Slashdot Mirror

← Back to Stories (view on slashdot.org)

BIND Security Info For "Members Only"?

Posted by ryuzaki0 on from the security-through-obscurity dept.

achurch writes: "Paul Vixie has posted a message to bind-announce suggesting the formation of a "members-only" security information list for BIND, the DNS server used on most Internet systems. Membership would be limited to root/TLD nameserver operators, software vendors using BIND, and 'other qualified parties,' and members would have to sign 'strong nondisclosure agreements.'" I'm not sure how I feel about this, but I'm sure a lot of readers do.

19 of 331 comments (clear)

  1. Re:how many more buffer overflows is it going to t by rw2 · · Score: 4
    Ok, who marked this insightful?

    His comment:

    I write C++ code daily.

    Is particularly suspect as a daily C++ writer would know to use the STL and thus remove all (not most, all) possibility of the programmer f'ing up a bounded array.

    C, I'm with you on. It's a lot harder to control (though it's a simpler language too, so maybe the two things are a wash)

    C++. You can easily contain buffers overflows.

    --

  2. I can kinda understand by macdaddy · · Score: 5
    They see bugs being exploited in mass causing huge problems for the Internet world at large and they want to minimize the number of people that here about the bugs before they're fixed. Understandable. I don't think security through temporary obscrutiny is the way to go though. My $.02.

    BTW, first?

    --

    1. Re:I can kinda understand by msuzio · · Score: 5

      I think the biggest problem here is that BIND is *so* widespread (maybe even more so than sendmail?), when a bug breaks, it is immediately a major exploit waiting to happen.
      When the latest BIND 4/8 bugs hit, people were reporting attempts to exploit the bug almost immediately. That's really bad.

      So, is it OK to do this in an attempt to give the good guys a jump on the bad guys? Maybe. I'm very leery of any circumstance where bugs are actively hidden. I do believe that disclosure is key in any security situation. That having been said, I don't think that a closed list which agrees to discuss bugs locally before full disclosure is all bad.

      --
      It's a strange world -- let's keep it that way
    2. Re:I can kinda understand by MartinG · · Score: 5

      So what do you say to the ppl whose boxes are exploited in the meantime?

      BIND user: My box was exploited because of a buffer overflow bug that we didn't know existed.

      BIND bug ppl: Ah yes, we knew about that but we didn't tell anyone in case script kids heard about it.

      BIND user: Great. Now all our top secret info had been stolen and it could have been prevented. If you made the bug public then WE could have decided what was best, and possibly taken the machine(s) offline until there is a fix.

      Think of it this way. If it was discovered that there was a really easy way of unlocking all existing house doors, would you want that information hiding temporarily in case criminals learned about it or would you want to know so you could at least have a chance to board up the doors if you thought it was neccesary. Making the expolit information available to all admins (regardless of whether the hax0rz also know) puts the admins in control which is the right thing to do.

      Also, the problem with this stupid idea of limiting information spread is that it assumes the script kids are more on the ball than the admins. If that _is_ true, then _that_ is the problem that needs solving because in the end a poorly administered box will always be cracked however slowly or quickly you get the exploit info out.

      --
      -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  3. Slashdot in a sentence by dubl-u · · Score: 4

    I'm not sure how I feel about this, but I'm sure a lot of readers do.

    Wow, that is Slashdot in a nutshell, isn't it?

  4. Use djbdns if you want security by mayoff · · Score: 4

    Use djbsdns (from the author of qmail) if you want a secure DNS server. http://cr.yp.to/djbdns.html

  5. Public relation defense by CharmQuark · · Score: 4
    It seems that such a scheme treats security issues a public relations problem and not a technical problem. Although such a PR approach does have merit, as when the mayor of a large city asks the new agencies not to put every murder front page, computer security would not seem to qualify.

    I have just finished reading Secrets and Lies. This book talks about how security problems used to be handled through an organization that would keep the problems from the public until the manufacturer created a patch. The upshot was that manufacturers often did not take the problem seriously. The book also talks about how software and hardware manufactures have no significant liabilities for security faults. This leads to a bad situation in which the only tool the cosumer can use to effect a fix is the publicity attack.

    Additionally, by limiting the distribution of information, one is implicitly limiting the amount of brainpower available to solve the problem. One cannot assume that all of these qualified security experts are going to belong to every closed list. Although open sourcing the code does allow such people the opportunity to look at the code, hiding a problem may not make best use of the available resources.

    Having a secure mailing list for product security defect does not make the product more secure. Have a closed mailing list does not make the loss of personal data any less harmful. A closed list of security defects merely allows security products manufacturers to exaggerate the security of the product to an uneducated populous.

  6. What difference does that make? by jcr · · Score: 4

    If you don't like DJB's attitude, then don't invite him to your dinner party. What does that have to do with the quality of his code?

