<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Regarding The Post On Chargen Earlier Today</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Tue, 23 Sep 2008 23:20:22 -0000</lastBuildDate><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2555307</link><description>Matasano Crew,&lt;br&gt;&lt;br&gt;Please don't stop blogging just because you made a mistake.  We all do that.  It's how you conduct yourself following your mistake, and how you learn from it that matters.  I think you folks conducted yourself with class, and made the best of a bad situation.&lt;br&gt;&lt;br&gt;If you're not posting for completely different reasons, don't have the time, on fire, etc. please disregard.&lt;br&gt;&lt;br&gt;Kindly,&lt;br&gt;&lt;br&gt;--Mike</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike</dc:creator><pubDate>Tue, 23 Sep 2008 23:20:22 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2448628</link><description>Hi Thomas,&lt;br&gt;&lt;br&gt;I came across your blog through some other blogs I was reading while I was doing some research for one my clients, "Solera Networks" in the network security industry.  I got distracted and was intrigued by your blog post about your concern in network security. Hopefully you are familiar with the new Tivo. If you are I felt inclined to talk about you because I think Solera Networks has some products out there that are somewhat unique and new to the industry (data capture appliance devices) and would give you some great information to write about on your blog – I know how hard it is to find topics to write about sometimes.  
If you were interested I could even have them send you a demo version of the software if you want to check it out in more detail.  Or if it would make it easy to write I could setup a time for you to ask questions from an engineer at Solera networks and transcribe the interview for you so you can post it on your blog.  At the bottom of this email I will copy paste a general overview of what their products do.&lt;br&gt;&lt;br&gt;If you are interested don’t hesitate to contact me, and keep up the great blog; yours was for sure one of the top in the industry that I came across.&lt;br&gt;&lt;br&gt;-Thank you&lt;br&gt;Joshua Lewis&lt;br&gt;&lt;a href="mailto:jlewis@twelvehorses.com" rel="nofollow"&gt;jlewis@twelvehorses.com&lt;/a&gt;&lt;br&gt;&lt;br&gt;Solera Networks DS Appliances provide protection against the unknowns. They give your organization Total Network Recall—enabling IT and security professionals to get to the root cause of a network security or performance problem, minimize the effects on your business, and ensure quality of service. By recording all data that passes over the network, Solera DS Appliances give your network a memory so you can see everything on the network and can replay any traffic when needed.&lt;br&gt;&lt;br&gt;•Capture speeds up to 10 Gbps   (Miercom Performance Verified™ report – March 2008 – &lt;a href="http://www.soleranetworks.com/miercom/" rel="nofollow"&gt;www.soleranetworks.com/miercom/&lt;/a&gt;)&lt;br&gt;•Storage scalability to expand window for longer recall time &lt;br&gt;•Up to 8 gigabit ports (10/100/1000)&lt;br&gt;•Two 10Gb fiber capture ports&lt;br&gt;•Appliance platform with certified hardware configuration&lt;br&gt;•Full traffic regeneration capabilities and PCAP creation&lt;br&gt;•Open API’s for integration with third-party tools and automation of data collection&lt;br&gt;&lt;br&gt;All interesting traffic can be replayed exactly as it was captured, creating a controlled environment to investigate new unknown threats. 
Combined with Solera DeepSee™, organizations can search through the captured data to create a real world context around a threat by rendering “artifacts.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Lewis</dc:creator><pubDate>Fri, 19 Sep 2008 19:17:49 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2420846</link><description>Hey come on,&lt;br&gt;    stop sitting there feeling embarrassed, we have all done this from time to time, the rest of us are just waiting for updates from you kids. Let's get chargen moving and dynamic again, one of the better security blogs as far as I am concerned.&lt;br&gt;&lt;br&gt;&lt;br&gt;   gwen hastings</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">gwen hastings</dc:creator><pubDate>Thu, 18 Sep 2008 07:15:46 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2396574</link><description>Hey,&lt;br&gt;&lt;br&gt;I've been a reader of your blog for quite some time; I understand the DNS bug post was probably a bit embarrassing, but it seems like it's time to get back on the horse. The community values your insight into security issues -- not to mention that the lack of updates has left a hole in my morning infosec blog reading. 
