<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Fri, 09 Jan 2009 22:30:29 -0000</lastBuildDate><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-5029253</link><description>Are you the Tom Ptacek whose brothers are Chris and Steven?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Keiren</dc:creator><pubDate>Fri, 09 Jan 2009 22:30:29 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324254</link><description>Tom, &lt;br&gt;&lt;br&gt;I'm amazed reading through this blog as to how much you bash Kaminsky...prior to "accidentally" publishing the exploit after it's disclosed to you. Tell us, how does a security company accidentally disclose such a serious vulnerability? 
All I see is a bruised ego looking to one-up a fellow researcher.&lt;br&gt;&lt;br&gt;And you guys pride yourselves as being an infosec company?&lt;br&gt;&lt;br&gt;Lame...very very lame.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">joeyb</dc:creator><pubDate>Tue, 22 Jul 2008 22:34:14 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324277</link><description>When: Wednesday, August 6, 7:30 PM – 9:30 PM&lt;br&gt;Where: Blackhat/Shadow Bar, Caesar's Palace, Las Vegas&lt;br&gt;What: Discuss over a drink ;)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">tom brennan</dc:creator><pubDate>Sun, 13 Jul 2008 09:07:46 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324311</link><description>There seems to be an unspoken assumption that only one upstream is spoofed. I wonder if there is a negative spoof, first.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ben</dc:creator><pubDate>Sat, 12 Jul 2008 22:51:56 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324276</link><description>Tom:&lt;br&gt;If my 450-word attempt at sarcasm did not get through to you, shame on me. If you still think Dan has nothing, shame on you (reading your latest post, though, I know that's not the case).&lt;br&gt;&lt;br&gt;I was merely addressing all the people calling 'media whore' on Dan on this page. 
To be clear: It is obvious from the circumstances that Dan has something of at least peripheral importance. Everyone has to stop pretending they have known about this vulnerability since 2003 and wait just 4 weeks for the full disclosure.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Anders Feder</dc:creator><pubDate>Fri, 11 Jul 2008 17:43:52 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324256</link><description>Some of the postings here above show that no matter how a researcher announces his work there's always a segment of the population that ridicules them.&lt;br&gt;&lt;br&gt;Let's just wait to see how things play out after the details are released.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Frank</dc:creator><pubDate>Fri, 11 Jul 2008 12:21:35 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324275</link><description>GG, you got PWNED and you started it. Walking into a gunfight with a knife is the analogy, I suppose.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ray</dc:creator><pubDate>Thu, 10 Jul 2008 20:46:23 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324274</link><description>Dan has made a living off wh0ring out his mediocre findings. This is no different, and I very much look forward to seeing his BH talk and the resulting "oomf". 
Shades of the RST attack and how the intranets are going down. Oh noes! The world is coming to an end. I can insert shell code on IOS, wait a minute! This was already postulated, yet we are still to see evidence of it. Yet again, another example of "yes it is possible, but it is not practical". Disclaimer: I am six beers under the belt right now. Dan Kaminsky is a smart mofo, I just don't understand the hype, nor will I ever.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">anonymous hoe</dc:creator><pubDate>Thu, 10 Jul 2008 18:31:31 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324273</link><description>People running BIND on RedHat and similar systems need to be very careful.&lt;br&gt;&lt;br&gt;&lt;a href="http://rhn.redhat.com/errata/RHSA-2008-0533.html" rel="nofollow"&gt;http://rhn.redhat.com/errata/RHSA-2008-0533.html&lt;/a&gt;&lt;br&gt;&lt;br&gt;only tells part of the story.&lt;br&gt;&lt;br&gt;RedHat's original and updated bind and caching-nameserver packages come with .conf files which specify&lt;br&gt;&lt;br&gt;    query-source    port 53;&lt;br&gt;    query-source-v6 port 53;&lt;br&gt;&lt;br&gt;Users will need to comment that out and restart named to make BIND use random source ports when forwarding requests.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Phil</dc:creator><pubDate>Thu, 10 Jul 2008 12:02:11 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324303</link><description>Anders: you're wrong this time.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 10 Jul 2008 11:59:59 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324272</link><description>Ok, ok, I'm trying to picture this.&lt;br&gt;&lt;br&gt;5 years after a vulnerability was first described publicly by DJB, Dan Kaminsky, a mediocre security consultant from a dark corner of the interweb, for no reason whatsoever manages to suddenly pull a number of important security vendors together on Microsoft Campus in March 2008. You have to at least admire this man's social engineering skills: no-one, not even DJB himself, nor a single one of all the smart guys posting comments on this page, has managed to convince just one of these vendors to fix this critical vulnerability &lt;i&gt;in 5 years&lt;/i&gt;.&lt;br&gt;&lt;br&gt;Back at Microsoft Campus, the mission of this gathering of high-profile IT professionals is laid out: to take a couple of days out of their busy schedules to &lt;i&gt;reinvent a solution which already has been freely available to the public for 5 years&lt;/i&gt;. How about that. I heard Microsoft is also releasing a new version of their IP stack, referred to internally as 'the Kaminsky stack', which by design will route packets as inefficiently as possible - one day Ballmer simply told his boys to "make a stack that makes packets take as many hops as humanly possible". &lt;br&gt;&lt;br&gt;Anyway, after these bright developers from such previously respected companies as Cisco, Microsoft and the ISC - along with no-one less than &lt;i&gt;Paul Vixie&lt;/i&gt; - adjourn from the 5-year-old-patch-reinvention-exercise and retreat to their usual high-paid day jobs, aforementioned Kaminsky steps up and fools everyone in security media into thinking that he has discovered a new, critical vulnerability in DNS. 
