Slashdot Mirror


Paul Vixie Responds To DNS Hole Skeptics

syncro writes "The recent massive, multi-vendor DNS patch advisory related to a DNS cache poisoning vulnerability, discovered by Dan Kaminsky, has made headline news. However, the secretive preparation prior to the July 8th announcement and hype around a promised full disclosure of the flaw by Dan on August 7 at the Black Hat conference has generated a fair amount of backlash and skepticism among hackers and the security research community. In a post on CircleID, Paul Vixie offers his usual straightforward response to these allegations. The conclusion: 'Please do the following. First, take the advisory seriously — we're not just a bunch of n00b alarmists, if we tell you your DNS house is on fire, and we hand you a fire hose, take it. Second, take Secure DNS seriously, even though there are intractable problems in its business and governance model — deploy it locally and push on your vendors for the tools and services you need. Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.'"

4 of 147 comments

  1. The back-biting is shameful by hal9000(jr) · Score: 5, Insightful

    This article at InformationWeek said it best the day after the announcement.

    Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad"

    1. Re:The back-biting is shameful by Goaway · Score: 4, Insightful

      So, you figure eighty vendors coordinated a simultaneous patch for some issue that is not really a big deal, probably just some guys vying for attention?

    2. Re:The back-biting is shameful by tyler.willard · Score: 4, Insightful

      Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)

      Sure you would; and the blame for any damage would be blamed on who made the disclosure.

      There is nothing wrong with how this was/is being handled. Limited disclosure with a solid and "reasonable" deadline is a perfectly fine way to balance the myriad issues with security threats.

  2. Doctors make the worst patients by wild_quinine · Score: 5, Insightful
    ... and IT admins make the worst end users.

    Knowing how to run a system is not purely technical knowledge, it's also a measure of professional ability. That means knowing when to take advice, and knowing who to take it from.