We all make mistakes, but that’s no reason to stop publishing altogether.&lt;br&gt;&lt;br&gt;Good luck.&lt;br&gt;&lt;br&gt;Thanks,&lt;br&gt;Eric</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Eric Busse</dc:creator><pubDate>Wed, 17 Sep 2008 08:15:52 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2384977</link><description>Where oh where has the Chargen blog gone? The world desperately needs the cogent, intelligent smartassery of Tom and Dave. More, please.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dennis Fisher</dc:creator><pubDate>Tue, 16 Sep 2008 10:46:26 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324570</link><description>Thanks, John. We appreciate it. Right now, we're just keeping our heads in the game and busting up the software in our projects. It's cathartic.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 23 Jul 2008 12:09:09 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324471</link><description>Chin up guys..&lt;br&gt;&lt;br&gt;Obviously this was an epic fuck-up, but I don't think anyone really believes that you guys would suddenly trade away a combined 4 or 5 man-decades of credibility for a 5-minute press bump.&lt;br&gt;&lt;br&gt;Well, Dan probably believes it, but he'll eventually get over it. Besides, he's probably got a few more design bugs in 30-year-old protocols left in his career. 
:&amp;gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">John McDonald</dc:creator><pubDate>Wed, 23 Jul 2008 12:05:28 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324513</link><description>@tyme&lt;br&gt;&lt;br&gt;Duly noted. I read "Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2," from said post and this, "[r]ecent additional research into these issues and methods of combining them to conduct improved cache poisoning attacks have yielded extremely effective exploitation techniques" and just drew my thoughts back to combining attacks and had a brain bubble.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Luke</dc:creator><pubDate>Wed, 23 Jul 2008 09:48:55 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324518</link><description>What moral am I supposed to take away from all this?&lt;br&gt;&lt;br&gt;Suppose a fellow is telling the world "please, update your critical infrastructure, fast."  Then I'm there talking to the media saying "no, no, don't bother, it's probably nothing major."  So that fellow confidentially tells me the details, because I'm seriously undermining his attempts to protect the public.  And so I get more media attention when I say "oh, he means it folks."&lt;br&gt;&lt;br&gt;And then when I accidentally spill the beans I get yet more publicity.&lt;br&gt;&lt;br&gt;Seriously, what lesson does that teach?  "Being an ass is rewarded" sums it up nicely for me. I could've just kept my big fat mouth shut at the start, but then I wouldn't have gotten media attention and lots of blog comments.&lt;br&gt;&lt;br&gt;I'm not sure what I want. 
Unlike some other commenters above, I really don't think this is an OEE, and I'm not sure it should be.&lt;br&gt;&lt;br&gt;Thomas will give many more mea culpas, but I see absolutely no reason for someone else not to follow this exact same path. Sure, he *says* he's sorry, and I believe he is, but he and M'tso will only benefit from all this. In a few months no customers are going to remember the details, just that they heard about the company during that DNS kerfuffle a while back.&lt;br&gt;&lt;br&gt;Again, I'm not sure what I want to see happen. Maybe it's just the way our industry is, which is a pretty sad commentary.  It gets harder and harder to keep one's moral compass.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dan</dc:creator><pubDate>Wed, 23 Jul 2008 09:37:53 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324569</link><description>@luke&lt;br&gt;&lt;br&gt;I don't think that's the same cat.&lt;br&gt;&lt;br&gt;@scott morrison&lt;br&gt;&lt;br&gt;Try to find a copy of the original Matasano post.  Digging through the comments in the slashdot thread might get you a working link, or at least a re-phrasing by someone else.  Havlar says on his own blog that "[he] was close... but no cigar."</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">tyme</dc:creator><pubDate>Wed, 23 Jul 2008 08:15:42 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324517</link><description>This has turned into a circus/publicity clusterf**k. &lt;br&gt;&lt;br&gt;First of all, once the information (and by extension, class attack) is out, it is out. You may contain it for a while but in the end, it will spread to everyone. 
I, for one, got the full Monty from a link contained in a comment in this blog ...&lt;br&gt;&lt;br&gt;What makes you think that only Halvar was able to deduce this information? Is this not a sign of arrogance? Do you really guys think it is still 1995 (as conveniently written in the now retired blog post?) and that the world of network security research is still a closed self-centered social club? Let me let you in into some news for you:&lt;br&gt;MOST OF YOU (us, if you prefer) do not have a clue what is the current level of security research in countries like China, India, Russia or in non-state actors, yet you create a storm (someone is calling this a OEE, for crying out loud) in a teacup for what? That "evil" Matasano spoiled (maybe by a bona fide mistake, maybe by something more nefarious, I cannot speculate) the exclusivity for the conference brigade?&lt;br&gt;&lt;br&gt;Give everyone a break please and let's get the patches out there :)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ghe</dc:creator><pubDate>Wed, 23 Jul 2008 05:52:25 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324553</link><description>I really don't follow the 'security through obscurity' comments, or how this was being kept secret exactly, I mean it's not that incredibly hard to diff the two versions of bind which shows you what was changed, then its off to the RFCs and some creative thinking. The arguments that I've heard about how people have these customers and need more details to judge severity seem misguided at best, if every vendor tells you to patch now, and you can't figure it out on your own via diffs/et cetera, what can anyone really tell you thats going to help you?&lt;br&gt;&lt;br&gt;Even more, I don't recall seeing an advisory from Dan, just a bunch of advisories from the vendors crediting him with a bug find. 
