Re: [ISN] Researcher offers insight into DNS flaw

From: InfoSec News <alerts_at_private>
Date: Thu, 10 Jul 2008 03:26:00 -0500 (CDT)
Forwarded from: David E. Thiel <lx (at)>

> ...
> What he did next is remarkable: he waited. Instead of selling the 
> vulnerability to a company like TippingPoint through its program Zero 
> Day Initiative, wherein the company would then handle the vendor 
> contact and resolution, Kaminsky took the responsible step of 
> contacting the most affected vendors himself. He discussed with them 
> how best to address the flaw that resides at the most fundamental 
> level of how the DNS currently works.

This reporter is absurdly clueless. Firstly, it is in no way remarkable 
to work with vendors to release a patch and advisory. That is what is 
expected of security researchers. Secondly, holding a press conference 
announcing a critical flaw without providing users any relevant details 
is not "responsible disclosure" in the slightest. The patches have 
already been released, and people of all different hats are already 
working on determining the nature of the flaws. In the meantime, users 
are left unable to accurately gauge their risk.

The worst part is, the ISC "fix" is a joke - it doesn't even correctly 
randomize query source ports, instead using the same source port for the 
lifetime of the process. It's been commonly known for well over a decade 
that randomizing query source ports markedly increases difficulty of 
spoofing, and BIND *still* can't get it right.
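The source-port point above is easy to check on one's own resolver. The following Python audit is an added example, not code from the post, from ISC or from any resolver; it assumes a hypothetical query-log format (`txid=0x.... sport=NNNNN`) that you would substitute with whatever your capture or logging tool emits, and the sample log lines are constructed. It reports how many distinct source ports the resolver actually used and the empirical entropy of those ports, and it shows how the size of the (transaction ID, port) space a forged reply must match grows with port entropy.

```python
"""Audit whether a resolver randomizes UDP source ports on outbound queries.

Added example, not from the original post. Feed it log lines of the form
'HH:MM:SS txid=0x.... sport=NNNNN qname=...' (a hypothetical format) and it
reports how much source-port entropy the resolver actually provides.
"""
import math
import re
from collections import Counter

# Hypothetical log format; the regex and field names are assumptions, not a
# real resolver's output.
_LINE_RE = re.compile(r"txid=0x(?P<txid>[0-9a-fA-F]{1,4})\s+sport=(?P<sport>\d{1,5})")

# Constructed samples: one resolver pins a single source port for its lifetime
# (the behaviour the post complains about), the other picks a fresh port.
FIXED_PORT_LOG = """\
12:00:01 txid=0x1a2b sport=32768 qname=www.example.com
12:00:01 txid=0x9f01 sport=32768 qname=mail.example.com
12:00:02 txid=0x44c3 sport=32768 qname=ns1.example.net
12:00:02 txid=0x07e8 sport=32768 qname=www.example.org
12:00:03 txid=0xb2d9 sport=32768 qname=cdn.example.com
12:00:03 txid=0x5e10 sport=32768 qname=api.example.net
12:00:04 txid=0xc7a4 sport=32768 qname=ftp.example.org
12:00:04 txid=0x3311 sport=32768 qname=img.example.com
"""

RANDOM_PORT_LOG = """\
12:00:01 txid=0x1a2b sport=51207 qname=www.example.com
12:00:01 txid=0x9f01 sport=60412 qname=mail.example.com
12:00:02 txid=0x44c3 sport=33891 qname=ns1.example.net
12:00:02 txid=0x07e8 sport=45006 qname=www.example.org
12:00:03 txid=0xb2d9 sport=58733 qname=cdn.example.com
12:00:03 txid=0x5e10 sport=40198 qname=api.example.net
12:00:04 txid=0xc7a4 sport=63340 qname=ftp.example.org
12:00:04 txid=0x3311 sport=36527 qname=img.example.com
"""


def parse_query_log(text):
    """Return a list of (txid, sport) tuples; lines that do not match are skipped."""
    pairs = []
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if m:
            pairs.append((int(m.group("txid"), 16), int(m.group("sport"))))
    return pairs


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of a sequence, in bits."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def assess_port_randomization(pairs, min_distinct_ratio=0.9):
    """Summarise source-port behaviour over the observed queries.

    The entropy figure is estimated from the sample, so it is a lower bound on
    what the resolver could provide: eight samples can never show more than
    3 bits, even from a perfect 16-bit source. A fixed port shows 0 bits.
    """
    ports = [sport for _, sport in pairs]
    distinct = len(set(ports))
    ratio = distinct / len(ports) if ports else 0.0
    return {
        "samples": len(ports),
        "distinct_ports": distinct,
        "port_entropy_bits": shannon_entropy_bits(ports),
        "randomized": ratio >= min_distinct_ratio and distinct > 1,
    }


def response_match_space(txid_bits=16, port_entropy_bits=0.0):
    """Number of (txid, port) combinations a forged reply would have to match.

    With a fixed port only the 16-bit transaction ID protects a query; every
    bit of port entropy doubles the space, which is what "markedly increases
    difficulty of spoofing" amounts to.
    """
    return 2 ** (txid_bits + port_entropy_bits)


if __name__ == "__main__":
    for name, log in (("fixed-port", FIXED_PORT_LOG), ("random-port", RANDOM_PORT_LOG)):
        print(name, assess_port_randomization(parse_query_log(log)))
    print("match space, fixed port   :", response_match_space(16, 0))
    print("match space, 16-bit ports :", response_match_space(16, 16))
```

Run it against a few hundred real outbound queries rather than eight: the distinct-port ratio is the signal that matters for a resolver that reuses one port, while the entropy estimate only becomes meaningful once the sample is large compared with the port range. Also watch for NAT devices in front of the resolver, which can rewrite a well-randomized source port back to a single one.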

Received on Thu Jul 10 2008 - 01:26:00 PDT