The claim of vulnerability was a scam. All aspects were previously known. Kaminsky didn't discover anything.
====================== Excerpt from my comments to the NTIA on DNSSEC http://www.ntia.doc.gov/dns/comments/comment027.pdf Kaminsky-Vixie "Media Hack" Much attention has been given to DNSSEC after the "Kaminsky Attack" was described. The December 2008 issue of MIT.s Technology Review reports the "Media Hack" aspect of the event. The truth of the matter as, reported by Technology Review on pg. 64 is that "Kaminsky had not really discovered a new attack". Dr. Bernstein discovered this attack many years ago, and fixed the DNSCache server software in 1999. The PowerDNS caching server was fixed in 2006. In 2006, NLnet (Kolkman et al) noted the spoofing of NS Records. A design report for the Unbound DNS Server software, developed by Nominet, Verisign, NLnet Labs (Kolkman et al), EP.NET (Bill Manning)) in which the authors describe that "spoofed NS additionals confuse iterator"4. This paper was discussed at IETF 67, in November 2006. Kaminsky is also connected to other questionable activity. In January 2006, Kaminsky announced he had found 580,000 open recursors at a hacker conference called Schmoocon. Its unclear how all this scanning was done without notice or complaint. Coincidentally, the first DNS reflection attack is reported to have taken place in October 2005 in a paper by Professor Vaughn of Baylor University and Gadi Evron5 These events are the subject of a document called "draft-ietf-dnsop-reflectors-are-evil", which seeks to close all open recursive DNS Servers. After news of the "Kaminsky Attack" leaked out, Kaminsky wrote on Twitter: "DNS bug is public. You need to patch, or switch to OpenDNS, RIGHT NOW." OpenDNS is a company that offers Open Recursor service, using open recursors to provided DNS services that deny DNS to phishing sites, and enable the collection of data on user browsing preferences, which is presumably mined for marketing research and other statistics. There are connections between Vixie et al (the BIND Cartel) and OpenDNS founder David Ulevitch and OpenDNS employee Bill Fumerola. Every part of Kaminsky's "attack" was well-known to most DNS experts for a long time, including Paul Vixie. Vixie describes his conversation with Kaminsky very dramatically as "taking 20 seconds to explain the problem." Vixie, having debated the issue with Bernstein, should have realized in that 20 seconds that the problem Kaminsky described was well-known. Instead, with great drama Vixie says: "Dan, I am speaking to you over an over an unsecure cell phone. Please do not ever say to anyone what you just said to me over an unsecure cell phone again" But the well-known bug just doesn.t warrant that sort of drama. Dan Kaminsky and Kevin Day subsequently asserted that there was a problem in DNSCache software. Their proposed fixes, discussed offlist with Dean Anderson, would have introduced a combination of two Birthday attacks into DNSCache, leaving it even MORE vulnerable to spoofing attacks.6 Nothing more has been reported by either Kevin Day or Dan Kaminsky regarding bugs in DNSCache. No vulnerability was ever identified in DNSCache. The code patching BIND has not been analyzed for the presence of the combined Birthday attacks. The Technology Review discusses how a great deal of "urgency" was artfully created. A reasonable review of the facts shows that the alarm is completely without justification. As a result of the .urgency., many people deployed software changes that weren.t properly reviewed. This massive software update, performed on blind trust, is unprecedented in the history of the Internet. The urgency was unjustified, and one must question whether deployment of DNSSEC as a knee-jerk reaction to a artfully created but unjustified perception could ever be wise. Instead, I think the connections between Kaminsky and the BIND Cartel DNSSEC promoters ought to be investigated to see if there was an effort to trick the government IANA function into adopting DNSSEC under artfully created, but false "urgency". -- Av8 Internet Prepared to pay a premium for better service? www.av8.net faster, more reliable, better service 617 344 9000 _______________________________________________ bblisa mailing list [email protected] http://www.bblisa.org/mailman/listinfo/bblisa