The story makes it across the globe and yet &lt;i&gt;not a single one of the involved vendors, nor Paul Vixie, nor the CERT&lt;/i&gt; bothers challenging Kaminsky's public claims. They are all too busy working out the new least-efficient-routing-algorithm for Microsoft. That's what CERT is for anyway, right - to induce unwarranted panic and release information that is biased to boost some dude's personal PR-stunt. Yeah, it's right there at the bottom of the security advisory they sent out to all those companies and organizations all over the world.&lt;br&gt;&lt;br&gt;You were right guys, it's all so clear to me now: this Dan fellow is one heck of a smooth operator - and I can't wait to see him go down in flames at his talk in August. I bet he can't either - I mean, why stage something like this if you don't like to be the ridicule of the entire industry you work within for years to come. Surely, it must be some kind of humiliation fetish he is betting his job on.&lt;br&gt;&lt;br&gt;See you all at Black Hat in a month - and don't bother with those patches, it's all bull anyway.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Anders Feder</dc:creator><pubDate>Thu, 10 Jul 2008 06:45:38 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324271</link><description>Man, you people and your car analogies.&lt;br&gt;&lt;br&gt;So the XID is like the fuel injection system, and the UDP port selection is like a non-synchronized transmission...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">it is a car analogy</dc:creator><pubDate>Thu, 10 Jul 2008 02:43:03 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324308</link><description>Leaving a shiny new BMW in a San Francisco tow zone will also lead to it being stolen, for the record.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Thu, 10 Jul 2008 00:33:08 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324307</link><description>@Evil: And what exactly is the 'shiny BMW' in this case? &lt;br&gt;&lt;br&gt;While leaving an expensive car in a high-crime area is just a bad idea, running DNS is a necessity. You can consider it a "necessary evil", but the Internet would not function without it. So the best you can do is secure it as much as possible and hope for the best. Using products from security-conscious coders (i.e. DJB) is a good start, but that's still not removing the 'shiny car' from the bad neighborhood that is the Internet. The best you can do is to put The Club on it, maybe an alarm, take the keys out and hope that 'bad guys' will target low-hanging fruit instead. (Does this analogy still make sense? 
Probably not, it's late.)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">send9</dc:creator><pubDate>Thu, 10 Jul 2008 00:29:55 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324294</link><description>*yawn*&lt;br&gt;&lt;br&gt;In other news, leaving a shiny new BMW in a ghetto with keys inside and doors unlocked will lead to it being stolen.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Evil McObvious</dc:creator><pubDate>Wed, 09 Jul 2008 23:12:34 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324270</link><description>It's also the case that we basically do two kinds of work here: broadly theoretic stuff, like tools development or studies of protocols and types of products, and very specific work done under NDA for clients. &lt;br&gt;&lt;br&gt;And it's also the case that a couple times we've hit the press on specific stuff we were at liberty to disclose, we got rolled a bit too.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 09 Jul 2008 20:30:06 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324293</link><description>Ryan: It is a good question as to what we would do differently. To date, we have avoided the situation. Maybe it's been luck. 
I know readers will have a hard time believing this, but I have, on several occasions, wound down talking to the press because I saw some of our findings getting misrepresented or blown out of proportion.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave G.</dc:creator><pubDate>Wed, 09 Jul 2008 20:18:52 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324288</link><description>One variation from the formula in this case (to Dan's advantage) is that initial vague disclosure began with a patch. We won't be having any vendor denial this time, thankfully.&lt;br&gt;&lt;br&gt;The uninformed speculation is around why Dan won't disclose details. His stated reason is that he wants people to have more time to patch before the attacks start. &lt;br&gt;&lt;br&gt;I believe Black Hat requires one to hold the good stuff for one's talk, yes?&lt;br&gt;&lt;br&gt;I would be completely unsurprised if at least one of the coordinated vendors or Vixie or CERT requested that Dan hold details until his talk. Or perhaps Dan gave a drop-dead date of his talk, and someone is holding him to that.&lt;br&gt;&lt;br&gt;Dan has zero control over others figuring out his attack and releasing details. Even when they do, he probably still can't say anything until his talk. The only possible schedule change Dan could have made here was to release details before someone else, right?&lt;br&gt;&lt;br&gt;So are you and Tom saying that what you guys would be doing differently is that you would have shipped the exploit by now?&lt;br&gt;&lt;br&gt;FWIW, Dan seems to me to not be a fan of blindsiding vendors. 
