Slashdot Mirror
Paul Vixie Responds To DNS Hole Skeptics

syncro writes "The recent massive, multi-vendor DNS patch advisory related to the DNS cache poisoning vulnerability discovered by Dan Kaminsky has made headline news. However, the secretive preparation prior to the July 8th announcement and the hype around a promised full disclosure of the flaw by Dan on August 7 at the Black Hat conference have generated a fair amount of backlash and skepticism among hackers and the security research community. In a post on CircleID, Paul Vixie offers his usual straightforward response to these allegations. The conclusion: 'Please do the following. First, take the advisory seriously — we're not just a bunch of n00b alarmists, if we tell you your DNS house is on fire, and we hand you a fire hose, take it. Second, take Secure DNS seriously, even though there are intractable problems in its business and governance model — deploy it locally and push on your vendors for the tools and services you need. Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.'"

7 of 147 comments

  1. The back-biting is shameful by hal9000(jr) · · Score: 5, Insightful

    This article at Information Week said it best the day after the announcement.

    Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad"

    1. Re:The back-biting is shameful by Goaway · · Score: 4, Insightful

      So, you figure eighty vendors coordinated a simultaneous patch for some issue that is not really a big deal, probably just some guys vying for attention?

    2. Re:The back-biting is shameful by tyler.willard · · Score: 4, Insightful

      Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)

      Sure you would; and any damage would be blamed on whoever made the disclosure.

      There is nothing wrong with how this was/is being handled. Limited disclosure with a solid and "reasonable" deadline is a perfectly fine way to balance the myriad issues with security threats.

    3. Re:The back-biting is shameful by Anonymous Coward · · Score: 3, Insightful

      Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad"

      I don't want "irresponsible disclosure". I don't want to be vulnerable, while major corporations get to do marketing damage control. They had a hole. Ok, everyone makes mistakes. They found the hole. Great, then we can do something about it. Or not, because they kept quiet about it while secretly writing the fixes. They kept quiet about it for long enough that even Microsoft had fixes ready.

      Meanwhile, people's DNS servers have been exploitable. Yes, they were exploitable before that, but no good guys knew, and bad guys tend to keep information to themselves, so they can keep expanding their botnets.

      But at least their image wasn't damaged by "you don't even have a patch yet? How many months is it going to take? (See Microsoft Internet Explorer)". The only victims were unsuspecting customers, who didn't turn the damn thing off (or at least replaced it with something like djbdns), because they weren't told that it was broken in the first place.

      The "good guys" kept the information to themselves, until they had done their part. Just like the bad guys do. So where's the difference between the bad guys and the "good guys"?

      Paul himself compared it with a house being on fire. If your neighbour's house was on fire, would you be working in secret to fireproof the fence, and then tell your neighbour a few days later, "oh, btw, your house is on fire, started a couple of days ago. Here's a fire hose, see if anything can still be saved"?

      They didn't take the hole seriously enough to warn us before "marketing damage control" was done. Why should we take it more seriously?

  2. Doctors make the worst patients by wild_quinine · · Score: 5, Insightful

    ... and IT admins make the worst end users.

    Knowing how to run a system is not purely technical knowledge, it's also a measure of professional ability. That means knowing when to take advice, and knowing who to take it from.

  3. So, are we all compiling from source all the time? by SlappyBastard · · Score: 3, Insightful

    All paranoid theories about this issue sort of ignore the fact that unless you plan to install hundreds (or even thousands) of systems from your own compiled source for years and years to come, all of this discussion is at best academic.

    The new distros are going to have the patch.

    And really, considering the number of prehistoric vulnerabilities that should have been patched, that this one is finally getting patched is fine.

    Yeah, there's a bit of "trust me" factor here with this patch, but a lot of good people are putting their credibility on the line for this patch.

    This whole FOSS thing entails a lot of trust. I mean, you're really telling me that everyone on here whining about the need to see the source code has read every line of code in every OS they're using? There is a level at which we're all sort of hoping that the guys interested in each of the particular parts of the OS have done a thorough job in their separate efforts.

    --
    I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
  4. Re:I'm not worried by Atti+K. · · Score: 3, Insightful

    Where did you get that? From an (unpatched!) DNS server maybe?

    --
    .sig: No such file or directory