[conspire] Scary Kaminsky News

Edward Cherlin echerlin at gmail.com
Thu Jul 24 22:57:19 PDT 2008

On Thu, Jul 24, 2008 at 5:06 PM, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Edward Cherlin (echerlin at gmail.com):
>> http://news.cnet.com/8301-1009_3-9998906-83.html
>> Kaminsky said the word is getting out about the patches, but there are
>> still many systems that are vulnerable. From the period of July 8
>> through July 13, 86 percent of the people testing their system on his
>> Web site were vulnerable. Today it's 52 percent. "Not perfect; not
>> even good enough," he said. But "I'll take 52 any day of the week and
>> twice on Sunday."
> Making a very long story short-er, this really isn't news to anyone
> who's been following research into the state of the global DNS over the
> past few years.

Well, unfortunately, that didn't include me. Somehow I thought that
sysadmins were talking about switching the infrastructure to IPv6 and
other up-to-date issues. I also had the idea that there were
organizations tasked to keep up with security threats and put out the
word on them. You know, CERT, maybe even Homeland Security? I guess
the Mainstream IT Media doesn't consider Apocalypse Tomorrow a story.
Um, hasn't anybody considered legal liability?

> I heard one of Dan Kaminsky's talks, live, at the
> Dec.(?) 2006 LISA conference in San Diego, where he gave one of his
> periodic updates:  It was clear, even then, that:
> 1.  There is a scarily large amount of obsolete and/or grossly broken
>    nameserver software deployed in critical infrastructure roles,
>    notably a scarily large percentage of the world's public DNS
>    being still operated on BIND8.  Some but not all of the latter
>    is BIND8 on MS-Windows.
> 2.  Bad craziness with cache poisoning was already occurring on a
>    global scale, here and there -- something Kaminsky didn't want
>    to say much about at the time, for obvious reasons.
> Given the above, it was obvious that a huge number of sites out there,
> and thus a large fraction of the global DNS infrastructure, had gotten
> into very bad shape through sheer neglect and lack of attention to
> fundamentals -- nameserver sites set up long before and left on
> autopilot, mostly.
> So, I agree with Dan:  That sort of improvement on the sites checking
> against his CGI is encouraging.  However, remember that the sites
> bothering to check are themselves a small fragment of the total sites
> out there:  You're already self-selecting for caring about security and
> being aware of problems.

I don't think it's that bad. This is the percentage of _users_
checking whether their ISPs are pwnable. I gather that it is the few
largest and most clueless providers that are the main problem, like

> Anyhow, perhaps you now see part of the justification for my
> recommendation to completely eschew (most) ISP nameservers.  Frankly, I
> honestly don't understand continued reliance on _any_ third-party
> nameservers you haven't checked really thoroughly (e.g., my being just a
> little lazy and deciding I trust Raw Bandwidth Communications very
> thoroughly).  It's just so very easy to run a local caching
> recursive-resolver daemon, and has such obvious benefits, that it seems
> really dumb not to.

Yeah, where's the Howto on that? Oh, never mind. Google and apt-get
are your friends.

>> I knew that large Internet companies were largely clueless on
>> security, among other things, but this is scary. Most systems were
>> supposed to be able to apply the patch automatically. What did these
>> other loonburgers do?
> Collect $200 and pass go?  ;->
> Afterthought on my prior recommendations:  In addition to what I said,
> _now_ do people understand why being incredibly suspicious of changes to
> SSL certificates and SSH host keys should be routine?

As suggested by Vernor Vinge in Rainbows End, and Charlie Stross in
Halting State?

> _Now_ are you
> going to do the smart thing and carry around copies of your SSH
> known_hosts file (etc.) on a USB keydrive?
> (I hadn't until now put information about my Web server's self-signed
> certificate into my PalmPilot -- but I did have its SSH host keys in my
> PalmPilot and in the copy of known_hosts in my USB keydrive.)
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire

Edward Cherlin
End Poverty at a Profit by teaching children business
"The best way to predict the future is to invent it."--Alan Kay
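The "is my ISP pwnable?" test the thread keeps referring to watched the UDP source ports and 16-bit transaction IDs (TXIDs) a resolver used when it queried Kaminsky's authoritative server; the July 2008 patches added source-port randomisation. The script below is an added example of that check run offline, not code from the conspire list, from CNET or from Kaminsky's site. The sample observations are constructed (one set mimicking an unpatched resolver, one a patched one), and the 1024-port span threshold is an assumption chosen for the example.

```python
"""Offline version of the resolver randomisation check discussed above.

Added example; not code from the conspire list, from CNET or from Kaminsky's
test page.  A resolver that still sends every query from one UDP source port
(or uses a TXID counter) is the unpatched case; a patched one randomises both.
"""
import math
import random


def constructed_samples(kind: str, n: int = 40, seed: int = 2008):
    """Return n (source_port, txid) pairs.  Constructed, not captured:
    'unpatched' mimics a pre-patch resolver (one fixed source port, TXID
    counter); 'patched' draws both fields at random as a patched one does."""
    if kind == "unpatched":
        return [(53, (0x1A2B + i) & 0xFFFF) for i in range(n)]
    rng = random.Random(seed)
    return [(rng.randrange(1024, 65536), rng.getrandbits(16)) for _ in range(n)]


def looks_sequential(values, threshold: float = 0.8) -> bool:
    """True if at least `threshold` of consecutive values step by exactly 1,
    i.e. the field is a counter rather than random."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if ((b - a) & 0xFFFF) == 1)
    return steps / (len(values) - 1) >= threshold


def assess(samples, min_port_span: int = 1024) -> dict:
    """Judge a resolver from observed queries.  The 1024 span threshold is an
    assumption for this example: a randomising resolver spreads 40 queries
    over most of the ephemeral range, a fixed- or narrow-port one does not."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    report = {
        "distinct_ports": len(set(ports)),
        "port_span": max(ports) - min(ports),
        "sequential_txid": looks_sequential(txids),
    }
    report["vulnerable"] = (
        report["distinct_ports"] == 1
        or report["port_span"] < min_port_span
        or report["sequential_txid"]
    )
    return report


def forgeries_to_succeed(port_space: int, txid_space: int = 65536,
                         target: float = 0.5) -> float:
    """Forged replies needed for `target` probability that one matches the
    outstanding query.  Each forgery guesses port and TXID independently, so
    the per-packet hit probability is 1/(port_space*txid_space); this is the
    model, not a measurement of any particular resolver."""
    p = 1.0 / (port_space * txid_space)
    return math.log(1 - target) / math.log(1 - p)


if __name__ == "__main__":
    for kind in ("unpatched", "patched"):
        print(kind, assess(constructed_samples(kind)))
    # Fixed source port: only the 16-bit TXID protects the query.
    print(f"fixed port:  ~{forgeries_to_succeed(1):,.0f} forgeries for a 50% hit")
    # Ports 1024-65535 randomised as well: roughly 32 bits to guess.
    print(f"random port: ~{forgeries_to_succeed(64512):,.0f} forgeries for a 50% hit")
```

The two numbers at the end are the whole point of the patch: with a fixed port an attacker needs on the order of forty-five thousand forged replies for an even chance, which fits in a few seconds on a fast link; with the port randomised over the ephemeral range it is on the order of three billion.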

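Rick's other recommendation, carrying a trusted copy of known_hosts and treating any host-key change as suspicious, is easy to mechanise. The script below is an added example, not code from the conspire thread or from OpenSSH: it parses a pinned known_hosts copy and the live one, computes OpenSSH-style SHA256 fingerprints, and reports every host whose key changed, went missing or appeared new. The hostnames and key bytes are constructed for the example; real files are read from disk the same way.

```python
"""Compare a pinned copy of known_hosts (the one on the USB key) against the
live ~/.ssh/known_hosts and flag every host whose key changed.

Added example, not code from the conspire thread or from OpenSSH.  The
hostnames and key material below are constructed for the example.
"""
import base64
import hashlib
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_blob(keytype: str, raw_key: bytes) -> str:
    """Base64 public-key blob as stored in known_hosts (type string + key)."""
    return base64.b64encode(ssh_string(keytype.encode()) + ssh_string(raw_key)).decode()


def fingerprint(b64key: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(blob)), padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> base64 key.  Host fields are kept verbatim, so a
    hashed entry (|1|salt|hash) only matches a copy made with the same salt."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        parts = line.split()
        if len(parts) < 3:
            continue                              # malformed line; skip it
        for host in parts[0].split(","):
            entries[(host, parts[1])] = parts[2]
    return entries


def compare(pinned_text: str, live_text: str) -> dict:
    """Classify each (host, keytype) as OK, CHANGED (the alarm case), MISSING
    from the live file, or NEW (live but never pinned).
    Values are (status, pinned_fingerprint, live_fingerprint)."""
    pinned = parse_known_hosts(pinned_text)
    live = parse_known_hosts(live_text)
    report = {}
    for ident, key in pinned.items():
        if ident not in live:
            report[ident] = ("MISSING", fingerprint(key), None)
        elif live[ident] != key:
            report[ident] = ("CHANGED", fingerprint(key), fingerprint(live[ident]))
        else:
            report[ident] = ("OK", fingerprint(key), fingerprint(key))
    for ident, key in live.items():
        if ident not in pinned:
            report[ident] = ("NEW", None, fingerprint(key))
    return report


# Constructed keys: 32 arbitrary bytes each stand in for an Ed25519 public key.
KEY_A = ssh_blob("ssh-ed25519", bytes(range(32)))
KEY_B = ssh_blob("ssh-ed25519", bytes(range(32, 64)))
KEY_C = ssh_blob("ssh-ed25519", bytes(range(64, 96)))
KEY_D = ssh_blob("ssh-ed25519", bytes(range(96, 128)))

PINNED_KNOWN_HOSTS = f"""\
# pinned copy carried on the USB key (constructed for this example)
shell.example.net,192.0.2.10 ssh-ed25519 {KEY_A}
mail.example.net ssh-ed25519 {KEY_B}
old.example.net ssh-ed25519 {KEY_C}
"""

LIVE_KNOWN_HOSTS = f"""\
shell.example.net,192.0.2.10 ssh-ed25519 {KEY_A}
mail.example.net ssh-ed25519 {KEY_D}
new.example.net ssh-ed25519 {KEY_D}
"""

if __name__ == "__main__":
    report = compare(PINNED_KNOWN_HOSTS, LIVE_KNOWN_HOSTS)
    for (host, keytype), (status, pinned_fp, live_fp) in sorted(report.items()):
        print(f"{status:8} {host} ({keytype}) pinned={pinned_fp} live={live_fp}")
```

Run it with the real files (`compare(open(usb_copy).read(), open(os.path.expanduser("~/.ssh/known_hosts")).read())`) and a CHANGED line is exactly the event Rick wants you to stop and investigate rather than type "yes" past; a NEW line is a host you connected to without a pinned key and should verify out of band.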