He never went ape-shit posting places, so I don't see how everyones (over)reaction can be put on him. Sure, I think its silly (and futile) to ask people to not investigate it themselves, but its not like anyone asking for such things has ever gained any traction in the past (and typically inspires the polar opposite), so why all the fuss?&lt;br&gt;&lt;br&gt;As for this (the leak) being an organization ending event, I think thats pretty much not going to happen, and its pretty absurd to consider that anything anyone could say would have that big of an impact.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">jf</dc:creator><pubDate>Wed, 23 Jul 2008 05:16:57 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324516</link><description>Funny thing is that OpenBSD doesn't look forward to patch bind, since they say that ugly pf+nat hack could fix this.&lt;br&gt;Why didn't these monkeys get nominated for pwnie awards???</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">anonymous</dc:creator><pubDate>Wed, 23 Jul 2008 04:33:36 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324473</link><description>The post was up for far less than that.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 23 Jul 2008 02:52:26 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324515</link><description>All of you self-proclaimed security experts that have been whining about how "Full Disclosure is the only method for good security" or how "Dan thinks he is God" are annoying as shit. 
&lt;br&gt;&lt;br&gt;You all have too big egos and are just upset that someone else found a serious vulnerability in the Internet's infrastructure, and mostly because that person was not filling you in on the details for a mere 30 days.&lt;br&gt;&lt;br&gt;The argument that "we don't have the exact details of the bug so I can't assess whether I REALLY need to apply this patch or not" is a complete bullshit excuse and everyone knows it. That's just the best lie that people can come up with to try to pressure Dan into giving the details out earlier so that they don't feel dumb or excluded. &lt;br&gt;&lt;br&gt;If every major IT vendor in the world, a creditable security researcher, and some of the most experienced and knowledgeable people about DNS are saying that this is a major issue, then that should be enough reason to patch regardless of having exploit code handed to you and the rest of the world.&lt;br&gt;&lt;br&gt;Sure, there is a good chance that the infamous "bad guys" were able to figure it out before the 30 days, but if it takes all of the world's best security researchers working together for 13 days to come up with an almost-right-answer, then it probably would take "the bad guys" some time as well. Security through obscurity is not good but it is certainly a layer of defense. I don't know how some people here (Esser?) can claim that giving out point-and-click exploit code provides a better defense..&lt;br&gt;&lt;br&gt;and since when did Halvar rediscover this? Was his guess 100% accurate...???&lt;br&gt;&lt;br&gt;@Tom&lt;br&gt;Either the people at matasano are completely ignorant with computers or you posted the details on purpose... If you were so careful about not hitting the "russian roulette" you would have noticed that you posted it the second after it happened and removed it within 30 seconds. 30 minutes of "not noticing" is ridiculous... 
just enough time to have everyone's RSS readers download it and enough time to act like it was an accident.&lt;br&gt;&lt;br&gt;@Dan&lt;br&gt;I think the way you handled everything was great and I am sure there are many many sane people out there that are very grateful for your efforts. (Although you managed to piss off all of the security kiddies in the world.)&lt;br&gt;The only thing you fucked up was that you gave into peer pressure and let out the details. If only you could have held your ground, you could have had more than 13 days...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">tokumei</dc:creator><pubDate>Wed, 23 Jul 2008 02:47:20 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324458</link><description>Personally, I think the discovery should be attributed to Halvar, and that Dan should miss out on the credit. This is the only reasonable way in which we can ensure people don't follow Dan's greed in hoarding knowledge.&lt;br&gt;&lt;br&gt;In all scientific fields (including IT), it is the first to publish who gets the credit. There have been many cases where others have made discoveries first but missed out on the credit due to their greed (RSA algorithm for example). We need to send a clear message to those who do not believe knowledge is for all.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">anon</dc:creator><pubDate>Wed, 23 Jul 2008 01:42:32 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324457</link><description>1. Dan: "but we’re not exactly good at bringing in new kids and giving them a stage to be heard"&lt;br&gt;&lt;br&gt;Hmmm... I WONDER why that is...  
