[conspire] Scary Kaminsky News

Rick Moen rick at linuxmafia.com
Thu Jul 24 17:06:23 PDT 2008


Quoting Edward Cherlin (echerlin at gmail.com):

> http://news.cnet.com/8301-1009_3-9998906-83.html
> Kaminsky said the word is getting out about the patches, but there are
> still many systems that are vulnerable. From the period of July 8
> through July 13, 86 percent of the people testing their system on his
> Web site were vulnerable. Today it's 52 percent. "Not perfect; not
> even good enough," he said. But "I'll take 52 any day of week and
> twice on Sunday."

Making a very long story short-er, this really isn't news to anyone
who's been following research into the state of the global DNS over the
past few years.  I heard one of Dan Kaminsky's talks, live, at the
Dec.(?) 2006 LISA conference in San Diego, where he gave one of his
periodic updates:  It was clear, even then, that:

1.  There is a scarily large amount of obsolete and/or grossly broken
    nameserver software deployed in critical infrastructure roles, 
    notably a scarily large percentage of the world's public DNS
    being still operated on BIND8.  Some but not all of the latter
    is BIND8 on MS-Windows.
2.  Bad craziness with cache poisoning was already occurring on a 
    global scale, here and there -- something Kaminsky didn't want 
    to say much about at the time, for obvious reasons.

Given the above, it was obvious that a huge number of sites out there,
and thus a large fraction of the global DNS infrastructure, had gotten
into very bad shape through sheer neglect and lack of attention to
fundamentals -- nameserver sites set up long before and left on
autopilot, mostly.  

So, I aggree with Dan:  That sort of improvement on the sites checking
against his CGI is encouraging.  However, remember that the sites
bothering to check are themselves a small fragment of the total sites
out there:  You're already self-selecting for caring about security and
being aware of problems.  

Anyhow, perhaps you now see part of the justification for my
recommendation to completely eschew (most) ISP nameservers.  Frankly, I
honestly don't understand continued reliance on _any_ third-party
nameservers you haven't checked really thoroughly (e.g., my being just a
little lazy and deciding I trust Raw Bandwidth Communications very 
thoroughly).  It's just so very easy to run a local caching
recursive-resolver daemon, and has such obvious benefits, that it seems
really dumb not to.

> I knew that large Internet companies were largely clueless on
> security, among other things, but this is scary. Most systems wore
> supposed to be able to apply the patch automatically. What did these
> other loonburgers do?

Collect $200 and pass go?  ;->

Afterthought on my prior recommendations:  In addition to what I said,
_now_ do people understand why being incredibly suspicious of changes to
SSL certificates and SSH host keys should be routine?   _Now_ are you
going to do the smart thing and carry around copies of your SSH
known_hosts file (etc.) on a USB keydrive?

(I hadn't until now put information about my Web server's self-signed 
certificate into my PalmPilot -- but I did have its SSH host keys in my
PalmPilot and in the copy of known_hosts in my USB keydrive.)





More information about the conspire mailing list