[conspire] Scary Kaminsky News
rick at linuxmafia.com
Thu Jul 24 17:06:23 PDT 2008
Quoting Edward Cherlin (echerlin at gmail.com):
> Kaminsky said the word is getting out about the patches, but there are
> still many systems that are vulnerable. From the period of July 8
> through July 13, 86 percent of the people testing their system on his
> Web site were vulnerable. Today it's 52 percent. "Not perfect; not
> even good enough," he said. But "I'll take 52 any day of week and
> twice on Sunday."
Making a very long story short-er, this really isn't news to anyone
who's been following research into the state of the global DNS over the
past few years. I heard one of Dan Kaminsky's talks, live, at the
Dec.(?) 2006 LISA conference in San Diego, where he gave one of his
periodic updates: It was clear, even then, that:
1. There is a scarily large amount of obsolete and/or grossly broken
nameserver software deployed in critical infrastructure roles,
notably a scarily large percentage of the world's public DNS
being still operated on BIND8. Some but not all of the latter
is BIND8 on MS-Windows.
2. Bad craziness with cache poisoning was already occurring on a
global scale, here and there -- something Kaminsky didn't want
to say much about at the time, for obvious reasons.
Given the above, it was obvious that a huge number of sites out there,
and thus a large fraction of the global DNS infrastructure, had gotten
into very bad shape through sheer neglect and lack of attention to
fundamentals -- nameserver sites set up long before and left on
So, I agree with Dan: That sort of improvement on the sites checking
against his CGI is encouraging. However, remember that the sites
bothering to check are themselves a small fragment of the total sites
out there: You're already self-selecting for caring about security and
being aware of problems.
Anyhow, perhaps you now see part of the justification for my
recommendation to completely eschew (most) ISP nameservers. Frankly, I
honestly don't understand continued reliance on _any_ third-party
nameservers you haven't checked really thoroughly (e.g., my being just a
little lazy and deciding I trust Raw Bandwidth Communications very
thoroughly). It's just so very easy to run a local caching
recursive-resolver daemon, and has such obvious benefits, that it seems
really dumb not to.
> I knew that large Internet companies were largely clueless on
> security, among other things, but this is scary. Most systems were
> supposed to be able to apply the patch automatically. What did these
> other loonburgers do?
Collect $200 and pass go? ;->
Afterthought on my prior recommendations: In addition to what I said,
_now_ do people understand why being incredibly suspicious of changes to
SSL certificates and SSH host keys should be routine? _Now_ are you
going to do the smart thing and carry around copies of your SSH
known_hosts file (etc.) on a USB keydrive?
(I hadn't until now put information about my Web server's self-signed
certificate into my PalmPilot -- but I did have its SSH host keys in my
PalmPilot and in the copy of known_hosts in my USB keydrive.)
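A concrete form of the host-key check recommended above, added here as an example and not code from the thread: it compares a key offered at connect time against an offline copy of known_hosts, handling both plain and HashKnownHosts-style hashed entries. The host names, key blobs and salt are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host_field(host: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style '|1|salt|hmac-sha1' host field."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma list or hashed) names host."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hashed_host_field(host, salt), field)
    return host in field.split(",")

def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """'match', 'changed' (host known, different key of this type) or 'unknown'."""
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        if not host_field_matches(parts[0], host) or parts[1] != keytype:
            continue
        seen_host = True
        if hmac.compare_digest(parts[2], key_b64):
            return "match"
    return "changed" if seen_host else "unknown"

# Constructed sample data: the trusted offline copy and two made-up key blobs
# (arbitrary bytes, not real SSH keys).  The hashed entry uses a 20-byte salt.
KEY_WEB = base64.b64encode(b"constructed-key-for-www.example.net").decode()
KEY_SHELL = base64.b64encode(b"constructed-key-for-shell.example.net").decode()
TRUSTED_KNOWN_HOSTS = "\n".join([
    "# trusted copy carried on the USB keydrive",
    "www.example.net,192.0.2.10 ssh-rsa " + KEY_WEB,
    hashed_host_field("shell.example.net", b"0123456789abcdef0123")
    + " ssh-ed25519 " + KEY_SHELL,
])

if __name__ == "__main__":
    print(fingerprint(KEY_WEB), check_host_key(TRUSTED_KNOWN_HOSTS, "www.example.net", "ssh-rsa", KEY_WEB))
```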