Forwarded from: David E. Thiel <lx (at) redundancy.redundancy.org>

> http://news.cnet.com/8301-10789_3-9985815-57.html
>
> ...
>
> What he did next is remarkable: he waited. Instead of selling the
> vulnerability to a company like TippingPoint through its program Zero
> Day Initiative, wherein the company would then handle the vendor
> contact and resolution, Kaminsky took the responsible step of
> contacting the most affected vendors himself. He discussed with them
> how best to address the flaw that resides at the most fundamental
> level of how the DNS currently works.

This reporter is absurdly clueless. Firstly, it is in no way remarkable to work with vendors to release a patch and advisory. That is what is expected of security researchers. Secondly, holding a press conference announcing a critical flaw without providing users any relevant details is not "responsible disclosure" in the slightest. The patches have already been released, and people of all different hats are already working on determining the nature of the flaws. In the meantime, users are left unable to accurately gauge their risk.

The worst part is, the ISC "fix" is a joke - it doesn't even correctly randomize query source ports, instead using the same source port for the lifetime of the process. It's been commonly known for well over a decade that randomizing query source ports markedly increases difficulty of spoofing, and BIND *still* can't get it right.

Received on Thu Jul 10 2008 - 01:26:00 PDT
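
The behaviour the post describes (one query source port for the lifetime of the process) can be checked from a capture of a resolver's outbound queries. The following is an added example, not part of the original post or of any project's code; the function name, verdict labels and sample port lists are constructed for illustration.

```python
import math
from collections import Counter

TXID_BITS = 16  # width of the DNS transaction ID field

# Constructed samples: source ports of eight consecutive outbound queries.
FIXED_SAMPLE = [32768] * 8
SEQUENTIAL_SAMPLE = list(range(1024, 1032))
VARIED_SAMPLE = [49152, 1733, 60211, 23984, 5120, 41007, 33333, 12001]


def source_port_report(ports):
    """Rate the source ports seen on a resolver's outbound queries.

    ports: UDP source ports in the order the queries were sent.
    Returns (verdict, port_bits, guess_bits). port_bits is the Shannon
    entropy of the sample, so it cannot exceed log2(len(ports)); collect
    many queries before trusting a VARIED result.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    n = len(ports)
    counts = Counter(ports)
    port_bits = -sum(c / n * math.log2(c / n) for c in counts.values())
    # Step between successive ports, modulo the 16-bit port space.
    deltas = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if len(counts) == 1:
        verdict, port_bits = "FIXED", 0.0       # one port for every query
    elif len(deltas) == 1:
        verdict, port_bits = "SEQUENTIAL", 0.0  # constant step, predictable
    else:
        verdict = "VARIED"
    # Bits an off-path spoofer must guess: transaction ID plus source port.
    return verdict, port_bits, TXID_BITS + port_bits


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("varied", VARIED_SAMPLE)]:
        verdict, port_bits, guess_bits = source_port_report(sample)
        print(f"{name:10s} {verdict:10s} port bits {port_bits:.1f} "
              f"total bits {guess_bits:.1f}")
```

A FIXED or SEQUENTIAL verdict means the transaction ID is the only unpredictable value left in the reply, which is the situation the post objects to.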