Slashdot Mirror


User: deananderson

deananderson's activity in the archive.

Stories: 0
Comments: 20

Comments · 20

  1. Anti Spam Research Group head is a spammer, too on Russian Anti-Spam Advisor Accused of Spamming · · Score: 1

    John Levine is an owner/director of Whitehat. Whitehat is a spam company. Levine is head of the ISOC Internet Research Task Force (IRTF) Anti Spam Research Group (ASRG).

    http://www.iadl.org/whitehat/whitehat-story.html
    http://www.av8.net/IETF-watch/People/JohnLevine/index.html

    Other owner/directors of Whitehat include Rodney Joffe and Paul Vixie (of MAPS fame).

    http://www.iadl.org/vixie/index.html
    http://www.iadl.org/maps/maps-story.html
    http://www.iadl.org/RodneyJoffe/rodneyjoffe.html

    Vixie's ISC (root server F operator) is currently being funded by Rick Adams (uunet founder).
    It turns out that Vint Cerf (widely recognized as father of the internet, along with others) has been connected to Vixie through Adams. Cerf is also connected to the SEX.COM thief Stephen Cohen, as a childhood friend. Cerf apparently also induced Ray Plzak to assist Cohen's flight from justice. Plzak formerly worked with Cerf in the early days of the internet. Plzak was CEO of ARIN and used ARIN funds to resist court orders to transfer number resources belonging to Cohen in the SEX.COM case. ARIN transferred Cohen's resources to LACNIC, where they were no longer under US Court jurisdiction, even though ARIN remained in control of LACNIC, and could have transferred the resources back if the transfer was in error.

  2. DNSSEC Flaws Confirmed -- Avoid DNSSEC validation on Comcast Launches First Public US Trial of DNSSEC · · Score: 1

    DNSSEC Cache Poisoning has been confirmed just as I described. Note that many people are now advising to turn off DNSSEC validation.

        Most officially, I discussed it in my DNSSEC NTIA comments:
        http://www.ntia.doc.gov/dns/comments/comment027.pdf
        in the section on Cache Poisoning. Notably, Vixie et al disputed
        this when discussed on DNSOP and namedroppers. Guess they were wrong
        again.

        If you want to engage in honest uncensored discussion of DNS issues,
        subscribe to dnsop-honest or namedroppers-honest through the interface
        at lists.iadl.org

        [*] See DNSSEC cache poisoning links contained in
        http://lists.iadl.org/pipermail/namedroppers-honest/2010-January/000074.html
        The IETF has known of these problems for a long time, and silenced me
        to keep these problems quiet.

    Vixie and the IETF have known about the DNSSEC Cache Poisoning problem
    and other DNSSEC problems for a number of years, but they have covered
    it up by threatening and silencing critics. Inquiry reveals that DNSSEC
    is a scam that threatens the stability of the Internet.

    Please be sure to credit me with discovering the DNSSEC flaws. And
    please forward this message widely.

  3. Re:If MySQL over-reached with the GPL, tell the FS on MySQL's Influence On the GPL · · Score: 1

    If you don't get contributor agreements you didn't get ownership of the contributed code. You can't assert a copyright on code you don't own. This was a key element in the SCO/Linux suit. SCO didn't own the code it was claiming infringement on.

  4. Re:Sure they can claim it on IOC Claims Olympian Lindsey Vonn's Name As Intellectual Property · · Score: 1

    I agree that this is wrong. But it's hardly original. The major leagues do essentially the same thing on hundreds of sporting events and for thousands of professional athletes. Though, they have a myriad of other ways to make people "play ball" (forgive the pun).

    An interesting turn of law is that facts can't be copyrighted in the US. This was also held by Australia recently.
    http://yro.slashdot.org/story/10/02/14/0857256/Australian-Judge-Rules-Facts-Cannot-Be-Copyrighted
    I'm not certain about Canada and Europe, but it seems the trend of the law is against the IOC.

  5. Re:I love the double standards on Utah Assembly Passes Resolution Denying Climate Change · · Score: 1

    Very well said. A couple of points:

    Some of the climate scientists are accused of covering up contrary data, deleting emails, etc. This doesn't look good for the science. It's not just the crackpots who aren't adhering to standards of truth. The presence of crackpots doesn't justify a cover-up of contrary data. This is a cancer that affects science as well. I think the problem is systemic because it is experienced by scientists and society alike.

    I see this problem as a combined effect of the relativism you mention, but also the internet, where any "opinion" is asserted as fact. I've seen this over and over again. Some call it the wikipedia effect (e.g. 20000 polar bears). I see the effect being mocked in car commercials recently, even. (A certain car manufacturer has a commercial running recently with a story about the models purchased by George Washington. At the end it says "that's what it said on the internet".) But the lack of rationality and lack of "factuality" and lack of truth is a serious problem that has to change and change quickly. A complex planet-affecting society cannot be run by idiots.

  6. Childs was being fired on The Trial of Terry Childs Begins · · Score: 1

    The comments to date seem to ignore the fact that Childs was being fired, and THEN refused to hand over the passwords. Suppose a police officer refuses to hand over his gun and badge, and keys to the jail when fired, but decides to hold the whole town hostage to his physical control over the gun and jail? We would pretty quickly label that (former) police officer a terrorist, and pretty quickly get state and federal aid to retake control of the town. Similarly, Childs has held the City hostage by refusing to turn over the passwords. I'd call that cyber-terrorism. I wouldn't feel too sorry for him if they put him in Guantanamo. I've been in this industry for 20+ years, and it's just crazy to think that one can prevent being fired (and force firing the supervisor instead) by refusing to turn over the passwords. That nonsense about the "Mayor" is just nonsense: Childs' supervisor is the authorized, delegated representative of the Mayor. This dispute wasn't about getting an audience with the Mayor. My view is that Childs was trying to force them to fire the supervisor and to employ him. The City's only mistake was to allow the situation that only one person has the passwords. One person is just not that trustworthy.

  7. Re:Lots of speculation. on Micro-Black Holes Make Poor Planet Killers · · Score: 1

    The argument goes like this: There are plenty of cosmic rays which impact our atmosphere, the other planets in the solar system, the sun, other stars, everything, with energies across a huge spectrum, including LHC energies. Either the LHC will produce MBH or it will not. If it will, then cosmic rays also produce MBH, and do so without destroying any of the things we can see in the sky, so MBH from the LHC would similarly not destroy the earth. If the LHC will not produce MBH, then we have nothing to worry about in that regard anyway.

    This argument works for just about any Earth destroying LHC scenario, except, I suppose, the time traveling killer Higgs ;)

    Maybe that's where all the dark matter came from.

  8. Re:the article is bullshit. on Flash Vulnerability Found, Adobe Says No Fix Forthcoming · · Score: 1

    The point about not clicking on the content is good but irrelevant to antivirus scanning. Anything that embeds a suitably powerful scripting language is going to be subject to malware in the scripts. PDFs, MS Word and MS Excel files are prime examples. You can't fix this by changing the player, reader, or MS Word programs, except by turning off the script language. It really has to be fixed by anti-virus and malware detection.

  9. Re:How do we PREVENT this? on Secret Copyright Treaty Leaks. It's Bad. Very Bad. · · Score: 1

    http://yro.slashdot.org/comments.pl?sid=1430956&cid=29990734

    Your congresspeople may not be involved yet, but that is no matter. Ask them to get involved to see that there is an opportunity for fair, democratic input into the treaty. Tell them you don't like this abuse of the national security classification system to hide what should be open, honest, fair negotiations with an opportunity for public participation.

    The trade reps have a staff that will trashcan your letters, and they aren't accountable to the voters anyway. They are accountable to the State Department, which is accountable to the President and oversight by the Congress. The trade reps are there to carry out the will of the President, articulated through the Sec. of State and so on down. It's just a matter of getting their bosses to tell them to do something else (simpler said than done). The office of the Sec. of State will record the letters, the congresspeople will record the letters, and it helps groups like the LPF to have a copy to wave around if the letters don't get action.

        --Dean

  10. Oppose the ACTA Treaty on Secret Copyright Treaty Leaks. It's Bad. Very Bad. · · Score: 1

    I suppose that the treaty is only secret while it's being negotiated, since if people knew about it there would be a tremendous opposition developed. When the treaty is finalized, it will be made public, well after it's too late to change, and it will contain too many other things to refuse entirely. This is how unsavory deals are made. There is no "national security" involved.

    But refuse is precisely what we must do. Write to your congressman (via snail mail), and tell them to refuse the provisions of this treaty. And tell them to get public input on the treaty terms, rather than hiding behind false claims of "national security". They aren't negotiating a nuclear agreement, they are negotiating OUR rights, and we have a right to have a say in that.

    Sometimes these things can be turned into a positive. Sometimes they can't. But we absolutely have to know about them to have any fair, democratic input.

    Send a written, signed letter to your congressman, to your senator, and to the Secretary of State Hillary Clinton.

    Send a copy of the letter to the LPF at
    League for Programming Freedom
    60 Thoreau Street #299
    Concord MA 01742-2411

    Dean Anderson
    President
    League for Programming Freedom

  11. Re:How is this different on Fighting "Snowshoe" Spam · · Score: 1

    How does that practice lessen complaints? More IPs, more domains will still get the same number of complaints if they send out the same amount of spam.

    As was pointed out, botnets have been doing this for years. They did it so that they didn't trigger automatic volume based filters run by the ISPs with the infected hosts. The purpose of those filters was to detect a virus-host. But using volume based filtering on //receiving// email has been useless since forever because of the virus detection tactics. So, Spamhaus' whole premise just falls apart.

  12. Re:This is not new! on Fighting "Snowshoe" Spam · · Score: 1

    Spot on. I rather doubt that ISPs are selling this. Spamhaus offers no evidence of that. Furthermore, it would take a ton of IP resources, which would turn into big costs for the ISP. The big money to ISPs is in genuine commercial bulk emailers, not the scammers who already use botnets. There is never going to be big money in scam sites (those that change names every day). Such scam or no-reputation sites are just modern grifters using the internet. This is just another media hack from the Spamhaus/SORBS/MAPS crew. It's very similar to the Dan Kaminsky thing, where they also took old news and "sold" it as new. See pages on Spamhaus et al at www.iadl.org.

  13. Serious Business Disruption Posed by Patents on US Court Tells Microsoft To Stop Selling Word · · Score: 1

    I read a number of comments criticizing Microsoft for its pro-patent position. I sympathize. However, it must be recognized that many people and many companies depend on Word and other similar products. Free or non-free makes no difference to a software patent. This case is an example of just how disruptive a software patent can be. Too often the software patent cases are against obscure products that most people have never heard of, much less use on a daily basis. That fact just makes the threat of software patents seem remote to most people.

    With any luck, the Supreme Court will invalidate a large class of software patents in Bilski. But even if we win in Bilski, it is likely the Congress will respond by trying to change the law to overrule the Court. This is a long fight that the League for Programming Freedom (progfree.org) and others have waged for a long time, and a hard battle lies ahead. With any luck, this case will be a wakeup call to the pervasive and often unforeseeable danger posed by software patents. The potential mess grows larger every month as new software patents are issued. The only way out of the mess is to eliminate or curtail software patents. I urge people to take a look at the progfree.org website to see how they could help.

    Dean Anderson
    President
    League for Programming Freedom

  14. Re:new security products and services? great. on Kaminsky On DNS Bugs a Year Later and DNSSEC · · Score: 1

    The "Kaminsky bug" is a hoax. Kaminsky didn't discover anything. The only thing that Kaminsky can put his name on is the hoax. In my NTIA comments
    http://www.ntia.doc.gov/dns/comments/comment027.pdf I traced down everything Kaminsky claimed to have discovered to find the true author.

    There are no (or rare) "Kaminsky exploits" in the wild. All servers but BIND have implemented UDP port randomization for years. WITHOUT port randomization, one can exhaust the 16 bits of Query ID in 65000 spoofed UDP packets--if one does this before the genuine packet is returned, the attack is successful. WITH port randomization, one needs to send 26 million UDP packets if 256 ports are used by the nameserver---much harder. And DNS TCP is invulnerable to blind attacks.

    The Spring 2009 2600 Magazine has an article "Spoofing DNS on a LAN" but it is a man-in-the-middle attack, not the blind attack that Kaminsky describes. In the 2600 article, an ARP message is used to intercept DNS packets. The DNS packets are altered with a new IP address to cause an http request to go to a proxy server for "inspection".

    If DNSSEC were used in the same case as the article, the attacker just has to note the IP address given by DNSSEC, and send an ARP for *that* address which would cause its http proxy to intercept traffic to *that* address. Same result. DNSSEC is irrelevant to this attack. In fact, since the attacker can see the DNS request, it can just turn off the DNSSEC flag in the request so that a non-secure response is returned.

    It is possible that the requesting resolver might be configured not to accept unsecure requests, but this is very tedious and impractical. Each resolver has to be configured with keys and updated at just the right time or "DNSSEC suicide" results. Related to this is an attack on the caching nameserver that can result in Denial of Service to the client.

    Worse yet, the DNSSEC responses are very large, and so a spoofed request can easily have a 126X amplification factor. If this response is coming from Root DNS servers, there is no way to block the attack. Blocking packets from the root servers effectively disables ALL DNS.

    The "Kaminsky bug" is a blind attack using brute force to exhaust the 16 bits of Query ID in 65000 forged packets. This was discovered in 1999 by Dr. Dan Bernstein, and is fixed by port randomization. BIND/Vixie stubbornly refused to implement this change and even harassed and censored and blocked Bernstein's messages to IETF DNS lists. The next part of the Kaminsky hoax is to alter the Nameserver records provided as glue. But this was discovered in 2006.

    Kaminsky/Vixie et al really are making money on DNSSEC and the Kaminsky/Vixie Hoax is just scaring people into adopting DNSSEC, which doesn't solve any problem, but lines their pockets. Other DNS experts like Masataka Ohta have noted that DNSSEC is not secure end to end.

  15. Re:Question for Dan: signing the root on Kaminsky On DNS Bugs a Year Later and DNSSEC · · Score: 1

    Well, to be fair, the US govt has waged two wars against the countries Iraq and Afghanistan, and did not interfere with their domains. There are some lines that are technically possible to cross, but aren't likely to be crossed. It would create a lot of diplomatic fallout to alter domains.

    The only case I can think of where it might be a real problem is the case where there is a government in exile that requests changes to their country's domain that harms the de facto government in the country.

    However, one thing I didn't mention, and should have, is that if the US govt ever DID cross that line, the only response would be for other governments to create their own set of root servers. In that case, DNSSEC does play a significant role, since those alternate root servers wouldn't be able to securely delegate to TLDs that they didn't want to replace--say they replace .ir, but not .COM, .NET etc. They would have to turn off DNSSEC on all of the user recursive nameservers in all of their countries. Turning DNSSEC off is possible, but might lead to a significant disruption in the meantime.

  16. Re:Kaminsky/Vixie DNS Scam Known as Media Hack on Kaminsky On DNS Bugs a Year Later and DNSSEC · · Score: 1

    The .ORG operator won't respond to the question of whether they had regulatory approval to carry out this action.

    A Top Level Domain (TLD) is operated under the supervision of ICANN and IANA, just like the root DNS servers. So TLDs should have permission from ICANN & IANA (and so from the NTIA of the Department of Commerce of the US Govt)--again--just like the root DNS servers need approval. The NTIA requested comments on DNSSEC (which I responded to) but NTIA has not announced any authorization to go ahead. It is possible there is non-public information that isn't being shared; but it is also possible that the action was unilateral and unauthorized--rather like in 1998 when Postel tried to take over the root servers. In that case, the government intervened. I think the .ORG operator needs to answer the question: Did they have permission to deploy DNSSEC on .ORG?

  17. Re:Question for Dan: signing the root on Kaminsky On DNS Bugs a Year Later and DNSSEC · · Score: 1

    Yes. But the US govt could do that before. DNSSEC doesn't enable this.

    DNSSEC only enables a false sense of security that it wouldn't happen, while leaving the man-in-the-middle attack ignored and vulnerable.

    There are basically two kinds of attacks: Man-in-the-middle (MITM) and blind attacks, which cannot see responses. UDP Port randomization makes blind attacks quite nearly impossible, and this has been known since 1999 or before. TCP DNS makes blind attacks impossible.

    If the attacker is in the middle, it does not matter what DNS does, because the attacker can intercept the packets to the "right" IP address returned by DNS. So to protect against MITM attacks, one MUST use TLS or similar, and one MUST check that the correct certificates are returned. Nothing else will suffice, so DNSSEC is useless and solves no problem.
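The blind-attack versus port-randomization point made in comments 14 and 17 above reduces to one check a defender can run on their own recursive resolver: do its outbound queries actually vary the UDP source port and the 16-bit transaction ID, or is one of them fixed or predictable? The following is an added Python example, not code from the page or from any project or person it names. The tcpdump-style query lines, the resolver and target addresses (192.0.2.10 and 198.51.100.1) and the port/ID values are constructed for the demonstration, and the classification thresholds are my own choices.

```python
"""Classify a resolver's outbound DNS queries by source-port and
transaction-ID behaviour from tcpdump-style summary lines.

A blind spoofer must guess both the 16-bit transaction ID and the UDP
source port; if either is fixed or sequential the guess space collapses
to the other field alone.  (Added example; constructed data only.)
"""
import math
import re
from collections import Counter

# Matches the query summary that tcpdump prints for an outbound DNS query,
# e.g. "IP 192.0.2.10.41532 > 198.51.100.1.53: 6712+ A? example.com. (29)"
# group 1 = source port, group 2 = transaction ID ("+" means RD set).
QUERY_RE = re.compile(r"IP \S+?\.(\d+) > \S+?\.53: (\d+)\+? ")


def parse_queries(lines):
    """Return (source_port, txid) tuples for lines that look like DNS queries."""
    records = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            records.append((int(m.group(1)), int(m.group(2))))
    return records


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of a sample; log2(n) when all n values differ."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_sequence(values):
    """'fixed', 'sequential', 'random' or 'weak' for a sample of ports or IDs."""
    if len(set(values)) == 1:
        return "fixed"
    steps = [b - a for a, b in zip(values, values[1:])]
    # Ascending by 1 or 2 each query is the classic allocator pattern.
    if all(1 <= s <= 2 for s in steps):
        return "sequential"
    # Threshold (assumption): within 10% of the maximum entropy for the
    # sample size counts as random; anything else is treated as weak.
    if shannon_entropy_bits(values) >= 0.9 * math.log2(len(values)):
        return "random"
    return "weak"


def assess_resolver(lines, min_samples=8):
    """Summarise source-port and txid behaviour from captured query lines."""
    records = parse_queries(lines)
    if len(records) < min_samples:
        raise ValueError(f"need at least {min_samples} queries, got {len(records)}")
    ports = [p for p, _ in records]
    ids = [t for _, t in records]
    port_pattern = classify_sequence(ports)
    id_pattern = classify_sequence(ids)
    return {
        "samples": len(records),
        "source_port_pattern": port_pattern,
        "txid_pattern": id_pattern,
        "port_entropy_bits": round(shannon_entropy_bits(ports), 2),
        "txid_entropy_bits": round(shannon_entropy_bits(ids), 2),
        # Only when both fields are unpredictable is the blind guess space
        # the product of the two ranges rather than one 16-bit field.
        "blind_spoofing_mitigated": port_pattern == "random" and id_pattern == "random",
    }


def _lines(ports, txids):
    """Build constructed tcpdump-style lines (addresses are documentation ranges)."""
    return [f"IP 192.0.2.10.{p} > 198.51.100.1.53: {t}+ A? example.com. (29)"
            for p, t in zip(ports, txids)]


# Constructed samples, 16 queries each.
RANDOM_IDS = [6712, 51203, 917, 40022, 28871, 3350, 62010, 14485,
              9930, 57744, 21518, 35077, 811, 46309, 17263, 30599]
FIXED_PORT_LINES = _lines([53] * 16, RANDOM_IDS)                 # always port 53
SEQUENTIAL_PORT_LINES = _lines(range(1024, 1040), RANDOM_IDS)     # 1024, 1025, ...
RANDOM_PORT_LINES = _lines([41532, 8831, 60217, 3044, 29981, 51670, 12389, 45102,
                            19877, 63540, 7215, 36698, 24051, 57923, 1711, 48306],
                           RANDOM_IDS)

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_LINES),
                         ("sequential", SEQUENTIAL_PORT_LINES),
                         ("random", RANDOM_PORT_LINES)):
        print(name, assess_resolver(sample))
```

On a live system the lines would come from something like `tcpdump -n udp and dst port 53` on the resolver's outbound interface; the sample size matters, since a handful of queries cannot distinguish a randomizing resolver from a sequential one, which is why the function refuses fewer than eight.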

  18. Kaminsky/Vixie DNS Scam Known as Media Hack on Kaminsky On DNS Bugs a Year Later and DNSSEC · · Score: 1

    I think my comments to the NTIA on DNSSEC hit the point on Kaminsky and the DNS scam. As others pointed out, this is a group of shysters. MIT's "Technology Review" picked up the "Media Hack" aspect of the Story in December. That article is a good read if someone has a link.

    Here are my NTIA comments which detail the Kaminsky/Vixie scam aspects and expose problems with DNSSEC:
    http://www.ntia.doc.gov/dns/comments/comment027.pdf

    One of the things not detailed in my NTIA comments is that Kaminsky tells people to move to OpenDNS.ORG, run by Vixie associates David Ulevitch and Bill Fumerola. Fumerola is also a friend of Chris Neill. IADL has a page on Neill and his connection to spam-abuse at
    http://www.iadl.org/cn/cn-story.html

    On .ORG Signing

    While the .ORG TLD was indeed recently signed, I could not get .ORG TLD officials to respond to questions about whether there was regulatory approval for their actions. It is also telling that Vixie is involved with .ORG TLD. The .ORG signing appears to be an effort at "persuasion"--Sort of 'See, we did it'. But as my NTIA comments spell out, there are two serious DDoS attacks created by DNSSEC. While one perhaps might block .ORG servers during an attack, one cannot block the root DNS servers.

  19. Re:full disclosure on The Imminent Demise of SORBS · · Score: 1

    Those companies aren't sponsors. This is just another scam by SORBS. People are meant to *think* they are sponsors lending some kind of credibility to SORBS. If you read closely, it says something to the effect of "Don't contact these companies to complain about SORBS".

    The confidence scam strikes again. All I can say is, Steve Cohen, SEX.COM thief appears to be connected to SORBS through Vixie, Cerf, the Crockers, and was the master of confidence scams.

  20. SORBS is connected to spammers on The Imminent Demise of SORBS · · Score: 1

    On the "do-not-sell-this-to-spammer" byline,
    SORBS, MAPS, and Spamhaus have been connected to a spammer called Whitehat.com, aka Whitehat, Inc. Incorporation documents and Annual reports show that Paul Vixie, John Levine, Rodney Joffe and others are directors of Whitehat. Spamhaus' Registry of Known Spam Operations (ROKSO) doesn't list Whitehat. Vixie and Rand (MAPS founders, spammers) provide technical and hosting support to SORBS. SORBS isn't a real spam blacklist, but a revenge list. SORBS is cover for spammers to conduct scanning for abuse, shake down ISPs, and interfere with Whitehat's competitors.

    See related articles at http://www.iadl.org/whitehat/whitehat-story.html
    http://www.iadl.org/maps/maps-story.html
    http://www.iadl.org/sorbs/sorbs-story.html
    http://www.iadl.org/spamhaus/spamhaus-story.html

    Full Disclosure: I am the official admin for 130.105/16 and 198.3.136/21, which SORBS falsely claims is hijacked. SORBS has made this claim since 2003, and knows it to be false.