    Personally, given sendmail and BIND's history of sprouting remote-root holes, I rather like the idea of an MTA and a name server that were written by someone who's paranoid.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  7. Re:Fights script kiddies by RollingThunder · · Score: 4

    The point of full disclosure is that the kiddies already talk to each other a lot, and schmooze with the actual skillful people - the ones that make the "exploit in a box" packages. Not talking openly and clearly, including an exploit so you can verify if your system is indeed secure or vulnerable, just means that the wite hats are hobbled - the black hats will still operate just fine.

  8. DJB's code may be secure, but it's a pain.... by Skapare · · Score: 4

    DJB's code may be secure, but it's a pain in the arse to administer. And that in itself is a security risk waiting to blow.

    As most of us know, "Security isn't a thing; it is a process" [Schneier]. Administration is a very critical link in security... as critical as the code, if not more so. When administrative procedures and tools are clear and easy to use, fewer mistakes happen. Turn that around and you get more mistakes that can lead to security exposures, even for very experienced and security conscious administrators.

    I switched from Sendmail to Qmail over a years ago. While I didn't regret it, I did experience difficulties in administering it. While I got some help, I also got a lot of "read the source" responses. Those responses were cop-outs. Even though I have 19 years C coding experience, I found DJB's code hard to read, and his organization non-obvious. And there were no comments to explain it. The source code was essentially useless as a resource for administering Qmail.

    I looked into changing again, and studied Exim and Postfix. I decided to go with Postfix for some reasons not really related to any problems I found in Exim. I certainly do not regret this change. It is much easier to administer than Qmail. And unlike the Qmail community, I haven't yet run into anyone in the Postfix community that cops an attitude when there is a disagreement.

    I am aware of DJB's security concerns about Postfix. But I consider the tradeoff to shed the security problems of administration difficulties to be worth making the move over to Postfix.

    This is why I'll be reluctant to immediately move to DJBDNS, though I can certainly say I am tempted to give it a try.

    --
    now we need to go OSS in diesel cars
  9. of course by Dr.+Awktagon · · Score: 4

    How stupid of us! All we have to do is get system crackers to sign NDA's.. man.. and here I am sweating my ass off every day to secure my systems, when a piece of paper will do the trick.

    Actually, maybe I should just put a banner on my systems which is like "click-thru NDA".. so just by looking at it they have to follow it. Yeah.. Where's my patent lawyer?

  10. This actually isn't a bad idea by jayfoo2 · · Score: 5

    I'm a big fan of full disclosure of security issues, but this isn't an alltogether bad idea. If only because of the criticallity of BIND. If we could provide TLD admins with a little (note a little) warning before exploits were announced it would greatly lessen the chance of a script kiddie doing serious damage. However, the information must be then made public, so other administrators can stay informed. I would support giving TLD admins a head start. I would not support giving them an opportunity to try to rely on security through obscurity.

  11. members only is one thing, but fee-based?? by lupa · · Score: 5

    i can understand why they would want to close the list of announcements of security flaws - it would make sense in terms of protecting their users from people who would take the information and abuse it.

    but what's the point in making it cost money? Paul Vixie states "Recent events have very clearly shown that there is a need for a fee-based membership forum" but there's no description of said events, or explanation of any sort. haven't the vendors and name server operators already invested enough in BIND, without making the security information cost more?

    can someone else explain the purpose of the fee to me?

  12. My response.... by jalbro · · Score: 5

    I'm on the bind-users mailing list, and here are some of my comments:

    Date: Wed, 31 Jan 2001 20:39:35 -0500 (EST)
    From: Jeffrey C. Albro
    To: bind-users@isc.org
    Subject: Re: PRE-ANNOUNCEMENT: BIND-Members Forum

    On Wed, 31 Jan 2001, Cricket Liu wrote:
    > > This is not an open source but a full/partial disclosure issue.
    >
    > No, it's not. No one is arguing that the vulnerabilities shouldn't
    > be disclosed and disclosed fully. The question is when.

    I agree. However, the "when" part needs to be laid out MUCH more
    clearly. If a vulnerability is found on the first of the month, and the
    main bind tree is patched by the seventh of the month, how long do you
    wait for vendors to patch their (assuming they have forked to some
    extent) version? To the 14th of the month? How long will a viable fix of
    the main source tree be held in secret?

    > Surely you can understand the need to patch critical pieces of
    > infrastructure such as the root, gTLD and ccTLD name servers
    > and to prepare patched binaries of BIND for various operating
    > systems before the vulnerability becomes widely known.

    Of course. But how long do you give downstream developers? Do you give
    them N days, and when N+1 appears will the forum embarrass paying members
    of your group? If everyone signs an NDA, no-one can squeal. Can a time
    limit be put on the NDAs?

    I believe this idea can help solve security problems faster, with less
    advertisement of the exploit, but steps need to be taken to make sure that
    is actually what happens.

