Paul Vixie Responds To DNS Hole Skeptics

syncro writes "The recent massive, multi-vendor DNS patch advisory related to DNS cache poisoning vulnerability, discovered by Dan Kaminsky, has made headline news. However, the secretive preparation prior to the July 8th announcement and hype around a promised full disclosure of the flaw by Dan on August 7 at the Black Hat conference has generated a fair amount of backlash and skepticism among hackers and the security research community. In a post on CircleID, Paul Vixie offers his usual straightforward response to these allegations. The conclusion: 'Please do the following. First, take the advisory seriously — we're not just a bunch of n00b alarmists, if we tell you your DNS house is on fire, and we hand you a fire hose, take it. Second, take Secure DNS seriously, even though there are intractable problems in its business and governance model — deploy it locally and push on your vendors for the tools and services you need. Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.'"
  • Re:I'm not worried (Score:1, Insightful)

    by queldor ( 1184789 ) on Tuesday July 15, 2008 @08:14AM (#24194113)
    Are you going to remember IP address in IPv6 also? Seems to me that DNS will become more important.
  • by hal9000(jr) ( 316943 ) on Tuesday July 15, 2008 @08:17AM (#24194127)
    this [informationweek.com] article at information week said it best the day after the announcement.

    Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad"
  • by wild_quinine ( 998562 ) on Tuesday July 15, 2008 @08:35AM (#24194233)
    ... and IT admins make the worst end users.

    Knowing how to run a system is not purely technical knowledge, it's also a measure of professional ability. That means knowing when to take advice, and knowing who to take it from.

  • by Goaway ( 82658 ) on Tuesday July 15, 2008 @08:45AM (#24194325) Homepage

    So, you figure eighty vendors coordinated a simultaneous patch for some issue that is not really a big deal, probably just some guys vying for attention?

  • by tyler.willard ( 944724 ) on Tuesday July 15, 2008 @08:46AM (#24194329)
    Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)

    Sure you would; and the blame for any damage would be blamed on who made the disclosure.

    There is nothing wrong with how this was/is being handled. Limited disclosure with a solid and "reasonable" deadline is a perfectly fine way to balance the myriad issues with security threats.
  • by Anonymous Coward on Tuesday July 15, 2008 @08:50AM (#24194359)

    Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad"

    I don't want "irresponsible disclosure". I don't want to be vulnerable, while major corporations get to do marketing damage control. They had a hole. Ok, everyone makes mistakes. They found the hole. Great, then we can do something about it. Or not, because they kept quiet about it while secretly writing the fixes. They kept quiet about it for long enough that even Microsoft had fixes ready.

    Meanwhile, people's DNS servers have been exploitable. Yes, they were exploitable before that, but no good guys knew, and bad guys tend to keep information to themselves, so they can keep expanding their botnets.

    But at least their image wasn't damaged by "you don't even have a patch yet? How many months is it going to take? (See Microsoft Internet Explorer)". The only victims were unsuspecting customers, who didn't turn the damn thing off (or at least replaced it with something like djbdns), because they weren't told that it was broken in the first place.

    The "good guys" kept the information to themselves, until they had done their part. Just like the bad guys do. So where's the difference between the bad guys and the "good guys"?

    Paul himself compared it with a house being on fire. If your neighbour's house was on fire, would you be working in secret to fireproof the fence, and then tell your neighbour a few days later, "oh, btw, your house is on fire, started a couple of days ago. Here's a fire hose, see if anything can still be saved"?

    They didn't take the hole seriously enough to warn us before "marketing damage control" was done. Why should we take it more seriously?

  • by SlappyBastard ( 961143 ) on Tuesday July 15, 2008 @09:00AM (#24194471) Homepage

    All paranoid theories about this issue sort of ignore the fact that unless you plan to install hundreds (or even thousands) of systems from your own compiled source for years and years to come, all of this discussion is at best academic.

    The new distros are going to have the patch.

    And really, considering the number of prehistoric vulnerabilities that should have been patched, that this one is finally getting patched is fine.

    Yeah, there's a bit of "trust me" factor here with this patch, but a lot of good people are putting their credibility on the line for this patch.

    All of this whole FOSS thing entails a lot of trust. I mean, you're really telling me that everyone on here whining about the need to see the source code has read every line of code in every OS they're using? There is a level at which we're all sort of hoping that the guys interested in each of the particular parts of the OS have done a thorough job in their separate efforts.

  • Re:I'm not worried (Score:4, Insightful)

    by Atti K. ( 1169503 ) on Tuesday July 15, 2008 @09:09AM (#24194609)
    Where did you get that? From a (unpatched!) DNS server maybe?
  • by Talsan ( 515546 ) on Tuesday July 15, 2008 @09:28AM (#24194873) Homepage

    That same information ... puts the integrity of the entire infrastructure and, more to the point, the information security of a whole lot of people at tremendous risk.

    Extremist talk and dire predictions are great, but where have they gotten us in the past? Vixie claims that "Everything we thought we knew was wrong", but at the same time, we know that there are DNS systems and services that did not have this vulnerability, so obviously some people had already given this type of issue some thought.

    I'm not saying don't patch. --Security holes should be fixed, after all. But if you tell people a house is on fire when there are no flames and no smoke, don't be surprised when people are skeptical.

  • by pfleming ( 683342 ) on Tuesday July 15, 2008 @09:44AM (#24195155) Homepage Journal

    Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)

    Sure you would; and the blame for any damage would be blamed on who made the disclosure.

    There is nothing wrong with how this was/is being handled. Limited disclosure with a solid and "reasonable" deadline is a perfectly fine way to balance the myriad issues with security threats.

    Except Microsoft doesn't handle things this way. If this had been only a Windows issue we would have never heard about it. The fact that Open Source is vulnerable as well means that we will eventually know what the problems were and be able to look to see that it was fixed in the Open Source versions.

  • by Anonymous Coward on Tuesday July 15, 2008 @09:45AM (#24195163)

    From reading the comments on the matasano blog [matasano.com], I get a sneaky suspicion that the port randomisation is a mid-term workaround that they want everyone to get into place, before they reveal the actual hole (and fix, I hope). I don't think the port randomisation is the final fix...

    The fact that he says (emphasis mine):

    "So, as a temporary workaround, the affected vendors are recommending that Dan Bernstein's UDP port randomization technique be universally deployed."

    makes me think so even more.
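The source-port randomisation the comment quotes, shown as an added toy model (not code from the original post, from BIND or from djbdns): a resolver accepts a UDP response only when its transaction ID and destination port match an outstanding query for the same name, and `guess_space` shows how much wider that match space becomes once the source port is no longer fixed. The fixed port 53 and the ephemeral range 1024-65535 are assumptions of the model.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    """One outstanding query: 16-bit transaction ID, UDP source port, name asked."""
    txid: int
    src_port: int
    qname: str


class Resolver:
    """Constructed toy resolver keeping a table of outstanding queries."""

    def __init__(self, randomize_port: bool):
        self.randomize_port = randomize_port
        self.pending: dict[tuple[int, int], Query] = {}

    def send_query(self, qname: str) -> Query:
        txid = secrets.randbelow(1 << 16)
        # Pre-patch behaviour: every query leaves from one fixed port (assumed 53).
        # Patched behaviour: a random ephemeral port per query (assumed 1024-65535).
        port = secrets.choice(range(1024, 65536)) if self.randomize_port else 53
        q = Query(txid, port, qname)
        self.pending[(txid, port)] = q
        return q

    def accept_response(self, txid: int, dst_port: int, qname: str) -> bool:
        """Accept (and cache) a response only if txid, port and name all match
        an outstanding query; the matched entry is consumed so a second copy
        of the same response is rejected."""
        q = self.pending.get((txid, dst_port))
        if q is None or q.qname != qname:
            return False
        del self.pending[(txid, dst_port)]
        return True


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) pairs a forged response would have to match
    blindly: 2^16 with a fixed port, 2^16 * 64512 with the randomised range."""
    ports = 65536 - 1024 if randomize_port else 1
    return (1 << 16) * ports
```

The model illustrates why the advisory called port randomisation a workaround rather than a fix: it enlarges the match space but still relies on the response looking right, which is the property DNSSEC is meant to replace with a signature check.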

  • by tyler.willard ( 944724 ) on Tuesday July 15, 2008 @10:47AM (#24196263)

    This has nothing to do with any specific vendor or open source.

    This issue is about how and when independent researchers disclose a vulnerability they find.

  • by TubeSteak ( 669689 ) on Tuesday July 15, 2008 @11:23AM (#24196863) Journal

    All of this whole FOSS thing entails a lot of trust. I mean, you're really telling me that everyone on here whining about the need to see the source code has read every line of code in every OS they're using?

    There's a specific phrase to describe it, but it escapes me at the moment.

    Basically, when you have a crowd of people standing around watching someone get beat up, nobody steps in to help, because everyone assumes someone else will help.

    Verifying source code is somewhat like that: someone else will do it. The great thing about the internet is the crowd is so large that the few people, who would jump in no matter what, are always present.

  • by _Knots ( 165356 ) on Wednesday July 16, 2008 @12:18AM (#24208197)

    If I have to guess, it's because Vixie is associated with ISC, who makes BIND, and is hoping that ISC makes more money with the "ZOMG, run DNSSEC or you're all doomed!". Of course, Vixie has never shown any kind of restraint over DNSSEC, and has previously urged adoption of (prior) broken editions of the protocol that somehow passed muster at the IETF despite not living up to their claims.

    DJB may be a meanie, but he seems much more technically competent than Vixie. (I offer as evidence, again, the security records of vixie-cron and bind against djb's utilities, djbdns, and qmail.) Also DJB seems much more intellectually honest and aware of what's going on. Of course, that's just MHO.

    (For more lulz involving DNS, and proof that it isn't, even with DNSSEC, a trustworthy protocol, see Kaminsky's "suckets" work. Using an adversary-controlled DNS server, it's possible to use the "same origin policy" (which is based on DNS being trustworthy) to achieve arbitrary connections. The correct conclusion is that your naming scheme and authority (DNS) ought not try to say anything about the security properties of the entities it names.)
