Matasano Chargen - Latest Comments in Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

rvdh — Tue, 22 Jul 2008 20:36:56 -0000

Fail. It's all about creating covert channels. This is known since at least 1990 when Steve Bellovin found flaws in the DNS design. But Dan found a way to do it effeciently since 2004. and hence the reason why DNSSEC came to be in 1999.

Why don't you just wait for Dan's talk instead of blowing your trumpets and claiming his thunder. Dan deserves this more than anyone I know given his research on DNS over the years.

Anyway, that's my take on it. Put it to rest and wait for Dan's talk.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Statler and Waldorf — Mon, 21 Jul 2008 19:35:10 -0000

http://blog.invisibledenizen.org/2008/07/kamins...

No one's confirming, but it sure does smell like the real deal.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

jls — Mon, 21 Jul 2008 19:18:18 -0000

any reason why a couple of minutes ago, on my google reader feeds i got a feed/post named: "Reliable DNS Forgery in 2008: Kaminsky’s Discovery" written by ecopeland that starts with the catching phrase "The cat is out of the bag" and then go out and tell us that what Halvar Flake wrote on his blog today is the "Real Thing" and then when i go to this post in matasano´s blog i get a 404?

the link that i got in my reader is/was: http://www.matasano.com/log/1103/reliable-dns-f...

does it means that what was written in the post is *not* the actual "Real Thing" and was "recalled" by the author? or does it means that it *is* the "Real Thing" and was recalled by the author whatever reason it may be?

just curious...

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

E. Westbrook — Mon, 21 Jul 2008 13:57:57 -0000

Disclaimer: I am a confessed DJB fanboy.

It's a shame DJB's (admittedly abrasive) demeanor has so often distracted so many from the quality of his work. I've deployed djbdns exclusively since forever, and I have never been disappointed with its performance and simplicity, particularly over conflated bloated pigware like BIND (imho). The simplicity of the zone file format alone is delightful. But I digress.

Imagine my delight to learn of this massive urgency and then conclude that I need to do NOTHING about it for the security of my networks (all systems here are showing GOOD on the TXT test).

To discover that DJB was right on this issue doesn't surprise me in the least. At the same time, to discover some personal distaste for him remaining at large doesn't surprise me much either.

Good on him, I say. And shame on so many others for not listening years ago.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Jesse Cantu — Sun, 20 Jul 2008 12:59:06 -0000

Incidentally, theReformed was running a poll on Dan’s find posted the other day, so far Dan seems to be coming out on top with the people http://thereformed.org/2008/07/19/poll-dan-kami... .

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Dan Kaminsky — Wed, 16 Jul 2008 21:23:36 -0000

dig @4.2.2.1 porttest.dns-oarc.net in txt

try that?

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Michael — Wed, 16 Jul 2008 16:19:08 -0000

How do you use that port test?
localhost:~ Michael$ dig porttest.dns-oarc.net

; <> DiG 9.4.1-P1 <> porttest.dns-oarc.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30368
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;porttest.dns-oarc.net. IN A

;; Query time: 2323 msec
;; SERVER: 68.105.28.12#53(68.105.28.12)
;; WHEN: Wed Jul 16 13:10:51 2008
;; MSG SIZE rcvd: 39

localhost:~ Michael$ nslookup porttest.dns-oarc.net.
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; Got SERVFAIL reply from 4.2.2.2, trying next server
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; Got SERVFAIL reply from 68.105.28.12, trying next server
Server: 4.2.2.2
Address: 4.2.2.2#53

** server can't find porttest.dns-oarc.net: SERVFAIL

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

sfk — Wed, 16 Jul 2008 05:25:24 -0000

It isn't the fault of djbdns, but running dnscache behind a typical ADSL router still appears to be unsafe.

I get a "POOR" security if I do the porttest:

dig porttest.dns-oarc.net in txt

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

ivan — Tue, 15 Jul 2008 21:20:47 -0000

It is all very clear now: http://www.circleid.com/posts/87143_dns_not_a_g...

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Dan Kaminsky — Tue, 15 Jul 2008 17:50:16 -0000

Why don't you ping me privately?

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

rG0d — Tue, 15 Jul 2008 16:13:43 -0000

Performance is hard to judge in the lab. From looking at pure packet in/out stats in production, though, at peak times we see just a little over 5000. I'd rather patch once with optimized code rather than revisit this - and this is a question my management should ask about.

I assure you, I'm not treating the time like a snooze button. It's really hard to justify some of the risk ($$ loss if something breaks in production) based on the facts in evidence today. I can try to get everything patched, but it's ultimately the business who makes the decision based on the risk assessment I can show them.

Right now, I can show them vendors giving an Important (not critical) risk rating, and no details (much conjecture) on how we MIGHT be vulnerable and what our ASSUMPTIONS are regarding the risk to our business.

Like it or not, from a non-technical business standpoint, that's hardly compelling.