maybe it's because the "new blood" is busy keeping their discoveries under wraps like someone else I am just becoming familiar with?&lt;br&gt;&lt;br&gt;Besides, it's not like this info isn't public knowledge now, so calling for "no technical info on this post" is preposterous, when Slashdot (100x the readership of this blog) already has the scoop.&lt;br&gt;&lt;br&gt;2. I knew it was WordPress.  Matter of fact, I dunno if Error 99 triggered the early release of the post, but WP has had, in the past, information disclosure vulns.&lt;br&gt;&lt;br&gt;3. Jesse: "The bottom line in this case is pretty simple - If person Dan tells Thomas some information only because Thomas agrees to unconditional secrecy, then it’s really not up to Thomas.".&lt;br&gt;&lt;br&gt;Please reread the first paragraph of my post.&lt;br&gt;&lt;br&gt;4. Finally: I'm willing to bet a few thousands of us had the text of the post saved, but I only see a few posts around the net with it.  So I guess this campaign for obscurity (let's call it for what it is) has simultaneously succeeded and failed.&lt;br&gt;&lt;br&gt;If anything, Thomas shouldn't have promised secrecy to Dan in order to get the goods.  It was probably a matter of reading the commits in BIND to figure it out.  That way, Thomas wouldn't have been obligated to secrecy in a matter that was bound, sooner or later, to hit the public.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rudd-O</dc:creator><pubDate>Wed, 23 Jul 2008 00:47:40 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324511</link><description>dan was playing god.  now he's not.  it's not good to play god.  
who does dan think he is?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">anon</dc:creator><pubDate>Wed, 23 Jul 2008 00:34:35 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324456</link><description>Seriously, good work Tom (no sarcasm intended). We have all been desperate for news/confirmation regarding this and Dan has let the entire net community down. Whether or not your post was intentional (I doubt a man of your skill would screw this up accidentally), you did the right thing in releasing this information and breaking the monopoly Dan held on it. Kudos to you.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">anon</dc:creator><pubDate>Wed, 23 Jul 2008 00:12:43 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324455</link><description>so... you are a security company and you accidentally publish a post about one of the biggest secrets of the internet?&lt;br&gt;&lt;br&gt;ah! no! it's just that "a post appeared on our blog"&lt;br&gt;&lt;br&gt;good work... (sarcasm)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">marc</dc:creator><pubDate>Tue, 22 Jul 2008 23:41:34 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324565</link><description>Matt: &lt;br&gt;&lt;br&gt;The goal, once I saw Halvar's post, was to wait for Dan's imminent confirmation (we expected a blog post from him) and post then. &lt;br&gt;&lt;br&gt;I was surprised that Dan continued to keep it quiet after Halvar posted, and even more surprised to see our draft had been published. 
It was a worst-case scenario for us.&lt;br&gt;&lt;br&gt;There are a lot of things I could have done differently to keep us out of this story, almost all of which I wish I did.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 22 Jul 2008 23:17:08 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324564</link><description>Joey, it sucks that you think that, and I have no illusions that I'm going to change your mind. But I'm going to come back at you on the "bashing Kaminsky" comment, because it's not true. Did I doubt Dan had a real new vulnerability, and not just a clever new exploit? Absolutely. Did I get set straight? Yes. I've respected Dan since his talk at Black Hat in '04 when he stored files in DNS caches. &lt;br&gt;&lt;br&gt;I think Dan has a right to feel like he took flak from me even after telling me what the vuln was. At this point, I've fumbled any moral authority I have to persist in those arguments. But I didn't make them to hurt Dan's feelings. He retains what is likely to be the best talk at Black Hat, though it's his business to tell you why.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 22 Jul 2008 23:13:01 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324563</link><description>@ jf&lt;br&gt;&lt;br&gt;"well congrats, you guys managed to squeeze your name in on dan’s find and garner some of the press for yourself. Is this a matasano marketing technique? 
Attack whoever is in the news now as a means of getting in the news also?"&lt;br&gt;&lt;br&gt;this "accident" is worse than a marketing scheme gone bad, it's the type of thing that i refer to when a highly public data loss occurs as an OEE (pronounced "Oy"- organizational ending event). whether matasano can endure the data loss is anyone's guess, but i find it beyond inexcusable for an &lt;i&gt;infosec research company to facilitate the very breaches that Dan worked very hard at attempting to protect..&lt;/i&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">joeyb</dc:creator><pubDate>Tue, 22 Jul 2008 23:01:13 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324562</link><description>@Mike: Yes, as I get older I believe more and more in people's devious hidden agendas, but I am of the opinion they just pulled the trigger too early on this one, and that's all.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Matt</dc:creator><pubDate>Tue, 22 Jul 2008 22:14:37 -0000</pubDate></item><item><title>Re: Regarding The Post On Chargen Earlier Today</title><link>http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/#comment-2324534</link><description>What about DNS Servers behind a NAT device which doesn't randomize the new source port? (Which from what I have read, is the majority.) Has anyone confirmed if this negates the patch and means we are just as vulnerable as we ever were?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">John</dc:creator><pubDate>Tue, 22 Jul 2008 22:05:50 -0000</pubDate></item></channel></rss>