Slashdot Mirror
Paul Vixie Responds To DNS Hole Skeptics
syncro writes "The recent massive, multi-vendor DNS patch advisory related to DNS cache poisoning vulnerability, discovered by Dan Kaminsky, has made headline news. However, the secretive preparation prior to the July 8th announcement and hype around a promised full disclosure of the flaw by Dan on August 7 at the Black Hat conference has generated a fair amount of backlash and skepticism among hackers and the security research community. In a post on CircleID, Paul Vixie offers his usual straightforward response to these allegations. The conclusion: 'Please do the following. First, take the advisory seriously — we're not just a bunch of n00b alarmists, if we tell you your DNS house is on fire, and we hand you a fire hose, take it. Second, take Secure DNS seriously, even though there are intractable problems in its business and governance model — deploy it locally and push on your vendors for the tools and services you need. Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.'"
Today at Black Hat the DNS exploit was explained and demonstrated in full. After getting 98% of the systems running DNS to apply an urgent patch it was disclosed that the patch was the hack. All patched DNS servers were then compromised during the Black Hat demonstration. This shows how a process can be used to introduce code that allows an outside entity full control of all systems on the network. During the demonstration Dan repeated his statement, "stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching." Obviously he was refering to all the work he had to do to coordinate the largest take over of the Internet. A bot net of 100,000,000 systems was created in just a few minutes.