I WANT to patch before your presentation, but I NEED to be ready for when (not necessarily in order of likelihood):
a) the business gets scares by all the press
or b) I can show the security risks are high enough to assume some business risk

This is helped by having everything up and running in the lab as long as possible before either of these things occur (due diligence). It's also helped along by making sure the various security teams (CSIRT, VulnMgmt team, etc.) are on side, and everything is in place so major apps can ensure zero impact.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Dan Kaminsky — Tue, 15 Jul 2008 14:28:54 -0000

rGod,

We're actively trying to get you what you need. Seriously though, you really want to pull the trigger before my talk. Really you want to pull it as soon as possible. Yes, I've bought you some testing time...but don't treat it like a snooze button :)

How's the perf impact hitting you right now? Most name servers are not run to the edge of capability. I'll look into the GA date.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

rG0d — Tue, 15 Jul 2008 12:48:52 -0000

Lots of people saying [paraphrasing] "how can we know our risk and prioritize the patch if we have no details" and, stuff may break. I agree.

Dan rightly indicates that it takes a lot of meetings, time, and money to get these things done in an enterprise space (I work in a shop with 90,000+ endpoints). Again, lots of stuff may break.

The advantage of enterprise, though? I have a huge test lab.

What I'm doing? Patching EVERYTHING in the lab now, so if stuff is going to break it'll break now. It also gives me some burn-in/testing time of my own. As soon as the BH presentation hits the fan (so to speak) and the press starts to turn into pressure to act, I can pull the trigger WITH full information.

ISC says that the "beta releases include optimized code that will reduce the impact in performace".

What I would like to know is when the when the beta code is expected to become GA? Anyone clear on ISC's release practices?

Dan / Paul Vixie- any insight here?

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Dan Kaminsky — Mon, 14 Jul 2008 13:15:12 -0000

My opinion on the Important v. Critical thing is that severity is only linked to impact, not distribution. For example, it's a Critical in WINS, even though you probably aren't running it on any particular server. This is an Important in everything, but it's still an Important.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

c8364ab9946979cf165113a3d0190a — Mon, 14 Jul 2008 11:58:29 -0000

I see on daily-dave there are people who goes along with my theory.
So if they say ICMP, I say pure UDP and fragmentation.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

mywittlepwnie — Mon, 14 Jul 2008 11:09:32 -0000

Is Kaminsky going for the Pwnie of Most Overhyped Bug?

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

anemonemous — Mon, 14 Jul 2008 06:15:24 -0000

Dan stuck between a rock and hard place? So are we. At least the suspense is exciting. :P

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Thomas Ptacek — Mon, 14 Jul 2008 01:44:24 -0000

Because "Critical" vulnerabilities are worm-able. Vulnerabilities that are not themselves critical, but can be "added up" to critical, are almost the definition of "Important".

This vulnerability is still less important than the RSA signature forgery issue, which wasn't critical either.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Brian Dowling — Mon, 14 Jul 2008 01:16:06 -0000

Probably not the right forum for this, but does anyone understand the logic in why not all vendors are rating this Critical? Microsoft for example only lists the patch as Important. This simple point can make it harder for enterprise admins to get the support and resources they need behind changes out of regular patch cycles.

I realize that these vulnerabilities are not direct code execution issues, but they chain so darn well.

With the understanding that full details will be released in little more than 3 weeks, one would think more emphasis on the criticality, the better.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Statler and Waldorf — Mon, 14 Jul 2008 01:05:06 -0000

@anonymous

Still reading RFCs to see if I can guess who your boss is. In the meantime, why not having him call up Vix for the 411 on the DL?

Lots and lots of patchii come out with vague info. This one has more press and affects something critical, but do you really delay installing MS or Cisco patches unless you have working exploits, srsly?

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

mark — Sun, 13 Jul 2008 14:35:10 -0000

I hope the internet doesn't break. I'm not good at anything else..

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

anonymous — Sat, 12 Jul 2008 01:17:26 -0000

Guys, I have been put in a very sensitive situation because of this. How do you expect me (a non-DNS nor DNS security expert) to go to our CTO (who helped draft the RFC for DNS) and tell him we need to patch, but there are no details available? Heresy!

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Brian Dowling — Sat, 12 Jul 2008 01:15:02 -0000

Findings-v1: bb821e88d15c198951660424cd9692736356b253290ac3cad5a2cbbb87ab5a4e

Findings-v2:
0fca0b42a9795b35f12c1d7fdb7abcd6a85e1f7810ede46fb59b8d318487da36

(SHA256 - Just for posterity ?)

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

Anders Feder — Sat, 12 Jul 2008 00:51:48 -0000

Ivan:
If you have a suggestion that will make the Internet a more secure place before the 6th, please, put it forward. If not - please quit addressing me.

Re: Patch Your (non-DJBDNS) Server Now. Dan Was Right. I Was Wrong.

ivan — Sat, 12 Jul 2008 00:35:42 -0000

@Anders: ok sorry, it seems we've been talking about different things then.
I am interested in figuring out what is the most effective and less expensive solution to this problem for vulnerable organizations so I can provide guidance to them when asked. I am not interested in using Dan Kaminsky's finding and the process he and the other 15 people to disclose it as a proxy for a debate on how to improve the vulnerability disclosure process.