to try some different options for names or top-level domains, and if I find something in my price range, I’ll buy it, even if I’m not going to use the domain right away.

    This leaves me with a portfolio of unused domains that are like reminders of unfulfilled dreams. Ah yes, the Web site for the Frito pie restaurant I never made. Oh, right, I was going to start a social network for people in the Plateau de Montreal. Each year, as the renewal deadlines come up, I have to decide if I’m going to give up this little dream, or give myself another year to get started.

    The fact is, I just don’t have the time or the energy to make as many social networks or Web sites or joke URLs as I’d like. I have a full-time job, a family, and existing responsibilities at the Social Web Foundation, CoSocial.ca, and the Social Web Community Group. I can’t spend money on dreams I’m not fulfilling, just because I’m afraid to let them go.

    So, I’m trying to change my habits and come up with a new strategy for using domains. It’s aspirational for now, but I hope I can use it to reduce some of my personal expenses on new domains and domain renewals. I’m sharing it here with you partially in hope that it can be useful, and partially to hold myself to the strategy.

    Domain strategy
    1. Register a short, personal domain name. I know, this probably doesn’t seem like a great first step, but bear with me! This domain is going to be the basis for a long term presence. Also, it’s a chance to get it out of your system, and put those domain registration superskills to use one last time. Use something that represents yourself, as a person, not a company or your personal consulting firm or design agency or whatever. I use https://evanp.me/ , which I registered a while ago specifically for this purpose.
    2. Assign the root domain to a content-management system. For me, that’s this WordPress blog. Other people might want to use Drupal or Jekyll or a wiki or some other publishing system. You can even use plain old HTML, if that’s how you want to fly. The important thing is that you need to be able to create new pages on a path you like — preferably of arbitrary depth, but at least with user-defined pathnames.
    3. When you want to register a domain for a new static website, make a page on the root domain instead. OK, now we’re into the part where we’re actually saving money. When you get an idea for a Web site, and you start searching for domain names, stop doing that. Instead, create a page on your personal CMS. So, for example, when I wanted to register a new domain for the ActivityPub book I wrote, I instead created a page at https://evanp.me/activitypub-book/ . This has two benefits. First, it keeps me from registering a domain for a project I’m not even going to start. Second, it keeps me from burning up all my creative energy on domain-buying, and gets me to use whatever momentum I have to write a first draft of the page I need, and possibly either share it out on my blog or on my social network presence(s). Note that using a short domain puts more emphasis on the page’s path than on the domain.
    4. When you want to register a domain for a new Web service, use a subdomain of your personal domain name instead. There are a lot of Web applications and services that need specific server-side code and databases and can’t be run as a page on a WordPress site — like a Mastodon server, a MediaWiki site, or a NodeJS application I made up. A lot of people will never need to do this; as a software developer, this is something I do all the time. When I need to make a server that can’t run within WordPress, instead of registering a new domain, I create a domain name for my service that is a subdomain of my personal domain. So, if I want to set up a Mastodon server (I don’t, right now) I’d make a subdomain at social.evanp.me and use it for the server. The benefit here is that I have a domain name to start off with, and also I don’t worry about starting to use it until I actually have a server available. One particular trick that has worked well for me is to use a wildcard DNS record that points to a Kubernetes cluster ingress. I can use the ingress to route between services, without having to create or update the subdomains. It saves a couple of steps in this process.
    5. If a project needs to become independent, register a domain and move to it. This is the safety valve that lets me feel OK about not using the “right” domain for a project from the outset. Of course, “needs to become independent” is hard to specify objectively, but some good rules of thumb are whether there are enough collaborators that I don’t feel comfortable giving them an account on my personal blog, or if the people who use the service or page ask why it’s still linked to my personal domain. At the point when a domain is actually needed, I can go register it, move the service or content to use it, and then use URL redirection to move traffic from my personal site or service to an independent one.
      Having this as an option lets me worry a lot less when starting a new project. There are also so many top-level domains (TLDs) available today that I don’t feel like I have to grab a domain just so it doesn’t get squatted by others. It’s OK to use one of the less popular TLDs if the project is becoming its own thing.