    How is the conflict of interest solved?

    -Jeff

    >
    > cricket
    >
    >
    >

  13. Fights script kiddies by DeadVulcan · · Score: 4

    I think there is probably general consensus (here on Slashtot anyway) that "security through obscurity" doesn't work.

    However, I believe that on the internet, the ubiquity of script kiddies is changing the rules.

    The argument traditionally goes that people who want to compromise security will learn the "tricks of the trade." It's therefore in the interests of the securers to discuss exploits openly, or at the very least among themselves.

    That last stipulation is the crux.

    I think that exploits that are revealed by securers and crackers alike are broadcast across the internet so quickly and sometimes, in such a convenient fashion (like a little program in which you just "press the big red button") that an early and temporary "information quarantine" of this sort can make a lot of sense, as long as it's done right.

    That's just my take, anyway.

    --

    --
    Accountability on the heads of the powerful.
    Power in the hands of the accountable.
  14. Won't help the "general user", at least not a lot by mdb31 · · Score: 5
    You're reading this wrong: Vixie is proposing to form this 'support group' in response to criticism that only the root and some TLD server operators were notified in advance about the latest BIND emergency fix release. A lot of people were asking "why weren't we told in advance about these bugs, and this is the answer. This proposed group (now with public membership rules instead of a "secret handshake") would know about new BIND emergency maintenance releases a few days/weeks before they would be generally available, allowing them to safely upgrade.

    This is not about doing away with full disclosure: merely delaying it to make sure that critical parts of the Internet infrastructure can't be easily brought down by K3WL RAD SCR1PT K1DD13S. For "regular" users, this won't make a difference: even if they receive advance notification (say, 1 or 2 days), as soon as the new version hits the FTP server, every "hacker" idiot will be out there diffing the new version against the old and finding the security flaws

    Exploits will still be on Bugtraq in a few hours, and the usual legions of K3WL RAD SCR1PT K1DD13 L00SERS will be on your servers anyway soon after that. The proposed group would just make sure the really important servers are difficult to exploit and that your vendor might have a fixed version available at the same time the new general BIND (in source format...) is.

    I don't feel great about this, but only because I'm asking myself what happened to the Internet where users used to care, not mindlessly destroy each other's networks...

  15. It makes some sense by dubl-u · · Score: 5

    I don't think security through temporary obscrutiny [sic] is the way to go though.

    Giving vendors a little jump on the crackers makes some sense. When a bug is announced, it's nice to have patches ready, too, and a whole mess of people ship BIND.

    I'd be worried, though, that this would allow coverups; to prevent that from the start, they should make the mailing list archives automatically available after, say, 30 days.

    Information control is usually harmful in the long run, but it can be helpful in the short run.

  16. We became BIND-free, and love it. by SgtAaron · · Score: 5
    It's an amazing coincidence that I was in the process of ridding our network of BIND forever when I saw Paul Vixie post to NANOG. That was last Friday evening, three days before I saw anything about this on Bugtraq.

    Just last week I had decided that BIND was just too much of a hog, and the past security issues always nagged at me. I got rid of Sendmaul three years ago for the same reasons and switched our mail servers to qmail; this time I decided again to use djb's software and did the work of installing djbdns, a pretty lightweight name server that does everything I need it to do.

    Some of the things I have started to like about djbdns:

    • Easily-parsible data file format
    • Fast and lightweight, you can set it to use little memory and it will still work fine (my last day using BIND it had sucked 50MB of RAM)
    • It's secure! While still remaining skeptical, and no matter what you think of djb, he writes damn secure code
    • Return different answers depending on where the question came from; i.e. internal and external ip addresses get a different (or none) answer when looking for foo.example.com. (did bind do this? not sure)
    The easily-parsible data file format allows me to keep our DNS data in a mysql database and write tools to manage things easier--via the web, command-line, whatever. I would hate to have to hack together something to read/write bind's zone files (perhaps there is a tool already, I don't know off-hand, but I don't care any more ;-). It's nice to be running a piece of software that I know will not enable the script kiddie next door access to my network.

    Even though I know BIND 9 is supposed to be completely different, it still does not engender my trust enough to use it any longer.

  17. Re:j00 R ! 31337! by kju · · Score: 4

    It seems you are not understanding, not me. Of course BIND is open source, and of course we all can go out to hunt that bugs and holes ourselves. But we will likely miss some of them.

    Now imagine a list where new found holes are described in secret. No one else knows about it, no one else will fix it, before these guys decide, that the poor rest is now ready to get the news.

    This is fine until some cracker finds his way into this list. That would be dreamland for him: Unpublished exploits, fearless targets out in the whole world.

    Its a bit like security by obscurity. After all its just a damn dumb idea. Hiding the bugs or delaying the information about them will not fix them.

    I can not see any positive thing is this, not a little bit.