In a couple of the books I've done with Dan in the past, he was none too thrilled about people printing 0-day.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ryan Russell</dc:creator><pubDate>Wed, 09 Jul 2008 19:36:57 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324306</link><description>Ryan: This story has a formula: &lt;br&gt;&lt;br&gt;vague disclosure + talking to the media + announcing that all will be made clear in the future (and the future tends to correspond to a talk at a security conference) = this situation. &lt;br&gt;&lt;br&gt;I think researchers tend to get trapped by disclosing just enough information that when the mainstream press hears it, they make it sound like the world is going to end. Security folks are left with a lot of questions. I've had a couple of customers call me and ask how concerned they should be and they have their boss asking them if they are safe.&lt;br&gt;&lt;br&gt;If the issue is fixed and the world knows how to fix it, what's changing between now and Black Hat that impacts when the world can know about it? Is this about waiting for people to patch? Is there another patch coming?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave G.</dc:creator><pubDate>Wed, 09 Jul 2008 19:23:41 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324305</link><description>Since when is doing research on "old stuff" intrinsically bad, or does it diminish somebody's work?&lt;br&gt;In any case, all at Matasano should be happy now... 
This randomized UDP source port thingie will make firewall rules and logfiles such a fun thing to play with. I wonder if they had this in their playbook all along and just planted the idea in Dan's brain exactly at the right time to have it blossom now. That Rauch character probably did it, he posts only when strange things happen in the internet</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ivan</dc:creator><pubDate>Wed, 09 Jul 2008 19:16:11 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324304</link><description>You (we; security guys) hit the mainstream press by some combination of: finding a flaw that causes a large coordinated release, putting out a press release, and having enough bloggers talk about you.&lt;br&gt;&lt;br&gt;Dan is guilty of finding the flaw, "allowing" IOActive to put out a press release, and doing a couple of podcasts for technical blogs. And later, providing quotes for a couple of mainstream news outlets. I don't think he even wrote his own blog entry until a decent way into the process. I've done all the same before, I'm just rarely as successful at it.&lt;br&gt;&lt;br&gt;Which of those steps would you have put a stop to, Tom?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ryan Russell</dc:creator><pubDate>Wed, 09 Jul 2008 18:49:45 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324282</link><description>Tom: You misunderstand what I'm calling noise. The BBC is not noise. 
The security community setting up straw men on Kaminsky's behalf and then accusing him of media whoring is noise. Go read fulldisclosure today.&lt;br&gt;&lt;br&gt;The tactic is to claim this is old stuff and attack Dan for not doing interesting work while he can't say anything. Expectations will be raised so high by the time his presentation happens that he can't possibly meet them, and those who attacked him will claim victory.&lt;br&gt;&lt;br&gt;See also: Trying to present on wireless driver vulnerabilities or embedded architectures where a null pointer overwrite is useful.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ryan Russell</dc:creator><pubDate>Wed, 09 Jul 2008 18:41:43 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324299</link><description>Ryan: You're not going to win that argument. We're not in the Trib, or at the BBC. People we talk to all the time get wind of a shitstorm about DNS, and ask what I think. We didn't reach out. &lt;br&gt;&lt;br&gt;I've got a bit of experience dealing with stories like these, and I don't think you hit the mainstream press by sitting back and doing nothing to promote your work.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 09 Jul 2008 18:37:21 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324298</link><description>We don't need a whole new protocol, we can "overload" the current protocol... why not? 
The RRs have been abused for hundreds of less relevant purposes.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ivan</dc:creator><pubDate>Wed, 09 Jul 2008 18:35:28 -0000</pubDate></item><item><title>Re: Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!</title><link>http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/#comment-2324281</link><description>Tom: Blitz? IOActive has put out a press release, but I had to go look for it. I'm sure it's the news sources I read, but I've seen Matasano quoted slightly more than Dan, so far.&lt;br&gt;&lt;br&gt;As he says, he thinks it's important to keep the details quiet, but to encourage people to patch.&lt;br&gt;&lt;br&gt;And he didn't ask you not to look, he asked you not to tell. To whatever degree those are separate.&lt;br&gt;&lt;br&gt;Like I said, he's probably obliged to ask. Knowing it will be ignored.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ryan Russell</dc:creator><pubDate>Wed, 09 Jul 2008 18:32:30 -0000</pubDate></item></channel></rss>