    So, that’s it. Have a personal domain, put a CMS behind it, use that for publishing static pages, use subdomains of it for standalone services, and register new domains only when you need to. I think this kind of strategy is inherent in the idea of having “your own domain”, and a lot of people follow it to a greater or lesser degree, but I wanted to spell it out fully to make it clear to myself how I would deal with different circumstances.

    Let me know if you have other tips for reducing your domain registration spending by committing to a good personal domain.

    #domains #spending

  4. Tobias Hellgren (thanius@thanius.chuggybumba.com)'s status on Saturday, 25-May-2024 17:23:46 JST

    It’s been a while since I’ve written any long form posts. To remedy this, I’ve now installed the WordPress app on my phone so that I can post on the go.

    So, what’s been up lately? Well, for starters, we’re getting a dog! It’s still some weeks away, since doggo’s only a couple of days old. She was born on May 14th and her current name is Fia-Lotta, although I’m not too keen on that name so we’re thinking of renaming her once she gets home. The name candidates are Lexi, Chili, Hilda and Cilla. She’ll be ready for pickup in the middle of July, we can’t wait for her to join our family!

    Our newborn pup

    What else, what else… Oh! I’m off to see Bruce Dickinson in Stockholm and Gröna Lund on June 11th! It’s going to be awesome. Even though his latest album ain’t no Chemical Wedding, it still has some bangers. Also it’s likely that they’ll play some classics as well. Anyway, as soon as I heard about the concert I booked all the tickets immediately. I wasn’t sure if any of my friends were going, but it seems like I’m getting some company after all – one of my best mates even booked in the same hotel! Did I mention it’s going to be awesome?

    Promotional photo of Bruce Dickinson for the album The Mandrake Project

    In other news, my birthday was this week! Yes, you’re now looking (?) at a 41 year old fart. It was quite low key since I’m not too excited over birthdays that aren’t major milestones, like last year. I was happy that my wife got me the NES game Micro Mages on physical cart, as well as a rechargeable air duster and a HDD Clicker. Unfortunately, the HDD Clicker doesn’t seem to like the LED signal from my 486 (it was clicking non-stop), so it will have to live in my Pentium 2 instead. And for those who haven’t heard of Micro Mages, it’s an awesome arcade platformer with some tiny mages scaling towers full of baddies. It’s amazing how they managed to fit everything in just 40 kilobytes, there’s a great video on YouTube explaining how they did it.

    Micro Mages by Morphcat Games

    How can I have such a thoughtful wife that knows exactly what I wanted? Well, I just gave her the link to my nifty Wishlistr.

    Until next time:

    l i v e    f a s t    e a t    t r a s h

    https://thanius.chuggybumba.com/2024/05/25/its-a-baby/

  5. Mighty Sisserou 🇩🇲 (mightysisserou@blacktwitter.io)'s status on Tuesday, 06-Feb-2024 22:26:15 JST
    in reply to

    People ask for rights, this is your history of action:

    https://en.wikipedia.org/wiki/Sharpeville_massacre

    Your behavioural pattern as a group of "Superior Beings". So "civil" you are.

    You all do the same shit everywhere you go.

    So of course, you're unbothered when the same types of shit are done to Palestinians.

  6. Tanya (solderandchaos@mastodon.me.uk)'s status on Sunday, 09-Jul-2023 15:59:28 JST

    I mentioned to my PhD chat group buddies that it’d be lovely to see them on Mastodon, and some have agreed to give it a go.

    So I’m asking for help. In advance of them arriving, I’d love to be able to point them at this post and replies to find their connections. Are you doing a #phd too? What’s it about? Have you just finished one and have some advice?

    [edit: mine's about getting kids interested in data science at school]

    Could you help me find as many PhD researchers as possible?

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.