Forwarded from: David E. Thiel <lx (at) redundancy.redundancy.org>
> http://news.cnet.com/8301-10789_3-9985815-57.html
>
> ...
>
> What he did next is remarkable: he waited. Instead of selling the
> vulnerability to a company like TippingPoint through its program Zero
> Day Initiative, wherein the company would then handle the vendor
> contact and resolution, Kaminsky took the responsible step of
> contacting the most affected vendors himself. He discussed with them
> how best to address the flaw that resides at the most fundamental
> level of how the DNS currently works.
This reporter is absurdly clueless. Firstly, it is in no way remarkable
to work with vendors to release a patch and advisory. That is what is
expected of security researchers. Secondly, holding a press conference
announcing a critical flaw without providing users any relevant details
is not "responsible disclosure" in the slightest. The patches have
already been released, and people of all different hats are already
working on determining the nature of the flaws. In the meantime, users
are left unable to accurately gauge their risk.
The worst part is, the ISC "fix" is a joke - it doesn't even correctly
randomize query source ports, instead using the same source port for the
lifetime of the process. It's been commonly known for well over a decade
that randomizing query source ports markedly increases difficulty of
spoofing, and BIND *still* can't get it right.
Received on Thu Jul 10 03:26:00 2008
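As an added example that is not part of David Thiel's post, here is a check a defender can run over a capture of a resolver's outgoing queries to see whether it reuses one UDP source port, the behaviour the post attributes to the ISC fix; the tcpdump-style line format and the sample lines are constructed assumptions.

```python
# Checks whether each resolver in a tcpdump-style capture varies its UDP source port.
import re
from collections import Counter, defaultdict
from math import log2

# "src_ip.src_port > dst_ip.53:" as printed by tcpdump -n (pattern is an assumption).
QUERY_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53:")

# Constructed sample: 192.0.2.10 reuses port 32768 for every query (the
# "same source port for the lifetime of the process" behaviour); 192.0.2.20
# picks a fresh port each time.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 192.0.2.10.32768 > 198.51.100.1.53: 4711+ A? example.com. (29)
12:00:00.000002 IP 192.0.2.10.32768 > 198.51.100.2.53: 9021+ A? example.net. (29)
12:00:00.000003 IP 192.0.2.10.32768 > 198.51.100.3.53: 1337+ A? example.org. (29)
12:00:00.000004 IP 192.0.2.10.32768 > 198.51.100.1.53: 2200+ AAAA? example.com. (29)
12:00:00.000005 IP 192.0.2.20.51034 > 198.51.100.1.53: 6001+ A? example.com. (29)
12:00:00.000006 IP 192.0.2.20.17788 > 198.51.100.2.53: 6002+ A? example.net. (29)
12:00:00.000007 IP 192.0.2.20.60123 > 198.51.100.3.53: 6003+ A? example.org. (29)
12:00:00.000008 IP 192.0.2.20.40417 > 198.51.100.1.53: 6004+ AAAA? example.com. (29)
"""

def source_ports_by_resolver(capture):
    """Map each querying IP to the list of UDP source ports it used, in order."""
    ports = defaultdict(list)
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            ports[m.group(1)].append(int(m.group(2)))
    return dict(ports)

def port_entropy_bits(ports):
    """Empirical entropy of the observed ports in bits; 0.0 when one port is reused."""
    n = len(ports)
    return -sum(c / n * log2(c / n) for c in Counter(ports).values())

def assess(capture, min_queries=4):
    """Label each resolver 'fixed-port', 'randomized', or 'insufficient-data'."""
    verdicts = {}
    for resolver, ports in source_ports_by_resolver(capture).items():
        if len(ports) < min_queries:
            verdicts[resolver] = "insufficient-data"
        elif len(set(ports)) == 1:
            verdicts[resolver] = "fixed-port"
        else:
            verdicts[resolver] = "randomized"
    return verdicts

if __name__ == "__main__":
    for resolver, ports in source_ports_by_resolver(SAMPLE_CAPTURE).items():
        print(resolver, assess(SAMPLE_CAPTURE)[resolver],
              f"{port_entropy_bits(ports):.2f} bits observed")
```

A handful of queries only shows reuse, not the quality of the randomization; a fixed-port verdict is the clear signal here, while a "randomized" verdict over a short capture says nothing about how predictable the port sequence is.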