Massive, Coordinated Patch To the DNS Released
tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could let attackers easily poison the cache of almost any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) of the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."
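The summary says what to do (patch) but not what the patch changes. The comments below note that the checker reports "vulnerable to DNS Cache Poisoning" and that djbdns escapes because it randomizes source ports, so here is an added example, written for this page and not taken from Kaminsky's tool, the advisory or any vendor, that models the guessing game a cache-poisoning attacker plays. It builds real DNS wire-format queries and forged answers in memory, has a toy resolver accept a reply only when destination port, transaction ID and question all match an outstanding query, and compares an attacker's odds against a resolver that always sends from one fixed port (port 53 is assumed here; pre-patch resolvers used some single port) versus one that picks a random port from the 1024-65535 range for every query (an assumed ephemeral range). The attacker address 192.0.2.1 and the query name are constructed sample values. Only the per-reply guessing step is modelled; the model says nothing about how Kaminsky's attack is actually driven or about any other conditions the attacker must meet.

```python
"""Toy model of the transaction-ID / source-port guessing game behind DNS
cache poisoning.  Added example for this page; every packet is constructed
in memory and nothing touches the network."""
import random
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: www.example.com. -> 3www7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, qname: str) -> bytes:
    """Standard recursive A query with the given 16-bit transaction ID."""
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid: int, qname: str, ip: str) -> bytes:
    """A forged answer: same question, one A record pointing at the attacker."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    # name is a compression pointer (0xC00C) back to the question at offset 12
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + rr


def parse_question(packet: bytes):
    """Return (txid, flags, qname) from the header and first question section."""
    txid, flags, _qd, _an, _ns, _ar = HEADER.unpack_from(packet, 0)
    pos, labels = HEADER.size, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return txid, flags, ".".join(labels) + "."


class Resolver:
    """Minimal resolver state: outstanding queries keyed the way a real
    resolver matches replies, by destination port, transaction ID and question."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.pending = {}
        self.cache = {}

    def send_query(self, qname: str):
        txid = self.rng.getrandbits(16)
        # Assumed pre-patch behaviour: every query leaves from port 53.
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        self.pending[(port, txid, qname)] = build_query(txid, qname)
        return port, txid

    def receive(self, dst_port: int, packet: bytes) -> bool:
        """Accept a reply only if port, TXID and question match a pending query."""
        txid, flags, qname = parse_question(packet)
        if not flags & 0x8000:          # QR bit clear: not a response
            return False
        key = (dst_port, txid, qname)
        if key not in self.pending:     # wrong port or wrong TXID: silently dropped
            return False
        del self.pending[key]
        self.cache[qname] = packet      # poisoned: forged record is now cached
        return True


def flood(resolver: Resolver, qname: str, n_forged: int, rng: random.Random, port_guess) -> bool:
    """Attacker blasts n_forged replies with random TXIDs at a guessed port."""
    for _ in range(n_forged):
        pkt = build_response(rng.getrandbits(16), qname, "192.0.2.1")  # constructed attacker IP
        if resolver.receive(port_guess(), pkt):
            return True
    return False


def success_probability(port_bits: int, n_forged: int) -> float:
    """Chance that at least one of n forged replies matches when the attacker
    must guess 16 TXID bits plus port_bits of source-port entropy."""
    space = 2 ** (16 + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** n_forged


def simulate(randomize_port: bool, n_forged: int, trials: int, seed: int = 7) -> float:
    """Fraction of trials in which the attacker poisons one lookup."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        r = Resolver(randomize_port, rng)
        r.send_query("www.example.com.")  # constructed sample name
        guess = (lambda: rng.randrange(1024, 65536)) if randomize_port else (lambda: 53)
        wins += flood(r, "www.example.com.", n_forged, rng, guess)
    return wins / trials


if __name__ == "__main__":
    print("fixed port, 65536 forgeries:", success_probability(0, 65536))
    print("random port, 65536 forgeries:", success_probability(16, 65536))
    print("simulated, fixed port:", simulate(False, 20000, 30))
    print("simulated, random port:", simulate(True, 20000, 30))
```

With a fixed source port the attacker only has to cover the 16-bit TXID, and about 65,000 forged replies give roughly a 63% chance of a hit per race; with the port randomized the same flood has odds on the order of one in 65,000, which is why the patch is a mitigation rather than a protocol fix: it widens the search space, it does not remove the guessing game. The model does not include the legitimate answer racing the forgeries or the retry tricks an attacker uses, so treat the numbers as an illustration of the entropy argument only.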
http://www.doxpara.com/
Your name server, at 65.24.7.3, appears vulnerable to DNS Cache Poisoning.
Sweet!
Still, it's not exactly like you clicked a banner with a lame attempt at a bouncing, fake window telling you your DNS software was in immediate need of a fix and that this combination patch and shopping buddy would fix it.
Your mind is clear / The things that you fear / Will fade with how much you / Believe what you hear
I'm (sort of) a native German speaker, in which "DNA" is abbreviated "DNS" ("Desoxyribonukleinsäure" with "säure" being "acid").
Needless to say, my first impression of the headline was way more futuristic than what is there.
Power corrupts the few, while weakness corrupts the many.
> Microsoft's own DNS implementation is also affected
Did anyone else notice that today is Tuesday?
It's easy, you just look for a comment like: /* BEGIN bug causing possible MASSIVE future EXPLOIT. */
Uhm...
DJB-ware is now in _public_ _domain_. That's even more liberal than the BSD license.
So, update your /etc/hate file with newer facts...
Recommendation is more CERTS, as they will help with the sand breath.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
If I was a hacker I would look for that comment to find an exploit in the first place. And others like
// this is ugly, but it seems to work
// remember to fix this later
// whoever wrote this sucks
Oh, the only one you *really* need to look for is // should never happen
although // drunk now, fix later
is also good.
Socialism: a lie told by totalitarians and believed by fools.
it is good to have a sysadmin who can write programs in binary
I'd like to meet one of these sysadmins. I've written system stuff in C and other stuff in Pascal, C++ and Perl over the years but the guy that can write direct to binary must really know his stuff. Just think, his keyboard only needs two keys!
Note that DJBDNS (and derivatives) are not affected, since it uses randomized source ports for DNS resolving.
Also not affected: DJBDNS's IPv6 and IXFR functionality, since Dan didn't want to bother implementing them.
Dewey, what part of this looks like authorities should be involved?
Attention all DJB software fans, here's another chance to champion the superiority of DJB's software.
Yup, and we even have the time, as we are not busy patching our servers!
No, it's binary, real men solder a telegraph device to the motherboard, and just push down for 1, up for 0, really, really fast!
What are we going to do tonight Brain?
Have you ever seen the opposite? A bunch of coders trying to be sysadmins.. scary! Was the first admin at a software dot-com, they wanted to know why the network, consisting of a dozen $50 100MB "switches" they got at Staples daisy-chained together, was so slow.. I can understand their idea, as in theory, it should work, but in reality it doesn't. (kinda like when I program. It always compiles, doesn't always work...)
What are we going to do tonight Brain?
Don't forget to include positive commentary on the licensing and patch status.
Anyone who champions DJB software already has to bear the burden of running qmail. It doesn't get much worse than that already.
In the free world the media isn't government run; the government is media run.
/* John was hit by a bus last week :( I have no idea what he was doing here, I'll just return 1 and hope for the best.. */
which is totally what she said
No. This last week, as often happens, I blindly wandered through the hours in a haze of narcotics and alcohol, vomiting onto my co-workers and randomly saying "whuth day is ih..??". This culminated in me forgetting that it is the second Tuesday in July and therefore due to a long and boring story, the one time in the year where I am meant to come home and cook dinner for the start of a romantic evening with my beloved wife. I think it was rather the straw that broke the camel's back, and she's just this minute left me for a tall Puerto Rican calendar designer. He always knows what day it is.
Oooooh wait, you mean like patch tuesday? Gotcha..
which is totally what she said
" Everybody else is being patched to the level of security that we djbdns users have always had. Not to be *too* smug, of course."
Bingo.
If we were being smug we'd say something like "what do you expect when cert advisories are published as doc files?".
Need Mercedes parts ?